Active Directory® for Microsoft® Windows® Server 2003 Technical Reference

Author: Stan Reimer and Mike Mulcare
Pages: 480
Disk: N/A
Level: Int/Adv
Published: 04/16/2003
ISBN: 9780735615779
Price: $49.99
Index
A
access control entries (ACEs)
overview, 240, 241, 261
role in granting permissions, 265, 270
on Special Permissions interface, 265
viewing, 266-67
access control lists (ACLs)
as basis for permissions, 261, 262, 274
delegating administrative rights, 276-80
modifying Active Directory object permissions, 262
overview, 240-41, 261, 262
viewing, 262, 266-67
access tokens, 241, 250, 261
account domains
decommissioning, 225-26
migrating, 216, 217, 222-26
vs. resource domains, 216
Account Lockout Policy, 372, 374-75
Account Operators group, 366
accounts. See also user accounts
configuring lockout policy, 372, 374-75
lockout duration, 374
lockout threshold, 375
permissions needed to install Active Directory domains, 163
resetting lockout counter, 375
ACEs. See access control entries
ACLs. See access control lists
Active Directory. See also database, Active Directory; objects, Active Directory
administrative autonomy vs. administrative isolation, 118-19
backing up, 423-24
benefits, 12-13
changing domain hierarchy, 129-30
configuring intersite replication, 102-8
conflict resolution, 100, 101
connecting sites together, 103-5
defining domain ownership, 130
delegating GPO administration, 326-27
designing structure, 113-57
domain controller location process, 64-66
Domain Name System and, 61-75, 153
group policy overview, 308-9
history, 3-7
installation options, 163-65
installing, 20, 159-84
installing from restored backup files, 15, 179-80
integrating with other directories, 290-91
key features, 12-13
logical structure, 31-48
migrating from current configuration to, 122, 185-236
monitoring, 395-411
namespace design, 132-43
new features, 14-17
open standards as basis, 7, 8-11
originating updates, 96
partitions in, 15, 32-35
physical structure, 19-31
post-installation tasks, 177
preparing to migrate, 198-205
prerequisites for installing, 159-63
prior directory services, 4-5
removing from domain controllers, 180-84
replicated updates, 96-102
replication model, 77-79
restoring, 424-40
role of LDAP, 7, 10-11
role of schema, 26
role of X.500 namespace, 7, 8-10, 290
scalability, 13
security overview, 239-42
unattended installations, 165, 178-79, 184
upgrading Windows NT domain controllers, 206-9
Active Directory Installation Wizard
completing installations, 176-77
Create New Domain page, 169, 170
Database And Log Folders page, 172
designating file locations, 172-73
Domain Controller Type page, 169, 170
installing Active Directory by using, 167-77
installing DNS Server service, 173-74
NetBIOS Domain Name page, 171, 172
Operating System Compatibility page, 168-69
overview, 164-65
Permissions page, 175-76, 217
removing Active Directory from domain controllers, 180-84
selecting default permissions for user and group objects, 175-76
starting, 164, 167
verifying DNS Server service, 173
Active Directory Migration Tool (ADMT)
identifying service accounts in Windows NT, 227
installing, 219-20
migrating computer accounts, 228-29
migrating global group accounts, 224
migrating service accounts, 230
migrating shared local groups, 229
migrating user accounts, 224-25
overview, 216
Active Directory Schema snap-in
adding new attributes to schemas, 28, 29, 30
associating new attributes with objects, 28
configuring attributes to replicate to GC, 20
deactivating schema objects, 30, 31
registering, 28
transferring schema master role, 23, 25
viewing X.500 OID, 9
Active Directory Service Interfaces (ADSI), 27, 28. See also ADSI Edit snap-in
administrative autonomy, 118
administrative isolation, 118
administrative rights, delegating, 12, 47, 276-80
administrative templates
components of entries, 388, 389
enhanced help files, 386-87
as Group Policy setting type, 48
how to use, 389
list of selected configuration options, 385-86
list of those installed by default, 388
overview, 48, 385
role of group policies, 308
role of registry, 387-88
storage location, 388
vs. Windows NT System policies, 387
Administrator account, 36, 295, 296
administrators
delegating specific tasks, 145-46
need for trust, 116
sharing among domain controllers, 39
sharing within forests, 39
Administrators domain local group, 295
Adprep.exe tool, 213, 214
ADSI (Active Directory Service Interfaces), 11, 28
ADSI Edit snap-in
additional information, 28
deactivating schema objects, 30
