Active Directory BRIAN CULP
New York • Chicago • San Francisco Lisbon • London • Madrid • Mexico City Milan • New Delhi • San Juan Seoul • Singapore • Sydney • Toronto
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
McGraw-Hill/Osborne th 2100 Powell Street, 10 Floor Emeryville, California 94608 U.S.A. To arrange bulk purchase discounts for sales promotions, premiums, or fundraisers, please contact McGraw-Hill/Osborne at the above address. For information on translations or book distributors outside the U.S.A., please see the International Contact Information page immediately following the index of this book.
Mike Meyers’ MCSE/MCSA Windows® Server 2003 Active Directory Certification Passport (Exam 70-294) Copyright © 2003 by The McGraw-Hill Companies. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication. 1234567890 DOC DOC 019876543 Book p/n 0-07-222576-9 and CD p/n 0-07-222577-7 parts of ISBN 0-07-222575-0 Publisher Brandon A. Nordin
Proofreaders Dan Esch, Claire Splan
Vice President & Associate Publisher Scott Rogers
Indexer Jack Lewis
Acquisitions Editor Nancy Maragioglio
Composition Carie Abrew, John Patrus
Project Editor Jody McKenzie
Illustrators Kathleen Edwards, Melinda Lytle, Lyssa Wald
Acquisitions Coordinator Jessica Wilson Technical Editor Kim Frank Copy Editor Lunaea Weatherstone
Series Design Peter F. Hancik Cover Series Design Ted Holladay
This book was composed with Corel VENTURA™ Publisher. Information has been obtained by McGraw-Hill/Osborne from sources believed to be reliable. However, because of the possibility of human or mechanical error by our sources, McGraw-Hill/ Osborne, or others, McGraw-Hill/Osborne does not guarantee the accuracy, adequacy, or completeness of any information and is not responsible for any errors or omissions or the results obtained from the use of such information.
P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 12:48:26 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio iii
About the Author Brian Culp (MCT, MCSE, A+) cut his teeth in the IT world in a small networking outfit called IBM before gaining his MCSE certification and stepping into the classroom. He is currently president and CEO of LANscape, Inc., and no, they won’t trim your shrubbery or build you a berm. LANscape provides training services to companies big and small, and also provides network administration. Brian is the author of Mike Meyers’ MCSE Windows 2000 Professional Certification Passport and Mike Meyers’ MCSE Windows XP Professional Certification Passport and has contributed to several other computer titles.
About the Technical Editor Kim Frank (MCT, MCSE on W2K/NT4.0, MCSE+I, MCSA, MCP+I, A+) has more than 10 years experience in the global IT arena. He is originally from Denmark where he worked for a leading multinational professional services organization. Kim is now a technical trainer and co-founder of CTE Solutions Inc., a prominent Microsoft CTEC center in Ottawa, Canada, and teaches at various locations across the country. Among his specialties are Windows Server 2003, Windows XP, and Windows 2000 Active Directory design, implementation, migration, and security. Kim can be reached at
[email protected].
About LearnKey LearnKey provides self-paced learning content and e-learning solutions to enhance personal skills and business productivity. LearnKey claims the largest library of rich streaming-media training content that engages learners in dynamic media-rich instruction complete with video clips, audio, full motion graphics, and animated illustrations. LearnKey can be found on the Web at www.LearnKey.com.
iii P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 12:48:26 PM
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio iv
Dedication For Griffin: Chapter One: It was warm and sunny morning, late in the spring, and a boy and his dad decided to go for a ride on their mountain bikes. They pedaled over a dirt path that cut through the trees. The canopy of trees protected them from the sun’s most direct rays, and the breeze was cool against their faces. The morning smelled like it had just washed its hair. After pedaling a while, they parked their bikes on the side of the trail, took off their Styrofoam helmets, and twisted out of their backpacks. They left their backpacks—full of bottled water, snacks, and, most importantly, a first aid kit—against the mountain bikes on the side of the road. It wouldn’t take very long to realize what a mistake that had been. Chapter Two: They set off for a walk to gather sticks for a fire. They turned from the dirt path they had been riding on, and weaved their way about a few hundred yards in the forest, keeping their eyes peeled for dead branches and dry leaves they could use for kindling. The boy called out. “Look, dad! Berries. Our favorite!” And because they were looking so carefully along the ground, they found the berries, and each snacked on a handful. The boy even filled his pockets. “We’ll have them for dessert,” he said. They should have been looking up in the trees, though. If they had, they would have spotted the giant snakes. Chapter Three: Daddy noticed it first: the birds stopped chirping, and even the breeze seemed to be holding its breath now, waiting. “Grab our swords!” the dad yelled. “They’re in the backpacks. And why do we need our swords?” asked the boy, balancing two more berries atop a shirt pocket already holding more than it was designed for. The answer came immediately as the two giant snakes that had been watching them from above dropped to the ground with a thud. As quickly as the boy and his father could turn to run, the snakes had cut off their escape and coiled up, ready to strike. Each of the snakes was about twelve feet long, as big around as a barrel. One opened its jaws, revealing fangs that looked like tent spikes. “Son, get behind me! I’ll get them to chase me and you can get back to the bikes. It’s our only way out of this.” He started to turn, drawing the attention of both deadly snakes.
iv P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 12:48:26 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio v
“Wait. How much Neosporin do you have in your backpack?” the boy asked. “Plenty. Why?” “Give me your shoe. I just remembered something.” Chapter Four: When Daddy flipped his shoe to the boy, the snakes both drew back, hissing. The boy then took the shoe and threw it toward the snakes. Both snakes hit the shoe with lightning strikes, sinking their fangs in the toe of the hiking shoe, emptying enough venom to kill off half the population of town. The boy saw his chance and jumped on one of the snakes, the smaller of the two. He had it in a choke hold and was beginning to subdue the huge serpent. That’s when the other one stopped biting the shoe and turned. He opened his jaws, and in a blur, lunged forward. When the fangs sank into flesh, there was a great yelp of pain. Chapter Five: Daddy’s arm gushed blood almost immediately. The bigger snake held on, but through the pain Daddy was able to get his free arm around the snake’s triangular head. “Just hold on!” the boy said. “They need air just like us. Actually, they need it more, because of their size.” And hang on is exactly what they did, and though the two giant snakes put up a desperate struggle for their lives, the boy and his dad were able to maintain the choke hold. Soon the snakes’ struggling began to subside, but Daddy was saddened. “I’m done for, son.” “No, dad, it was a dry bite. The only thing you have to worry about is infection. That’s why I asked about the Neosporin.” “So there’s no venom in my arm?” “They used all their venom on the shoe. You wouldn’t have lasted this long if there was venom in that bite.” “How do you know?” “Snakes don’t plan on biting things more than once. They usually don’t have to.” “But the shoe? What made you think they would spend their venom on the shoe?” “The snakes are vipers, and all vipers hunt using heat and smell. It’s all in that book on snakes you got me. Your shoes seemed the warmest thing to throw at them that would smell like you.” The giant snakes finally gave out and went limp. Daddy looked puzzled for a moment, taking in what had just happened. A moment ago, he was certain he would be the one doomed to the fate of the snake in his arms. Fortune had reversed itself rather quickly, and all because of a book. “Does that book say if you can eat viper snakes for dinner?”
v P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 12:48:26 PM
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio vi
Chapter Six: On a spit of wood, the flesh of the snakes hissed. But this hiss was different than the ones the father and son had just heard. This one made their stomachs growl. Ten minutes later, they were putting honey-mustard and pickles on snakemeat sandwiches. The sandwiches were about as thick as Daddy’s forearm, which was now bandaged with plenty of Neosporin. Soon their bellies were full and their eyes were heavy. Daddy looked over with a weary smile. “I hope you saved room for blackberries.” “Of course.” They unrolled their sleeping bags and tucked themselves inside. Full of snake sandwiches and blackberries, they were asleep within minutes.
Acknowledgments I can’t overemphasize the importance of, nor can I over-thank, the people responsible for putting this book together. As always, thanks to Nancy Maragioglio for her patience with my questions that I probably shouldn’t be asking anymore, and thanks to Jessica Wilson for her input and stewarding influence. I’ve bothered them throughout the entire process, and I deeply regret any psychotherapy that may result from working with me. I need to thank the series editor, Mike Meyers, for having the juice to get this book series off the ground, and for providing ongoing input, encouragement, and support. Thanks to Kim Frank for an excellent technical edit. Any errors in content that remain are solely my responsibility. Thanks to Lunaea Weatherstone and Jody McKenzie for their efforts in the copy edit, proofing, and production. They are both responsible for hiding the bumps and bruises in my writing. They are to be held blameless for any problems with the writing style or readability; there are only so many hours in a day to correct my work. Thanks to Steve Loethen in the Kansas City Microsoft office for helping me get the necessary software and for answering all my questions. And a big thanks to Bill Ferguson, who stepped in to help create a good many of the questions for the CD-ROM and supplemental Web material. And you really should access the Web material. Without his valuable assistance cranking out excellent study material, I would probably still be writing.
vi P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 12:48:26 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio vii
Contents Check-In . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . xvii
1
2
Planning and Preparing for Active Directory . . . . . . . . . . .
1
Objective 1.01 Understanding a Directory Service . . . . . . . . . . . .
3
Directory Services in Ancient Times . . . . . . . . . . . . . . . . . . . . . . Objective 1.02 Understanding the Components of Active Directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Directory Database . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Global Catalog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Active Directory Namespace . . . . . . . . . . . . . . . . . . . . . . . . . The Objects Stored in Active Directory . . . . . . . . . . . . . . . . . . . . Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Printers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Shared Folders . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Objective 1.03 Installing Active Directory on Windows Server 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Running the Active Directory Setup Wizard . . . . . . . . . . . . . . . . Ideal Domain Design . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CHECKPOINT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REVIEW QUESTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REVIEW ANSWERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
4
The Physical Active Directory Components . . . . . . . . . . . . .
4
7 8 8 9 10 11 12 12 12 13 13
14 22 22
23 24
25
Objective 2.01 Manage an Active Directory Site . . . . . . . . . . . . . .
26
Creating a Site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Renaming and Deleting a Site . . . . . . . . . . . . . . . . . . . . . . . . . . . Site Properties . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
27 30 31
vii P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 12:48:27 PM
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
viii
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio viii
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Configure Site Boundaries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32 Moving a Subnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34 Objective 2.02 Implement an Active Directory Site Topology . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35 Replication: How and Why . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37 Replication Within Sites (Intra-Site) . . . . . . . . . . . . . . . . . 37 Replication Between Sites (Inter-Site) . . . . . . . . . . . . . . . 38 Configure Site Links . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39 Configure Replication Schedules . . . . . . . . . . . . . . . . . . . 41 Configure Site Link Costs . . . . . . . . . . . . . . . . . . . . . . . . . 43 Site Link Bridges . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43 Configure Preferred Bridgehead Servers . . . . . . . . . . . . . . 45 The Inter-Site Topology Generator . . . . . . . . . . . . . . . . . . 46 Domain Controllers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47 Creating a Domain Controller . . . . . . . . . . . . . . . . . . . . . . 47 Planning Domain Controller Deployment . . . . . . . . . . . . . 48 Objective 2.03 Monitor Active Directory Replication Failures Using the Microsoft Monitoring and Management Tools . . . . . . . 48 Monitor Active Directory Replication . . . . . . . . . . . . . . . . . . . . . . 49 Monitor File Replication Service (FRS) Replication . . . . . . . . . . . 50 Delegating Control over Physical Active Directory Objects . . . . . 50 Using the ACL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50 Using the Delegation of Control Wizard . . . . . . . . . . . . . . 52 Objective 2.04 Plan a Strategy for Placement of Global Catalog Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54 Implementing a Global Catalog Server . . . . . . . . . . . . . . . . . . . . 55 Adding Attributes to the Global Catalog . . . . . . . . . . . . . . . . . . . 57 Evaluate Network Traffic Considerations When Placing Global Catalog Servers . . . . . . . . . . . . . . . . . . . . . . . 58 Evaluate the Need to Enable Universal Group Caching . . . . . . . . 59 Objective 2.05 Plan Flexible Operations Master Role Placement . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 61 Forest-wide Operations Master Roles . . . . . . . . . . . . . . . . . . . . . 61 Domain-wide Operations Master Roles . . . . . . . . . . . . . . . . . . . . 62 RID Master . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 PDC Emulator Master . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63 Infrastructure Master . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64 Plan for Business Continuity of Operations Master Roles . . . . . . 65 Transferring the Operations Master . . . . . . . . . . . . . . . . . 66
P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 1:03:15 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio ix
Contents
3
ix
Seizing the Operations Master . . . . . . . . . . . . . . . . . . . . . CHECKPOINT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REVIEW QUESTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REVIEW ANSWERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
70 73
The Logical Active Directory Components . . . . . . . . . . . . .
75
Logical Active Directory Components . . . . . . . . . . . . . . . . . . . . . Domains . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Trees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Forests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Organizational Units . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Objective 3.01 Plan an Administrative Delegation Strategy . . . Delegation of Control Wizard . . . . . . . . . . . . . . . . . . . . . . Plan an Organizational Unit (OU) Structure Based on Delegation Requirements . . . . . . . . . . . . . . . . . . . . . . . . . Authorization Manager . . . . . . . . . . . . . . . . . . . . . . . . . . . Objective 3.02 Implement an Active Directory Forest and Domain Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Install and Configure an Active Directory Domain Controller . . . Create the Forest Root Domain . . . . . . . . . . . . . . . . . . . . . . . . . . Create a Child Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . Install an Additional Domain Controller for an Existing Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . Create a New Tree in an Existing Active Directory Forest . . . Uninstall Active Directory and Remove a Domain . . . . . . Create and Configure Application Data Partitions . . . . . . Set an Active Directory Forest and Domain Functional Level Based on Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Domain Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Forest Functionality . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Establish Trust Relationships . . . . . . . . . . . . . . . . . . . . . . . . . . . . External Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Forest Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Realm Trusts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CHECKPOINT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REVIEW QUESTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REVIEW ANSWERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
76 77 79 81 82
P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 12:48:27 PM
67 69
83
85 86 88 91
91 92 93 95 97 98 99 101 102 105 107 109 111 112 112
113 116
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
x
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio x
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
4
Managing and Maintaining an Active Directory Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . 119 Objective 4.01 Manage an Active Directory Forest and Domain Structure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
The Role of the Schema . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Directory Object Definitions . . . . . . . . . . . . . . . . . . . . . . . Schema Storage and Schema Cache . . . . . . . . . . . . . . . . Schema Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Manage Schema Modifications . . . . . . . . . . . . . . . . . . . . Deactivating a Schema Class or Attribute . . . . . . . . . . . . Including an Attribute in the Global Catalog . . . . . . . . . . . Add or Remove a UPN Suffix . . . . . . . . . . . . . . . . . . . . . . . Routing Name Suffixes Across Forests . . . . . . . . . . . . . . . Handling UPN Collisions . . . . . . . . . . . . . . . . . . . . . . . . . . The NETDOM Utility . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Objective 4.02 Restore Active Directory Directory Services . . Significance of the SYSVOL Folder . . . . . . . . . . . . . . . . . . . . . . . Restore Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Perform a Primary Restore Operation . . . . . . . . . . . . . . . . Perform a Nonauthoritative Restore Operation . . . . . . . . Perform an Authoritative Restore Operation . . . . . . . . . . . Objective 4.03 Troubleshoot Active Directory . . . . . . . . . . . . . . . . Diagnose and Resolve Issues Related to Active Directory Replication . . . . . . . . . . . . . . . . . . . . Repadmin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Dcdiag . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Replmon . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Network Monitor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Directory Service Log in Event Viewer . . . . . . . . . . . . . . . CHECKPOINT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REVIEW QUESTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REVIEW ANSWERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
5
120
120 121 122 122 122 125 125 127 128 130 131 132
132 133 134 134 135 136
136 136 137 138 140 143 145
146 149
Planning and Implementing User, Computer, and Group Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 151 Objective 5.01 Plan a Security Group Strategy . . . . . . . . . . . . . . . .
152
Local vs. Domain Accounts and Groups . . . . . . . . . . . . . . . . . . . .
153
P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 1:03:27 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio xi
Contents
Local Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Domain Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating a Domain User Account . . . . . . . . . . . . . . . . . . . Using the Command Line . . . . . . . . . . . . . . . . . . . . . . . . . . Moving User Accounts . . . . . . . . . . . . . . . . . . . . . . . . . . . Moving Objects Between Domains . . . . . . . . . . . . . . . . . . Creating Lots of Users at Once . . . . . . . . . . . . . . . . . . . . . Groups in Windows 2003 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating a Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Group Nesting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Changing Group Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . Impact of Universal Groups on Replication . . . . . . . . . . . . Built-in and Predefined Groups . . . . . . . . . . . . . . . . . . . . . Objective 5.02 Plan a User Authentication Strategy . . . . . . . . . . Plan a Smart Card Authentication Strategy . . . . . . . . . . . . . . . . . Configuring a User for Smart Card Authentication . . . . . . Create a Password Policy for Domain Users . . . . . . . . . . . Recommendations for Strong Passwords . . . . . . . . . . . . . Objective 5.03 Secure Resources with NTFS and Share Level Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Control Access to Files and Folders Using NTFS Permissions . . . Setting Permissions Through the Command Line . . . . . . . NTFS Permission Behavior . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Effective Permission . . . . . . . . . . . . . . . . . . . . . . . . . . Defining Access to Files and Folders . . . . . . . . . . . . . . . . . . . . . . Combining Share and NTFS Permissions . . . . . . . . . . . . . NTFS Permissions Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . . Copying and Moving Considerations . . . . . . . . . . . . . . . . . Special Access Permissions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ownership . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Effective Permission . . . . . . . . . . . . . . . . . . . . . . . . . . Objective 5.04 Implement an OU Structure . . . . . . . . . . . . . . . . . . . Create an OU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Move Objects Within an OU Hierarchy . . . . . . . . . . . . . . . CHECKPOINT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REVIEW QUESTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REVIEW ANSWERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 12:48:27 PM
xi
153 154 155 158 159 160 162 163 164 168 169 169 171 179
179 180 182 183 185
186 186 188 191 191 192 193 194 196 196 199 200
201 201 202
203 207
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
xii
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio xii
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
6
7
Planning and Implementing Group Policy . . . . . . . . . . . . . . 209 Objective 6.01 Plan Group Policy Strategy . . . . . . . . . . . . . . . . . . .
210
Group Policy Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . How to Configure the User Environment by Using Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . The Local Group Policy Object . . . . . . . . . . . . . . . . . . . . . . Local Policy Configuration . . . . . . . . . . . . . . . . . . . . . . . . . Changes to the Administrative Templates . . . . . . . . . . . . Group Policy Application . . . . . . . . . . . . . . . . . . . . . . . . . . Group Policy Scope . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Group Policy Processing Order . . . . . . . . . . . . . . . . . . . . . Exceptions to Group Policy Processing . . . . . . . . . . . . . . . . . . . . Disabling User and Computer Configuration Settings . . . Slow Link Processing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Group Policy Storage Location . . . . . . . . . . . . . . . . . . . . . Group Policy Behaviors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Group Policy Inheritance . . . . . . . . . . . . . . . . . . . . . . . . . . Filtering Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . WMI Filtering . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating a GPO for Active Directory Management . . . . . . . . . . . Delegating Control Over a GPO . . . . . . . . . . . . . . . . . . . . . Planning Group Policy Using Resultant Set of Policy (RSoP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Using the RSoP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Group Policy Refresh Interval . . . . . . . . . . . . . . . . . . . . . . Objective 6.02 Configure the User Environment by Using Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Automatically Enroll User Certificates . . . . . . . . . . . . . . . . . . . . . Redirect Folders Using Group Policy . . . . . . . . . . . . . . . . . . . . . . Restricting Group Membership with Group Policy . . . . . . . . . . . . CHECKPOINT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REVIEW QUESTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REVIEW ANSWERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
211 211 212 212 217 218 219 219 221 224 224 225 226 227 227 228 229 234 237 237 242 243
244 246 250 252
252 256
Manage Software and Security Using Group Policy . . . . . . 259 Objective 7.01 Distribute Software by Using Group Policy . . . .
260
Windows Installer Technology . . . . . . . . . . . . . . . . . . . . . . . . . . .
262
P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 1:03:35 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio xiii
Contents
Use of the .zap File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating an .msi File . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Application Advertisement . . . . . . . . . . . . . . . . . . . . . . . . Setting the Software Installation Default Location . . . . . Publishing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Publishing Considerations . . . . . . . . . . . . . . . . . . . . . . . . . Assigning . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . To Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . To Computers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Upgrading Existing Software Packages . . . . . . . . . . . . . . Creating a Package Modification . . . . . . . . . . . . . . . . . . . Maintain Installed Software by Using Group Policy . . . . . . . . . . Software Removal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Additional Deployment Considerations . . . . . . . . . . . . . . . Objective 6.02 Configure Computer Security Settings Using Group Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Security Templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Creating and Modifying Templates . . . . . . . . . . . . . . . . . . Importing a Template into a GPO . . . . . . . . . . . . . . . . . . . The Security Configuration and Analysis Tool . . . . . . . . . . . . . . . Configuring System Security . . . . . . . . . . . . . . . . . . . . . . . Exporting a Security Template . . . . . . . . . . . . . . . . . . . . . Using Secedit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Objective 6.03 Troubleshoot Group Policy Application and Deployment Issues . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . CHECKPOINT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REVIEW QUESTIONS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . REVIEW ANSWERS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
A
xiii
263 265 267 267 269 270 271 271 273 274 276 277 279 280 281
284 288 289 290 291 293 294 295 298
299 302
About the CD-ROM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 305 Mike Meyers’ Certification Passport CD-ROM Instructions . . . . System Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Installing and Running MasterExam . . . . . . . . . . . . . . . . . . . . . . MasterExam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Removing Installation(s) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . LearnKey Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 12:48:28 PM
305 305 305 305 306 306 306 306
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
xiv
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio xiv
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
B
Career Flight Path . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 307 Core MCSE Exams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Networking Systems Exams . . . . . . . . . . . . . . . . . . . . . . . Core Elective Exams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Elective Exam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Upgrade Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Windows NT 4.0 Upgrade Options . . . . . . . . . . . . . . . . . . . . . . . Windows 2000 Upgrade Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . Core MCSA Exams . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Elective Exam . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Alternatives to the Elective Exam . . . . . . . . . . . . . . . . . . . . . . . . Windows 2000 Upgrade Paths . . . . . . . . . . . . . . . . . . . . . . . . . . . For All the Latest Info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
C
307 307 308 308 309 309 309 310 311 311 312 312
DNS: The Backbone for Active Directory . . . . . . . . . . . . . . . 313 Itinerary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . What Is DNS? . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DNS Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . FQDNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Understanding Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Resource Records Stored in a Zone File . . . . . . . . . . . . . . Resolving a Host Name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Forward Lookup Resolution . . . . . . . . . . . . . . . . . . . . . . . . Recursive Queries and Iterative Queries . . . . . . . . . . . . . . Reverse Queries . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Install and Configure the DNS Server Service . . . . . . . . . . . . . . . Manage DNS Server Options . . . . . . . . . . . . . . . . . . . . . . Creating a Forward Lookup Zone . . . . . . . . . . . . . . . . . . . . Creating a Reverse Lookup Zone . . . . . . . . . . . . . . . . . . . . Changing the Properties of a Zone . . . . . . . . . . . . . . . . . . Stub Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Configure DNS Forwarding . . . . . . . . . . . . . . . . . . . . . . . . DNS Server Roles . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Primary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Secondary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Caching Only . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 1:03:46 PM
313 314 314 315 317 318 319 320 322 322 324 326 326 327 328 331 332 334 334 335 337
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio xv
Contents
Integrating DNS with DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Implementing Dynamic DNS . . . . . . . . . . . . . . . . . . . . . . . Integrating DNS and Active Directory . . . . . . . . . . . . . . . . . . . . . Changing the Zone to an Active Directory–Integrated Zone . . . . . . . . . . . . . . . . . . . . . . Benefits of Active Directory–Integration . . . . . . . . . . . . . Transferring Zone Information . . . . . . . . . . . . . . . . . . . . . . . . . . . Monitoring and Management . . . . . . . . . . . . . . . . . . . . . . . . . . . Manage DNS Record Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . Nslookup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ipconfig . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Event Viewer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Setting Debugging Options . . . . . . . . . . . . . . . . . . . . . . . . Summary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
xv
337 338 340 340 341 342 343 343 345 346 346 346 348
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 349
P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 12:48:28 PM
This page intentionally left blank
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio xvii
Check-In May I See Your Passport? What do you mean you don’t have a passport? Why, it’s sitting right in your hands, even as you read! This book is your passport to a very special place. You’re about to begin a journey, my friend, a journey toward that magical place called certification! You don’t need a ticket, you don’t need a suitcase—just snuggle up and read this passport—it’s all you need to get there. Are you ready? Let’s go!
Your Travel Agent—Mike Meyers Hello! My name’s Mike Meyers. I’ve written a number of popular certification books and I’m the president of Total Seminars, LLC. On any given day, you’ll find me replacing a hard drive, setting up a Web site, or writing code. I love every aspect of this book you hold in your hands. It’s part of a powerful new book series called the Mike Meyers’ Certification Passports. Every book in this series combines easy readability with a condensed format. In other words, the kind of book I always wanted when I went for my certifications. Putting this much information in an accessible format is an enormous challenge, but I think we have achieved our goal and I am confident you’ll agree. I designed this series to do one thing and only one thing—to get you only the information you need to achieve your certification. You won’t find any fluff in here—the author, Brian Culp, packed every page with nothing but the real nitty-gritty of the certification exam. Every page is packed with 100 percent pure concentrate of certification knowledge! But we didn’t forget to make the book readable. I hope you enjoy the casual, friendly style—I want you to feel as though the authors are speaking to you, discussing the certification—not just spewing facts at you. My personal e-mail address is
[email protected]. Please feel free to contact me directly if you have any questions, complaints, or compliments. If you’d like to contact Brian, he’s available as well at
[email protected]. We both appreciate hearing from you, so please feel free to let us know what you think about this book!
xvii P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 12:48:28 PM
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
xviii
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio xviii
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Your Destination—Windows Server 2003 Active Directory Certification This book is your passport to the Microsoft Windows Server 2003 Active Directory exam (exam 70-294). Microsoft operating systems have become an industry standard, and the Microsoft Certified Professional program is one of the most respected certification tracks available to a computer engineer. Exam 70-294 focuses on Windows Server 2003 and on technologies related to planning, implementing, and maintaining a Windows 2003 Active Directory infrastructure. Topics covered on the exam include determining a strategy for implementing an Active Directory infrastructure, working with forests and domain structures, managing an Active Directory site, working with security strategies, and Group Policy.
Why the Travel Theme? One of my favorite topics is the parallel of gaining a certification to taking a trip. All the elements are the same: preparation, an itinerary, a route—even mishaps along the way. Let me show you how it all works. This book is divided into seven chapters. Each chapter begins with an Itinerary, which provides objectives covered in each chapter and an ETA to give you an idea of the time involved learning the skills in that chapter. Each chapter is broken down by real exam objectives, either those officially stated by the certifying body or, if the vendor doesn’t provide these, our experts’ take on the best way to approach the topics. Also, each chapter contains a number of helpful items to bring out points of interest:
Exam Tip Points out critical topics you’re likely to see on the actual exam.
Travel Assistance Provides you with additional sources, such as books and Web sites to give you more information.
Local Lingo Describes special terms in detail in a way you can easily understand.
P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 1:11:14 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio xix
Check-In
xix
Travel Advisory Warns you of common pitfalls, misconceptions, and downright physical peril! The end of the chapter gives you two handy tools. The Checkpoint reviews each objective covered in the chapter with a handy synopsis—a great way to quickly review. Plus, you’ll find end of chapter questions and answers to test your newly acquired skills. But the fun doesn’t stop there! After you’ve read the book, pull out the CD and take advantage of the free practice questions. Use the full practice exam to hone your skills and keep the book handy to check answers. If you want even more practice, log on to www.Osborne.com/Passport, and for a nominal fee you’ll get additional high-quality practice questions. When you’re passing the practice questions, you’re ready to take the exam— go get certified!
The End of the Trail The IT industry changes and grows constantly—and so should you. Finishing one certification is just a step in an ongoing process of gaining more and more certifications to match your constantly changing and growing skills. Read the Career Flight Path (Appendix B) at the end of the book to see where this certification fits into your personal certification goals. Remember, in the IT business, if you’re not moving forward, you are way behind! Good luck on your certification! Stay in touch!
Mike Meyers Series Editor Mike Meyers’ Certification Passport
P:\010Comp\Passport\575-0\fm.vp Tuesday, August 05, 2003 12:48:29 PM
This page intentionally left blank
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
Planning and Preparing for Active Directory
1
ITINERARY
• •
Objective 1.01 Objective 1.02
•
Objective 1.03
Understanding a Directory Service Understanding the Components of Active Directory Installing Active Directory on Windows Server 2003
NEWBIE
SOME EXPERIENCE
EXPERT
1.5 hours
.5 hours
Optional
1
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:45 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
2
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Before we start our study of Windows 2003’s Active Directory, we must take note of a few base concepts upon which we will build our understanding. So while this introductory chapter will not provide vast volumes of information that will be tested when you sit down to take the 70-294 exam, it provides an essential overview of the concepts presented throughout the rest of the book.
Travel Advisory Although these items are the objectives of the chapter, they are not Microsoft exam objectives. This chapter serves as a foundation for our Active Directory learning. In the chapters to come, however, the chapter objectives will map to Microsoft 70-294 exam objectives. That’s not to say that this material isn’t important—with a thorough understanding of the concepts involved, you stand a much better chance of assimilating the information to follow in this book. It’s entirely possible that you already possess the background knowledge necessary to begin delving into the inner workings of Microsoft’s latest and greatest server operating system. If that’s the case, or if you’ve only picked up this book to review vital exam material in as short a time as possible, you can probably begin your quest toward Active Directory Infrastructure certification in the next chapter. If, however, you have picked up this book as a primer for certification, or are new to Windows networking, it is recommended that you invest the time here to get comfortable with some of the underlying conceptual material. In any case, taking an extra half hour or two will do you no harm. In this chapter, we will start with a look at what a directory service is, and then move on to a discussion of Microsoft’s implementation of a directory service: Active Directory. We’ll focus on the types of objects an Active Directory database can contain. Finally, we’ll look at the process of installing a server computer with Active Directory, and some of the choices provided when you make the decision to implement a directory service on your network. It’s worth stating again: make sure you fully understand what’s presented in this chapter before moving on to the rest of the book. Also, this chapter will provide a good reference point if you are confused by a term or concept that appears later in the book and need background information before continuing.
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:46 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
CHAPTER 1 Planning and Preparing for Active Directory
Objective 1.01
3
Understanding a Directory Service
A
s a starting point, you need to thoroughly comprehend what a directory service is. At the most basic level of computer networking, you have a server service that accepts connections from a client service for the purpose of making resources from one system available to other systems. In Windows Server 2003, these two software components are called Server and Workstation, respectively, and can be viewed by opening the Services management tool (select Start | All Programs | Administrative Tools | Services).
Travel Advisory Keep in mind that a server is what a computer is doing in the network. Server 2003 is just a name of a Microsoft operating system. It’s entirely possible that a system running Windows 98 will be the company’s print server, and that a PC running Windows Server 2003 will be a client of the 98 machine. It’s also entirely possible that this Windows Server 2003 will provide DNS server services to the Windows 98 machine. Now, you don’t just want anyone accessing a shared resource, so as networking software was developed (some of the earliest network operating systems included NetWare 3.12 and Windows for Workgroups 3.11), developers also included a way for these systems to provide authentication, so that the only users who could access network resources were the ones who were supposed to. To perform authentication, a computer that’s making resources available (for example, files or printers) will need a list of all the users who are allowed to in teract with the resource. In the case of Windows for Workgroups, users were required to know a password in order to connect to resources on remote computers. These remote computers would have a list against which the username and password were checked to determine whether or not to permit access. In its simplest iteration, the directory is the list. It’s a database of users who have the ability to connect to a given system. The service is the software that makes the list available to the operating system. This service works in harmony with the server service (the software that makes resources available) so it can be checked when connection attempts are established.
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:46 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
4
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Directory Services in Ancient Times In older networks, like NetWare 3.12 or Windows for Workgroups, the directory was kept separate on each individual machine. This is still true in Windows peer-to-peer networks (or workgroups) where each machine keeps a unique database of the users who can use that machine. As networks grew, this became a prohibitively large administrative task as user accounts would need to be created at each individual server for which the user needed access. In other words, for one user, you often had many accounts. In later versions of their respective networking software products, both Microsoft and Novell worked toward a centralized directory of users that could be checked for access to a network’s resources. With a centralized database of users who were able to use network components, administrators no longer had to create multiple accounts for a single user, and administration could be centralized. Both of these companies’ earlier versions, however, had varying degrees of difficulty accomplishing what some customers most wanted. What you are working with right now, and are studying to master, is the result of years of Microsoft coders trying their best to build the ultimate piece of networking software. Lots of people trying to write a better mousetrap. (And just so you know, Apple is trying to do the same thing with their software, and has been working on it a while, too. If you’re in the networking operating system business, you want your software in as many companies and government agencies as possible.)
Objective 1.02
N
Understanding the Components of Active Directory
ow that you know a little more about directory services and directory databases, you may be asking, what is significant about the current Microsoft version of a directory service—namely, Active Directory? An excellent question. First of all, understand that Active Directory is built upon the networking technologies that preceded it. Active Directory, as a piece of Microsoft software, is certainly not unique in that regard. Microsoft and other software companies have taken existing technologies and/or the ideas of existing software, including those pieces of software that are openly available (such as the TCP/IP protocol suite), and built upon them. (Microsoft’s detractors love to point this out, but there’s nothing wrong with this; you can’t copyright an idea.) They’ve taken what’s out there and made it theirs, by taking the next evolutionary step.
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:46 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
CHAPTER 1 Planning and Preparing for Active Directory
5
In the case of Active Directory, Microsoft already had a working (if somewhat grumbled about) domain model built into their Server products. When Microsoft moved to the NT operating system, they added the capability to link domains together with trust relationships. Using one or more trust relationships between domains, the NT domain model became scalable because multiple domains could be made aware of each other’s presence in an enterprise. This linking of domains was done for administrative reasons. Carefully implemented, the enterprise could still be managed centrally or, conversely, could be distributed among multiple administrative groups. This linking also provided for easy access to resources, and it accommodated business mergers and subsidies as organizations redefined themselves.
Travel Advisory Scalable is a tech term that references a system’s capability to grow and accommodate more users. Exactly what’s scalable and what’s not is rather nebulous and frequently a matter of conjecture; also, generally speaking, the term should be avoided in polite conversation. Software can be described as scalable, but hardware can be too. If it can grow relatively easily, it’s said to be scalable. If there are limitations to adding more (users, computers, processors, and so on), it may be termed not scalable. But scalability, like beauty, is a relative term. In other words, NT’s domain model, though scalable, was not very scalable. As you started to add multiple domains to the NT mix, several problems occurred, and these problems usually compounded themselves as the organization began to grow. For example, every time a user accessed a resource in another domain besides the one where their account lived, it increased network traffic. It also caused extra traffic as the domain controllers in these multiple domains maintained the trust relationships.
Local Lingo Trust A logical link between two domains. It facilitates two things: cross-domain login, in which a user in one domain can submit his account credentials across the trust to the domain where his account lives, and universal resource access, in which a user has the ability to access resources in domains that trust the one where his account resides.
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:47 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
6
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Remember as we discuss the significance of trusts here, that ability to access resources does not necessarily imply permission. It’s entirely possible to be able to access something in another domain—to establish a connection—yet have read-only permission or have permission denied altogether. The NT domain model became somewhat burdensome for growing enterprises. In its next iteration of its Server family of operating systems, Windows 2000, Microsoft set out to address two main areas of concern to help alleviate many of the problems encountered when working with the NT 4 domain model. The two things determined to be most needed in the next version of the directory service software were
• •
A global list of each domain’s directory would need to be available at every domain. A system should exist to automatically manage trust relationships, lessening the administrative overhead involved in ensuring the benefits of multiple domains.
There’s a corollary to these two driving characteristics. It was as if the folks at Microsoft, during a latte-fueled brainstorming session, thought, “If we’re going to go to all this trouble to make this one great authentication database, wouldn’t it be great if we could go beyond just authentication and fill this database up with handy data which would answer queries like, ‘Which one of the printers on the fourth floor prints color?’ or ‘Is that computer located in the North building or the South building?’ Let’s design a directory like that.” So they did. These were the driving motivations for the design of the next domain model, the one that would carry Microsoft into the next millennium. The result was Active Directory, which made its debut in Windows 2000. Now Microsoft has carried forward this domain model and built upon it in its release of Server 2003. Windows Server 2003 includes many improvements to Windows 2000’s version of Active Directory, making it even more versatile, dependable, and economical to use. We won’t go into too much detail here, but Active Directory improvements in Windows Server 2003 provide the following benefits:
•
Easier deployment and management Improved migration and management tools, along with the ability to rename Active Directory domains, make deploying Active Directory significantly easier than when the directory service was first introduced in Windows 2000 Server. Better tools bring drag-and-drop capabilities, multi-object selection, and the ability to save and reuse queries. Plus, improvements in Group
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:47 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
CHAPTER 1 Planning and Preparing for Active Directory
7
Policy make it easier and more efficient to manage groups of users and computers in an Active Directory environment.
•
Greater security Cross-forest trust provides a new type of Windows trust for managing the security relationship between two forests— greatly simplifying cross-forest security administration and authentication. Users can securely access resources in other forests without sacrificing the single sign-on and administrative benefits of having only one user ID and password maintained in the user’s home forest. This provides the flexibility to account for the need for some divisions or areas to have their own forest, yet maintain benefits of Active Directory.
•
Improved performance and dependability Windows Server 2003 more efficiently manages the replication and synchronization of Active Directory information. Administrators can better control the types of information that are replicated and synchronized between domain controllers both within a domain as well as across domains. In addition, Active Directory provides more features to intelligently select only changed information for replication—no longer requiring updating entire portions of the directory.
Throughout the rest of the book, we will be dealing with the technologies that make these improvements possible. In fact, most of the terms and tools you will be learning about will impact one of these three areas in some way, and you can be sure that Microsoft will heavily emphasize these areas in the 70-291 exam as well.
The Directory Database Active Directory’s job is to store and make available a directory database. While the term “database” can make cold shivers run down the spine of many a computer user, the concept can be simplified quite dramatically. At its core, a database is a list. If you’ve ever made a shopping list, you have worked—at least in concept—with a database. The biggest difference between a list and a database (besides the fact that when we talk about databases, we are talking about things stored on a computer) is the way the information is organized. In a database, one of the items in the list has a unique value. This unique value sets the item apart as a distinct entity and is known as a key value. In other words, a database stores a distinct object, and then a series of attributes of that object. Take the example of one of the most common and most easily understood objects stored in Active Directory: the user account. To the Active Directory database, the unique part of the account is a number assigned to the account,
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:47 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
8
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
called a security identifier (SID). (We’ll talk more about the SID throughout the book, especially in Chapter 5.) Everything else stored in the database about that user account are attributes. The logon name is an attribute of the SID. Likewise the first name, last name, and logon domain are all attributes. Lots of users can have the same domain attribute, and lots of users can even have the object attributes of Brian, as a first name attribute, and Culp, as a last name attribute, although as parents, teachers, coaches, and even book editors are fond of reminding me, one Brian Culp is more than enough, thank you.
The Schema What’s especially significant about Active Directory’s list of objects that can be added to its directory database is that every Active Directory domain in an enterprise of domains contains the exact same list of potential objects and attributes. This list of what’s possible to add to an Active Directory directory database is called the schema, and the schema is consistent throughout the Active Directory enterprise. In Chapter 3, we’ll discuss all of these elements of the enterprise in further detail. Active Directory groups a fixed set of attributes in the schema and defines them as a class. A class is used to describe a type of object. The class—and hence, the schema—can be added to, making Active Directory an extensible database. Active Directory is flexible enough to accommodate any kind of organization and can store just about any type of information. Say, for example, that you wanted to track a user’s favorite charity as part of the information used to describe a user account. The Active Directory schema can be modified to include this information.
The Global Catalog For each domain, we have a directory of information, and certain attributes from each domain will be copied to a Global Catalog. This “index” domain information is then shared among the multiple domains. Active Directory uses a Global Catalog to provide a repository of the most commonly searched for objects and their attributes. Certain objects and attributes from each domain will be copied to the Global Catalog and made available to all connected domains. You can think of the Global Catalog as an index for the domains in the enterprise. Each domain controller stores a copy of all the objects stored in its directory database. But users access the Global Catalog when they want to find information that’s stored in domains other than their own. The Global Catalog’s main function is to make the following activities much easier:
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:47 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
CHAPTER 1 Planning and Preparing for Active Directory
•
Logging on at a domain other than the one you’re in In an Active Directory enterprise, it’s possible to use the computers on one domain to log on to another. The Global Catalog is consulted for a list of possible logon domains.
•
Finding objects in other domains If you are looking for color laser print resources throughout the enterprise, for example, the Global Catalog will likely store information about these printers.
9
The Active Directory Namespace When you implement multiple domains in an enterprise, it will be easier to locate objects and to replicate information between domains if you impose some sort of consistent structure on them. The Active Directory software writers have done just this by borrowing from an existing domain structuring technology. This technology is used to provide the composition of the Internet domains, and thus provides a way of linking domains together. It’s called the Domain Naming System (DNS), and now it’s used to provide the backbone of your Active Directory domains. The DNS namespace is one huge, hierarchical, distributed database of resource record mappings to IP addresses. It works by linking each and every domain into one contiguous namespace. You will need to have a pretty good understanding of DNS in order to successfully prepare for the 70-294 exam. Microsoft assumes that you bring DNS knowledge to the table before you study this material, but I haven’t made the same assumption. Please refer to Appendix C for a detailed discussion of DNS. What’s significant as far as Active Directory goes is that, by using an existing hierarchical namespace in which the Active Directory domains will be named, you have created a system where trust relationships can be managed automatically. Why? Because the trusts relationships can be inferred from the domain names. For example, if you had an Active Directory domain called mcgraw-hill.com, and then created a child domain in the mcgraw-hill.com namespace, and named the child domain brianfanmail.mcgraw-hill.com, the trust relationship could be deduced from the names. If these were Windows 2003 Active Directory domains, the two domains would trust each other automatically. Trust relationships will be explored more fully in Chapter 4. By using the DNS namespace, it’s ensured that all your Active Directory domains will have names that are consistent. Additionally, there’s a system that makes sure all this happens. The Domain Naming Master (explained in the next chapter) is the server that handles these duties for an Active Directory enterprise. This system ensures that all domains have names that fit cohesively in the namespace.
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:47 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
10
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
So, to summarize, these are the three keys to the engine that runs Microsoft’s Active Directory:
• • •
A common schema A common Global Catalog A common configuration
The Objects Stored in Active Directory This may not exactly be news, especially of you’ve ever paid taxes or gotten a driver’s license, but you are an object. At least you are to a Windows Server 2003 machine running Active Directory. In fact, everything is. Computers, groups, resources, Group Policies, and yes, even you, the user. I’ll leave the decision about whether or not to fall into an Orwellian stupor over this piece of somewhat depressing information up to you. It may come as some solace, then, to know why you are viewed the way you are by Active Directory: it’s primarily to simplify security. All objects stored in Windows 2003’s Active Directory database will have the following attributes attached:
• •
Methods Every object will have methods in common, such as creating the object, opening the object, and deleting the object.
•
Collections If an attribute can contain more than a single value (such as the members of a group object), these values are stored as collections or an array of values.
Properties All Active Directory objects have a set of properties or attributes, which you usually see by right-clicking on the object and choosing Properties from the context menu. At a minimum, an object will have a name property and a type property.
By treating everything as an object, Windows 2003 maintains security over the object no matter how a user accesses the object—whether locally, sitting at the domain controller, or remotely from another system. In fact, a significant collection attached to the objects in Active Directory is the Discretionary Access Control List (DACL), as seen in Figure 1.1. This list provides the one and only security model for access to objects in Windows 2003. Every time a connection to the object is attempted the DACL is checked before access is granted. Now that you understand the concept that objects are stored in Active Directory, the question that remains is: What exactly are the objects that can be stored in the Active Directory directory database?
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:47 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
CHAPTER 1 Planning and Preparing for Active Directory
FIGURE 1.1
11
The Discretionary Access Control List
Computers A computer object is a software representation of a physical entity, namely, the computer. It represents an important level of participation in the Active Directory domain. This level of participation usually has to do with security. You should also understand, when thinking of computer accounts, that only certain operating systems have this ability to create a computer account in the domain. Any of the Windows Server 2003 or Windows 2000 (both Professional and the varieties of Server) operating systems can participate with a computer account. XP Professional, likewise, can create an account in a 2003 domain. However, the XP Home version, along with the 9x family of operating systems, cannot. This can be significant if you want to implement security options such as restricting a user’s logon to a single computer or group of computers in an enterprise, or if you want to take the administrative steps of deploying software to computers using a Group Policy Object (Group Policies will be discussed at great length in Chapters 6–8). As will be reiterated throughout the book, you can only deploy Group Policy to computers that support it.
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:47 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
12
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Travel Advisory Windows NT 4 systems have the ability to participate as a computer account also, but since Microsoft is dropping support of NT 4, it’s usually assumed for the purposes of computer account discussion that only the latest of Microsoft’s operating systems will be used.
Users User accounts comprise the meat and potatoes of Windows 2003 domain administration. All computing activities, whether it be access to a resource or backing up a file, occur in the context of a user account. An account is needed to interact with the network and is issued an access token at logon time. This access token is presented against a resource’s Access Control List (discussed earlier in the chapter) to determine what level of access a user has. Without a valid user account, a user has no access to a Windows 2003 domain.
Groups A group object is just another type of account, much like a user account. However, this account’s purpose is to contain a list. In this list is an inventory of all the user accounts that belong to the container account (the group). It is also used at logon time, in conjunction with the user account, to help generate an access token. In other words, a group object is a gathering of other objects. The advantage of a group is straightforward: it makes administration of permissions and rights simpler. When you grant a level of access permission to a group, the permission applies to all members of that group. This is especially advantageous as domain accounts grow to hundreds and thousands of accounts. In Chapter 5, we’ll take a more leisurely tour of what kinds of groups are possible in Windows 2003 domains and the significance of each.
Printers In a Windows 2003 domain, you have the option of creating a software object in Active Directory for each shared printer in your enterprise. The advantage of creating an Active Directory object for each shared printer (rather than just creating the shared printer on a print server) is that it enables users to find an enterprise’s printers more easily by conducting a search through Active Directory. That way, users don’t have to know the physical location of the resource they’re looking for. Just like when you use the phonebook, you don’t have to know what street the business is on when you’re looking for it, you just have to know what the business does.
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:48 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
CHAPTER 1 Planning and Preparing for Active Directory
13
Additionally, more attributes can be listed about the printer than can be with the shared object alone. When you share a printer, you just configure a share name. When you publish a printer in Active Directory, you can include information about the printer’s functionality or what floor it’s on, which can be a big advantage to users who want to send a job to it. Note that even though the a printer object is created in Active Directory, the printer still exists as an object on a local machine, and that computer handles the security for that printer. The printer object that’s stored in Active Directory is really just information about the printer.
Shared Folders Much like printers, these resources are shared out from file servers in your enterprise. But also like printers, information about the shares can be published in Active Directory, facilitating easier searches when users are looking for resources. The computer hosting the share will still be responsible for managing the security permissions on that shared folder when it is accessed from the network.
Travel Assistance For a full discussion of creation of shared resources and printers in a Windows 2003 Active Directory network, please see Mike Meyers’ MCSE/MCSA Windows® Server 2003 Network Passport (Exam 70-293). Also keep in mind that the above are just some of the more common objects you create in an Active Directory directory database. You can also create Contact, InetorgPerson, and MSMQ Queue Alias objects, along with many others, as your needs require. Now that you’ve learned about the background of Active Directory, and about what objects it can and commonly does contain, it’s time to actually implement Active Directory in a Windows 2003 enterprise. The next section looks at how to do this.
Objective 1.03
B
Installing Active Directory on Windows Server 2003
efore you can take advantage of benefits afforded by Microsoft’s Active Directory, you must know how to implement it. The process for installing a
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:48 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
14
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Windows Server 2003 server computer begins by launching the Active Directory Installation Wizard, often referred to by its executable file, DCPROMO.
Travel Advisory There are other ways to launch the Active Directory Installation Wizard, just as there are lots of ways to open the Control Panel. For example, you could choose Configure Your Server Wizard from the list of Administrative tools. The Configure Your Server Wizard is also the first thing that launches after you’ve got Windows 2003 installed. But for purposes of testing, you should know how to launch the Active Directory Installation Wizard from the Run dialog box, and the utility that launches it, as is demonstrated here. But if you like graphical interfaces for all your administrative tasks, you have my blessing. I mean, really, besides book authors with large disability insurance benefits covering carpal tunnel syndrome, who enjoys typing? Using dcpromo.exe, you can install and remove Active Directory from a Windows Server 2003 computer at will. It provides a wizard-based interface that is as easy to use as any other wizard in the Windows environment. In fact, if you can set up a printer on a Windows 98 machine using the Add Printer Wizard, you have all the requisite button-pushing skill to install Active Directory. The hard part, as with all things Windows Server 2003, is not the button clicking, but possession of a full understanding of what will happen when the buttons are clicked.
Running the Active Directory Setup Wizard As we go through this wizard, it is assumed that you are setting up a test environment, and therefore I will demonstrate the most straightforward way possible. As in most wizards, there are many different paths the Active Directory installation can follow, depending on your goals. Before you start the Active Directory Installation Wizard, there are a few important requirements that must be met for successful installation. Here’s a look at what must be in place before installing Active Directory, in no particular order. You probably won’t be tested on this, but it wouldn’t shock me if you saw a question demanding knowledge of these requirements:
• •
An NTFS partition for the SYSVOL folder Free space on your hard disk, about 1 GB
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:48 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
CHAPTER 1 Planning and Preparing for Active Directory
•
The Installation Wizard must be run in the context of an account with administrative permissions in the domain or administrative permissions in the enterprise (the local Administrator account will be sufficient to create a forest root domain, which we will be doing here)
•
DNS, which will be installed if an installation is not present.
15
It’s also important to realize here that as we go further in this book, we will be taking different paths through the Installation Wizard than the one outlined here. These other paths will result in different roles for your Active Directory domain controllers, and will be examined in the detail necessary to fully understand them in later chapters. For now, our goal is just to build an Active Directory domain that we can work with later as necessary. To launch the Active Directory Installation Wizard: 1. Click Start | Run, and then type dcpromo to start the Active Directory Installation Wizard. 2. Click Next to bypass the introductory screen of the Active Directory Installation Wizard. 3. On the Operating System Compatibility page, read the information and then click Next. Note here that the improved security characteristics of Windows Server 2003 set communications requirements of its clients that cannot be met with older operating systems such as Windows 9x and NT 4 with an outdated Service Pack. 4. Here’s where the real forks in the road first appear. Since we are assuming that in this first chapter you may be setting up a test environment for learning purposes, we will create a new domain in a new enterprise of computers (your enterprise of computers, to be precise). On the Domain Controller Type page, select Domain Controller For A New Domain, as shown in Figure 1.2, and click Next. 5. Since we’re starting a brand new enterprise, and not joining an existing one, from the Create New Domain page, select Domain In A New Forest, as shown in Figure 1.3, and then click Next. 6. Enter the full DNS name for the new domain and click Next. We’ll talk extensively about the naming of your domains in the next chapter.
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:48 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
16
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 1.2
Creating a new domain
Travel Advisory If you’ve ever surfed the Internet, you have used DNS domains like ebay.com or microsoft.com. You can use a similar namespace in the creation of your Active Directory domain. If you are creating a private namespace (it won’t ever be searched for from a computer connected to the Internet), you can use any namespace you want, like mydoghas.fleas. For this example, I’ll use the fictional namespace of lanscape.net. (At least as of the time of the writing, the name had not been registered.) But while the namespace will be fictional, the Active Directory installation will not. I just won’t have resources available publicly. 7. From the ensuing dialog box, confirm the NetBIOS domain name. This will be important if you plan on having non-Active Directory clients, such as NT 4 clients, access your domain. 8. Confirm the location of the Active Directory database and log files. It is recommended practice that you locate these folders on different drives than the operating system for recoverability, although, as shown in Figure 1.4, the default locations are on the same partition as the operating system.
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:49 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
CHAPTER 1 Planning and Preparing for Active Directory
FIGURE 1.3
Creating a new domain tree in a new forest of domains
9. Confirm the location of the SYSVOL, or shared system volume, folder. This folder replaces the NETLOGON share functionality of NT 4 domain controllers and is the communications channel through which logon attempts are submitted.
FIGURE 1.4
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:49 PM
Specifying where the directory services and log files should be located
17
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
18
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Travel Advisory The SYSVOL folder must be placed on an NTFS-formatted drive. In other words, NTFS must be present for installation of Active Directory. 10. The wizard now confirms your DNS server installation on the DNS Registration Diagnostics page. You should receive a warning if a DNS server is not found. If a DNS server is not found, the wizard will offer to install DNS for you, as shown in Figure 1.5.
Travel Advisory DNS installation by the Active Directory Installation Wizard is almost always a good idea when DNS cannot be located. If you choose No from this dialog box, Active Directory will still install, but you will receive numerous startup errors, and indeed Active Directory will not be functional until you address this problem. You must either find or create a DNS server that supports the necessary records that Active Directory creates. Windows 2003’s DNS server supports these records, and the Active Directory Installation Wizard creates them automatically (you’ll likely have to create them manually if using a UNIX DNS server solution, for example), so why not take advantage of the automation the wizard provides? Appendix C spells out in detail just what those records are. 11. Choose the option that begins “Install and configure the DNS server,” and then click Next to let Windows 2003 set up DNS on its own. 12. On the next screen, you’ll receive a security warning. In NT 4 and prior, the Remote Access Server (RAS) had to allow clients to read domain information before authentication. If your RAS servers are down-level (NT 4.0), you will need to allow this weaker level of permissions. Click Next after you’ve made your decision, which should be permissions compatible with Windows 2000 or Windows 2003 server operating systems unless absolutely necessary. 13. Next, you’re prompted for the Directory Services Restore Mode password, as shown in Figure 1.6. This password does not have to be the same as your administrative password, but you should make sure it is safely stored—written down somewhere secure—so that it won’t be forgotten.
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:49 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
CHAPTER 1 Planning and Preparing for Active Directory
FIGURE 1.5
The offering of DNS installation
14. The next screen will summarize your choices before starting the Active Directory installation. You can click Back to review and/or change any of your settings before clicking Next. Clicking Next starts the installation process. (If you’ve selected that DNS be configured, you
FIGURE 1.6
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:50 PM
The Directory Services Restore Mode password
19
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
20
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
might be prompted for the location of your Windows Server 2003 installation files.) 15. If all has gone according to plan, you’ll get a final dialog box, as shown in Figure 1.7, confirming the successful installation of Active Directory on the system. Once you’ve closed this dialog box, you’ll be prompted to reboot the server. Congratulations! You’ve just turned an ordinary Windows Server 2003 system into an all-powerful forest root domain controller. Now you’ve got a system that has all the directory services software necessary to run a computing empire such as mighty Microsoft itself, or, more modestly, to simply study the features of Active Directory from the comforts of your home (a somewhat smaller computing empire, I’ll assume). Either way, the concepts will remain the same. After the installation of Active Directory is complete, you will have three new Microsoft Management Console snap-ins added to your administrative tools so that you can, appropriately enough, manage what’s in your Active Directory directory database. These three tools, which you will find by clicking Start | Programs | Administrative Tools, are the following:
Travel Advisory Throughout this book, I will be giving instructions like “Open the Control Panel,” or “Access the TCP/IP Properties page.” There are lots of different ways to accomplish these tasks, but I’ll assume that by this point in your certification studies, you know most of them, or at least the ones that work best for you. Most of my instructions will be given as if you are using my server, which I’ve configured with the XP Theme interface, but with the older Windows 9x-style Start menu and icons like My Computer and My Network Places added to the desktop.
•
Active Directory Users and Computers This will be the tool used to manage most of your Active Directory objects, such as (who would guess!) User accounts, Computer accounts, as well as Group accounts, published printers, and shares, to name a few. You will also be coming here often to do your Group Policy management.
•
Active Directory Domains and Trusts This tool will be used to manage trust relationships between the domains of your Active Directory enterprise and other external domains. Earlier I explained that one of the benefits of Windows 2003’s Active Directory domain model, especially when compared to NT 4’s model, was that
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:50 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
CHAPTER 1 Planning and Preparing for Active Directory
FIGURE 1.7
21
The final dialog box will sum up your accomplishment.
administration of trusts in your enterprise is virtually nonexistent. That’s still true. What you will use this tool for is to specify and manage trusts between either older NT 4 domains or between domains of external organizations and yours.
•
Active Directory Sites and Services This will be used to create and manage the directory services sites, and to further manage the replication of Active Directory information between these sites.
There are other tools installed as well, such as Domain Controller Security Policy and Domain Security Policy, but the tools most important to managing Active Directory objects are listed above. We will be using all of these tools, especially Active Directory Users and Computers and Active Directory Sites and Services, extensively throughout this book, so stay tuned if you’re aching to find out more about the uses of these MMC consoles.
Travel Advisory The Microsoft Management Console is the framework against which the management utilities are written. An MMC can be customized to best suit your needs, but several preconfigured MMCs are automatically installed when you set up Windows Server 2003, and more are added as you add more software components to manage. By itself, however, the MMC has no functionality.
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:50 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
22
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
The MMC should be very familiar to Windows 2000 administrators, or even to admins of any of the Microsoft Back Office software products (SQL Server, ISA Server, SMS, and so on). For further information on the MMC, please see the Microsoft Windows 2003 Resource Kit. If you’re upgrading a system—and indeed, a domain model—from Windows NT 4.0 (it’s about time!), you will find great solace in the fact that Active Directory is just as easily uninstalled from any single domain controller. Under the Windows NT 4.0 environment, administrators had to reinstall the operating system in order to reconfigure. That’s because the decision to operate as a domain controller was made at Windows installation time and was thereafter set. Changing server roles was not as flexible as it is today.
Ideal Domain Design Additionally, keep in the back of your mind that Microsoft recommends that, whenever possible, you design your Active Directory infrastructure to include only a single domain. This is because a single Windows 2003 domain is scalable (there’s that word again) to millions of objects. In other words, a single domain has the potential to accommodate organizations of almost any conceivable size, including Microsoft itself. When you implement a single domain, all of the Active Directory concepts still apply, but you can be blissfully unaware of almost every one of them and still have a good working network. If you don’t have testing in mind, Microsoft makes it awfully easy to administer a small to medium sized company with its newest version of Server. But that’s not our goal here, is it? You picked up this book to quickly obtain the information that Microsoft expects you to know for the 70-294 exam. In the next chapter, we start focusing on precisely that information.
CHECKPOINT ✔Objective 1.01: Understanding a Directory Service
In this chapter, we’ve examined the foundational information necessary to understand Windows 2003’s Active Directory. With an understanding of these concepts, we will go forward to explore how to best implement Active Directory. We started with a look at the history of a directory service, and the role a directory database plays in a modern computing network. We also examined how a directory service serves to authenticate users on a network, and how it enables access to resources in multiple domains.
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:50 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
CHAPTER 1 Planning and Preparing for Active Directory
23
✔Objective 1.02: Understanding the Components of Active Directory
Next we looked at the parts of an Active Directory environment. These Active Directory components include users, computers, domains, global catalogs, schemas, and domains. We also mentioned that the Active Directory namespace is built on an existing, open-standards based naming technology: DNS. This vital Active Directory concept is further discussed in Appendix C.
✔Objective 1.03: Installing Active Directory on Windows Server 2003
In the chapter’s final section, we walked through the steps to set up Active Directory on a computer running Windows Server 2003. You need to install Active Directory so that you can follow along with some of the steps later in the book. Also, it’s generally a good idea install the software you’re going to spend a considerable time studying. We also looked at the Microsoft recommendation for ideal domain design.
REVIEW QUESTIONS 1. Which of the following attributes are contained in every object created in an Active Directory domain? Choose all that apply. A. B. C. D.
A first name A security identifier A common name A class
2. Which of the following components of Active Directory are shared by all domains in an Active Directory enterprise? Choose all that apply. A. B. C. D.
Schema Global Catalog Parent domain Configuration
3. What are the two items that make up the Active Directory schema? A. B. C. D.
Classes Names Attributes Objects
4. What is the utility used to install Active Directory on a Windows Server 2003 computer? A. promotedc.bat B. dcupgrade.exe
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:51 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
24
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 1
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
C. adinstall.exe D. dcpromo.exe 5. Which of the following components of Active Directory need to be installed on an NTFS partition? Choose all that apply. A. B. C. D.
The SYSVOL folder The Active Directory log files The Active Directory database The 2003 operating system
REVIEW ANSWERS 1.
Every object in Active Directory needs to have a unique security identifier (SID), a unique name that includes the domain name where the object resides, and a class from which the object was created.
2.
There are three elements that are common to all domains in a linked Active Directory enterprise. They are the schema (a list of what’s possible to add to Active Directory), the Global Catalog (an index of commonly used objects and their attributes), and the configuration.
3.
Classes are really preset templates of attributes. There are preset classes for computer, user, printer, and organizational unit Active Directory objects. Attributes store specific information about a class.
4.
dcpromo.exe launches the Active Directory Installation Wizard, which is used to install Active Directory on a given Windows Server 2003 system.
5.
In order for Active Directory to install, the SYSVOL folder must be placed on an NTFS drive. The scripts folder contained within the SYSVOL folder will be shared out as NETLOGON, and will be the location where logon requests to the domain are submitted.
P:\010Comp\Passport\575-0\ch01.vp Monday, August 04, 2003 1:33:51 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
The Physical Active Directory Components
2
ITINERARY
• • •
Objective 2.01 Objective 2.02 Objective 2.03
•
Objective 2.04
•
Objective 2.05
Manage an Active Directory Site Implement an Active Directory Site Topology Monitor Active Directory Replication Failures Using the Microsoft Monitoring and Management Tools Plan a Strategy for Placement of Global Catalog Servers Plan Flexible Operations Master Role Placement
NEWBIE
SOME EXPERIENCE
EXPERT
4 hours
2 hours
1 hour
25
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:37:59 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
26
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
As we outlined in the book’s opening chapter, there are logical components of Active Directory, and there are physical components. This chapter takes a look the physical components: what you can see and touch when managing your Active Directory enterprise. Essentially, there are two Active Directory components considered physical: sites and domain controllers. In Chapter 2, we’ll cover in more detail the domain controllers, the boxes running Windows Server 2003, whose main function is to store a copy of the Active Directory information. We’ll also discuss sites, which are collections of IP subnets, and are used to control Active Directory replication between the domain controllers. Again, a site is considered a physical component, because when you look at the wires, network cards, hubs, routers, and so on, you are also looking potentially at an Active Directory site. Sometimes a domain controller will store additional information beside the Active Directory database for a domain. Sometimes, it will store a copy of the Global Catalog, which contains information from all the other domains in your Active Directory forest. This chapter will examine the purpose of the Global Catalog, and instances where you may want to consider implementing additional Global Catalog servers in your enterprise. Other specialized servers running Active Directory will be responsible for storing and managing specific information about the domain or forest. These specialized servers hold one or more of the Flexible Single Master Operations (FSMO) roles, and are essential to a properly operating Active Directory environment. Knowledge of the FSMO roles is also essential to your exam success. Let’s get started.
Objective 2.01
S
Manage an Active Directory Site
imply defined, a site is a collection of one or more IP subnets. More importantly, a site defines a unit of replication for the Active Directory database. That is, the domain controllers within a site exchange Active Directory database updates much differently than do domain controllers between sites. And that’s not all: not only is a site used to control replication traffic, it is also used as a unit of logon traffic, it keeps requests to the Global Catalog local (if there is at least one Global Catalog server per site, as is recommended), and furthermore is used to optimize traffic for Active Directory–aware applications, such as the Distributed File System (DFS). Most of these terms, and indeed the significance of sites, will be detailed as the chapter continues.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:00 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
27
Travel Assistance For a full discussion of DFS, please see Mike Meyers’ MCSE/MCSA Windows Server 2003 Environment Certification Passport (Exam 70-290) by Eric Daeuber and Dan Newland (McGraw-Hill/Osborne, 2003). Once you understand that a site is a way of controlling Active Directory traffic, you can make more informed choices about how many sites your organization needs. If a company is using Windows Server 2003, and is located in a single office building or office complex, sticking with the default single site configuration that’s created when Active Directory is set up makes sense. This way, you can let automated processes take care of replication with a minimum of administrative interference. Generally speaking, however, it is a good idea to implement a site for each geographic location, as you can better manage how Active Directory replication traffic uses the WAN links that connect the different locations. For example, if your company has major office facilities located in five separate cities, and those offices are connected by WAN links slower than a T3, you should consider a different Active Directory site for each of those cities. You might even want to implement separate sites for office buildings within the same city, if office buildings are connected by slower links. Then again, it might not always be a good idea to implement a separate site just because domain users are separated geographically. In certain cases, especially where branch offices are small or are connected by fast links, implementing multiple sites can actually cause a decrease in LAN performance. Because a site will contain at least one domain controller, creating a site may sometimes cause unnecessary expense. It all depends on the links between physical locations and how many users are at each. There are no right or wrong answers, of course, but Microsoft does expect you to recognize what works best given a specific set of parameters. In short, there’s a lot to consider when configuring and managing Active Directory traffic. To do so, you first need to know the procedure for creating a new site.
Creating a Site When you establish an Active Directory domain, all subnets will be included in a single site that is created when Active Directory is installed on the first domain controller in the forest. The site is called, somewhat aptly, Default-First-SiteName. You start investigating the many properties of and child objects in the site by launching the site management tool, Active Directory Sites and Services from Administrative Tools, as shown in Figure 2.1.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:00 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
28
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 2.1
The Active Directory Sites and Services MMC
Because there’s only one site so far in your Active Directory enterprise, all domain controllers that you add to the domain will also be placed in this first site. Because they all reside in the same site, these domain controllers will exchange Active Directory information using intra-site replication techniques (we’ll define exactly what these are in just a bit).
Travel Advisory Remember, there are no other sites until you tell Active Directory that it is so. If you have one domain controller in Kansas City and one in Reykjavík, Active Directory assumes they are in the same location and will replicate database changes accordingly. Further, as mentioned above, this Default-First-Site-Name might be all you need. For example, if your network is relatively contained, or the locations are connected by very fast links (you have a T3 line, say, connecting one office to the other), or if there are very few changes to the Active Directory database on a day-to-day basis, you might only need the Default-First-Site-Name for your Active Directory enterprise. If it helps, this default container can be easily renamed
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:00 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
29
to more accurately reflect the geography of your organization. Renaming will be discussed later. If, however, you find that your network is expanding to multiple geographic locations, and more importantly that the links between these locations are slow, you should probably implement multiple sites. Again, that’s up to you—for a network with thousands of users, a T1 might be slow, while a smaller company might only need additional sites if there is less than 128K of available bandwidth. Why should you implement multiple sites? Among the other benefits mentioned earlier, to govern replication. Active Directory information sent within a site is managed using a background process and requires very little, if any, human intervention. The management of how Active Directory information is sent between sites (inter-site), however, requires much more direct configuration by humans. You will have to know more about inter-site replication because that’s what you will be managing as a network administrator. Fortunately, you’re only a few clicks away from adding a second site (or third, or fourth…) to your Active Directory topology. Here’s the procedure you’ll follow: 1. From the Administrative Tools, open Active Directory Sites And Services. 2. Right-click on the Sites folder, and choose New Site from the context menu. 3. Give your new site a name and choose one of the site links this site will use for replication, as shown here. There will be at least one site link, called DEFAULTIPSITELINK, which, like the Default-First-Site-Name, is created when you install Active Directory. We will discuss the importance of site links later in the chapter.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:01 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
30
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
4. After clicking OK, you will receive a dialog box reminding you of next steps. Good news, though: you won’t need this dialog box after absorbing what’s in this chapter.
Good! You’ve just configured a second Active Directory site and are on your way to regulating replication traffic exactly as Microsoft recommends. Note that there’s nothing in the site yet; it’s just an empty container object, but that will soon change. Also, bear in mind that office locales, like the businesses themselves, are fluid, often changing as businesses expand (see Microsoft), acquire other businesses or are acquired themselves (see any company whose software Microsoft likes), or go out of business altogether (see any company Microsoft competes with).
Renaming and Deleting a Site Your existing Active Directory site topology can easily be renamed to reflect these changes. You may further need to delete sites, which is also a very straightforward procedure. The renaming procedure is as follows: right-click on the site and choose Rename. Just like the renaming of a user account, all you’re really doing is changing one of the attributes of the Active Directory object, and not anything fundamental about the object itself. When an Active Directory object is created, humans give the object a name, but for a computer, the most important aspect of the object is the number, known as a security identifier (SID). In fact, the object is a number as far as Active Directory is concerned. When you rename an object like a site or a user account, nothing about the object changes except that single attribute. But when you delete an object, you are deleting that SID. If you were to then create an object and give it the same
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:01 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
31
name as the object you just deleted, you would need to reconfigure all of that object’s properties if you wanted it to behave just like the deleted item. For example, a site containing several domain controllers that was deleted and then recreated with the same name would be void of any domain controllers. If you were to rename the same site rather than delete it, however, the site would keep its domain controller membership intact. This issue will be explored again in Chapter 5, when we configure user accounts. Deleting a site is a little more precarious. Of course, when you delete a site, the subnets and domain controllers within that site—the physical entities—do not vanish into the ether. But their references in Active Directory are deleted, and that can certainly have an impact on replication traffic. Therefore, caution should be taken when removing sites. It’s recommended practice that when you delete a site, you delete only an empty site object. A site is considered empty when all domain controllers have been first removed or moved to other sites. To delete a site, simply right-click on the site and choose the Delete option. You will get a confirmation dialog box, shown here, telling you pretty much what I just did. Of course, your sites will be empty before deletion, right?
Site Properties Once you’ve configured a site, you’ll likely begin its management by changing some of its basic properties. The site has properties because, when created in Active Directory, it’s a piece of code; an Active Directory object and all objects in Active Directory have properties. To access the site’s Properties dialog box, just right-click on the site node in the left pane of Active Directory Sites and Services and choose Properties. You will see these five tabs:
• • •
General
A description for the site.
Location You can enter a location description, usually a geographic description if that’s not apparent by how you name your sites. Object Lets you see the full name of the object and when it was created. Unlike almost every other object tab you’ll encounter, there is nothing editable on this tab.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:01 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
32
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
•
Security Allows you to set the Access Control List for the Active Directory object, and also allows you to delegate administrative permissions over the site object to other users in the organization.
•
Group Policy Lets you create and attach Group Policies that will manage the users and computers who use the resources in the site.
Exam Tip Group Policies make up a large section of test objectives, and a full exploration of Group Policies is to come in Chapters 6–7. You can delegate control of many Active Directory objects, and sites are just one example. You can also delegate administrative responsibility over domains, organizational units, and domain controllers. More about delegation of administration will follow later in this chapter and in Chapter 3.
Configure Site Boundaries The creation of your Active Directory site topology follows a recommended procedure that we’ll present here. It’s okay to get this procedure out of order, but when first creating an Active Directory topology, the procedure outlined in this chapter will help you keep things straight. After you create a site, you will set the boundaries for the site using subnets. You know the simple definition by heart now: sites are one or more well-connected IP subnets. A site will be populated with your network’s domain controllers, but they are made up of subnets. In other words, the subnets really give shape to the sites. The site by itself is just an empty shell. Computers, including domain controllers, get associated with sites based on the IP subnets they belong to.
Travel Advisory Because computers are associated with sites based on their IP subnets, Microsoft recommends that you create your subnets and assign them to sites before installing your domain controllers. That way, the domain controller will assign itself to the appropriate site automatically during installation based on the IP address with which it’s configured. Here are a few quick rules about subnets that are worth keeping in mind:
•
All subnets will be assigned to a site. You won’t create a subnet without assigning it to an existing site, so you want to set up your intended sites before creating subnets.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:01 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
•
A subnet cannot exist in multiple sites. A site may be defined by several subnets, but a subnet can only be assigned to a single site. When configuring your sites, it’s either Democrat or Republican. Pregnant or not pregnant. A or B. You get the idea.
•
A client computer logging on to the domain will try to find a domain controller in the same site as the client computer. This additional benefit of site behavior keeps logon traffic local whenever possible.
33
Exam Tip Make sure you bring a pretty good grasp of TCP/IP to the 294 exam. Microsoft expects you to recognize things like CIDR notation and what a subnet is, since these are the building blocks of your Active Directory sites. To configure the boundaries of your sites, you need to create subnets and then assign these subnets to them as appropriate. Here’s how: 1. Open Active Directory Sites and Services, right-click on the Subnets folder, and choose New Subnet from the context menu. 2. In the New Object – Subnet dialog box, as shown in Figure 2.2, enter the IP address and subnet mask of a computer that will live on the subnet. Alternatively, you can specify a network ID, which will be more inclusive of the computers in the subnet. 3. Note that Windows Server 2003 automatically extracts the network portion of the IP address and lists the network ID in CIDR notation. It uses this CIDR notation to name the subnet. 4. Now assign the subnet to a site and click OK. This is why you create the container object, the site, before you give shape to the site by creating subnets.
Travel Assistance For more information about CIDR notation, please see the McGraw-Hill title, MCSE Windows Server 2003 All-In-One Certification, and turn to the 291 section, Chapter 2. It’s by Brian Culp. Hey, that’s me!! The sheer breadth of my computer knowledge is, at times, staggering. These subnets are created as objects in Active Directory, and just like any other object in Active Directory, the subnets will have a set of properties you can manage. One of these properties is the site it belongs to.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:02 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
34
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 2.2
Creating a new subnet for a site
Moving a Subnet But what if you change your mind about what site your subnet belongs to? What if a network ID changes? Or what if the network undergoes a minor reorganization, and you need to move a subnet from one site to another? As you might suspect, this is a very painless process. Here’s what you’ll do: 1. From Active Directory Sites and Services, click the Subnets folder, and then in the Details pane, select the subnet you want to move. 2. Right-click and choose Properties. From the General tab of the Properties dialog box, as shown in Figure 2.3, use the Site dropdown menu to select a site where the subnet will now reside. 3. Click OK to complete the move procedure. So if a site is one or more well-connected IP subnets, what exactly does “well-connected” mean? Well-connected usually implies the use of LAN connectivity methods—network cards, hubs, switches, and routers of at least 10Mbps—but the real answer is “It depends.” Is a T1 link between sites well connected? Not if there are thousands of users at each site. Is 128K well connected?
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:02 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
FIGURE 2.3
35
Moving a subnet from one site to another
In your organization, where you might have offices with only a computer or two at remote locations, it may be. In other words, it depends. Well-connected is whatever you as an administrator decide it will mean. If the sites are not well connected, it’s up to you to control replication traffic so that WAN bandwidth is optimized. The next section deals with just this topic.
Objective 2.02
Implement an Active Directory Site Topology
S
o far, we’ve talked about the physical components that are involved in Active Directory replication—that is, sites and domain controllers—but we haven’t detailed much about the replication itself. That’s about to change. Here’s what gets replicated when Active Directory domain controllers talk to one another:
•
Schema data The actual structure of the database that holds the information that might be included in the Active Directory database.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:02 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
36
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
You might remember from Chapter 1 that all domains in a forest share a common schema. It follows then that all domain controllers in a forest share the same schema information.
•
Configuration data Included in the configuration is the overall design of the Active Directory enterprise. This information entails the domains, their names, and their arrangement in the forest hierarchy. Also included is the information that defines the replication topology.
•
Domain data This is the stuff that most people care about. This information describes the objects in your domain and the attributes of those objects. All domain data about all domain objects is replicated between domain controllers in an Active Directory domain. Also, subsets of information from all domains in a forest are stored on Global Catalog servers.
•
Application data This replicated information is optional, and will be replicated if application data partitions have been configured. These partitions are furthermore only replicated to specific domain controllers that are part of the application data partition. There are several benefits of implementation of an application data partition, including redundancy, availability, and fault tolerance. Additionally, a separate replication does not need to be defined. Data is replicated during Active Directory replication. Only domain controllers running Windows Server 2003 can store and manage a copy of an application directory partition.
Travel Advisory This application data is not replicated until an enterprise administrator sets up an application data partition. So if one of these preceding bullets deserves an asterisk, this is it. (Alternatively, I suppose it could deserve an Exam Tip, wink, wink, nudge, nudge.) The replication within a domain is handled by the domain controllers. The Global Catalog servers handle the other kind of replication, which is responsible for making Active Directory information available throughout the forest. In every Active Directory forest, there is at least one Global Catalog server. Global Catalog servers replicate the following information:
• • •
Schema information for the forest Configuration information for all domains in the forest A subset of domain data for all domains in the forest
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:03 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
•
37
All domain data for the domain of which the Global Catalog server is a member
By default, this Global Catalog server is created on the first domain controller installed at the forest root. Other Global Catalog servers should be added as needed. Microsoft recommends you implement one Global Catalog server per site.
Replication: How and Why Replication between the domain controllers in an Active Directory domain works by keeping track of a version number assigned to objects and attributes in the Active Directory database. This version number is called an update sequence number (USN) and is used to track the changes made to each copy of Active Directory. Every time a change is made to an object or attribute, the domain controller updates the USN for that object or attribute, and sends the attribute value, name, and USN for the attribute to other domain controllers. Each domain controller then keeps the USN they receive from their replication partners in a table that reflects the most recent changes. Every domain controller keeps track of its USN and, more importantly, the USNs of its replication partners. When a change is made to an object in one domain controller’s Active Directory database, the domain controller waits 15 seconds (this is the default interval), and then sends an update notification to its closest replication partner. If the source domain controller has more than one replication partner, subsequent notifications go out by default at three-second intervals to each. Furthermore, certain changes, such as changed passwords, are sent using urgent replication, where replication does not wait at all before sending changes to replication partners. If a domain controller finds that its replication partner has an update to its USN, it then requests that all changes since the last known USN be sent. This way, the replication behaves much like a differential backup. Even if a domain controller has been offline for an extended period of time, it can quickly be sent all updates to the Active Directory database when it comes back online.
Replication Within Sites (Intra-Site) Replication within a site is handled by a background process called the knowledge consistency checker (KCC). This is a background process that makes very few demands on you as the domain administrator. The job of the KCC is to evaluate the domain controllers within a site and automatically establish and maintain a ring-based replication topology. The ringbased topology is logical in nature; it does not mean that you need a token-ring
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:03 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
38
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
network, nor will the KCC create one. Rather, the ring topology is logical and merely ensures that there is more than one way to get Active Directory information from one domain controller to another. Further, the KCC automatically adjusts the replication topology as network conditions change. That means that as domain controllers or subnets are added or removed from a site, the KCC constantly checks to make sure that each domain controller is able to exchange information with at least two others within the site. The KCC manages the replication within a site by creating connection objects between the domain controllers the site contains. Further, the KCC creates connection objects between sites when needed. If there are two or more Active Directory sites, a site link will need to exist to govern replication between the sites. The KCC creates a default connection object, called DEFAULTIPSITELINK, and all sites created will belong to this link. More about replication between sites is discussed in the following section. A connection object is a network path that’s used to send and receive directory information. That also means, under normal circumstances, there is virtually nothing you will need to do to tweak the performance of the KCC. Your job as a test candidate is to make sure you know what the KCC is for. Here’s what else you need to know about intra-site replication:
•
Replication does not use compression. This behavior reduces the processing load on domain controllers (processing cycles are needed to compress and uncompress information).
•
Replication occurs based on a notification process. This means that when a domain controller has an update to its Active Directory database, it notifies the other domain controllers in the same site. These domain controllers then contact the notifying domain controller and request that the changes to the database be sent.
So while replication within sites is really no big deal, Microsoft expects you to know plenty about replication between sites.
Replication Between Sites (Inter-Site) The replication between sites is a much more complex process. It needs to be; the replication traffic can have a much more dramatic impact on available bandwidth, and as such must include the ability to be governed much more carefully. Here’s some key information about inter-site replication that you should be familiar with:
•
Replication between sites uses compression. The compression of Active Directory changes, while increasing processing load, cuts back on
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:03 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
39
bandwidth use, which in Windows 2003’s mind is seen as the more precious resource.
• •
It utilizes scheduling. Replication between sites only occurs during scheduled hours configured by the administrator. It uses a replication interval. The replication is only available during a set schedule, and even then only happens periodically, or at the replication interval, during those set hours.
These last two behaviors of inter-site replication are critical to managing the impact replication traffic has on your WAN. But before you can manage these parameters, you must make sure several things are in place: you will need to create at least one other site, assign subnets to your sites, and move at least one domain controller to each of your other sites. Once these preliminary steps have been competed, you will then create a connection object, or site link, between the different sites. Once you’ve done this, you can manage the properties of the connection object.
Configure Site Links But first, let’s tackle the procedure of moving a domain controller to another site. Like moving other objects, the process is just a matter of a few clicks. Here’s how: 1. From Active Directory Sites and Services, expand the Sites folder and expand the site where the domain controller you will move is currently located. 2. Expand the Servers node, and then right-click on the domain controller you’ll move, and choose Move. 3. In the Move Server dialog box, select the destination site and click OK to complete the procedure.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:03 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
40
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Travel Advisory Unless you’ve installed more than one domain controller in your domain using the some of the steps introduced in Chapter 1, you will only have a single domain controller. You can create sites without any domain controllers at all, however. Now that you’ve created a new site, and populated that site with a domain controller, you’re ready to manage the exchange of Active Directory information between the domain controllers in different sites. Before you do, however, you need to set up a site link that will link the sites. This provides the thoroughfare over which replication can take place. Here’s how to create a site link: 1. From Active Directory Sites and Services, expand the Sites folder and expand the Inter-Site Transports. 2. Right-click either the IP or the SMTP folder. Usually it will be IP, but slower links may use SMTP. The following section will examine the differences between these two inter-site replication protocols. For now, let’s use the IP folder. Choose New Site Link. 3. As shown in Figure 2.4, the Site Link dialog box appears, and you will give the site link a name. 4. Choose the sites to be included in the link by clicking them and choosing Add. Note that if there are only two sites created, they will automatically be selected for the new site link. Only if there are more than two sites will you have the choice of selecting which sites will be included. Click OK when you’re done. Here’s the difference between the two replication protocols:
•
IP IP uses remote procedure calls for sending replication. This is also the protocol used for replication within a site, and should be the protocol used if you have a persistent IP connection, as most offices typically do.
•
SMTP SMTP can only be used for replication between sites in different domains. It is not used for replication within a site. By its nature, SMTP is asynchronous. Further, SMTP replication can only send schema, configuration, and Global Catalog data. Domain data is not replicated this way.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:03 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
FIGURE 2.4
41
Creating a new site link
Exam Tip When you create an SMTP site link, you must also install a certification authority. The certification authority issues certificates that are used to sign the SMTP Active Directory replication messages, thus assuring the authenticity of Active Directory updates.
Configure Replication Schedules Now that you’ve created the site link, understand that you’ve just created another Active Directory object, and this Active Directory object can be managed via its Properties pages, as shown in Figure 2.5. In fact, it’s through the use of the Properties pages that you’ll manage how replication behaves between your Active Directory sites. Here are the properties you can configure:
• •
Description
For human consumption, a comment about the link.
Sites In This Site Link Here’s where you can add and remove the domain controllers that will use this site link for replication.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:03 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
42
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 2.5
The site link Properties
•
Cost This is a relative value, and it is used by Active Directory to determine the best route available when replicating information. The least expensive route is always used. More about site link costs in the section that follows.
•
Replicate Every This is where you set the interval of replication. When the site link is available, replication will take place however often you specify here.
•
Change Schedule This will let you alter the availability of the link. If you want replication between sites to occur only at night, you can set this by clicking the Change Schedule button and editing the dialog box you see in Figure 2.6.
Exam Tip The default replication availability is 24 hours a day, 7 days a week, and the default replication interval is every 180 minutes (3 hours). You can configure the interval anywhere from 15 minutes to 10,080 minutes (1 week). For replication to occur at the scheduled interval, the site link must be available.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:04 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
FIGURE 2.6
43
Replication takes place at the interval you specify when the link is available.
Configure Site Link Costs If you refer back to Figure 2.5, you see that the cost of a site link is 100. But just what exactly does this cost indicate? Dollar amount? Bandwidth? The answer is neither. The default site link cost is 100. Anything that is higher has a higher cost; lower has a lower cost. For example, if you assign a link with a cost of 200, Active Directory will calculate this link as being twice as “expensive” as the default value. When replicating between two sites, which link to use is an easy decision—the lowest cost will be used if available. When replicating information between sites that aren’t directly connected, the total costs of the links through all sites can be a complex calculation. To set the site link cost, simply enter a value in the Cost section of the site’s Properties dialog box, as shown previously in Figure 2.5.
Site Link Bridges By default, all site links are bridged together. They are transitive in nature, just like the trust relationships between domains in a forest. This enables all sites to talk to each other and exchange Active Directory updates. If this is not physically possible because of the topology of your network, you will need to create a site link bridge. As shown in Figure 2.7, site 4 has no way to get replication information to site 1. In today’s networking environment, the instances where a site link bridge is necessary will be very rare. And just because the link is a dial-up connection does not mean that it’s a nonroutable network. A connection made through an
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:04 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
44
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 2.7
Site 4’s only connection is to site 3.
RRAS server or a dial-up connection to the Internet is routed like almost any other connection. One example of a dial-up connection that necessitates a site link bridge is a direct-dial connection over the PSTN. To create a site link bridge, you first need to turn off the automatic bridging of the sites, as follows: 1. Open Active Directory Sites and Services, expand the Sites folder, and then expand the Inter-Site Transports node. 2. Right-click the transport for which you want to disable the automatic bridging of site links, and choose Properties. 3. On the General tab, as shown in Figure 2.8, clear the Bridge All Site Links check box, and click OK. On the General tab, note there’s also a selection to ignore schedules. This option will be used to force replication changes to occur regardless of the current availability of the schedule. After you’ve turned off the automatic bridging of links, you need to create the site link bridge for your network. To do so, follow these steps: 1. From Active Directory Sites and Services, expand the Sites folder, and then expand Inter-Site Transports. 2. Right-click the transport for which you’ll create the site link bridge, and choose New Site Link Bridge. 3. Give the bridge a name. From the list of site links not in this bridge, select the site links you want to add. 4. Remove any links you do not want in the bridge, and click OK when you’re finished.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:04 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
FIGURE 2.8
45
Disabling the bridging of site links
Exam Tip Remember that in a fully routed IP network, a site link bridge is not necessary. Because few companies utilize networks that aren’t IP or fully routed, the chances are quite good that you’ll never have to set up a working site link bridge. Of course, that doesn’t excuse you from not knowing about it on the exam.
Configure Preferred Bridgehead Servers An easy way to think of the bridgehead server is that it’s the “spokesperson” for a site. It is the main server that is used to send and receive replication information between sites. As shown in Figure 2.9, the bridgehead sends replication on behalf of the site, and vice versa. By default, there is one bridgehead server selected by the Inter-Site Topology Generator (ISTG) for each site that contains a domain controller, but you can change this selection using the method outlined next. Normally, you let this background process select the bridgehead server, so this is yet another area of expertise that you will need perform very rarely in a production environment.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:05 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
46
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 2.9
Role of a bridgehead server
Here’s how to create a preferred bridgehead server: 1. From Active Directory Sites and Services, expand the site where you are creating the bridgehead server. 2. Expand the Servers folder, and then right-click on the server you will make the bridgehead, and choose Properties. 3. In the Transports Available For Inter-Site Transfer area, select the protocol for which you want to make this server a bridgehead server, and click Add. 4. Click OK to commit your changes and then close Active Directory Sites and Services.
The Inter-Site Topology Generator As mentioned, you won’t have to specify a bridgehead server under most circumstances. That’s because yet another Active Directory replication process handles this for you behind the scenes. In every Active Directory site, there will be one domain controller (if there is a domain controller in the site) called the Inter-Site Topology Generator (ISTG). This domain controller’s job is to build the replication topology both between sites and within sites. It checks the cost of connections between sites, including whether domain controllers have been added or removed. The KCC process then uses this polling information to update the Inter-Site replication topology as needed. When you’re designing and implementing your Active Directory sites, you’re mostly concerned with the placement of your domain’s domain controllers, the other physical component of the Active Directory infrastructure. You will need to bring several specifics about these vital computers with you when you sit for the 70-294 exam.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:05 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
47
Domain Controllers The job of a domain controller is to store a writable copy of the Active Directory database. All of the objects in Active Directory, the user accounts, the groups, the computer accounts, the organizational units, and so on are stored on a domain controller, and these domain controllers are peers. When domain controllers act as peers, they engage in multimaster replication. A change to the domain can be made at any of the domain controllers, and these changes will be then reflected on other domain controllers after replication. How is the replication topology built between domain controllers? During the domain controller installation process, each domain controller is connected to other domain controllers within a domain. Eventually, there are multiple domain controllers in the domain and, as we’ve seen, the KCC automatically generates a replication topology between these domain controllers. The knowledge consistency checker ensures that every domain controller has at least one replication partner. The end result of this KCC activity is that domain controllers are able to talk to each other. Furthermore, they’re able to get information to other domain controllers using alternate routes. The other thing the KCC does is let Active Directory or the operating system take care of replication of Active Directory information without you having to worry about it too much or configure it manually as an administrator. In fact, creation of replication links between domain controllers within a site can be done manually, but it’s not recommended by Microsoft. The KCC tries to create at least two connections to replication partners for each domain controller, and no more than three hops between any two domain controllers. The KCC automates the replication process, ensures the replication topology, minimizes replication latency, and checks all replication links every 15 minutes to ensure that the domain controllers are functioning properly. If one of the domain controllers is taken offline, the KCC automatically regenerates a new replication topology for the domain. So again, you don’t have to do much; you can kind of fall backwards into a good working network with Windows Server 2003 and Active Directory.
Creating a Domain Controller A domain controller is created when you run DCPROMO on a computer running the Windows Server 2003 platform. The first chapter of this book looked at this process for installing a first Active Directory domain. In the next chapter, we’ll look at other options in the Active Directory Installation Wizard that will let you add more domain controllers or domains to the enterprise.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:05 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
48
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
You should understand, though, that when you create your network’s first domain controller, you are also configuring the first forest, the first tree, and, for purposes of this chapter, the first site, called Default-First-Site-Name. But knowing how to make a computer a domain controller is not enough. After all, is it wise to make all servers, or even all computers, domain controllers? Certainly not. And how many domain controllers do you need for your enterprise? How many do you need for a site? Do you need any at all? These questions and others are the focus of the next section.
Planning Domain Controller Deployment Generally speaking, it is always good practice to have two domain controllers in your organization. Even if your organization is confined to a single physical location, the other domain controller will provide backup and fault tolerance in the instance where one domain controller has a problem. If you ever need to restore Active Directory, this second domain controller can pay for itself quickly in saved downtime. If you have a really small network, 10–20 users or so, you could get away with one, but realize that any time that server goes down, users will be unable to search or otherwise modify the Active Directory database, and any administrative features of Group Policies will likely not be applied. If fault tolerance in your network is of any concern, get the extra domain controller for redundancy. With the price of hardware today, the peace of mind is well worth the investment. If you are working in a larger network, and have implemented Active Directory sites, it is recommended that you place a domain controller in each site. That way, domain logons will be serviced by a local domain controller (as long as the server is up), keeping such traffic from crossing the LAN. In addition, the network also gains the benefit of fault tolerance with a domain controller at each site, because a logon can still cross the WAN if a local domain controller is down.
Objective 2.03
B
Monitor Active Directory Replication Failures Using the Microsoft Monitoring and Management Tools
ecause replication traffic can have an impact on network performance, you should make it a habit to measure replication performance regularly to help you anticipate problems before they become problems.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:05 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
49
Travel Advisory This book’s purpose is to point you in the right direction toward certification, explaining major concepts along the way. It is not a cookbook of how utilities are used, especially all the command-line utilities. Your job as a test candidate is to recognize what the tools are used for, and not to memorize the proper syntax for every tool.
Monitor Active Directory Replication There are a few tools you should be familiar with to help you in this objective: repadmin This is a command-line utility that reports replication link failures and other diagnostic information between replication partners. The tool can also be used to manually create a replication topology, to force replication to occur between specific domain controllers. Normally, this is not necessary, as the KCC handles the replication topology automatically. Some of the switches used with repadmin include the following:
• • • •
replsummary showreps showreps /csv showvector /latency
These switches are used to detect and diagnose replication problems. When using the repadmin.exe utility, remember the /? option for an explanation of syntax and switches used. dcdiag This is another command-line utility that will check the DNS registration for a domain controller, evaluate the state of domain controllers for an enterprise, and check security identifiers for appropriate permissions. Again, use the /? option with this utility for a complete listing of switches and syntax. Directory Service Event Log If the domain controller encounters errors in replication, they should be logged here. The Event Viewer, which is used to view the contents of the Directory Service Event Log, gets its very own section in Chapter 4. replmon This is the Active Directory Replication Monitor utility. It, too, allows administrators to force replication and generate reports about Active Di rectory replication. It is a powerful tool that can even draw a replication topology map that lets you see your Active Directory infrastructure.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:06 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
50
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
With the exception of the Directory Services Event Log, the tools just listed are part of the Windows Support Tools installation. The Windows Support Tools are located on the Server 2003 CD-ROM under the \Support\Tools directory. The dcdiag, replmon, and repadmin utilities will garner further attention in Chapter 4, when we turn our focus to troubleshooting.
Travel Assistance There is also a tool called the Microsoft Operations Manager for monitoring of large numbers of domain controllers. For more information about this automated tool please see the Microsoft Operations Manager Web site at www.microsoft.com/mom. (Really, it’s mom. I couldn’t make that up.) And for more in-depth information about replication monitoring, check the Resource Kit Web site, which by press time should be available at www.microsoft.com/windowsserver2003.
Monitor File Replication Service (FRS) Replication The file replication service replicates specific files using the same multimaster model that Active Directory uses. It is used by the Distributed File System for replication of DFS trees that are designated as domain root replicas. It is also used by Active Directory to synchronize content of the SYSVOL volume automatically across domain controllers. When a client submits a logon request, he or she submits it to the SYSVOL directory, a subfolder of which, \scripts, is shared on the network as the NETLOGON share. Any logon scripts contained in the NETLOGON share are processed at logon time. Therefore, the FRS is responsible for all domain controllers providing the same logon directory to clients throughout the domain.
Delegating Control over Physical Active Directory Objects Active Directory offers the ability to implement total flexibility when designing the administration of Active Directory objects, and physical objects are no exception. To understand this concept, you must first grasp the concept of the Access Control List (ACL).
Using the ACL Every object in Active Directory has an Access Control List, much like the Access Control List stored for resources like printers and files on an NTFS partition.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:06 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
51
The ACL simply states who can do what to the particular object, in this case an Active Directory physical object. To access the ACL of an object within Active Directory Sites and Services, just right-click on an object and choose Properties from its context menu. The Access Control List is found on the Security tab, as shown in Figure 2.10. To delegate control, edit the entries on this list. For example, if you wanted the built-in group Authenticated Users to be able to add child objects to the site container, you would enable this ability with a single click of the standard permission Create All Child Objects. For even greater flexibility of administrative delegation, you could click on the Advanced button to bring up the Advanced Security Settings dialog box and edit individual Access Control Entries, or add new users and groups and select the level of administrative control as necessary. For example, if you wanted a particular user to be able to modify permissions on the site’s objects, and nothing else, you would add the user from the Advanced Security Settings dialog box, and then click Edit to set the permission. As shown in Figure 2.11, you could select just the Modify Permissions entry, which is just under the Read Permissions selection (you need to read a permission to modify it), and further pinpoint what objects the user could modify permissions on with the Apply Onto dropdown box in this window.
FIGURE 2.10
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:06 PM
A physical object’s Access Control List
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
52
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 2.11
Delegating a specific task to a specific user
As you can see, delegating a task using the Security tab of the object’s Properties requires quite a bit of administrative effort, and can even be overwhelming as you first start to see all the possibilities. Fortunately, however, there’s an easier way. Using the Delegation of Control Wizard, you can delegate specific tasks to specific users using a wizard interface.
Using the Delegation of Control Wizard To start the Delegation of Control Wizard, just right-click on a site object, the Inter-Site Transports folder, the Subnets folder, or the Servers folder below a site, and choose Delegate Control from the context menu. The Delegation of Control Wizard starts and will lead you through several steps as follows: 1. Click Next from the Welcome screen, and you see the Select Users and Groups dialog box. Click Add, then select the person or group to whom you will delegate administrative control. Click Next. 2. The next dialog box has you selecting tasks to delegate. To simplify the delegation, the wizard will group common tasks to delegate. This list
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:06 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
will change depending on what object you are delegating control over. (In the next chapter, we look at the Delegation of Control Wizard again, and you will notice more common tasks are available when delegating control over logical objects.) However, you can also create a custom task to delegate, which we will do here with the selection of the Create a Custom Task radio button, and then click Next. 3. Now the fun begins. In the Object Type dialog box, you select what specific objects or objects you’re delegating control over. The assumption the wizard makes is that you’re delegating control over the object and all contents therein. But as you can see here, you can also select the second radio button, called Only The Following Objects In The Folder, and then select from the laundry list of objects, which are now editable once this radio button is selected. After you’ve made your selections, click Next. In the example here, we’ll just select the entire folder.
4. In the Permissions dialog box that appears, as shown next, you can select the permissions the selected user or group will have over the selected object or objects. Note again that the list can be very extensive. For example, if you were using the wizard to allow creation of all child objects, you could select it as a General permission choice. When you
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:06 PM
53
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
54
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
do, you also have Create Site Settings Objects selected as well, since it’s considered a child object of a site.
5. Click Next, and the Finish page of the wizard displays. You can go back and make corrections if you wish. To sum up, when using the wizard, you first select who will have some measure of administrative control, and then you select what objects they have control over, and then finally select which tasks they can do. Sounds simple, right? But don’t be misled. Although the wizard simplifies the interface for editing the Access Control List, it does not reduce in any way the power of your administrative flexibility. The interface is simple, but what’s going on behind the scenes is anything but, which I suppose is the whole idea. The end result is a modified Access Control List, same as if you were to edit it manually. Using the wizard just requires a lot less effort.
Objective 2.04
S
Plan a Strategy for Placement of Global Catalog Servers
o far in this chapter, I’ve mentioned the significance of the Global Catalog and why it’s vital in an Active Directory forest. But as yet there hasn’t been
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:07 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
55
much accompanying detail. It’s essential, however, to understand the Global Catalog server’s place in the Active Directory enterprise. The Global Catalog is a store of Active Directory information, and this information has three main areas of functionality:
•
It facilitates cross-domain logon. The Global Catalog helps find the domain controller where a user’s account is stored by resolving User Principal Names—the user’s logon name appended to the domain where the account lives—to their respective domains.
•
It facilitates the finding of Active Directory objects in other domains. A Global Catalog lets users search for directory information throughout the forest, regardless of which domain the data is actually stored in. Therefore, having a Global Catalog server nearby can significantly speed up searches within a forest.
•
It handles universal group membership. Information about universal group memberships are only stored in the Global Catalog. When a user logs on to the domain, the Global Catalog is also consulted to provide a list of universal groups the account belongs to, if any. Later in the chapter, we’ll discuss the impact this has on network traffic.
A Global Catalog server, then, holds a copy of the Global Catalog and replicates any changes to other Global Catalog servers. With Windows Server 2003 this replication is handled by treating all the Global Catalog servers throughout the forest as if they were in one site. Therefore, the KCC handles Global Catalog replication automatically. Your job as administrator is to know where and when to implement Global Catalog servers and to manage how often changes are made to the Global Catalog. You do this by either configuring or not configuring a domain controller to hold a copy of the Global Catalog.
Implementing a Global Catalog Server In addition to the domain information for the domains in which they live, a Global Catalog server also holds a copy of the Global Catalog for the Active Directory forest. This means of course that you create a Global Catalog server on a machine that’s already a domain controller. Here’s how: 1. Open Active Directory Sites and Services, and expand the Sites folder where you wish to create the Global Catalog server. 2. Expand the Servers folder, and select the server you will have hold a copy of the Global Catalog.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:07 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
56
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
3. Right-click the NTDS Settings object, and choose Properties. In the dialog box, as seen in Figure 2.12, make the server a Global Catalog server by checking the Global Catalog box. 4. Click OK and you’re finished. Every forest should have at least one Global Catalog server. In fact, if the Global Catalog server is not available and the user has not logged on to the domain previously, the user will only be able to log on to the local machine. If the user has logged on previously, and the domain is set to Windows 2000 Native mode or higher, the user will log on using cached domain credentials from the previous logon. We’ll discuss the implications of Windows 2000 Native mode, along with all the other domain functional modes, in the following chapter. Fortunately, every forest has one Global Catalog server by default. A Global Catalog server is automatically enabled on the domain controller that establishes the Active Directory forest. You don’t have to keep the Global Catalog on this server, and can move it around to best meet your needs. When evaluating the needs of a Global Catalog server for a site, you must take into consideration the replication traffic generated versus the benefits of keeping Global Catalog searches local.
FIGURE 2.12
Enabling a Global Catalog server
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:07 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
57
Adding Attributes to the Global Catalog Active Directory provides a preconfigured set of attributes that are to be included for Global Catalog replication. Generally, the most commonly searchedfor objects, like user objects, are stored in the Global Catalog, along with the most commonly searched-for attributes, such as the username. To increase search efficiency, however, there will be times where you may want to customize the Global Catalog to include additional Active Directory attributes. But before you do so, a word of caution: changing the attributes stored by the Global Catalog will have an impact on network traffic.
Travel Advisory The contents of the Global Catalog are replicated to all Global Catalog servers. So when you change the contents of the Global Catalog, that information will be replicated among all Global Catalog servers in the Active Directory forest. Adding an attribute to the Global Catalog will require you to use the Active Directory Schema MMC snap-in. Because changes to the schema are so rare, it is not one of the tools found in your set of Administrative Tools from the Start menu. To use this tool, you need to build a custom MMC. But wait! Because management of the schema is so rare (I just said it was), the schema management is not even available until it’s registered on your system. To have it show up as an MMC snap-in option, follow these steps: 1. Open a command prompt (you can choose Start | Run and type cmd, but there are many ways to do this). 2. From the command prompt, type regsvr32 schmmgmt.dll. 3. A dialog box should confirm the successful registration of the schmmgmt file you just registered. Now the Schema Management snap-in has been registered to your computer. That wasn’t so bad, was it? Now you’re ready to add an attribute for inclusion in the Global Catalog. Here’s what you’ll do: 1. Click Start, then Run, and then type MMC. A blank MMC opens. 2. From the File menu, choose Add/Remove Snap-in, and the Add/ Remove Snap-in dialog box opens.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:07 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
58
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
3. Click Add, and then choose the Active Directory Schema. Click OK, then close the Add/Remove Snap-in dialog box. 4. In the MMC, expand Active Directory Schema, and choose the Attributes node. 5. In the details pane, right-click the attribute you want to add to the Global Catalog, and choose Properties from the context menu. 6. In the Properties dialog box, select the Replicate This Attribute To The Global Catalog check box, as shown in Figure 2.13. In the example, I’ll add the mobile phone attribute to the Global Catalog so it’s easier to find when searching through other domains.
Evaluate Network Traffic Considerations When Placing Global Catalog Servers Because Global Catalog servers store a copy of and replicate changes to the Global Catalog, it follows that any changes to the Global Catalog will have an impact on network communication. Microsoft recommends that you implement at least one Global Catalog server in every site. This keeps queries for forest resources from crossing slow
FIGURE 2.13
Adding an attribute to the Global Catalog
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:07 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
59
WAN links in most instances. Global Catalog servers are also consulted by clients for a list of available domains where they can submit logon credentials. A Global Catalog at each site keeps the retrieval of this list local.
Evaluate the Need to Enable Universal Group Caching If you have a small site, a link between sites that is very slow, or both, it may not be wise to implement an additional Global Catalog server. A small site might not merit the expense of another domain controller running Windows Server 2003, and precious bandwidth can be conserved by not having Global Catalog servers exchanging updates over a WAN link. In these situations, you can still conserve bandwidth and improve Global Catalog efficiency by caching universal group membership information. When you use universal group caching, universal group membership is stored locally on the domain where it’s been enabled. When a user logs on for the first time, the domain controller will go out and discover what, if any, universal groups the user belongs to. It then caches this membership information for the user indefinitely, with a periodic refresh. Now that the domain controller has this information locally, the user gets universal group membership from the domain controller rather than having to query the Global Catalog server. This can dramatically improve logon times for sites without a Global Catalog server, as well as providing these additional benefits:
•
Eliminates potential upgrade of domain controller hardware to handle the extra system requirements needed when storing and replicating a copy of the Global Catalog.
•
Makes WAN usage more efficient since Global Catalog information, other than universal group membership, will not be sent to the domain controller providing the caching service.
Travel Advisory Universal group membership caching is configured at the site level on a specific domain controller. It further requires that all domain controllers in the site are running Windows Server 2003. Here are the steps you’ll need to cache universal group information: 1. Open Active Directory Sites and Services, and select the site where you will enable universal group caching.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:08 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
60
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
2. In the details pane, select the NTDS Site Settings object, right-click, and choose Properties. 3. As seen in Figure 2.14, select the Enable Universal Group Membership Caching check box. In the Refresh Cache From dropdown box, select a site where the site will obtain its cache information. You want to select the nearest (or fastest-linked) site that contains a Global Catalog, since universal group membership updates will be published there.
Travel Advisory If you leave the refresh location set to <default>, the cache will be refreshed from the nearest site that has a Global Catalog. Otherwise, you can specify a site as you have just seen. Now you’re on the path to optimizing Active Directory replication traffic. The skills you develop here will help you when working within a single domain, and also transfer nicely when planning for larger, multidomain organizations. But to fully understand the kind of information managed in multidomain forests, you need to learn about certain roles that specific Active Directory domain
FIGURE 2.14
Enabling universal group membership caching
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:08 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
61
controllers play. Every Active Directory forest must have servers that hold these roles. These domain controllers are said to hold the flexible single master operations (FSMO, pronounced FIZZ-mo) roles.
Objective 2.05
Plan Flexible Operations Master Role Placement
A
s mentioned earlier in the chapter, all Active Directory domain controllers are peers. Changes can be made to any domain controller, and eventually those changes are known by all other domain controllers in the network. But there are certain changes to Active Directory information that are impractical to replicate using multimaster replication. Therefore, some domain controllers in the network perform single master roles where certain types of changes are made at only one server using the Windows NT 4 single master model of replication. That is, a change of information is made in one location only, and these changes are then pushed to other servers participating in replication. All domain controllers are aware of the changes made at the operations masters, but only one server manages the changes. You can think of the single master operations roles as the workers in a small company. At times, employees at a small company have to wear different hats, one minute working in sales, the next in marketing, the next in customer service or repair. Similarly, a Windows Server 2003 machine can wear several of these Active Directory hats at once when providing these single master roles in the Active Directory enterprise. It’s not at all unlike a server being both a DNS and a DHCP server at the same time. In every forest, there are five FSMO roles that are assigned to one or more domain controllers. Two of these operations masters are forest-wide: there is only one such server in the forest. Three are domain-wide roles: in every forest, certain single master roles will be held on only one server per domain. Let’s take a look at these roles.
Forest-wide Operations Master Roles Every Active Directory must have the following single operations master roles in place:
• •
Schema master Domain naming master
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:08 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
62
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Exam Tip These two roles are created on the first domain controller installed at the forest root domain. In other words, the first computer in the forest holds these two forest-wide roles by default. As mentioned, these two roles must be unique throughout the forest. For every forest there will only be one domain controller that’s the schema master, and one that’s the domain naming master, even though both of these roles can be located at the same machine. The responsibilities of each are as follows:
•
Schema master The schema master controls all updates and alterations to the schema. Whenever you are extending the schema, or are installing an application that does so, such as Exchange Server, the schema master must be available.
•
Domain naming master The domain controller acting as domain naming master is contacted when you are adding or removing domains in the Active Directory enterprise.
Exam Tip A domain naming master in a forest set to the Windows 2000 functional level must also be enabled as a Global Catalog server. This is not the case when the domain is set to the Windows Server 2003 functionality level. The domain functionality levels will be discussed in depth in Chapter 3.
Domain-wide Operations Master Roles For a domain to function as it should, every domain must have servers providing these single master roles:
• • •
Relative-identifier (RID) master Primary domain controller (PDC) emulator Infrastructure master
Like the forest-wide operations masters are to the forest, these roles must be unique for each domain. Let’s take a look at the importance of each of these roles now.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:09 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
63
RID Master The RID master distributes relative IDs (RIDs) to each of the domain controllers installed for a particular domain. Whenever a domain controller creates an Active Directory user, group, or computer, it assigns a SID. The RID number, then, is affixed to the domain security identifier (SID) number whenever a user, group, or computer object is created by a domain controller. The domain controllers get their RID numbers from the RID master. This ensures that the objects created in a domain all have unique SIDs throughout the forest. Further, when you want to move Active Directory objects from one domain to another, you do so at the computer currently acting as the source domain’s RID master. The object then gets a new SID assigned to reflect the membership in the new domain. There is only one RID master per domain.
PDC Emulator Master In the NT 4 domain model, directory information was replicated using a single master model. All changes to the directory database—such as a change of password—were made at the primary domain controller (PDC), and then replicated to backup domain controllers (BDCs). In a Windows Server 2003 domain, it’s still possible to have Windows NT 4 domain controllers, but they must be BDCs (a PDC would indicate the presence of an NT 4 domain, not a Server 2003 domain). The PDC emulator exists to “fool” Windows NT 4 backup domain controllers into thinking they’re communicating with a PDC. The PDC emulator is also the first domain controller notified whenever password changes are performed by other domain controllers in the domain. If a password is recently changed, it can take some time for all domain controllers to be notified of the change. If a user submits a logon to a domain controller that does not have the updated password, the logon request is forwarded to the PDC emulator before rejecting the logon attempt. The PDC emulator also provides other services not readily apparent from its name. By default, this FSMO server is responsible for synchronizing the time on all domain controllers throughout the domain. It’s often advisable that the server with the PDC emulator role be configured to synchronize with an external time server. You can perform this synchronization of the PDC emulator with an external server using the NET TIME command. The syntax to specify the PDC emulator’s Simple Network Time Protocol server will look like this: net time \\servername /setsntp: timesource
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:09 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
64
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Exam Tip The PDC emulator is also the computer where Group Policy objects are changed, even if the change is being made from another domain controller. Group Policies will be discussed in Chapters 6 and 7. The physical file of the Group Policy is changed at the PDC so that multiple changes are not made to the same Group Policy objects.
Infrastructure Master The infrastructure master’s job is to update objects in its Active Directory database with the objects stored in other domains. The infrastructure master does this by comparing its data with that of a Global Catalog. If the infrastructure master finds data that is out of date, it requests the latest Active Directory information from the Global Catalog. The infrastructure master then sends the updated data to other domain controllers in the domain. Additionally, the infrastructure master is in charge of updating group-touser references whenever members of groups are modified. This prevents the loss of group memberships that a user account is a part of when the user account is renamed or moved from one container to another within a domain. Unless your domain consists of only one domain controller, the infrastructure master should not be assigned to a domain controller that’s also a Global Catalog server. If the infrastructure master and Global Catalog are stored on the same domain controller, the infrastructure master will not function because the infrastructure master will never find data that is out of date. It therefore won’t ever replicate changes to the other domain controllers in the domain. There are two exceptions:
• •
If all your domain controllers are Global Catalog servers, then it won’t matter, since all servers will have the latest changes to the Global Catalog. If you are implementing a single Active Directory domain, there are no other domains in the forest to keep track of, so in effect the Infrastructure Master is out of a job.
To demonstrate the roles the domain controllers play in holding these FSMO roles, consider a simple forest of one tree and two domains. In this forest, as shown in Figure 2.15, there will be one schema master and one domain naming master, and two each of the RID master, PDC emulator, and infrastructure master.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:09 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
FIGURE 2.15
65
FSMO roles
Plan for Business Continuity of Operations Master Roles As you have just learned, the operations master roles are vital to the operation of an Active Directory forest. That said, you may not immediately notice when a server holding one or more of these roles is down. As long as the condition is temporary, there is little you need to do other than bring the domain controller back up again. It is possible to move these operations master roles to other computers should the need arise. When moving the location of the FSMOs, you will be performing either a transfer or a seize of the role in question, as explained in the next sections. Transferring a FSMO role is done when there is a planned change. Computers remain operational during this time. Seizing a FSMO role is a more drastic action, performed when the server holding the role has failed and will likely not recover.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:09 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
66
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Transferring the Operations Master Transferring an operations master role means moving it from one domain controller to another with the cooperation of the original role holder. Depending upon the operations master role to be transferred, you perform the role transfer using one of the three Active Directory consoles in the MMC. Transferring a FSMO role is done with one of a couple of tools, depending on what role you wish to transfer, as follows:
• • •
To transfer the role of the RID master, the PDC emulator, or the infrastructure master, use Active Directory Users and Computers. To transfer the role of domain naming master, use Active Directory Domains and Trusts. To transfer the role of schema master, use the Active Directory Schema snap-in.
Once you know what tools to use, the button-pushing is easy. For example, to transfer the role of PDC emulator, follow these steps: 1. Open the Active Directory Users and Computers MMC, then right-click on Active Directory Users And Computers, and choose Connect To Domain Controller from the context menu. 2. Type the name of the domain controller you want to hold the PDC emulator role, or select the domain controller from the available list, and click OK. 3. After selecting the target domain controller, right-click Active Directory Users And Computers again, point to All Tasks, and choose Operations Masters. 4. From the Operations Masters dialog box, as shown in Figure 2.16, click the PDC tab, and then click Change. For transfer of the RID master or infrastructure master, the same procedure will be followed except for the selection of the tab demonstrated in step 4. When you transfer roles, there is cooperation from the existing FSMO master. But sometimes those servers are down, and cooperation is not possible. In that case, you will need to seize the role.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:09 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
FIGURE 2.16
67
Transferring the PDC emulator operations master role
Exam Tip To transfer an operations master role, you must be a member of either the Enterprise Admins group or the Domain Admins in the domain where the current FSMO role lives. To transfer the role of the schema master, you must be in the Schema Admins group.
Seizing the Operations Master The failure of an operations master role can be generally summarized thusly: you probably will never notice the failure of one of these servers, provided that you intend on bringing the server back up in the near future. Why? Because most of the information held by the FSMOs is rarely updated. For example, you won’t notice the failure of the schema master unless you’re trying to update the schema. You won’t know that the domain naming master is gone unless you add or remove a domain. These are not functions that occur daily.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:10 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
68
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
The only server role where you might immediately notice its absence is the PDC emulator. Because this server receives preferential updates of passwords, logons might fail if the PDC is not available and a password has been changed. Therefore, you will almost never need to seize these roles from the other domain controllers. In other words, if you plan on bringing the domain controller back to life, you won’t have to have another domain controller seize the role. In fact, if a domain controller whose schema, domain naming master, or relative identifier roles have been seized by another domain controller, it should never be brought back online. A machine that once served one of those roles must be reformatted and reinstalled, or else chaos will ensue on your network. The utility used to seize an operations master role is called NTDSUTIL. The NT Directory Services Utility is a very powerful and flexible command-line tool, and will be covered in more detail in Chapter 4. In the following example, we’ll use it to seize a domain naming master role: 1. Open the command prompt at the domain controller that will be the new holder of the domain naming master role. There are several ways to do this; one is by typing cmd from the Run dialog box. 2. From the command prompt, type ntdsutil. 3. At the ntdsutil command prompt, type roles. 4. At the fsmo maintenance command prompt, type connections. 5. At the server connections command prompt, type connect to server domaincontroller, where domaincontoller is the target server that will now hold the domain naming master role. 6. At the server connections prompt, type quit. 7. At the fsmo maintenance command prompt, type seize domain naming master. Seizing other master roles will look very similar except for the last step.
Exam Tip You should consider transferring FSMO roles when domain controller performance can be better optimized, but seizure of FSMOs is a drastic step that should almost never be taken. You should not seize the operations master roles if you can transfer them instead.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:10 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
69
CHECKPOINT ✔Objective 2.01: Manage an Active Directory Site
What we can see and touch. Sometimes it’s easier to learn about computing concepts when dealing with tangible properties, rather than abstract ones. In this chapter, we looked at the role of a site as a unit of Active Directory replication, and how we could use sites to manage replication over slow WAN links. We looked at the significance of site links, the connection objects between sites, and the properties of these site links. And, although site links are automatically linked in a routed network, we also looked at some instances where site link bridges are necessary.
✔Objective 2.02: Implement an Active Directory Site Topology
In this objective we created new Active Directory sites, created new subnets, and assigned these subnets to sites. Each subnet can be a part of only one Active Directory site. During this section, we examined such administrative tasks as renaming sites and moving subnets from one site to another.
✔Objective 2.03: Monitor Active Directory Replication Failures Using the
Microsoft Monitoring and Management Tools This objective identified some of the tools used to monitor Active Directory replication traffic. Such tools include the replmon, repadmin, dcdiag, and the Event Viewer. To fully understand these tools, further experimentation is required on your part to help you go beyond what is presented in this book’s condensed format. Also, we discussed the basics of the File Replication Service, and how this is used to synchronize information between domain controllers in a domain.
✔Objective 2.04: Plan a Strategy for Placement of Global Catalog Servers
Global Catalog servers store a copy of the Global Catalog. For each Active Directory forest, the Global Catalog stores information about the most commonly accessed objects and attributes throughout. Included in this information is universal group membership of accounts. The general rule of thumb is that you enable storage of the Global Catalog on one domain controller in every site. This can be mitigated, however, through the use of Universal Group Caching, new to Windows Server 2003.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:10 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
70
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
✔Objective 2.05: Plan Flexible Operations Master Role Placement
Flexible Single Master Operations (FSMO) servers play critical roles in the functioning of both an Active Directory domain and forest. There are five FSMO roles. Three occur once in each Windows Server 2003 domain: RID master, PDC emulator, and infrastructure master. Two are found only once in each forest: the domain naming master and the schema master. We also looked at how to implement bridgehead servers and Global Catalog servers. This chapter also discussed the roles of single master operations in the Active Directory forest, and where and why these server roles might be moved. In the next chapter, we will examine the logical components of Active Directory in the same level of detail.
REVIEW QUESTIONS 1. You are the network admin for a Windows 2003 Active Directory domain. The domain has 25 domain controllers spread among various sites around the country. At one of the locations, you have a 10Mbps network and five floors. You want to create a separate site for each floor to keep replication from using a good portion of the available bandwidth. You create five subnets, assign them to five separate sites, and then create the site links between them, but do not notice an immediate difference in replication traffic. What step should you now take? A. You need to reboot domain controllers for all the new sites. B. You need to wait for the KCC to calculate the new connections. C. You need to move the domain controllers to the subnets created for the sites in Active Directory Sites and Services. D. You must upgrade the network. You have optimized as much as you can given the limitations of your network. 2. You are documenting the procedure for site creation as your company expands to other cities. Like the server guy in the Dell commercials, you will be delegating the creation of new sites to junior administrators while you talk about really good coffee with the CEO. What will you recommend as the best method for creating the new sites? A. Create the site, select the site link, add the subnets, move the domain controllers. B. Move the domain controllers to the Default-First-Site, create the site, add the subnets, add the site links.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:10 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
71
C. Create a temporary site link bridge for existing sites, add domain controllers to the Default-First-Site, add subnets, create test sites, add domain controllers, rename the sites to move them into production. D. Create the subnets, create a site, create site links, move domain controllers to the new sites. 3. You are the architect for a Windows 2003 Active Directory domain, and have decided on three domains arranged in a parent/child relationship for your company’s 1,500 users. The domains are separated by department. You have just implemented a branch office in Atchison, Kansas, that is connected by a 56K link. It will contain users for all three domains. You configure a separate site for this office, and configure the site link to use the SMTP protocol. Now you find that the replication between the sites doesn’t seem to be working. What should you do? A. B. C. D.
Create an enterprise certification authority. Install Microsoft Exchange. Install an SMTP mail system. One word: broadband.
4. You have two sites in your Active Directory domain, one in Kansas City and one in Columbus, Ohio. Users at these two sites report that the links have been slow, and upon investigation you find that they are running near 100 percent capacity. You run Network Monitor, and find that the bulk of the traffic is being caused by Active Directory replication. You investigate the behavior of the site links. What behavior should you check? Choose all that apply. A. B. C. D.
Check on the schedule of the site links. Check the Ignore Schedule option. Check how many users have been added in the last 24 hours. Determine that the links are only checking for changes every four hours during the day and every two hours at night.
5. You have two sites in your Active Directory forest structure connected by a high-speed T1 line. You are now trying to optimize the replication of Active Directory traffic between sites. You have placed a Global Catalog server at each of the sites, and want to ensure successful replication between these two systems. What can you do to assure yourself this will happen? A. Create a separate site for each Global Catalog server and create a site link for these two sites. Configure a site link bridge between these servers and the other domain controllers in your forest.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:11 PM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
72
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
B. Ensure the site link between sites specifies these servers as the preferred bridgehead servers. C. Create a site link bridge that includes the links between the two servers. D. Create a connection object that specifically links the two Global Catalog servers. 6. You are the Network Administrator of a Windows Server 2003 network. You have no NT 4.0 BDCs on your domain. The PDC emulator for your domain fails with a bad motherboard. What should you do? Choose all that apply. A. From a healthy DC in your domain, immediately seize the role of the PDC emulator. B. Nothing. The PDC emulator is not needed because there are no BDCs. C. After replacing the motherboard, bring the original PDC emulator back online. D. Reformat the hard drive of the original PDC emulator computer. 7. You are the Network Administrator for a Windows Server 2003 network. You are setting up a multi-domain and multi-site enterprise. Which of these roles should never exist together on the same computer? A. B. C. D. E.
Schema master and domain naming master Infrastructure master and Global Catalog server PDC emulator and RID master Infrastructure master and RID master Schema master and RID master
8. You are administering a tree of two Windows 2003 domains and have configured several sites. Each site will contain users from both domains. You want to implement a Global Catalog server at each site in your network. You open Active Directory Sites and Services. Where do you configure the Global Catalog servers? A. B. C. D.
In the Inter-Site Transport folder In the Properties page for the site In the NTDS Settings Properties page You choose New | Add | Global Catalog in the subnet where you want to hold the GC server.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:11 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
CHAPTER 2 The Physical Active Directory Components
9. You are the network administrator of a Windows Server 2003 network. The schema master has just failed with a faulty NIC card. What should you do? Choose all that apply. A. B. C. D.
From a healthy DC, immediately seize the role of the schema master. Replace the NIC card. Bring the original schema master back online as soon as possible. Transfer the role of the schema master from the failed machine to a healthy DC.
10. Which service determines the domain controller for a site that will be designated as the site’s bridgehead server? A. B. C. D.
RPC KCC NTDS ISTG
REVIEW ANSWERS 1.
The domain controllers do not know they are at a new site until you move them using Active Directory Sites and Services. The upgrade of the network would make for a faster network, but would not optimize the replication traffic, and might be an unnecessary expense.
2.
This is the best answer for this question. There are many ways to create sites and add domain controllers, but none of them are listed in the answers provided. The method recommended in answer A is also the most straightforward.
3.
If you’re using SMTP-based replication between sites, you will need an enterprise certification authority. The authority appends a digital signature to all replication packets being sent. Note that the SMTP packets are sent between domain controllers using SMTP; they do not rely on a mail server, so both B and C are wrong. And as for D, remember it’s Atchison we’re dealing with here.
4.
You should check the Ignore Schedule option, which can be used to force replication, but needs to be turned off so that site link schedules are respected. You should also verify the frequency of how often the site links check for replication updates. If this value is too frequent, full synchronization may not occur.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:11 PM
73
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
74
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 2
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
5.
You should specify that these two servers are preferred bridgehead servers. Doing so ensures that the two servers will be the first point of contact for the site when replication is being received or sent. When you create a connection object, you specify the path that replication should take, but you would not want to do this between sites, as replication cannot be as easily governed.
6.
The PDC emulator performs many important functions for a domain, even when the domain contains no NT 4.0 BDCs. It is the final authority on passwords, it knows when a password has recently been changed, it keeps the System Time, and it typically houses the Group Policy Containers for Active Directory. In most networks, the role of PDC emulator should be seized as soon as the computer containing that role fails. However, once the role is seized, the original PDC emulator should not be brought back online. You should instead reformat the hard drive of the old PDC.
7.
In a multi-domain environment, the infrastructure masters should not also be Global Catalog servers. There should, however, be a Global Catalog server in the same site with each infrastructure master. The purpose of the infrastructure master is to track each object as it is moved around a forest. The infrastructure master uses Globally Unique ID’s (GUIDs) and contrasting databases to “see” the references of each object. If the infrastructure master can’t see the “big picture” provided by the Global Catalog, it can’t do its job. It does, however, need to have all of the pieces at its disposal, so a Global Catalog server should be located in its site whenever possible.
8.
In the NTDS Properties page for a given domain controller, you will configure it as a Global Catalog server with a single check box. Microsoft recommends one Global Catalog server per site.
9.
You should avoid seizing the role of the schema master. The only time that the schema master is necessary is when you need to change the schema. Since the schema is rarely changed, this scenario should not constitute an emergency. You should therefore replace the NIC and then bring the same schema master back online. The network will function without the schema master in the meantime.
10.
The ISTG in every site will designate a domain controller as a bridgehead server. This server will then accept all replication changes from other sites and pass on those changes to the other servers in its site.
P:\010Comp\Passport\575-0\ch02.vp Monday, August 04, 2003 1:38:11 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
The Logical Active Directory Components
3
ITINERARY
• •
Objective 3.01 Objective 3.02
Plan an Administrative Delegation Strategy Implement an Active Directory Directory Service Forest and Domain Structure
NEWBIE
SOME EXPERIENCE
EXPERT
4 hours
2.5 hours
1.5 hours
75
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:55 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
76
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Earlier in this book, we identified the objects that are stored in an Active Directory database, and then looked at how to physically arrange some of these objects. Now we turn our attention to the logical structure of Active Directory. By learning about the logical structures, we are learning how to best organize our domains into an Active Directory forest hierarchy. These logical components are important because they define how the computing enterprise will be administered. After we learn about what the logical components are, we also learn about features that keep them all running. We’ll examine the role of flexible single master operations servers, and learn about the different levels of functionality that can be applied to both a domain and your Active Directory forest. In addition, we’ll examine the purpose of trust relationships in the Active Directory design, and how trust relationships can be leveraged to grant resource access to outside organizations. By designing and determining the logical elements of Active Directory, we become the architects of the network. Just like building architects, we want to start with the ideal in mind; the structural architect begins with a “perfect” building, and then makes accommodations in form based on the requisite functionality of the building. We, too, as Active Directory engineers, begin with what’s ideal for purposes of administration, and then make changes to the Active Directory hierarchy based on the requirements of the organization. But unlike what building architects sometimes encounter, the function of Active Directory follows form, and the closer we get to the ideal, the more cost efficient and easy to administer our computing environment is.
Logical Active Directory Components In Chapter 1, we listed the components of the Active Directory database. We discussed the significance of the schema, the Global Catalog, and identified the objects that could be stored in the Active Directory database. An example of just such an object is a user account. We also installed the first domain in an Active Directory enterprise. In Chapter 2, we started to build our Active Directory infrastructure, and looked at the physical makeup of Active Directory. We identified physical entities such as sites and domain controllers, and used these objects to control network use when exchanging Active Directory information. In this chapter, we want to now design and implement the logical components of Active Directory. A full understanding of these logical components is critical to exam success and to real-world administration, as they define how our computer network is administered, and, as you’ll see, by whom.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:55 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
77
I’ve found in my classrooms that the discussion of logical computing concepts can be sometimes confusing, because we’re dealing with things that, for the most part, you can’t see. For example, ask yourself, “Where is the Microsoft domain?” If you’ve read the business section of the paper any time over the past decade, you might be inclined to answer with the city that houses the Microsoft corporate campus: Redmond, Washington. But is that were the domain is? The answer is no. The domain is really both everywhere and nowhere at the same time. So to understand the logical components of Active Directory, we must provide answers to some of the many questions that naturally arise when considering computing mechanisms that we can neither see nor touch, but rather are best visualized with pen and paper. (Or, in my case, whiteboard and those wonderful-smelling markers.)
Domains And a good place to start is with the following question: “What is a domain?” It sometimes helps if we think of the logical components of Active Directory as container objects. A domain, then, is the main container where other Active Directory objects, such as user accounts, are stored. In fact, all objects created in Active Directory are created in a domain. You can have multiple domains in your enterprise, but all objects will be stored in one of these domains. Also, like a site, a domain is a unit of replication. All objects and attributes stored in a single domain are replicated to all other domain controllers in the same domain. (Remember, you use sites to control how this information is replicated, not what information is replicated.) Certain objects and their attributes from all domains are stored in the forest’s Global Catalog. But more significantly, a domain is a unit of administration. The objects in one domain are, or can be, administered very differently, and by different people, than the objects in other domains. Simply defined, a Windows Server 2003 domain is a logical collection of users and computers. In other words, it’s an organizational entity that groups together the objects in your enterprise. With a domain in place, you have several benefits over workgroups, including:
• •
They enable you to organize objects within a single department or single location, and all information about the object is available. They act as security boundaries. Domain administrators exercise complete control over all domain objects. Further, in Windows Server 2003 Active Directory, Group Policies, another kind of domain object, can be applied to determine how resources can be managed and accessed.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:55 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
78
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
• •
Domain objects can be made available to other domains. Domain names follow established DNS naming conventions, permitting the creation of child domains to best suit your administrative needs.
What kinds of objects, exactly? To reiterate what was presented in Chapter 1, an object refers to those things which are stored as a piece of software code— usually a number—in the Active Directory database. This number is called a globally unique identifier (GUID), a unique 128-bit number generated by Active Directory for identification of a particular user, computer, application, shared printer, database entry, and so on. For security principals, a number called a security identifier (SID) is also tracked. These SIDs are used to track and evaluate security-related information, such as permissions to perform a certain task. Besides user accounts, as mentioned above, there will be SIDs associated with:
• • • •
Computer accounts Shared folders Shared printers Group Policies
For each of the GUIDs stored in the Active Directory database, there are also many attributes of the GUID tracked as well. A prime example of a GUID’s attribute is an object’s name. In Windows Server 2003 domain, as was the case in Windows 2000 domain, the information about the objects in a domain are stored in the Active Directory database on domain controllers. So if a domain is our cornerstone entity in an Active Directory enterprise, how does the domain fit into the larger picture of Active Directory? To answer this, we ask a few more questions. Now, just what is Active Directory? Active Directory is a collection of all the things in your network. The icon you see representing Active Directory in Windows 2000 and Windows 2003 is a phone book. It’s an analogy that works because a phone book is a list of all the things or objects in a city or municipality enterprise. In a Windows Server 2003 computer domain, Active Directory lists all the things in a computing enterprise and it stores all the attributes about those things. Going back to the analogy of the city or municipality, the phone book has different ways that you can access the information. You can look up organizations by their business names, by their phone number, by what they do. Similarly, in a Windows Server 2003 Active Directory domain, there are lots of ways to reference the objects that are collected therein.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:55 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
79
Not only does Windows Server 2003 Active Directory store the list of the objects in your domain, but it also provides a set of services that make those objects available and searchable by clients of the domain, and in fact, of the forest itself. We’ll talk about forests and trees in the way that domains are organized later in this chapter. So just what kinds of services does an Active Directory provide? It includes such things as authenticated user logons, it manages domain security, it enforces domain policies. It also publishes the locations of resources such as files, printers, and applications. Where is the Active Directory database stored? It’s stored on any Windows Server 2003 domain controller where you have installed Active Directory. A domain also represents a security boundary and an administrative entity. In your Windows 2003 enterprise, a domain is the main boundary around separate administrative units. So, in a multiple-domain enterprise, a domain represents a way that you can manage—from an administrative point of view—one group of users and computers much differently than you manage another group of users and computers. Now, remember, the purpose of building a tree in Active Directory is so you can administratively link two or more domains. But isn’t it possible for some enterprises to have more than one namespace? Of course it is. Microsoft is a perfect example of this. It’s a company that has a wingspan that encompasses other domains such as hotmail.com, msn.com, and so on. When you have multiple domains in your enterprise that you want to link together for administrative purposes, but they do not share a common namespace, it’s time to create an Active Directory forest.