modifying object attributes, 262, 287
viewing Active Directory objects, 262, 287
viewing GPC details, 309
viewing partitions, 32, 73
viewing X.500 OID, 9
alerts, creating, 404-6
Allow Inheritable Permissions From The Parent To Propagate To This Object And All Child Objects option, 268
Allow Log On Locally permission, 254
Allow permission, 264, 270
anonymous users, 221-22
Application Data folder, redirecting, 369
application directory partitions
creating, 74-75
maintaining permissions, 35
overview, 15, 34-35, 73
replication topology, 90
viewing, 73
ways to create, 74-75
Application log, 408
applications. See software
Apply Group Policy permission, 318, 319, 320
AS. See Authentication Service
atomic operations, 96
attribute objects, 26
auditing
of administrative permission use, 274-76
enabling before domain restructuring, 221
enabling for changes to Active Directory objects, 274-76
group policy audit settings, 378
authentication. See also Kerberos; trusts
across domain boundaries, 250-51
Active Directory and, 13
delegating, 251-53
overview, 241-42
role of sites, 44
shared secret model, 244
trust relationships, 39-43
Authentication Service (AS), 244, 247, 252
authoritative Active Directory database restores, 431-33
authoritative name servers, 56, 57
authorization, 242
automated system recovery, 430
B
backing up Active Directory, 423-24
backup domain controllers (BDCs), 25, 78, 157, 209
Backup Operators group, 423
base schema objects, 27, 30
baselines, for monitoring Active Directory, 398-99
BDCs. See backup domain controllers
BIND (Berkeley Internet Name Domain) DNS servers, 131, 136, 140-43
BindView Corporation, 216
blocking
group policy inheritance, 316-17
inherited permissions, 268, 269
branch offices, site design for, 154
bridgehead servers, 80, 82, 83, 84, 94, 104, 107-8
bridges, site link, 105-6, 152-53
bv-Admin for Windows 2000 and Windows Server 2003, 216
C
caching
caching-only name servers, 55
universal group membership, 21, 155, 156, 295
Canonical Name (CNAME) resource record, 53
CAs (Certificate Authorities), 107, 256, 258
Category 1 objects, 27
Category 2 objects, 27, 30
certificate authorities (CAs), 107, 256, 258
certificate rules, 379
Certificate Services, 256
certificates
group policy settings, 378
mapping to user accounts, 256-57
PKI and, 256, 257
smart cards and, 258
SMTP replication and, 107
Change Password permission, 263
change stamps, 100
child domains, 36, 37
class objects, 26-27
client computers
backward compatibility issues, 14, 168
configuring security settings by using group policies, 372-78
desktop management overview, 362-64
end-user vs. centralized control, 362
group policies as way to manage, 361-91
how GPOs are applied, 321-25
managing user data, 364
managing user profiles, 364-68
monitoring connections to domain controllers, 400
role of scripts in managing, 389-91
ways to build standard desktops for users, 356-57
ways to manage software by using group policies, 335-59
Comma Separated Value Directory Exchange (CSVDE) tool, 27, 28
command-line tools, 306, 329-30, 410-11. See also Ntdsutil command-line tool; Repadmin command-line tool
Compatws.inf template, 383
compression, 16, 80
computer accounts
creating, 300
migrating from Windows NT to Windows Server 2003, 227-29
vs. user accounts, 354-55
viewing management options, 300
Computer Configuration container
configuring domain-level account policies, 372-76
configuring security settings, 372-78
creating software restriction policies, 380-82
Default Domain Policy, 363
Computer Migration Wizard, 228
computer objects
applying GPOs only to, 320-21
domain controller object as, 299-300
group policy settings, 309
overview, 299-300
conditional forwarding, 69-70
Conf.adm administrative template, 388
configuration directory partition
as forest characteristic, 114
overview, 33
sharing among domain controllers, 38
sharing within forests, 38
Configure Your Server Wizard
creating domain controller role, 167
installing Active Directory by using, 165-67
overview, 163-64
conflict resolution, 100, 101
connection objects
configuring, 85-86
creating, 86
global catalog and, 92
KCC creation, 85
modifying, 85-86
overview, 85
renaming, 85
viewing properties, 91
contact objects, 291
containers
assigning scripts, 390
creating customized tools for delegated administration, 280-82
permissions inheritance, 268-69
Create All Child Objects permission, 262
cross-realm trusts, 259-60
CSVDE (Comma Separated Value Directory Exchange) tool, 27, 28
D
DACLs. See discretionary access control lists
database, Active Directory
changing location, 417
checking for integrity, 416
file location, 19-20, 32, 172-73, 420-22
garbage collection process, 411-12
maintenance, 411-17
managing by using Ntdsutil, 415-17
as Ntds.dit file, 19, 20, 159-60, 420
offline defragmentation, 414-15
online defragmentation, 413-14
semantic analysis, 416
storing, 19-20, 32, 172-73, 420-22
transactions, defined, 421
DC security.inf template, 384
Dcdiag command-line tool, 208, 410-11
Dcpromo.exe file, 164-65, 167
dedicated root domains, 36, 124-25, 130
Default Domain Controllers Policy, 308-9
Default Domain Policy, 308, 363
Default-First-Site-Name site, 45, 103
defragmentation
offline, 414-15
online, 413-14
delegated zones, 57, 58
Delegation Of Control Wizard, 12, 278-80, 326
delegation records, 57, 71
Delete All Child Objects permission, 262
Deny permission, 264, 270, 271
Desktop folder, redirecting, 369
DFS (Distributed File System), 341
digital certificates, 256
directory database. See database, Active Directory
directory schema. See schema, Active Directory
Directory Service log, 109, 408, 410, 411
directory services. See also Active Directory
converting existing platform to Active Directory while upgrading domain controller to Windows Server 2003, 186, 187-89
creating Windows Server 2003 infrastructure and migrating objects into it, 187, 189-91
history, 4-7
moving vs. cloning, 190
prior to Active Directory, 4-5
security accounts manager, 4-5, 190
Directory Services Client, 168
directory system agents (DSAs), 244
disaster recovery
backing up Active Directory, 423-24
from failed domain upgrades, 202-4
planning for, 419-20
discretionary access control lists (DACLs), 240, 241, 261, 262
disk cloning, 356
distributed databases, 51
Distributed File System (DFS), 341
distribution groups, 292-93
DNS servers. See also Domain Name System
acquiring IP addresses, 52
authoritative, 56, 57
BIND vs. Microsoft, 131, 136, 140-43
caching-only name, 55
conditional forwarders on, 69-70
distributed database on, 51
event log, 408
installing service, 161, 162, 163, 173-74
internal vs. external, 133
multimaster configuration, 66-67
primary name, 55, 137
replicating partitions to, 73
secondary name, 55
where to locate, 153
Domain Admins group, 35, 36, 119, 273, 295, 296, 326, 366
Domain Controller Diagnostic tool, 208
domain controller objects, 299-300
Domain Controller Security Policy snap-in, 274-75
domain controllers
backing up, 423-24
backward compatibility issues, 14, 168
as bridgehead servers, 80, 82, 83, 84, 94, 107-8
client process for locating, 64-66
conflict resolution, 100, 101
creating to restore Active Directory, 425-29
Default Domain Controllers Policy, 308-9
garbage collection process, 411-12
installing Active Directory from restored backup files, 15, 179-80
location of Active Directory data files, 19-20, 32, 172-73, 420-22
Metadata Cleanup, 427-28
monitoring usage, 400
moving to new sites, 103
object deletion and, 101-2
operations master roles, 19
originating updates, 96
overview, 20
preventing overload, 209-11
removing Active Directory from, 180-84
replicated updates, 96-102
replicating information between, 77-79
replication process, 95-102
role of configuration directory partition, 33, 38, 114
role of operations masters, 19, 20
role of SRV records, 62-64
security features, 168
at site level, 150
special purpose, 20
update types, 96
upgrading from Windows 2000 Server to Windows Server 2003, 213-15
upgrading from Windows NT to Windows Server 2003, 205-13
upgrading operating system and directory service, 186, 187-89
upgrading to Windows Server 2003, 205-15
what is shared within forest, 38-39
where to locate, 154-55
where to store DNS information, 73-74
domain directory partition, 33, 35
domain local groups
adding global and universal groups to, 296
characteristics, 294
overview, 293, 294
ways to use, 293, 296-98
Domain Migration Administrator (DMA), 216
Domain Migration Wizard, 216
domain models
complete trust, 4
master domain, 4
multimaster domain, 4
single domain, 4, 6, 7
Windows 2000, 6, 7
Windows NT, 4-5
Windows Server 2003, 7
domain modes, 15. See also functional levels
Domain Name System (DNS)
acquiring IP addresses, 52
connecting hierarchical layers, 57, 58-60
designing infrastructure, 131-43
as distributed database, 51
dynamic, 60-61
hierarchical namespace, 50-51, 57
installing service, 161, 162, 163, 173-74
integrating existing and new Active Directory designs, 140-41