Trees Once you’ve decided to create domains in your enterprise, you may find that you need more than one domain to best reflect the administrative structure of your company. As mentioned before, there are many benefits to a domain, and thus there may be compelling reasons to have these benefits afforded separately to various groups of users and computers in your organization (we’ll discuss some of the scenarios later on). Remember, though, that users and computers actually live in a domain. The domains exist in a tree and subsequently in a forest. If you want to link your Windows Server 2003 domains together for purposes of administration and/or sharing of resources, you’ll need to start building Active Directory trees and forests. The hallmark of a domain tree is that it is a contiguous linking of one or more Active Directory domains that share a common namespace. In other words, the domains are linked together in a parent/child relationship as far as the Domain Naming System (DNS) naming conventions go. Figure 3.1 shows you what an Active Directory tree might look like.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:55 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
80
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 3.1
A representation of an Active Directory tree
As you see in the illustration, the namespace is contiguous. The parent namespace is called lanscape.net, and the two child domains’ full domain names are sales.lanscape.net and hr.lanscape.net, using the parent namespace of lanscape.net to build their domain names. If the child domains were called something like lebowski.com, they wouldn’t exist in a child namespace, and therefore could not be Active Directory child domains of lanscape.net.
Travel Advisory Don’t ask me why, but the geometric shape given to a domain in every Windows Active Directory schematic you will ever see is a triangle. So there it is: Triangle = Active Directory domain. This Active Directory tree will share a common schema, Global Catalog, and be linked with two-way transitive trust relationships. The trust relationships represent the administrative link between the domains. These terms schema and Global Catalog will be defined later in the chapter. There are cases, however, where a tree full of domains will not work for your enterprise. Say, for example, you run a company like Microsoft, and you decide to purchase the assets of another company (I know this is a stretch, but bear with me). Let’s pretend that said company is hotmail.com. The users, computers, and resources of hotmail.com need to be merged with microsoft.com. These two domains do not share a common DNS namespace, however. Yet you still want to link these two entities in a single administrative structure. You want the domains of these two trees to share a common schema, Global Catalog, and configuration, as you did when creating a tree. In this case, you will be creating an Active Directory forest.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:56 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
81
Forests A forest lets you link together multiple domain trees in a hierarchical arrangement with the goal of maintaining an administrative relationship. By creating a forest, you build into your computing environment the flexibility to reflect the real-world business environment of acquisitions, mergers, and spin-offs from your main company. All this while retaining all of the administrative benefits of domains linked together with trust relationships. Figure 3.2 shows you what a forest might look like if documented on paper. Simply defined, a forest is a group of Active Directory trees that share the following components:
• • •
They share a common schema. They share a common site configuration. They share a common Global Catalog.
When you build an Active Directory forest, it is built from the top down. That is, the forest root is the first domain in the enterprise, and it will be the most
FIGURE 3.2
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:56 AM
A representation of a Windows Server 2003 Active Directory forest
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
82
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
important domain to your forest structure. When upgrading Windows NT 4 domains to Windows Server 2003 domains (or Windows 2000 domains, for that matter), the first domain you upgrade will establish the root of your Active Directory forest. You cannot build child domains and then reverse-engineer your Active Directory forest. Child domains, as well as additional trees, must join existing domains or the forest root tree.
Organizational Units We mentioned the use of an organizational unit in our previous discussion about domains, so let’s define them here. Organizational units are really the workhorses of a Windows Server 2003 Active Directory hierarchy. They are container objects within a domain that represent sub-administrative entities within an Active Directory. Organizational units are used to group domain computers and users and other domain objects into separate logical units. I used the word “group” there, but these are not groups, they are administrative containers. Anything that you can put into the domain, anything that you can put into an Active Directory database, you can put into an organizational unit. That’s not true with groups. The only things groups can contain are users or other groups. Organizational units, on the other hand, can contain computers, shared resources, printers, as well as groups and users. Another big difference between groups and organizational units is that you can apply Group Policy to an organizational unit or an organizational grouping of computers and users. You do not apply a Group Policy to a group. The name might imply otherwise, but that’s not what Group Policies are used for. An organizational unit’s structure may be based on cities, such as Kansas City, St. Louis, Omaha, or Dallas, or on departments, such as IT, HR, Payroll, Sales, Accounting, and so on. You can also nest organizational units in parent/ child relationships, much like you can create parent/child domain affiliations when you set up a tree. Figure 3.3 shows you an example of how a company might build a parent/child OU hierarchy. This also gives you almost unlimited control as the Active Directory architect over how the domain objects are administered within a single domain. In Chapters 6 and 7, on Group Policy, you will see this administration in action. I can’t stress this enough. An organizational unit provides two very significant benefits. First, it allows you to delegate control, or even specific types of control, over certain portions of the domain. Second, by applying a Group Policy, it allows for a set of users in one organizational unit to have a very different end-user experience from the users in another organizational unit. We’ll discuss
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:56 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
FIGURE 3.3
83
You can wield complete flexibility of administration within a domain via OUs.
delegation of administrative responsibility in the next section, and talk about how Group Policies are used to manage organizational units in Chapters 6 and 7.
Objective 3.01
Plan an Administrative Delegation Strategy
I
t’s been mentioned so far in our definition of an OU that one of its main benefits is that it lets administrators delegate control over certain sections of the domains’ objects. This topic was also explored back in Chapter 2, when we delegated control over Active Directory sites. Conceptually, delegating administrative control over organizational units is no different. As shown in Figure 3.4, just like our site container objects, an organizational unit has an access control list that controls who does what.
Travel Advisory To make sure the Security tab is available, make sure the Advanced Features are turned on by clicking the View menu, then selecting Advanced Features.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:57 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
84
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 3.4
The access control list of an Active Directory container
Exam Tip Some of the default containers such as the Users and the Built In folder are not organizational units, and therefore you cannot delegate control over these containers. Look for the Active Directory icon— the phonebook thing—when you want to delegate control. By editing the contents of this access control list, you can delegate control over the users. By clicking the Advanced button, you get access to the individual access control entries (ACEs), and with these ACEs, you can be very specific about what kind of control is granted. You can give a single user the ability to change passwords for user accounts, and no other administrative ability. To do this, click on Edit for the user’s access control permission entry, and you’ll see the Permission Entry dialog box like the one you see in Figure 3.5. (You might need to add the user or group to the ACE list first.) This is also one of the areas where I think the difference between security groups and organizational units becomes more clear. An organizational unit is
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:57 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
FIGURE 3.5
85
Granting only the ability to change passwords
an administrative entity, and we delegate administrative control over our OUs, but we delegate control to the users in our security groups. Furthermore, the control is granted over the users, computers, and groups, printers, and such contained in the OU.
Delegation of Control Wizard You can also use the Delegation of Control Wizard to delegate administrative tasks to users. The wizard interface simplifies the process of manually editing the ACL, but the end result is the same. You’ve already seen this as well in Chapter 2, so we won’t cover all the steps again. What is worth pointing to, however, is that the delegation of control over organizational units can include a few more steps and some different tasks. For example, you don’t create user accounts in a site, but that responsibility can be easily delegated over an OU using the wizard. Figure 3.6 shows the dialog box where you can select common tasks or configure a custom task to delegate.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:57 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
86
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 3.6
Delegating administrative control over an OU using the wizard interface
Plan an Organizational Unit (OU) Structure Based on Delegation Requirements With either of the two methods demonstrated above, you can assign basic administrative functions to everyday users of your enterprise while still maintaining control over the more complex administrative tasks. In other words, delegating administrative responsibility no longer confers the ability to royally mess things up the way it did in NT 4. Delegating control lets regional users take responsibility over their local network resources. This ability actually helps you implement a higher degree of security as you can restrict the membership of powerful groups such as the Domain Admins and the omnipotent Enterprise Admins groups. More about these groups in Chapter 5. Windows Server 2003 domains are designed to be self-contained, and through the use of organizational units, you have a lot of flexibility about how that domain is administered. In fact, when you think about organizational units, it’s tempting to think of them as groups. They are not groups. They are Active Directory container objects that serve as sub-administrative entities. Within a domain, you can have separate business units or separate cities that are administered completely separately from one another by completely sepa-
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:58 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
FIGURE 3.7
87
Designing OUs by location
rate people, yet you as a domain administrator still have control over the entirety of the domain. You can specify through your organizational unit that a certain collection of users and computers gets a certain software package, and a different set of users and computers gets a different software package. I know I’m starting to repeat myself here, but we’ll look at how this is done in Chapter 7 as we look at Group Policies. In making the decision about how best to design your organizational units, you need to take into account the structure of your organizations. Are geographic locations self-contained? Can each have its own user who does day-to-day administration? Is your company organized more by department, with department heads in charge of computing decisions? There are no right or wrong answers, of course, but there are two general methods of designing an organizational unit strategy. The first design strategy is to design by location, as shown in Figure 3.7. Alternatively, you can implement the delegation of administration over domain objects by factoring in department considerations, as seen in Figure 3.8. These are not cut-and-dried rules. Most larger companies especially will end up with a hybrid design, resembling something like Figure 3.9. Because of the administrative flexibility afforded by organizational units, Microsoft recommends that instead of creating extra domains, system designers create a single domain, then use organizational units within that single domain to delegate their administrative tasks. Since a single Windows Server 2003 domain
FIGURE 3.8
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:58 AM
Designing OUs by department
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
88
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 3.9
A hybrid of OU design, which nests OUs in parent/child relationships
can contain millions of objects, scalability and performance are rarely a concern, even in the largest organizations.
Authorization Manager Another tool used to delegate administrative control, new to Server 2003, is the Authorization Manager. Although you’ll probably do the majority of your delegation with the Delegation of Control Wizard, especially as you are delegating the first few administrative tasks, it is not the best tool for every circumstance. Both the Delegation of Control Wizard and the Authorization Manager— along with the old-fashioned method of simply editing the access control list—let you assign rights or permissions to individual users or groups. The biggest difference between the Delegation of Control Wizard and the Authorization Manager is that the Authorization Manager lets you delegate control over certain applications. The Authorization Manager can provide greater flexibility, but is a more complex tool to use. For delegating everyday tasks like adding accounts, it is not the best choice. When you use the Authorization Manager, you will have the option of choosing between of two modes of use:
•
Developer mode Developer mode allows an administrator to create, deploy, and maintain specific applications. In developer mode, you have unrestricted access to all Authorization Manager capabilities.
•
Administrator mode Administrator mode has less flexibility than developer mode. In administrator mode, you can deploy and maintain applications. You have access to all Authorization Manager features except those that let you create new applications or define new operations. Administrator mode is the default mode of Authorization Manager.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:58 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
89
The Authorization Manager does for applications what the Delegation of Control Wizard does for Active Directory objects. You can use the Delegation of Control Wizard to delegate a specific administration role, such as changing a password, to a certain user. You would use the Authorization Manager to let a user have a specific role within an application. For example, you might define a role for Auditors that would let them audit the debit and credit transactions from a certain accounting application. They might not otherwise be able to use the application in any capacity other than the role you have defined. You can also configure roles based on a computer’s function. With computer role-based administration, you might allow certain users to install and enable services on a Web or file server, for example. As mentioned, developer mode is used to define roles. However, applications that support administrative roles usually either create an authorization store or use an existing authorization store with predefined operations and tasks. In such an event, the developer mode will not be necessary. Applications that can be used with the Authorization Manager store an authorization policy in the form of an authorization store, which in turn are stored in Active Directory or XML files. The authorization store is the database that holds Authorization Manager policy files. These authorization files apply the configured authorization policy to the selected users or when the application is run.
Travel Advisory To use the Authorization Manager, your domain must first be running in Windows Server 2003 functional mode. The domain functionality modes are discussed later in this chapter. Before you can use the Authorization Manager to delegate a task, you must create an authorization store. Here’s what you do: 1. Open the Authorization Manager by either creating a custom MMC and adding the snap-in, or by typing azman.msc from the Run menu. 2. Right-click the Authorization Manager root, and then choose Options from the context menu. 3. Choose the Developer Mode radio button in the Options dialog box, and click OK. 4. In the Authorization Manager, right-click Authorization Manager again, and choose New Authorization Store.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:58 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
90
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
5. From the New Authorization Store dialog box, choose whether to create an Active Directory or XML file. 6. Type the authorization store name in the Store Name dialog box, or click Locations to find the authorization store, and add a description if you wish. Now that you’ve configured an authorization store, you can use the Authorization Manager to begin delegating tasks. To begin the process, choose either the application level role or the scope level role to which you want to assign a user or group, right-click, and choose Assign Windows Users And Groups. The wizard should lead you the rest of the way. A scope, by the way, is used by an application to keep certain resources separate from other resources within that application. Examples of scopes include a specific folder, an Active Directory container, a collection of files such as all .xls files, or even a URL that can be accessed by the application and its underlying authorization store. You can use scopes to divide the areas of an application over which you want to delegate control, and also use them to prevent unintended access.
Travel Assistance Because it can be a very complex tool, a full discussion of the Authorization Manager is beyond the scope of this book. Typically, application developers define the roles and the authorization store. Like many testable topics, what is important is an understanding of what the tool does. For further information of the Authorization Manager, please see the following title: Windows.NET Server 2003: Best Practices for Enterprise Deployments, by Nelson and Danielle Ruest, from McGraw-Hill/ Osborne Media. Other useful references can be found in the MSDN Library by searching for “application authorization” at msdn.microsoft.com/library. After completing the task of deciding how to best organize your domains and organizational units, it’s time to roll up your sleeves and actually implement the design. The next objective looks at how to realize your blueprint for Active Directory greatness by implementing the forest and domain structures.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:59 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
Objective 3.02
91
Implement an Active Directory Forest and Domain Structure
O
nce you’ve decided to create domains in your enterprise, you may find that you need more than one domain to best reflect the administrative structure of your company. As mentioned earlier, there are many benefits to a domain, and thus there may be compelling reasons to have these benefits afforded separately to various groups of users and computers in your organization (we’ll discuss some of the scenarios later on).
Install and Configure an Active Directory Domain Controller You build your Active Directory network by adding domain controllers. Some of these domain controllers will be added to existing domains for purposes of load balancing and fault tolerance, and some will be installed to establish new domains. These new domains, in turn, will either be added as child domains to existing trees, establish new trees in existing forests, or create new forests altogether. As you’ve seen, there are several forks in the road presented as you walk through the Active Directory Installation Wizard. Which forks you choose will determine the behavior of your new domain controller. What follows is an overview of what needs to be done to install Active Directory on your other domain controllers, and how choices in the Active Directory Installation Wizard will affect the configuration of your domain, your tree, and your forest. Since you’ve already seen the Installation Wizard in its entirety, we won’t spend time going over each step in this section. Instead, we will focus on just the dialog boxes that will configure Active Directory for our objectives. Remember, though, that users and computers actually live in a domain. The domains exist in a tree, and the tree is subsequently part of a forest. If your desire is to link Windows Server 2003 domains together for purposes of administration and/or sharing of resources, you’ll need to start building Active Directory trees and forests. And the first domain you’ll build will be the Active Directory forest root.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:59 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
92
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Create the Forest Root Domain In Chapter 1, we looked at how to install Active Directory on a first domain controller, thus establishing the root of our Active Directory forest. This was done to get an Active Directory environment up and running as quickly as possible so that you could follow along with the later exercises. We’ll briefly review the concepts behind the procedure here. To reiterate, a forest is a hierarchical arrangement of Active Directory domains that do not have to share a common namespace. All domains in a Windows Server 2003 forest will share the following components:
• • •
A common schema A common site and replication configuration A common Global Catalog
Once you create this forest root, you are also automatically creating the schema in your Active Directory forest, and furthermore setting up the domain controller that manages all changes to this schema. How? By default, the first domain controller created in the first forest serves this purpose. This system is called a schema master, and this kind of system is performing a single master operations role as you saw in Chapter 2. Here are the prerequisites for building an Active Directory forest root:
• •
The Windows Server 2003 platform must be installed and running.
•
The intended domain controller must have TCP/IP installed and correctly configured. TCP/IP is installed on all Windows Server 2003 machines by default, but the intended domain controller should be configured with a static IP address.
•
You need an NTFS partition for the installation of the SYSVOL directory on the domain controller, and need enough space for the Active Directory database. Microsoft recommends about a gigabyte of free space.
•
You should ensure that the system time information is correct. During Active Directory installation, the system will also become the domain’s time server for the other machines on the domain.
A DNS server must be installed and configured with a forward lookup zone for the domain you intend to create. If one is not present, the Active Directory Setup Wizard will offer to install one for you.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:59 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
93
Travel Advisory This probably goes without saying, but you must also be logged onto the local computer with an account with administrative privileges, or at least running the wizard in the context of such an account with the Run As command. A normal user account won’t be able to run the Active Directory Installation Wizard. I guess it’s not going without saying anymore, is it? After you have created the first domain controller in the first domain of your enterprise, you have established the organization’s Active Directory forest root domain. Thereafter, you can build the hierarchy by using the DCPROMO utility to launch the Active Directory Installation Wizard on other systems running Windows Server 2003. The wizard will present you with several choices, the results of which will help you implement the Active Directory infrastructure. You have essentially three options about how the domain controllers will behave:
• • •
As an additional domain controller in an existing domain As the first domain controller in a child domain As a domain controller in a domain that will establish a new Active Directory tree
You also run the DCPROMO utility to remove Active Directory from a Windows Server 2003 Server machine. Each of these scenarios are explored in the following sections.
Create a Child Domain When you’re creating a new domain controller for a new domain, your next choice will be whether to create a new domain tree or to create a new child domain in an existing tree. Each of these procedures starts by launching the Active Directory Installation Wizard by using the Configure Your Server utility found in your administrative tools, or by typing DCPROMO from the Run menu. The exact steps are as follows: 1. Launch the Active Directory Installation Wizard (Start | Run, then type DCPROMO in the Run dialog box). 2. On the Operating System Compatibility page, review the contents and click Next.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:44:59 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
94
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
3. On the Domain Controller Type page, choose Domain Controller For A New Domain, and click Next. 4. From the Create New Domain page, choose Child Domain In An Existing Domain Tree, as shown in Figure 3.10, and click Next. 5. You’ll now be prompted for the account credentials of a user with the ability to perform this operation. In the Network Credentials page, enter the appropriate credentials and click Next. 6. From the Child Domain Installation page, confirm the name of the parent domain and type the new child domain name. Click Next. 7. On the NetBIOS Domain Name page, verify the NetBIOS name, then click Next. 8. From the Database And Log Folders page, choose the location of the database and log folders, or click Browse to choose a location. Typically, you will accept the defaults. Click Next. 9. On the Shared System Volume page, type the location in which you want to install the SYSVOL folder. This folder must be stored on an NTFS partition. Click Next. 10. From the DNS Registration Diagnostics page, verify the proper DNS configuration settings, and click Next.
FIGURE 3.10
Creating a child domain in an existing Active Directory tree
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:00 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
95
11. On the Permissions page, make the permissions compatibility selection, and click Next. 12. From the Directory Services Restore Mode Administrator Password page, enter and then confirm the password used for the administrator for this server, and click Next. This will be a new domain account, different from the Administrator account already on the local machine. The local Administrator account will cease to exist. 13. Review the Summary page, and then click Next to begin the installation. The installation will require a restart when finished. Also recall that the way domains in an Active Directory forest are linked is through two-way transitive trust relationships, and this will of course extend to the new parent/child domain relationship. These trust relationships are automatically created as you start to build your Windows 2003 Active Directory forest. Parent domains are linked transitively with child domains, and a tree and tree roots in a forest are likewise linked in a two-way transitive trust relationship. By combining trees and forests, you have absolute flexibility over the design of your Active Directory enterprise, and, thus, over the administration of the objects in your computing enterprise. Your Active Directory enterprise might not call for additional domains, however. If this describes your organization, you still typically want to install at least one other domain controller for the domain for fault tolerance and load balancing. The Active Directory Installation Wizard makes it almost effortless.
Install an Additional Domain Controller for an Existing Domain Here are the steps necessary to create an additional domain controller: 1. Launch the Active Directory Installation Wizard (Start | Run, then type DCPROMO in the Run dialog box). 2. The Operating System Compatibility page will be the same as before; click Next when you’ve thoroughly read the information (yeah, right). 3. Here’s the moment of truth for this task: from the Domain Controller Type page, choose Additional Domain Controller For An Existing Domain. Click Next. You’ll now be given two choices about where to get a copy of an existing Active Directory database, as shown in Figure 3.11. The additional domain controller can get its information either from the network
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:00 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
96
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 3.11
Adding an additional domain controller
or from these restored backup files. You will then need to type the location of the restored backup files, or choose Browse to locate the restored files. Click Next once the selection has been made, and then click Next again. 4. The rest of the wizard (the Network Credentials, Database and Log Folders, System Volume, and Directory Service Restore Mode pages) will look the same as before. Enter the appropriate information and click Next on each screen. 5. Review the Summary page, and then click Next to begin the installation. Restart the computer to complete the installation procedure.
Travel Advisory You could run the Active Directory Installation Wizard with the option to create an additional domain controller from restored backup files by running DCPROMO with the /adv switch. The switch would bypass the first few dialog boxes of the wizard.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:00 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
97
Create a New Tree in an Existing Active Directory Forest If your company’s enterprise spans several different namespaces, as can be the case when companies merge or are spun off, a convincing case can be made for the creation of additional domain trees. Here’s how this is done: 1. Launch the Active Directory Installation Wizard (I think you know what to do by now). 2. Click Next after reviewing the Operating System Compatibility page. 3. From the Domain Controller Type page, choose Domain Controller For A New Domain, and click Next. 4. Make the selection to Create New Domain Tree In An Existing Forest from the Create A New Domain page, as shown in Figure 3.12. 5. The next steps of the wizard will be the same as when creating a child domain. Enter the needed information, clicking Next each time. 6. Review the Summary page, and then click Next to begin the installation.
FIGURE 3.12
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:00 AM
Creating a new Active Directory tree in an existing forest
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
98
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Exam Tip To perform any of the preceding measures, you must either be a domain administrator in the forest root domain, or a member of the Enterprise Admins group in the Active Directory forest. Alternatively, your account can be delegated this authority. To add a domain controller to an existing domain, you must be a domain admin in the domain where the domain controller is being added (the Enterprise Admins group has the ability to add domain controllers anywhere they want).
Uninstall Active Directory and Remove a Domain Finally, you should know the procedure to remove Active Directory from a Windows Server 2003 computer. Removing Active Directory turns the server into a member server in the domain where it was previously a domain controller. To do so: 1. Launch the Active Directory Installation Wizard (I really don’t have to explain again, do I?). 2. After the Welcome screen, you get the Remove Active Directory dialog box. There is only one thing here of note: if the domain controller is the last domain controller for the domain, you specify this with the check box here, as shown in Figure 3.13. Doing so will decommission the domain.
Travel Advisory If Active Directory is already installed on a server, removing Active Directory is the only option available. Other than using the renaming tools available when your domain is running in Windows Server 2003 mode, you cannot change the nature of the domain controller without first removing and then reinstalling Active Directory. When you are decommissioning a domain, you need to ensure the “This server is the last domain controller in the domain” check box is checked. Otherwise, the domain naming master will still have a record for the domain’s existence, and could present a problem when domains are added later on. When the last domain controller has been removed from the domain, the domain ceases to exist. Removing a domain results in the permanent loss of any data contained in that domain, including all user, group, and computer accounts. If you want those accounts retained, you must move them into other domains first.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:01 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
FIGURE 3.13
99
Uninstalling Active Directory from the last domain controller
If you want to decommission a forest, you must first decommission all attached domain trees and child domains before removing the forest root domain. This is part of the reason why the naming of the Active Directory forest root domain is such a critical decision. Any changes to the forest root domain will result in considerable administrative time and effort.
Create and Configure Application Data Partitions A new feature available with Windows Server 2003 Active Directory is an application directory partition. This is a directory partition that is replicated between domain controllers, but only to the domain controllers you choose. A domain controller that participates in the replication of a particular application directory partition hosts a replica of that partition. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Furthermore, these partitions can store any kind of file, folder, shared folder, printer, and any other object, with the exception of security principals.
Local Lingo Security principal Any kind of object used to manage control access to resources is a security principal. A user account is exhibit A, because permissions will be assigned on this kind of object.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:01 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
100
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Application directory partitions are usually created by the applications that will use them to store and replicate data. For testing and troubleshooting purposes, members of the Enterprise Admins group can manually create or manage application directory partitions using the NTDSUTIL command-line tool. One of the benefits of an application directory partition is that, for redundancy, availability, or fault tolerance purposes, the data in it can be replicated to different domain controllers in a forest. The data can be replicated to a specific domain controller or any set of domain controllers anywhere in the forest. This differs from a domain directory partition in which data is replicated to all domain controllers in that domain. Storing application data in an application directory partition instead of in a domain directory partition may reduce replication traffic because the application data is only replicated to specific domain controllers. Some applications may use application directory partitions to replicate data only to servers where the data will be locally useful. Another benefit of application directory partitions is that applications or services that use Lightweight Directory Access Protocol (LDAP) can continue using it to access and store their application data in Active Directory. Yet another benefit of creating an application partition is that you don’t need to worry about configuring a replication topology; Active Directory takes care of it for you through the services of the Knowledge Consistency Checker (KCC). The KCC automatically generates and maintains the replication topology for all application directory partitions in the enterprise. When an application directory partition has replicas in more than one site, those replicas follow the same intersite replication schedule as the domain directory partition. We’ll touch on the KCC again later in the chapter when the discussion turns to the physical elements of Active Directory.
Exam Tip If uninstalling Active Directory from a domain controller, you should ensure that there isn’t an application partition still residing on the domain controller. They should be deleted and/or moved before performing the uninstall. Here’s the procedure you’ll use to set up an application directory partition: 1. Open the command prompt (type cmd from the Run dialog box), and type ntdsutil. 2. At the ntdsutil command prompt, type domain management. 3. At the domain management command prompt, type connection.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:01 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
101
4. At the connection command prompt, type connect to server ServerName, where ServerName is the name of the server where you are creating the application directory. You should now be given a message telling you whether you are successfully connected. 5. At the connection command prompt, type quit. 6. You’re taken back to the domain management command prompt. Once here, do one of the following to set up the directory: To create an application directory partition, type create nc ApplicationDirectoryPartition DomainController. To delete an application directory partition, type delete nc ApplicationDirectoryPartition.
• •
The DomainController variable above will be the full DNS name of the domain controller where you are creating the application partition (or a replica thereof). The ApplicationDirectoryPartition is the distinguished name for the partition. For instance, the distinguished name for the finance.beanlake.com would be dc= finance, dc=beanlake, dc=com.
Exam Tip If you delete the last replica of an application data partition, you will permanently lose all of the data contained in that partition, and will have to recover data from backup.
Set an Active Directory Forest and Domain Functional Level Based on Requirements Prior to Windows Server 2003, there were two levels of domain functionality: native mode and mixed mode. With the domain in mixed mode, you still had the option for adding a Windows NT 4 backup domain controller to the domain. Native mode forbade the addition of NT 4 domain controllers, but gave administrators the ability to implement access to features only available in native mode, such as universal groups. The same design philosophies have been carried forward to the functionality of Windows Server 2003 domains. Now, instead of two levels of functionality, however, there are four. Each level offers certain benefits and certain liabilities. Additionally, there are now three different levels of functionality that apply to the forest. We’ll start with a look at domain functionality.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:01 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
102
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Domain Functionality Configuring the domain functional level enables features that affect the administrative features available for the entire domain. Further, the domain functional level setting affects that domain only. Therefore, it’s possible for a Windows 2003 forest to have some domains using one type of domain functionality, and other domains using another. There are now four domain functional levels available:
•
Windows 2000 mixed This is the default level of domain functional level, and is the most flexible in terms of adding domain controllers. You can add Windows NT 4.0, Windows 2000, and Windows Server 2003 domain controllers to Windows 2000 mixed level domains.
• •
Windows 2000 native This level allows the addition of Windows 2000 and Windows Server 2003 domain controllers.
•
Windows Server 2003 As you might surmise, this domain functional level supports only Windows Server 2003 domain controllers.
Windows Server 2003 interim This level supports Windows NT 4.0 and Windows Server 2003 domain controllers only, and is specifically designed for organizations making the transition from Windows NT 4.0 domains to Windows Server 2003 domains. It will be an option only when upgrading the first Windows NT domain to a new forest and can be manually configured after the upgrade. If this describes your company, know that Microsoft is dropping support of Windows NT 4 at the end of 2003, so you’d best get cracking.
Travel Advisory You can’t install Active Directory on servers running Windows 2000 if you’ve set the functional level to Windows Server 2003 interim. (Well, you can, but they won’t be able to participate in domains running in the Windows Server 2003 functional level.) More notes about the interim level in the section that follows. Although this is implied in the preceding discussion, I want to make sure that one point gets across with no ambiguity when discussing domain functionality levels: they take into consideration domain controllers only. It does not matter what client operating systems are in use when the domain functional levels are set. Students in my classes sometimes get confused about this, but maybe that’s because I mumble. I won’t here. You can have Windows 98, XP, 2000, and NT 4 clients all participating in a domain, yet the domain is set to Windows Server 2003 functionally. This could
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:02 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
103
be the case if all your domain controllers were 1) running Windows Server 2003, and 2) the domain functional level has been upgraded from the default. Briefly stated, when the domain is running at the Windows Server 2003 functional level, all Active Directory features are available. If set to a level that allows addition of down-level domain controllers, some of these Active Directory features are either limited or not available at all. Table 3.1 helps spell out exactly which features are available in what mode. A couple of highlights you should note about Table 3.1:
•
In Chapter 5, we’ll discuss at length the different group types and group scopes available with Windows Server 2003. Notice that universal groups are not available in a Windows 2000 mixed mode domain.
• •
You cannot rename a domain controller unless you’re running the Windows Server 2003 functionality. You can only convert groups in the Windows 2000 native or Windows Server 2003 modes.
TABLE 3.1
Features Available in Different Domain Functional Levels
Domain Feature
Windows 2000 Mixed
Windows 2000 Native
Windows Server 2003
Domain controller rename tool Update logon timestamp User password on InetOrgPerson object Universal groups
Disabled
Disabled
Enabled
Disabled
Disabled
Enabled
Disabled
Disabled
Enabled
Enabled for distribution groups, but disabled for security groups Enabled for distribution groups. Disabled for security groups, except for domain local that can have global groups as members Disabled
Enabled for both security and distribution groups Enabled for all groups
Enabled for both security and distribution groups Enabled for all groups
Enabled
Enabled
Disabled
Enabled
Enabled
Group nesting
Converting groups SID history
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:02 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
104
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Travel Assistance The reason we don’t discuss the Windows Server 2003 interim level is that you shouldn’t be operating in this mode for long, and its features shouldn’t make up any testable information. For more assistance on the Windows Server 2003 interim functionality level, please see the information presented at www.microsoft.com/ windowsserver2003/upgrading/nt4/. Here are the steps needed to raise the level of the domain functional level: 1. Open the Active Directory Domains And Trusts MMC snap-in from your Administrative Tools menu. 2. Select the domain in your forest for which you want to raise functionality, right-click, and then choose Raise Domain Functional Level. 3. In the Domain Functional Level dialog box, as shown in Figure 3.14, choose one of the following from the domain functional level dropdown menu: To raise the functional level to Windows 2000 native, choose Windows 2000 Native, and click Raise.
• •
To raise the functional level to Windows Server 2003, choose Windows Server 2003, and click Raise.
FIGURE 3.14
Changing the domain functional level
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:02 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
105
Exam Tip You’re warned this in the dialog box, but just so you don’t forget: changing the functional level is a one-way process. If there’s a possibility that you might introduce Windows 2000 servers as domain controllers in the future, leave the functional level set to Windows 2000 native. There is no way back to the Windows 2000 native functional mode other than decommissioning the domain and reinstalling.
Forest Functionality In addition to setting domain-wide functionality, there are also forest-wide functional levels that apply to a Windows Server 2003 enterprise. Forest functionality enables features across all the domains within your forest. There are three forest functional levels. They are:
•
Windows 2000 This level is the default, and supports the addition of domains running Windows NT 4.0, Windows 2000, and Windows Server 2003 domain controllers.
•
Windows Server 2003 interim This level is meant only for transitions from Windows NT 4.0 domains to Windows Server 2003 forests. It supports servers running Windows NT 4.0 and Windows Server 2003 only.
•
Windows Server 2003 This level supports only Windows Server 2003 domain controllers across the entire forest, to the exclusion of all other domain controllers. It also enables all Active Directory features, as outlined in Table 3.2.
When you create a new Active Directory forest using Windows Server 2003, the forest will be set to the Windows 2000 functional level by default. This enables the addition of other forests running Windows 2000 domain controllers. You can raise the forest functional level to Windows Server 2003.
Exam Tip Here again we won’t spend time on the features of the interim functionality level. If you need to learn more about this level, fine, but don’t spend much of your exam preparation energy on the 2003 interim levels. Table 3.2 summarizes the features available from the different forest functionality levels.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:03 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
106
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
TABLE 3.2
Comparing the Forest Functional Levels
Forest Feature
Windows 2000
Windows Server 2003
Global Catalog replication improvements
Enabled if both replication partners are running Windows Server 2003, otherwise improvements are disabled Disabled Disabled Disabled Disabled Disabled
Enabled
Enabled Enabled Enabled Enabled Enabled
Disabled
Enabled
Defunct schema objects Forest trusts Linked value replication Domain rename Improved Active Directory replication algorithms Dynamic auxiliary classes
Note that many of the new improvements gained from switching to Windows Server 2003 are realized when using the Windows Server 2003 forest functionality level. For example, changing the name of a domain was impossible in Windows 2000 without decommissioning the domain and reinstalling Active Directory. Now, if all domain controllers in the forest are running Windows Server 2003, you can rename a domain to better accommodate organization restructuring. Another benefit that might be immediately tangible is the creation of forest trusts, a topic whose significance is explored later in this chapter. Here’s what you’ll do to change the forest functional level: 1. Open Active Directory Domains And Trusts. 2. Since you’re not managing any particular domain, but rather the forest as a whole, right-click the root-level Active Directory Domains And Trusts node, and then choose Raise Forest Functional Level from the context menu. 3. You see the Forest Functional Level dialog box, as shown in Figure 3.15. From the drop-down menu, select an available forest functional level, click Windows Server 2003, and then click Raise. Note that you will not be able to raise the forest functional level to Windows Server 2003 until all domain functional levels in the constituent forest domains have first been raised to Windows Server 2003 (which in turn will mean that all domain controllers are running Windows Server 2003).
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:03 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
FIGURE 3.15
107
Changing the forest functional level
Travel Advisory Similar to raising the domain functional level, the upgrade of the forest functional level is a one-way process. Once forest functionality has been raised, domain controllers running previous versions of Windows cannot be introduced into the forest. In other words, raising the forest functionality for Windows Server 2003 prevents you from adding domain controllers running Windows 2000 Server anywhere in the forest. As was mentioned in this section, one of the things a forest functional level will have an impact on are the kinds of trust relationships available. The trusts between domains will serve as the administrative link, and it’s important that you have a thorough understanding of the different types of trusts available.
Establish Trust Relationships If your enterprise consists of a single domain, it also consists of a single tree and a single forest. One domain is a tree and one tree is a forest, and no trust relationships will be established. Once you create child domains and add additional domain trees, however, trust relationships are created automatically. These trusts between the domains in a forest are both two-way and transitive. The transitive nature of the trusts relationships in Windows Server 2003 simply means that if domain A trusts domain B, and domain B trusts domain C, then domain A will trusts domain C. This was not the case with Windows NT 4
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:03 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
108
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
domains. It was the case, however, with Windows 2000 domains. The two-way nature means that the domains trust each other. In NT 4 domains, all trusts were one-way. One-way trusts are still used to establish trusts to domains outside the Active Directory forest, as we will see. There are two functions of these trust relationships when it comes to making the forest a usable logical structure. They are
•
The trust relationships facilitate cross-domain logon. A user can submit logon credentials to a domain controller in the domain where their account lives from any domain in the forest. The logon follows the path of the trust relationships from one domain controller to another. Note, however, that all the domains in the trust path must be up for this to occur. Figure 3.16 examines the path of the logon through the trust associations.
•
The trust relationships facilitate access to resources in other domains throughout a forest. Also shown in Figure 3.16, the links between domains in a forest mean that users in one domain can be granted permission to access resources in other domains throughout the forest. Within a forest, the accounts in one Active Directory domain are trusted by the other domains.
You can create shortcut trusts to facilitate more direct communication between domains in a forest. This can be especially helpful if your domain structure has been determined by geographic considerations, and the logon must pass over several slow WAN links to be authenticated by a user’s home domain.
FIGURE 3.16
The logon follows the path of the trust links, and allows for universal access to resources.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:04 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
109
Also, as mentioned earlier, one of the significant aspects about creating a Windows Server 2003 domain is that it forms a security boundary between it and other domains. These security boundaries do not cross over into other domains. In other words, the domain administrator of a parent domain cannot administer child domains in the hierarchy. There’s only one group with the power to administer every domain in a Windows 2000 enterprise or in a Windows 2003 forest, and that is the Enterprise Admins group, which is created on the forest root’s domain controller. Furthermore, any Group Policy settings that you apply to a parent domain also do not apply to any of the parent’s child domains. These separate security boundaries allow domains—even the ones within a tree that are tied together with these parent/ child naming relationships—to act as distinct administrative units and distinct security units within an Active Directory forest hierarchy.
External Trusts An external trust is used to establish a trust relationship between two domains in different forests, or between a Windows Server 2003 domain and an external Windows 2000 or NT 4.0 domain. They are created to grant access to resources to user accounts that exist in domains that are not part of the Active Directory forest. External trusts are nontransitive, and can be set up as either one-way or two-way trusts, as seen in Figure 3.17. To set up an external trust, follow these steps: 1. Open Active Directory Domains And Trusts from your Administrative Tools. 2. In the console tree, right-click on the domain you want to establish a trust with, and choose Properties.
FIGURE 3.17
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:04 AM
The purpose of an external trust
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
110
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
3. From the Trusts tab, click the New Trust button at the bottom of the tab, and then click Next. 4. On the Trust Name page, as shown in Figure 3.18, type the DNS name (or NetBIOS name) of the domain, and click Next. 5. From the Trust Type dialog box, choose the External Trust radio button, and then click Next. 6. Now you’ll configure the direction of the trust. You have three choices in the Direction Of Trust page, as follows: Two-way for an external two-way trust Users in the current domain and users in the target domain can access resources in both domains now.
• •
One-way incoming for an external trust Users in the target domain will not be able to access any resources in this domain, but users in the current domain will be able to access resources in the target domain.
•
One-way outgoing to trust users from other domains The inverse of the previous selection. Users in the current domain will not be able to access any resources in the specified domain, but the target domain will be able to access resources in the current domain.
7. The wizard will lead you through the final steps for establishing the trust.
FIGURE 3.18
Entering the name of the external domain you will trust
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:04 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
111
Forest Trusts New to Windows Server 2003 is a forest trust. A forest trust lets you create a trust relationship between two separate Active Directory forests. While it’s true that you could create trusts between domains in two different Windows 2000 forests, you could not create trusts between different forests. If you wanted trusts to exist between all the domains in two separate forests, you had to create individual trust relationships for each trusting and trusted domain. Now, when you create a forest trust between forests, that’s no longer the case. That’s because a trust created between Windows Server 2003 forests can be configured as a two-way, transitive trust link. In other words, it’s just like the trust created between the domains and trees within a forest. It’s also possible to create one-way trusts to other forests. With a one-way forest trust, all the domain in one forest would trust all the domains in another forest, but not vice versa. The forests will still maintain Active Directory information separately; the schema and Global Catalogs in each forest will be different.
Exam Tip Before creating a forest trust, set the forest functional level in both forests to Windows Server 2003. Also, ensure that DNS has been properly configured so that the domain controllers establishing the trust between forest will be able to resolve domains to IP addresses. As illustrated in Figure 3.19, a forest trust provides several benefits for organizations that need access to resources in other forests. These include 1. Simplified management of resources. There is less administrative overhead associated with maintaining only a single trust between forests. 2. Complete two-way trust relationships with every domain in each forest, which eases the locating of resources in other domains. 3. Cross-forest logon using the user principal name (UPN), whose syntax is username@domainname, where username is the user’s logon name, and domainname is the domain where the account resides. 4. Flexibility and separation of administration. As mentioned above, the forests are still separate Active Directory entities and are administered as such.
Travel Advisory Forest trusts are only created between two forests and are not implicitly transitive to a third (or fourth, or fifth…) forest.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:04 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
112
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 3.19
Represents the two-way trust link created when you employ a forest trust
Realm Trusts Realm trusts are useful when a Windows Server 2003 domain needs to trust the accounts and resources in a non-Windows domain, such as a UNIX domain. These realm trusts can be configured as either one-way or two-way trusts, and have the built-in flexibility of being able to switch from transitive to nontransitive and back again. To create a realm trust, you’ll follow the same procedure as outlined earlier when discussing external trusts, only when you type the DNS name of the domain to trust you will be given a message that the domain is not a valid Windows domain. You will then be able to select “Realm Trust” or “Trust with a Windows domain” in the Trust Type dialog box. Once the realm trust is selected, you have the option to select whether the trust is transitive or nontransitive.
Travel Advisory The non-Windows domain which you are trusting must support Kerberos v5 authentication for the realm trust to be configured.
CHECKPOINT ✔Objective 3.01: Plan an Administrative Delegation Strategy
In this chapter, we’ve taken a close look at the logical components in our Active Direc-
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:05 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
113
tory enterprise, with an eye toward some of the new features available with a Windows Server 2003–based network. We’ve examined the function of a domain, a tree, a forest, and an organizational unit. The logical elements in Active Directory define in large part how your network will be administered, and towards that end we’ve also looked at how to use the OUs in your Active Directory structure to delegate administration, following up on concepts introduced in Chapter 2.
✔Objective 3.02: Implement an Active Directory Directory Service Forest and
Domain In addition, we looked at the different functional levels that both our domains and forests can operate in. We took note that running in the highest level of functionality unlocks all of the potential features of Active Directory. Finally, we examined the default trust relationships built between domains in a forest, and how to configure two separate forests to trust one another. As always you make sure you understand the new features offered by Windows Server 2003. Notice especially that forest trusts and realm trusts are new types of trusts in Server 2003. In the next chapter, we put this foundational understanding of Active Directory to work when we look at management and maintenance of our Active Directory enterprise.
REVIEW QUESTIONS 1. You are administering a Windows Server 2003 domain, and now want to rename the domain controller. In what domain functionality mode must the domain be running in order for you to rename the domain? Choose all that apply. A. B. C. D.
Windows Server 2003 Windows 2000 Native Windows 2000 Mixed Domain controllers cannot be renamed in Active Directory.
2. You are the administrator of a Windows Server 2003 Active Directory enterprise. The forest root has just been upgraded from Windows 2000 native mode, but there are still several child domains that are running a mix of Windows 2000 and Windows NT 4 domain controllers. Because of budget constraints, there are no immediate plans to change the operating systems of the domain controllers in the child domains. Further, the company may merge within the next six months, and you
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:05 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
114
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
want the ability to trust other forests. How should you configure the forest functionality level to achieve your goal? A. B. C. D.
Switch to Windows Server 2003 Interim. Use the Windows Server 2003 level at the forest root. Use Windows 2000. There is no level that will meet your objectives.
3. You are the administrator of a large network, and want to nest several global groups in your domain into one large global group for configuring access to printers. However, you find that you are unable to nest these global groups. What is the likely cause of this? A. B. C. D.
The domain is running in Windows Server 2003 mode. The domain is running in Windows 2000 mixed mode. The domain mode has not been set. The Windows Server 2003 domain controllers have just been installed, and the domain level has not been upgraded.
4. To justify upgrade costs, your boss has asked you for a report on the benefits of upgrading all domain controllers in the enterprise to Windows Server 2003. Which features are potentially available when all domain controllers are running Windows Server 2003 and the domains and forest have been upgraded that might help influence her decision? Choose all that apply. A. B. C. D.
The ability to rename a domain. The ability to rename a domain controller. The ability to implement forest trusts. She can always add Windows 2000 domain controllers later.
5. You are the administrator for an Active Directory domain. You have configured several organizational units to correspond to your company’s geographical layout, one OU per city. Corporate password policy dictates that passwords must be changed every three months, but you do not want to get calls from domain users wanting passwords reset. Each geographic location has a manager, but you do not want to give those managers sweeping administrative control. What is the best way to handle the situation while maintaining password security? A. Edit the ACL for each OU. Grant the ability to reset passwords to just the managers of each OU. B. Create a policy where domain password passwords never expire.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:05 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
115
C. Create a group called Password Managers. Create a Group Policy for that group that specifies the Reset Password User Right. D. Create a group called Managers. Run the Delegation Of Control Wizard on the domain object, and grant the Managers group the permission to reset passwords. 6. You are administering a company and want to create an application directory partition. Which of the following benefits can be realized when configuring this kind of partition? Choose all that apply. A. Fault tolerance. B. You don’t have to configure a separate replication topology for application partitions. C. Choice of where to replicate application data so that it is locally useful. D. LDAP-aware applications can continue to store information in Active Directory. 7. You are designing an Active Directory enterprise for a medium-size company with ten offices and a corporate headquarters located in Manhattan, Kansas. All of the offices are located in the United States. You want separate administrators for each location, but want to retain overall control over the enterprise. What should your design recommendation be? A. Create a single domain, and then create OUs for each office location. B. Create separate domains for each location and pick who will be the domain administrator for each domain. C. Create separate groups for each office and delegate control over those groups to specific domain users. D. Create separate forests and create forest trusts between the individual forests. 8. You are the Active Directory administrator for a multidomain company that is currently outsourcing research to a third-party entity. This thirdparty company, in order to conduct its research and produce reports, needs access to data files and printers in your network. All of the resources are located in the forest root domain. What should you do to grant access to the resources? A. Create a forest trust. B. Create a shortcut trust.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:05 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
116
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
C. Add the researchers from the third-party company to your forest root domain. D. Create a child domain, move the resources requested to the child domain, and add the researchers as users to this child domain. 9. You are administering a Windows Server 2003 forest for a bioengineering firm, and need access to the human genome that’s stored on another company’s UNIX server. The UNIX domain supports Kerberos v5 authentication for its users. You do not want the UNIX domain’s users to have any access to resources in the Windows Active Directory domain because, hey, to be quite honest, you never know about those UNIX folks. (Command-line devotees. Why do it the easy way when there’s a way that requires a lot more typing?) What kind of trust relationship should you configure? A. B. C. D.
A one-way outgoing realm trust A one-way incoming realm trust A two-way realm trust An external Kerberos trust
REVIEW ANSWERS 1.
Only running in Windows 2003 domain functionality gives you the option to rename an entire domain.
2.
There is no way this is possible unless the forest is upgraded to Windows Server 2003 mode. While there are Windows NT 4 domain controllers in the network, the domain cannot be upgraded to Windows Server 2003 functionality mode.
3.
The domain is running in Windows 2000 mixed mode. When you install a domain with Windows Server 2003 domain controllers only the domain functional mode is set to Windows Server 2003 mode, which allows the nesting of global groups.
4.
When the domain is in Windows Server 2003 mode, the ability to rename domain controllers becomes available. When the forest is in Windows Server 2003 mode, the forest trust and renaming of domain features are available. These technologies are only available when all domain controllers are running Windows Server 2003 Server, and when the domain and forest functionality levels have been upgraded.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:05 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 3
CHAPTER 3 The Logical Active Directory Components
5.
The way to delegate control is by editing the ACL. The Delegation Of Control Wizard lets you do this with an easy-to-use interface. Because you want to limit administrative control, you should just grant the reset permission to a single user over a single OU, rather than have a group of managers be able to reset any password for any user in the domain.
6.
All of these benefits are available when you implement an application directory partition.
7.
There is no overarching factor here that would keep you from designing a single domain and then using the OUs suggested by the geographical locations to divide up administrative responsibility. This would meet objectives with a minimum of administrative overhead.
8.
Granting access to resources to users in other domains is a matter of creating a shortcut trust. As the administrator of the domain granting the access, you still have control over what permissions these users have, and which resources they have permission to access.
9.
A one-way incoming realm trust would configure the UNIX domain to trust the users of the Windows Server 2003 domain. The UNIX admins, if they could get past the insult of your distrust, could then add the Windows domain users to the access control lists of the folder that holds the data needed.
P:\010Comp\Passport\575-0\ch03.vp Tuesday, August 05, 2003 8:45:05 AM
117
This page intentionally left blank
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
4
Managing and Maintaining an Active Directory Infrastructure ITINERARY
•
Objective 4.01
• •
Objective 4.02 Objective 4.03
Manage an Active Directory Forest and Domain Structure Restore Active Directory Directory Services Troubleshoot Active Directory
NEWBIE
SOME EXPERIENCE
EXPERT
4 hours
2.5 hours
1.5 hours
119
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:40:59 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
120
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
In the previous chapters, we’ve learned about the components of your Active Directory infrastructure. We’ve examined the objects Active Directory stores and manages, and we’ve built our enterprise using the various physical and logical Active Directory components. In this chapter, we’ll expand on some of these concepts as we manage, monitor, and optimize Active Directory performance. For example, in Chapter 1, we defined the Active Directory schema and its role in the forest. Now we’ll look at the instances where that schema might be extended beyond its default settings, and learn about the procedures involved. We’ll also cover how to back up and restore your Active Directory database, one of the most critical tasks an administrator will ever face. Hopefully, a restore operation is not something you need to do very often, or at all, but if Active Directory information is lost, it’s a situation that can cost your business lots of money and can cost yourself job security. You can be certain that Microsoft expects you to know how to get Active Directory up and running again in the event of a failure.
Objective 4.01
Manage an Active Directory Forest and Domain Structure
I
n Chapter 1, we briefly defined the schema and how it relates to the Active Directory database. This was done to provide solid footing upon which we could begin our Active Directory travels. To briefly review, the Active Directory schema is a listing of all the possibilities of what might be stored in the Active Directory database. This listing consists of two items: a description of objects and a register of attributes that is used to define those objects.
The Role of the Schema Let’s say you want to add something to Active Directory (a user object, for example). Before you create this new object in Active Directory, the object is validated against the appropriate object definition in the schema. Only then can it be added to the Active Directory directory database. If there is no definition for the object or the attribute, the object can’t be written. Because the user object exists in the schema, an instance of it can be added. But you probably gathered that from reading Chapter 1. Beyond that somewhat elementary concept lies the really exciting thing about the schema, and the reason we’re spending some time with it in this chapter as well: the schema is extensible. If there’s an object missing in the default schema that your organization
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:40:59 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
121
would like to add to Active Directory, or if an existing object would work better if only you could add a different attribute or two, you can change the list of what’s possible in your Active Directory network by modifying the schema. Before you do, there are several factors to consider. Because there is only one schema per forest (managed by the schema master, as you learned in Chapter 3), extending the base schema can have wide-ranging implications for your entire enterprise. For this reason, you should carefully consider each change you make. Later in the chapter, we’ll discuss just what these implications are. First, though, let’s look more closely at some of the properties of the schema.
Directory Object Definitions When you create a new user in Active Directory, you are creating a new instance of an object class. An object class contains a list of attributes that are used to define the instances of the class. As you might guess, the User class includes attributes such as givenName and streetAddress. These two attributes may be used to help define the instance of the User object, but they don’t necessarily have to. An attribute that’s required to create an instance of an object class is called a mandatory attribute, and any other attribute that can describe the object class is an optional attribute. For example, the User object has mandatory attributes that include the objectSID and the SAMAccountName. This means the Active Directory User object must have these attributes defined at the time the object is created. If you don’t define one for the user at the time the object is created, you won’t be successful in creating the object. The default schema contains about 250 objects and about 900 attributes. That means you can add 250 types of things to the Active Directory database, and you can describe these things 900 different ways. The point? You might not have to ever extend your schema. What’s more, there are two ways the schema can be modified: automatically and manually. Several applications are written to be Lightweight Directory Access Protocol (LDAP)-compliant, which is also an open standard that Active Directory adheres to. These applications are said to be Active Directory aware, and some will make changes to the schema. So I take back what I said before about likely never having to extend the schema. You may, but only through the installation of an application like Exchange Server 2000 or 2003, which will be making the changes without your direct intervention. (Similarly, most Windows users have also made changes to the Registry. My mother edits the Registry every time she installs a program, for example, but is no more aware of it than she is of the exact mechanisms of the Electoral College.) The other way to modify the schema is manually, using the Active Directory Schema MMC snap-in. Although it won’t be at the top of your list of Windows Server 2003 administrative chores, you should know what’s involved to manually
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:40:59 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
122
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
extend the schema for purposes of exam preparation. After that, it may be a long time indeed until you are called upon to perform such an extension on a production network.
Schema Storage and Schema Cache If the schema is a set of software objects and attributes, then that software code needs to be stored somewhere. The schema is stored in the schema directory partition, which in turn is a part of the Active Directory information stored on all domain controllers in a forest. But as we learned in Chapter 3, only one domain controller manages changes to the schema. This domain controller is called the schema master, and the computer providing this role must be available for any changes to the schema to be made. Any changes are then replicated from the schema master to all other domain controllers in the forest. Furthermore, each Windows Server 2003 domain controller caches a copy of the schema in memory to improve performance of schema operations. Each time the schema is modified, the cached version is also automatically updated. This update takes place after a short interval, but you can force a refresh of the schema cache by right-clicking on the Active Directory Schema root from the MMC snap-in of the same name, and from the context menu choosing Reload The Schema.
Schema Security Not just any user can administer the schema. In fact, this privilege is not even extended to most domain administrators in a forest, save for one. There is only one group with the permission to write changes to the schema: the Schema Admins group. Also by default, the group has only one member, the Administrator account in the root domain of the forest. In the next chapter, we’ll talk in more detail about the groups automatically created by Server 2003, of which the Schema Admins is one. The membership of the Schema Admins group is shown in Figure 4.1. Every object and every attribute stored in the schema also has an access control list with it, just like every other Active Directory object. However, management of the ACLs for schema objects is rare indeed. You don’t want many users having access to the schema, if any at all. You also might want to employ a Group Policy to make Schema Admins a restricted group, and thus further control exactly who is in this powerful group. We’ll talk more about using restricted groups in Chapter 6, during the discussion of Group Policy.
Manage Schema Modifications Generally speaking, you view schema changes in the same light that you (should) view Registry changes: proceed with caution. Just like making the wrong changes to the Registry can make the computer unusable, if you make the wrong changes
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:40:59 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
FIGURE 4.1
123
Default membership in the Schema Admins group
to the schema, your forest can become unusable. For example, you can make it impossible to add objects such as user accounts, or make other objects such as computer objects invalid if you make an incorrect change. It is therefore imperative that you keep the permissions over the schema as tight as possible. Because modifying the schema has such sweeping implications, you should begin with a cursory knowledge of the base schema at the very least. If there are existing schema class objects and/or attributes that meet your needs, then naturally there is no reason to go and monkey with the schema. To keep the schema away from prying eyes, the tool needed to change the schema isn’t even available from the list of MMC snap-ins until you first register the necessary snap-in to the operating system. This was noted in Chapter 2 as well, but to save you from thumbing back, here’s the quick rundown once again: you do this by either opening the command prompt, or going to the Run dialog box from the Start menu, and typing: regsvr32 schmmgmt.dll.
Now you’re ready to add the Active Directory Schema MMC snap-in to a custom-built Microsoft Management Console. Open a blank MMC and from the File menu choose Add/Remove Snap-in. Then add the Active Directory Schema snap-in to the console, as seen in Figure 4.2.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:00 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
124
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 4.2
The Active Directory Schema snap-in
Travel Advisory Microsoft recommends that you create a test forest environment to try out schema changes before applying them to a production environment. Any problems with the schema changes can then be identified without affecting the network users. Or your employment status. Now that the Active Directory Schema tool is open, you will be able to extend the schema by adding or changing either the object classes or the object attributes, as indicated by the two nodes you see in the console. Administrators or developers who know what they’re doing can then modify
• •
A class definition by expanding the Classes node, right-clicking a class designated for modification, and then choosing Properties An attribute definition, by expanding the Attributes node, right-clicking the attribute to modify, and then choosing Properties
Exam Tip Microsoft won’t ask you volumes about how to make specific changes to the schema. It will normally be performed by someone with a programming background—someone with the MCSD certification, for example. You need to understand the general procedure and the tools involved.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:00 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
125
Further, a class definition or attribute definition can be added to the schema by choosing the Create Class or Create Attribute selection after right-clicking the Class or Attribute node. Before you can perform this procedure, however, you need to obtain a valid object identifier (OID) from the relevant International Standards Organization (ISO) issuing authority, or from the American National Standards Institute. For more information on obtaining an OID, please visit the Web sites of either of these two organizations at www.iso.ch or www.ansi.org.
Deactivating a Schema Class or Attribute Once you define a new class or attribute for the schema, it cannot be deleted. (In fact, a dialog box should warn you of just that when you go to add something new to the schema.) If you have an attribute or class that is no longer needed, though, or if there was an error made when creating the definition, what can you do? You can deactivate the class or attribute. A deactivated class or attribute is considered defunct. A defunct class or attribute is unavailable for use; instances of that object, or descriptions using a defunct attribute, will no longer be possible. However, defunct objects and attributes can easily be reactivated. The deactivation of an attribute or class can be done with a single check box in the object’s Properties dialog box, as shown in Figure 4.3. To activate or deactivate an attribute, use the Attribute Is Active check box. Also note that certain objects, such as the Computer Class object, and certain attributes, such as the AccountExpires attribute, cannot be deactivated.
Exam Tip Remember that when you create a new class or attribute, you must obtain an object identifier. When your forest functionality has been raised to Windows Server 2003, you can redefine a class or attribute that’s been deactivated. You will have to rename a deactivated attribute before it can be defined. When you redefine an attribute, you are reusing an existing object identifier and LDAP display name for an attribute that has been deactivated. However, you can now specify a new attribute syntax that better suits your needs. You also need to rename the attribute before you can redefine it.
Including an Attribute in the Global Catalog Another useful feature of the Active Directory Schema snap-in is the ability to index schema attributes and/or replicate attributes of the schema to the Global Catalog.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:00 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
126
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 4.3
Deactivating an Active Directory schema attribute
Windows Server 2003, through Active Directory, decides which of the attributes are most commonly used and replicates these attributes to the Global Catalog. But if your network users are constantly performing searches for other attributes, you should include these attributes in the Global Catalog. Doing so can improve performance of queries run against the attribute in Active Directory. To index a schema attribute, or to include the attribute for replication to the Global Catalog, right-click the attribute from the Active Directory Schema snap-in and choose Properties. From the Properties dialog box, as shown in Figure 4.4, include the attribute in the index or replicate it to the Global Catalog with a check of the appropriate box.
Travel Advisory If the forest functional level is not set to Windows Server 2003, adding a new attribute to the Global Catalog will cause a full synchronization of the Global Catalog. This can have a significant impact on network performance, especially as Global Catalog servers synchronize their Global Catalogs between sites. (You do have one Global Catalog server at each site, right?)
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:01 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
FIGURE 4.4
127
Including an attribute for indexing
Add or Remove a UPN Suffix When you create a user account in Active Directory, you give that user a logon name, a pre-Windows 2000 user logon name, and a user principal name (UPN) suffix. This UPN suffix identifies the domain in which the user account is located. The UPN suffix can (and usually is) the domain name of the domain where the account is created, an alternate domain in the Active Directory forest, or an alternative name used just for logon purposes. If an alternate UPN suffix is created, this suffix does not even have to follow valid DNS naming conventions. Figure 4.5 shows the UPN of a new user account created in the lanscape.net domain. The user creating the account configures the user logon name, and Active Directory Users And Computer suggests a pre-Windows 2000 logon name using the first 20 characters of the Windows 2003 logon name. The UPN suffix is appended to the user logon name to create the entire user principal name. By default, this UPN suffix will be the same as the DNS domain name where the account is being created. In most instances, this default UPN suffix will be the only one the user account will ever need. However, you can use alternative UPN suffixes to simplify logon when logging on to other domains throughout the forest, or to provide additional logon security. These alternative UPN suffixes are “aliases” created for the domains in the forest, and let a user log on using a UPN different than the one they are assigned by default. Why might this be desired? Well, you might consider using an alternate UPN suffix for a domain when the domain is very deep in a tree hierarchy. For example, you might have a domain called hr.kansascity.lanscapenet.net. This long domain name would be laborious to enter when using a user principal name to log on. (A user principal name uses the username with the @ symbol, and then the UPN suffix.) In the example above, a user would log on with a user logon name like
[email protected]. You could create an alternate UPN suffix for the domain to reduce the amount of typing needed when using the UPN.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:01 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
128
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 4.5
Notice the UPN suffix when the user account is created.
If you created an alternate UPN suffix like lanscape, the same user could logon using the UPN of Jennifer@lanscape. Here’s how you can add or change the UPN suffix for a user account: 1. Open the Active Directory Domains And Trusts MMC snap-in from the Administrative Tools menu. 2. Select the console root, Active Directory Domains And Trusts, right-click, and choose Properties. 3. From the UPN Suffixes tab as seen in Figure 4.6, type an alternative UPN suffix for the forest, and then click Add. Click OK to complete the procedure. If you need to add more alternative suffixes for the Active Directory domain, simply repeat the procedure as necessary.
Routing Name Suffixes Across Forests When a forest is first put together, all name suffixes are routed across all domains in the forest by default. That is, if a user logs on using the UPN of
[email protected] while in the atchison.lanscape.net domain, the UPN suffix routing mechanism will make sure the logon attempt is routed to the kc.lanscape.net domain. It will do so following the trust path, routing the login to the parent domain of lanscape.net before sending it along to the kc child domain, as shown in Figure 4.7.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:01 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
FIGURE 4.6
129
Add an additional UPN suffix.
Further, forests have a built-in mechanism that routes name suffixes to the appropriate tree roots. As you now have learned, forests can employ multiple name suffixes, such as lanscape.net and beanlake.net. In Active Directory Domains And Trusts, both of these name suffixes appear with a wildcard character (the asterisk) at the beginning of the UPN suffix. Therefore, requests for login authentication for all child domains of beanlake.net from other domain trees will be routed to the beanlake.net tree root domain. That’s because all child domains of beanlake.net will include beanlake.net in their unique UPN suffixes (that is, *.beanlake.net).
FIGURE 4.7
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:01 AM
Default behavior of name suffix routing
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
130
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
You can further manage how these suffixes are routed between two separate Windows 2003 forests by configuring suffix routing. Using the NETDOM utility, you can specify if and how UPN names are routed. The next section looks at use of the NETDOM utility.
Travel Advisory Don’t include the @ symbol in either the username or the UPN suffix. When authentication attempts are routed to trusted forests, all characters before the first @ symbol are interpreted as the username and everything after the @ symbol is interpreted as the UPN suffix.
Handling UPN Collisions Sometimes, when two (or more) forests are joined by forest trust relationships, there exists the possibility that UPN suffixes used in one forest might be the same as UPN suffixes used in another. Thus, when a user sends an authentication request, there is confusion among the routing domain controllers about where to forward the request. This event is called a UPN collision. However, with collision detection, you are able to ensure that each name suffix gets routed only to a single Active Directory forest. Active Directory Domains And Trusts will detect a UPN suffix conflict under these circumstances:
• • •
The Domain Name System (DNS) name is already in use in another trusted or trusting forest. The NetBIOS name is already in use among the forests. One domain name suffix SID conflicts with an existing name suffix SID.
If a second instance of a name suffix is detected, the routing for the most recently added name suffix will be disabled by default. Consequently, the UPN routing will be disabled for the newly added trust partner, but only for the domain with the conflict. For example, if you configure a forest trust from a forest with a domain called kc.beanlake.net to a forest with a domain called kc.lanscape.net, there will be a domain name conflict. In this instance, there will be two domains in the trusting forest enterprise with domains whose NetBIOS names are called kc. When this happens, the kc domain name will be disabled in the newly trusted domain. Despite the naming conflict, however, routing will still work for any other unique name suffixes in the newly trusted forest.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:02 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
131
Any UPN suffix conflicts will be listed in Active Directory Domains And Trusts. To view such conflicts, open the forest trust Properties dialog box, and select the Name Suffix Routing tab. If Active Directory Domains And Trusts detects a name suffix conflict during the creation of the forest trust, the New Trust Wizard will prompt you to save a log file of the conflicts.
The NETDOM Utility You should also be aware of the NETDOM utility, which is used to manage Active Directory trusts from the command prompt. Using this tool, you can administer trusts both between domains and between forests. It’s installed as a part of the Support Tools from the Windows Server 2003 CD-ROM in the \Support\Tools folder. The NETDOM utility is a powerful tool that lets you perform a wide variety of administrative tasks. Most of the tasks have to do with the management of computer accounts. They include the following:
• • • • •
Join a Windows 2000 or XP Professional system computer to a Windows Server 2003 or Windows 2000 domain.
• •
Establish one-way or two-way trust relationships between domains.
Specify the organizational unit for a computer account. Generate a random computer password when initially joining the domain. Manage computer accounts for domain member workstations and member servers. Move a computer account from one domain to another within a forest. The move operation also retains the original security descriptor for the computer account. View and change the behavior of a trust relationship.
Additionally, with regard to the routing of UPN suffixes as discussed in the previous section, you also use the NETDOM utility to list all routed names, and to enable and disable routing for certain UPN suffixes should your enterprise require this step. Let’s say you had a forest whose root domain was called lanscape.net, and then create a trust to another forest with a root called beanlake.net. Let’s also say both of these forests had child domains called sales. Even though the DNS names of these two domains would be different (sales.lanscape.net and sales.beanlake.net), each of these child domains would have NetBIOS domain names of sales.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:02 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
132
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Once you create the forest trust from the lanscape.net forest to the beanlake.net forest, routing to the sales domain in beanlake.net would be disabled. If, however, you need to route the NetBIOS name sales to the beanlake.net domain instead, and don’t use the sales name when referencing the domain in the lanscape.net forest, then you could use NETDOM to disable the sales domain name in lanscape.net and subsequently enable it in the beanlake.net forest. Besides knowing how to manage your Active Directory relationships between forests, Microsoft also expects you to know how to get a working Active Directory database back again should a domain controller ever fail. The next objective examines how, and specifically points out information that you should expect to see about restoring Active Directory on the 70-294 exam.
Objective 4.02
Restore Active Directory Directory Services
B
y the time you reach this point in your MSCE certification path, you should already know how to perform a backup of data using the Windows Server 2003 Backup utility. You should have also been introduced to the concept of backing up system state data. To review, system state data includes special information critical to the operating state of the computer. Also, the system state takes on different guises from computer to computer, depending on the functions performed. In other words, what makes up the system state will be different on a Windows XP Professional machine than on a Windows 2003 domain controller. In the example of a Windows Server 2003 domain controller, the system state includes the Active Directory service database and the SYSVOL directory. The system state also includes other information, but it’s these two that are critical for a restore of Active Directory. In other words, when you back up the system state on a domain controller, you have the information necessary to restore the domain controller, and thus the domain, back to its original condition at the time of the last backup.
Significance of the SYSVOL Folder So just what is this SYSVOL folder anyway? The SYSVOL folder is critical because it contains the domain’s public files. This directory is shared out (as SYSVOL), and any files kept in the SYSVOL folder are replicated to all other domain controllers in the domain using the File Replication Service, and yes, that’s important to know on the exam.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:02 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
133
The SYSVOL folder also contains the following items:
•
Net Logon shares, which is the location where domain logons are sent for processing, and where logon scripts can be stored for client processing at logon time.
• •
Windows Group Policies, as will be discussed in Chapter 6. File replication service folders and files that must be available and synchronized between domain controllers if the FRS is in use. Distributed File System (DFS), for example, uses the FRS to keep shared data consistent between replicas.
It is also recommended by Microsoft that you not make any changes to the folder structure of the SYSVOL directory. When domain controllers replicate SYSVOL information, the directory structure must be consistent among all domain controllers. This advice also extends to backup and restore operations of the SYSVOL structure. Leave things as they are. Because this folder is the initial point of contact between a domain client and a domain controller, and because it stores the domain’s Group Policies, it is a very important folder to back up. Fortunately, all this is automated when you use the Windows Server 2003 backup utility, also known by its executable file, Ntbackup, and perform a backup of the system state. Once backed up, you now have an insurance policy against domain controller failure. Here’s hoping you’ll never need that insurance policy. But as with other insurance policies, if you’re around long enough, eventually you will.
Restore Types Over the course of your administrative career, it’s bound to happen: a domain controller will hit the skids, and you’ll have to perform a restore operation. Once a restore of Active Directory becomes necessary, there are three restore types available for you to choose from:
• • •
Primary restore Normal restore (also known as nonauthoritative restore) Authoritative restore
Each of these restore types gets attention in the following sections. Before you perform any of these Active Directory restore operations, however, it’s crucial to understand that you must first start the domain controller in Directory Services restore mode. To get to Directory Services restore mode, you need to access the Windows Server 2003 Advanced Startup options, which you can do by hitting the F8 key when the computer is starting up. You can also access
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:02 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
134
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
the Advanced Startup options from the Boot Loader menu, if your system is configured for dual boot. The next several sections assume that you know how to access this Directory Services restore mode, and further assume you are booted in to this mode to perform the restore.
Perform a Primary Restore Operation You should only need to perform this type of restore operation when you’ve lost the entire domain or are restoring a domain with only a single domain controller. You would specify a primary restore on the single domain controller or the first of several domain controllers for the domain. In either case, you are rebuilding the domain from backed-up Active Directory information. To configure restore as primary, you’ll need to set the advanced options when performing the restore operation. To do so, follow these steps: 1. Open the Backup utility by choosing Start | All Programs | Accessories | System Tools | Backup. The Backup Or Restore Wizard starts. 2. Click the Advanced Mode link on the Backup Or Restore Wizard’s welcome page. 3. Click the Restore And Manage Media tab, select the system state backup file to restore, and then click the Start Restore button. 4. In the Confirm Restore dialog box, click Advanced. 5. Set the advanced restore options you want, and then click OK.
Perform a Nonauthoritative Restore Operation If you open the Windows Server 2003 Backup utility, restore the system state data, and reboot the server, you have just performed a nonauthoritative restore. This is the default mode used when using the Backup utility. When you perform a nonauthoritative restore, you are telling your domain controller to get the latest changes to the Active Directory database once the restore operation is complete. In most cases this is exactly the restore type you want to perform. Active Directory objects restored during a nonauthoritative restore will have their original update sequence numbers (USN), which are tags that help Active Directory determine which is the most recent change to Active Directory. A higher USN indicates a more recent change. If a domain controller goes down, most of the time you will want to perform a nonauthoritative restore. For example, a domain controller goes down, and a user changes his password. You would want the domain controller, upon restore, to have that changed password in its Active Directory database, or the user would be rejected when trying to validate at that restored domain controller.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:02 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
135
If you do not want changes in Active Directory to be reflected in the restored Active Directory information, you should perform an authoritative restore.
Perform an Authoritative Restore Operation In certain instances, you will want to restore Active Directory and then have the restored replica, if I may borrow a phrase, become the “master of the domain.” When a restore is marked as authoritative, all other domain controllers will synchronize their Active Directory databases with the one marked as authoritative, or, alternatively, selected objects that have been marked as authoritative, instead of the reverse. Will you do this often? Probably not. In most cases, a domain controller goes down, you restore it from backup, and then let it grab any changes made to the Active Directory database while the server was incapacitated. If, however, there have been unwelcome changes to Active Directory information while the failed domain controller is out of commission, you would need an authoritative restore. For example, if an OU gets deleted while the domain controller is down, restoring the domain controller and performing a nonauthoritative restore would not restore the missing OU. To authoritatively restore Active Directory data, you will still perform a restore as before. However, before you restart the domain controller, you will then run the Ntdsutil utility. The Ntdsutil utility lets you mark some or all Active Directory objects as “masters of the domain.” This is done by setting an update sequence number on the object to be authoritatively restored that’s higher than any other update sequence number in the Active Directory replication system. When the other domain controllers look at the higher USN, they assume the higher USN represents the most recent changes to the object, and therefore will ask for these “new” changes to be sent. Thus, all authoritative restores will eventually be replicated throughout your entire enterprise. In fact, you could have Ntdsutil = authoritative restore tattooed to the inside of your ankle prior to sitting for the exam. I’m not saying you should, but you could. Ntdsutil is installed in the systemroot\system32 directory. It is a command line utility, which means that there is syntax to learn. For full instructions on how to use the Ntdsutil, remember the /? switch.
Travel Advisory As a final thought, you do not necessarily have to perform any of these Active Directory restore procedures. If you have other domain controllers in the domain, you could also just install Windows Sever 2003, install Active Directory, and then let the Active Directory database be repopulated through the process of normal replication with other domain controllers, as happens when you add any other domain controllers. Real world ≠ test world.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:03 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
136
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Objective 4.03
Troubleshoot Active Directory
Y
our boss will also expect you to troubleshoot Active Directory when things go awry. Not that this ever actually occurs, mind you, but just in case, let’s go over a few items here that will help optimize consistent, reliable performance of an Active Directory enterprise.
Diagnose and Resolve Issues Related to Active Directory Replication There are a few tools available to help you monitor replication. You can be certain that a question or two will require familiarity with these tools:
• • •
Repadmin Dcdiag ReplMon
Exam Tip I was just kidding back there when I said nothing ever goes wrong. Microsoft expects you to have an understanding of what tools can help diagnose and resolve problems when they occur. Of these, all except ReplMon are command line–based tools. None of them are installed by default. These tools, along with several others, are stored in the \Support\Tools directory on the Windows Server 2003 CD-ROM. But before you can use any of these tools, they must first be installed. The easiest way to install the support tools is just to double-click the Suptools.msi setup file in \Support\Tools folder. This option will install several support tools besides the tools mentioned in the aforementioned list. If you wish, you could also extract just the tools you want to work with by opening the Support.cab file and then extracting the desired files out of the cabinet.
Repadmin The Replication Diagnostic Tool, more commonly known by its short name of Repadmin, can help you diagnose Active Directory replication problems between domain controllers. Using this tool, administrators can look at the replication topology as seen from the point of view of each domain controller.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:03 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
137
Repadmin can also be used to force replication between domain controllers or to manually create a replication topology. However, this is not normally required, or even recommended, because of the behind-the-scenes work of the KCC.
Travel Advisory If you don’t know what you’re doing with this tool, don’t. Incorrect configuration of the replication topology can result in degraded replication performance. The primary use of this tool is for monitoring purposes, or for occasional forcing of replication, not for configuration of replication topology. Repadmin uses the following syntax: repadmin Operation Parameters [/rpc] [/ldap] [/u:Domain\User][/pw:{Password | *}]
The Repadmin tool then uses a variety of switches to tell it what kind of replication to monitor. For example, if you wanted to know the bridgehead servers for a specific site, you would use the /bridgeheads command. It would look something like this: repadmin /bridgeheads [DC_LIST],
where DC_LIST specifies the host name of a domain controller, or a list of domain controllers that you wish to be designated as bridgeheads. The domain controllers in the list need to be separated by spaces. To force a replication event, you use, appropriately, the /replicate command. Use replicate with further arguments that fine-tune replication behavior. For example, to command a full synchronization between domain controllers, the syntax is as follows: repadmin /replicate Destination_DC Source_DC [/full]
The /full switch ensures a full synchronization between the source and destination computer.
Dcdiag The Domain Controller Diagnostics tool is yet another monitoring tool that you can use to analyze the state of the domain controllers in either your domain or forest enterprise. Dcdiag works by letting you select specific domain controllers to run diagnostic tests. These tests utilize given a set of scope parameters you enter at the command prompt. The scope reporting boundaries can include a
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:03 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
138
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
forest, a site, or even a single domain controller. The utility is used with the following syntax: dcdiag /s:DomainController [/n:NamingContext] [/u:Domain\UserName /p:{* | Password | ""}]
There are several switches, then, that will allow you to futher modify the utility’s behavior. For example, if you notice there’s an unresponsive server, and want to perform a simple test to find out why, you could use the Dcdiag tool as follows: dcdiag /s:lanscape1 /u: Domain\administrator p:/ password /e
The /e switch will test the entire enterprise’s domain controllers. You will see a report generated as domain controllers throughout are tested for connectivity, and any domain controllers that do not pass will be identified in this report.
Travel Advisory It is impractical to try to memorize command prompt syntax other than for a few of the most commonly used tools, and Microsoft doesn’t expect you to on its exams. I have mentioned this before, but it’s much more important to learn when a tool might be used, and then to remember the /? switch to get online help as to proper syntax when it’s time to actually use the utility.
Replmon I saved the best for last. If you’re like me, you quickly develop an affinity for anything that saves you from having to type. The Active Directory Replication Monitor is just such a thing. The Replmon tool provides you with a GUI to many varied replication monitoring features, allowing you to see what’s being transferred between domain controllers with a point and click interface. This tool lets you force replication between domain controllers, and allows you to quickly generate a visual map of the network’s replication topology, as well as generate reports on the performance and history of Active Directory replication. To run the Replmon utility, follow these steps: 1. Type replmon from the Run dialog box. The Active Directory Replication Monitor MMC snap-in will open. 2. To select which servers to monitor, right-click on the Monitored Servers node, and then click on the only option, Add Monitored Server. 3. The Add Monitored Server Wizard appears, helping you make a selection. You can type the name of a specific server or browse the directory for a server.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:04 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
139
4. If you select the Search The Directory option, you’ll choose a domain from the drop-down list, and then click Next. 5. Browse the site containers for servers to monitor. Expand the appropriate site, and select your server, as shown in Figure 4.8. Now that you know how to open the utility and add a server, you should be aware of what its monitoring capabilities are. Here’s a partial list, along with instructions for a few selections:
• •
See when a replication partner fails.
•
View the properties of directory replication partners: right-click on the server object, and choose Show Domain Controllers In Domain, You’ll get a report similar to the one shown in Figure 4.9.
•
View a snapshot of the performance counters on the computer, and the Registry configuration of the server: right-click the server, then choose Show Current Performance Data.
•
Generate status reports that include direct and transitive replication partners, and detail a record of changes: right-click the server, then choose Generate Status Report.
View the history of successful and failed replication changes for troubleshooting purposes: right-click the server, and choose Generate Status Report.
FIGURE 4.8
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:04 AM
Adding a server to Active Directory Replication Monitor
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
140
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
• • • •
Find all direct and transitive replication partners on the network: right-click the server, then choose Show Trust Relationships. Display replication topology: right-click the server, then choose Show Replication Topologies. Force replication: right-click the server, then choose Synchronize Each Directory Partition With Replication Partners. Monitor replication status of domain controllers from multiple forests.
Given the above list, it’s not a stretch to say it may be the only replication monitoring tool you’ll ever need. Also, you can see the use of this tool is pretty straightforward—everything begins with a right-click.
Network Monitor Like many of the tools discussed in this chapter, you should know the function of Network Monitor. This section gives you an overview of that function, but a full discussion of everything you could do with Network Monitor is not only beyond the scope if this book, but would also eat up precious pages, and we’ve simply got other ground to cover. The Network Monitor is a packet capturing tool. It records packets that are sent to and from the computer on which it’s running. Normally, it captures all traffic sent and received, but you can configure Network Monitor Filters to capture
FIGURE 4.9
Replmon shows all domain controllers in the domain.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:04 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
141
only certain kinds of packets, such as DNS queries, or traffic from only certain IP addresses.
Travel Advisory The Network Monitor included with System Management Server (SMS) 2.0 is more robust, allowing for packet capture to and from any node in the network. Network Monitor is a fascinating tool. Many times in your computer education, you’re told about the “layered” nature of the network protocols. This tool lets you peel open the packets and look at the information stored in these layers. For example, the IP header information contains information about the source and destination address of the packet. IT does not include the destination port number. That information is stored in the TCP or UPD layers. Each of these layers can be examined in complete detail using the Network Monitor. The Network Monitor is not installed by default. To add the Network Monitor, you must first install it by opening the Control Panel, opening the Add/Remove Programs application, and then Adding A Windows Component. You’ll find Network Monitor as a component of the Management And Monitoring Tools. Once installed, a menu shortcut is placed in your Administrative tools, and you choose this shortcut to launch the Network Monitor. You could also add the Network Monitor to a custom MMC console. To start capturing network packets with Network Monitor, first select a network interface you want to monitor. Then use the toolbar buttons (you could use the Capture menu as well) in the Station Stats window to start the capture, as seen in Figure 4.10. The Station Stats window gives you general information about the capture, including the duration, how many packets are captured, and what nodes are captured from. You can also use this window to get a feel for overall bandwidth usage on your network. When the capture is finished, either choose Stop or Stop And View to view the packets captured. If the capture is stopped, click the View button (looks like a pair of glasses) in the Station Stats window to go to the Capture Summary window. When you’re viewing the capture, the Capture Summary displays all packets captures, along with general information about the packet, such as where the packet originated, and where its destination was. Double-clicking one of the packets brings up the Capture Detail window, where you can look at the component parts of the packet. As seen in Figure 4.11, this Capture Detail window lets you see exactly what the packet was for. The packet shown here was a query for DNS resolution for the name www.yahoo.com.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:04 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
142
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 4.10
StationStats for the capture
FIGURE 4.11
The Capture Detail window
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:05 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
143
Travel Assistance For a more detailed discussion of the Network Monitor, as well as a discussion of the Performance Console, which can generate reports regarding server processor, memory, and disk performance, all which can be affected by replication, please refer to Mike Meyers’ MCSE/MCSA Implementing a Windows Server 2003 Network Infrastructure Certification Passport (Exam 70-291) by Walter Glenn, Mike Simpson, and Jason Zandri (McGraw-Hill/Osborne, 2003). You might note that the Network Monitor is a tool that lets you view the kinds of packets sent and received by a network node, but it doesn’t really help you resolve any issues you might detect. To fix any problems you might uncover using the Network Monitor, you will have to use one of the other tools presented in this chapter or throughout the book. For example, if you are capturing a lot of Active Directory logon traffic from computers that exist in another office, you might want to install a domain controller in that other office and make sure it is in a remote site you’ve set up using Active Directory Sites And Services.
Directory Service Log in Event Viewer Another diagnostic tool that helps troubleshoot and diagnose Active Directory problems is the Directory Service log in Event Viewer. This log file is added to when the Windows 2003 Server machine is acting as a domain controller. To view the Event Viewer logs, open the Event Viewer from the Administrative Tools or through the Computer Management MMC snap-in. Some of the log events captured by the Event Viewer can be very helpful; others are a little esoteric. In the Directory Service log file, there are three types of log events captured:
• • •
Informational Provide information only and do not indicate a problem. Warnings Indicate potential trouble spots, but are not necessarily indicators of impending doom. Errors
Should be immediately investigated and resolved if possible.
To display the information captured by an event in the Directory Service log file, select the Directory Service node from the Event Viewer Console, and double-click on an event to investigate. The results shown in the Properties dialog box of the event will inform you of the time and date of the capture, the user, and the computer involved, among other information. What other information is displayed will depend on what kind of event has been logged. In the example shown in Figure 4.12, you see a general informational message, informing you that a Global Catalog server has been found.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:05 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
144
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 4.12
Event Viewer provides a graphical interface for boring old log files.
Travel Advisory Remember, you won’t see the Directory Service log file in Event Viewer unless your server is configured as a domain controller. All Windows systems with the Event Viewer should have at least three logs: the System, Security, and Application log files. Configuring the log file properties is a fairly straightforward exercise, one which most administrators are familiar with by now. Essentially, you’re just configuring the properties of a text file: how large it will be, where it will be stored, and what happens when it fills up with collected data. By default, the logging policy is set so that when the log gets full, the oldest events are deleted to make room for new events, with the stipulation that events are at least seven days old. You can further customize this policy, referred to as the event log wrapping options, with the radio buttons on the General tab of the log file’s Properties dialog box. With these options, you set the log file wrapping behavior as follows:
•
Overwrite events as needed New events will be written even though the log is full. New events will replace the oldest event in the log. If archiving DNS events isn’t important (usually it’s not), this option is a good choice.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:05 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
•
Overwrite events older than x days Retain the log for the number of days you specify before overwriting events. The default is seven days. This option is the best choice if you want to archive log files weekly. This strategy minimizes the chance of losing important log entries and at the same time keeps log sizes reasonable.
•
Do not overwrite events Clear or archive the log manually rather than automatically. Select this option only if you cannot afford to miss an event (for example, for the security log at a site where security is extremely important).
145
You can also set the maximum log file size on the General tab as well using the Maximum Log File Size entry. By configuring a larger maximum log file size than the default of 16384 KB, you can put off some of the wrapping behavior just mentioned when the max log file size is breached.
CHECKPOINT ✔Objective 4.01: Manage an Active Directory Forest and Domain Structure
In this chapter, we’ve built upon our foundation of Active Directory understanding, and now know a little bit more about what to do when Active Directory behaves other than as planned. On those rare occasions where it is warranted, administrators sometimes need to extend the schema. This chapter looked at the tasks involved when this needs to be done. We also discussed the impact that schema modification has on the entire Active Directory forest.
✔Objective 4.02: Restore Active Directory Directory Services
Significant here, especially for real-world purposes, was the discussion of how to back up and restore Active Directory information. We examined the difference between a nonauthoritative and an authoritative restore. We also looked at the restore procedure, and the tools necessary to perform one.
✔Objective 4.03: Troubleshoot Active Directory
We also looked at several tools used to monitor and troubleshoot Active Directory replication. These tools included the Network Monitor and the Event Viewer, as well as replmon, dcdiag, and repadmin. In the next chapter, we turn our attention from the building of Active Directory to the population of Active Directory: we’ll be adding users and groups so that Active Directory can provide a functional and secure computing environment for the users in our enterprise.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:06 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
146
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
REVIEW QUESTIONS 1. You are administering a domain controller that has recently failed. As part of the repair, you need to restore the drive that held the SYSVOL directory. You reformat the drive and install Windows Server 2003. You then run the Backup utility and attempt to restore the domain controller, but receive an error. What is the cause of the problem? A. You should use Ntbackup from the command line. B. The drive letter holding the SYSVOL folder should be the same as it was before. C. You should run DCPROMO in restore mode. D. You need to reboot the machine and start in Directory Services restore mode before repairing the SYSVOL directory. 2. You are one of the domain administrators for a corporation that utilizes a multidomain Windows 2003 Active Directory forest structure. The domain you are the administrator for is not the forest root. After meeting to discuss changes to the forest’s base schema, it’s been decided by all the domain administrators in the network to deactivate a few attributes, and the task has been left to you. However, you are unable to open the Active Directory Schema MMC snap-in. What is the problem? Choose all that apply. A. B. C. D.
You are not part of the Enterprise Admins group. You must be domain administrator of the forest root. Your account must be added to the Schema Admins group. A Group Policy must be configured to Allow Schema Management to the domain when the domain is not the forest root.
3. You are one of the domain administrators for a corporation that utilizes a multidomain Windows 2003 Active Directory forest structure. You are using the default administrator account of the forest root domain, and are also in the Enterprise Admins universal group. After meeting to discuss changes to the forest’s base schema, it’s been decided by all the domain admins to extend the schema, and because of your superior knowledge, you will perform the modifications. You log on using one of the computers in a child domain, and then open the Active Directory Schema MMC snap-in. However, changes to the schema are unsuccessful. What could be the cause of the problem? Choose all that apply. A. The schema master is not available. B. You need to log on using a resource in the forest root domain.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:06 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
147
C. You have not registered the Active Directory Schema console by running regsvr32 schmmgmt.dll. D. You need to add your account to the Schema Admins group. 4. You are the administrator for a domain with five domain controllers running Windows Server 2003. The system state on each domain controller is backed up nightly. A hard drive on one of the domain controllers has gone bad. While the problem was being fixed, another domain admin accidentally deleted several user accounts. Now the hard drive has been replaced, and Windows Server 2003 has been installed on the domain controller. What is the best way to handle this problem with a minimum of administrative overhead? A. Let the fixed domain controller synchronize with the existing domain controllers, and then recreate all the user accounts with a scripting tool. B. Perform a primary restore using the newly fixed domain controller. C. Use the system state information of the failed domain controller and perform an authoritative restore. D. Extract just the user accounts that have been deleted from the backed-up system data of the failed domain controller, and then let the KCC handle the replication of the accounts. 5. There are several things you can do with the Ntdsutil command line utility. Which of the following is not among them? Choose all the apply. A. B. C. D.
Change FSMO server roles Perform an authoritative restore of Active Directory Change the USN number for an object in Active Directory Perform a nonauthoritative restore of Active Directory
6. You are administering a Windows 2003 Active Directory network in only a single domain. One of the domain controllers fails just after you deleted an organizational unit on that domain controller. You examine the other domain controllers, and determine that replication had not occurred before the failure. What should you do to restore the organizational unit to its original state on the failed domain controller? A. Perform an authoritative restore on the failed domain controller. B. Perform a nonauthoritative restore on the failed domain controller. C. Reinstall Windows Server 2003, run DCPROMO, then recreate the original organizational unit. D. Restart the computer and use the recovery console. Run the Ntdsutil utility to mark the object for authoritative restore.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:06 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
148
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
7. You are administering a Windows Server 2003 Active Directory enterprise, and you want to generate a graphical representation of your replication topology for inclusion in a report about site design. What utility can best facilitate this operation? A. B. C. D.
Ntdsutil Network Monitor Event Viewer Replmon
8. You have just extended the schema using the Active Directory Schema MMC snap-in so that users can track a resource ID for each computer object. After running a Network Monitor Capture, you find that queries for this attribute are being run often against domain controllers. What can you do to improve the performance of the queries? A. Configure a site for each subnet in your network and place a Global Catalog server in each site B. Install additional domain controllers to distribute the queries to multiple computers in the network, reducing congestion on domain controllers C. Index the attribute using the Active Directory Schema tool D. Reload the schema cache on the domain controllers 9. You have obtained an OID number for purposes of creating a new attribute object in the schema in your Windows 2003 forest. You create the attribute using that OID, and use it to describe user class objects. Later, a change in the organization makes the attribute obsolete, but another attribute is needed for describing the user objects. You try to create a new attribute using the same OID, but are unable to do so. What is causing the problem? Choose all that apply. A. The forest has not been upgraded to the Windows 2003 functional level. B. The Schema attribute has not been deleted. C. The domain should be running in Windows 2000 mixed mode. Windows 2003 mode does not allow reuse of OIDs. D. The Schema attribute should be deactivated.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:06 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
CHAPTER 4 Managing and Maintaining an Active Directory Infrastructure
REVIEW ANSWERS 1.
To restore a domain controller, you need to reboot after installing Active Directory and start in Directory Services restore mode. You can then restore the SYSVOL directory. The drive letter should be the same, but it doesn’t necessarily have to be for the SYSVOL folder to be restored, and because the system has not been restarted in restore mode, that is not the problem here.
2.
To modify the schema, a user must be added to the Schema Admins universal group. This group has only the original administrator account on the forest root’s domain as a member by default, and accounts added to the group do not necessarily have to be admins.
3.
Because you are using the default administrator account for the forest root, you are, by default, the only user added to the Schema Admins group. In the scenario here, the most likely cause is that the Schema Master is not available, and no changes can be written to the schema.
4.
If you want to roll back the clock so that the domain uses a previous version of Active Directory, you should perform an authoritative restore.
5.
Ntdsutil is used to perform authoritative restores in Active Directory after using the Backup utility in Directory Services restore mode. It can also selectively change the USN number for Active Directory objects. It can also be used to transfer certain FSMO server roles. It is not, however, used for nonauthoritative restores. The Backup utility is used for nonauthoritative restores.
6.
Because the deleted object has not been replicated yet, the other domain controllers will have a record for the organizational unit. Therefore, a nonauthoritative restore would cause the OU to be replicated back to the failed domain controller. If the restore was authoritative, the deletion would be replicated.
7.
Replication Monitor can be used to quickly generate a map of replication topology. None of the other tools listed here have this capability.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:06 AM
149
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
150
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 4
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
8.
To improve performance of queries, you should index the newly added attribute by right-clicking the attribute in the Active Directory Schema tool, then selecting Index This Attribute in the Properties dialog box.
9.
You can reuse an OID for defining schema attributes, but two things have to be in place before you do: the forest must be running at the Windows 2003 functional level, and the attribute must be deactivated in the schema. Once objects or attributes are defined, they cannot be deleted, only deactivated.
P:\010Comp\Passport\575-0\ch04.vp Tuesday, August 05, 2003 9:41:06 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
Planning and Implementing User, Computer, and Group Strategies
5
ITINERARY
• • •
Objective 5.01 Objective 5.02 Objective 5.03
•
Objective 5.04
Plan a Security Group Strategy Plan a User Authentication Strategy Secure Resources with NTFS and Share Level Resources Implement an OU Structure
NEWBIE
SOME EXPERIENCE
EXPERT
6–8 hours
4 hours
2 hours
151
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:56 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
152
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Now that we’ve built our Active Directory infrastructure, it’s time to start populating Active Directory with objects, and then manage those objects. This chapter focuses on strategy. We’ll start with a look at the steps to add user accounts, and then divide those accounts into groups to facilitate easier user management. Learning how to create user accounts is pretty easy from a button-pushing standpoint, but as administrators, we then manage those accounts: move them, reset passwords, disable them, and so on. Users will be created, and then (unfortunately) they will log on to begin accessing domain resources. But just how the users present their logon credentials is yet another area where administrators can exert discretion. Most networks use user names and passwords to access the domain, although other credential presentation methods, such as Smart Cards, are also configurable. Once you’ve defined who can access the domain’s resources, it’s time to define what they can access. NTFS file and folder permissions will be an essential part of securing domain resources, and you’ll be expected to know how they interact with each other and how they interact wth share level permissions. Finally, after adding accounts and creating security groups, we’ll examine more facets of OU strategy. In the chapter’s final section, you’ll then learn more about the Organizational Unit creation process and how they can be used to divide up administrative responsibilities throughout the domain.
Objective 5.01
Plan a Security Group Strategy
A
s first explored in Chapter 1, a user account allows a user to log on to the local computer, or, in the case of a Windows 2003 Active Directory environments, one of the domains in your forest. The user account’s credentials are validated against the directory database to which they are submitted, and if authenticated, the user account is granted an access token at logon time. Included in this access token is the user account security identifier (SID), along with the SIDs for any group account the user is a member of. This access token is presented against access control lists (ACLs) to determine a level of access to a resource. Every user participating in a Windows 2003 Active Directory domain needs a user account and password. Further, user accounts are sometimes used as service accounts when accessing Back Office applications such as Exchange Server and SQL Server. Even if you are not using an Active Directory domain for access
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:56 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
153
to network resources, you still need an account to use the local Windows Server 2003 machine. In this case, you will be using a local account.
Local vs. Domain Accounts and Groups Another important point to understand about user accounts and groups is where they are created. In a Windows 2003 network environment, there are two places where we can create accounts: locally and in the domain.
Local Accounts When we create a local account, we create a new security identifier in a directory database that’s stored in a directory on that machine’s local hard drive. A local account can be created on any computer that’s a part of a workgroup, or on any member computers of an Active Directory domain, as long as the computer is also not a domain controller.
Travel Advisory Potential member computers in a domain include systems running NT 4.0, Windows 2000 Professional, XP Professional, and Server 2003. Other operating systems, such as Windows 98 and XP Home, do not create computer accounts in the domain and are therefore not considered members. You can still log on to a domain from one of these “lesser” operating systems, but the computer itself won’t be a member of the domain. With a local account, a user has the ability to log on locally to the machine where the account resides. However, when using a local account, the user is restricted to using only the resources on that computer. If they want to access a resource on a computer elsewhere in the network, they will have to do so in the context of a user account valid on the target machine (unless the resource has been made available to the Everyone group). This becomes a disadvantage as the network starts to grow and users need multiple accounts defined to access resources that are stored on multiple computers. Figure 5.1 shows you the principals of local accounts in a workgroup environment. How do you know you’re using a local account when logging on? You specify where the account will be submitted in the Log On To section of the Log On To Windows dialog box. If the selection in the drop-down menu says computername (This Computer), then you are trying to submit a local account for logon.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:56 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
154
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 5.1
Using a local account
Domain Accounts A domain user account, conversely, is created on a domain controller and is stored in the Active Directory database. The domain controller stores a replica of this database, keeps it up to date with the latest changes by synchronizing with other domain controllers, and checks the database when validating the user logon attempt. Because the account credentials are submitted to a central location, they can be submitted from any computer in the domain. (Unless, that is, you’ve restricted which computers the user can log on from, as is your prerogative as domain administrator. It’s good to be the king. Look, there are exceptions to almost everything we’re talking about here, and there are few logon contingencies you could bring up which Windows 2003 doesn’t have an answer for. If I were teaching a class, I could just lower my voice or tilt my head or wave my arms in a manner that lets you know that there are exceptions, and you will most assuredly know them all by the time you’re through. However, in print, I’m forced to resort to the mildly bothersome use of frequent parentheticals. So just bear with me.) For that reason, it’s not wise to create two Brian accounts for logon, one for the domain and one for the local computer. All the user needs is the single domain account. The domain account still gives Brian the right to use every computer in the domain (with the exception of the domain controllers themselves, which by default restrict who is able to log on at those machines). As seen in Figure 5.2, a domain account only needs to be defined once per user. I’ve seen this time and time again at companies, by the way: administrators who think they need to be able to use the local administrator account to perform administrative tasks. They don’t. The domain account will do just fine, unless the default group memberships have been toyed with. We’ll discuss some of the default group memberships, especially the Administrators groups memberships, in a few tables later in the chapter.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:57 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
FIGURE 5.2
155
A domain simplifies administration as the network grows.
Creating a Domain User Account You should already know by now how to create a local user account. Unless you’re using the command prompt, you use the Computer Management MMC snap-in and then the Users node under Local Users And Groups. With the Users node selected, right-click and choose New User, and then fill in the blanks of the ensuing dialog boxes. But this book, and the test you’re preparing for, is not concerned with the creation or use of local accounts. If you try to attempt this on a Windows Server 2003 machine and are successful, by the way, there’s one thing I can tell you about the computer: it is not a domain controller. If it were, the creation of a local account would be impossible (unless you started up in safe mode or directory services mode). Because the directory database on 2003 domain controllers is the Active Directory database, creation of any user account will be a domain account. In other words, there aren’t any local accounts on domain controllers. In fact, when you upgrade a member server to a domain controller, all local accounts present are transformed into domain accounts. Creation of a Security Principal Also understand that when you create a user account in Active Directory you are creating a security principal in the Active Directory database. A security principal is a software object over which security settings are applied. This concept is best illustrated by example rather than explained. If you want to restrict access to a resource, you do so by modifying the permissions of a security principal. For example, you edit the access control list (ACL) so that the user account, or security principal, named Brian is allowed read-only access to the resource. Other examples of security principals include group accounts, which get their own section later.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:57 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
156
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
A domain user account is made of two parts:
• •
The prefix, which is the user logon name. It’s also known as the security principal name. The suffix, which identifies the parent domain where the user account is housed.
When you combine the two parts of the username using the @ symbol, you get the user’s universal principal name (UPN). If you’ve ever sent an e-mail, you’re already familiar with this syntax, as the UPN will look something like this:
[email protected]. Furthermore, a user in an Active Directory forest can use the UPN to submit account credentials without selecting from the dropdown list of domains. This can come in handy if the user is logging in remotely, or if there are several domains linked in the forest and the user is using a computer that’s in a domain other than the one where his account resides.
Travel Advisory You can give several users the same name in an Active Directory forest, as long as the full name is unique to the parent OU (container) where the account is created. However, each UPN in a forest must be unique. For example, there can be several users named Jessica Wilson in the forest, but only one
[email protected]. If you have mastered the procedure of creating a local account, you won’t have any problems creating a domain based account either. About the only significant difference, besides where the account will live, is the tool used. Here’s what you’ll do: 1. In Active Directory Users And Computers, select the container where you want to add the user account. You normally put your user accounts in the Users folder or, better, in one of your organizational units, but you can create a user account in any container in Active Directory Users And Computers. You add a user to the domain container or even to the Computers container if you want. After you’ve made the selection, right-click and choose New | User. 2. The New Users dialog box appears. You saw this dialog box in the last chapter when discussing UPN suffixes. Give the user a first name, last name, full name, and logon name. Remember that the logon name must be unique to the forest. Click Next.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:57 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
3. The Password Options dialog box follows, as shown in Figure 5.3, where you set the initial password and set password options. The following password options are available:
•
User must change password at next logon This forces the user to change the password the first time he logs on. It is checked by default to ensure ownership of passwords.
•
User cannot change password This prevents the user from changing the password, and leaves password ownership in the hands of the administrator.
•
Password never expires This will override any password expiration settings you’ve configured through a Group Policy. We will begin discussing Group Policies in the next chapter.
•
Account is disabled This check box is used by the administrator to disable the account. If this box is checked, the account is active, but cannot be used to log on. This can sometimes be useful when creating a template for copying user accounts.
4. Click Next, and you get the Finish dialog box, where you can review the settings of the new account.
FIGURE 5.3
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:57 AM
The password options at account creation time
157
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
158
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Travel Advisory Oftentimes, you perform administration of the domain from a computer other than the domain controller. If you want to have the Active Directory Users And Computers snap-in available on a computer running XP Professional, for example, you need to install the Windows 2003 Administration Tool by running the adminpak.msi installer. This file is placed in the WINDOWS\ system32 directory on all domain controllers, and is also available on the Windows 2003 installation CD-ROM in the \I386 directory.
Using the Command Line This book notwithstanding, I really don’t enjoy typing. If there’s a graphical tool that will accomplish the same thing, I say put it to use and save on those keystrokes. However, Microsoft is usually pretty good at slipping in a question or two about the command line utilities even though nine times out of ten you opt to use the graphical tool instead. Adding and changing a user account can be done with the command line as well as with Active Directory Users And Computers. The utilities used are these:
•
dsadd The Directory Services Add utility lets you add an account to Active Directory. Its syntax is: dsadd user UserDN [-samid SAMName] -pwd {Password|*}
where UserDN is the user distinguished name, and SAMName is the user Security Accounts Manager (SAM) name. If it’s not specified, the SAM name will be generated using the first 20 characters of the UserDN. The -pwd sets the initial password, but if you enter the asterisk as its value, you will be prompted for the password. The dsadd utility can also be used to create new computer and group accounts, as well as new organizational units. For example, if you wanted to create a new user named Kim Frank to an organizational unit called InformationTechnology in a domain called beanlake.com, setting an initial password, the syntax will look something like this: dsadd user cn=kimfrank, cn=InformationTechnology, dc=beanlake, dc=com –samid kimfrank –pwd P@ssw0rd
•
dsmod The Directory Services Modify command line utility is used to alter a wide range of account properties. An example of its syntax is as follows: dsmod user UserDN -disabled {yes|no}
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:58 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
159
In this syntax example, you specify the user account with its DN, and then use the -disabled switch to disable the account. You can use the dsmod to reset user passwords, add users or computer accounts to groups, and convert a distribution group to a security group, to name a few.
•
dsrm The Directory Services Remove utility can delete Active Directory objects from the command line. In the following example, the dsrm tool is used to delete a group: dsrm GroupDN
where the group’s distinguished name is used to specify which group will be deleted. Group accounts can be safely deleted without affecting the user accounts the group contains. However, note that the dsrm tool can be used to delete organizational units as well, and when you do you must take care not to delete all objects the OU contains.
Travel Assistance For detailed information about each of the command line Directory Service utilities, please see the Windows Server 2003 Help Files, and look up Command-Line Reference. Again, why bother learning these tools when the Active Directory Users And Computers graphical tool lets you do these things with a lot less typing? You might see these referenced somewhere in the exam, and I want you to recognize the significance of the acronym. As you just saw, the command line can be used not only to create accounts but also to move them around. Accounts can be moved within a single domain, or between domains in a forest, but the procedure for each operation differs, as explained in the next section.
Moving User Accounts Once a user account is created, you’re free to move the account to other Active Directory containers as your organizational needs require. Moving user accounts between containers within a single Active Directory domain is a very simple process. It’s most often done to move accounts from one OU to another. To do so, follow these steps: 1. Launch the Active Directory Users And Computers snap-in, and navigate through the tree structure to the user you wish to move.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:58 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
160
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
2. Right-click the account and choose Move from the context menu. 3. From the Move dialog box, shown here, just choose the folder or OU which will be the new residence for the account and click OK when you’re done.
That’s it! You could also use the command line to do the same thing, by the way. The utility is called dsmove, and its syntax is as follows: dsmove ObjectDN [-newname NewName] [-newparent ParentDN] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}] [-q] [{-uc | -uco | -uci}]
The Directory Services Move utility will let you move a single Active Directory object from its current location to another location in the directory, as long as the move operation occurs within a single domain. It can also be used to rename a single object without moving it elsewhere in the directory tree. But no matter which tool you use, moving objects between domains is a fairly straightforward procedure. In fact, using the Active Directory Users And Computers tool in Windows Server 2003, you can even drag and drop accounts between organizational units. The movement between domains, however, is a bit more involved. This is a new feature to Server 2003, so even though it doesn’t take long to explain, it’s certainly a point worth noting.
Moving Objects Between Domains If you are administering a bigger enterprise with several domains, sometimes a user account needs to be moved between domains. This is a more complex procedure to the domain controllers, as the user account contains the SID for the
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:58 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
161
domain as well as the relative identifier of the account in the domain. (Also recall from Chapter 2 that the RID master will be consulted during this procedure; the RID master ensures that all RIDs are unique.) Subsequently, there are two different utilities used for this purpose: the Active Directory Migration Tool (ADMT) and MOVETREE. Using the Active Directory Migration Tool The Active Directory Migration Tool is a graphical, MMC-based utility used for migration of user accounts, computer accounts, and groups from one domain to another. It can be used to move these objects within an Active Directory forest, and is especially valuable when moving accounts from Windows NT 4 domains into the Active Directory environment. The snap-in is available from the installation CD-ROM and is located in the \i386\ADMT folder. You can use the ADMT from the command line as well. The syntax to move an account using the ADMT tool from a command prompt is this: admt user Parameters Subparameters
It can become quite convoluted, and may even become a junior administrator’s specialized area of expertise. For example, to move a user named KimF from a domain called beanlake.com to a domain called lanscape.net, placing the account in the Atchison OU, the command would read thusly: ADMT user /N "KimF" /SD:"beanlake.com" /TD:"lanscape.net" /TO:"Atchison" /MSS:Yes /TRP:Yes /CO:Replace
The MSS parameter migrates the source user SID to the target account, the TRP transfers roaming profiles, and the CO parameter replaces an existing account in the target domain with the migrated account, if a duplicate exists.
Travel Assistance For more information about using the ADMT, install the tool from the \i386\ADMT folder location and refer to the online help files, which will walk you through several usage scenarios.
Using MOVETREE The other utility used for moving objects between domains is called MOVETREE. MOVETREE is installed when you install the Windows Server 2003 support tools from the \Support\Tools folder on the distribution CD-ROM.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:58 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
162
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Once installed, you can run MOVETREE from the command prompt, whose syntax will be as follows: Movetree /operation /s source server /d destination server /sdn source name /ddn destination name /u domain\username /p password
Remember, the /? switch will help you use the proper syntax when it’s actually time to use the tool. It’s important that you know the function of MOVETREE as you prepare for the exam. The important distinction is that Active Directory Users And Computers cannot be used to move users (or computers or organizational units) between domains.
Travel Advisory Although most often used to move user accounts, the MOVETREE utility can also be used to move organizational units and computer accounts. Keep this in mind as we turn our attention to OUs later in this chapter.
Creating Lots of Users at Once If you need to create multiple users in a short period of time, you might want to consider using one of the directory services import utilities. These utilities take the contents of a file and use the entries to quickly generate tens, if not hundreds, of user accounts all in one fell swoop. The CSVDE Utility The Comma Separated Value Directory Exchange utility works with information stored in a comma-separated value (CSV) file. You can use the values in this file to make bulk imports of user information into the Active Directory database. You can also use this utility to export user account values to a .csv file. You’ll use the CSVDE utility in this way: csvde [-i] [-f FileName] [-s ServerName] [-c String1 String2] -v] [-j Path] [-t PortNumber] [-d BaseDN] [-r LDAPFilter] [-p Scope] [-l LDAPAttributeList] [-o LDAPAttributeList] [-g] [-m] [-n] [-k] [-a UserDistinguishedName Password] [-b UserName Domain Password]
Almost any application that deals with storing directory records can work with a .csv file. For example, you can export Microsoft Exchange user information to a .csv file (Exchange can import this data as well), and then you can use the file with the CSVDE to quickly create Active Directory users. Further, almost any database can be populated with records that come from a .csv file. Because Active Directory is a database, it is no different.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:59 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
163
You can also use the CSVDE utility to export user accounts and all attributes of the user accounts to a comma-separated file. In fact, the default mode of the CSVDE is export mode. (You use the –i switch to import information into Active Directory). Using this method, you could export user information in a particular OU or domain and then use that data to populate the Contacts folder in Outlook. You can also use Active Directory Users And Computers to quickly export Active Directory user information to a .csv file. To do this, choose the container object you want to export data from using Active Directory Users And Computers, right-click and choose Export List from the context menu. You’ll then be given an Export List dialog box, where you can specify a .csv file. The drawback here is that when using this technique, only the information viewable in the MMC display—such as name and description—are exported. The LDIFDE Utility The Lightweight Directory Access Protocol Interchange Format Directory Exchange utility is a close cousin to CSVDE. The LDIFDE, however, is a more flexible tool, allowing you to create, modify, and delete almost any directory object from the command line. Additionally, the LDIFDE tool can also be used to extend the schema, and export Active Directory user and group information to other applications or services. As with its cousin the CSVDE tool, it can also be used to populate Active Directory with records stored in other directory services, like Exchange. Its syntax is as follows: ldifde [-i] [-f FileName] [-s ServerName] [-c String1 String2] [-v] [-j Path] [-t PortNumber] [-d BaseDN] [-r LDAPFilter] [-p Scope] [-l LDAPAttributeList] [-o LDAPAttributeList] [-g] [-m] [-n] [-k] [-a UserDistinguishedName Password] [-b UserName Domain Password] [-?]
The main advantage of the LDIFDE utility when creating large numbers of user accounts at once is that it is not limited to use of .csv files only. It’s pretty much assumed by Microsoft, on its MSCE exams, that you have the skills necessary to create a user account. Although an important part of any network administrator’s daily life, it is not considered a core skill for purposes of testing. We spend some time learning the procedure for creating user accounts so that we can have some accounts to manage with security groups, which is the focus of this objective.
Groups in Windows 2003 First of all, let’s understand why administrators create groups: to make things easier. What kinds of things? Usually, the things that are made easier include the management of permissions and user rights. That’s because any permission you
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:59 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
164
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
grant to a group applies equally to all members of a group. So rather than have an access control list populated by tens, hundreds, even thousands of entries, you can secure resources with just an entry or two. It’s also worth delineating the difference between a user right and a user permission. A permission gives a user a level of access to a resource. These resources can include a file or printer, or an active directory object, as we’ve seen. A user right is the ability to perform a task. An example of such a right is the right to back something up. For example, you don’t necessarily need the permission to read something to have the right to back it up. Or you might have the right to access a computer from the network, but you don’t have the permission to access all the files.
Travel Advisory In Active Directory, a group is treated like a user account. In other words, a group is a single account, with a security identifier (SID), just like a user account. The user account just has many other SIDs associated with it. Before we begin using groups to specify permissions and rights, we must first learn how to set them up, and more importantly, learn about all the different kinds of groups that can be set up. The next section examines these issues.
Creating a Group Because the creation of users and groups is, as far as the directory database is concerned, essentially the same operation (that is, creating a new SID), you use the same tool to create both users and groups. This is true when we create local groups; the utility used is Computer Management (unless you want to use the command line). The tool we use to create domain users is Active Directory Users And Computers, and it’s also where we will make our groups. Therefore, you begin the creation of a group just like you do the creation of a user account. Start by selecting the container where the group will live, right-click, choose New, and then choose Group.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:59 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
165
Travel Advisory There are several groups created by the installation process of the Windows Server 2003 operating system, and there are more created by the installation of Active Directory. In Active Directory Users And Computers, these built-in group accounts are created in two places: the Users container and the BuiltIn container. You shouldn’t spend time memorizing all of these built-in groups, but it won’t hurt to be familiar with them. The significance of these groups is that its members have certain predefined user rights, most of which are suggested by the names of the groups. See the section “Built-in and Predefined Groups” later in this chapter for more information. You’ll see the New Group dialog box, as shown in Figure 5.4. Here you will choose to create one of two group types:
•
Distribution If you’ve ever created an e-mail list, you’ve got the gist of what a distribution group is for. They can only be used for distribution purposes (of messages, of e-mail, and so on) and are not used to manage permissions or rights. In other words, you will never see distribution groups used in an access control list.
•
Security These groups are used for assigning either permissions to resources or rights to perform certain tasks. They are therefore used to manage security, and it is these groups that are the focus of the Microsoft exams. You can furthermore use a security group for distribution purposes. The rest of the objective will concentrate on security groups.
So as an administrator, you’ll be mostly concerned with creating security groups, which, like user accounts, are security principals. The security group accounts can be used to define levels of permission or rights to objects in the Active Directory environment. Once you’ve settled on the type of group, the next decision is about what group scope best suits your needs. To make an informed decision, you need to understand the differences among the group scopes. There are three kinds to
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:49:59 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
166
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 5.4
Creating a new Active Directory group account
choose from, and each type has very specific definitions of who can be a member of the group and where the group can be used as a security principal. Make sure you take note of the restrictions (or lack thereof) regarding the who and the where, and you should be fine. The three group scopes are as follows:
•
Global A global group is used to gather accounts from a single domain. No accounts from other domains can be added to a global group. It can be used throughout the forest when configuring ACLs for resources.
•
Domain Local A domain local group can contain user accounts and global groups from any domain in the forest. It can be used to assign security permissions only in the domain where it was created.
•
Universal A universal group can contain user accounts and global groups, as well as other universal groups. It can be used to assign rights and permissions to any resource throughout the entire Active Directory forest. However, universal groups can only be created when the domain functionality mode is set to Windows 2000 native mode or higher.
As you’ve just seen, there are additional considerations you must factor in when creating the groups. One of the places where you’ll be most aware of domain functionality level of your domain is when you’re creating groups. Specifically, notice that the universal group scope is not available when operating in Windows 2000
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:00 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
167
mixed mode. There are other differences between modes when dealing with groups, and we’ll touch on them as needed throughout the discussion. Table 5.1 encapsulates what is and is not possible with your Active Directory group scopes when using the differing domain functionality modes. Adding Members to a Group Once the group is created, you can begin to define its membership. Group members can include user accounts, computer accounts, contacts, and other groups (with a few restrictions, as we’ll see). Why would you include a computer as a member of a security group? You might do so to grant access to one computer for a shared resource on another computer, as might be necessary for a remote backup. The steps for adding group members are very easy: 1. Open Active Directory Users And Computers and navigate to the group whose membership you wish to manage. 2. Right-click the group, and choose Properties from the context menu. From the Members tab, click Add. TABLE 5.1
Scope
Groups Behave Differently Based on Domain Functional Level
Windows 2000 Mixed
Domain local
Can contain users and global groups from any domain in the forest.
Global
Can contain only users from within the domain where the group is created. Not available in Windows 2000 mixed mode.
Universal
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:00 AM
Windows 2000 Native
Windows Server 2003
Can contain users and global groups from any domain in the forest, as well as other domain local groups from the same domain. Can also contain universal groups. Can contain users within the domain where the group resides, and other global groups from that same domain. Can contain users, global groups, and universal groups from any domain in the forest.
Can contain users and global groups from any domain in the forest, as well as other domain local groups from the same domain. Can also contain universal groups. Can contain users within the domain where the group resides, and other global groups from that same domain. Can contain users, global groups, and universal groups from any domain in the forest.
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
168
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
3. The Select Users, Contacts, Computers, Or Groups dialog box opens, as shown here.
You can just type the first letter or letters, and Active Directory will find accounts that match. Use the Advanced interface to help you search for specific accounts. Active Directory will help you find accounts that match when you click the Check Names button or just click OK. Click on OK when you’re done, and you’ll see the list of new members. If you have many users in a group already, and need to create a new group that includes those same members, you have just presented an ideal case for use of group nesting.
Group Nesting One of the benefits of upgrading the domain functionality mode is that you have ability to nest groups. This means simply placing groups of one type inside groups of the same type. In Windows 2000 mixed mode, you can still nest groups by placing a global group inside of a domain local group, which is actually Microsoft recommended practice, and is discussed in the section that follows. But in mixed mode you cannot place a global group inside an existing global group, or a domain local group in an existing domain local group. Once your domain functional level has been upgraded to Windows 2000 native or higher, however, these limitations are no longer in place. Global groups can be nested in other global groups, and domain local groups can be nested in other domain locals. Recommended Group Administration Procedure Microsoft recommends that you follow a specific administration procedure when dealing with group accounts. The procedure can be summarized with the following acronym: A-G-DL-P.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:00 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
169
You create user Accounts in Active Directory domains, then gather the user accounts within a domain into Global groups. Next, create Domain Local groups, populate the domain local groups with the global groups in your enterprise, and then finally assign Permissions to the domain local groups. Following this recommendation, ACLs for resources will be populated with only groups and not individual user accounts. This will help you keep groups organized, which in turn both saves administrative overhead and reduces the chance of security breaches caused by users getting inappropriate access to resources.
Changing Group Scope No matter what domain functional level, the group you create will be a security group with a global scope unless you change these defaults. Once you create the group, though, you have the option to change its scope—as long as the domain functional level is Windows 2000 native or Windows Server 2003. If your domain meets this condition, you can then make the following changes to your group scope:
•
Domain local to universal You can make this scope change as long as the group you want to change does not already contain another domain local group as a member.
•
Global to universal You can also convert global groups to universal, but only if the group you want to change is not a member of another global group.
• •
Universal to domain local You can make this change with no limitations. Universal to global This scope change is allowed if the target group does not have another universal group as a member.
Exam Tip To summarize in a sentence: you can change any group to a universal scope, and change a universal back if you want to. Remember, however, that the domain must first be in Windows 2000 native mode or greater. This information will almost certainly appear in an exam question or two.
Impact of Universal Groups on Replication Given the flexibility of universal group membership and use as a security principal, a natural question that arises is, “Why not just make all groups universal and be done with it?”
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:00 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
170
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
The reason is that universal groups—in both their creation and their ongoing use—have an impact on replication traffic. If you don’t carefully manage your universal group membership, this replication traffic can be crippling to network performance. Universal groups affect network performance because membership is published to all Global Catalog servers. And, as we’ve seen, Global Catalog servers participate in replication to keep the contents of the Global Catalog in sync. For this reason, there are two edits that Microsoft strongly recommends when managing your universal groups. They are to keep you universal group membership:
• •
Small Static
Exam Tip Domain local groups and global groups are listed in the Global Catalog, too, but their memberships are not. So how can you do this? You can accomplish both of these objectives by leveraging the power of group nesting, and also by remembering that a group is just a single account to the Active Directory database. For example, say you had 500 users from a single domain that you wanted to place into a universal group called Graphics. You could put all 500 user accounts into the Graphics group, but that would populate the universal group with 500 accounts, and all 500 accounts would be replicated among Global Catalog domain controllers. No group administration secret decoder ring for you. Alternatively, you could place all 500 accounts into a single global group, and then nest that group in the universal group. What’s the account membership total of the universal group now? One. One account, and an office party for you, complete with line dancing and a middle manager who tries in vain to understand why Active Directory is so cool. Figure 5.5 demonstrates the procedure you should use when implementing universal groups. What’s more, you could later decide to add another 100 users to the Graphics universal group. If you added the user accounts to the global group, these 100 new users would also benefit from membership in the universal group, yet the universal group’s membership would still be just the single (global) group account. See? Small and static. A universal group that affects 600 users, but whose membership is a single account.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:00 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
FIGURE 5.5
171
Universal groups should leverage nesting.
Built-in and Predefined Groups There are several groups created by the installation process of the Windows Server 2003 operating system, and there are more still created by the installation of Active Directory. In Active Directory Users And Computers, these built in group accounts are created in two places: the Users container and another container called—would you believe it?—BuiltIn. Table 5.2 is a listing of the default groups created by the installation of Windows Server 2003 and Active Directory. You shouldn’t spend time memorizing all of these built groups, but it wouldn’t hurt to be familiar with them. Generally speaking, the significance of these groups is that its members have certain pre-defined user rights, most of which are suggested by the names of the groups. Members of the Backup Operators group, for example, have the right to back stuff up. Domain Admins and Enterprise Admins have the most far-ranging rights, and the membership in these groups should be carefully guarded. You also might want to take note of the default membership of each group. As you can see, most groups have either no default members or membership that you cannot and should not modify. You add users to these groups to give to the user the predefined rights of the group. Along with built-in user accounts including the Administrator and Guest accounts, there are also several groups created in the Users folder, as shown in Table 5.3. Again, no need to memorize this table of group accounts. They are provided mostly for purposes of reference, so you don’t have to scramble off to read the
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:01 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
172
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
TABLE 5.2 Group Name
Default Groups in the BuiltIn Container
Description
Account Operators
Members of this group can create, modify, and delete accounts for users, groups, and computers located in the Users or Computers containers and organizational units in the domain, except the Domain Controllers organizational unit. Members of this group do not have permission to modify the Administrators or the Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. Members of this group can log on locally to domain controllers in the domain and shut them down. Administrators Members of this group have full control of all domain controllers in the domain. By default, the Domain Admins and Enterprise Admins groups are members of the Administrators group. The Administrator account is also a default member.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:01 AM
Default Rights
Allow log on locally; shut down the system.
Access this computer from the network; adjust memory quotas for a process; back up files and directories; bypass traverse checking; change the system time; create a pagefile; debug programs; enable computer and user accounts to be trusted for delegation; force a shutdown from a remote system; increase scheduling priority; load and unload device drivers; allow log on locally; manage auditing and security log; modify firmware environment values; profile single process; Profile system performance; remove computer from docking station; restore files and directories; shut down the system; take ownership of files or other objects.
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
TABLE 5.2
Default Groups in the BuiltIn Container (continued)
Group Name
Description
Default Rights
Backup Operators
Members of this group can back up and restore all files on domain controllers in the domain, regardless of their own individual permissions on those files. Backup Operators can also log on to domain controllers and shut them down. This group has no default members. By default, the Domain Guests group is a member of this group. The Guest account (which is disabled by default) is also a default member of this group. Members of this group can create one-way, incoming forest trusts to the forest root domain. For example, members of this group residing in Forest A can create a one-way, incoming forest trust from Forest B. This one-way, incoming forest trust allows users in Forest A to access resources located in Forest B. Members of this group are granted the permission Create Inbound Forest Trust on the forest root domain. This group has no default members. Members of this group can make changes to TCP/IP settings and renew and release TCP/IP addresses on domain controllers in the domain. This group has no default members.
Back up files and directories; allow log on locally; restore files and directories; shut down the system.
Guests
Incoming Forest Trust Builders (only appears in the forest root domain)
Network Configuration Operators
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:01 AM
No default user rights.
No default user rights.
No default user rights.
173
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
174
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
TABLE 5.2
Default Groups in the BuiltIn Container (continued)
Group Name
Description
Default Rights
Performance Monitor Users
Members of this group can monitor performance counters on domain controllers in the domain, locally and from remote clients without being a member of the Administrators or Performance Log Users groups. Members of this group can manage performance counters, logs, and alerts on domain controllers in the domain, locally and from remote clients without being a member of the Administrators group. Members of this group have read access on all users and groups in the domain. This group is provided for backward compatibility for computers running Windows NT 4.0 and earlier. By default, the special identity Everyone is a member of this group. Add users to this group only if they are running Windows NT 4.0 or earlier. Members of this group can manage, create, share, and delete printers connected to domain controllers in the domain. They can also manage Active Directory printer objects in the domain. Members of this group can log on locally to domain controllers in the domain and shut them down. This group has no default members.
No default user rights.
Performance Log Users
Pre-Windows 2000 Compatible Access
Print Operators
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:01 AM
No default user rights.
Access this computer from the network; bypass traverse checking.
Allow log on locally; shut down the system.
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
TABLE 5.2
175
Default Groups in the BuiltIn Container (continued)
Group Name
Description
Default Rights
Remote Desktop Users
Members of this group can remotely log on to domain controllers in the domain. This group has no default members. This group supports directory replication functions and is used by the File Replication service on domain controllers in the domain. This group has no default members. You should not add users to this group. On domain controllers, members of this group can log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format the hard disk, and shut down the computer. This group has no default members. Members of this group can perform most common tasks, such as running applications, using local and network printers, and locking the server. By default, the Domain Users group, Authenticated Users, and Interactive are members of this group. Therefore, any user account created in the domain becomes a member of this group.
No default user rights.
Replicator
Server Operators
Users
No default user rights.
Back up files and directories; change the system time; force shutdown from a remote system; allow log on locally; restore files and directories; shut down the system.
No default user rights.
Microsoft help files where you’ll find the exact same information, every time one of these groups is mentioned. Specifically, we’ll be dealing with, or have already dealt with, groups such as the Schema Admins, Enterprise Admins, and Domain Admins. Membership of
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:01 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
176
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
TABLE 5.3
Default Groups in the Users Folder
Group Name
Group Description
Default User Rights
Cert Publishers
Members of this group are permitted to publish certificates for users and computers. This group has no default members. Members of this group have administrative access to the DNS Server service. This group has no default members. Members of this group are DNS clients that can perform dynamic updates on behalf of other clients, such as DHCP servers. This group has no default members. Members of this group have full control of the domain. By default, this group is a member of the Administrators group on all domain controllers, all domain workstations, and all domain member servers at the time they are joined to the domain. By default, the Administrator account is a member of this group.
No default user rights.
DnsAdmins (installed with DNS)
DnsUpdate Proxy (installed with DNS)
Domain Admins
Domain Computers
This group contains all workstations and servers joined to the domain. By default, any computer account created becomes a member of this group automatically.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:01 AM
No default user rights.
No default user rights.
Access this computer from the network; adjust memory quotas for a process; back up files and directories; bypass traverse checking; change the system time; create a pagefile; debug programs; enable computer and user accounts to be trusted for delegation; force a shutdown from a remote system; increase scheduling priority; load and unload device drivers; allow log on locally; manage auditing and security log; modify firmware environment values; profile single process; profile system performance; remove computer from docking station; restore files and directories; shut down the system; take ownership of files or other objects. No default user rights.
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
TABLE 5.3
Default Groups in the Users Folder (continued)
Group Name
Group Description
Default User Rights
Domain Controllers
This group contains all domain controllers in the domain. This group contains all domain guests. This group contains all domain users. By default, any user account created in the domain becomes a member of this group automatically. This group represents all users in the domain. Members of this group have full control of all domains in the forest. By default, this group is a member of the Administrators group on all domain controllers in the forest. By default, the Administrator account is a member of this group.
No default user rights.
Domain Guests Domain Users
Enterprise Admins (only appears in the forest root domain)
Group Policy Creator Owners
Members of this group can modify Group Policy in the domain. By default, the Administrator account is a member of this group. Because this group has significant power in the domain, add users with caution.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:01 AM
No default user rights. No default user rights.
Access this computer from the network; adjust memory quotas for a process; back up files and directories; bypass traverse checking; change the system time; create a pagefile; debug programs; enable computer and user accounts to be trusted for delegation; force shutdown from a remote system; increase scheduling priority; load and unload device drivers; allow log on locally; manage auditing and security log; modify firmware environment values; profile single process; profile system performance; remove computer from docking station; restore files and directories; shut down the system; take ownership of files or other objects. No default user rights.
177
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
178
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
TABLE 5.3
Default Groups in the Users Folder (continued)
Group Name
Group Description
IIS_WPG (installed with IIS)
No default user rights. The IIS_WPG group is the Internet Information Services (IIS) 6.0 worker process group. Within the functioning of IIS 6.0 are worker processes that serve specific namespaces. For example, www.beanlake.com is a namespace served by one worker process, which can run under an identity added to the IIS_WPG group, such as MicrosoftAccount. This group has no default members. Servers in this group are No default user rights. permitted access to the remote access properties of users. No default user rights. Members of this group can modify the Active Directory schema. By default, the Administrator account is a member of this group. Because this group has significant power in the forest, add users with caution.
RAS and IAS Servers
Schema Admins (only appears in the forest root domain)
Default User Rights
these groups needs to be closely guarded because of their power throughout the enterprise. Some of the characteristics of groups in Windows Server 2003 at times depends on the functional modes of the domain or forest. In Windows 2000, a domain was either running in Mixed or Native mode. Now, however, there are a few more options for domain modes, as well as a set of forest functional modes. Each offers its own set of advantages and disadvantages, as was examined in detail in Chapter 3.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:01 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
179
And now that you’ve created users in the network, and organized them in groups to ease administration, you’re ready for them to log on and ruin everything. Darn users! In the next section, let’s look at how you can devise a strategy for user authentication.
Objective 5.02
Plan a User Authentication Strategy
N
ow that we’ve defined user accounts so that users can access Active Directory forest resources, we want to specify an authentication strategy. Typically, this involves decisions about the passwords: who will control the passwords, how long must they be, when will they expire? But a username and password, as you’ll see, aren’t the only way a user can be authenticated on the network. The next few topics will examine some alternate strategies, and also look at ways to make your password authentication strategy as secure as possible for your environment.
Plan a Smart Card Authentication Strategy Smart cards are becoming more and more a part of the logon process, as smart cards generally offer an improved security mechanism over traditional usernames and passwords. The username and password mechanism is a relatively weak security measure, as you’ll soon see. One of the advantages of the smart card logon, especially when compared to the username and password methods, is that it implements a “double-layered” security architecture. One layer is physical: there must be a physical device—the smart card—present. The other layer is logical: a user must enter a PIN or password when performing a smart card authentication. In other words, just because your username and password are used to access a network, that doesn’t necessarily prove you’re the one actually using the account. It could be someone else who has either guessed or stolen your logon credentials. (It can be done more easily than you think. If you don’t believe me, go sit at a coworkers desk. I have even money that says it will take you less than 60 seconds to discover their logon credentials.) The smart card’s security is almost exactly like the safeguard present when you get cash from an ATM. You feel pretty safe that only you can get your money because 1) someone needs your card to access your account, and 2) even if your
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:02 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
180
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
card was left at a coffee shop table (not that this has happened to me, mind you) the person who finds it will still need to know your PIN in order to swipe your money. In other words, successful logon when using a smart card is proof that you possess the smart card. And what’s more, another big potential security hazard of the username and password model is this: I know your password. You—reading this right now. I have all the information necessary to access your computer. Don’t believe me? Prove me wrong. The point is that your password might be compromised, and you’d have no way to know about it until it’s too late. You could go on using your network resources normally, but then again, so could I. If, on the other hand, I were to steal your smart card, you’d know about it pretty quickly, as you couldn’t use the network without it.
Configuring a User for Smart Card Authentication Once you understand the concepts behind smart card use, you might decide that smart card authentication is the right choice for your network. Before you set up smart card authentication, however, make sure the following technologies are in place:
• • •
Ensure that a Certification Authority (CA) hierarchy is available. This CA can be set up internally, or be an external authority.
•
Install a smart card enrollment station. This will be a computer with a smart card reader. An Enrollment Agent Certificate will also be needed for users who will set up the smart cards at that system.
•
Establish a smart card reader at each computer where smart card authentication will be used.
Configure the CA to issue smart card certificates. Enable the security permissions of the Smart Card User, Smart Card Logon, and Enrollment Agent certificate templates to allow smart card users to enroll certificates.