internal vs. external namespaces, 132-34, 136
locator service, 61-66
namespace design options, 134-40
overview, 49
prerequisite for Windows Server 2003 to host Active Directory, 161-62
replicating information throughout forest, 73-75
role in locating domain controllers, 61-66
terminology, 54-61
verifying Active Directory support, 161-62
viewing information in Active Directory, 67
ways to deploy service, 153
where to store information, 73-74
Windows Server 2003 Active Directory and, 61-75
Windows Server 2003 enhancements, 69-75
domain names, registered, 134-35
domain naming master, 24, 25, 157, 438, 439
domain owners, tasks of, 130
Domain Rename tools, 189
domain restructure migration path. See also interforest migration
overview, 187, 189-91
performing restructure, 215-17
when to use, 195-96
domain trees, Active Directory, 37-38
domain upgrade migration path
example, 201-2
overview, 186, 187-89
when to use, 193-95
domain upgrade-then-restructure migration path. See also intraforest migration
overview, 187, 191-92
when to use, 197-98
Domain Users group, 274
DomainDnsZones partition, 73, 90
domains, Active Directory. See also root domains
adding to forests, 24, 37
authenticating across, 250-51
boundaries, 121
configuring domain-level security policies for client computers, 372-76
consolidating, 197
converting existing platform to Active Directory while upgrading domain controller to Windows Server 2003, 186, 187-89
creating by using Active Directory Installation Wizard, 169, 170
Default Domain Policy, 308, 363
defining ownership, 130
designing organizational unit structure, 143-49
designing structure, 121-30
functional level concept, 14, 15, 22, 211
hierarchical organization, 36-37, 125-27, 129-30
how many to have, 121-24, 125
implementing group policies between, 327, 328
mixed-mode vs. native-mode settings, 15
multiple, 123-24
naming by using Active Directory Installation Wizard, 171-72
overview, 36
preparing for upgrade of domain controller to Windows Server 2003, 214-15
renaming, 15, 189
restructuring. See domain restructure migration path
single, 121-23
upgrading from Windows 2000 Server to Windows Server 2003, 213-15
upgrading from Windows NT to Windows Server 2003, 125-27, 205-13
upgrading to Windows Server 2003, 205-15
vs. zones, 54
Domains And Trusts administrative tool, 25, 233, 259
drag and drop feature, 305
Dsadd command-line tool, 306
Dsget command-line tool, 306
DsGetDcName function, 65
Dsmod command-line tool, 306
Dsmove command-line tool, 306
Dsquery command-line tool, 306
Dsrm command-line tool, 306
dynamic DNS, 60-61
Dynamic Host Configuration Protocol (DHCP), 60
E
Edb.chk file, 421
Edb.log file, 421
Edbtemp.log file, 421
effective permissions, 270-72
empty root domains, 36, 124. See also dedicated root domains
emulator, PDC, 24-25, 157, 437-38
Enterprise Admins group, 119, 296, 366
event logs
analyzing, 276
Application log, 408
designating file location, 172-73
Directory Service log, 109, 408, 410, 411
DNS Server log, 408
File Replication Service log, 408
group policy settings, 378
Security log, 276, 408
System log, 408
viewing, 408-9
Event Viewer
default logs, 408
as replication monitoring tool, 109, 408
viewing logs, 408-9
Everyone group, 221
Exchange Server, 5, 6, 27, 80, 115, 126, 156, 291, 299
F
file extension activation, 350-51
File Replication Service log, 408
file systems, group policy settings, 378
filtering group policy application, 318-20
flexible single-master operations (FSMO) role, 23
folder redirection
configuring My Documents folder for, 369-72
as Group Policy setting type, 48
location options, 370
offline files and, 372
overview, 368
reasons to use, 368-69
role of group policies, 308
forest root domains. See root domains
forest trusts, 41-43, 232-36
ForestDnsZones partition, 73, 90
forests, Active Directory
adding domains, 24, 37
administrative autonomy vs. administrative isolation, 118-19
assigning functional levels, 22
characteristics, 114
default levels of functionality, 14
defining change control policies, 120
defining ownership, 119-20
designing domain structure in, 121-30
designing structure, 113-20
how many to deploy, 113-19
implementing group policies between, 327, 328
intraforest migration, 231-36
list of functional levels, 22
multiple-tree, 128
overview, 38-39
preparing for upgrade of domain controller to Windows Server 2003, 213-14
raising functional level to Windows 2000 native or Windows Server 2003, 211, 212, 213
restrictions, 115-16
schemas and, 115