The step-by-step procedure for setting up smart card authentication, however, is a relatively lengthy one, requiring that a user first acquire a digital certificate. Generally speaking, here’s how it all works:
•
Log on as an enrollment agent for the domain where the user account lives that will be using smart card authentication, and navigate to the Web site of the CA that issues smart card certificates using Internet Explorer.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:02 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
•
From the CA’s Web page, request a certificate using the designated hyperlink, and then, if you’re enrolling on behalf of another user, look for the “Request a certificate for a smart card on behalf of another user using the smart card certificate enrollment station.” option.
•
You should then be given two choices about enrolling the Certificate Template: enroll for logon only, or enroll for secure e-mail as well as Windows logon.
•
The next step calls for choosing the name of the CA that will be issuing the smart card certificate, as well as the Cryptographic Service Provider (CSP) of the smart card’s manufacturer. (A CSP is the software that performs the dirty work of encryption and encoding data, including, in this instance, logon credentials.)
•
The Enrollment Agent is then asked to sign the enrollment request, and then chooses the account that will be the recipient of the smart card certificate.
•
The last phase of the smartcard enrollment process is when you’ll be prompted to actually stick you smart card into the smart card reader so that the digital certificate can be copied. A PIN will also be selected at this time.
181
Now that you’ve got the digital certificate installed on the smart card, the Certificate Authority Web page should give you the option of either viewing the certificate you just installed or beginning a new certificate request. Requiring Smart Card Use Once the smart card apparatus is in place, and certificates have been issued, you can then require that the user account use the smart cards for access to domain resources. To do so, access the user’s Properties pages by right-clicking and choosing Properties, and then access the Account tab. From the Account Options section, check the “Smart Card is required for interactive logon” check box. The user will now have to have the smart card at the ready when they want to access the domain.
Travel Advisory Most of these steps will be spelled out for you again by any vendor who’s just sold your company a smart card solution. But securing your domain resources goes beyond obtaining and implementing a smart card solution. In fact, before you choose smart cards, it’s likely that you invest a lot more time trying to make sure the passwords used in your enterprise give you the best security possible.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:02 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
182
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Exam Tip Smart Card User requires that the computer where the smart card reader is installed is a part of the domain.
Create a Password Policy for Domain Users Smart cards aren’t a feasible choice for every network. You can still implement a high level of security for your network when you understand some of the recommended practices for using strong password policies. One thing to know about password policies right off the bat is that the password policy settings configured in Group Policy affect the entire domain. We’ll get into Group Policies in much more detail starting in the next chapter, but for now this is the information you need. The other thing you need to know is how to configure a password policy. Here’s how it’s done: 1. From your Administrative Tools, open the Domain Security Policy MMC snap-in. (Alternatively, you could open Active Directory Users And Computers, select the domain container, and edit its Group Policy, but again, more on that in the chapters to follow.) 2. Now expand your Account Policies node. There you will see three groups of account settings: Password, Account Lockout, and Kerberos settings. There are six password policy settings located under the Password node of the Password Policies, as shown in Figure 5.6, and as described below. You increase the strength of the password settings by double-clicking on one of the settings and making the appropriate edits. If you have worked with Windows 2000, you might notice that some of the default settings have changed.
•
Enforce password history Determines how many unique new passwords must be created for a user account before an old password can be reused. The default setting is that three passwords will be remembered.
•
Maximum password age Determines the number of days a password can be used before it must be changed. Passwords can be set to expire between 1 and 999 days, or you can configure passwords that never expire by setting the number of days to 0. When the password age is set to something over 0, the minimum password age must also have a setting less than the maximum password age. If the maximum password age is 0, the minimum password age can be any number of days between 0 and 998. The default here is 42 days of maximum use.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:02 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
•
Minimum password age Determines the number of days a password must be used before the user can change it. This setting prevents users from cycling through a series of passwords quickly until the original password is used. Note that the default is 0, which will allow users to cycle passwords to keep using an old favorite.
•
Minimum password length Self-explanatory. You can set this value of a minimum password length between 1 and 14 characters. Note that the minimum password length is set to 0 characters, which lets users use blank passwords, a security setting you should consider changing right away.
•
Password must meet complexity requirements Described below, this is an on/off setting, and knowledge of its impact is necessary before deciding to enable this policy. This setting is disabled by default.
•
Store passwords using reversible encryption Although this sounds like it might help tighten password security, it actually does the opposite. Storing passwords using reversible encryption means just that: the encryption can be reversed, which is equivalent to storing plaintext versions of the passwords. The policy provides support for applications that require knowledge of the user’s password for authentication purposes. For this reason, it should never be enabled unless application requirements usurp your desire to protect password information. This, too, is disabled by default.
183
Recommendations for Strong Passwords Microsoft also recommends that you implement a stronger password policy model than the defaults configured if your network requires tighter security. You’ll find that most of the default password policies favor usability over security, which may not be desirable for your situation. In no particular order, here are some of those recommendations for designing strong passwords:
•
Use the Enforce Password History policy so that multiple passwords are remembered, preventing users from using the same password when their password expires.
•
Make the Maximum Password Age policy a setting that causes users to change passwords frequently, typically every 30 to 90 days. This prevents hackers who have acquired a password from using that password indefinitely.
•
Use the Minimum Password Age in conjunction with the Enforce Password History so that users cannot simply change their password
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:02 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
184
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 5.6
Configuring password policies
for a few minutes and then change it back to their original password, thus circumventing the policy that forces password changes.
•
Define the Minimum Password Length setting so that passwords must be at least a specified number of characters. Longer passwords are generally stronger than shorter ones, if for no other reason than they are harder to pick off by looking over someone’s shoulder. The recommendation is for at least seven characters.
•
Enable the Password Must Meet Complexity Requirements setting. This policy setting ensures that all newly created or changed passwords meet strong password requirements. Understanding what exactly these complexity requirements are merits its own topic.
Complexity Requirements So what are complexity requirements? Glad you asked. When this policy is enabled, new passwords must meet these conditions:
• • •
Passwords must not contain all or part of the user’s account name. They must be at least six characters in length. They must also contain characters from three of the following four categories:
• •
English uppercase characters (A through Z) English lowercase characters (a through z)
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:02 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
• •
185
Base 10 digits (0 through 9) Non-alphabetic characters (for example, !, $, #, %)
Travel Advisory The Password Must Meet Complexity Requirements setting can be changed, but it takes knowledge of the Microsoft Platform Software Development Kit to do so. For my money, it’s better to just understand and use the default complexity requirements.
Objective 5.03
Secure Resources with NTFS and Share Level Resources
O
n a volume or partition formatted with NTFS, each file or folder has associated with it a set of NTFS attributes. Some of these attributes are the NTFS security permissions that are granted to your Active Directory users and groups when accessing the file or folder. Other attributes include the compression attribute, the encryption attribute, and the owner attribute. An important thing to remember right from the start is that these attributes are available only on NTFS partitions, which is one of the many reasons why Microsoft strongly recommends that you store any data that’s accessed by many users on an NTFS partition where possible.
Exam Tip Don’t forget—Active Directory requires the presence of NTFS for storage of the SYSVOL folder. The decision to format a drive is usually made at installation time, although you can convert a drive from the FAT file system to NTFS even after you’ve performed the Windows Server 2003 installation. (You can use the convert.exe utility to perform the conversion without destroying data.) To determine whether you’re working with an NTFS partition, right-click the drive letter from Windows Explorer and choose Properties to look at the properties of the drive. The General tab will list what kind of file system the drive is using. Another quick way to know whether the drive is NTFS is to look at the properties of any folder or file (this works on the drive letter itself, as it is really a folder in its own right). If you see a Security tab listed, you’re in business.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:03 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
186
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
On the Security tab of a file or folder, you will configure the NTFS permissions by editing the access control list (ACL), and most of the time you will be working with the standard permissions. But before we define these standard permissions, you should understand that the NTFS standard permissions are collections of individual NTFS security attributes. Click the Advanced button on the Security tab to see a complete, somewhat overwhelming listing of these individual security attributes, as shown in Figure 5.7.
Control Access to Files and Folders Using NTFS Permissions With NTFS permissions, you have a wide range of security possibilities for the file resources on your system. For example, you can configure private storage locations for users.
Setting Permissions Through the Command Line You also have the ability to set permissions to file and folder resources via the command line with a Windows Server 2003 utility called CACLS. With this utility, you can view permissions by typing cacls filename, where filename is the name of the file or folder whose ACL you are looking up.
FIGURE 5.7
The individual NTFS security attributes
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:03 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
187
Next to each user account name, the output of CACLS will display a letter or letters, with each letter representing a level of permission for the particular resource: F for Full Control, C for Change, W for write, R for Read, and so on. Any other settings produce output that is too complex to be effectively interpreted and that is outside the scope of the 70-294 exam. CACLS is useful for quickly finding the permissions for an object if you’re working on a command prompt interface. Like most every command utility, CACLS can be used with one or more switches to modify its behavior. Table 5.4 lists some of the command switches you should be familiar with. For example, the CACLS utility could be used from the command line to give Full Control permission to user Brian for a folder called 294Exam in this way: Cacls "294 Exam" /g brian:f
You need to put the directory name in quotes because of the space in the folder name. The command line interprets spaces as the end of something. Note also that you would be performing the command after first navigating to the directory path where the files are located.
Exam Tip When using the above procedure, all previously assigned permissions for the resource will be removed. There is also an extended version of CACLS called XCACLS, found with the support tools that are included with the Windows Server 2003 setup CD-ROM. The XCACLS utility is more flexible and supports alternate switches to make it
TABLE 5.4
Switches Used with the CACLS Utility
Switch
Use
/T
Changes permissions in the current directory and all subdirectories. Edits access control list instead of replacing. Continues on “access denied” errors. Grants user rights. If used without /E, it will replace the existing permissions. Revokes specified user’s access rights (this one must be used with /E). Replaces specified user’s access rights. Denies access to a specific user.
/E /C /G user:perm /R user /P user:perm /D user
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:04 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
188
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
work. It is the command line equivalent of using the Advanced permissions from the Properties of the file. Extensive knowledge of this tool should not be important for testing purposes, however, if you want to install it you can find it under the following path from the Server 2003 CD: \Support\Tools\Support.cab.
NTFS Permission Behavior One of the hallmarks of the NTFS permissions is that, unlike shared folder permissions, they can be configured at the folder level and the individual file level. Table 5.5 lists the standard folder permissions that can be assigned with the click of a mouse from the Security tab of the Properties dialog box for a folder. These standard folder permissions are collections of the security attributes mentioned previously. With all permissions, you also have the ability to synchronize the folder contents. Additionally, in Windows Server 2003 there have been some changes to the default permissions that are worth noting. When you format a drive with NTFS, the drive gets a set of permissions assigned automatically. In previous
TABLE 5.5
Standard Folder Permissions
NTFS Folder Permission
Lets a User…
Read
See files and subfolders and view folder ownership, permissions, and attributes. Create new files and subfolders within the folder, change folder attributes, and view folder ownership and permissions. See names of the files and subfolders within a folder. Move through folders to reach other files and folders, even if the users don’t have permission for those folders; perform actions permitted by the Read permission and the List Folder Contents permission. Delete the folder, plus perform actions permitted by the Write, Read, and Execute permissions. Change permissions, take ownership, and delete subfolders and files, plus perform actions permitted by all other NTFS permissions. These permissions are set with the Advanced Access Control Entries dialog box, and this check box serves to identify whether or not special permissions apply to the user or group. More about a few of these special permissions to follow.
Write
List Folder Contents Read and Execute
Modify Full Control
Special Permissions
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:04 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
189
versions of Windows, this permission granted the Everyone group Full Control over the drive. And, because of the inheritance behavior (discussed later), all subsequent folders and files would also let Everyone have Full Control. That is no longer the case. Now, when you investigate the Security tab for a file or folder, you should see the default permissions shown in Table 5.6. As with share permissions, each of the NTFS standard permissions (as well as individual attributes) has an Allow setting and a Deny setting. Also, as with shares, the Deny trumps the Allow. To explicitly deny all access to a user or group to a particular resource, deny the Full Control permission. This turns off all other access to the resource. So, from the Security tab, you will build the access control list specific for the NTFS permissions for a file or folder. The process will look almost exactly the same as when you built the ACL for shared resources using the Sharing tab.
Exam Tip In a (welcome) departure from the default NTFS permissions behavior used by Windows 2000, the Everyone group is no longer given Full Control. Instead the Everyone group (which includes, well, everyone, hackers included) now has special permissions, which lets this group read and execute files. Additionally, in another departure, the default share permission for the Everyone group is Read. Here’s how to begin to modify this default NTFS security behavior: 1. On the Security tab, click Add to open the Select Users Or Groups interface. From this dialog box, you can select users and groups from the computer’s local accounts database or from a domain, depending on your configuration. You can click the Locations button to browse these other locations.
TABLE 5.6
Default NTFS Permissions in Windows Server 2003
Group
Default NTFS Permission
Administrators Creator Owner Everyone System Users
Full Control Special Special Full Control Read and Execute, List Folder Contents, Read, and Special
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:04 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
190
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Choosing Advanced will let you run a search, just as if you had run one from the Start menu. This will let you look for objects without having to type the name exactly, as you do from the Select Users And Groups dialog box. 2. Select the user or group you want to add and then click the Add User button. If you are selecting an account from a domain, you will notice that the list presented can grow quite large. 3. After you have made an addition to the ACL, configure access to the resource by highlighting a group or user account and selecting or deselecting the check boxes that correspond to the level of access you wish to allow or deny.
Travel Advisory It is possible to configure the ACL so that nobody has access to a resource. If you remove all groups and accounts from the ACL, nobody will be granted any kind of access whatsoever. That goes for you, too! (We’ll discuss how to fix this if it occurs later in this exam objective, when we talk about NTFS ownership.) Although the file permissions are by default inherited from the parent folder in which the files live (more about this in the “NTFS Permissions Inheritance” section to follow), NTFS permissions can also be used to secure individual files. Table 5.7 lists the standard NTFS file-level permissions that you can assign and the type of access that each permission implies. TABLE 5.7
Standard NTFS File-Level Permissions
NTFS File Permission
Lets a User…
Read
Read the file and view file attributes, ownership, and permissions Overwrite the file, change file attributes, and view file ownership and permissions Run applications and perform the actions permitted by the Read permission Modify and delete the file, plus perform all actions permitted by the Write, Read, and Execute permissions Change permissions and take ownership, plus perform the actions permitted by all other NTFS permissions
Write Read and Execute Modify
Full Control
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:04 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
191
The Effective Permission As you can see, the only significant difference between folder and file permissions is that List Folder Contents is not one of the standard file permissions. What is really significant about the two NTFS sets of permissions for folders and files is that file permissions override folder permissions. It is possible, then, for a folder’s NTFS permissions to be set to allow a user Read access, yet that same user would have Full Control to a file within that folder. That’s because the file’s ACL would be king of the mountain when the account was used to access the file. Further, like its relative share-level permissions, NTFS permissions are cumulative. That is, a user’s effective permission is a combination of the group permissions that an account has been assigned to, plus any individual permissions specifically assigned to that user. To illustrate, using the same example used in the discussion of shares, suppose that Brian is a part of the Sales group that has NTFS Read access to the \Bonuses folder. Brian is also part of the Management group, which has the NTFS Full Control permission. What is Brian’s permission when connecting to \Bonuses? It’s Full Control. This example is shown in Figure 5.8.
Defining Access to Files and Folders NTFS permissions differ from share permissions in two significant ways:
• •
NTFS permissions are effective locally when a user accesses a resource. Share permissions apply only when network connections are made to a resource. NTFS permissions can be applied to both folders and individual files. Share permissions can be granted at the folder level only. The share permissions then apply to any files and subfolders within the share.
Local access means that the user is using the local machine. Local access to a file is made through the file system pathname, and shared folder access is made
FIGURE 5.8
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:04 AM
Combining like sets of permissions
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
192
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
using the UNC path. This fact also highlights one of the core differences between the Windows NT-based operating systems (like Windows 2000 and Windows 2003), and the Windows 9x operating system families. Because Windows 9x is not capable of supporting NTFS locally, there is no way for a user of a shared machine to restrict local access to a file or folder. In other words, anything on a partition that is formatted with the FAT (or FAT32) file system can be seen, changed, or deleted by any user who is able to access the machine. In the case of Windows 9x, no logon is even necessary. You can just press the ESC key while in any logon dialog box and then delete files to your heart’s content. This is one of the many reasons why Windows Server 2003, Windows 2000 Professional and Server, and Windows XP Professional are considered secure platforms, and Windows 9x is not. The only way to make sure people don’t have access to files on a Windows 9x machine is to make sure they can only access them over the network; that way, you can at least apply share permissions. As for the second point—NTFS permissions can be applied to both folders and individual files—does that mean that NTFS permissions are effective only locally? A good question, but the answer is no; they are effective both locally and when making connections over the network. This brings us to one of the most significant pieces of the resource permissions puzzle.
Combining Share and NTFS Permissions Unlike when like permissions are combined, different rules apply when different layers of security are evaluated before resource access is granted. When sharelevel permissions and NTFS permissions are combined, the most restrictive permission becomes the effective permission. This is crucial information for you to know both for taking the exam and for troubleshooting real-world access problems in a network. You will not have much success at either if you don’t understand this point. The permission settings behave in this way because ACLs are evaluated independently of one another. The Windows Server 2003 operating system is saying, in effect, “You may have this set of permissions at this level, but you only have that set of permissions at another level. So you only get that level of permission.” This way of combining two sets of permissions, especially when joined with the capability to set individual file permissions on NTFS volumes, gives the administrator a powerful mechanism for controlling the granularity of access to network resources. Let’s illustrate again with the example used previously: suppose that Brian is a part of the Sales group, which has the Read share access to the \Bonuses folder. He’s also in the Management group, which has the NTFS Full Control permission. What is Brian’s permission when connecting to \Bonuses? It’s Read. This example is illustrated in Figure 5.9.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:05 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
FIGURE 5.9
193
Combining share and NTFS permissions
Travel Assistance For a full discussion of share permissions, please see Mike Meyers’ MCSE/MCSA Windows® Server 2003 Environment Passport (Exam 70290), by Eric Daeuber and Dan Newland (McGraw-Hill/Osborne, 2003). Here are the things you must remember about NTFS permissions:
• • • • •
NTFS permissions are effective locally, unlike share permissions. NTFS permissions can be applied to files as well as folders. File permissions override folder permissions. NTFS permissions are cumulative, with the exception of Deny, which overrides Allow. When NTFS and share permissions are combined, the effective permission is the most restrictive permission.
Exam Tip Although it’s not listed explicitly as an exam objective, you will need to know about NTFS permissions for this and most other MCSE tests. Also, it provides critical background information for understanding Active Directory permissions. That is, if you understand the permission interactions and inheritance behaviors of NTFS, you’ll find that Active Directory object permissions and Group policy permissions won’t look too much different.
NTFS Permissions Inheritance It’s important in the MCSE track that you have a clear understanding of how NTFS permissions are inherited from parent folders. Not only will this understanding help you when answering questions regarding NTFS permissions, but
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:05 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
194
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
it will set the foundation for understanding other types of permission inheritance as I pointed out in the exam tip previously. Here’s how it works: the default behavior of NTFS permissions is that the permissions you assign at the parent folder level are propagated to the subfolders and files that are contained in the parent. You will see this practice repeated time and again. The good people at Microsoft have given us a visual cue, however, that permissions on a given folder or file have been inherited. When you look at the Security tab of the Properties dialog box, as shown in Figure 5.7, the boxes that are faded out indicate that the permissions checked have been inherited from the parent. But what if you want this inheritance behavior to be prevented? What if you want to set NTFS permissions for individual files and folders, so that a user can be granted Full Control over a file that is stored in a folder that he or she has Read permission for? You can easily prevent this default permission inheritance from parent folder to subfolders and files that are contained within the parent. And when you configure this behavior, the folder for which you prevent permission inheritance becomes the new parent, and any new files or subfolders created in this new parent folder will inherit the new permissions just set. If you want to add additional permissions, you can just go ahead and click to assign the permissions. If you want to take inherited permissions away, however, you need to block permission inheritance. This inheritance blocking is done with a single click: just uncheck the box from the Advanced Permissions dialog box of the Security tab that says “Allow inheritable permissions from the parent to propagate to this object…” You will be given two options when you perform this task: whether to copy previously inherited permissions or to remove existing permissions, as shown in Figure 5.10. Copying existing permissions is preferred, because you can then edit the ACL that is already present. Most of the time, you will be making a few minor tweaks to the ACL. Choosing Remove will empty out the ACL, and you will have to start from scratch. This blocking of permission inheritance is only necessary if you want to remove already assigned permissions for a folder or file. If you wanted to ease security, you could do that just by selecting the Allow check boxes that would add further permissions for the user or group. You can also do this with the Deny permission: this might sound a little strange, but you can add the Deny level permissions, and thereby tighten security, without first blocking permission inheritance.
Copying and Moving Considerations When you copy or move files and folders, the NTFS permissions set on those objects might change. In fact, they often do. You must understand the specific rules
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:05 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
FIGURE 5.10
195
Options when preventing permission inheritance
that control how and when permissions change during copy and move operations. Like the discussion about NTFS permission inheritance, an understanding of concepts presented here will help you understand what happens to other NTFS attributes as they are copied or moved. Whenever you perform a copy from one folder to another, the permissions change. The file or folder copied inherits the permissions set for the destination folder. This behavior occurs regardless of whether your copy is from folder to folder on the same partition or the copy is from one partition to another. Also, when a copy is performed, the user making the copy becomes the owner of the copy and can modify the NTFS permissions on the copied resource. (More on this ownership power is discussed later in “Special Access Permissions”—for now, just think of this behavior as analogous to copying someone’s report on a Xerox machine. You take the copy with you and do whatever you want with it and return the original to its owner.) When a move is performed on a file or folder, the NTFS permissions may or may not change, depending on the destination directory of the move. It can get a little confusing, but here’s how a move operation works:
•
If you move a file or folder within the same NTFS partition—say from one folder to another on the C:\ drive—the file or folder retains its original permissions. The Owner attribute of the object also remains the same.
•
If you move a file or folder between NTFS partitions—like when you drag and drop something from the C:\ drive to the D:\ drive—the file or folder inherits the permissions of the destination folder, and the ownership also changes to the user performing the action. Windows treats a move between partitions, like from a folder on the C:\ drive to a folder on the D:\ drive, as first a copy and then a delete. Thus, what is really happening is that the move operation between different partitions follows the rules of a copy, which to the OS is what the file management operation actually is.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:06 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
196
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Travel Advisory You must have at least the Modify permission for the source file or folder for a move, and you must have the Write permission for the destination folder to perform the move operation. Finally, when you perform a move or copy of files and folders from an NTFS partition to a FAT partition, the files and folders lose their NTFS permissions. Why? FAT partitions don’t support NTFS permissions. So take care when moving files and folders to FAT volumes, because carefully implemented NTFS permissions could be lost instantly.
Special Access Permissions Some 14 special access permissions—14 security attributes—can be assigned to a NTFS folder or file. If you assign the standard NTFS permissions to a resource and then look at the Advanced properties from the Security tab, you will notice that some or all (in the case of Full Control) are checked, as shown earlier. Two special permissions are particularly useful when governing access to resources: Change Permissions and Take Ownership. The Change Permissions attribute is useful for assigning to others the ability to control access to files and folders without giving them the Full Control permission. In this way, a user who has the Change Permissions permission won’t be able to delete or write to the file but can set user access, including setting the user’s own account to include the permission to delete the file. (This paradox is one reason that special permissions are used infrequently.) Take Ownership is a somewhat more powerful permission because of the inherent ability that an owner has over a file or folder. The next section will cover this issue.
Ownership The Owner attribute is set for every file and folder on an NTFS partition. Each and every file placed on an NTFS partition is placed there by its owner, and this owner of a disk resource has the ability to edit the ACL permissions for that resource. That means that the owner of a file can lock everyone out, even the administrator. The Owner attribute is another of the attributes tracked by Windows on an NTFS partition. It is not tracked on FAT volumes. The Owner attribute is also used for several additional Windows functions, such as for tracking disk quota usage and identifying system events. Ownership of a resource can be taken, but never assigned. It’s a one-way street, and this is an important point for you to understand. What can be assigned
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:06 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
197
by the current owner of a file or folder, an administrator, or anyone with the Full Control permission, is the Take Ownership permission, which allows the assignees to take ownership of the resource. Users or groups with this permission will be duly noted, but only when viewing the Advanced security permissions. Changing the Current Owner To view the current owner of a folder or file, open the Access Control Settings dialog box by clicking the Advanced button of the Security tab of an NTFS resource. As seen in Figure 5.11, the Owner tab of this dialog box will show the current owner of the resource. If the current user (or group) has the ability to take ownership, they will see their name listed just below, in the section labeled Change Owner To. Additionally, the permission to Take Ownership is given to users or groups by editing the special permissions of the ACL. The users given the NTFS permission Take Ownership will then be able to take ownership through the Owner tab. This “one-way street” characteristic of ownership is also important when considering disk quotas. It’s not hard to imagine how ineffective quotas would be at limiting disk usage if every time a user was up against his or her quota limit, the user just gave away ownership of a couple megabytes’ worth of files.
FIGURE 5.11
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:06 AM
Viewing and changing the current owner of a file
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
198
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Exam Tip To become the owner of a resource, a user or group member with the Take Ownership permission must explicitly take ownership. The Full Control permission includes the Take Ownership permission. Ownership may never be given to another user. Notice in Figure 5.11 that even though another user might have the ability to take ownership, their accounts do not appear in the Change Owner To section. This is because at the time the screenshot was taken, I was logged on as the administrator. That’s why only the Administrator account (and Administrators group, as noted below) appears. So even though I’m the admin, I can’t just change the owner to someone else. A user wanting ownership—provided they have permission—will still have to log on and then take ownership of the file. Remember at exam time that you can give someone the right to take ownership of a file and then have that person perform the act of taking ownership, but you cannot give ownership to an individual without his or her knowledge.
Exam Tip Only members of the Administrators group have the right to take ownership of resources by default. As I mentioned earlier in this section, the owner of a file can lock everyone out, even the administrator. What does an administrator do when a user has a file that’s locked out to everyone, and the administrator needs to see what’s in that file? What if that user has left the company? One of the most omnipotent powers of the Administrator account, as well as the Administrators local group, is the ability to take ownership of anything on a disk, regardless of the assigned permissions. So, then, to resolve such a situation, the administrator takes ownership from the user and then, as the new owner, the administrator can modify the ACL.
Travel Advisory When an administrator takes ownership of a resource in Windows Server 2003, she may decide whether her account specifically will be the owner of the resource or whether the entire Administrators group is to be the owner.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:07 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
199
The Effective Permission In classrooms, I have been asked this question many, many times: is there an easy way to see what a user’s effective permission for a resource is? I have the annoying habit of answering with another question: is there an easy way to explain the properties of antimatter? In Windows 2000 Server, figuring out a user’s effective permission was a matter of keeping track of what permissions had been assigned where and to what groups. You had to have a full understanding of how permissions combine, and how permission inheritance behaves, to explain why a particular user had (or didn’t have) access to a file. However, now it’s not such an arduous task. That’s because Windows Server 2003’s supplies an Effective Permission tab that performs these calculations for you. To use it, perform the following steps: 1. Open the Properties dialog box for a file or folder you want to check. 2. Click the Advanced button from the Security tab. Then click the Effective Permissions tab, as shown here.
3. Click the Select button, which will prompt you for either a user or group account.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:07 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
200
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
4. Enter the name of the users or group you want to check effective permissions for, then click OK. The result of the preceding steps shows the effective permission for your selected user (or group). Notice that the dialog box shows you a complete listing for all of the NTFS attributes that are effective for the user, so reading and understanding this dialog box can take some practice. You will have to be familiar with the NTFS special permissions to understand what a Change permission would look like if listed individually in the Special Permissions tab. Also note that you won’t be able to change permissions using the Effective Permissions tab.
Objective 5.04
Implement an OU Structure
A
small company becomes a big company, and soon the number of users in the company becomes too large for one person to manage. If this is the case, you will find it useful to separate your users into other units of administration (you could call them groups of administration, but I try to avoid the word “groups” while discussing organizational units). Organizational units serve just this purpose. With an OU, you can logically arrange all of your Active Directory objects that will need management: users, groups, computers, printers, and so on. With an organizational unit, you can manage one of these units much differently than another unit, yet still retain centralized control of the domain objects. Furthermore, you can delegate to other domain users certain administrative abilities over these units. A branch manager in Kansas City, for example, could administer the users in the KC organizational unit, while a Manhattan (Kansas, of course) branch manager could do the same for the users in her office. You, head honcho over the domain, could still set folder redirection policies for users in both offices, and these policies could not be overridden by the administrators of the branch offices if you so desired. Also, keep in mind that this degree of administrative flexibility was not possible when designing Windows NT 4 domains. The domain was the only organizational entity, and if you wanted to split up administration in the manner just described, you had to create entirely separate domains. The ensuing management of trust relationships and resources in two (or more—I’ve seen companies with 40+ domains) domains greatly increased administrative cost and complexity.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:07 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
201
In a Windows 2003 Active Directory environment, think of a domain as simply a container for Active Directory objects that also serves as a security boundary. How is it a security boundary? To illustrate, take the example of domain administration. Domain admins of one domain do not get to set the administrative directives for another domain, hence the security boundary. Most administrative needs, however, can be met with an organizational unit. Let’s first look at how one is generated.
Create an OU The most important thing to remember about an organizational unit is that it’s a unit of administration. If you begin with that thought in mind, your OU design starts to suggest itself. Once you’ve got the ideal design in mind, actually implementing an OU structure, like most of the button-pushing you do, is a snap (all right, technically it’s a click). Here’s what you’ll do: 1. Open Active Directory Users And Computers, and select the Active Directory container where you intend to create the new OU. You will choose either the domain container or an existing OU.
Exam Tip Notice that you won’t be able to create an OU in the Users folder. This can further help differentiate between groups and OUs. 2. Right-click and, from the context menu, choose New | Organizational Unit. The New Object – Organizational Unit dialog box appears, where you name the OU. That’s all there is to it. Now you can populate the things you’ll be administering in the OU by adding user, computer, and group accounts as described above.
Move Objects Within an OU Hierarchy Moving organizational unit objects within a single domain is also very easy. Rightclick and choose Move. You get the Move dialog box, as shown in Figure 5.12, and you simply make the destination OU selection. This topic might seem like small potatoes, but it is really significant in real-world Active Directory environments. In the NT 4 domain model, once the administrative duties have been divvied up, they are relatively locked in place because of the difficulties in redesigning a domain structure.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:07 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
202
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 5.12
Moving an object from one organizational unit to another
One of the big advantages of organizational units, though, is the flexibility they provide. As you’ve seen, you can easily move OUs within a domain as the administrative needs of the environment evolve.
CHECKPOINT ✔Objective 5.01: Plan a Security Group Strategy
Let’s briefly review the different group scopes you need to know for the 294 exam. Remember, the groups all have rules about who can be in them and where they can be used:
• • •
Global Limited membership to the domain where it is created, but can be used anywhere. Domain Local Open membership, but can be used only in the domain where the group is created. Universal Open membership, with unlimited use throughout the forest. Only possible when domain is in Windows 2000 native mode or higher.
✔Objective 5.02: Plan a User Authentication Strategy
You should also take with you from this chapter a knowledge of how and why to implement smart card authentication, and how to set policies for password use in your domain.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:08 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
203
You should understand that smart cards require the use of digital certificates in the domain, and that password policies are set through group policies and are done on the domain level. As users log on to the domain, password policies cannot be configured for individual Organizational Units.
✔Objective 5.03: Secure Resources with NTFS and Share Level Resources
In this objective, we examined the behaviors of NTFS permissions, and how these permissions interact with Share level permissions. Although the topics discussed here do not map precisely to Microsoft’s 70-294 exam objectives, it is assumed that you bring this knowledge with you to this test. It is furthermore essential for real world situations that you understand how to secure the resources of the domain. Also, knowledge of NTFS permission will help you more easily grasp the permission behavior of Active Directory objects, including the security and inheritance behaviors of Organizational Units and Group Policy Objects.
✔Objective 5.04: Implement an OU Structure
Additionally, you should now have a complete understanding of the use and function of organizational units, especially when combined with the topics presented in the previous chapter. In the next chapters, we will be using these OUs extensively as we implement the Group Policies that will govern how the Active Directory network is administered.
REVIEW QUESTIONS 1. You have just created an organizational unit. You now want to delegate authority over the organizational unit to another user for purposes of resetting passwords. How can you accomplish this task? Choose all that apply. A. Use the Delegation of Control Wizard. B. Create a Group Policy that specifies administrative rights over the organizational unit. C. Edit the organizational unit’s access control list. D. Add the user account to the Account Operators built-in group for the organizational unit. 2. You are the administrator for a Windows 2003 server domain. The domain has two new Windows Server 2003 computers, a Windows 2000 Server machine, and three Windows NT 4 BDCs. You create a domain local group. You now want to change the group scope to a
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:08 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
204
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
universal group, but are unable to do so. What is the source of the problem? A. You are not a member of the Enterprise Admins group, which is the only group with the right to change group scopes. B. The Windows Server 2003 domain is not running in the necessary functionality mode. C. The group type is a distribution group. D. The operation you are trying is impossible. 3. You are the administrator for a medium-sized company. The company has just spun off an operating division and, for security reasons, has implemented a new child domain for the division. You want to nest a global group from the child domain to an existing global group to grant permissions to resources in the parent domain, but find that you cannot. What is the cause? Choose all that apply. A. The domain has been recently upgraded from the Windows 2000 native mode to the Windows Server 2003 mode. B. The domains are operating in the Windows 2000 mixed functionality mode. C. Only OUs can be nested in an Active Directory environment. D. The Delegation of Control Wizard needs to be run over the child domain before its users can be added to groups in other domains. 4. You are the administrator for a company with a single domain and several branch offices located across the United States. As the company grows, you want to delegate to each location’s branch manager the ability to add computers to the offices they manage. You also want to limit the administrative capabilities of these branch managers as much as possible. Which of the following methods best describes the way to meet your objectives with the least amount of administrative effort? A. Create a universal group for each of the geographic locations. Run the Delegation of Control Wizard and grant each branch manager the Create Computer Objects permissions for the universal group. B. Create an OU for each geographic location. Edit the ACL of each OU and allow the Create Computer Objects permission to each branch manager account over each OU. C. Create a global group for the branch managers. Run the Delegation of Control Wizard over the domain object, and allow the branch managers global group the ability to Create Computer Objects.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:08 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
D. Create an OU for each geographic location. Use the ACL of the domain object to grant each branch manager the ability to Create Computer Objects. Use a Group Policy to limit the OUs where the branch managers can create computer accounts. 5. Your Windows 2003 Active Directory domain currently has three backup domain controllers. You are asked to provide written documentation for your group design plans for the domain. What is the acronym that best represents the group design plan you should recommend? A. B. C. D.
AUGDLP AG ADLGP AGDLP
6. You are administering a large company with multiple geographic locations. The company is organized into three Active Directory domains running in the Windows 2003 functionality mode. Several groups of users, about 50 to 75 at a time, need exclusive access to research databases spread throughout the company, and these user groups are from different domains. You have implemented universal groups for the purpose of assigning permissions to these groups, and have edited the ACL of the databases so that only these universal groups have access. Users are complaining, however, that network performance has become very slow. What should you do to alleviate the problem? A. Because the domain functionality of all domains is set to Windows 2003, change the scope of the universal groups to global. B. Create domain local groups for the database access, and place the universal groups in the domain local groups. C. Use global groups in each of the domains and put the global groups in the universal groups. D. Create OUs for database access, and use the Delegation of Control Wizard to assign permissions to the research databases. Replication of OUs will occur with Active Directory replication. 7. You are administering a Windows 2003–based network. The Active Directory infrastructure has five domains, all operating in Windows 2000 native domain functionality mode. There is a group of database administrators in the forest root domain that needs access to databases
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:08 AM
205
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
206
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
in all the other four domains. What type of group structure should you create to grant access to these database admins? A. B. C. D.
A global distribution group A universal group A domain local security group A global security group
8. You are administering a Windows 2003 domain. The domain has about 500 users. You have been dealing with the research department and have agreed to let them manage their own user accounts. How should you let users manage their own accounts? Choose all that apply. A. B. C. D.
Create a new domain since the domain is a security boundary. Create a new OU for the research department. Use the Delegation of Control Wizard. Place the research accounts in a separate site.
9. A user, Jennifer, has the permission to manage accounts in an organizational unit, and is trying to change the account information of a user who has just changed job function. Jennifer reports, however, that she is unable to change the account information, but is otherwise able to manage the other accounts in the OU. What should you check? A. Check whether the user really has permission to manage the OU. B. Check whether the account has been moved to another OU. C. Check whether the Inherit Permissions behavior is in effect on the account. D. Check whether the domain controller has received the latest Active Directory replication updates. 10. You have just been authorized to upgrade the operating systems on several machines in your organization so that computer accounts can be created, and users can be restricted as to where they can log on from. Where can you set up these computer accounts? Choose all that apply. A. B. C. D.
Universal groups Organizational units Sites Domains
11. You are trying to move a user account from one domain to another. What method should you use to move the user between domains?
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:08 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
CHAPTER 5 Planning and Implementing User, Computer, and Group Strategies
A. Active Directory Users And Computers. Just right-click on the user account and select the new container where you want the user moved to. B. Use the MOVETREE command from the command line. C. Delete the user account from the first domain and recreate it in the new domain. D. You cannot move user accounts between domains.
REVIEW ANSWERS 1.
The Delegation of Control Wizard is a wizard-based interface for editing an Active Directory object’s ACL. This ACL will define which users or groups have what kinds of permissions over the object. In Active Directory, you can edit the ACL so that only very specific tasks are delegated to very specific users.
2.
To change group scope from domain local or global to universal, the domain functionality level needs to be set to Windows 2000 native or higher. This domain, because of the presence of the Windows NT 4 backup domain controllers, would necessarily be running in the Windows 2000 mixed mode. Yeah, I guess you could argue D. It is impossible in the current functionality mode, but that’s not the best answer here, now is it?
3.
In the Windows 200 mixed domain functionality mode, you cannot nest global groups in other global groups. Group nesting is possible in both Windows 2000 and Windows Server 2003 domain mode, and nesting is not restricted to OUs.
4.
Using the Delegation of Control Wizard and editing the ACL both make changes to who can do what to an organizational unit. The best answer here is B because while other answers allow the branch managers to add computer accounts, they give away too much control over the domain. Use OUs to limit the scope of your delegated administration.
5.
The Microsoft recommended group design plan is Accounts, Global groups, domain Local Groups, Permissions.
6.
The problem here is that there are too many accounts in the universal groups, and universal group membership is replicated among all Global Catalog servers. If you use global groups, you can dramatically reduce the account membership of the universal groups, and reduce
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:08 AM
207
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
208
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 5
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
the amount of bandwidth consumed by Global Catalog replication. A would not work because the users who need access come from different domains, and global groups can only contain users from a single domain. B would not alleviate your universal group problem, and D is wrong because an OU is not used to assign permissions to resources. 7.
Because all the user accounts are in a single domain, you should use a global security group, which can then be used to grant permissions in other domains throughout the forest. A distribution group cannot be assigned permissions, a universal group is not necessary because all accounts are in one domain, and a domain local group cannot be used for assigning permissions in other domains.
8.
The best solution to your dilemma is to create a new OU for the research staff at your company, place all the relevant user accounts into that OU, and then use the Delegation of Control Wizard to delegate administrative authority of the research department’s own accounts. This does not mean they will be able to administer other accounts in the domain.
9.
The most likely cause of this problem is that the user account has been moved, and the Inherit Permissions check box has been cleared. B is probably true; the account has likely been moved due to the change in job function, but this is not the likely source of the problem. Remember, the question states that the problem is just occurring with the one account.
10.
You can create computer accounts anywhere you can create other accounts, including in groups. The site is not a container for computers, but a unit of replication and of logon traffic.
11.
The MOVETREE utility is the best way to move a user account between domains. Answer C would be functional, but you’re not technically moving the account, you’re creating a new account, and any settings such as group memberships would be lost.
P:\010Comp\Passport\575-0\ch05.vp Tuesday, August 05, 2003 9:50:08 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
6
Planning and Implementing Group Policy
ITINERARY
• •
Objective 6.01 Objective 6.02
Plan Group Policy Strategy Configure the User Environment by Using Group Policy
NEWBIE
SOME EXPERIENCE
EXPERT
5 hours
3 hours
2 hours
209
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:25 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
210
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Now we get to the fun stuff. Group Policies are your lever for implementing a written administrative policy; they represent the how of Active Directory administration. As in, “How do we administer the objects in Active Directory?” With a Group Policy. This chapter will introduce you to this versatile, mammoth administrative technology, and will help you understand what it is and how it works (how it works is the important part for you). We will then begin to demonstrate the capabilities of Group Policy, starting with management of the end-user experience. But the discussion is simply too broad to end here. The next chapter will pick up where this one leaves off, highlighting some of the security and software installation capacity that’s possible through a Group Policy object. You can figure that about 30–50 percent of the 294 exam will in some way test your ability to understand and implement a Group Policy object. Therefore it’s imperative that you have a good grasp of the concepts and skills in this chapter before even thinking about registering for the test. Additional experimentation with Group Policies in a test environment is also highly recommended for you to get a better feel for how Group Policy behaves when the settings introduced here are configured. This chapter starts with a look at Group Policies in the most general terms, discussing how Group Policies are created, managed, and processed when a user in your Active Directory environment logs on to the domain. Then we’ll start funneling toward specifics later in the chapter. These specifics will include redirecting folders and manipulating the end-user experience. But keep in mind that these are just some examples of how Group Policies can be used. Our discussion will be continued in the following chapter. We’ll start by thinking about what a Group Policy is and how it might best meet your administrative needs.
Objective 6.01
Plan Group Policy Strategy
L
ike files and folders, like users and groups, like domains and organizational units, a Group Policy object (GPO) is just another software object, typically stored in the Active Directory database. (I say typically because there is one stored in the local machine’s directory database as well, but mostly Group Policies are used to manage Active Directory–based computing environments.)
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:26 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
211
This software object contains a collection of settings that can potentially affect almost any aspect of user and computer configuration. So far, so good? They’re independent pieces of software, stored somewhere on the hard drive, just like almost anything else. Group Policies can then be linked to the container objects in Active Directory: sites, domains, and organizational units. The linked Group Policies will then configure settings that, by default, affect all objects in the container. They can be used to determine what Start menu options are available, what the background of the desktop will be, or what programs will be available. And these are just of few of the configurable settings, as you will soon see. This chapter focuses on some of the settings that affect the end-user experience.
Group Policy Overview Before we jump into the Group Policies created and linked to the Active Directory containers, let’s start with the local policy mentioned above. There are a couple of reasons to start with an examination of the local policy even though you won’t see questions on the exam that directly test your understanding of it. First, all Windows XP Professional, Windows 2000, and Windows Server 2003 computers have a local policy, so even if you don’t have an installation of Active Directory on Windows Server 2003 handy, you can still study and understand Group Policies by looking at the local policy. Secondly, it gives us a good starting point for Group Policy comprehension.
How to Configure the User Environment by Using Group Policy One of the challenges for any domain administrator is enforcing a corporate policy about how users’ desktops should look. For example, a picture of your favorite NASCAR driver might be appropriate for a home computer, but a bank manager might want something a little more stately when making a first impression to a potential customer. Using a Group Policy to manage users also means controlling what content is provided. The Control Panel, to use one example of user environment management, can be kept from prying, unknowledgeable eyes (or worse, from mischievous, knowledgeable eyes). Looking at specific examples like these is helpful because the scope of manageable settings is so overwhelming. With a Group Policy, an administrator can accomplish the following:
•
Enforce centralized control of user and computer settings at the site, domain, or organizational unit level
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:26 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
212
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
•
Provide a desktop environment that enables users to accomplish job functions while also ensuring that applications cannot be changed or removed
• •
Control the end-user experience by managing the appearance of the desktop, including what software is or can be installed Ensure that company written policies regarding computer use and Security settings have a computing mechanism for application
The Local Group Policy Object Every computer running Windows 2000, Windows XP Professional, or Windows Server 2003 also has a local Group Policy object linked to it. With a local GPO, it’s possible to configure the settings of just a single computer without affecting any others. In an Active Directory environment, these local settings are low man on the totem pole, as the settings dictated by a local policy can be overwritten by settings configured at the site, domain, or OU level. (More about this processing hierarchy in just a bit.) However, in a non–Active Directory environment, the local GPO is the only measure of applying a Group Policy setting. By now, you’ve probably used some of the Control Panel tools to make changes to the look and feel of the desktop. You’ve changed screen resolution, desktop wallpaper, mapped network drives, and so on. However, these changes are not a permanent part of the end-user experience. The desktop can be changed; the network drives can be unmapped. But what if the administrator wants to take more control of the user environment, dictating the look and feel of the desktop experience? What if, for example, the administrator of a computer or even a network wants to remove access to Internet Explorer altogether for users of a particular computer? What if he or she wanted all users, for purposes of professionalism, to use a uniform desktop theme? Group Policy is the answer.
Local Policy Configuration Perhaps it’s best to start with a “blank” or unconfigured GPO to get familiar with Group Policy settings. To open a blank GPO that will apply to the local computer, follow these steps: 1. Open an empty MMC console by launching the Start menu, choosing Run, and then typing MMC. 2. An empty console opens. From the File menu, choose Add/Remove Snap-in.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:26 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
213
3. From the Add/Remove Snap-in dialog box, click the Add button. The Add Standalone Snap-in dialog box opens, where you will navigate to the Group Policy Object Editor. 4. Select the GPOE, click Add, and then you will see the dialog box shown in Figure 6.1, where you will accept the default choice that the Group Policy will govern the local computer. Click Finish to accept the choice. 5. Close the Add Standalone Snap-in dialog box, then click OK from the Add/Remove Snap-in dialog box to get back to the MMC console. You will now have the MMC loaded with the GPOE, which will in turn be configured to edit a local policy. As you can see in Figure 6.2, there are two main categories of Group Policy settings:
•
Computer Configuration settings These are used to set policies that affect the computers regardless of who logs on. They are applied as the operating system initializes, before the user is presented with the logon screen.
•
User Configuration settings These are used to set policies that apply to users regardless of the computer they are using. User settings are applied after a user identifies himself, usually through a username and password, and before the desktop is presented.
FIGURE 6.1
Adding a GPO for the local computer
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:26 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
214
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 6.2
Settings in a Group Policy object
If you expand each of these main groupings, you will see several subheadings of policy settings. Each grouping includes collections for Software settings, Windows settings, and Administrative Templates. The individual settings for users and computers, however, are not necessarily the same. Software Settings For both user and computer configuration, the Software settings specify Software Installation options. As we will see in Chapter 7, these settings will help you deploy and maintain installed software for the computers and/or users in your organization. For example, you could use the Software settings to ensure that all computers in a site get a service pack update to an application or to ensure that a particular user has an accounting program available to them no matter what computer they log on from. Windows Settings The Windows settings contain Scripts and Security settings. The scripts node is where we can most clearly see the difference between settings that affect the user and settings that affect the computer. Notice that the scripts assigned to computers are startup/shutdown scripts, as computers engage in starting up and shutting down. Users, though, are assigned logon and logoff scripts, because that’s what they do: log on and log off.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:26 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
215
In the scripts node, administrators can attach a script to a Group Policy, and there are no limitations to the scripting languages used. The script can be written in any ActiveX language, including VBScript, JScript, Perl, and DOS-based scripts such as .bat and .cmd. The Security settings allow for manual configuration of security levels. These settings include audit policies, password polices, and user rights assignments, to name but a few. There are hundreds of Security settings available, and we will discuss these more in Chapter 7. Additionally, in the User Configuration Windows settings only, you’ll find policies used for Internet Explorer maintenance, and Remote Installation Services. If you’re creating a Group Policy object that will apply to an Active Directory container, you’ll see a folder redirection node. Later in this chapter, as we explore Active Directory–based Group Policies, we’ll get more familiar with folder redirection, as there have been some significant improvements in Windows Server 2003. Administrative Templates The settings configurable with the Administrative Templates are all registry-based. That is, configurations made with the Administrative Templates are written to the registry at either startup or logon time, depending on if the setting applies to a computer or user, respectively. The Administrative Templates include settings for Windows components, system, desktop, Control Panel, and the network. Configuring these settings will have the most noticeable impact on the end-users’ desktops. The system node is used in part to control Group Policy itself, and will be examined when we discuss Group Policy processing exceptions. When you make changes to the status of an Administrative Template setting, you will simply double-click the setting (or right-click and choose Properties) to open the dialog box shown in Figure 6.3. In the setting dialog box, there are three options regarding the configuration of each template setting. A setting can be
•
Enabled This setting will enforce the configuration setting for the GPO being configured. A setting that’s enabled will edit the registry of the computer where the GPO is effective.
•
Disabled This setting will not be enforced for this GPO. The Disabled setting can be used to override a setting configured at a parent container further up in the GPO processing hierarchy (more about that hierarchy later). The Disabled setting will also write a change to the registry.
•
Not Configured This is the default setting. It means the setting will not be set, but instead may be inherited from a parent container. Most settings will be unconfigured as you build your GPOs.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:26 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
216
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 6.3
Configuring an Administrative Template setting
There are more than 450 settings that will affect either user or computer behavior under the Administrative Templates. Which ones you might need to configure for your environment will be a matter of exploration, trial, and error. When you configure an Administrative Template setting, the change will be written to the registry, thus increasing processing time for the Group Policy object. Note that this includes configuring the policy setting in the negative. Therefore, you want to configure as few of these settings as possible while still meeting your administrative objectives.
Travel Advisory If you don’t want to scroll through all 450+ Administrative Template settings, you can display only those settings that have been configured. To do so, choose the Administrative Templates node, and then from the View menu, choose Filtering. The dialog box shown in Figure 6.4 will display, and you can check the option to “Only show configured policy settings.” Of course, this won’t be effective when you are configuring the settings in the first place.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:27 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
FIGURE 6.4
217
Filtering the display of Administrative Templates
Changes to the Administrative Templates Also be aware that there are more than 220 new administrative settings that are configurable with Group Policy settings. (That’s according to Microsoft’s documentation; I haven’t bothered to get an exact count of them all, and apparently neither has Microsoft.) The administrative settings themselves are stored in an .adm file, and there are many more .adm files available than you first see when working with the default Administrative Templates. For example, included with the Microsoft Office 2003 Resource Kit is an .adm file that contains additional settings specific to Office application management. This .adm file is not available with the installation of Windows Server 2003; you need to obtain it from the Resource Kit. But before you can use any alternate .adm files, you must first make sure Group Policy knows about them. Here’s what you’ll do: 1. Open the Group Policy Object Editor and expand either the User or Computer Configuration node. 2. Select the Administrative Templates. Right-click, and choose Add/ Remove Templates. 3. In the Add/Remove Templates dialog box, choose Add. 4. Now you’ll select the .adm file to add, as shown in Figure 6.5. If you have copied an .adm file, you would browse for it here.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:27 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
218
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 6.5
Adding an Administrative Template
There are also .adm files that help you manage Windows Media Player, Internet Explorer, and NetMeeting settings, to name a few.
Travel Assistance For additional information about the many .adm files and how they can be used, please see the Windows 2003 deployment kit at: www.microsoft.com/windowsserver2003/techinfo/reskit/ deploykit.mspx.
Group Policy Application Here’s how the Computer Configuration and User settings are applied at startup and logon time: 1. At computer startup time, a computer obtains a list of GPOs that will be applied to the computer. This list depends on the following: Whether the computer is a member of a Windows Active Directory domain
• •
In what site the computer resides in Active Directory
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:27 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
•
219
Whether the list of GPOs has changed
2. After the list has been obtained, the Computer Configuration settings are processed synchronously in the order dictated by the processing hierarchy, which is discussed later in the chapter. 3. Any startup scripts assigned to the computer are run synchronously: each script must complete before the next one is run. All this occurs before the user gets any user interface, including the Windows logon dialog box. 4. The user presses CTRL-ALT-DELETE and submits user credentials. 5. After the user is authenticated, a list of GPOs for the user is obtained. This list is also dependant on several factors, including: Whether loopback is enabled, as discussed later Where the user account resides in the Active Directory tree structure (assuming a domain account is used; a logon using a local account to a local machine would not have any domain-based policies take effect)
• • •
Whether the list of GPOs has changed
6. The User settings are then processed using the processing hierarchy. 7. Any logon scripts assigned run asynchronously—that is, all scripts are run at the same time by default.
Group Policy Scope GPOs adhere to a specific set of rules when applied to users and computers. It is crucial that you learn and fully understand these rules, and how they sometimes overlap in their application. One set of these rules defines what happens at each Active Directory container where Group Policy is linked, and how Group Policy settings are inherited from container objects above. Another set defines how settings from multiple GPOs are applied when the individual settings conflict. And a third set of rules deals with how GPOs are processed when several are linked to a single container.
Group Policy Processing Order I’ve made reference to this processing order a few times, so I may as well explain it now. Here’s how GPOs are processed, by default: 1. Local Each Windows Server 2003 computer will have exactly one GPO stored locally, which will get processed first.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:28 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
220
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
2. Site Any GPOs associated with a site the computer belongs to, or a user is logging in from, will be processed next. 3. Domain GPOs linked to the domain container are processed next according to the order listed in the Group Policy tab, as discussed in the next section. 4. Organizational Unit (OU) GPOs linked to parent OUs are processed next followed by GPOs linked to child OUs if applicable. In this way the immediate parent object of the user or computer account will be processed last, which has a significant impact on effective settings. You’ll note that the above list spells out the processing order for GPOs from first to last. But the default order of settings precedence is just the opposite. So in looking at the list above, it’s important to understand the local policy, while processed first, resides at the lowest rung on the GPO processing ladder. In other words, the last setting processed becomes the effective setting. But the last setting becomes effective only when there is a conflict between the settings of multiple GPOs. If there aren’t any configuration conflicts, all GPO settings apply. For example, if a local setting specifies auditing of printer access, and the domain level setting redirects the My Documents folder, and an OU setting removes the Control Panel, the user environment will reflect all of these settings. If, however, the OU setting redirects the My Documents folder, but uses different settings than the domain policy, the OU setting will override the domain level setting. Why? It’s the last setting applied. And, boy, do you have to know that. If I could highlight one section from this chapter, that would be it. Until you commit that default processing order to memory, don’t bother sitting for the 294 exam, and in fact, don’t even go on with the rest of the chapter. Here’s a stupid mnemonic that might help you remember this processing order: LSD is a trip to OU. (I said it was stupid.) If it helps you understand Group Policies, though, you’ll thank me for putting that in your head. If you don’t remember anything else from this chapter, remember that. Multiple GPOs Linked to One Site Now, for each Active Directory container object, there may be several Group Policy objects linked. For each object, the Group Policy tab displays the list of GPOs attached to the object, as shown in Figure 6.6. When there is more than one GPO linked, the list is processed from the bottom to the top. This means that GPOs at the bottom are processed first, and the top policy is processed last. (I know. It’s confusing; the inverse of what we just
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:28 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
FIGURE 6.6
221
More than one GPO can be linked to a single object.
learned about the container processing order. I’ll mention it to Mr. Gates in our conference call next week.) But as with the container processing order, the last setting applied becomes the effective setting where there is a conflict. And once you learn the default processing order, including what happens when multiple policies apply to a single logon, you can start to learn about all of the multiple exceptions to this rule.
Exceptions to Group Policy Processing There are several exceptions to the default GPO processing order. They include the following:
•
Workgroup computers process only the local GPO Because the other containers you can link a GPO to—sites, domains, and OUs—are all Active Directory objects, and workgroup computers are not part of an Active Directory environment, the only way to use GPOs with these computers is by configuring the local GPO on a computer-by-computer basis.
•
Block Policy Inheritance At any domain, or OU level, the inheritance behavior of the GPO processing can be blocked (the Block Policy
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:28 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
222
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Inheritance option is grayed out at the site level). For example, if you are a junior administrator of the Finance OU, and that Finance OU lives in a domain that has a domain GPO that prevents access to the Control Panel, you can block policy inheritance so that users in your OU have access to the Control Panel. They see the Control Panel because the settings configured higher in the default processing order (the domain) are blocked. This can add to the flexibility of administration available for OUs in the domain. Besides, what does the domain admin know anyway?
Exam Tip Notice that when you block policy inheritance, you block it at the container level, not on an individual GPO. That is, the setting is effective for all GPOs linked to the site, domain, or OU. It doesn’t matter where these GPOs have been originally created.
•
No Override This is the antidote for the Block Policy Inheritance option. Any GPO linked to the site, the domain, or the OU can be configured so that its settings cannot be overridden by other GPOs lower down in the processing chain. If there is more than one GPO that has the No Override setting, the one highest up in the GPO processing chain will be the effective setting. This behavior enables a domain administrator (or an OU admin, and so on) to enforce a container-wide setting that cannot be usurped by some junior administrative despot who doesn’t like the way you’ve configured things.
•
Loopback setting This one is probably the most confusing and is definitely the least often used. It is designed for computers that are part of a closely controlled environment such as laboratories or kiosks. Unfortunately, it merits the most discussion, but it’s a setting you will only configure rarely, if at all. Do you need to know it for the exam? I’d say chances are about one in three, so it’s worthy of a little more attention here.
In essence, the Loopback setting makes the Computer Configuration settings for a system the effective settings, no matter what other GPOs might apply to the user account at logon time. Moreover, the Loopback setting is not even configured from the Group Policy tab like the other behaviors discussed here. It is actually a setting of the Group Policy itself. To configure the Loopback setting, you must edit the GPO
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:28 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
223
that would apply to the computer and edit one of the Computer Configuration settings. The full path to the Loopback setting is Computer Configuration \ Administrative Templates \ System \ Group Policy. The full Loopback setting policy is called “User Group Policy loopback processing mode.” When you double-click this setting, you have the option to enable the setting, and then once in the Enabled state, the loopback behavior will operate in one of two modes:
•
Replace This will replace the GPO list obtained for the user with the GPO list obtained for the computer at startup time. It effectively overrides any user-specific settings the user might have.
•
Merge This appends the computer GPO list with the user GPO list. Because the GPO list for the computer is applied after the user’s normal GPO list is received from Active Directory, any settings configured with the local GPO settings override the user’s normal settings where there are conflicts. And remember, there are User Configuration settings even in the local GPO.
An example where you might use the loopback is in a reception area. Let’s say you have a user who is a part of the Graphics OU, and a large software program is distributed to all users in the graphics department via a GPO that makes sure they will always have the application available no matter what computer they are using. That same user logs on to a computer at the reception area to quickly check messages on the way out the door. With the Loopback setting enabled for the computer, the user then would not have the application sent and installed on the reception computer.
Travel Advisory For further information on the Loopback setting, choose the Explain function of the setting (or any setting, for that matter) which is accessible from either the Explain tab of the Loopback setting, or by using the Extended View in the Details pane of the Group Policy Object Editor. At the bottom of the Details pane, you have Standard and Extended view tabs to choose from. The Extended tab gives you access to the Explain contents, and lets you open the Properties dialog box of the setting with a hyperlink. Throughout the book, I use the Standard view more often than not in the screen captures.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:28 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
224
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Disabling User and Computer Configuration Settings As you have already seen, not all of your settings in a particular GPO need be configured. In fact, it’s a safe bet to say that the vast majority of settings won’t be configured. For example, if I’ve configured a GPO whose only function is to remove the Control Panel, all Computer Configuration settings will remain untouched. However, these unconfigured settings still have to be processed come logon time. It can therefore improve performance to disable the Computer Configuration settings. In fact, this is recommended practice from Microsoft. You don’t have to apply settings that are unconfigured, and in fact you shouldn’t. The disabling of a part of a GPO can speed up GPO processing at startup and logon time. Disabling a section of a GPO can be done at the Computer Configuration or User Configuration level. Generally speaking, you will notice the performance increase most when several GPOs apply to your user logon. Here’s how to disable the User or Computer settings for a given GPO: 1. Open the Group Policy object that you want to edit. 2. In the console tree, right-click the icon or name of the Group Policy object, and then click Properties. 3. On the General tab, select the Disable User Configuration Settings check box, and then click OK.
Slow Link Processing If you are accessing the settings of a GPO over a slow connection to a domain controller, it can take a long time for those settings to be sent over the network. This most often occurs when a user is logging on over a remote connection with no domain controller at the local site, although if traffic is congested, slow links can also be detected when using the LAN. The Slow Link settings prevent certain GPO settings from being sent, thus improving GPO processing time. By default, however, registry-based settings applied by Administrative Templates and Security settings will always be applied. Other settings are not applied when a slow link is detected. By default, a link is judged fast or slow based on a test ping to the domain controller from where the GPO must be retrieved. If it takes less than two seconds for a response from the server, the link is considered fast, and all policy settings for the GPO will be applied. Most of the settings that apply to slow link detection are located under the Computer Configuration\Administrative Templates\System\ section of the Group
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:28 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
225
Policy Object Editor. Of specific note here is the Group Policy Slow Link Detection setting, which is located within the Computer Configuration\Administrative Templates\System\Group Policy node. Configuring this setting specifies what is considered a slow link for this particular GPO.
Exam Tip If you set the Slow Link setting value to 0, all connections will be considered fast.
Group Policy Storage Location As mentioned previously in the chapter, every system running Windows Server 2003 will have a single local GPO. This local Group Policy is stored in systemroot\ System32\GroupPolicy. Domain-based Group Policy objects, on the other hand, are actually stored in two locations. The Group Policy container is a directory service object, and stores all properties for the GPO including the latest version of the object, as well as the list of all settings that have been configured. The other storage location is the Group Policy template, which is a folder structure within located under the SYSVOL directory. If you recall from earlier in the book, clients connect to the SYSVOL folder when establishing contact with the domain, so it follows that Group Policy information will be stored here. Residing in the Group Policy template are settings that have been configured with Administrative Template settings, Security settings, script files, and any information about applications that will be deployed or managed via software installation settings. The Group Policy template is located in the \Policies subfolder for its domain. The template directories are given automatic names, and there is no need to change these directory names (nor should you). Each template directory can have several subfolders which store Group Policy settings. These subfolders, examples of which are shown in Figure 6.7, may include
• • •
Adm
Contains the .adm files for the Group Policy template.
Scripts Contains the scripts and related files for the Group Policy template. User Includes a Registry.pol file that contains the registry settings that are to be applied to users. When a user logs on, this Registry.pol file is downloaded from this location and applied to the HKEY_ CURRENT_USER portion of the registry. It contains an Applications subfolder.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:29 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
226
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
•
User\Applications Contains the application advertisement script files (.aas) that are used by the operating system–based installation service. These files are applied to users.
•
Machine Includes a Registry.pol file that contains the registry settings that are to be applied to computers. When the operating system initializes, this Registry.pol file is downloaded from this location and applied to the HKEY_LOCAL_MACHINE portion of the registry. It contains an Applications subfolder.
•
Machine\Applications Contains the .aas files that are used by the operating system–based installation service. These files are applied to computers.
Group Policy Behaviors There is a set of rules applied when processing GPOs, and you must absolutely know these rules for the exam.
•
All GPO settings apply unless a conflict is detected. The effective settings are a combination of all settings of all site, domain, and OU Group Policies that might apply to a user login.
•
If there is a conflict, the rules of policy inheritance are followed: local, site, domain, OU. The last setting applied where there is a conflict becomes the effective setting.
FIGURE 6.7
Directories in the Group Policy template
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:29 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
227
•
If more than one GPO is linked to an Active Directory container object, GPOs are processed from the bottom to the top as they are listed in the Group Policy tab in the Properties dialog box. Again, where there is a conflict in settings, the last setting applied becomes the effective setting.
•
Computer settings take precedence over user settings. If a setting is specified from a user and a computer at the same level of GPO processing, the computer settings override the user settings where there is a conflict in settings.
Group Policy Inheritance Unless some of exceptions to the processing order have been configured as discussed above, Group Policy settings are passed down from parent container to child container. For example, a GPO setting you have configured for a top-level OU will also apply to all child containers in the OU. This includes any user and computer objects that are in the parent and child containers. But if a GPO has been set for the child container, and that setting conflicts with the parent-level GPO, the child setting will be the effective setting. If a setting is configured for a parent OU, and the setting is not configured for the child OU, the child inherits the setting from the parent. In this way, Group Policy inheritance works just like the inheritance of NTFS permissions when working with files and folders. This is one of the reasons why it’s very valuable to be familiar with NTFS permissions even they are not specifically mentioned as 294 test objectives.
Filtering Group Policy Each GPO is an Active Directory object, with a set of Properties like any other. Included in these Properties is the access control list. We’ll delve into the significance of the GPO’s ACL later in the chapter. For now, know that you can use the ACL to define what users can Read and Apply Group Policy. With these permissions, you can filter Group Policy application to a specific user or group. For example, suppose you have a user, Tommy, who is the designated administrator of an OU’s users and computers. Suppose further that there was a GPO linked to that OU that removed the Control Panel. To manage the OU effectively, Tommy is going to need access to the Control Panel. This is a perfect instance for use of a filter to the Group Policy. By adding the user, Tommy, to the ACL of the Group Policy object, and then denying him the permission to apply the policy that removes the Control Panel, Tommy will get access to the Control Panel.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:29 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
228
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
This filtering behavior, along with the other exceptions to processing order, gives administrators almost unlimited flexibility when deploying Group Policies to manage Active Directory users and computers. Another level of filtering lets administrators filter certain settings within a single GPO. This is possible through the use of WMI filters.
WMI Filtering Administrators have the option to further manage Group Policy behavior by configuring Windows Management Instrumentation (WMI) filters. These WMI filters allow for additional filtering of Group Policy processing, and are used in much the same way that you use security groups to filter GPO application for a certain group. WMI filters are used to implement exceptions to given policy processing. These WMI filters are written in a language called the WMI Query Language (WQL).
Travel Advisory You should use WMI filters sparingly. The more WMI filters apply to a policy, the longer it will take to process the Group Policy object. To use a WMI filter, one must first be created. WMI filters are written using the WMI Query Language, and can be done right from the WMI Filter tab of the GPO’s Properties dialog box. The Filter tab extension on the Properties page of a Group Policy object allows you to specify a WMI filter for a given Group Policy object. Furthermore, the Resultant Set of Policy (RSoP) tool is sometimes used in conjunction with application of WMI filters, as it can display existing WMI filters and can also be used to specify alternate filters. Here’s how you’ll add a WMI filter: 1. Open Active Directory Users and Computers. 2. In the console tree, right-click the domain or organizational unit for which you want to set Group Policy and choose Properties from the context menu. 3. On the Group Policy tab, select the GPO you’re configuring the filter for, right-click, and choose Properties. 4. Choose the WMI Filter tab, then click This Filter, and then choose Browse/Manage. 5. Click Advanced. 6. Click New to clear the Filter Name, Description, and Queries fields.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:29 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
229
7. Type in information about the new filters you create. Then save the changes and click OK to finish the procedure.
Travel Assistance You need not know how to write these WQL filters to pass the exam. This is a skill usually performed by those with a software development background. More information can be found at www.microsoft.com, by searching for the WMI Software Development Kit (SDK). When you stand back and think about it, it really is a remarkable technology. And now that you’ve spent time learning about some of the background issues regarding Group Policies, it’s time to create a GPO for use in an Active Directory environment.
Creating a GPO for Active Directory Management Here are the steps necessary to create a Group Policy object that will, by default, be linked to the domain container: 1. Open the Active Directory Users and Computers MMC snap-in, and choose the domain object. 2. Right-click, and choose Properties from the context menu. From the Properties tab, click on the Group Policy tab. 3. As seen in Figure 6.8, the Group Policy tab has several buttons that will help you manage the Group Policy objects linked to the domain container. All objects in Active Directory that can have a GPO linked to them will have a Group Policy tab that, except for the listing of the GPOs, will look exactly the same. There are several buttons available in this tab:
•
New Lets you create a new Group Policy object from scratch. Nothing will be configured in this GPO until you edit its settings, so simply creating a GPO will have no effect on the computing environment. Further, this GPO will be linked automatically to the current Active Directory container.
•
Add Lets you add an existing GPO to the list of Group Policies linked to the current container. Adding a GPO will place it at the bottom of the list.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:30 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
230
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 6.8
The Group Policy tab has several buttons that help you shape behavior of the GPO.
•
Edit Clicking this button opens the Group Policy Object Editor, which will allow you to configure the settings of the selected Group Policy object. After making changes to the GPO, changes are applied according to the Group Policy refresh intervals discussed later in the chapter.
•
Options Lets you configure the options of the GPO, including the option to enable or disable the GPO. It also lets you specify whether its settings may be blocked or overwritten by GPOs lower down in the processing inheritance chain.
•
Delete Seems straightforward, but there are actually a couple of facets to the delete behavior. When you have a GPO selected, clicking this button brings up a dialog box which lets you either delete the link from the GPO to the container, or delete the GPO altogether. If you delete the link, the GPO is still available for processing at other containers. If you delete the GPO completely, settings that you might want applied at other levels will no longer apply.
•
Properties Like any other Active Directory object, the GPO has a set of properties with which you will manage the object. Especially
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:30 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
significant here is the Security tab of the GPO. This holds the access control list of the GPO, and just like the ACLs we examined earlier when looking at delegating authority over OUs, the tab specifies who can do what to the object. In the case of a GPO, we can use the ACL to control who can apply the settings of the GPO. More about this when we talk about filtering the scope of the GPO.
•
Up and Down These buttons will become available when there are two or more GPOs listed for a single Active Directory entity. These buttons, as you probably surmise, let you move the GPOs up and down the list, which can have a significant impact on the effective settings because of the processing order. Remember that the processing occurs from bottom to top, and the last settings processed are the effective settings where conflicts are present.
•
Block Policy Inheritance Also take note of the check box at the bottom of the Group Policy tab. This button allows you to block settings inheritance from parent-level Group Policies, much like the blocking of NTFS permissions when configuring properties of file and folder resources. More to come about the blocking of Group Policy inheritance later in the chapter.
Travel Advisory Don’t forget: when in doubt, right-click. You can right-click the GPO name in the listing in the Group Policy tab and a context menu appears, letting you configure certain aspects of behavior, such as the no override behavior, that are also available using the buttons just described. 4. Click the New button to create a new GPO that will automatically be linked to this container. The GPO will be created at the bottom of the list if an existing GPO is linked. The GPO will be named New Group Policy Object; you should change this name to something that will indicate what the GPO is for. For example, unless you’re in a test environment, you shouldn’t give GPOs names like My Really Neat Group Policy. No one but you would have any clue as to what the GPO is for and they would have to sift through the mountain of settings available to figure out the significance of the policy. If, on the other hand, the policy was called Software Policy, or better yet, Service Pack Policy, other administrators would have a pretty good idea of where to start looking to make edits to the policy settings. We’ll call this new GPO the No Control Panel policy.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:30 AM
231
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
232
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
5. Click the Edit button after creating a new GPO to begin modifying its settings. If you have the proper permissions, you could also edit existing GPOs you see in the list. 6. This brings up the Group Policy Object Editor (GPOE), as seen in Figure 6.9. There are two main nodes of the GPOE, Computer Configuration settings and User Configuration settings. We’ll be getting into the details of some of these settings throughout the rest of the chapter, and indeed throughout the rest of the book. In the example here, we want to remove the Control Panel from users’ desktops, so we’ll expand the User Configuration settings, then the Administrative Templates. We’ll then choose the Control Panel node. 7. To configure an Administrative Template setting, generally you’ll just double-click on the setting, such as Prohibit Access To The Control Panel, and enable the settings with a click of a check box. Sometimes, you need to also set parameters, as is the case with most of the Security settings. 8. Once you’ve configured the settings, close the Group Policy Object Editor, and then click OK from the Active Directory object’s Properties dialog box. The settings will then apply when the GPO is refreshed.
Travel Advisory Although you can get to the Properties of almost any other file, folder, printer, or Active Directory object by double-clicking, if you do it on the name of a GPO, you’ll launch the Group Policy Object Editor, not the Properties of the GPO. When you set the permissions of a Group Policy object, you define two types of behaviors:
• •
Which users can make changes to the Group Policy object itself Which users will have the Group Policy apply
To understand this better, it helps to take a look at the default behaviors of a newly created GPO. When a new Group Policy is created, as in the example above, it inherits the access control list of its parent container, if applicable. When you’re working in a domain, the parent container of an organizational unit is the domain container. Organizational units, then, can be the parent containers of other OUs.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:30 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
FIGURE 6.9
233
The Group Policy Object Editor
Exam Tip Just like when dealing with NTFS, printer, or share level permissions, the Deny permission is a trump card of sorts. The Deny permission is stronger than the Allow permission. By default, the Authenticated Users group is granted the permission to Read and Apply Group Policy. This simply means that everyone who is able to log on successfully—provided their account lives in an OU where a Group Policy has been created—will have the Group Policy processed. You will use the following procedure to set permissions on a Group Policy object:
Travel Advisory This process is really not different than editing the ACL for an OU to decide who does what to the OU. The only real difference is that the Group Policy object does not include a handy Delegation of Control Wizard to help you through the process.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:31 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
234
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
1. Open Active Directory Users and Computers and select the domain container where the Group Policy you want to configure permissions for is linked. 2. Right-click and choose Properties, and then navigate to the Group Policy tab. Select the GPO you want to configure and click the Properties button. 3. The GPO Properties page includes the Security tab, where you set the permissions over the objects, as shown in Figure 6.10. There are several standard permissions to choose from, outlined in Table 6.1.
Delegating Control Over a GPO The bigger your Active Directory enterprise is, the further away you’re going to be from the daily tasks of administering users. As we’ve seen, some of the first tasks to be delegated away are things such as the adding of user accounts and the changing of passwords. But as the organization continues to grow, this delegation ability will eventually extend to your Group Policy objects. Fortunately, the same mechanism exists for the delegation of Group Policy control: the access control list. As you’ve just seen, the ACL defines who does
FIGURE 6.10
The Security tab of the GPO Properties
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:31 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
TABLE 6.1
Standard GPO Permissions
Permission
Significance
Full Control
Gives the user or group the ability to perform all administrative tasks over the GPO. This includes changing the permissions of the GPO and deleting the GPO itself. Allows a user or group to read the settings of the GPO. This permission is also required to apply the GPO, and is a default permission of the Authenticated Users group. Lets a user or group make changes to the settings of the GPO. Note that to make changes you also need the Read permission, because in order to make GPO edits, you must be able to read the GPO first. This standard setting lets a user or group add objects to GPO settings. This comes into play mostly when using the Software Installation settings, as users who associate software packages with a GPO are also adding child objects. More about the Software Installation settings in the next chapter. Inverse of Create All Child Objects, this permission allows removal of an object that may have been created for an OU. As the name implies, you need this permission to apply the Group Policy settings. This permission is also granted to the Authenticated Users group by default so that users who successfully log on have the policy settings apply.
Read
Write
Create All Child Objects
Delete All Child Objects Apply Group Policy
235
what to the GPO. There are three permissions you use to delegate control over the GPOs in your enterprise:
• • •
Permission to create Group Policy objects Permission to edit Group Policy settings Permission to link Group Policies
The significance of these three permissions is fairly self-explanatory by now, and the procedure for each looks almost exactly the same. In the interests of space and tree conservation, let’s take a look at how to delegate the editing of any particular GPO. Here’s how: 1. Open the Group Policy Object Editor. 2. In the console tree, right-click the icon or name of the Group Policy object, and then click Properties.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:31 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
236
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
3. Do any of the following: To add a user or group of users, click the Security tab, and then click Add. Type the name of the user or group of users, and then click OK.
• •
To give a user or group the ability to edit a Group Policy object, in the Permissions For Authenticated Users section, select the check boxes for the permissions you want to give. When you are finished, click OK.
•
If you do not want a policy to apply to a group or an individual user, under Permissions For Authenticated Users, clear the Allow check box for Apply Group Policy. When you are finished, click OK.
By delegating control over the settings of a GPO, a user is able to change the way a certain Active Directory container is administered without otherwise affecting the administrative structure of the Active Directory enterprise. Further, by associating many GPOs to a container, you can subdivide the settings other users can affect. User and Group Permission Interaction over Group Policy Objects If you’re familiar with NTFS and share-level permissions (they are briefly discussed in Chapter 5), you are aware that when access to an object is evaluated, the effective permission is the combination of the user and group permissions. That is, if a security group has the Change permission over an object, and a user has the Read permission, the effective permission for the user is Read and Change. This same behavior, by the way, also applies to Active Directory objects like organizational units and domains: permissions are cumulative.
Travel Assistance For a detailed discussion of user and group permissions, please see Mike Meyers’ MCSE/MCSA Windows Server 2003 Environment Certification Passport (Exam 70-290) by Eric Daeuber and Dan Newland (McGraw-Hill/Osborne, 2003). When evaluating the effective permissions to Group Policy objects, however, we need to shift, as the President would say, our paradigms. When evaluating effective Group Policy object permissions, the user-level permissions take precedence over any group-level settings for which the user is a member. For example, if a user is a part of a group that has the Read and Create Child Objects permission, but the user is granted the Read permission only, the effective permission would be the Read permission to the GPO.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:32 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
237
When you are creating a delegation strategy for your GPOs, also bear in mind that only members of the Domain Admins and Enterprise Admins security groups can grant the Write permission to a Group Policy object, thus giving the user the ability to edit the GPO. This means that even if you have delegated a high level of administrative privileges over an OU in your enterprise, that user will still not be able to delegate control over the GPOs she might create to manage that OU unless their account is added to one of the aforementioned groups.
Exam Tip This user-level primacy of Group Policy permissions makes the filtering of GPO scope easier to implement.
Planning Group Policy Using Resultant Set of Policy (RSoP) Whenever I taught Group Policy to students in Windows 2000 classes, I would invariably get the question, “How do you tell which Group Policy is configuring a particular setting?” The answer was, “You don’t.” True, there’s a tool in Windows 2000 which lets you see what Group Policies are effective for users, but that tool doesn’t tell you anything about what settings are being configured by a particular GPO. You still had to open each of the effective GPOs to try to determine the cause of the setting you were trying to troubleshoot. But that’s no longer the case with Windows Server 2003 because of a feature called the Resultant Set of Policy (RSoP). This new addition to Group Policy makes policy troubleshooting much easier than it was in the Windows 2000 Active Directory environment. Furthermore, you can use the RSoP engine to plan and test a set of GPOs before actual implementation. You might have noticed that I’ve referred to it as a engine, not a tool. That’s because at its heart, the RSoP is a reporter. You do not actually use the RSoP, but rather you use tools that are written for the RSoP query engine. This query engine polls existing policies, and also any potential planned policies, and then reports results of those queries to the various reporting tools. It is capable of polling policies based on site, domain, and organizational unit, as you might expect, and also the local policy effective for a domain controller.
Using the RSoP The RSoP has the capability of supplying details about all policy settings configured, including Group Policy settings from Administrative Templates, Folder Redirection, Internet Explorer, Security Settings, Scripts, and even Software Installation.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:32 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
238
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
As you now have learned, a user logging on can have multiple Group Policy objects applied to not only his user account, but to the computer at startup time as well. As you have also seen, these settings can sometimes conflict, and certain policies take precedence over others depending on a variety of variables. It can be confusing determining who got what setting from where. The RSoP will help you sort it all out. The RSoP reporting mechanism can be used in one of two modes:
• •
Planning mode Lets you simulate what would happen if you were to apply the settings in a GPO or group of GPOs to a computer or user. Logging mode Simply provides reportage about the existing policy settings, and is a wonderful troubleshooting feature for the reasons outlined above. It lets you quickly identify the effective settings for a computer and user, and where those settings came from.
It’s probably easier to understand the Resultant Set of Policy feature when we actually see it in action. The query engine relies on the use of the following three tools to extract meaningful results about how to best configure Group Policy, as discussed in the following sections. The RSoP Snap-in You can run an RSoP query on almost any object from within Active Directory Users and Computers using the following procedure. In the example, we’ll run a query on an OU. 1. In the console tree of Active Directory Users and Computers, right-click the organizational unit on which you want to run the RSoP. 2. From the context menu, choose All Tasks, and then click Resultant Set Of Policy (Planning). 3. This launches the Resultant Set of Policy Wizard, as shown in Figure 6.11. Using the wizard, you will have the options to simulate settings for an individual user, all users in a container, an individual computer, or all computers in a container. 4. The next few pages of the wizard can help you fine-tune the query, simulating changes to particular security groups. 5. When you’re done, click Finish on the summary page of the wizard. You might find the results a bit anticlimactic, however, in that there aren’t any results you can view—yet. You have created a query, but must use the RSoP MMC snap-in to actually view the results of your query. Fortunately, it will launch after
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:32 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
FIGURE 6.11
239
Running an RSoP query
your query has finished. You can also add the Resultant Set of Policy snap-in to any custom MMC. The RSoP snap-in will present you with a view similar to the Group Policy Object Editor. The difference is that the query will only show you configured settings, as shown in Figure 6.12. You can also use the RSoP MMC tool in logging mode as described earlier. Here’s how: 1. With the Resultant Set of Policy snap-in loaded into an MMC, right-click Resultant Set Of Policy node, and then choose Generate RSoP Data. 2. The Resultant Set of Policy Wizard launches. Click Next from the opening page. 3. From the Mode Selection page, choose Logging Mode | Next. (Note that you can use this tool for planning here without using Active Directory Users and Computers.) 4. From the Computer Selection page, specify the computer where to run RSoP, click Next, then do the same from the User Selection page. Click Next.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:32 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
240
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 6.12
The results of a query in the RSoP snap-in
5. The Summary of Selections page will let you review selections. Click Next to let RSoP finish processing the data. Then click Finish on the Completing The Resultant Set Of Policy Wizard page. 6. Now in the RSoP console tree, as shown in Figure 6.13, expand the newly created RSoP query to view the data. Notice that the logging data will help you identify what the effective setting is, and where that policy setting has come from. You won’t be tested on the mechanics of the RSoP Wizard, so I won’t chew up page after page taking you through all the permutations. Why and when to use the tool is what you need to know. Advanced System Information—Policy This tool is accessed through the Help and Support Center, but uses the same RSoP engine to turn out meaningful information. With the Advanced System Information—Policy tool, you can view a printable HTML report of Group Policy settings applied to the computer and the user currently logged on. In this way, it behaves much the same as the logging mode of the MMC snap-in, but presents information in a more user-friendly,
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:32 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
FIGURE 6.13
241
Viewing logging data with the RSoP snap-in
portable manner. There is no planning mode equivalent when using this RSoP utility. Here’s the procedure to generate an HTML report using the Advanced System Information—Policy tool: 1. From the Start menu, open the Help and Support Center. 2. Click the Tools link under the Support Tasks section. 3. Under the Tools section, expand the Help and Support Center Tools, and then click Advanced System Information. 4. In the Advanced System Information Details section on the right side, choose View Group Policy Settings Applied. 5. After processing, a report will be generated like the one shown in Figure 6.14. Scroll to locate the results that you want to view. At the bottom of the report, you’ll find the link that will let you save the report to an .htm file. This can help make the report available to a wider audience. Gpresult You can use Gpresult at the command line to produce a detailed report similar to the information generated by the RSoP MMC utility in logging mode. One possible reason you might select the Gpresult over the RSoP snap-in is that it lets you export query results to a text file for use in other applications. Here’s the syntax for the Gpresult utility: gpresult [/s Computer [/u Domain\User /p Password]] [/user TargetUserName] [/scope {user | computer}] [{/v | /z}]
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:33 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
242
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 6.14
Using the Advanced System Information—Policy tool to view policy settings
You can use Gpresult with the /s switch to specify the target computer on which to run the utility. The default computer the report will run on will be the local machine. The /u switch lets you specify a user other than the one currently logged on, and the /user switch, for example, would let you identify the name of the user whose RSoP information is to be displayed.
Group Policy Refresh Interval Active Directory domain controllers check for any changes to Group Policy objects and refresh Group Policy application every five minutes. Member servers running Windows Server 2003 and Windows 2000 Server, or client computers running Windows 2000 Pro and XP Pro, refresh their Group Policy settings every 90 minutes with a 30-minute random offset. This prevents all client computers from refreshing their Group Policy settings from domain controllers simultaneously, thereby keeping the network free of crippling amounts of Group Policy traffic. The refresh mechanism occurs by checking the version number of the GPO. Each time a setting is changed, the version number is incremented, and if a newer
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:33 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
243
GPO is found, it is requested from the client machine. Under most circumstances, you won’t have to spend any time worrying about Group Policy refreshes; they take care of themselves quite nicely. There is a way, however, to force an immediate refresh of Group Policy settings. The Gpupdate Utility Another command-line utility used to manage Group Policy objects is the Gpupdate utility. Gpupdate is used most commonly to force an immediate refresh of the Group Policy at a particular computer instead of waiting the default interval for a GPO to naturally refresh. This can be especially effective when making a change to Security settings that you want instantly applied. Also, the command utility is quite flexible in its application—it can be used to refresh both Active Directory as well as local Group Policy objects, and can refresh User settings only, Computer settings only, or both. This utility replaces and enhances the functionality of the Secedit /refreshpolicy utility used in Windows 2000. The Gpupdate utility is used with the following switches:
•
/target:{computer|user} Lets you specify that only Computer settings or current User settings get refreshed, depending on the switch used. By default, the Gpupdate processes both the computer settings and the user settings.
• •
/force Ignores all processing optimization settings for Group Policy Objects and reapplies all settings.
•
/boot Restarts the computer after the refresh has completed. This is required for Group Policy settings that do not process on a background refresh cycle but that do process when the computer starts up. A perfect use for this is when you have configured a new computer Software Installation policy.
/logoff Logs off after the refresh has completed. This is required for those Group Policy settings that do not process on a background refresh cycle but that do process when the user logs on. For instance, when you have configured a new Software Installation and/or Folder Redirection policy, the settings will not take effect until the user logs back on, thus the need for the switch.
Objective 6.02
A
Configure the User Environment by Using Group Policy
s mentioned at the beginning of the chapter, once you learn the fundamentals of Active Directory administration using Group Policy objects, the rest
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:33 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
244
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
of the discussion just looks at examples of what a GPO can do. Two of the uses of a Group Policy object specifically mentioned in Microsoft exam objectives include the enrollment of a user certificate and the redirection of special folders. Keep in mind, however, that these are just a few examples of what’s possible. You might see others specified on the exam; these two discussed here are likely candidates for a question or two. Generally, there are two ways to manipulate the end-user experience for Windows users: you can either change settings with the various applets in the Control Panel, or you can use the Administrative Templates setting when configuring Group Policies. When you edit the Control Panel, essentially you are editing the registry of the local machine. Changes made will apply either to all users of the machine or just a single user, depending on what configuration change is made. What’s more, the changes made via the Control Panel can be overwritten by a user with access to the Control Panel and with knowledge of what they’re doing (actually, knowing what to do isn’t necessarily a requisite for making the changes with the Control Panel, much to the bane of many a system admin). The advantage of using Group Policies is that the changes you make become a permanent part of the user desktop, and these changes can be configured on multiple computers at once. Conversely, changing Control Panel settings (and remember, when you do something like right-click on the desktop and choose Properties, you are really editing a Control Panel applet) is done on a computer-by-computer basis, and these changes can be undone by a user with knowledge of the Control Panel’s applets. In other words, in an Active Directory environment, typically you will be managing the end-user environment using Group Policy. The following sections look at some of the ways to effectively manage this environment.
Automatically Enroll User Certificates Another way a GPO can affect the end-user experience is when it is used to automatically enroll a digital certificate. These certificates can be used to positively identify users, computers, or sometimes applications in an open network. A common use of certificates is during Internet communication, when credit card or other confidential information must be passed over a public network. How do you know the computer you’re sending your credit card information to is who it claims to be? Through use of a digital certificate. Certificates present yet another way to positively identify users when accessing network resources. The end result is the same as though the user provided a username and password, yet the process can be automated with certificates.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:33 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
245
Before a certificate can be put to use, it must be requested and then enrolled. This enrollment process maps a digital certificate to the entity needing identification. Enrollment can be performed either manually or automatically through the settings of a Group Policy object. Certificates take advantage of a public/private key infrastructure. A public key value is bound to the user account, device, or application for communication with a server application service that holds the corresponding private key. The server application then uses public key technology to authenticate the user, app, or computer using this certificate. If authenticated, the account is logged on. Once the certificate has been enrolled, all of this authentication behavior occurs transparently to the end user.
Travel Assistance Another full chapter could be devoted to use of certificates, and is in other books. For a full discussion of user certificates, please see Mike Meyers’ MCSE/MCSA Windows Server 2003 Network Certification Passport (Exam 70-293) from McGraw-Hill/Osborne (2003). Combine this advantage with these: certificates can be widely distributed, issued by multiple parties, and furthermore can be verified by simply examining the certificate, without having to refer to a centralized database, like the Active Directory database. For instance, think of certificates the same way you think of drivers’ licenses (at least the way you think of them in the U.S.; I can’t speak with authority about how it works in other countries, but I’ll wager it’s about the same). Because the certificate is issued by a trusted party, you do not have to verify a person’s identity against the Department of Motor Vehicles’ database. The certificate issued is proof enough, because the certificate issuer is a trusted authority. However, Windows Server 2003, along with other operating systems and administration tools, is built to deal with accounts only, not certificates. The workaround is to create a mapping between a certificate and a user account. By doing so, administrators get the benefits of both certificates and user accounts. The operating system persists with its use of usernames and passwords, while access to additional resources in nonsecure networks can be accomplished with digital certificates. Group Policy objects can help automate this enrollment process. When setting up a GPO to automatically enroll certificates, you’ll need the following baseline information:
•
The certificate type you want the computers to automatically enroll for. Not every certificate can be enrolled automatically, as only certificate
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:34 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
246
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
types associated with computers, not users, can be enrolled automatically. Some examples:
• • • •
Computer certificates Internet Protocol security (IPSec) certificates Web server certificates The identity of the certification authority (CA) that is issuing the certificate
To aid in this setup, there is a list of predefined CAs to choose from. The CA selected must be capable of issuing a certificate of the type you have specified for automatic enrollment to occur. Here are the steps you’ll need to complete for automatic certificate enrollment: 1. Open Active Directory Users and Computers, or Active Directory Sites and Services, and locate the Group Policy object you want to edit. (Remember, you right-click the Active Directory container, and choose Properties, then select the Group Policy tab.) 2. From the GPOE, expand Computer Configuration | Windows Settings | Security Settings | Public Key Policies, and select Automatic Certificate Request Settings. 3. Right-click on Automatic Certificate Request Settings, and from the context menu, choose New | Automatic Certificate Request. 4. The Automatic Certificate Request Setup Wizard launches. Use the steps in the wizard to create an automatic certificate request for all computers for which the GPO will be effective. 5. You’ll get a warning right away that instructs you how to populate Active Directory with certificate templates. You need to complete this step by going to the Run menu and typing certtmpl.msc to continue.
Travel Advisory A certificate based on the selected template will be requested automatically after any of the following events: a user logs on, a GPO refreshes (including a restart), or a computer joins the domain and is subject to an existing GPO setting.
Redirect Folders Using Group Policy Windows Server 2003 now makes it easier to implement folder redirection for commonly used folders like My Documents, the Start menu, and Application
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:34 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
247
Data (which can include the Outlook data store, for example). With folder redirection, a user stores files on what they think is a local drive on their computer. Behind the scenes, however, these files are being sent to a network file server, where they can generally be more easily secured. Whether they are copied or moved to the redirected location is dependant on how you configure the policy behavior. Folder redirection is especially handy if you want to simplify a backup scheme for users’ working data. What’s more, it’s all transparent, so redirecting folders lets you accomplish this without educating users about where their data is stored. They can use the folders they are comfortable with—like My Documents—for their working data, instead of having to be educated about file servers, mapped network drives, and so forth. There are many additional advantages of folder redirection, including these:
•
If your network makes use of roaming profiles, only the network path to the My Documents folder is stored as part of the roaming user profile, rather than the entire contents of the My Documents folder. This is significant because the My Documents folder can become quite large. If it’s the place where users store music, for example, it can quickly reach several GBs in size. Using a roaming profile, the My Documents contents are copied back and forth between the client computer and the server each time the user logs on or off, thus slowing logon times sometimes by several minutes or more. When the folder is redirected, though, just the information about the path is sent and stored, and the logon times can be dramatically improved. (This is a common cause of slow logon times, and why I almost never recommend roaming profiles, except maybe for administrators.)
•
If you are not using roaming profiles and a user logs on from different computers, his or her documents in a redirected folder are always available because, while the profile does not roam, the GPOs will follow the user around.
•
Data that is stored in a shared network folder can be backed up as part of routine system administration. This is safer because it requires no action on the part of the user.
•
You can leverage the ability to set disk quotas on a file server (as long as the redirected location is on an NTFS drive), thus limiting the amount of space a user can commit to all those MP3 files.
•
You don’t have to redirect to a network folder. If you redirect to a different partition than the one storing the operating system, data is safer in the event the OS needs to be reinstalled.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:34 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
248
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Travel Assistance By the time you’ve got this book in your hot little hands, you should have seen and configured disk quotas. For instructions on disk quotas, please see Mike Meyers’ MCSE/MCSA Windows Server 2003 Environment Certification Passport (Exam 70-290) by Eric Daeuber and Dan Newland (McGraw-Hill/Osborne, 2003). The Windows Server 2003 implementation is easier because you no longer have to use variables such as %username% as part of the redirection path. (This variable uses the username when building the redirection path to the server.) Further, there is now an option for redirecting the contents of My Documents to a user’s home directory. Before Windows Server 2003, if administrators wanted to centralize backup, they would typically either redirect the My Documents folder or configure a home directory for a user, but not both. Now you can combine the two behaviors seamlessly into the end-user experience in environments where home directories are already deployed. If you have recently upgraded from a Windows NT 4 network, this might indeed be the case. Here is how to redirect the contents of the My Documents folder to a home directory: 1. Open Active Directory Users and Computers and select the container where you want to implement this redirection setting. This will normally apply to the domain container (to have it affect all users) or an OU (to affect specific users), but you may have it apply to a site as well. 2. From the Properties of the container, select the Group Policy tab and either edit an existing GPO or create a new one with a name like “Folder Redirect,” and edit its settings. 3. In the Group Policy Object Editor, expand User Configuration, then select Windows Settings | Folder Redirection | My Documents. 4. Right-click My Documents, and then click Properties. 5. As shown in Figure 6.15, you configure the redirection location from the Target tab. In the Setting section, select “Basic – Redirect everyone’s folder to the same location.” 6. Under the Target Folder Location, select “Redirect to the user’s home directory,” and then click OK. Close the Group Policy Object Editor when you’re finished.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:34 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
FIGURE 6.15
249
Redirecting folder location for My Documents
Travel Assistance You should only implement redirection to a home folder location if the network has already deployed home folders. You set the user’s home directory from the Properties pages in Active Directory Users and Computers. For more information about setting a home folder location, please see Mike Meyers’ MCSE/MCSA Windows Server 2003 Environment Certification Passport (Exam 70-290) by Eric Daeuber and Dan Newland McGraw-Hill/Osborne, 2003). Redirecting My Documents to a home folder location is an example of the control you have with folder redirection. Unfortunately, there is not room in this condensed format to explore all redirection settings in detail. It will be up to you to experiment with this until you get the gist of it. I want to point out one more thing before wrapping things up. You further manage the settings of folder redirection with the Settings tab in each folder’s Properties dialog box, as shown in Figure 6.16.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:35 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
250
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 6.16
Configuring the settings of redirected folders
Of interest here is the check box labeled “Grant the user exclusive rights to My Documents.” When you select this check box, only the user and the Local System account will have full control over the folder. All other users, administrators included, are denied access to the folder. (Administrators can still get in the folder if they want, but they have to take ownership first and edit the folder’s ACL.) If you clear this check box when you’re configuring the policy settings, no changes will be made to the permissions on the redirected folder, and any permissions currently set will remain in effect.
Restricting Group Membership with Group Policy You can also use Group Policies to control membership in certain Active Directory groups. One security hole that has been found in a number of audits is that the membership of some powerful groups, such as the Domain Admins or Server Operators, is not very well managed. Over time, users are added to groups like these as the people taking care of your network come and go. For example, it’s not uncommon for IT consultants to add themselves to the Administrators local group, or worse, the Domain Admins group, for purposes of tweaking a network’s computers.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:35 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
251
Once that consultant leaves, though, it takes a vigilant administrator to remember to take those temporary accounts out of the groups they were in, and any account that’s in the Domain Admins group is a potential security risk to your network. To combat this, you can use the Restricted Groups feature. With Restricted Groups, group membership is defined by a Group Policy, not by the Active Directory Users and Computers MMC snap-in. You can still put members in the Restricted Groups you’ve configured using Active Directory Users and Computers, but those members will be removed during a Group Policy refresh. Conversely, any members who might have been removed from the Restricted Groups with the Active Directory Users and Computers interface will be added. Here’s how you could enforce a Restricted Groups policy: 1. Open up the GPOE on the Group Policy for which you will define a restricted group. You will usually do this on the Default Domain policy. 2. Expand the Computer Configuration settings, then the Windows Settings, and then the Security settings. 3. Right-click on the Restricted Groups node and, from the context menu, choose Add Group. 4. In the Add Group dialog box, type the name of the group for which you will restrict membership, or click Browse to choose the name, and click OK. 5. Now that you’ve defined the restricted group, it’s time to add members to the group. To do so, perform one of the following:
• •
If you created a new group, click Add Members. If you are working with an existing group, select it in the Details pane of the Restricted Groups Group Policy node. Right-click, choose Properties, and then click Add from the Properties dialog box.
6. To add this group as a member of any other group, in the “This group is a member of ” section, choose Add, type the name of the group, and click OK. By configuring restricted groups for your enterprise, you can help close this significant security hole, which is found in most networks today. In fact, when you define this policy for the Administrators group, all members not defined in the Restricted Groups setting will be removed from the Administrators group when the Group Policy object is applied to the local computer.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:35 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
252
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
CHECKPOINT ✔Objective 6.01: Plan Group Policy Strategy
I’d estimate that a good 40 percent or so of the 294 test will in some way check your understanding of Group Policy objects, and the material in this chapter has laid the groundwork for that understanding. By the end of the review questions that follow, you should have a pretty clear picture of what Group Policies are used for, what Active Directory objects they can be linked to, the default processing order for Group Policy application, and which settings take precedence when Group Policy settings conflict during processing. Be aware of the inheritance behavior of Group Policy settings as they are applied through the Active Directory hierarchy. Also be aware of the many instances where exceptions to the default processing order might be made. You should see lots of test questions where settings will be configured or not configured for a user or a computer, and you’ll be expected to sort out why these settings have or have not been applied. To do this, you’ll need to draw on the knowledge gained in this objective.
✔Objective 6.02: Configure the User Environment by Using Group Policy
You should understand how to use utilities like Gpresult and Gpupdate to apply Group Policy settings without waiting for the default refresh interval, and how to generate reports on effective Group Policy settings using the Resultant Set of Policy tools. You should have a better understanding of some of the settings that can affect the end-user environment, and know where other settings could be configured from. Specifically, you learned a thing or two about redirecting special folders like My Documents and how to enroll user certificates using Group Policy management. In the next chapter, we’ll continue our look at what’s configurable with a Group Policy object. In fact, this chapter can accurately be concluded with these words: to be continued…
REVIEW QUESTIONS 1. You are administering a Windows Server 2003 domain. The head of the IT department does not want users in this domain to be able to access
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:35 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
the Run menu. You configure a Group Policy for the domain, but during testing of the GPO, you notice that members of the Legal department can still access the Run menu. Users in the Marketing department, however, do not have the Run menu. What is the likely cause of the problem? A. Policy inheritance has been blocked at the OU level for users in the Legal OU. B. The GPOs have not had time to refresh at the Legal department yet. C. Replication has not occurred for all domain controllers, and the Legal department is logging on at a domain controller that does not know of the new policy. D. Legal department users are using Windows 2000 Professional computers and must upgrade to XP Professional. 2. You have created a GPO in your organization for the purposes of distributing software to a group of software testers. Because the software used by this group changes so frequently, administering the GPO has become a time-consuming task. One of the users of the Software Testing OU is very familiar with the creation and maintenance of software packages, and you want to assign this user the ability to manage the software for his group. You also want to limit the administrative capabilities of the user to just software management. What is the best course of action? A. Add the user to the Domain Admins global group, and then edit the access control list of the Software Testing GPO. Give the user Full Control over the GPO. B. Use the Delegation of Control Wizard and grant the user administrative privileges over the Software Testing OU. C. Edit the ACL of the Group Policy object and grant the user Read and Write permissions on the GPO. D. Use the Delegation of Control Wizard and grant the user the Edit Software Settings permission for This Object Only over the Software Testing GPO. 3. You are the administrator for an Active Directory enterprise that consists of a single Windows Server 2003 domain. There are two sites and six organizational units. You have configured a set of Group Policy objects as follows:
•
At the domain, you have created a GPO that removes Internet Explorer from the desktop.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:35 AM
253
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
254
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
• •
At the Management OU, you have created a GPO that removes the Control Panel. You have filtered the GPO in the Management OU so that the Domain Admins group has the Deny Apply Group Policy permission.
•
At the Atchison site, you have created a GPO that removes the Run menu.
Which of the following statements are true regarding the desktop environment of your company? Choose all that apply. A. All users in the Management OU will have a desktop that does not have Internet Explorer, the Run menu, or the Control Panel. B. All users in the Atchison site will not have the Run menu or Internet Explorer. C. The Domain Admins will always have the Control Panel regardless of where they log on. D. Members of the Management OU located in the Atchison site, unless they are Domain Admins, will not have Internet Explorer, the Run menu, or the Control Panel. 4. Group Policy processing occurs in which of the following orders? A. B. C. D.
Global, local, organizational unit Local, site, domain, organizational unit Local, domain, site, organizational unit Organizational unit, site, domain, local
5. You log on to the domain from one of the computers in your enterprise in the context of a user account in the Marketing OU. You have earlier created a domain-level GPO that prevents all users from accessing the Run menu. Nonetheless, you are able to access the Run menu. What could be an explanation for this behavior? A. You’ve logged on to a domain controller, where for increased security, local policies are the effective policies. B. Members of the Domain Admins group are exempt from any restrictions set at the domain level. C. Your account is in an OU with a GPO linked to it that has the No Override setting. D. The computer is running the Windows 98 platform.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:35 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
6. You are the administrator for an Active Directory enterprise that consists of a single Windows Server 2003 domain. All computers are in a single office complex, and therefore you have configured only a single site. Users are organized by department into four organizational units. You have configured a set of Group Policy objects as follows:
• • • •
At the domain, you create a GPO that specifies a specific color scheme.
•
You configure the domain-level Color Scheme GPO with the No Override setting.
At the Management OU, you create a second color scheme GPO for Management users. At the Finance OU, you have created a GPO that removes Internet Explorer from the desktop. At the domain level, you create a GPO that specifies that users only have access to Add/Remove Programs in the Control Panel. You filter this GPO so that it does not apply to Domain Admins.
Which of the following statements are true about the user environment? Choose all that apply. A. Domain admins are able to access all applets of the Control Panel; other users are not. B. Finance users will be able to access Internet Explorer if they use a computer in the Management OU. C. Management users will have a different color scheme than the rest of the domain’s users. D. Users will be able to make color scheme changes to the desktop once they are logged in. 7. You have just delegated administrative control of your company’s Accounting department to the CIO and have created an OU for all accountants. The CIO wants to know how to prevent the removal of the domain policy that prevents users from running Internet Explorer. What do you tell the CIO? A. Block policy inheritance at the Accounting OU level. B. Enable the No Override setting on a new policy created at the Accounting OU. C. Enable the Loopback setting for the Accounting OU. D. Move the policy setting that removes Internet Explorer to the bottom of the list in the Group Policy tab for the OU.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:36 AM
255
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
256
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
8. Which of the following might be good reasons to implement a folder redirection policy? A. Files can be stored in a central file server location rather than at member computers in the domain. B. Folder redirection makes management of the My Documents location on Windows 98 machines easier because the default path of the My Documents folder is different on Windows 98 systems. C. Folder redirection makes backup of client data files more streamlined. D. Files can be always in the same folder for users who use different client machines. 9. You are the administrator for a regional company who has recently converged five Windows NT 4 domains into a single Windows Server 2003 domain. Each of the five domains is now an organizational unit, and you have delegated full administrative privileges to the NT 4 domain administrators over their respective organizational units. Several users call you from one of the OUs and complain that they cannot access many of the applets in the Control Panel. What utility should you use to diagnose the problem and generate a report that can be posted to an intranet Web site? A. B. C. D.
The Gpupdate command-line utility The RSoP MMC snap-in running in logging mode The Advanced System Information—Policy tool The Gpresult command-line utility
REVIEW ANSWERS 1.
The most likely cause here is that policy inheritance has been blocked at the Legal OU level. You could accommodate this by applying the No Override setting on the new domain GPO. Group Policies do apply to Windows 2000 Professional computers, so D is wrong. B is also incorrect because the refresh interval occurs at a random offset, and if refresh of GPO settings were the problem, we should expect it to affect computers in both departments equally. Answer C is a remote possibility, but only if the two departments were geographically isolated, and that is not indicated and therefore is not the most likely cause of the problem.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:36 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 6
CHAPTER 6 Planning and Implementing Group Policy
2.
The least permission necessary to edit a GPO is the Read and Write permission. To give the user this permission over the software GPO, this permission should be granted through the ACL of the object. There is no Delegation of Control Wizard available with an individual GPO, although answer D sounds good. The other two answers would grant the user more administrative leverage then necessary.
3.
Because of the filtering behavior, the Domain Admins group will always have the Control Panel no matter where they go. The GPO of the Management OU will not apply to them. The removal of the Run menu is a site setting, and will affect all users in the Atchison site. Also, members of the Management OU will have all GPO settings apply when logging on from the Atchison site: Site, Domain, and OU.
4.
The processing order for GPO settings is local, site, domain, OU. There are exceptions to whether settings actually get applied or not, but not to the default processing order.
5.
Only Windows Server 2003, Windows 2000, and Windows XP Professional computers have the ability to apply a Group Policy object.
6.
Because of the filtering, the policy that removes all but Add/ Remove Programs from the Control Panel will not apply to the Domain Admins. Management OU members will have the domain’s color scheme because the policy cannot be overridden. Group Policy manages the end-user environment, so unlike using a profile, the user cannot make changes while logged in.
7.
Show the CIO how to block policy inheritance for his Accounting OU. Remember, though, that this will prevent all GPOs from applying to the Accounting OU from levels higher in the processing hierarchy.
8.
All of these are good motivations for folder redirection. B is not a valid reason because Group Policies cannot affect Windows 98 machines, so folders would not be redirected if a domain user logged on from such a platform.
9.
The Advanced System Information—Policy tool will let you easily produce an HTML report that can be shared with any user with access to a Web browser. Gpupdate is used to apply Group Policy settings immediately, and the other tools mentioned are good for producing reports, but not in HTML format.
P:\010Comp\Passport\575-0\ch06.vp Tuesday, August 05, 2003 10:09:36 AM
257
This page intentionally left blank
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
Manage Software and Security Using Group Policy
7
ITINERARY
• •
Objective 7.01 Objective 7.02
•
Objective 7.03
Distribute Software Using Group Policy Configure Computer Security Settings Using Group Policy Troubleshoot Group Policy Application and Deployment Issues
NEWBIE
SOME EXPERIENCE
EXPERT
6 hours
3 hours
2 hours
259
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:40 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
260
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Once you have the basics down about Group Policy behavior, Security settings and Software settings are just two more examples of the capabilities that a Group Policy can be set to manage. If it sounds simple, stay tuned. There’s still quite a bit to learn about implementing both of these technologies. Each requires specialized knowledge that you’re sure to encounter on the 70-294 exam. This chapter will help you use Group Policy objects (GPOs) to configure a system’s security configuration, as well as deploy and manage software. This software managed with Group Policy can be made available to both users and computers in the Active Directory enterprise.
Objective 7.01
Distribute Software by Using Group Policy
I
n the preceding chapter, you were introduced to Group Policy and some of the settings configurable with a Group Policy object. If you followed along with the examples in Chapter 6, you already have a taste of the power of a Group Policy. Distributing software just adds to the scope of that power. This chapter is dedicated to yet another configurable setting of Group Policy: a software distribution policy.
Travel Advisory Remember that a GPO can only apply to a client operating system that’s compatible with Group Policy. This means you can’t deploy software to Windows 9x to NT 4 computers. If this is your goal, you might consider a Systems Management Server (SMS) installation, which can push software to down-level Microsoft clients. Further, your knowledge of SMS can be used as an elective in your pursuit of the MCSE certification. There are four stages of the software life cycle, each of which can be addressed through a Group Policy object:
•
Preparation The preparation stage looks at issues surrounding planning for software deployment and laying groundwork for deployment. These include the creation of a Windows Installer package (an .msi file, to be discussed in detail later in the chapter) if one has not shipped with the software product, and configuration of a network share for storage of the .msi file and the rest of the installation files. Sometimes, applications
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:40 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
261
will not ship with the newer Windows Installer package. You will also check for hardware and software compatibility in the software preparation stage.
•
Deployment This is the stage where the software is actually pushed to the target computer. The software can be configured to be installed no matter which user logs on, or to install upon the presentation of certain user credentials. Because the software is deployed using Group Policy, you have all the administrative flexibility afforded by Group Policies. All of the behaviors inherent in GPOs carry forward into the realm of software deployment. This means that software can be deployed to sites, entire domains, organizational units, or even individual computers at your discretion.
•
Maintenance Because the life cycle of a software product is everevolving, the GPO can be tailored to accommodate changes as the application matures. A perfect example of an evolving software product is the Windows operating system itself. Service packs are changes and updates to files that address security, stability, performance, and compatibility issues, and are released as improvements are made. Microsoft Office behaves in the same manner. As improvements are made to the code of a program, these improvements can be sent to computers via a Group Policy.
•
Removal The fourth stage in the software product life cycle is the removal of software. For example, if you are updating your office’s installation of Microsoft Office, you will most often replace the latest and greatest (by the time you’re reading this, Microsoft Office 2003) with what has preceded it (Microsoft Office XP, 2000, and so on). A user will rarely need both installations. Group Policies have the ability to both install and uninstall software. The only real caveat here is that for software to be removed through a Group Policy, it must have been installed with a Group Policy as well. And if a user does indeed need two versions of the same product, Group Policy can be configured to handle most instances of that situation, too. (Microsoft Outlook is one example of an application that won’t tolerate previous installations of itself on the same computer, but most applications will.)
At the end of the day, it’s all about automation. Software deployment with a Group Policy negates the need for administrators to complete the laborious, expensive, and tedious task of walking around from machine to machine, CD-ROM in hand, installing software at client computers. The automation of software
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:40 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
262
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
deployment, repair, update, and removal that are all available through Group Policy rely on an engine called Windows Installer.
Windows Installer Technology At the heart of the software deployment technology used by Group Policy is the Windows Installer. This technology was first employed in large scale with the rollout of Office 2000, and has been a part of every Microsoft software application ever since. There are two main components of Windows Installer:
• •
The Windows Installer service The Windows Installer package
The Windows Installer service installs and runs on every Windows 2000, Windows XP, and Windows Server 2003 machine as a part of operating system installation. The service facilitates automated installations, and also provides a mechanism to repair or change existing installations without user intervention. The service works behind the scenes to make sure that applications are properly installed and remain problem-free. It’s all a part of Microsoft’s lower TCO initiative.
Travel Advisory As you have no doubt experienced, you don’t have to use a Group Policy to take advantage of a Windows Installer package. You can also install directly from CD-ROM or any other distribution media. Some of the resiliency of the application is lost, however, when the distribution media is removed. A Windows Installer package (.msi file) does not actually install the program files. Rather, it is a miniature database of all the information and settings the Windows Installer service requires to install, repair, or even remove an application. Included in the information contained in an .msi file is the location of the installation files, as well as .ini and registry setting changes that may be needed at installation time. The .msi file is also referred to as the package file. Be aware, however, that the actual software installation package will usually include other supplementary files. When creating a software package for deployment, the Group Policy will search for .msi files. Without an .msi file, the package that a Group Policy will deploy cannot be created (there is an exception, actually, but we’ll get to that later). What’s more, this .msi file can be created, even in the case where one doesn’t ship with the application.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:41 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
263
Here are some of the benefits of a Windows Installer package:
•
Resilient software If an application’s critical files are deleted or otherwise damaged, the Windows Installer service reconnects to the software distribution point and replaces the file with a working copy (this is why the feature is less impressive when installed from a CD; you will have to search out the CD when the Windows Installer wants additional files). This reduces the amount of time an administrator must be at deskside performing application reinstalls.
•
Clean removal A common problem when removing software is that the deletion of one piece of software removes a file needed by another application. One of the services Windows Installer provides is that it keeps track of what files are needed by other applications. Any files critical to the operation of other applications are not removed. Files that the Windows Installer determines are no longer needed are then removed. This occurs for all applications for which the Windows Installer service has performed the installation.
•
Elevated security It’s not uncommon for an application to require installation in the context of a user account with administrative privileges. In a properly implemented Active Directory environment, users are rarely logged on with such administrative privileges. How to proceed? With the Windows Installer service, which runs in the context of the LocalSystem account by default. Again, this prevents the administrator from visiting deskside, logging on with an administrator account, and then performing the installation (and then, often as not, forgetting to log out, opening security compromises galore).
Sometimes, though, an application does not ship with an .msi file. This is especially true if you want to deploy older applications in your network. In such a case, you can create an .msi file for the installation with a third-party tool. You can also use a .zap file in conjunction with the application’s setup.exe installation program.
Use of the .zap File There are more applications out there than there are .msi files to help them install. Prior to Microsoft Office 2000, most applications, Office included, installed by launching the setup executable, setup.exe. Microsoft was aware of this fact at the time they wrote the Windows Installer code, and have accommodated the use of existing setup programs in Windows Installer deployments using a special file called a .zap file.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:41 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
264
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
The .zap file gets its name from its file extension—.zap—and it is simply a text file you can create with any ASCII editor and a little know-how. Notepad, for example, will do just fine. The .zap file is really quite a bit similar to the .msi file in that they both contain information about the program and how it will be set up. For example, a typical .zap file will contain the name of the setup program, the name of the application, any file extensions to be associated with the application, and other parameters used by the setup.
Travel Assistance For an example of a .zap file, please see the Microsoft Windows Server 2003 Resource Kit, at www.microsoft.com/MSPress/ books/5555.asp. Don’t get the wrong idea: package creation is preferred when it is at all possible. There are several drawbacks when comparing .zap files to their more evolved relative, the .msi package:
•
.zap files cannot be assigned to users, only published. You can only publish a software package created with a .zap file, which limits several options you have when deploying the package. Specifically, it prevents you from making software installations mandatory.
•
.zap files are not self-repairing. They’re a dream when installing software for the target user, but once the application has installed, it’s on its own. You lose the benefit of a software package repairing itself when a corrupted file is detected.
•
.zap file installations usually require user intervention. While .msi packages can install the program sometimes before the user ever sees the desktop, the same is not true of a package created with a .zap file. The .zap file’s job is to summon the setup executable, and usually the user needs to provide some kind of input to complete installation. The only possible exception is if the application is configured to install in completely unattended install mode, usually with an /unattend switch following the setup executable.
•
.zap files can’t install using elevated privileges. Another significant benefit of the .msi package is the use of the LocalSystem account, which is not used by packages created with a .zap file. In other words, when using an .msi file, the Windows Installer service actually performs the install, not the user. When a .zap file is used, it calls the setup.exe file, which runs in the context of the user currently logged on. If the user does not have
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:41 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
265
an account with the proper rights, the install fails, defeating the purpose of automating software deployment.
Exam Tip As always, remember that the Group Policy can only be deployed to computers that support GPOs. Clients such as Windows 98 or NT 4 will have to have software deployed through alternate means.
Creating an .msi File It’s been mentioned that one of the options you have when an application does not ship with a Windows Installer file is to create one of your own. In most cases, this will be preferable for software deployment over the use of a .zap file for the reasons just listed. There are several third-party tools and applications that will help you repackage an existing application and create the necessary .msi file for software deployment through Group Policy. One of these is a utility called WinINSTALL LE, from the Veritas corporation. The process of repackaging an application is quite involved and should be configured with two computers. Only a general overview will be given here. It is not the purpose of this book to give instructions on repackaging applications, but rather, for testing purposes, to point out that it is possible and identify what tools are used.
Travel Assistance There is a 98-page white paper from Microsoft called Windows Installer: Benefits and Implementation for System Administrators that, among other things, outlines the many variables of the application repackaging process. One line that stands out: “The amount of time, money, and labor needed to repackage applications is often underestimated.” In other words, seek out applications that already have Windows Installer files if possible. To use WinINSTALL LE, do the following: 1. Prepare a Windows 2000 Professional or Windows XP Professional computer by installing just the operating system. This machine will serve as the reference computer and should not have any other software installed. 2. Prepare a network installation folder for the purpose of holding the new Windows Installer package and any supporting files. This is the
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:42 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
266
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
location users will connect to install the application, or will be the location used by Group Policy to find the deployed application. 3. Install the WinINSTALL LE utility on a second machine. Using this second machine, you will take a “before” image of the reference computer’s configuration. 4. Now that you have the “before” image, proceed with the installation of the application you want to repackage using a normal installation routine. 5. After application installation, use WinINSTALL again to take an “after” image of the reference computer. This image will scan the system for any settings changes, and will use this information to build the repackaged application to the network location along with a new Windows Installer file. It is also recommended by Microsoft that when you make use of repackaged applications you do so by running them on computers that have identical hardware and software. This can improve the reliability of repackaged software. Some common causes of failed installation or poor functionality of repackaged applications can be traced to differences in the platforms that receive them, such as:
• • • • • •
Systems that are all running the same operating systems, but differ in the optional operating system components installed Service pack version Windows 2000 Professional and Windows 2000 Server Windows XP Professional and Windows Server 2003 Different versions of shared components, such as Internet Explorer Different versions of other installed applications, such as Microsoft Office
Travel Advisory Repackaging applications into the Windows Installer format has limitations and might not be supported by every application manufacturer. You should check with each application manufacturer for additional information and recommendations. Now that you know about a few of the files you might encounter when creating software packages, there are a few terms you must be familiar with that define how the packages are deployed.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:42 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
267
Application Advertisement It’s a term that sounds a little strange when used in the discussion of application deployment, but it’s nevertheless one which you must understand. When an application is advertised to a user, it is not physically installed, but a shortcut appears in the Start menu. When a user clicks on the application’s shortcut, the installation actually occurs. Applications can also advertise themselves in the Add/Remove Programs section of the Control Panel. A user opening this applet would see a special section where all published applications will be listed. Any applications the user selects are automatically installed from the installation share. This installation share is specified on each and every software package created. You can streamline the installation process by defining a single network location for all software packages, and then setting the default software installation location to this directory.
Setting the Software Installation Default Location Before we get started creating software packages, know that there are several default settings that affect how applications are deployed, managed, and removed. Some of the choices you set with these default options will affect the dialog boxes you see as you create the software packages, so let’s look at how to set these options now. Additionally, you need to make sure that the software to be deployed is available on the network. You will do this by setting up a software distribution point, which is simply a network share that will hold the packages you create (the .msi files) along with the program files and any associated files such as transform (.mst) files. This share can then be configured as the default software installation location, which will streamline the package creation process. You can even take advantage of the distributed file system (DFS) in the creation of your distribution points, adding the benefits of load balancing and fault tolerance to your application management. After you share out this folder to the network, you should verify that users who will be getting the software can read from the distribution point. They will need the Read permission to read the information in the software package, as well as the files necessary for installation. The default software installation settings are set from the Properties dialog box of the Software Installation node in a GPO. These options will affect the global properties of all new software packages created, and can be set differently
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:42 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
268
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
for User settings than for Computer settings. Follow these steps to configure the default settings: 1. To access these global settings, open the Group Policy Object Editor snap-in, and under either Computer Configuration or User Configuration settings, select Software Settings. 2. Right-click the Software Installation node, then choose Properties. You set the default software installation options from the General tab, as shown in Figure 7.1. 3. In the Default Package Location field, type or browse to the software distribution point. 4. In the New Packages section, set the behavior for new package creation: Display The Deploy Software Dialog Box This gives you the option of publishing or assigning when you create the package, and should be selected for the examples to follow.
• •
Publish This will set the default package creation option to publish the application. This option will be shaded out under the Computer Configuration section, because applications can only be published to users, not computers.
FIGURE 7.1
Configuring default software distribution options
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:42 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
•
269
Assign This will assign the package created by default with standard package properties. Publishing and assigning are discussed next.
5. There are two Installation User Interface Options: Basic Provides only the base display of install process. Maximum To treat your users to a show, choose Maximum, which will display all installation messages and screens during the installation.
• •
Travel Advisory When you create a new software package, the Open dialog box shows all .msi packages located at the software distribution point that you specify as the default. As you start looking at software deployment, it’s important that you understand the difference between assigning an application and publishing an application. Choosing whether to publish or assign is a decision that must be made at package creation time, and it affects how the software is distributed.
Publishing When you publish an application, you are making it available to the users the Group Policy affects, but the application is not automatically installed. That is, no shortcuts are visible on the desktop or from the Start menu, and no changes are made to the local registry on the computer the user is logging on from. So how does the user even know about the application’s existence in the first place? Through Active Directory. Published applications store their advertisement attributes in Active Directory. This means that information about the application is exposed to the user account, enabling that user to install the application either through the Add/Remove Programs applet or by opening a file that’s associated with the application. Both of these features are discussed in the following section. The advantage of publishing an application is that it lets users have more control over the programs that are installed on their computers. A user installs only applications they need in order to work with the files they are trying to open, or applications they selectively install through the Control Panel. Here’s how you publish an application to a user: 1. Open Active Directory Users and Computers, navigate to the OU where you want to create the software installation Group Policy, right-click, and choose Properties.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:42 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
270
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
2. From the Group Policy tab, open the Group Policy Object Editor for the Group Policy you want to configure. 3. Under the User Configuration node, expand Software Settings, and then select Software Installation. 4. Right-click the Software Installation node, and from the Details pane, choose New | Package, as shown in Figure 7.2. 5. In the Open dialog box, click the Windows Installer package to be published, and then click Open. 6. In the Deploy Software dialog box, click Published.
Exam Tip You do not publish applications to computers, only to users.
Publishing Considerations When publishing software to users, the application is not actually installed until the user invokes installation. There are two ways this happens:
•
File invocation When a user opens a file that’s associated with the deployed software package, installation of the program occurs
FIGURE 7.2
Creating a new software package
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:43 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
271
automatically. By using document invocation instead of having the application already installed on the computer’s hard drive, you conserve disk space and also network bandwidth. Applications are installed on an ad hoc basis rather than having every user get every application installed all at once. For example, if a user who had the Excel spreadsheet application published to their account then opened a file with the .xls extension, Excel would be installed from the network software distribution location. Compare this to what might happen to network performance if all users connected to the distribution point first thing in the morning to install Excel.
•
Add/Remove Programs in the Control Panel If an application is published to a user account, it is listed in a special section of the Add/ Remove Programs utility. This listing can sometimes be subdivided into groups of software categories, and will contain all the programs the user is able to install based on Group Policy settings. This also lets a user selectively install just the applications they need to get work done, and reduces unnecessary use of disk space and network bandwidth. Once a user selects an application, Windows Installer performs the software installation on behalf of the user, so additional privileges are not needed.
Assigning When you assign a software package with a Group Policy, you have the choice of assigning to either a computer or a user, as discussed separately next. The general idea behind application assignment is that it makes software installation mandatory. You can implement package assignment to make sure that a user always has a certain application available no matter where they go, or so that a particular computer or group of computers always has a consistent software environment. For example, you assign software when you want all systems in the office to have the same installation of Office. First, let’s examine the significance of assigning software to a user.
To Users When you configure a Group Policy to assign an application to a user, the application is advertised to that user (or group of users, as will more commonly be the case) with a shortcut on the Start menu the next time the user logs on from a computer capable of processing a Group Policy object. The application is not, however, actually installed until the user either uses the application the first time or opens a document whose file extension is associated with the application.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:43 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
272
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
As mentioned above, the real advantage of this is that the application advertisement follows the user, no matter what physical computer he or she actually uses (again, as long as the system is compatible with Group Policy). For instance, suppose you want all users in your company’s Sales department to have Microsoft Access installed because this database application is the front end for a database full of product and customer information. Furthermore, all users in the Sales department are kept in a single organizational unit. When you modify a Group Policy object linked to the Sales department to assign that department the Access application, Access is advertised on the Start menu of every computer a member of the Sales OU uses. Again, this doesn’t necessarily install the application. If a user in the Sales department used a company laptop simply to check e-mail, Access would not be installed even though a shortcut would be placed on the Start menu. If the user of this same laptop were to open an .mdb file, or click on the Start menu shortcut, Access would then install. Additionally, it is possible for a user to delete an application that’s been assigned to his or her account. However, the assigned application is advertised again the next time the user logs on, and, just as before, installs the next time a user selects it on the Start menu. Here’s what to do to create a software package for assignment to a user: 1. Open Active Directory Users and Computers, navigate to the OU where you want to create the software installation Group Policy, right-click, and choose Properties. 2. From the Group Policy tab, open the Group Policy Object Editor for the Group Policy you want to configure. 3. Under the User Configuration node, expand Software Settings, and then select Software Installation. 4. Right-click and choose New | Package. 5. In the Open dialog box, navigate to the Windows Installer package for the software you want to deploy, and click Open. 6. Now, from the Deploy Software dialog box, choose Assigned, as shown here, and then click OK.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:43 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
273
To Computers When you assign an application to the computer, the application is advertised in the Start menu of the computer and the installation happens automatically when it is safe to do so. Usually “safe to do so” means that installation occurs as the computer starts up. It will take a bit longer to be presented with the logon screen, but this ensures there are no competing processes on the computer when the application is installed.
Exam Tip The preceding leads to an important point when applications are assigned to computers: they are installed when the Group Policy is applied, not just advertised, as they are to users. This distinction can be an important one to make come exam time. Here are the steps necessary to assign an application to a computer. In the following example, I’ll demonstrate how to create a package that will apply to an organizational unit, but keep in mind that you can create a software distribution policy that will affect any of the Active Directory container objects where you can apply Group Policy: 1. Open Active Directory Users and Computers, navigate to the OU where you want to create the software installation Group Policy, right-click, and choose Properties. 2. From the Group Policy tab, open the Group Policy Object Editor for the Group Policy you want to configure. 3. Under the Computer Configuration node, expand Software Settings, and then select Software Installation. 4. Right-click and choose New | Package.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:43 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
274
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
5. In the Open dialog box, navigate to the Windows Installer package for the software you want to deploy, and click Open. 6. From the Deploy Software dialog box, choose Assigned, and then click OK.
Travel Advisory Now that I’ve demonstrated it three times, I’m going to assume you know how to navigate to the Software Installation node in a Group Policy. Henceforth, the directions are implicit; you’ll just be directed to the Software Installation node.
Upgrading Existing Software Packages You can also configure the behavior of a software package to update any existing software applications. Here’s how you configure the package to upgrade software: 1. Choose the appropriate Group Policy, and navigate to the Software Installation node. Create a new software installation package, choosing whether to publish or assign the application. This package will serve as the upgrade of an existing application. 2. Once the new Windows Installer package has been configured, rightclick the package that will be the upgrade, choose Properties, and then choose the Upgrades tab. 3. Click Add from this dialog box to create or add to the list of packages that you want the current package to upgrade, as shown here.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:44 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
275
4. From the Add Upgrade Package dialog box, in the Choose A Package From section, you can configure one of the following:
• •
Choose a current Group Policy object (GPO). Choose a specific GPO by clicking Browse, and then clicking the Group Policy object that you want to upgrade.
5. Review the list of packages under Package To Upgrade, which lists all of the other packages that are assigned or published within the selected Group Policy object. 6. Choose the existing package that you want the new package to upgrade, and then make one of these selections: To replace an application with a completely different application, choose “Uninstall the existing package, then install the upgrade package.” This removes all files from an existing application, and is most commonly used to replace a product from one vendor with a product from another.
• •
To install a newer version of the same product while retaining all user-specific settings the user has configured, choose “Package can upgrade over the existing package.” This would preserve the custom dictionary and AutoCorrect options, for example, when upgrading from Office 2000 to Office 2003.
7. Click OK to close the Add Upgrade Package dialog box. The last selection on the Upgrades tab is optional. You can make the upgrade package a mandatory upgrade by selecting the “Required upgrade for existing packages” check box. Mandatory Upgrades This last point of the preceding instructions merits a bit more discussion. You can make upgrades mandatory. This means, as the moniker would imply, that the deployed application will completely replace any and all existing application files. This occurs because of an uninstall that takes place when you configure the mandatory upgrade with the check box seen in the previous exercise. Any time you leave this selection unchecked, the upgrade is an optional upgrade. By default, application upgrades are optional.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:44 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
276
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Exam Tip If you are configuring an upgrade from the Computer Configuration settings, the “Required upgrade for existing packages” check box is automatically selected and is also unchangeable because packages will be assigned to the computer, not published. Therefore the upgrade will be installed on the computer automatically.
Creating a Package Modification You can also customize a Windows Installer application through Group Policy’s support of software modification. Such software modifications, known as transforms, allow for the deployment of several configurations of the same piece of software. The modifications are performed with a transform file. This file has an .mst extension, and is used in combination with an existing Windows Installer package. In other words, no .msi, no .mst. For example, you can use a transform file to deploy Microsoft Word to make sure users in one part of the globe receive the English dictionary, and users in other parts get the Spanish dictionary. In this case, you would create an .mst file for each dictionary, and furthermore create separate GPOs to deploy the Word software package with their separate .mst files. These transforms allow you to transform the original package using authoring and repackaging utilities. Some applications even provide wizard-based tools that permit a user to create these transform files.
Exam Tip A transform file (.mst) can only be employed before the application package is deployed. The transform is applied to the package at the time of assignment or publication, and the changes the file specifies are carried out at application installation. Once the software has been installed on a user’s machine, it cannot be changed using an .mst file. Here are the steps necessary to deploy a Microsoft transform file to modify the properties of an application deployment: 1. Open the Group Policy Object Editor and expand either the Computer Configuration or the User Configuration settings, and then the Software Installation node. 2. Right-click Software Installation, select New, and then click Package. 3. In the Open dialog box, choose the Windows Installer package you want to modify, and click Open.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:44 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
277
4. In the Deploy Software dialog box, click the Advanced selection, and then click OK. 5. In the Properties dialog box for the package, navigate to the Modifications tab, as shown in Figure 7.3. Once there, perform any of the following actions:
• •
To add modifications, click Add. In the Open dialog box, browse to the transform file (.mst), and then click Open. To remove modifications, on the Modifications tab, click the modification that you want to remove, and then click Remove. Repeat this step until you have removed each modification that you do not want.
6. When you are sure that the modifications are configured exactly how you want them, click OK.
Travel Advisory When you click OK, the package is assigned or published immediately. If the modifications are not properly configured, you will have to uninstall the package or upgrade the package with a correctly configured version.
Maintain Installed Software by Using Group Policy Instead of upgrading a software package, you might find it easier just to reinstall the application on the user’s machine. By redeploying the software, you cause a reinstallation. This method of upgrading software is preferable if you have changed a software package without changing the application’s name, have added or removed files from the package, included a patch or hotfix, added shortcuts, changed registry settings, or have changed an existing package in any other way. To make sure that all users have the updated software, you will likely choose to redeploy the package. Using this method, you can incorporate more comprehensive changes to the application than are typical when simply modifying or upgrading an existing package. When doing so, you should create a new Windows Installer file with a name that is an exact match as the existing package, and then store the file in the same location as the original. As long as the version and the package name are identical, the application, even though it has been modified, is considered to be the same piece of software. The package can then be redeployed as needed.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:44 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
278
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 7.3
Configuring modifications for a Windows Installer package
Here’s what you’ll do to redeploy a software package with included changes: 1. Open Active Directory Users and Computers and then open the Group Policy Object Editor that contains the software deployment settings you want to change. 2. Expand either the Computer or User configuration to the Software Installation node where the original package was created. 3. Right-click the original package, and from the context menu choose All Tasks | Redeploy Application. 4. Close the Group Policy Object Editor to save your changes to the Group Policy object. 5. Click OK to close the container’s Properties dialog box, and then close Active Directory Users and Computers. Not only do the applications in your network need to be prepared for, deployed, and maintained, they also need to be removed when they no longer effectively serve the needs of the computing environment.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:45 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
279
Software Removal In the life cycle of a software application, installation is only part of the picture. Applications can be upgraded once installed, as we have just seen, and they can be removed. Group Policy also provides a mechanism to remove software packages once they have been deployed. As with upgrading software packages, there are two choices you have when removing:
•
Optional This allows the user to continue using the software. The application will no longer appear in the list under Add/Remove Programs in the Control Panel.