single vs. multiple, 115-17
single-tree, 71-72, 128
storing configuration information, 33
storing schema information, 33
trusts within, 40
what is shared among domain controllers, 38-39
when to deploy more than one, 116-17
where to locate root domain controllers, 155
forward lookup zones, 54
forwarders
conditional, 69-70
overview, 58-59
vs. root hints, 60, 137
when not to use, 68
FSMO. See flexible single-master operations role
Full Control permission, 262
fully qualified domain names (FQDNs), 50-51
functional levels
assigning to domains, 22
assigning to forests, 22
default, 14
overview, 14, 22, 212
raising before domain restructuring, 218
raising from Windows 2000 to Windows Server 2003, 22
raising to Windows 2000 native or Windows Server 2003, 211-13
G
garbage collection, 411-12
GC servers. See global catalog servers
GINAs. See Graphical Identification and Authentication dynamic link library
global catalog (GC) servers
overview, 20-21
restoring, 435, 440
in site design, 150
universal groups and, 295
where to locate, 155-56
global catalogs (GCs)
adding attributes, 20
designating domain controllers as, 20-21
as forest characteristic, 114
overview, 20, 21, 23
reduced need for, 16
replication, 91-93
server role, 20-21, 23
sharing among domain controllers, 38
sharing within forests, 38
storing information, 34
what they're used for, 21, 23
global groups
adding to domain local groups, 296
adding users to, 296
characteristics, 294
illustrated, 298
migrating accounts, 222-23
overview, 293, 294-95
vs. universal groups, 299
ways to use, 294-95, 296, 297
when to use, 299
in Windows NT, 299
globally unique identifiers (GUIDs), 64, 100, 310
GPCs. See Group Policy container objects
GPMC (Group Policy Management Console), 330-32
GPOs. See Group Policy Objects
GPResult command-line tool, 329-30
GPTs. See Group Policy templates
GPUpdate command-line tool, 330
Graphical Identification and Authentication (GINA) dynamic link library (DLL), 241
group policies. See also Group Policy Objects
best practices for designing, 332
computer object settings, 309
how they are applied to computers, 321-25
implementing, 311-28
inheritance issues, 314-16
limitations to their use for managing software, 357-59
local vs. Active Directory, 308-9
management tools, 328-32
managing links, 326
modifying default application, 316-21
organizational unit structure and, 146
overview, 307, 308-11
planning for software distribution, 354-57
replicating, 310, 311
types, 308-9
user object settings, 309
as way to manage client computers, 361-91
as way to manage software on client computers, 335-59
ways to use, 308
Group Policy container (GPC) objects
editing, 309
GUIDs for identifying, 310
overview, 309
viewing details, 309
Group Policy Creator Owners group, 326
Group Policy Management Console (GPMC), 330-32
Group Policy Object Editor snap-in
adding to MMC, 312
configuring user profiles, 366-68
configuring Windows Installer in, 352-54
creating GPOs, 312, 313
managing security templates, 384
modifying GPOs, 309, 312, 313
overview, 47-48
types of settings, 48
Group Policy Objects (GPOs)
administering, 313-14
applying only to computers, 320-21
applying only to users, 320-21
blocking inheritance, 316-17
configuring software package properties using, 343-52
for configuring Windows Installer, 352-54
creating, 311, 312-13
delegating administration, 326-27
deploying software by using, 337-42
desktop management options, 362-64
determining optimum number, 332
disabling, 321
for distributing non-Windows Installer applications, 341-42
elements, 309-11
filtering applications, 318-20
how they are applied, 321-25
implementing between domains or forests, 327-28
inheritance issues, 314-16
list of settings, 314
modifying configuration, 313-14
modifying default application, 316-21
No Override option, 317-18
for removing previously installed software, 351-52
Group Policy templates (GPTs), 310
groups
built-in accounts, 295-96
characteristics, 294
creating, 292
designating scope, 293-96
distribution type, 292-93
domain local, 293, 294
global, 293, 294-95
maximum number of members, 79
membership replication improvements, 17
nested, 293, 294
overview, 292
security type, 292, 293, 296-99
selecting default permissions in Active Directory Installation Wizard, 175-76
types, 292
universal, 293, 294, 295
universal group membership caching, 21, 155, 156, 295
ways to use, 294-95
GUIDs (globally unique identifiers), 64, 100, 310
H
hard disks, requirements for Windows Server 2003 to host Active Directory, 160