•
Mandatory As suggested by the name, mandatory removal is forced removal, where files are deleted from the computer’s hard drive. If the package was assigned to the computer, the application is removed the next time the computer restarts.
These software removal settings are configured with a dialog box that presents you with two selections as you configure the removal. Here’s how: 1. Open the Group Policy Object Editor, and navigate to the software package you want to remove. 2. In the Details pane, right-click the application, choose All Tasks from the context menu, and then click Remove. 3. In the Remove Software dialog box, shown here, choose one of the radio buttons to specify the removal method:
•
To have the application removed the next time a user logs on or restarts the computer, choose “Immediately uninstall the software from users and computers.”
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:45 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
280
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
•
To allow users the option to continue using the application if they have already installed it, click “Allow users to continue to use the software, but prevent new installations.” If users have previously removed the application, or if they’ve never installed it, it will not be available for installation anymore.
Exam Tip Once the decision has been made to configure an optional or mandatory removal, you cannot reverse course. The package will be removed from the Group Policy object. If a user decides to leave an optional application on his or her system, you cannot later force the removal, as the software package will no longer exist in the GPO.
Additional Deployment Considerations There are two other deployment considerations worth mentioning so that you’re not tripped up by an exam question that mentions them. If you rightclick on a software package assigned or published to users, you can access these two options from the Deployment tab, as shown in Figure 7.4. Here there are two check boxes you can enable independently. They are
•
Uninstall this application when it falls out of the scope of management This option mandates that the application will automatically be removed if and when the Group Policy object no longer manages its deployment. For example, if there were applications assigned to a computer in one OU, and that computer then moved to another OU, the application would uninstall since the GPO that managed the software deployment no longer applied to that computer.
•
Install this application at logon This option is new in Windows Server 2003, and therefore is a good candidate for subject matter on the exam. Selecting this check box will install the application using package defaults. Normally, an assigned program would just advertise itself, but the option will perform the entire install before the user gets the desktop.
When you configure the software settings of a Group Policy object, you’re only dealing with a single node in the Group Policy Object Editor. That might make it seem like something that’s easy to manage, but as you have just seen, there’s still quite a bit to learn about the underlying technology before you start creating and deploying software packages. Remember, this is a condensed presentation, optimized for purposes of getting you only the information essential
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:45 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
FIGURE 7.4
281
Advanced deployment options
for exam success. Real-world application of software distribution with a Group Policy will likely require more study. Now we turn our attention to an area of Group Policy that, configuration-wise, is the polar opposite of software deployment: Security settings. Instead of a single node to configure, there are instead multiple security nodes in the Group Policy Object Editor, and collected in each of these nodes are potentially hundreds of individual Security settings that influence the behavior of your system. However, the actual configuration of an individual Security setting is very straightforward, and the impact on security behavior is often self-evident, as you are about to see in the next objective.
Objective 6.02
Y
Configure Computer Security Settings Using Group Policy
et another example of the settings a Group Policy can be used for is the Security settings. There are several areas of the computing environment that
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:45 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
282
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
can be secured with Group Policy’s many settings. All of the security areas can be accessed from the Windows Settings in each of the User and Computer Configuration nodes, as shown in Figure 7.5. They include:
• •
Account Policies The settings that apply to user accounts, including password, account lockout, and Kerberos-related settings.
•
Event Log These settings can be set to define the properties of the Application, Security, and System logs in the Event Viewer, along with access rights to each log file and retention settings.
•
Restricted Groups This node can be used to govern group membership. One significant security hole found in research performed by Microsoft was that users, especially in larger environments, would be added to groups and then never removed. This also applied to former administrators: the person would leave the company, but the account would remain, leaving a security hazard to the domain. With Restricted Groups, you can control the membership of groups like the Administrators, Power Users, Print Operators, and Domain Admins through Group Policy settings. Configuring Restricted Groups ensures the group memberships are set as specified by the editor of the Group Policy, and are not subject to change.
•
System Services These settings are used to configure the startup behavior of services running on a computer. The configurable startup settings include automatic, manual, and disabled. They also define what user accounts will have permission to read, write, delete, start, stop, or execute the service.
• •
Registry The registry settings are used to configure security on specific registry keys.
•
Wireless Network Policies These settings allow you to create and manage wireless network policies. A wizard interface will help you create each policy. They can be used to define what wireless networks a system can communicate with by using a wireless network number known as a service set identifier (SSID).
Local Policies These settings are based on the computer you are logged on to, and affect the abilities a user has over that system. The local policies settings include audit policies, user rights assignments, and security options.
File System The file system settings are employed to configure security on specific file paths. The access control list (ACL) to a file or folder is set through a Group Policy.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:45 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
283
• •
Public Key Policies These settings are used to define encrypted data recovery agents, domain roots, and trusted certificate authorities.
•
IP Security Policies The settings here are for configuring secure IP traffic. You can use this area to set encryption rules for inbound and outbound traffic, and also specify particular networks or individual computers your system can communicate with. Much like the software restriction policies, IP Security policies are exception-based, configured by either accepting or rejecting traffic based on a set of conditions. The different permutations of IP Security polices if virtually infinite. There are three editable, preconfigured policies to help you on your way: Server, Client, and Secure Server. To configure a GPO with an IP Security policy, right-click on the policy and choose Assign.
Software Restriction Policies These policies let you manage what software can run on a particular machine. This can be an important security level if you are worried about users downloading and running untrusted software in your network. For example, you can use these policies to block certain file type attachments from running in your e-mail program. Software restriction policies are set by first configuring a default security level of Unrestricted, which allows all programs to run within the context of the user currently logged on, or Disallowed, which does not allow programs to run. You then set up rules that provide exceptions to default security level. These rules can be based on hash algorithms or certificates, both of which are used to uniquely identify software. Other rules include path rules, which potentially let users use software if it is located in a specific directory or registry path, or Internet Zone rules, which identify software from a certain zone specified through Internet Explorer.
As you can see, there are hundreds of settings possible that will affect the security of a system or a network. Memorizing all of these settings is an impossible task and would not be helpful for purposes of the exam. Notice, however, that I said memorize. You still need to be familiar with some of the configurable settings. Each of the Security settings could have several pages or even entire chapters of material explaining the various purposes of the settings here. Alas, that is not the purpose of this book, and there simply aren’t enough pages available in the Passport series books to cover each of the Security settings in exhaustive detail. When I mentioned in the previous chapter’s introduction that it would be in your best interest to experiment with some of the settings in a test environment, this is why.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:45 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
284
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE 7.5
The multitude of security-related settings. And these are just the computer-related settings!
Of special importance are the software restriction policies, as they are another new feature of Windows Server 2003, and Microsoft doesn’t want folks with a thorough knowledge of only Windows 2000 to be able to sit down and breeze through the Windows 2003 stuff. It is important that you recognize the types of settings that help define the security environment and understand the tools used to quickly analyze and apply many of these Security settings all at once. The three tools provided that help you do this are the security templates, the Security Configuration and Analysis utilities, which are MMC snap-ins, and the Secedit command-line utility, as explained in the sections to follow.
Security Templates A security template is a single file that stores a series of security-related settings. It’s a physical representation of a security configuration. By storing several security-related settings in one file, you can use this file to quickly apply tens, if not hundreds, of Security settings all at once. The tool used to view and alter these template files is called the Security Templates MMC snap-in. With this tool, you can painlessly alter existing security
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:46 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
285
templates or create new ones. You do not use the utility to create new Security settings, but rather take existing settings and create new configurations of these settings. These configurations are then stored in text-based .inf files. This organization of Security settings can go a long way toward streamlining administration.
Exam Tip There are a couple of exceptions to what can be contained in a security template. IP security and public key policies cannot be set with a security template. To use the Security Templates MMC, you must first add it to an existing MMC console or create a new one. To do so: 1. Click Start | Run, type mmc, then click OK. 2. From the File menu, choose Add/Remove Snap-in. 3. In Add/Remove Snap-in dialog box, click Add. 4. In the Available Standalone Snap-ins window, click Security Templates, choose Add, click Close, and then click OK. As shown in Figure 7.6, you will now have the ability to access the predefined template files,
FIGURE 7.6
The predefined security templates
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:46 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
286
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
which are stored in the path identified in the Security Templates root node: systemroot\security\templates. 5. In the File menu, click Save, and give the new MMC console a name. It will then be added to your list of Administrative Tools. Once you define and/or modify security templates, they can then be imported into a Group Policy object to ease domain and OU security administration. Once imported, any computer accounts or user accounts in the site, domain, or OU where the template has been applied will then receive the security settings defined in the template. Windows Server 2003 includes a collection of preconfigured security templates you can use to rapidly establish a baseline of security settings. The predefined security templates are based on the roles computers play in a computing environment. The roles that these templates configure can be divided into three common security levels:
•
Compatible (compat.inf) The compatible template is used to enable development of new applications to a standard security level in the Windows Server 2003 environment, while still allowing existing legacy applications to run under a less secure configuration. Because of its inherent security limitations that allow for maximum compatibility, it should not be applied to domain controllers, and also should not be imported into either the default domain policy or the default domain controller policy.
•
Secure (secure*.inf) The secure templates configure recommended Security settings for areas except file, folder, and registry key settings. They are commonly used to apply a range of password, audit, and account lockout policies that are much more secure than the default settings used after operating system installation.
•
Highly Secure (hisec*.inf) The highly secure templates enforce all of the Security settings the secure templates do and add even tighter security standards. They impose restriction on data that travels between clients and servers, including use of encryption as part of the communication equation. Further, they employ restricted groups to remove all members of the Power Users group, and to ensure that only Domain Admins and the local Administrator account are members of the local Administrators group.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:46 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
287
Exam Tip Computers configured with highly secure templates may make communication impossible with down-level Windows clients, such as Windows 95 and 98 computers. You’ll note also that there are certain templates, such as the Setup Security (Setup security.inf) template, that act as the “reset button” on security for a given system. The effective settings in the Setup Security template can vary from computer to computer, and represent the default Security settings applied during operating system installation. Other templates such as the System Root Security (rootsec.inf) are used to apply security to just a very specific area of the computer, in this case the permissions for the root of the system drive. It would be used if you were concerned that permissions on the root drive had been altered, and you wanted to hit the “reset button” for the root permissions. Additionally, these predefined templates can serve as a good starting point when creating new templates. For example, you might like the Security settings of the Secure Domain Controller template (securedc.inf), only with a few modifications of the password policies. You can make the needed changes to just the password policies, and then save the changes to a new template file. You will use the predefined security templates to complete the following security tasks based on the needs of your system:
• • • •
Reapplying default settings Implementing a highly secure environment Implementing a less secure but more compatible environment Securing the systemroot directory
Travel Assitance For a detailed breakdown of what the predefined templates can do, type the following help file link into a browser of a Windows Server 2003 system (or you could type it into the Run dialog box): ms-its:C:\WINDOWS\Help\sceconcepts.chm::/ sag_SCEdefaultpols.htm. For example, the Setup security.inf template allows you to reapply default Security settings. This template is created during setup for each computer and must be applied locally. You should not apply the predefined security templates without testing first, as some of the Security settings in the more secure templates
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:47 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
288
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
can make a Windows Server 2003 machine incompatible with other Windows operating systems that do not support the same security features.
Creating and Modifying Templates You can create a new security template to best suit the needs of your organization, or, to save time and effort configuring many of the hundreds of Security settings, use one of the predefined security templates. Before making any changes to your Security settings, though, you should understand what the default settings of your system are and how they influence behavior. Here’s what to do to start creating your own security templates: 1. Open the Security Templates MMC snap-in. 2. In the console tree, right-click the default path folder (systemroot\security\templates), and choose New Template. Give the template a name and optional description, and then click OK. 3. You now have an unconfigured security template you can start modifying. In the console tree of your new template, expand the template to display the security policies, and navigate to the Security setting attribute you want to modify. 4. In the Details pane, right-click the Security setting and choose Properties from the context menu, or simply double-click the setting. 5. From the setting Properties dialog box, select the “Define these policy settings” check box, and make any desired changes to the setting. As shown here, you see how to make audit policy a part of the new template. Click OK when you’re finished.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:47 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
289
Yet another way this tool can be used is to change existing templates. To do so, just expand one of the preconfigured templates and make changes according to the steps outlined above. When you’ve made the necessary tweaks, right-click on the name of the policy and choose Save As from the context menu. You will then be given the Save As dialog box, which will by default open to the same location where the predefined templates are stored, as shown in Figure 7.7. Give the modified template a name, and it should now show in the Security Templates MMC utility.
Importing a Template into a GPO Now that you know how to create and modify security templates, it’s time to actually put them to use. You can use these collections of settings by applying the template file to a Group Policy object. This is the feature that allows the templates to do their magic. Here’s how to import a template into a Group Policy object. In the example, I’ll apply a template to a domain-linked GPO, but the method will be the same no matter what GPO the template is imported to: 1. Open Active Directory Users and Computers, and right-click the domain node. From the Properties dialog box, click the Group Policy tab, and then select the Group Policy to which you want the template applied. Click Edit.
FIGURE 7.7
Saving a modified template
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:47 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
290
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
2. Expand the Computer Configuration settings, then select the Security settings. Right-click, then choose Import Policy. 3. In the Import Policy dialog box, select the template you want to import. By default, the dialog box will open to the default template location of systemroot\security\templates. 4. And…that’s really it! You can force an immediate refresh of the new Group Policy security settings using the Gpupdate utility, as seen in Chapter 6, or you can wait for the default refresh interval. A reboot will also do the trick. Now the time spent fine-tuning the security templates has paid off. But before you leave this objective, there is still another important tool that will let you try out the security templates before putting them into play in the production environment. It’s called the Security Configuration and Analysis tool.
Travel Advisory Exercise caution when applying templates in a production environment. When you apply a policy, it will remove all existing Security settings, replacing them with the settings stored in the template file. This can cause problems in the network, as settings that are too low will put data at risk, and settings that are too high can make the network impractical for most users.
The Security Configuration and Analysis Tool This MMC utility is a powerful tool that lets you analyze Security settings, view results, resolve any discrepancies between an expected and an actual security configuration, and finally apply those configuration changes to the local machine. The analysis part of the Security Configuration and Analysis tool works by building a database of Security settings and then comparing the local Security settings of the computer against the database of settings built by the utility. The configuration part of Security Configuration and Analysis uses the database of Security settings to rapidly apply the settings to the system. How are the databases of Security settings built? With the template files— both the ones already on the machine in the systemroot\security\templates folder
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:47 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
291
and the custom templates you configure with the Security Templates utility. Remember that the templates are merely text files full of Security settings, and just like almost any other database tool, Security Configuration and Analysis can use these kinds of files to populate the entries of a database table. As you can see, the Security Templates and the Security Configuration and Analysis tools work hand in hand. There’s even another cool way these two utilities work in harmony, as you will see later in the section. Therefore, it’s not uncommon to have both MMC snap-ins loaded into the same console. To add the Security Configuration and Analysis MMC snap-in to a console, follow the same procedure as you did when adding the Security Templates utility, only choose the Security Configuration and Analysis tool, of course.
Configuring System Security The Security Configuration and Analysis utility performs a series of complex analysis and configuration procedures to your machine, but the tool itself is not that difficult to learn. What’s more, you don’t really need to, as there are instructions in the Details pane that will help you use this tool for the first time. Your first order of business when using this tool, however, is to set a working database of Security settings. Until this step is completed, the Security Configuration and Analysis utility really isn’t capable of much. Here are the steps you’ll follow: 1. In the Security Configuration and Analysis snap-in, right-click Security Configuration and Analysis and choose Open Database. This will be your working database of settings that will be either analyzed or applied. 2. Name the database, and then select the security template you want to apply to the database. You can use any of the preconfigured templates or one you have created. Click Open. 3. You won’t see anything change except the instructions in the Details pane of Security Configuration and Analysis. However, something important has occurred, at least as far as the utility is concerned. You now have a database of settings you will use for comparison or application (that is, analysis or configuration). 4. To analyze the system with the template’s database of settings, rightclick the Security Configuration and Analysis root node and then select
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:47 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
292
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Analyze Computer Now. Verify the error log location and click OK, and analysis begins, as shown here.
When the processing is complete, any discrepancies between the local computer settings and the database settings will show up marked with a red “x,” while settings that match will show as a green check mark. Figure 7.8 shows you what to expect when performing the analysis. Settings that do not have either the red “x” or the green check mark are not configured in the database you just created with the template. You can then resolve discrepancies between the database settings and the computer settings if you want. You do this by double-clicking on the settings and
FIGURE 7.8
Results of a security analysis
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:48 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
293
selecting whether or not to define the setting in the database, as shown in Figure 7.9, and furthermore adjusting the setting to best suit your needs. You can also repeat the process and import multiple templates. The database will merge the many different templates to create one composite template. Any conflicts encountered will be resolved by having the last setting imported become the effective database setting. When you are satisfied with the settings in the database, you can apply the settings by right-clicking the Security Configuration and Analysis root node as before, and then choosing Configure Computer Now from the context menu. Set the error log path and click OK. Now, with the Security Configuration and Analysis tool, you’ve just made potentially hundreds of Security setting changes to the local machine with a few clicks of the mouse.
Travel Advisory When you apply the secure or highly secure templates, communication attempts that do not conform to the rules of the template are rejected, and some of these connection and encryption technologies are not even available on Windows 9x or NT 4 systems. To ensure compatibility with these operating systems, you should use either the Compatible or Setup security template. Also note that when using the Security Configuration and Analysis tool, you are applying local Security settings. If this does not produce the results you expect, it could be because the Security settings are being overwritten by site, domain, and organizational unit policies, according to the Group Policy processing statutes that were outlined in the previous chapter.
Exporting a Security Template Another handy feature of the Security Configuration and Analysis tool is the ability to save a database of Security settings to a new template file. This way, you can take a database of carefully adjusted settings and save them for later use when configuring the Security settings of Group Policy objects. Further, you can later redefine these settings using the Security Templates tool, using the two utilities to take Security settings back and forth as often as you please. To export a security template: 1. Open the Security Configuration and Analysis console, and right-click the root Security Configuration and Analysis node.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:48 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
294
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
2. If you have created a security database by importing multiple templates, you can save the database settings into a separate template file. To perform this task, choose Export Template from the context menu. 3. The Export Template To dialog box appears, by default set to the same location as the other security templates. Give the file a descriptive name and click OK. 4. Now you should see that template added to your list of manageable templates in the Security Templates console. If you don’t, right-click the templates folder and choose Refresh from the context menu.
Using Secedit The Secedit command-line utility does pretty much everything the Security Configuration and Analysis tool does, only from the command line. Its advantage is that you can use the Secedit command in the syntax of a batch file or configure it as a scheduled task to automate the creation and application of security templates. Secedit usefulness is most evident when you have multiple computers on which security must be analyzed or configured, and these tasks must be performed without user intervention, including security analysis during off-hours.
FIGURE 7.9
Defining a Security setting in the database
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:48 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
295
The utility is used with the following switches:
•
/analyze Analyzes Security settings, working almost exactly the same as the Analyze Computer Now selection when using Security Configuration and Analysis.
• • •
/configure Configures the local computer using the settings stored in a database populated with a security template.
• •
/validate
/export Lets you export the settings in the configuration database to a template file. /import Allows for importing of a template file into a security configuration database, which can then be used to analyze or configure a local system. Validates the syntax of a template that will be imported.
/generaterollback A very useful feature, this switch generates an “undo” or rollback template. The rollback template can be used to configure the system with the Security settings it had before configuration with another template.
Objective 6.03
Troubleshoot Group Policy Application and Deployment Issues
F
ollowing are some common problems when installing software with a Group Policy object and their possible solutions:
Problem
Resolution
Application cannot be installed.
Commonly, this is a problem with the permissions of the network share where the application package is stored. You should first ensure that the network location is in fact available by establishing a connection (you could use UNC syntax to do this: Start | Run | \\servername\sharename), and then check permissions. The permissions required for a user to install an application are the Read permission on the share, and the NTFS permission Read and Execute on the directory itself. Further, the Read and Execute permissions are required on every file that is a part of the package, not just the Windows Installer (.msi) file.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:48 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
296
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Problem
Resolution
Applications do not appear on the user’s desktop.
You should use RSoP or the Gpresult utility to check the way the application was deployed. If the application was assigned to the user, the shortcut for the application should appear in the user’s Start menu, as assigned applications advertise themselves. If the application was published, however, the application will be installed either from the Add/Remove Programs applet in the Control Panel or via document invocation. If the application does not appear in the Add/Remove Programs section of the Control Panel, it is possible that either the Group Policy object has been filtered for this user (or a group the user is a part of), or was deployed to another Active Directory container than the one you expect. Yet another possibility is that the settings of a Group Policy have been blocked by a child-level organizational unit. You should check the ACL for the Group Policy object to see if any filtering behavior has been configured, and check the properties of the organizational unit to see if inheritance has been blocked. There exists a possibility that when applications are repackaged using third-party software as described earlier in this chapter, the Windows Installer file created might not work properly. If during repackaging the application did not install certain files on the hard drive of the source system, these files will not exist in the package created. If these missing files do not exist in the target computer’s hard drive, the application may not work properly after it is deployed. To correct this, you should repackage the application again, adding the necessary files to the application. This is also likely a repackaging issue. When repackaging an application, the period between the “before” snapshot and the “after” snapshot is crucial. If changes are made to the source computer prior to the “after” snapshot that includes the removal of files, this can cause the package to also include instructions to remove files as well. If the wrong files are removed, other applications may stop functioning. To fix this problem, you should repackage the application, making sure that any file deletion references are not included during the creation of the Windows Installer package. This is mostly due to Group Policy problems, and requires a thorough knowledge of the Group Policy processing behaviors discussed in Chapter 6. Remember that when conflicts occur in Group Policy processing, the last setting processed will become the effective policy by default. You should also keep in mind all of the possible exceptions to the default processing behavior.
Deployed applications do not work properly after installation.
Package installation removes other files.
Applications are not deployed at all.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:48 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
Problem
Resolution
When attempting to edit a Group Policy object, you receive the “Failed to open the Group Policy object” error. When trying to edit a GPO, you receive a “Missing Active Directory Container” error.
This usually is due to a networking problem, specifically, a problem with the Domain Name System (DNS) configuration. Because Group Policy objects are stored in the Active Directory database, and Active Directory requires the presence of DNS to resolve domain resources, you will not be able to locate Active Directory–based GPOs without DNS. To resolve this problem, you should verify that DNS is configured and working properly. This error occurs when Group Policy attempts to link a Group Policy object to an organizational unit that it cannot find. The organizational unit might have been deleted, or it might have been created on another domain controller but not replicated to the domain controller that you are using. To resolve the problem, limit the number of users who can make structural changes to Active Directory, or who can edit a Group Policy object, at any one time. Allow changes to replicate before making changes that affect the same organizational unit or Group Policy object. The client computer has not been restarted. In order for assigned software to be installed on the client computer, the system must first reboot.
Software you have assigned to a computer has not been installed on the computer. Group Policy is not taking effect on the local computer. The user opens an already installed application, and Windows Installer starts. A user receives error messages such as “Active Directory will not allow the package to be deployed” or “Cannot prepare package for deployment.”
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:49 AM
As discussed in Chapter 6, local Group Policies are the weakest. Any Active Directory–based policy can overwrite them. Check to see what Group Policy objects are being applied through Active Directory and if those Group Policy objects have settings that are in conflict with the local settings. An application might be undergoing automatic repair, or a user-required feature is being added. There is nothing you need to do to correct and/or prevent this behavior.
The package might be corrupted, or there might be a networking problem. You might want to consider redeploying the package using the procedure outlined previously. You should also investigate the possibility of network problems and take appropriate action.
297
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
298
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Travel Assitance For more information about DNS, please see Appendix C at the back of this book, or pick up Mike Meyers’ MCSE/MCSA Implementing a Windows Server 2003 Network Infrastructure Certification Passport (Exam 70-291) by Walter Glenn, Mike Simpson, and Jason Zandri (McGraw-Hill/Osborne, 2003).
CHECKPOINT ✔Objective 7.01: Distribute Software Using Group Policy
All right, flash card time. Here are the word associations I’d like you to have in mind when sitting for the Microsoft exam:
• • • • • • •
.msi Microsoft Installer file, used for creation of software packages. .zap File used in conjunction with programs that do not have an .msi file. .mst Microsoft transform, used to modify an existing .msi deployment. Assign Automatic software installation, used for computers and users. Publish Optional software installation, used only for users, not for computers. Security Templates Use this tool to make changes to security template files, which in turn can be imported into Group Policy objects. Security Configuration and Analysis Use this tool to apply wholesale Security settings changes to a machine, or to analyze the effects of a template before it’s used to configure a system.
✔Objective 7.02: Configure Computer Security Settings Using Group Policy
You can also configure a wide range of Group Policy settings that affect the security behavior of the computer. These settings include password policies, which have been discussed previously, audit policies, and user rights assignment. And that is just the tip of the iceberg. Because the number of Security settings is so extensive, it can sometimes be difficult to remember exactly what has been set, and then take that configuration and port it to other systems in the network. You should also understand how security templates are used to address this concern; how they store multiple Security settings in a single file that can be used to configure
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:49 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
299
the Security settings of GPOs throughout the domain. You should also understand how to use the Security Configuration and Analysis tool to quickly analyze the potential impact of a security template, and how to apply the settings of that template to the local computer. You should also know how to take the settings defined with Security Configuration and Analysis and use them to populate a new security template file.
✔Objective 7.03: Troubleshoot Group Policy Application and Deployment
Issues Finally, Microsoft will expect you to know how to troubleshoot Group Policy application when things don’t go according to plan (of course, since computers just take instructions, it could be argued that things don’t go according to plan because of a bad plan). Most of this troubleshooting skill will be acquired as a result of your experience with Windows Server 2003 and, more specifically, Group Policy objects, but it will also draw heavily on how well you understand this awesome administrative technology.
REVIEW QUESTIONS 1. You are the administrator for a Windows Server 2003 domain that is divided into four separate sites. One of these sites is dedicated to testing new hardware and software before they are rolled out into the production network. You are considering a software modification to an existing installation of Microsoft Word XP that was deployed with a GPO, and now want to deploy changes to the application via an .mst file. What should you do since the application has already been deployed? A. Recreate the Software Installation package to include the .mst file, then assign the package to all computers in the site. B. Edit the existing GPO to add the .mst file. C. Create a new GPO for the .mst file and deploy the new software package to users. D. Edit the GPO so that it includes a .zap package to point to the new .mst file. 2. You are the administrator for a medium-sized organization whose users and computers are organized in a single Active Directory domain. One of your junior administrators informs you that he has edited an existing GPO that will force the removal of an accounting application for all users of the OU. However, you visit some of the users in this OU’s department, and note that the application was not removed from
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:49 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
300
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
some computers. On other computers in the OU it was. What is the likely cause of the problem? A. To force removal of an application, the GPO needs to be configured at the domain level. B. The computers in question were filtered through the Properties pages of the GPO. C. The users have also been added to the list of OU administrators by the junior admin for the OU; admin computers are exempt from software removal policies. D. The users reinstalled the application by using the Add/Remove Programs utility in the Control Panel. 3. You need to deploy an update to an existing word processing application to take advantage of newly released security measures. The new version is compatible with the files created with the old version, and you want the upgraded version to replace the old version. You do not want users to be able to use the old software once the upgrade has been deployed. How should you handle this? A. Configure an optional upgrade, then configure a software removal policy for the domain. B. Configure the upgrade to stop if it detects a previous installation of the application. Then manually uninstall any necessary installations. C. Configure an optional upgrade and then create an .mst file that will make the .dll files for the existing application inoperable. D. Configure a required upgrade. Have the upgrade uninstall the previous version of the software. 4. A purchasing manager is asking you for recommendations concerning two new accounting software applications. One comes with an .msi file, the other is installed using setup.exe. What can you tell the purchasing manager about the deployment advantages of the application with the .msi file? Choose all that apply. A. You are able to assign the application to both users and computers. B. You will be able to publish the application to individual computers. C. The application will be automatically repaired should critical files become corrupted or deleted. D. You will be able to gather detailed information about how often the program is used.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:49 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
301
5. Which of the following is true about the features of a .zap package? Choose all that apply. A. .zap files are used to deploy software applications to down-level clients such as Windows 98. B. .zap packages can be used to deploy down-level software applications without .msi files. C. Packages built with .zap files can be used to configure registry settings and shortcuts. D. .zap packages can be used to install an application even though the user logged in may not have the rights to do so. 6. You are administering the Security settings for a group of Windows Server 2003 computers in your domain’s Research organizational unit. There are two tools that will let you quickly generate analysis reports and will even let you automate this task. Which are they? A. B. C. D.
Secedit Replmon Security Configuration and Analysis Security Templates
7. You have just installed a new software package on your Windows Server 2003 that, for auditing purposes, runs in the context of a user account. Your company presently has a Security setting in the Domain Group Policy that requires users to change passwords every 60 days. Not coincidentally, this just happens to be the time that the application fails, until you run over and change the password of the account that the application uses. What’s the best way you can avoid this problem? A. Configure the account so that the password does not expire. B. Place a user account in the Account Operators built-in group and delegate the task of resetting the application account password to that user. C. Configure the application so that it uses the Administrator account. D. Configure a local policy on the computer where the application runs so that account passwords never expire. 8. You are administering a network with a mixture of Windows Server 2003 along with some Windows NT 4 servers running legacy applications. You configure all the Windows Server 2003 machines to use the highly secure template using the Security Configuration and Analysis MMC snap-in. You receive calls almost immediately after you do this, saying
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:49 AM
Color profile: Generic CMYK printer profile Passport MCSE/MCSA Windows Server Composite Default/ screen
302
2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
that users of Windows 9x and NT 4 workstation computers cannot connect to the Windows Server 2003 machines anymore. They can still connect to the network’s NT 4 servers. How will you address the situation? Choose all that apply. A. Add the highly secure template to the Windows 9x and NT 4 workstations. B. Upgrade the Windows 9x and NT 4 workstations to Windows XP Professional. C. Give all users administrator-level access to the servers configured with the highly secure template. D. Remove the highly secure template from the Windows Server 2003 systems by reapplying the Setup Security template.
REVIEW ANSWERS 1.
To deploy an application modification, all that is necessary is a change to the existing GPO that performed the deployment. Add the .mst file to the package, and it will modify the application it governs.
2.
The likely reason here is that the computers have been filtered from the scope of the OU with an edit of the Security tab of the GPO’s Properties page. All other answers are not likely and/or are false statements about the behavior of software configuration settings of a Group Policy.
3.
To accomplish your goals, you need to configure a required upgrade for all users, and also configure the GPO to uninstall the previous version of the application.
4.
Using a Windows Installer file to deploy the software package, you gain several important advantages. You can assign the application to both users and computers, and files that become damaged or are missing are automatically replaced. You cannot publish to a computer, only a user. The software metering feature, while available through Systems Management Server, is not a setting configurable through a GPO.
5.
.zap files are used to create software installation packages without the benefit of an .msi file. Packages created with .zap files also have the ability to configure shortcuts and registry settings. Because they are created with a Group Policy object, they cannot be used to deploy software to Windows 98 clients, or any other clients not Group Policy–aware. Answer D is wrong because the Windows Installer
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:49 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows CompositePassport Default /screen
Server 2003 Active Directory Certification Passport / Culp / 222575-0 / Chapter 7
CHAPTER 7 Manage Software and Security Using Group Policy
mechanism cannot run the setup program for an application with elevated privileges. 6.
The two tools that will let you analyze security on a Windows Server 2003 are the Security Configuration and Analysis and Secedit tools. Both can be used to analyze Security settings based on a database of settings built with a template file. Further, the Secedit tool allows for automation of the task because it can be called from the Task Scheduler or from within a batch file. Replmon and Security Templates, while fine utilities in their own right, do not have this ability.
7.
This is the easiest way to reach a solution for this problem. Answer B would work, but it requires much more effort than answer A. C is incorrect because the Administrator account would also need to change its password because of the domain policies in place. D is wrong because the local policy would be overridden by the domain policy.
8.
The highly secure template configuration is only supported for communication only between Windows XP/2000/2003 machines. B would be a solution, albeit a potentially expensive one. D will also work, but of course you would then lose all the secure configuration options that were applied in the first place. The Setup Security template does support communication with Windows 9x and NT 4 systems. A is incorrect because these computers do not support security template configurations. Answer C is also incorrect because the user logged on does not impact the communication channel required between server and client. It is also never a good idea to give users Administrator privileges indiscriminately.
P:\010Comp\Passport\575-0\ch07.vp Tuesday, August 05, 2003 10:17:50 AM
303
This page intentionally left blank
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix A
About the CD-ROM
A
Mike Meyers’ Certification Passport CD-ROM Instructions The CD-ROM included with this book comes complete with MasterExam. The software is easy to install on any Windows 98/NT/2000/XP computer, and must be installed to access the MasterExam feature. To register for the second bonus MasterExam, simply click the link on the main page and follow the directions to the free online registration.
System Requirements The software requires Windows 98 or higher and Internet Explorer 5.0 or above and 20MB of hard disk space for full installation.
Installing and Running MasterExam If your computer CD-ROM drive is configured to AutoPlay, the CD-ROM will automatically start up upon inserting the disk. From the opening screen you may install MasterExam by clicking the MasterExam button. This begins the installation process and creates a program group named LearnKey. To run MasterExam, use Start | Programs | LearnKey. If your CD-ROM drive does not have AutoPlay configured, select Start | Run, click Browse, select the CD-ROM drive, and click the LaunchTraining icon to launch your CD-ROM.
MasterExam MasterExam provides you with a simulation of the actual exam. The number of questions, type of questions, and the time allowed are intended to be a representation of the exam environment. You have the option to take an open-book exam (including hints, references, and answers), a closed book exam, or the timed MasterExam simulation.
305
P:\010Comp\Passport\575-0\appa.vp Tuesday, August 05, 2003 10:19:24 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
306
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix A
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
When you launch the MasterExam simulation, a digital clock will appear in the top-center of your screen. The clock will continue to count down to zero unless you choose to end the exam before the time expires.
Help A help file is provided through the Read Me link on the main page in the lower-left corner. Individual help features are also available through MasterExam.
Removing Installation(s) MasterExam is installed to your hard drive. For best results for removal of programs, use the Start | Programs | LearnKey | Uninstall options to remove MasterExam.
Technical Support For questions regarding the technical content of the MasterExam, please visit www.osborne.com or e-mail
[email protected]. For customers outside the United States, e-mail
[email protected].
LearnKey Technical Support For technical problems with the software (installing, operating, or removing installations), please visit www.learnkey.com or e-mail
[email protected].
P:\010Comp\Passport\575-0\appa.vp Tuesday, August 05, 2003 10:19:24 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix B
Career Flight Path
B
The Microsoft Windows certification program that you will be joining when you take your 70-294 exam includes an extensive group of exams and certification levels. Passing the Windows Server 2003 Active Directory exam is all that is required for Microsoft’s baseline certification—the Microsoft Certified Professional (MCP). Microsoft’s premier certification is the Microsoft Certified Systems Engineer (MCSE), and the 70-294 exam is a core requirement for this certification.
Core MCSE Exams There are seven exams that every MCSE candidate must pass. These exams test your knowledge of Windows Server 2003 and include four required Networking System exams that every candidate must take, a Client Operating System exam, and a Design Exam. You can choose between exams to fill the Client Operating System and Design exams, but you must complete one for each category. Additionally, you will be required to pass one Elective exam.
Networking Systems Exams The four required exams on the Networking Systems are
• • • •
70-290 Managing and Maintaining a Microsoft Windows Server 2003 Environment 70-291 Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure 70-293 Planning and Maintaining a Microsoft Windows 2003 Network Infrastructure 70-294 Planning, Implementing, and Maintaining a Microsoft Windows 2003 Active Directory Infrastructure
307
P:\010Comp\Passport\575-0\appb.vp Tuesday, August 05, 2003 10:18:44 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
308
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix B
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Core Elective Exams At this point you can begin to customize your MCSE to your personal areas of expertise. For both the Client Operating System and the Design Exam requirements, you choose one exam. For the Client Operating System requirement, you can choose between:
• •
70-210 Installing, Configuring, and Administering Microsoft Windows 2000 Professional 70-270 Installing, Configuring, and Administering Microsoft Windows XP Professional
Travel Advisory For those who opted to take the 70-240 exam, Microsoft Windows 2000 Accelerated Exam for MCPs Certified on Microsoft Windows NT 4.0, you have met the MCSE exam requirement for 70-210. For the Design requirement, you can choose from the following exams:
• •
70-297 Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure 70-298 Designing Security for a Microsoft Windows Server 2003 Network
Travel Advisory You’ll see these two exams in the next section listed as electives, as well. These exams can count once each as either a core design exam or as an elective choice.
Elective Exam With the core Client Operating System and Design exams you are not given much choice, but with the last elective exam, you can really customize your MCSE around your interests and knowledge. Microsoft currently offers eight exams to choose from:
• •
70-086 Implementing and Supporting Microsoft Systems Management Server 2.0 70-227 Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition
P:\010Comp\Passport\575-0\appb.vp Tuesday, August 05, 2003 10:18:44 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix B
APPENDIX B Career Flight Path
• • •
70-228 Installing, Configuring, and Administering Microsoft SQL Server 2000, Enterprise Edition
• • •
70-297 Designing a Microsoft Windows Server 2003 Active Directory and Network Infrastructure
309
70-229 Designing and Implementing Databases with Microsoft SQL Server 2000, Enterprise Edition 70-232 Implementing and Maintaining Highly Available Web Solutions with Microsoft Windows 2000 Server Technologies and Microsoft Application Center 2000
70-298 Designing Security for a Microsoft Windows Server 2003 Network 70-299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network
Upgrade Paths Microsoft offers upgrade paths for those holding MCSE credentials on either Windows NT 4.0 or Windows 2000. These paths allow the MCSE to credit previous exams toward the requirements for the Windows Server 2003 credential.
Windows NT 4.0 Upgrade Options If you are an MCSE holding an NT 4.0 credential, you are given credit for the Elective exam requirement by simply having the MCSE credential on NT 4.0. However, to upgrade to a Windows Server 2003 level, you still must complete the following:
• •
All four of the Networking Systems exams (70-290, 70-291, 70-293, and 70-294).
•
For the Design requirement, either a Windows 2000 design exam or a Windows Server 2003 design exam must be passed.
For the Client requirement, either 70-210 or 70-270. If you’ve already passed either of these exams as part of your previous certification path, you will receive credit for this requirement.
Windows 2000 Upgrade Paths If you currently hold a Windows 2000 MCSE certification you have the option of taking either two Networking Systems exams (70-292: Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified
P:\010Comp\Passport\575-0\appb.vp Tuesday, August 05, 2003 10:18:44 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
310
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix B
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
on Windows 2000, and 70-296: Planning, Implementing, and Maintaining a Microsoft Windows Server 2003 Environment for an MCSE Certified on Windows 2000) or the full four exams as listed above (70-290, 70-291, 70-293, and 70-294). For the Client exam requirement, you’re already in good stead as your Windows 2000 credential required that you pass either 70-210 or 70-270. The same goes for the Design requirement. The Design exam you passed to obtain your Windows 2000 credential now counts toward your Windows Server 2003 credential. And finally, that Windows 2000 MCSE will count as fulfillment of your Elective exam requirement as well.
Core MCSA Exams An alternative to the Microsoft Certified Systems Engineer certification is the Microsoft Certified Systems Administrator certification. The MCSA is designed to certify a candidate’s ability to manage, support, maintain, and troubleshoot a Windows Server 2003 network. Passing Microsoft’s network design exam is not required, so attaining this certification can be a good first step in your new or accelerated career in IT. Every MCSA candidate must pass four exams including three core exams that test your knowledge of the server and client environment as well as the LAN and WAN technologies necessary to support it. Two of these exams focus on Windows Server 2003 and managing the infrastructure associated with its successful deployment. One tests your knowledge of one of the common client OSs you will find in a Windows Server 2003 network.
• •
70–290 Managing and Maintaining a Microsoft Windows Server 2003 Environment 70–291 Implementing, Managing, and Maintaining a Microsoft Windows Server 2003 Network Infrastructure
You can choose one of two exams to satisfy the client operating system portion of the core requirements or take advantage of a retired exam if you happen to have already taken it.
•
70–210 Installing, Configuring, and Administering Microsoft Windows 2000 Professional or
•
70–240 Microsoft Windows 2000 Accelerated Exam for MCPs Certified on Microsoft Windows NT 4.0 (This exam is no longer available, but if you already have it under your belt, you’re set.)
P:\010Comp\Passport\575-0\appb.vp Tuesday, August 05, 2003 10:18:44 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix B
APPENDIX B Career Flight Path
•
311
or 70–270 Installing, Configuring, and Administering Microsoft Windows XP Professional
Elective Exam With the Core Client Operating System and Design exams, you are not given much of a choice, but with the last elective exam, you can customize your MCSA around your interests and knowledge. Microsoft currently offers five exams to choose from:
• • • • •
70–086 Implementing and Supporting Microsoft Systems Management Server 2.0 70–227 Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition 70–228 Installing, Configuring, and Administering Microsoft SQL Server 2000, Enterprise Edition 70–284 Implementing and Managing Microsoft Exchange Server 2003 70–299 Implementing and Administering Security in a Microsoft Windows Server 2003 Network
Alternatives to the Elective Exam In keeping with their commitment to diversity in the workplace, Microsoft allows for a surprising array of substitutions for the elective exam. If you currently hold one of the following certifications, you may substitute it for the elective in the MCSA program:
• • •
MCSA on Microsoft Windows 2000 MCSE on Microsoft Windows 2000 MCSE on Microsoft Windows NT 4.0
You can also substitute one or more of the following third-party certifications for the required elective:
• • •
CompTIA A+ and CompTIA Network CompTIA A+ and CompTIA Server+ CompTIA Security+
P:\010Comp\Passport\575-0\appb.vp Tuesday, August 05, 2003 10:18:44 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
312
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix B
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Travel Advisory Using these CompTIA certifications make it possible to add valuable credentials to your resume while satisfying Microsoft’s elective requirement.
Windows 2000 Upgrade Paths There is no meaningful upgrade path for candidates holding certifications in Windows NT 4.0. However, if you currently hold an MCSA in Windows 2000, you can upgrade to an MCSA in Windows 2003 with a single exam:
•
70–292 Managing and Maintaining a Microsoft Windows Server 2003 Environment for an MCSA Certified on Windows 2000
It’s always a good idea to consult Microsoft’s web page to see what changes they may have made to their certification programs. Microsoft has also added a Security specialization for the MCSA in Windows 2000 that may well find its way into the Windows 2003 track of the MCSA. There is a bewildering array of combinations that can make up multiple certifications and satisfy certain upgrade paths. It is well worth your time to look at the certification requirements in detail as you map out your certification plans.
For All the Latest Info As always, you should check Microsoft’s Training and Certification site frequently to make sure that you’re aware of any changes to the program or to specific exams. You can find all the latest information on the MCSE track at www.microsoft.com/ traincert/mcp/mcse/default.asp. Good luck with your certification pursuit and thank you for allowing us to travel with you through this small region of the world of certification. Enjoy the trip!
P:\010Comp\Passport\575-0\appb.vp Tuesday, August 05, 2003 10:18:45 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
DNS: The Backbone for Active Directory
C
Itinerary There are no 294 exam objectives explicitly covered here. However, the 294 test assumes that you already have a firm grasp of DNS. Additionally, it will be tested on heavily on the 70-291 exam. If you are taking this exam before that one, you will find this appendix a valuable study and reference resource.
NEWBIE
SOME EXPERIENCE
EXPERT
5 hours
3 hours
2 hours
Oh, and one more thing. There’s one last topic to be hashed out before you go on to certification greatness. You need to know DNS to understand Active Directory. Period. Because Active Directory relies on the name-to-IP-address resolution engine of the Domain Naming System (DNS), you’ll absolutely need to have a background understanding of this technology to have more than an outside chance at exam survival. First of all, know that it’s only with great reluctance that this chapter is called an appendix. That it is in no way relegates the information here to a role of second class citizen; it is only an appendix because the information here is not specifically mentioned in Microsoft list of 294 exam objectives. If you already have this knowledge, great. As with the first chapter, you can bypass this information and go directly to the practice exams on the CD-ROM included with this book.
313
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:03 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
314
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
If not, however, I beseech you to spend the extra hour or two to read through this information. Even if you have been exposed to DNS concepts before, it is probably a good investment of time to read over what’s presented here, as the discussion is tailored specifically toward what you need as you sit for the 294. What’s more, it takes the human brain a couple of exposures to new information to incorporate it into what’s already floating around up there. (And the more ways you’re exposed to it, generally speaking, the better—reading, listening, touching, and so on.) So if this is your first exposure, it will give you good footing when studying it again. If it’s a second or third exposure, you will find that this appendix helps solidify your understanding. Here we go. First, we need the answer to an important question.
What Is DNS? DNS is the Domain Name System, and it exists to resolve names to IP addresses, as well as aiding in locating services on a network. Furthermore, DNS organizes these resources into a hierarchy of domains. The DNS you implement on a Windows Server 2003 system is built on the same standards as the DNS in use on other TCP/IP networks, such as the Internet. It provides a mechanism through which user-friendly names (such as ftp.beanlake.com) are resolved to IP addresses (such as 10.100.9.23) so that computers can establish a communications channel. More importantly, at least in reference to our study of Windows 2003 networks, DNS provides the naming infrastructure for Active Directory. When you build your Active Directory domains, you name them in accordance with the DNS naming conventions in use on the Internet. That way, Active Directory can easily integrate with existing networks that follow the same naming conventions, using the same name resolution technologies. Most of these existing networks also use DNS. In fact, DNS not only provides a possible namespace, it’s the required namespace for Active Directory. You can choose to integrate with the Internet or create a completely private Active Directory network, but you have no choice about the naming standards. To implement Active Directory, you will use DNS. As implemented in Active Directory, DNS provides a parent/child architecture for the naming of objects, and using this architecture, the DNS namespace allows for a virtually unlimited number of Active Directory objects. The next few sections will serve as a general overview of DNS, with a careful eye toward its relation to Windows Server 2003’s Active Directory.
DNS Components There are three parts of the Domain Name System. These three items are
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:03 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
• • •
315
Domain name servers DNS resolvers The logical namespace
The domain name servers are made up of servers that run the DNS software component and store information about a zone file (we’ll get to zones in just a bit). These name servers provide address resolution and other information about the computers that you access in both Active Directory domains and in the named domains across the entire Internet. DNS resolvers are pieces of code that are built into the operating system. These pieces of code, known also as DNS clients, request resolution of a fully qualified domain name (FQDN) to an IP address. It does so by querying one of their configured name servers. FQDNs are defined in the next section. Finally, the namespace is the logical division of names where DNS objects are stored. The emphasis here is on the word logical. There is nothing you can point to, for example, and say, “That’s the domain.” To illustrate, ask yourself, “Where is the Microsoft domain?” We can’t really say. That’s because the DNS domain, much like an Active Directory domain, is an organizational entity. The only physical thing we can point to are the name servers, which are the computers that store information and service requests about the resources in the domain.
FQDNs As just mentioned, the job of a resolver is to request resolution of a fully qualified domain name (FQDN). A fully qualified domain name is simply a host name appended to the parent namespaces in a hierarchy. So, in the fully qualified domain name, we can see the different levels in the namespace hierarchy. Figure C.1 helps you visualize the root level namespace, top-level domains, and so on, that are used throughout the Internet. Note that the leftmost portion of the FQDN is the host portion of the name. A host name is an alias we give to an IP address. Typically, any computer in a network is also considered a host, but other devices, such as routers and network print devices, can have names assigned to them, too. All other naming information—every name to the right of the first name— contained in the FQDN identifies the logical parent namespace where the host lives. There are organizations outside of your control that manage the topmost levels of the domain namespace. The InterNIC is the organization that manages the top-level namespaces.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:03 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
316
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE C.1
The logical DNS hierarchy
Travel Assistance For full information on the InterNIC and what it governs, please go do some research on your own. Here’s a good Web resource for starters: www.internic.net. It will give you general information about what the InterNIC is and what they control. The InterNIC controls two levels of the DNS namespace: the root-level and top-level domains. There is only one root domain which acts as the starting point of all fully qualified domain names. This root domain is designated with a dot (.), and in days of yore, people had to type this dot when using FQDNs. Now, however, applications like Internet Explorer assume the last dot is implied, and you no longer have to enter the root domain when browsing to an Internet address. The top-level domains, also under the governance of InterNIC, include familiar domains like .com, .edu, .gov, .net, .mil, all of which were intended to be used in the United States. Other top-level domain names include country codes like .ca, .uk, and .au (for Canada, the United Kingdom, and Australia, respectively). New top-level domains like .tv, .law, .info, .biz, and many more are either being proposed or implemented to accommodate new entities entering the Internet fray. To register a first-level domain, you need to ask the InterNIC whether your domain will be unique in the parent namespace. For example, if you want to register beanlake.com, you’re out of luck. However, if you want to register beanlake.org, you may. The domain name beanlake can be used multiple times; the only restriction is that it be unique in the parent-level namespace. Likewise with host names. I’ll warrant a guess that there are several thousand computers out there with the host name of COMPUTER1. That’s okay, as long as the COMPUTER1 name is not reused within a single domain—for instance, there can only be one COMPUTER1 in the beanlake.com parent domain.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:04 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
317
Also when you register a name for use on the Internet, you’re responsible for providing the addresses of two name servers (NS records) whose job it is to resolve names of hosts and other domains, as well as other resources, possibly Active Directory resources, in that second-level domain. The second-level domains, then, are controlled by you. From there you’re free to add records on your DNS servers representing individual computers in that domain space, subdomains in that domain space, or even provide the addresses of Active Directory domain controllers. We’ll talk more about the different types of resource records stored on a DNS server below. Furthermore, in order to communicate with other computers, both in your own domain and across the Internet, you need to be able to resolve fully qualified domain names to an IP address. How is this done? You ask your configured DNS server for resolution. But before we examine the process for resolving a name to an IP address, we must understand what information is kept on the name servers. To store the name-to-IP-address mappings, name servers use zone files.
Understanding Zones If domains represent logical divisions of the DNS namespace, zones represent the physical separations of the DNS namespace. In other words, information about records of the resources within your DNS domains is stored in a zone file, and this zone file exists on the hard drive of one of your name servers. So there are logical parts of the DNS namespace—the domains themselves—and there are physical parts—both the name servers and the zone files. Zone database files contain the records consulted by the DNS server to resolve names to IP addresses. The domain name servers in turn are simply computers servers that manage how these files are updated and transferred. Zone files can be one of two basic types:
• •
Forward lookup zone Reverse lookup zone
Provides host name-to-IP-address resolution Provides IP-address-to-name resolution
Generally speaking, humans are more concerned with the proper configuration of a forward lookup zone, as they are indeed more vital for successful computer communications. For example, a forward lookup zone is consulted when a domain user is looking for a domain controller where logon credentials can be submitted. And let’s not forget the Web browser, which also relies on forward lookup zones to resolve FQDNs like ftp.beanlake.com or www.beanlake.com into an IP address, either when typed in the address bar or coded within a hyperlink. And as administrators everywhere know, users without working Internet access are unhappy users.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:04 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
318
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Reverse lookup zones, on the other hand, are generally used by utilities like Nslookup. In fact, Nslookup, which we will discuss later in the appendix, requires a properly configured reverse lookup zone in order to work like it should. When a zone file is first created on a DNS server, that server is said to be authoritative for that zone. Then, for each child DNS domain name included in a zone, the zone becomes the authoritative source for the resource records stored in that child domain as well. This means that the DNS server can provide resolution for multiple domains within a zone file, and all changes to the resource records in both domains are made to the authoritative zone it stores. Additionally, keep in mind that a zone can be authoritative for a single domain or multiple domains. This can be a little confusing because it’s possible that one zone file can be authoritative for multiple domains. If you have a DNS hierarchy that, for administrative reasons, you have broken into multiple domains, yet those domains don’t have vast number of resources, it may be good planning to store records about both namespaces (or all three or all five namespaces) on a single DNS server. In this example, this single zone would be authoritative for multiple portions of the DNS namespace. It usually helps if you can remember the distinction between the logical part of DNS (the domains) and the physical part (the zones). In Figure C.2, note that name server A stores a zone file that’s authoritative for two domains, while name server B is authoritative for only a single domain. Zone Categories The DNS zones kept on Windows Server 2003 computers can be further broken down into one of three categories. For each forward or reverse lookup zone, the file will be one of these type of zones:
• • •
Primary zone Secondary zone Stub zone
What’s more, all of the zones you can create in Windows 2003 can be integrated in Active Directory.
Resource Records Stored in a Zone File Each record has a specific purpose for either setting the behavior of the name server, or resolving a name or service into an IP address. Table C.1 explains the most common resource records you will administer, in no particular order.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:04 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
FIGURE C.2
319
A zone can be authoritative for one domain or multiple domains.
Resolving a Host Name Now that you understand better the components of a DNS infrastructure, you need to understand how a DNS client resolves an FQDN to an IP address. There’s actually more than one way this happens. Besides consulting with its configured DNS server, a client can sometimes answer a query using information cached from a previously successfully resolved name. In fact, this is the first location the DNS resolver checks. TABLE C.1
Resource Records Stored in a Zone File
Record Symbol
Record Name
Purpose
A
Host
PTR
Pointer
SRV
Service
MX
Mail Exchange
A host record populates a forward lookup zone and is the workhorse record of a DNS zone. It provides name-to-IP-address resolution. This record populates the reverse lookup zone files, if configured, and does just the opposite of an A record: it provides IP-address-to-name resolution. A service record helps identify services running in a domain namespace. When a user submits a domain logon, his DNS server must resolve the domain to the IP address of a domain controller. The SRV records help perform this task. Identifies the IP address of a mail server for a given domain. All mail destined for a domain like yahoo.com is dropped at the IP address specified by the MX record in the zone files authoritative for the yahoo.com domain.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:04 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
320
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
TABLE C.1
Resource Records Stored in a Zone File (continued)
Record Symbol
Record Name
Purpose
NS
Name Server
SOA
Start Of Authority
These specify the name servers that are authoritative for a given portion of the DNS namespace. These records are essential when DNS servers are performing iterative queries to perform name resolution. This resource record indicates the name of origin for the zone and contains the name of the server that is the primary source for information about the zone. The information in an SOA record affects how often transfers of the zone are done between servers authoritative for the zone. It is also used to store other properties such as version information and timings that affect zone renewal or expiration. Also referred to as an alias record, the CNAME can be used to assign multiple names to a single IP address. For example, the server hosting the site www.microsoft.com is probably not named www, but a CNAME record exists for resolution of www to an IP address all the same. The CNAME record actually points not to an IP address but to an existing A record in the zone.
CNAME Canonical Name
If the check of the cache does not work, the resolver gets help from its configured DNS server, as outlined in the next section. This process is known as a recursive query. The DNS server in turn can use its own cache of resource record information to answer a query. Barring a quick resolution from the DNS server’s cache, the server begins a “walk” of the DNS tree through a series of iterative queries. These terms will be covered with their own section later in the appendix. The next section describes the navigation through the DNS namespace.
Forward Lookup Resolution Any time you enter a fully qualified domain name into an application, your operating system uses the resolver piece of code to query your DNS server to get an IP address for that name that you have just entered. If the client’s locally configured DNS server has a zone file that contains a record for that resource that you’re trying to browse to (or if it’s contained in the server’s cache), that resource’s IP address is returned to your resolver. In most cases, the zone file is not
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:04 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
321
going to hold the IP address for the record that you’re trying to look up. In that case, the DNS server will resolve that name to an IP address on your behalf. The DNS server does this by walking the DNS hierarchy. For example, if you type ftp.atchison.beanlake.com into a browser, the browser needs to look up this fully qualified domain name using its resolver. The computer doesn’t care what the name of the computer is; in order to communicate, it needs the IP address. The first place it looks for resolution is its configured DNS server. This query to the locally configured DNS server is called a recursive query. If the local DNS server does not have a record mapping ftp.atchison.beanlake.com to an IP address, then the local DNS server—if it’s configured to do so—will begin looking through the entire DNS hierarchy on behalf of the DNS client. The local DNS server will talk to other DNS servers using a series of iterative queries. It begins with a check with one of its configured root-level name server. Every Windows Server 2003 installation of DNS comes with several root-level name servers already known, and the server will query one of the servers in the list unless it’s been configured to be a root-level server of a private network not directly connected to the Internet. The root-level name servers won’t know either, but they’ll know to steer the local DNS server to a top-level name server. Subsequently, one of the top-level name servers in the .com-level namespace will be asked the same question: “What’s the IP address for ftp.atchison.beanlake.com?” They won’t have records for that resource in their zone files either, so they’ll return their best answers, which in this case will be the NS records of the DNS servers authoritative for the domain .beanlake. When your local DNS server finds the IP address for the DNS servers for the .beanlake domain, your DNS server will then ask those servers for the record for the name ftp. The DNS server that’s just been queried will indeed have the IP address for that name, and will return said IP address to the local DNS server. The local DNS server, in turn, will hand the IP address back to the resolver, and then communication can be established from one IP address to another IP address (the ftp client and the ftp server in this case). This same procedure that was just described is also diagrammed in Figure C.3 for those who adhere to the principle that a picture is worth more than mere words. After the resolution is complete, the DNS server caches the successful resolution in its DNS cache. If the next request for a resource from the same name is requested, the name can be resolved without a query through DNS. Likewise, the entry is usually cached on the DNS server for the same purpose. If another
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:04 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
322
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE C.3
Iterative queries “walk” the DNS hierarchy.
client of the DNS server were to request resolution before the entry’s timeto-live (TTL) expires, the name would be resolved without walking the DNS tree.
Recursive Queries and Iterative Queries As mentioned, the process takes place with two types of queries. The client asks its local DNS server using a recursive query. A recursive query says, basically, give me the answer or tell me that you can’t find it. It’s a pass/fail type of proposition. The other type of query, where other DNS servers are talking to each other as the local DNS server is walking the domain tree, is called an iterative query. When your DNS server uses an iterative query, what it’s asking for is a “best guess.” So the root-level name servers don’t have the IP address for ftp.atchison.beanlake.com, but they will give you their best response, which is, “I don’t have it, but I’ll send you down to the .com-level name servers—you can go ask them.” And when I say best guess, I literally mean best guess. If you’re asking for something in the .com-level namespace, the root-level name servers aren’t going to send you the IP address of .net name servers or .gov name servers. They will give you the NS records for the name servers that govern the .com-level namespace.
Reverse Queries What was just described was the forward lookup process, where a client is looking for a name-to-IP-address mapping. This is the most common type of lookup,
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:05 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
323
in which an IP address is the expected resource data that is to be provided by the response. But DNS also provides a mechanism to extract names from IP addresses. This enables clients to use a known IP address during a name query and look up a computer name. Instead of asking, “What’s the IP address for ftp.atchison.beanlake.com?” a reverse query asks, “What’s the name of the computer with the IP address of 10.169.254.23?” This is more common with IP utilities like Nslookup, which use the client’s configured DNS address to query the resource records on the server. It is also used by reporting utilities that might collect information about who is accessing a particular Web site. When request packets enter a Web server, the information in the packet contains the IP address of the requester, but not the computer name. Utilities use reverse lookup zones to pinpoint certain users or certain domains that are most frequent guests of the Web site. DNS originally was not built to support this type of query. If you look at Figure C.4, you see an FQDN, with an arrow representing the “flow” of an FQDN from general to specific. Below it, you see an IP address with the same arrow. As you can see, the FQDN resolves from the big namespace to the host from right to left, while the IP address identifies the network and then the host from left to right. So a modification was made to the DNS namespace to get IP addresses to look like FQDNs. To support this reverse lookup query, there’s a special domain called the in-addr.arpa domain, which is an abbreviation for “inverse-address.advanced research projects agency.” (ARPA was the Department of Defense agency that was instrumental in the development of the Internet.) The in-addr.arpa domain is now defined in Request For Comment (RFC) standards, which set the standards for open-standards based Internet technologies, and is reserved in the Internet DNS namespace to provide a practical way to perform reverse queries. To create the reverse namespace, subdomains within the in-addr.arpa domain are formed using the reverse ordering of the numbers in the dotted-decimal notation of IP addresses. In other words, IP addresses are
FIGURE C.4
The “flow” of an FQDN and an IP address
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:05 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
324
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
flipped around so that a query for the host name for 200.23.102.9 becomes a query resembling an FQDN, like so: 9.102.23.200.in-addr.arpa
Notice that the order of IP address will be reversed when building your reverse lookup zone files. The IP addresses of the DNS in-addr.arpa tree can be delegated to companies as they are assigned a specific or limited set of IP addresses within the Internet-defined address classes.
Travel Advisory Forward lookup zones are built with A records, but reverse lookup zones are built with PTR records, which, strangely enough, point to A records in existing forward lookup zones. It doesn’t necessarily matter in what order you create your zones, but you definitely want a forward lookup ready when you’re populating the reverse lookup zone. In fact, you can populate the reverse lookup zone with PTR records at the same time you add host (A) records with a single check box.
Install and Configure the DNS Server Service As should be abundantly clear by now, DNS provides the hierarchy for Active Directory. Therefore, you need to first have a working DNS server before you can install Active Directory. If you don’t have a working DNS server before you install Active Directory with the DCPROMO utility, the Active Directory Installation Wizard will offer to create one for you. So even though it might appear that there’s no DNS server present, and yet you can install Active Directory, what’s happening under the hood is that the Active Directory installation tool is installing DNS before it gets around to installing Active Directory. This section assumes that you know how to install Windows Server 2003 and concentrates on the installation and configuration of the DNS server. One quick note about installation of DNS Server is that you need to install it on either the Windows Server 2003 or Windows 2000 Server or Advanced Server platforms. Additionally, you need to have TCP/IP installed and configured before you proceed. If you’ve chosen the typical options, you should have TCP/IP installed. In fact, there’s almost no case in a modern computer environment where you wouldn’t have TCP/IP installed on a computer that wants to communicate with any other computers.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:06 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
325
It also might be a good idea before you proceed with the installation of DNS to confirm your computer name. To do this, right-click on the My Computer icon and choose Properties. Then click on the Network Identification tab. Make sure the full computer name is correct. If it’s not what you expect (if you click rapidly through the setup screens, or the server is set up by a third party, you can end up with a name that won’t work very well for your intended naming scheme), click on the Properties button from the Network Identification tab and make the necessary changes to your computer name. Now it’s time to install the DNS server. To do so, follow these steps: 1. From the Start menu, open Control Panel, and double-click on the Add/Remove Programs icon. 2. In the Add/Remove Programs applet, click Add/Remove Windows Components. This will open the Windows Components Wizard. 3. Select Networking Services, and then click Details (see Figure C.5).
FIGURE C.5
Adding the DNS component to Windows Server 2003
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:06 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
326
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Travel Advisory If you click on just the Networking Services check box, you’re going to install all the Network Services, which is probably not a step that you want to do. So make sure that you just select Networking Services and choose Details instead. 4. Select the Domain Name Service (DNS), click OK and then click Next. The Configuring Components dialog box appears, showing the progress of the installation. You may also be prompted for the path to Installation Files. 5. Finally, the Completing The Windows Component Wizard screen appears. Click Finish, and then close the Add/Remove Programs dialog box by clicking Close. You can now close the Control Panel. DNS has been installed.
Manage DNS Server Options Now that you’ve installed DNS, you’ll next need to make decisions about what role that DNS server will perform in your computing environment and in your organizational scheme. The role of the server will be dependent on the types of zone files that it stores. You may also want to note that a single DNS server can provide multiple DNS zone roles. In other words, a single DNS server can be a primary server for one zone and a secondary server for another zone. If your Windows Server 2003 DNS server is a standard primary DNS server, the DNS server stores and maintains the original zone file for whatever domain or domains the zone file is authoritative over. The information is kept in a primary zone file stored in the registry, and a copy of the zone information is located in the path WINDOWS\system32\dns by default. This can be significant if your Windows 2003 DNS server is set to integrate with other types of DNS servers.
Creating a Forward Lookup Zone Here’s how you’ll create a forward lookup zone on your Windows Server 2003 DNS implementation: 1. Start DNS Management by selecting Start | All Programs | Administrative Tools | DNS. The Microsoft Management Console starts with the DNS snap-in loaded. 2. Expand the server where you are creating the zone, then right-click on the Forward Lookup Zones node. From the context menu, choose New Zone. This launches the New Zone Wizard.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:06 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
327
3. Click Next to pass the welcome message, and on the next screen choose the type of zone. 4. As shown in Figure C.6, you’ll choose either a primary zone, secondary zone, or stub zone. If Active Directory is installed, and you’re configuring DNS on a domain controller, you will have the option to create an Active Directory–integrated zone with the check box at the bottom of the dialog box. In this example, choose Primary Zone and click Next. 5. Now you’ll choose the replication behavior of the zone. You can replicate zone information to one of the following: All DNS servers in the Active Directory forest All DNS servers in the Active Directory domain All domain controllers in the Active Directory domain All domain controllers specified in a scope of an application directory partition
• • • •
6. Make your selection, then click Next, and in the following dialog box, give the zone a name. 7. Click Next, and then select the Dynamic Updates options. You can choose to allow Only secure dynamic updates, available only in Active Directory–integrated zones Both nonsecure and secure, where dynamic updates are allowed from any DNS client
• • •
Neither, configuring the zone to not accept any dynamic updates
8. Make your selection, click Next, and then click Finish in the final dialog box to set up the zone file.
Creating a Reverse Lookup Zone Creating a reverse lookup zone will be very similar, with only a few twists. To do so, follow these steps: 1. From the Administrative Tools menu, open the DNS console. 2. Expand the server you’re configuring, and select the Reverse Lookup Zone node, right-click, and choose New Zone. 3. Click Next on the welcome page of the New Zone Wizard, and again select the type of zone to create. Click Next after you’ve made the selection. 4. Select the replication options, and click Next to get to the part that differs from creating a forward lookup zone.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:06 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
328
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE C.6
Selecting the type of zone to create
5. From the Reverse Lookup Zone Name dialog box, enter the first part of the IP address—the Network ID—for which the zone will provide IP-address-to-name resolution. This should be your company’s network number. You don’t have to worry about flipping it around, either. The wizard does that for you. For example, if you’re using the network number of 123.45.9.0, you would just type the network portion of that IP address. In the bottom section of that window, as seen in Figure C.7, notice how the wizard takes the network number and reverses it to build the file name that will be used for the reverse lookup zone file. Click Next. 6. Set your Dynamic Updates options as before and click Next. 7. The last page of the wizard confirms your choices. If everything is correct, click Finish. If you see problems, you can click Back to go back and fix the errors.