hardware, requirements for Windows Server 2003 to host Active Directory, 160-61
hash rules, 379
heterogeneous network environments, 10
high-watermark values, 96, 97-98, 99
Hisecdc.inf template, 383
Hisecws.inf template, 383
Host (A) resource record, 53
I
inetOrgPerson object, 17, 290-91
Inetres.adm administrative template, 388
infrastructure master, 25, 157, 439
inheritance
blocking, 268, 269, 316-17
group policy application issues, 314-16
modifying group policy defaults, 316-20
No Override option, 317-18
permission issues, 268-69
in-place upgrades. See domain upgrade migration path
installing Active Directory
installation options, 163-65
prerequisites, 159-63
from restored backup files, 15, 179-80
unattended installations, 165, 178-79, 184
installing software, role of group policies, 48, 308
integrated zones, Active Directory
advantages, 66-67
combining with secondary zones, 67
disadvantages, 67
interforest migration. See also domain restructure migration path
configuring trusts, 232-36
creating trusts, 233-36
vs. intraforest migration, 232
Internet Explorer, 388
Internet Information Services (IIS) Manager, 257
Internet zone rules, 380
interoperability between Kerberos-based systems, 258-60
intersite replication
characteristics, 82
compressing traffic, 16, 80
configuring, 102-8
determining latency, 83
topology generation, 93-95
Inter-Site Topology Generator (ISTG), 94
intraforest migration, 231-32. See also domain upgrade-then-restructure migration path
intrasite replication
characteristics, 81-82
determining latency, 83
topology generation, 86-91
IP addresses, acquiring through DNS, 52
IPSec policies, 378
ISTG. See Inter-Site Topology Generator
K
KDCs (Key Distribution Centers), 243, 244, 247, 248, 249, 252
Kerberos. See also smart cards
authentication process, 245-51
configuration options, 372, 375-76
configuring in Windows Server 2003, 253-54
enforcing user logon restrictions, 375
integrating with PKI, 254-58
interoperability between systems, 258-60
maximum computer clock synchronization tolerance, 376
maximum service ticket lifetime, 375
maximum user ticket lifetime, 376
vs. NT LAN Manager, 13, 242-43
overview, 13, 242, 243-45
Kerberos Tray tool, 249
Key Distribution Centers (KDCs), 243, 244, 247, 248, 249, 252
keys, public and private, 255, 256
KList.exe tool, 249
Knowledge Consistency Checker (KCC), 80, 84-85, 93-95
KRB_AP_REQ message, 248
KRB_TGS_REP message, 248
KRB_TGS_REQ message, 248
L
LAN Manager, 4. See also NTLM
LDAP (Lightweight Directory Access Protocol), 7, 10-11, 65, 290
LDIFDE (LDAP Data Interchange Format Directory Exchange) tool, 27, 28
Ldp.exe tool, 11, 32, 262, 266-67, 287
Lightweight Directory Access Protocol (LDAP), 7, 10-11, 65, 290
lingering object removal, 17
Linux-based systems, in heterogeneous network environments, 10
local group policies, 314
Local Security Authority (LSA), 241
log files. See event logs; transaction logs
logoff scripts, 390
logon
authentication overview, 241-42
Kerberos authentication, 245-48
scripts for, 390-91
universal group membership caching and, 21, 155, 156, 295
loopback processing, 324-25
Lucent VitalQIP DNS servers, 131
M
Mail Exchanger (MX) resource record, 53
mandatory user profiles, 364, 366, 368
mapping certificates to user accounts, 256-57
master domain model, 125
memory, monitoring usage, 400, 401
Metadata Cleanup, 427-28
Microsoft Certificate Authority (CA), 107
Microsoft Exchange Server, 5, 6, 27, 80, 115, 126, 156, 291, 299
Microsoft Management Console (MMC)
as common management interface, 13
creating taskpad views, 281-82
customizing, 280-81
opening, 280
Microsoft Operations Manager (MOM), 276, 397
Microsoft Windows Server 2003. See Windows Server 2003
migration accounts, creating before domain restructuring, 218
migration deployment script, 200-202
migration paths
characteristics of each, 192-98
conducting pilot rollouts, 204
creating deployment script, 200-202
deciding which one to use, 192-98
domain restructure, 187, 189-91, 195-96, 215-17
domain upgrade, 186, 187-89, 193-95, 201-2
domain upgrade-then-restructure, 187, 191-92, 197-98
failed attempts, 202-4
overview, 186-87
preparing for migration, 198-205
recovery plans, 202-4
testing, 204
mixed-mode domain settings, 15
MMC. See Microsoft Management Console
Modify Owner permission, 273
Modify permission, 270
MOM (Microsoft Operations Manager), 276, 397
MS-DOS, 4
.msi files, 336-37, 339, 347
Msiexec.exe program, 336
.msp files, 347
.mst files, 346-47