Changing the Properties of a Zone Once you’ve got your zone configured, you still have the flexibility to change your zones as the needs of your network change. Here’s how to change the properties of a zone file:
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:06 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
329
1. Open DNS Administrative Tools by choosing Start | All Programs | Administrative Tools | DNS Server. 2. Expand the server that contains the zone, forward or reverse, that you want to configure. 3. Expand the reverse or forward lookup zone’s folder. Right-click the zone that you want to configure and choose Properties. There are six tabs in the Properties window of a zone, as seen in Figure C.8, where you will be able to fine-tune the behavior of the zone files:
Exam Tip You should not need an exhaustive knowledge of each and every button and entry in these dialog boxes. For exhaustive information, please see the Microsoft Server 2003 Deployment Kit: www.microsoft.com/ windowsserver2003/techinfo/reskit/deploykit.mspx.
•
General Sections of the General tab include Status, Type, Replication Scope, the choices about whether or not to allow dynamic updates, and aging properties.
FIGURE C.7
Creating and naming a reverse lookup file
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:07 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
330
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
FIGURE C.8
Changing the properties of a zone file
•
Start of Authority (SOA) This tab reflects the information found in the SOA record, and specifies startup behavior of the name server, as well as identification of the server that has authority for a particular domain. The SOA tab really defines the startup behaviors of the DNS server and configures the normal DNS parameters that are part of the zone. These include the serial number, the primary server, the responsible person, the retry interval, the expires after interval, and the minimum time to live as well as time to live for this record.
•
Name Servers This is where you’ll see a list of name servers for the zone. Again, it is very possible for fault tolerance or for load balancing purposes that you implement more than one name server for a particular domain. If this is the case, you’ll want the name servers to talk to each other so they keep a consistent zone file. You don’t want one zone file mapping a name to an IP address and then another zone file mapping that same name to a different IP address. So listing a name server here will create an NS or name server record for the zone, and they should match the servers that are registered with the domain one level up. The
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:07 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
331
domain one level up then returns these records to any other name server requesting queries of resources in your domain.
•
WINS This tab contains information about any WINS servers that might be present in your network. In a pure Windows Server 2003 environment, as was the case with Windows 2000, you shouldn’t need this record because all of your systems will automatically register their host records with the DNS server automatically. But, if you need to support older Windows clients, such at 9x or NT, you might configure the WINS tab. This WINS tab provides the server with the IP address of one or more WINS servers that your DNS server will use to resolve the query if it doesn’t have a record in its own files. The DNS server does this by taking the leftmost portion of a fully qualified domain name resolution request and passing that request on to the WINS server. The options on this tab include Use WINS Forward Look-up, Do Not Replicate This Record, and IP Address. The advanced options include Cache Time-out and Look-up Time-out.
•
Security This tab is an access control list (ACL) that defines who can manage and modify the zone file. Note that the Authenticated Users group has the ability to Create Child Objects, which makes sense when you consider that these users update their A records dynamically—even though they probably aren’t aware of it—when they get an IP address from DHCP.
•
Zone Transfers Finally, one of your more important tabs, as far as the management of your zone, is the Zone Transfers tab. This tab allows you to configure how zone transfers occur between the name servers on the Name Servers tab. So here’s where you set the server with a primary zone file. You can also do this from the server with a secondary zone file. The options from this tab include whether to allow zone transfers in the first place and where these zone transfers will go—to any server, to only servers listed in the Name Servers tab, or only to specific servers that you choose from this tab. The last button at the bottom-right corner is Notify. With the Notify button you can choose to automatically notify all other name servers when there is a change to a zone file, just the servers in the Name Servers tab, or, again, specific name servers that you specify. It’s through this tab that you really configure your security level and replication topology for your DNS server implementation.
Stub Zones Think of a stub zone as a mini-zone. This mini-zone is kept on a DNS server hosting a parent zone, and its only purpose is to identify the authoritative name
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:07 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
332
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
servers in child zones. By keeping just this information at the ready, a DNS server is able to more efficiently route name resolution requests to the authoritative servers hosting child zone files. Records in the stub zone are kept to a bare minimum and contain only these records:
• •
The start of authority (SOA) record, the name server (NS) resource records, and the host (A) records for the delegated zone The IP address of one or more master servers used to update the stub zone’s records
Travel Advisory Master servers for a stub zone can be one or more of the DNS servers authoritative for the child zone. This master server is usually the DNS server hosting the primary zone for the delegated domain name. So when would it be appropriate to use a stub zone? Consider the following scenario: you have set up a DNS that’s authoritative for a parent zone called beanlake.com. Because the number of resource records, you decide to delegate a subdomain called atchison.beanlake.com to another DNS server in your enterprise. When you first set up the delegation, the parent zone contained only two resource records (the NS records) for the atchison.beanlake.com domain. The records in the zone for the subdomain grow, however, and more than two DNS servers have been added that are authoritative for this subdomain. What’s more, you have not been notified of the additional servers. This results in a DNS server that hosts a parent zone, beanlake.com, that is unaware of the new DNS servers that are authoritative for atchison.beanlake.com, and the parent DNS servers continue to query the name servers for which they are aware, even though more have been added to manage records of the zone. To fix this situation, you can configure a stub zone on the DNS server hosting the parent zone of beanlake.com. The stub zone will identify all the servers responsible for the atchison.beanlake.com zone information. After configuration, the stub zone will query the stub zone’s master servers to obtain the addresses of all authoritative DNS servers for the subdomain of atchison.beanlake.com. Now that the stub zone has been properly configured, any new authoritative DNS servers added to the child zone will be (almost) immediately learned about if they are added to the growing atchison.beanlake.com resource domain.
Configure DNS Forwarding It’s very likely that the your network’s computers get their IP addresses and DNS server configuration from an ISP’s DHCP server. As a part of that configuration,
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:07 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
333
you are also likely to be handed DNS configuration information from these DHCP servers. But what if, in this case, you implement a DNS server in your network to resolve Active Directory resources. How does that DNS server resolve queries for external resources? Or does it have to? Here’s where a DNS forwarder might be a good solution. A forwarder is a DNS server that takes queries for external resources and passes them on to another DNS server, which in turn will walk the DNS tree to resolve the name to an IP address. You can also configure a Windows Server 2003’s DNS to use conditional forwarders, described in the next section. When you use a forwarder, you can designate that names outside your network get resolved by another DNS server rather than the forwarder. In the example mentioned, why have the local DNS server eat up bandwidth sending iterative requests to other DNS servers, especially when the ISP’s DNS server is there to do just that? The forwarder will still provide name resolution for local resources, thus improving the efficiency of name resolution for the computers in your network. Conditional Forwarders A conditional forwarder is a DNS forwarder that examines the domain name of the query, and then forwards the query to specified servers based on that name or names. In other words, it’s a more precise way of handling forwarding tasks. Continuing the previous example, let’s say that your network frequently requests external resources from the domain beanlake.com. Using a conditional forwarder, the DNS server can be configured to forward all the queries it receives for FQDNs ending with beanlake.com to the IP address of the DNS server (or multiple DNS servers) that is authoritative for the beanlake.com namespace. This, too, helps improve the efficiency of name resolution requests. The conditional forwarder setting for a DNS server consists of the following:
• •
The domain names for which the DNS server will forward queries One or more DNS server IP addresses for each domain name specified
To configure a conditional forwarder: 1. Open the DNS console, access the DNS server’s Properties page, and then click on the Forwarders tab. 2. You can add conditional forwarders by clicking New and entering a specific domain.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:07 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
334
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
3. Select the domain you’ve just added and type the IP address of the DNS server where requests for that domain should be sent, as shown here.
When a DNS client or server sends a resolution request to a forwarding DNS server, the server looks to see if the query can be resolved with its own zone files or the data stored in its cache. Then, if the DNS server is configured to forward for the domain name designated in the query, the query is passed directly to the IP address of a name server associated with the domain name. This way, the entire DNS tree does not have to be searched.
DNS Server Roles A DNS server plays one of several roles depending on what kinds of zone files it stores.
Primary The primary DNS server for a zone is the location where all updates to the zone’s records are made. All changes to the zone are then replicated to secondary servers. This replication model is called single master replication, where there is a single entity that controls changes to records. Windows NT 4 used this single master model for directory database replication as well. This also highlights the biggest drawback of the standard primary server model: it includes a single point of failure. Just like when an NT 4 primary domain controller went down and no changes to the Active Directory database could be made, if for any reason the primary server for a zone is unavailable, no updates to the DNS zone are possible. This does not, however, affect resolution of names as long as secondary servers for the zone are available, and name-to-IP-address mappings have not changed. When you create a new zone, the zone will be a primary zone, and the server sorting the zone will be a primary DNS server. You can then use primary zones in one of two ways: as standard primary zones or as primary zones integrated with Active Directory. Using a standard primary zone, only a single DNS server will host and load the master copy of the zone. Further, only that server is allowed to accept dynamic
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:07 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
335
updates, and no additional primary servers for the zone are permitted. You typically implement a standard primary zone when you need to replicate zone information with DNS servers running on other platforms such as UNIX. The good news is that you already know how to set up a primary DNS server. Simply add a primary zone using the procedure described previously and you’ve set up a primary DNS server. There is no button you push to make a server primary or secondary; the designation is made based on the kind of zone(s) it stores. If you want to add more primary servers for a zone, you need to configure an Active Directory–integrated zone, which will then take advantage of Active Directory–integrated storage and replication features of the DNS server service. To do this, you can either set up an Active Directory–integrated zone when the zone is set up or change the properties of an existing zone. There really isn’t a primary server designation once you’ve integrated the zone information in Active Directory, as the zone information adheres to the same replication model as Active Directory information: multimaster. Using multimaster replication there is no single point of failure for zone information, and all DNS servers storing the zone are considered primary. When you instruct a DNS server to hold an Active Directory–integrated zone, that DNS server needs to also be a computer running Active Directory. Then any other DNS servers operating as part of the Active Directory domain namespace can query the Active Directory database and automatically load all such zones that are stored in the directory database. No other steps are necessary. Later in the appendix, we’ll examine how to change the type of zone a DNS server stores. But first, we need to understand how to set up a secondary server.
Secondary So far we’ve been focusing on just configuration of primary name servers where primary zone files will be stored, and configuring some of the options of those zone files. Now we look at secondary name servers. Why secondary name servers? Any time you have a secondary of anything, usually the answer is for load balancing and for fault tolerance. The secondary servers are secondary servers because they store copies of zone files. Changes to the DNS domains are made at the primary zone level and then are copied to secondary zones for secondary zone servers. At the end of the day, they’ll both end up storing the same information; it’s just that changes to the domain are made at the primary level, not the secondary level. The preceding begs an important question: can a DNS server be both a primary name server and a secondary name server at the same time? Yes. The designation is made by what kind of zone file is stored on the server, and you can store both primary and secondary zones on the same machine. The server would then be a primary server for one zone (or more) and a secondary server for another zone(s).
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:08 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
336
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
To set up a secondary name server, all you have to do is configure a secondary zone file that will be stored on that server. The following procedure describes how to set up a secondary name server: 1. Open the DNS MMC from your Administrative Tools. 2. Expand the server that you will configure to be a secondary name server. Right-click on the forward or reverse lookup zone that’s going to be secondary. Choose New Zone. Click Next to pass the welcome to the New Zone Wizard page. 3. Choose Secondary Zone, and make your selection about storing the zone records in Active Directory, and then click Next. 4. Type the name for the zone, and click Next. 5. Here’s where the zone truly becomes secondary. In the dialog box shown in Figure C.9 enter the IP address for the master server from which you will copy the zone information. Click Next. 6. The last page of the wizard verifies your configuration information. Click Back if you have made any errors. Now, another important note about setting your master server is that if you just look at names alone, you might deduce that a secondary server always gets
FIGURE C.9
Selecting a master server
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:08 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
337
its information from a primary server, but that’s not the case. A master server just provides the place where you’re going to get your copied zone file from. So a master server can be either a primary server or another secondary server. Don’t be confused if you see a reference to a master server and think it’s also a primary server. That may not be the case as the information in a zone might just be a copy of a copy.
Caching Only A caching-only server exists only to resolve FQDN queries to IP address, and then cache them for a period of time, usually a bit longer than what is configured on a primary or secondary server. The difference between these servers and caching-only servers is that the caching-only server stores exactly zero zone files. They are not authoritative for any part of the DNS namespace, and the information that they contain is limited to what has been cached while resolving queries. In fact, when you get your IP configuration from your ISP, you are probably getting the IP addresses of caching-only servers. To install a caching-only server, simply install DNS on the Windows Server 2003 computer, and then do not configure any forward or reverse lookup zone files. Additionally you must verify that server root hints are configured or updated correctly. A caching-only server can help optimize usage of the WAN for resolution requests over time. When first installed, the caching-only server has no cached information. This information is obtained incrementally as client requests are serviced. However, if you are dealing with a slow-speed WAN link between sites, this option might be ideal because, once the cache is built, traffic decreases. In addition, the caching-only server does not perform zone transfers, which can also conserve WAN bandwidth when external resources are located over slower links.
Integrating DNS with DHCP Dynamic updates allow a DNS client to register and update their resource records with their configured DNS server. This is especially significant when using a DHCP server to allocate IP addresses, as the name-to-IP-address mappings frequently change. With Dynamic DNS (DDNS), administration overhead of maintaining zone records is reduced dramatically. DDNS used by Microsoft is standards-based, as described in RFC 2136. Being able to update DNS dynamically is especially important because the domain controllers are going to create several records for themselves so that users will be able to find them. These include SRV records, A records, and PTR or reverse lookup records. It’s important that your domain controllers are able to
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:08 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
338
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
create their records dynamically in DNS, because in order to log on, your client first asks its configured DNS server for a list of domain controllers in the client computer’s site for the domain it’s trying to log onto. Without these records, your clients will have a very hard time finding a domain controller. Here’s how client machines update their DNS zones with their resource records. Computers that have statically assigned IP addresses attempt to dynamically register host (A) and pointer (PTR) resource records for all IP addresses configured for their installed network connections. This means that one computer can register several IP addressed if multiple network cards are installed. Also by default, DNS clients attempt to register records based on their domain membership settings.
Travel Advisory You set the domain membership properties of a computer client through its System Properties dialog box, in either the Computer Name or Network Identification tab, depending on the operating system. You can also set advanced DNS name settings with the Advanced properties of TCP/IP. But computers that are Windows 2000 or 2003 DHCP clients will only register their host records. The DHCP server then updates the zone with appropriate pointer record information. Clients running operating systems prior to Windows 2000 will have both their host and pointer resource records updated by the DHCP server on their behalf. This is because, prior to Windows 2000, Microsoft DNS clients were not aware of dynamic DNS. This updating behavior is documented in Figure C.10.
Implementing Dynamic DNS The procedure for allowing dynamic updates is very easy. From the General tab of the Zone Properties, as seen in Figure C.11, the dynamic ability of a zone is set with the drop-down list. As you can see, there are three choices here. If your zone type is Active Directory, you have the additional choice of allowing only secure updates. When you allow only secure updates, the zone information in an Active Directory zone is stored in an Active Directory, and, therefore, you can apply permissions. If you have Secure Only updates selected, then only computers with computer accounts in the Active Directory forest will be able to register their resource records with that DNS server.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:08 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
FIGURE C.10
Dynamic DNS is updated differently depending on the DNS client.
Travel Advisory When using a standard zone, the default behavior is that the zone will not be configured for dynamic updates.
FIGURE C.11
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:09 AM
Configuring a zone for dynamic updates
339
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
340
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Now, how does your client know that it should update DNS in the first place? This update process is initialized either from the client or from the DHCP server in your enterprise or the client itself, and sometimes both. By default, Windows 2000 and XP clients will update resource record information on the DNS server, and there are several instances in which this will occur. These include
• • •
A change to one or more of the local IP addresses
• • •
Any time the user forces an update using ipconfig /registerdns
Any time the IP address is leased from the DHCP server, which most often occurs at startup time Any time the IP address is refreshed or changed, either as a matter of a normal shut-down or an ipconfig /release and then ipconfg /renew command A member server is promoted to a domain controller Any time the computer name is changed
Also, by default, Windows 2000 and XP Professional machines will update the DNS server with its host record mapping every 24 hours. When one of the previous events causes an update to be sent, it’s interesting to note that the DHCP client service, and not the DNS client service, sends the update. This is designed so that if a change to the IP address information occurs because of DHCP, corresponding updates in DNS are performed to synchronize name-to-IP-address mappings for the computer.
Integrating DNS and Active Directory In the discussion of primary zones, we touched on the significance of creating an Active Directory–integrated zone. Creating one is a matter of selecting the appropriate check box when specifying which kind of zone to create. But what if you have created a standard primary zone, and now have migrated all DNS servers to Windows 2003, and want to take advantage of the security, fault tolerance, and reduced administration offered by Active Directory– integrated zones? You need to change the zone type.
Changing the Zone to an Active Directory–Integrated Zone Changing a standard zone to an Active Directory-integrated zone is a very straightforward procedure. To do so, select the zone you want to change, then access its Properties dialog box. From the General tab, click the Change button
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:09 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
341
next to the zone “Type” entry. You get a dialog box that you see in Figure C.12, which you also saw when setting up the zone for the first time. Now you can breathe easy knowing that your zones can adapt to serve the current needs of your DNS implementation with a minimum of administrative effort. When possible, implement Active Directory–integrated zones, as explained in the next section.
Benefits of Active Directory–Integration Converting to an Active Directory–integrated zone makes a couple of significant changes to the way the DNS zones behave or the way DNS updates those zones. One is that the information held in the DNS zones is no longer stored on the files in the DNS directory on your hard drive; they are no longer text files. Instead, they become part of the Active Directory database. Another significant change is the way that DNS information is updated or synchronized. Because the DNS information is now part of the Active Directory database, it is synchronized with the Active Directory database. You no longer have to configure a replication topology between your DNS server like you did before by editing the characteristics of the zone transfers tab. In fact, if you are using Windows Server 2003 for your DNS solution, it’s highly recommended that you go with the Active Directory–integrated zones. It eases the administrative burden of managing DNS. In fact, when you manage Active Directory you’re managing DNS, so it takes one more thing out of your administrative mix. Several important changes are made in your DNS zones when you’re working with Active Directory. Some of these changes take place in only Active Directory–integrated zones, most take place in whatever zone you’re configuring. In
FIGURE C.12
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:09 AM
Converting an existing zone
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
342
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
other words, these changes are made as requirements of installing Windows Server 2003 as a domain controller. The changes include, in an Active Directory–integrated zone, any domain controller running DNS will be able to accept dynamic updates. So, if you’ve decided to combine DNS service with the Active Directory service on the same machine, you don’t even have to worry about configuring dynamic updates. Also, the NetLogon service will register with the DNS server so that users can locate the services, because users submit their logon requests to the NetLogon service. You can also apply security to DNS updates, and, as mentioned before, zone information becomes part of the Active Directory and is replicated automatically during Active Directory replication. You do not have to configure a separate replication strategy.
Travel Advisory Only primary zones can be integrated in Active Directory. If you are configuring a secondary zone, it will be stored as a standard text file. The multimaster replication model of Active Directory removes the need for secondary zones when zone information is stored in the directory database.
Transferring Zone Information If your DNS zone is not integrated, all changes to the zone information will be made at a single server. Therefore, you’ll need to replicate the zone among other secondary DNS servers. When you’re configuring zone transfers in the standard DNS environment, you do this by selecting and creating secondary servers. You then configure another DNS server to copy the zone file from the primary zone file or another secondary server. The server that stores the zone file to be copied is designated as the master server, and this master server can be either a primary or secondary server. In other words, a server doesn’t have to be a primary server to be a master server. One reason why you might do this is to support older, third-party DNS servers that are not part of the Active Directory database. Of course I’m talking about UNIX DNS servers, which make up the majority of the existing DNS servers in use on the Internet. Here’s how you configure Windows 2003 DNS for older UNIX BIND secondary servers: 1. Open the DNS MMC. Right-click on the server you want to administer, and choose Properties from the context menu. 2. On the Advanced tab, make sure the BIND Secondaries option is checked, as shown in Figure C.13, and then close the Properties dialog box.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:09 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
FIGURE C.13
343
Enabling UNIX BIND
Monitoring and Management Once your DNS implementation is in place, it’s vital to the operation of your network that it be kept running, and further, that DNS resolution is optimized. Therefore, it is important that you know how to monitor and manage DNS performance. Fortunately, the knowledge in the preceding section will serve as your best arsenal to help you do this. The next sections will help you leverage that knowledge, and give you a few pointers about what kinds of questions to expect on the exam. Many of the questions on DNS, and indeed the entire exam, will be based on things that have gone wrong, and will test whether you possess the knowledge to put the network right again.
Manage DNS Record Settings The DNS records kept by Windows Server 2003’s implementation of DNS do not stay in the zone files forever. Computers change IPs and change subnets, and the DNS must have a mechanism to deal with all the resource mappings that are
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:10 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
344
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
no longer valid. To do so, Microsoft’s version of DNS supports aging and scavenging features. These features are provided to perform cleanup of the zone files and removal of stale resource records which accumulate over time. As you now know, when you implement DDNS—and most networks running Windows 2000 or Windows Server 2003 do—records are automatically added to zones when computers start on the network. However, sometimes they aren’t removed when computers leave the network. A common occurrence of this is when a system is improperly disconnected from the network, and its host record is not removed from the zone file because the computer doesn’t get a chance to contact its DNS server. If you have a lot of mobile users in the network, this situation can occur frequently. If resource records are not cleaned from the zone files, problems might occur, including:
• •
If a large number of stale records are kept in the zone file, they can use unnecessary server disk space and cause long zone transfers.
• •
Disk space and processing demands of unnecessary records and/or incorrect name resolutions could result in poor DNS server performance.
If DNS servers load stale records, they might answer client queries with these improper name-to-IP-address mappings, potentially causing clients to experience communication difficulty when using FQDNs.
In certain instances, the presence of a stale resource record could prevent an FQDN from being used by another computer or host device.
Fortunately, Windows Server 2003’s DNS implementation combats the existence of stale resource records with the following features:
• •
Time stamping for any records added dynamically to primary zones. The time stamp is set based on the current date and time at the DNS computer.
• •
Aging of resource records occurs based on a specified refresh time period.
•
Scavenging continues for all records that persist beyond the specified refresh period.
For any manually added records, a time stamp value of zero is used, indicating that they are not affected by the aging process and can remain without limitation. Manually added records must be deleted manually, unless you change this default time stamp. Only primary type zones loaded by the DNS are eligible to participate in this process. Secondary zones are scavenged by the primary server, and then updated with the appropriate zone information.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:10 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
345
A DNS server performs a scavenging operation by looking at the time stamp. Using this information, it can determine whether a record has aged to the point of becoming stale. If the record is indeed stale, the record is removed from the zone file. Servers can be configured to perform recurring scavenging operations automatically, or you can initiate an immediate scavenging operation at the server. To set the automatic scavenging of zone files, follow these steps: 1. Open the DNS MMC snap in, right-click the applicable DNS server, and click Properties. 2. Click the Advanced tab. 3. Select the Enable Automatic Scavenging Of Stale Records check box. 4. To adjust the scavenging period, select from the drop-down list an interval in either hours or days, and then type a number in the text box. 5. To perform a manual scavenge of a zone, right-click the applicable DNS server, then select Scavenge Stale Resource Records from the context menu. Because the DNS service is required for proper Active Directory operation, you will need to know how to keep DNS efficiently and reliably resolving names to IP addresses. Following are a few of the utilities that will help you diagnose and resolve DNS issues.
Nslookup A vital troubleshooting tool installed automatically along with DNS is the Nslookup command-line utility. Although it can look deceptively easy to use, it’s actually a somewhat sophisticated command. It has both a command-line interface and what’s known as interactive mode. For the purposes of quick testing, you can use just the command-line interface. For more thorough or exhaustive testing, it’s recommended that you use the interactive Nslookup mode.
Travel Advisory For Nslookup to work properly, you must have an accurately configured reverse lookup zone. If you get error messages as you are trying to perform queries on your DNS server, it’s probably because that reverse lookup zone has not been properly configured.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:10 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
346
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Ipconfig Another important utility for troubleshooting DNS is the Ipconfig command. You’ve probably used Ipconfig or have seen it introduced by this point in your studies, but some of the switches specific to troubleshooting DNS include
• •
/all Provides you information with configuration of each network adapter, including information about your configured DNS servers.
• •
/registerdns Renews any DHCP leases you currently have, and also will register your host name with your locally configured DNS server.
/flushdns Clears all the cached information you have retrieved from DNS servers. You can use this to force your host to reread information from your configured DNS server. This can be especially effective if an IP address has recently changed and you may be resolving from a cached entry.
/displaydns Shows the entries currently in the cache. The /displaydns and /flushdns switches are often used in conjunction with one another.
As a last troubleshooting line of defense, many dynamic entries are created in your DNS zone files by the NetLogon service. You can quickly reregister this information by stopping and restarting the NetLogon service to ensure there are no problems with clients trying to locate NetLogon servers or the NetLogon service for domain authentication.
Event Viewer Under Windows 2000, a separate log was kept for DNS information, but was added to the Event Viewer console when DNS was installed. While that’s still the case, Microsoft has also included the DNS-specific Event Viewer interface right there in the Server 2003 DNS console. That way, you don’t have to flip back and forth between two applications to view and diagnose the DNS events captured by the DNS service. In Figure C.14, you see the DNS node of the Event Viewer and the DNS Events node of the DNS MMC snap-in side by side. Just like viewing the log file with the Event Viewer tool, the DNS console interface lets you set default properties of the file. To do so, right-click on the DNS Events log file and choose Properties, bringing up the dialog box shown in Figure C.15.
Setting Debugging Options To aid in your troubleshooting efforts, you can also enable debug logging. With the debugging feature, you can mine a wealth of information about the behavior of the DNS server.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:10 AM
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
APPENDIX C DNS: The Backbone for Active Directory
FIGURE C.14
347
The DNS console and the Event Viewer are now linked.
The debugging feature can record on a packet-by-packet basis the kinds of traffic your DNS server receives. The information in these packets can help you determine the cause of a problem, or it can be analyzed by Microsoft technical
FIGURE C.15
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:10 AM
Configuring DNS Events log file properties
Color profile: Generic CMYK printer profile Passport / MCSE/MCSA Windows Server Composite Default screen
348
2003 Active Directory Certification Passport / Culp / 222575-0 / Appendix C
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
support who may need to help in cases where debugging is required to figure out root cause. These debugging options are not turned on by default because the writing of packets to a log file can be resource intensive. Make sure there’s a problem that warrants this before enabling these options. That said, setting up DNS to take advantage of the new debugging options is a snap. Here’s how: 1. Open DNS, right-click on the DNS server you are managing, and choose Properties from the context menu. 2. Click the Debug Logging tab. 3. Click the Select Log Packets For Debugging option and select the events that you want the DNS server to record.
Travel Advisory This will take some experimentation on your part, but you need to select a packet direction, a transport protocol, and at least one more option to get meaningful information from debug logging. Notice that several of the options are enabled by default.
Summary DNS serves as the central name resolution component of a Windows Server 2003 network and is even required for certain components like Active Directory. In this appendix, you were introduced to (or reviewed) how the DNS hierarchy is put together, and how it has been integrated in Microsoft software. We examined important tasks when configuring the domains and zones on a DNS server, including how to set up and manage a zone, the different types of zones possible, and how zone information can be replicated from server to server. Finally, we looked at how the DNS service can be managed and monitored, discussing utilities such as Nslookup and the Event Viewer. Much of this book, and indeed the rest of your MCSE studies, rely heavily on your understanding of DNS.
P:\010Comp\Passport\575-0\appc.vp Tuesday, August 05, 2003 10:34:11 AM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 349
Index A A-G-DL-P, group administration sequence, 168–169 A (host) records, 332, 338 access control entries (ACEs), 84 access control lists. See ACLs (access control lists) access tokens logon and, 152 user accounts and, 12 account policies, 184–185, 282 ACEs (access control entries), 84 ACLs (access control lists) access tokens and, 12, 152 DACL (Discretionary Access Control List), 10–11 delegation of control and, 50–52 DNS zones and, 331 Group Policy and, 234 NTFS permissions and, 186 site properties and, 32 user accounts and, 12 Active Directory features in Windows Server 2003, 6–7 GPOs for managing, 229–232 installing. See installing Active Directory logical components. See logical components namespace. See DNS (Domain Name System) objects, 10–13 physical components. See physical components schema. See schema single domain recommendation, 22 technologies built on, 4–5 tools, 20–21 uninstalling, 98–99 Active Directory Domains and Trusts changing forest functional level, 106
functions of, 20–21 Active Directory-integrated zones, 340–341 Active Directory Migration Tool (ADMT), 161 Active Directory Setup Wizard. See DCPROMO Active Directory Sites and Services configuring site boundaries, 33–34 creating Global Catalog servers, 55–56 creating site link bridges, 44 creating sites, 27–30 functions of, 21 moving subnets, 34–35 site link configuration, 39–41 site properties, 31–32 Active Directory Users and Computers BuiltIn, 171–175 functions of, 20 GPO creation, 229–232 group creation, 164 RSoP queries, 238 Users, 171, 176–178 Add/Remove Programs, 279 .adm files, 217–218 administrative control. See delegation of control Administrative Templates, 215–218 changing, 217–218 configuring, 215–216 Administrator mode, Authorization Manager, 88 ADMT (Active Directory Migration Tool), 161 Advanced System Information policy, 240–241 application directory partitions, 99–101 applications advertisement, 267 replicating data, 36 assigning software to computers, 273–274 to users, 271–272
349 P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:39 PM
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
350
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 350
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
attributes Active Directory database, 10 deactivating schema attributes, 125–126 Global Catalog, 8, 57–58 NTFS, 185 replicating schema attributes, 126–127 schema, 120 user accounts, 8 authentication exam objectives, 202–203 networking and, 3 password policies, 182–185 smart cards and, 179–182 authoritative restores, 133, 135 Authorization Manager creating authorization store, 89–90 delegation of control and, 88 modes, 88
B Block Policy Inheritance, 221–222, 231 bridgehead servers, 45–46 BuiltIn container, 171–175
C cache schema, 122 universal group membership, 59–61 caching-only DNS servers, 337 CACLS utility setting permissions with, 186–187 switches, 187 career path core elective exams, 308 core exams, 307, 310-311 elective exams, 308–309, 311 latest information, 312 MCP (Microsoft Certified Professional), 307 MCSA (Microsoft Certified Systems Administrator), 310 MCSE (Microsoft Certified Systems Engineer), 307 networking systems, 307 upgrade paths, 309–310, 312 CAs (certification authorities) digital certificates and, 245 smart cards and, 180 CD, accompanying this book help file, 306
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:39 PM
Master Exam, 305–306 technical support, 306 certification. See career path certification authorities (CAs) digital certificates and, 245 smart cards and, 180 child domains, 93–95 classes deactivating schema classes, 125–126 of schema objects, 8, 121–122 collections, object attributes, 10 comma-separated value (CSV), 162 Comma Separated Value Directory Exchange (CSVDE) utility, 162–163 command line Group Policy utilities, 242–243 permissions management, 186–188 Secedit tool, 294–295 user account management, 158–159 compat.inf, 286 compression inter-site replication and, 38–39 intra-site replication and, 38 computer accounts managing with NETDOM utility, 131–132 overview, 11–12 Computer Management, 164 computer settings, Group Policy applying at start up, 218–219 disabling, 224 overview, 213 software settings, 213 Windows settings, 213–214 computers, assigning software to, 273–274 conditional DNS forwarding, 332–334 configuration data, replicating, 36 core elective exams, MCSE certification, 308 core exams, MCSE certification, 307 costs replication, 42 site links, 43 CSPs (Cryptographic Service Providers), 181 CSV (comma-separated value), 162 CSVDE (Comma Separated Value Directory Exchange) utility, 162–163
D DACL (Discretionary Access Control List), 10–11 database log files, 16
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 351
Index
dcdiag (Domain Controller Diagnostic Tool), 49, 137–138 DCPROMO (Active Directory Setup Wizard) adding additional domain controllers, 95–96 creating child domains, 93–95 creating first domain controller, 47–48 creating new domains, 16 creating new tree in an existing forest, 97–98 database log file location, 16 Directory Services Restore Mode and, 18–19 DNS installation and, 324 DNS server installation, 18–19 domain controller behavior, 93 launching, 15 NetBIOS domain names, 16 RAS and, 18 removing domains, 98–99 SYSVOL location, 17 DDNS (Dynamic DNS), 337, 338–340 debugging options, DNS (Domain Name System), 346–348 delegation of control, 50–54, 83–90 ACLs (access control lists) and, 50–52 Authorization Manager, 88–90 Delegation of Control Wizard, 52–54, 85–86 Group Policy and, 234–237 overview, 83–85 planning OU structure, 86–88 Delegation of Control Wizard, 52–54, 85–86 Deny permissions, Group Policy, 233 deployment. See software distribution policies Developer mode, Authorization Manager, 88 DFS (Distributed File System), 26–27, 267 DHCP (Dynamic Host Configuration Protocol), 337–338 digital certificates, 244–246 directory database centralized database of users, 4 overview, 7–8 directory partitions, 99–101 directory service centralized database of users, 4 overview, 3–4 server and workstation components, 3 Directory Service Event Log, 49 Directory Services Add (dsadd) utility, 158
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:39 PM
Directory Services Modify (dsmod) utility, 158–159 Directory Services Move (dsmove) utility, 160 Directory Services Remove (dsrm) utility, 159 Discretionary Access Control List (DACL), 10–11 Distributed File System (DFS), 26–27, 267 distribution groups, 165 DNS (Domain Name System) Active Directory-integrated zones, 340–341 components of, 314–315 conditional DNS forwarding, 332–334 debugging options, 346–348 dynamic DNS, 338–340 Event Viewer, 346 forward lookup name resolution, 320–322 forward lookup zones, 326–327 FQDNs, 315–317 host name resolution, 319–320 installing and configuring DNS servers, 324–326 integrating with Active Directory, 340–342 integrating with DHCP, 337–338 Ipconfig utility, 346 iterative queries, 322 managing DNS server options, 326 Nslookup troubleshooting tool, 345 overview, 9–10, 314 recursive queries, 322 resource records, 318–319, 343–345 reverse lookup zones, 327–328 reverse queries, 322–324 server roles, 334–337 stub zones, 331–332 transferring zone information, 342–343 zone properties, 328–331 zones, 317–318 DNS resolvers, 315 DNS servers installing and configuring, 324–326 managing options, 326 roles, 334–337 Domain Admins group, 237 Domain Controller Diagnostic Tool (dcdiag), 49, 137–138
351
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
352
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 352
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
domain controllers adding additional, 95–96 creating, 47–48 data replicated by, 35–36 installing and configuring, 91 ISTG (Inter-Site Topology Generator), 46 overview, 47 planning deployment of, 48 domain data, replicating, 36 domain functional level setting, 101–104 steps in raising, 104 domain local groups, 166, 169 domain models NT domain model, 5 upgrading, 22 Windows 2000, 6 Windows Server 2003, 6–7 domain name servers, 315. See also DNS servers domain naming master functions of, 62 illustration of, 65 name consistency between domains, 9 seizing, 68 transferring, 66 domain structure. See forest and domain structure domain user accounts creating, 155–158 overview, 154 parts of, 156 domain-wide operations master roles, 62–65 domains child domains, 93–95 creating new, 16 design recommendations, 22 GPO processing order and, 220 overview, 77–79 removing, 98–99 trust relationships and, 5–6 dsadd (Directory Services Add) utility, 158 dsmod (Directory Services Modify) utility, 158–159 dsmove (Directory Services Move) utility, 160 dsrm (Directory Services Remove) utility, 159 Dynamic DNS (DDNS), 337, 338–340 Dynamic Host Configuration Protocol (DHCP), 337–338
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:39 PM
E effective permissions GPOs (Group Policy Objects) and, 236 NTFS permissions, 191–192 viewing, 199–200 elective exams, MCSE certification, 308–309 Enterprise Admins group, 237 errors, event logs and, 143 event logs Directory Service Event Log, 49 security settings and, 282 troubleshooting Active Directory, 143–145 Event Viewer, 346 exam objectives authentication, 202–203 forest and domain structure, 145 Group Policy, 252 groups, 202 NTFS permissions, 203 OUs (organizational units), 203 physical components, 69–70 restoring Active Directory, 145 security settings, 298–299 software distribution policies, 298–299 troubleshooting Active Directory, 145 external trusts, 109–110
F file permissions configuring, 188–189 copying and moving files and, 194–196 NTFS permissions and, 190 overriding folder permissions, 191 File Replication Service (FRS) monitoring, 50 replicating SYSVOL, 132 file system security, 282 files, NTFS attributes, 185 filtering, Group Policy, 227–229 flexible single master operations roles. See FSMO (flexible single master operations roles) folder permissions, 188 configuring, 188–189 copying and moving folders and, 194–196 file permissions overriding, 191 folder redirection, 246–250 advantages of, 247 configuring redirected folder, 250
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 353
Index
example, 248–249 overview, 246–247 folders access control, 186 NTFS attributes, 185 forest and domain structure, implementing adding additional domain controller, 95–96 creating and configuring application data partitions, 99–101 creating child domains, 93–95 creating forest root domain, 92–93 creating new tree in an existing forest, 97–98 external trusts, 109–110 forest trusts, 111–112 installing and configuring domain controllers, 91 Q & A, answers, 116–117 Q & A, questions, 113–116 realm trusts, 112–113 removing domains, 98–99 setting domain functional level, 101–104 setting forest functional level, 105–107 trust relationships and, 107–109 forest and domain structure, managing deactivating schema class or attributes, 125–126 exam objectives, 145 NETDOM utility, 131–132 object definitions, 121–122 Q & A, answers, 149–150 Q & A, questions, 146–148 replicating schema attributes in Global Catalog, 126–127 routing name suffixes across forests, 128–130 schema and, 120–121 schema modifications, 122–125 schema security, 122 schema storage and cache, 122 UPN collisions, 130–131 UPN suffixes, 127–128 forest functional level comparing, 106 setting, 105–107 forest trusts, 111–112 forest-wide operations master roles, 61–62 forests components of, 92
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:39 PM
creating new tree in an existing forest, 97–98 cross-forest trusts, 7 Global Catalog servers and, 56 overview, 81–82 routing name suffixes across, 128–130 forests root domain, 92–93 forward lookup name resolution, 320–322 forward lookup zones, 317, 326–327 FQDNs (fully qualified domain names), 315–317 FRS (File Replication Service) monitoring, 50 replicating SYSVOL, 132 FSMO (flexible single master operations roles) domain-wide operations master roles, 62–65 forest-wide operations master roles, 61–62 illustration of, 65 seizing, 67–68 transferring, 66 fully qualified domain names (FQDNs), 315–317
G Global Catalog functions of, 55 overview, 8–9 replicating schema attributes in, 126–127 Global Catalog servers adding attributes, 57–58 data replicated by, 36–37 implementing, 55–56 strategy for placing, 54–55, 58–59 universal group caching and, 59–61 global groups, 166, 169 globally unique identifiers (GUIDs), 78 GPOs (Group Policy Objects). See also Group Policy defined, 210 importing security templates into, 289–290 linking multiple GPOs to sites, 220–221 local GPOs, 212–214, 219 managing Active Directory, 229–232 properties, 230 storing, 225–226 Gpresult utility, 241–242 Gpupdate utility, 243
353
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
354
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 354
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
Group Policy, 210–257 administrative control with, 11 Administrative Templates, 215–218 Advanced System Information policy, 240–241 applying, 218 automatic enrollment of user certificates, 244–246 delegation of control and, 234–237 disabling user and computer settings, 224 exam objectives, 252 exceptions to processing order, 221–223 filtering, 227–229 folder redirection, 246–250 functions of, 211–212 GPO permissions, 232–234 GPOs for Active Directory management, 229–232 Gpresult utility, 241–242 Gpupdate utility, 243 group membership restriction, 250–251 inheritance, 227 local group policy object, 212 local policy configuration, 212–214 processing order, 219–221 Q & A, answers, 256–257 Q & A, questions, 252–256 refresh interval, 242–243 RSoP and, 237–240 rules for applying, 226–227 scope, 219 security settings. See security policies site properties and, 32 slow link processing, 224–225 software distribution. See software distribution policies software settings, 214 storage location, 225–226 user environment configuration, 211–212, 243–244 Windows settings, 214–215 Group Policy containers, 225 Group Policy Object Editor accessing, 230, 233 removing software with, 279 Group Policy Objects. See GPOs (Group Policy Objects) Group Policy templates, 225–226 groups adding members to, 167–168
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:39 PM
built-in and predefined, 171–178 compared with OUs, 82 creating, 164–167 domain functional levels and, 167 exam objectives, 202 membership restrictions, 250–251 nesting, 168–169 overview, 12, 163–164 Q & A, answers, 207–208 Q & A, questions, 203–206 scope, 166, 169 types of, 165 universal groups, impact on replication, 169–171 GUIDs (globally unique identifiers), 78
H hisec*.inf, 286 host (A) records, 332, 338 host names, resolving, 319–320
I informational event logs, 143 infrastructure master functions of, 64 illustration of, 65 transferring, 66 inheritance Group Policy, 227 NTFS permissions, 193–194 installing Active Directory, 13–23 Active Directory Setup Wizard, 14–15 overview, 13–14 prerequisites for, 14–15 inter-site replication, 38–39 Inter-Site Topology Generator (ISTG) bridgehead servers and, 45–46 function of, 46 Internet Protocol (IP), 40 InterNIC, 316 intra-site replication, 37–38 IP (Internet Protocol), 40 IP Security policies, 283 Ipconfig utility, 346 ISTG (Inter-Site Topology Generator) bridgehead servers and, 45–46 function of, 46 iterative queries, DNS (Domain Name System), 322
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 355
Index
K KCC (knowledge consistency checker) application directory partitions and, 100 domain controllers and, 47 intra-site replication and, 37–38 key values, in directory database, 7–8 knowledge consistency checker. See KCC (knowledge consistency checker)
L LDAP (Lightweight Directory Access Protocol), 100, 121 LDIFDE (Lightweight Directory Access Protocol Interchange Format Directory Exchange) utility, 163 local GPOs configuring, 212–214 overview, 212 processing order, 219 local policies, 282 local user accounts, 153–154 logical components, 76–83 domains, 77–79 forests, 81–82 OUs (organizational units), 82–83 overview, 76–77 trees, 79–80 logical namespace, DNS, 315 logon access tokens and, 152 applying user and computer settings at, 218–219 Global Catalog and, 55 Install this application at logon option, 280 logon domains, 9 logs, 143 Loopback setting, Group Policy, 222–223
M MCP (Microsoft Certified Professional), 307 MCSE (Microsoft Certified Systems Engineer), 307 members, adding to groups, 167–168 membership restrictions, groups, 250–251 methods, Active Directory object attributes, 10 Microsoft Certified Professional (MCP), 307 Microsoft Certified Systems Engineer (MCSE), 307
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:40 PM
355
Microsoft Management Consoles. See MMCs (Microsoft Management Consoles) Microsoft Operations Manager (MOM), 50 Microsoft Windows. See Windows migration features, Active Directory, 6–7 MMCs (Microsoft Management Consoles) custom vs. prefigured, 21–22 Schema Management snap-in, 57–58, 121, 123 Security Configuration and Analysis snap-in, 291 Security Templates snap-in, 284–286 MOM (Microsoft Operations Manager), 50 monitoring Network Monitor, 140–143 replmon (Replication Monitor), 138–140 MOVETREE, migration of user accounts, 161–162 .msi files (Windows Installer packages), 265–266 benefits of, 262–263 compared with .zap files, 264–265 creating, 265–266 .mst files (transforms), 267 multiple users, 162–163
N Name Server (NS) records, 317, 330–331, 332 namespace. See DNS (Domain Name System) nesting groups, 168–169 NetBIOS, domain names, 16 NETDOM utility, 131–132 NETLOGON share, 50 Network Monitor, 140–143 Networking Systems exams, 307 No Override option, Group Policy, 222 nonauthoritative restore, 134–135 normal restores, 133 notification process, intra-site replication, 38 NS (Name Server) records, 317, 330–331, 332 Nslookup, 323, 345 NT domain model scalability of, 5 upgrading, 22 NTDSUTIL creating application directory partitions, 100 seizing operations master roles, 68 NTFS permissions access control for files and folders, 186
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
356
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 356
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
combining with share permissions, 192–193 command line management, 186–188 compared with share permissions, 191–192 copying and moving files and folders and, 194–196 default permission for Windows Server 2003, 189–190 effective permissions, 191, 199–200 exam objectives, 203 file-level and folder-level configuration, 188–189 file permissions, 190 folder permissions, 188 inheritance, 193–194 overview, 185–186 Ownership attribute, 196–198 special access permissions, 196–198 summary of, 193
O object identifiers (OIDs), 125 objects ACLs and, 50–52 classes, 121–122 computer accounts, 11–12 definitions, 121–122 Global Catalog, 8 groups, 12 moving within OUs, 201–202 printers, 12–13 schema and, 120 schema classes, 8 shared folders, 13 stored in Active Directory, 10–13 user accounts, 12 OIDs (object identifiers), 125 operations master roles. See FSMO (flexible single master operations roles) organizational units. See OUs (organizational units) OUs (organizational units), 200–202 creating, 201 exam objectives, 203 GPO processing order and, 220 moving objects within, 201–202 organizing Active Directory objects in, 200–201 overview, 82–83
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:40 PM
planning OU structure, 86–88 Q & A, answers, 117, 207 Q & A, questions, 114-115, 203 Ownership attribute, NTFS permissions, 196–198
P packages, Windows Installer, 262–263 passwords complexity requirements, 184–185 domain user account options, 157 policy settings, 182–183 strong password recommendations, 183–184 PDC Emulator master functions of, 63 illustration of, 65 transferring, 66 performance features in Active Directory, 7 monitoring replication traffic, 48–50 permissions, 234 compared with user rights, 164 contrasted with trusts, 5 delegation of control and, 51 GPO permissions, 232–235 NTFS permissions. See NTFS permissions setting from command line, 186–188 physical components, 25–74 creating domain controllers, 47–48 creating sites, 27–30 data replicated by domain controllers, 35–36 data replicated by Global Catalog servers, 36–37 delegation of control, 50–54 deleting sites, 31 domain-wide operations master roles, 62–65 exam objectives, 69–70 forest-wide operations master roles, 61–62 Global Catalog server attributes, 57–58 Global Catalog server implementation, 55–56 Global Catalog server strategy, 54–55, 58–59 inter-site replication, 38–39 intra-site replication, 37–38 ISTG (Inter-Site Topology Generator), 46
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 357
Index
monitoring Active Directory replication, 48–50 monitoring FRS replication, 50 moving subnets, 34–35 overview, 26 planning domain controller deployment, 48 preferred bridgehead servers, 45–46 Q & A, answers, 73–74 Q & A, questions, 70–73 renaming sites, 30–31 replication schedule configuration, 41–43 seizing operations master roles, 67–68 site boundaries, 32–34 site link bridges, 43–45 site link configuration, 39–41 site link costs, 43 site management, 26–27 site properties, 31–32 transferring FSMOs, 66 universal group caching and, 59–61 pointer (PTR) records, 338 policies. See Group Policy primary DNS servers, 334–335 primary restores, 133, 134 primary zones, 318, 334 printers, 12–13 private keys, digital certificates and, 245 processing order, Group Policy exceptions to, 221–223 overview, 219–221 properties Active Directory object attributes, 10 DNS zones, 328–331 GPOs (Group Policy Objects), 230 sites, 31–32 PTR (pointer) records, 338 public key policies, 283 public keys, 245 publishing software, 269–271
Q Q & A, answers domain structure, 116–117 forest and domain structure, 149–150 Group Policy, 256–257 groups, 207–208 OUs (organizational units), 116–117, 207 physical components, 73–74 user accounts, 207–208
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:40 PM
Q & A, questions domain structure, 113–116 forest and domain structure, 146–148 Group Policy, 252–256 groups, 203–206 OUs (organizational units), 114, 203 physical components, 70–73 user accounts, 206–207 queries, DNS iterative queries, 322 recursive queries, 322 reverse queries, 322–324
R realm trusts, 112–113 recursive queries, 321, 322 refresh interval, Group Policy, 242–243 registry, security settings, 282 relative ID master. See RID (relative ID) master repadmin (Replication Diagnostic Tool), 49, 136–137 replicating schema attributes in Global Catalog, 126–127 replication, 35–46 data replicated by domain controllers, 35–36 data replicated by Global Catalog servers, 36–37 features in Active Directory, 7 inter-site replication, 38–39 intra-site replication, 37–38 ISTG (Inter-Site Topology Generator), 46 monitoring Active Directory replication, 48–50 monitoring FRS replication, 50 preferred bridgehead servers, 45–46 protocols, 40–41 schedule configuration, 41–43 site link bridges, 43–45 site link configuration, 39–41 site link costs and, 43 troubleshooting, 136–140 USNs and, 37 Replication Diagnostic Tool (repadmin), 49, 136–137 replication interval, 39, 42 Replication Monitor (replmon), 49–50, 138–140
357
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
358
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 358
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
replication traffic controlling, 26 monitoring, 48–50 universal group caching and, 59–61 universal groups impact on, 169–171 replmon (Replication Monitor), 49–50, 138–140 Request for Comments (RFCs), 323 resource records, DNS (Domain Name System), 318–320, 343–345 restoring Active Directory, 132–136 authoritative restore operation, 135 exam objectives, 145 nonauthoritative restore operation, 134–135 primary restore operation, 134 restore types, 133–134 SYSVOL and, 132–133 restricted groups, 251, 282 Resultant Set of Policy. See RSoP (Resultant Set of Policy) reverse lookup zones, 317, 327–328 reverse queries, DNS (Domain Name System), 322–324 RFCs (Request for Comments), 323 RID (relative ID) master functions of, 63 illustration of, 65 transferring, 66 ring topology, intra-site replication, 37–38 root-level, DNS names, 316 RSoP (Resultant Set of Policy) Advanced System Information policy, 240–241 logging mode, 238, 239–240 overview, 237–238 planning mode, 238 queries, 238
S scalability, NT domain model, 5 scheduling, inter-site replication, 39, 41–43 schema deactivating schema class or attributes, 125–126 modifications, 122–125 overview, 8 replicating schema attributes in Global Catalog, 126–127 replicating schema data, 35–36
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:40 PM
role of, 120–121 security, 122 storage and cache, 122 Schema Admins group, 122 Schema Management snap-in adding attributes to Global Catalog, 57–58 modifying schema with, 121, 123 schema master forest root domain and, 92 functions of, 62 illustration of, 65 scope Group Policy, 219 groups, 166, 169 searches, finding objects in other domain with Global Catalog, 9, 55 Secedit command line tool, 294–295 secondary DNS servers, 335–337 secondary zones, 318 secure*.inf, 286 security DACL (Discretionary Access Control List), 10–11 features in Active Directory, 7 NTFS permissions. See NTFS permissions Security Configuration and Analysis snap-in, 291 Security Configuration and Analysis Tool configuring system security, 291–293 exporting security templates, 293–294 overview, 290 security groups, 165 security identifiers. See SIDs (security identifiers) security policies, 281–297 creating/modifying security templates, 288–289 importing security templates into GPOs, 289–290 list of options for, 282–283 security templates and, 284–288 security principal, 155–156 security settings exam objectives, 298–299 Q & A, answers, 302–303 Q & A, questions, 299–302 security templates creating/modifying, 288–289 exporting, 293–294
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 359
Index
importing, 289–290 overview, 284–288 predefined, 287 security levels and, 286 Security Templates snap-in, 284–286 servers, networking and, 3 service set identifier (SSID), 282 service (SRV) records, 337 share permissions combined with NTFS permissions, 192–193 compared with NTFS permissions, 191–192 shared folders, 13 shared system volume. See SYSVOL (shared system volume) SIDs (security identifiers) access tokens and, 152 directory database and, 8 object names and, 30 security related information and, 78 Simple Mail Transfer Protocol (SMTP), 40–41 single master operations, 92 single master replication, 334 site link bridges, 43–45 site links configuring, 39–41 costs, 43 sites boundaries, 33–34 as collections of subnets, 26 creating, 27–30 deleting, 31 GPO processing order and, 220 linking multiple GPOs to, 220–221 moving subnets and, 32–34 overview, 26–27 properties, 31–32 renaming, 30–31 subnet rules and, 32–33 slow link processing, Group Policy, 224–225 smart cards, 179–182 configuring users, 180–181 overview, 179–180 requiring use of, 181 SMTP (Simple Mail Transfer Protocol), 40–41 SOA (Start of Authority) records, 330, 332 software assigning software to computers, 273–274 assigning software to user, 271–272
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:40 PM
life cycle, 260–261 maintaining installed, 277–278 publishing, 269–271 removing, 279–280 setting default installation location, 267–269 upgrading, 274–277 software distribution policies, 260–281 .msi files, 265–266 .zap files, 263–265 additional deployment options, 280–281 application advertisement, 267 assigning to computers, 273–274 assigning to users, 271–272 exam objectives, 298–299 maintaining installed software, 277–278 publishing, 269–271 Q & A, answers, 302–303 Q & A, questions, 299–302 removing software, 279–280 setting software installation default location, 267–269 software life cycle and, 260–261 troubleshooting, 295–297 upgrading, 274–277 Windows Installer and, 262–263 software restriction policies, 283 software settings, Group Policy, 214 special access permissions, 196–198 SRV (service) records, 337 SSID (service set identifier), 282 Start of Authority (SOA) records, 330, 332 storage location, Group Policy, 225–226 strong passwords, 183–184 stub zones, 318, 331–332 subnets creating and assigning, 33–34 moving, 34–35 rules, 32–33 sites as collections of, 26 synchronization features, in Active Directory, 7 system security, 291–293 system services, 282 SYSVOL (shared system volume), 132–133 domain public files in, 132 FRS (File Replication Service) and, 50 items contained in, 133 location of, 17
359
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
360
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 360
MCSE/MCSA WINDOWS SERVER 2003 ACTIVE DIRECTORY CERTIFICATION PASSPORT
T TCP/IP, 324 top-level, DNS names, 316 transforms (.mst), 267, 276 transitive trusts, 107–108 trees creating new tree in an existing forest, 97–98 overview, 79–80 troubleshooting Active Directory dcdiag, 137–138 event logs, 143–145 exam objectives, 145 Network Monitor, 140–143 repadmin, 136–137 replication issues, 136–140 replmon, 138–140 troubleshooting software distribution policies, 295–297 trust relationships cross-forest trusts, 7 domains and, 5–6 establishing, 107–109 external trusts, 109–110 forest trusts, 111–112 NETDOM utility and, 131–132 realm trusts, 112–113 two-way trusts, 107
U universal groups caching membership information, 59–61 changing group scope and, 169 Global Catalog and, 55 group scope and, 166 impact on replication, 169–171 UNIX BIND secondary servers, 342 update sequence numbers (USNs), 37 upgrading software, 274–277 UPN (user principal name) adding/removing UPN suffixes, 127–128 collisions, 130–131 domain user accounts and, 156 routing name suffixes across forests, 128–130 urgent replication, 37 user accounts attributes, 8 command line management of, 158–159 creating domain user accounts, 155–158
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:40 PM
creating multiple users, 162–163 domain accounts, 154 local accounts, 153–154 moving, 159–162 overview, 12, 152–153 Q & A, answers, 207–208 Q & A, questions, 206–207 user environment, configuring, 211–212, 243–244 user principal name. See UPN (user principal name) user rights, 164 user settings, Group Policy applying at start up, 218–219 disabling, 224 overview, 213 software settings, 213 Windows settings, 213–214 users, assigning software to, 273–274 Users folders, default groups in, 176–178 USNs (update sequence numbers), 37
W warnings, event logs, 143 Windows 2000 certification upgrade options, 309–310 domain functional levels and, 102–103 domain model, 6 forest functional level, 105–106 Windows Installer, 262–263 Windows Installer packages. See .msi files (Windows Installer packages) Windows Management Instrumentation (WMI) filters, 228–229 Windows NT 4.0, certification upgrade options, 309 Windows Server 2003 default permissions, 189–190 domain functional levels, 102–103 domain models, 6–7 forest functional level, 105–106 Windows settings, Group Policy, 214–215 Windows Support Tools, 50 Windows.NET Server 2003, forest functional level, 105 WinINSTALL LE, 265–266 WINS servers, 331 wireless network policies, 282 WMI Query Language (WQL), 228
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 361
Index
WMI (Windows Management Instrumentation) filters, 228–229 workgroups compared with domains, 77–78 peer-to-peer, 4 workstations, 3 WQL (WMI Query Language), 228
X XCACLS, 187
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:40 PM
361
Z .zap files, 263–265 zones, DNS Active Directory-integrated zones, 340–341 categories of, 318 changing zone properties, 328–331 forward lookup zones, 326–327 reverse lookup zones, 327–328 stub zones, 331–332 types of, 317 zone transfers, 331, 342–343
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 362
INTERNATIONAL CONTACT INFORMATION AUSTRALIA McGraw-Hill Book Company Australia Pty. Ltd. TEL +61-2-9900-1800 FAX +61-2-9878-8881 http://www.mcgraw-hill.com.au
[email protected]
SOUTH AFRICA McGraw-Hill South Africa TEL +27-11-622-7512 FAX +27-11-622-9045
[email protected]
CANADA McGraw-Hill Ryerson Ltd. TEL +905-430-5000 FAX +905-430-5020 http://www.mcgraw-hill.ca
SPAIN McGraw-Hill/Interamericana de España, S.A.U. TEL +34-91-180-3000 FAX +34-91-372-8513 http://www.mcgraw-hill.es
[email protected]
GREECE, MIDDLE EAST, & AFRICA (Excluding South Africa) McGraw-Hill Hellas TEL +30-210-6560-990 TEL +30-210-6560-993 TEL +30-210-6560-994 FAX +30-210-6545-525
UNITED KINGDOM, NORTHERN, EASTERN, & CENTRAL EUROPE McGraw-Hill Education Europe TEL +44-1-628-502500 FAX +44-1-628-770224 http://www.mcgraw-hill.co.uk
[email protected]
MEXICO (Also serving Latin America) McGraw-Hill Interamericana Editores S.A. de C.V. TEL +525-117-1583 FAX +525-117-1589 http://www.mcgraw-hill.com.mx
[email protected]
ALL OTHER INQUIRIES Contact: McGraw-Hill/Osborne TEL +1-510-420-7700 FAX +1-510-420-7703 http://www.osborne.com
[email protected]
SINGAPORE (Serving Asia) McGraw-Hill Book Company TEL +65-6863-1580 FAX +65-6862-3354 http://www.mcgraw-hill.com.sg
[email protected]
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:40 PM
Color profile: Generic CMYK printer profile MCSE/MCSA Windows Server CompositePassport Default / screen
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:44 PM
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 363
Color profile: Generic CMYK printer profile Passport Windows Server Composite Default/ MCSE/MCSA screen
2003 Active Directory Certification Passport / Culp / 222575-0 / blind folio 364
LICENSE AGREEMENT THIS PRODUCT (THE “PRODUCT”) CONTAINS PROPRIETARY SOFTWARE, DATA AND INFORMATION (INCLUDING DOCUMENTATION) OWNED BY THE McGRAW-HILL COMPANIES, INC. (“McGRAW-HILL”) AND ITS LICENSORS. YOUR RIGHT TO USE THE PRODUCT IS GOVERNED BY THE TERMS AND CONDITIONS OF THIS AGREEMENT. LICENSE: Throughout this License Agreement, “you” shall mean either the individual or the entity whose agent opens this package. You are granted a non-exclusive and non-transferable license to use the Product subject to the following terms: (i) If you have licensed a single user version of the Product, the Product may only be used on a single computer (i.e., a single CPU). If you licensed and paid the fee applicable to a local area network or wide area network version of the Product, you are subject to the terms of the following subparagraph (ii). (ii) If you have licensed a local area network version, you may use the Product on unlimited workstations located in one single building selected by you that is served by such local area network. If you have licensed a wide area network version, you may use the Product on unlimited workstations located in multiple buildings on the same site selected by you that is served by such wide area network; provided, however, that any building will not be considered located in the same site if it is more than five (5) miles away from any building included in such site. In addition, you may only use a local area or wide area network version of the Product on one single server. If you wish to use the Product on more than one server, you must obtain written authorization from McGraw-Hill and pay additional fees. (iii) You may make one copy of the Product for back-up purposes only and you must maintain an accurate record as to the location of the back-up at all times. COPYRIGHT; RESTRICTIONS ON USE AND TRANSFER: All rights (including copyright) in and to the Product are owned by McGraw-Hill and its licensors. You are the owner of the enclosed disc on which the Product is recorded. You may not use, copy, decompile, disassemble, reverse engineer, modify, reproduce, create derivative works, transmit, distribute, sublicense, store in a database or retrieval system of any kind, rent or transfer the Product, or any portion thereof, in any form or by any means (including electronically or otherwise) except as expressly provided for in this License Agreement. You must reproduce the copyright notices, trademark notices, legends and logos of McGraw-Hill and its licensors that appear on the Product on the back-up copy of the Product which you are permitted to make hereunder. All rights in the Product not expressly granted herein are reserved by McGraw-Hill and its licensors. TERM: This License Agreement is effective until terminated. It will terminate if you fail to comply with any term or condition of this License Agreement. Upon termination, you are obligated to return to McGraw-Hill the Product together with all copies thereof and to purge all copies of the Product included in any and all servers and computer facilities. DISCLAIMER OF WARRANTY: THE PRODUCT AND THE BACK-UP COPY ARE LICENSED “AS IS.” McGRAW-HILL, ITS LICENSORS AND THE AUTHORS MAKE NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE RESULTS TO BE OBTAINED BY ANY PERSON OR ENTITY FROM USE OF THE PRODUCT, ANY INFORMATION OR DATA INCLUDED THEREIN AND/OR ANY TECHNICAL SUPPORT SERVICES PROVIDED HEREUNDER, IF ANY (“TECHNICAL SUPPORT SERVICES”). McGRAW-HILL, ITS LICENSORS AND THE AUTHORS MAKE NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE PRODUCT. McGRAW-HILL, ITS LICENSORS, AND THE AUTHORS MAKE NO GUARANTEE THAT YOU WILL PASS ANY CERTIFICATION EXAM WHATSOEVER BY USING THIS PRODUCT. NEITHER McGRAW-HILL, ANY OF ITS LICENSORS NOR THE AUTHORS WARRANT THAT THE FUNCTIONS CONTAINED IN THE PRODUCT WILL MEET YOUR REQUIREMENTS OR THAT THE OPERATION OF THE PRODUCT WILL BE UNINTERRUPTED OR ERROR FREE. YOU ASSUME THE ENTIRE RISK WITH RESPECT TO THE QUALITY AND PERFORMANCE OF THE PRODUCT. LIMITED WARRANTY FOR DISC: To the original licensee only, McGraw-Hill warrants that the enclosed disc on which the Product is recorded is free from defects in materials and workmanship under normal use and service for a period of ninety (90) days from the date of purchase. In the event of a defect in the disc covered by the foregoing warranty, McGraw-Hill will replace the disc. LIMITATION OF LIABILITY: NEITHER McGRAW-HILL, ITS LICENSORS NOR THE AUTHORS SHALL BE LIABLE FOR ANY INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES, SUCH AS BUT NOT LIMITED TO, LOSS OF ANTICIPATED PROFITS OR BENEFITS, RESULTING FROM THE USE OR INABILITY TO USE THE PRODUCT EVEN IF ANY OF THEM HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS LIMITATION OF LIABILITY SHALL APPLY TO ANY CLAIM OR CAUSE WHATSOEVER WHETHER SUCH CLAIM OR CAUSE ARISES IN CONTRACT, TORT, OR OTHERWISE. Some states do not allow the exclusion or limitation of indirect, special or consequential damages, so the above limitation may not apply to you. U.S. GOVERNMENT RESTRICTED RIGHTS: Any software included in the Product is provided with restricted rights subject to subparagraphs (c), (1) and (2) of the Commercial Computer Software-Restricted Rights clause at 48 C.F.R. 52.227-19. The terms of this Agreement applicable to the use of the data in the Product are those under which the data are generally made available to the general public by McGraw-Hill. Except as provided herein, no reproduction, use, or disclosure rights are granted with respect to the data included in the Product and no right to modify or create derivative works from any such data is hereby granted. GENERAL: This License Agreement constitutes the entire agreement between the parties relating to the Product. The terms of any Purchase Order shall have no effect on the terms of this License Agreement. Failure of McGraw-Hill to insist at any time on strict compliance with this License Agreement shall not constitute a waiver of any rights under this License Agreement. This License Agreement shall be construed and governed in accordance with the laws of the State of New York. If any provision of this License Agreement is held to be contrary to law, that provision will be enforced to the maximum extent permissible and the remaining provisions will remain in full force and effect.
P:\010Comp\Passport\575-0\index.vp Tuesday, August 05, 2003 12:28:44 PM