multicasting, 358
multiple master domain model, 125, 126
My Documents folder, redirecting, 369-72
N
Name Server (NS) resource record, 53
namespaces
hierarchical, 50-51, 57
internal vs. external, 132-34, 136
for new domains, 37
ways to design, 132-43
naming contexts (NCs), 32. See also partitions, Active Directory
native Windows Installer file, 336
native-mode domain settings, 15
nested groups, 293, 294
Net Logon service, 65
Netlogon.dns file, 63
network bandwidth, 340-41
network connectivity, as prerequisite for Windows Server 2003 to host Active Directory, 160
Network Monitor, 161
network operating systems. See LAN Manager; Windows 2000; Windows NT; Windows Server 2003
network share
folder redirection and, 368-72
posting client computer software installation files on, 337
networks, documenting infrastructure, 150
New Taskpad View Wizard, 281-82
New Trust Wizard, 233-36, 259
nonauthoritative Active Directory database restores, 429-31
notifications. See alerts, creating
Notssid.inf template, 384
Novell-based systems, in heterogeneous network environments, 10
NT4Emulator setting, 211
NTDS Site Settings Properties dialog box, 156
Ntds.dit file, 19-20, 159-60, 172, 420
Ntdsutil command-line tool, 23, 24, 415-17, 426, 427, 431, 433, 436
NTLM (NT LAN Manager), 241, 242-43, 260
NTSecurityDescriptor attribute, 261, 266
Ntuser.dat file, 364, 366
O
Object Identifiers (OIDs)
obtaining, 29
viewing in ADSI Edit snap-in, 9
for X.500, 8
object picker feature, 17
objects, Active Directory. See also computer objects; groups; user objects
administering groups, 47-48
blocking group policy inheritance, 316-17
blocking permissions inheritance, 268-69
delegating administrative rights, 276-80
deleting, 101-2
determining ownership, 273
enabling auditing on, 275-76
managing, 285-306
ownership, 273
permissions, 261-74
permissions inheritance, 268-69
printers, 301-3
saving search queries, 305
shared folders, 304-5
viewing Advanced Security Settings, 264-66
ways to grant permissions, 270
Windows Server 2003 command-line tools for administering, 306
offline defragmentation, 414-15
OIDs. See Object Identifiers
Open Systems Interconnection (OSI) directory, 8
operating systems. See Windows 2000; Windows NT; Windows Server 2003
operations masters
domain naming master, 24, 25, 157, 438, 439
infrastructure master, 25, 157, 439
overview, 19, 20, 23
PDC emulator, 24-25, 157
per-domain, 23
per-forest, 23
restoring, 435-40
RID master, 24, 25, 157, 439-40
schema master, 23, 25, 157, 438, 439
transferring, 25
where to locate, 157
organizational charts, vs. organizational units, 145
organizational units, Active Directory
accounts OU, 148
administering groups of objects, 47-48
application OUs, 149
business-unit level, 148
characteristics, 144
as container objects, 46, 262
vs. corporate organizational charts, 145
creating design, 146-49
delegating administrative rights, 47, 145-46, 276-80
department level, 148-49
designing structure, 143-49
group policies and, 146, 314, 316
lower-level, 147-49
overview, 46
project-based OUs, 149
resources OU, 149
top-level, 146-47
types of directory service objects, 46-47
in Windows NT domain model, 5
workstations OU, 149
originating updates, 96
OS/2, 4
OUs. See organizational units, Active Directory
owners, Active Directory objects, 273
P
parent-child model, 36, 37
partitions, Active Directory
application directory, 15, 34-35, 73, 74-75, 90
configuration directory, 33, 38, 114
default storage, 15
domain directory, 33, 35
global catalog, 34
naming scheme, 34-35
overview, 32-35
replicating, 77-79
schema directory, 33
passwords
complexity requirements, 374
configuring policy, 372, 373-74
enforcing history, 373
maximum age, 373
minimum age, 373
minimum length, 374
replicating changes, 84
storing, 374
user account migration and, 224-25
patches, software, 347, 356
path rules, 379-80
PDC emulator, 24-25, 157, 437-38
PDCs (primary domain controllers), 25
peers model, 36
per-domain roles, 23
per-forest roles, 23
performance
adding counters to System Monitor, 408
counters for Active Directory, 399-401
counters for core operating system, 402-3
counters for replication, 401
counters for security subsystem, 402
counters in System Monitor, 406-8
list of counters, 399-401
monitoring Active Directory, 398-409
Performance snap-in
accessing counters, 399
configuring alerts, 403-6
as replication monitoring tool, 109
setting counter properties, 400-403
System Monitor tool, 406-8
permissions
Allow vs. Deny, 270
anonymous users, 221-22
auditing their use, 274-76
avoiding mistakes, 282-83
blocking inheritance, 268, 269
creating delegation structure, 282-83
delegating, 276-80
delegating GPO administration, 326-27
effective, 270-72
inheritance model, 268-69
maintaining in application directory partition, 35
modifying for Active Directory objects, 262, 265-66
needed to install Active Directory domains, 163
planning for delegation, 282-83
vs. privileges, 274
special, 262, 264-67
standard, 262-63
ways to grant, 270
personal identification numbers (PINs), 257
PINs (personal identification numbers), 257
PKI (public key infrastructure), 254-57
Pointer (PTR) resource record, 53
primary domain controllers (PDCs), 25, 78, 157, 206-9. See also PDC emulator
primary name servers, 55, 70-72
primary zones, 55
printer objects
creating, 301
enabling location tracking, 303
managing by using Group Policy Object Editor, 301-2
overview, 301
searching Active Directory for, 301, 302-3
printers
enabling location tracking, 303
publishing in Active Directory, 301-3
pristine forest, 189, 190, 217-22
private keys, 255, 256, 257. See also PKI
privileges, user, 274
propagation dampening, 96, 98
proxy tickets, 251-52
public key infrastructure (PKI), 254-57
Q
queries, Active Directory, saving, 305
R
Read permission, 262, 326
realm trusts, 43, 259-60
Receive As permission, 263
recovery plan, 202-4
registry
group policy settings, 378
HKEY_CURRENT_USER subtree, 364
modifying before domain restructuring, 218-19
neutralizing NT4Emulator setting, 211
path rules, 380
relative identifier (RID) master, 24, 25, 157, 439-40
Remote Installation Services (RIS), 356
remote procedure calls (RPCs), 24, 65
removing Active Directory from domain controllers, 180-84
renaming domains, 15, 189
Repadmin command-line tool, 109, 209, 410
replicated updates, 96-102
replication
Active Directory model, 77-79
boundaries, 121
configuring bridgehead servers, 107-8
conflict resolution, 100, 101
with convergence, 78
determining latency, 82
error examples, 411
of global catalog, 91-93
of group policies, 310, 311
intrasite vs. intersite, 80
loosely consistent, 78
monitoring, 108-9, 410-11
multimaster model, 77, 78
object deletions and, 101-2
partial, 79
performance counters for, 401
process, 95-102
propagation dampening, 87
redundant links, 87-89
role of change stamps, 100
role of site links, 103-5
role of sites, 44
RPC-over-IP connections between sites, 106
RPC-over-IP connections within sites, 106
single-master model, 78
SMTP connections between sites, 106
store and forward process, 78-79
time lag, 83
topology generation, 84-95
transport protocols, 106-7
troubleshooting, 108-9
urgent, 83-84
Windows Server 2003 enhancements, 79-80
replication latency, 83
Replication Monitor
managing replication, 109
overview, 90
starting, 90, 108-9
viewing group policy status, 310, 311
viewing properties of connection objects, 91
viewing USN information, 99
replication rings, 87-91, 92
Res1.log file, 421
Res2.log file, 421
Reset Password permission, 263
resource access boundaries, 121
resource domains, migrating, 216, 217, 226-31
resource records (RRs), 52, 53
Restore Wizard, 434
restored backup files, installing Active Directory from, 179-80
restoring
Active Directory, 425-33
global catalog (GC) servers, 435, 440
operations masters, 435-40
Sysvol folder, 433-34
restricted groups, 378
restricting software use, 379-82
Resultant Set of Policy (RSoP) tool, 326-27, 328-29
reverse lookup zones, 54
RID master, 24, 25, 157, 439-40
rings, replication, 87-91, 92
roaming user profiles, 364, 365, 368
root domains
dedicated, 36, 124-25, 130
designing, 124-25
empty, 36, 124
example, 68
non-dedicated, 36
overview, 36-37
where to locate domain controllers, 155
root hints, 59-60, 68, 69, 71, 137
root servers, 59-60
Rootsec.inf template, 384
RPC-over-IP connections, 106
RSoP tool, 326-27, 328-29
S
SACLs. See system access control lists
SAM (security accounts management), as Active Directory predecessor, 4-5, 190
schema, Active Directory
components, 26
deactivating objects, 30-31
disabling objects, 30-31
extending, 27, 30
forests and, 115
modifying, 27-28
overview, 26
redefining classes and attributes, 16
sharing among domain controllers, 38
sharing within forests, 38
Schema Admins group, 23, 28, 119
schema directory partition, 33
schema master, 23, 25, 157, 438, 439
Schema snap-in. See Active Directory Schema snap-in
scripts
assigning to containers, 390
configuring for Active Directory, 390-91
as Group Policy setting type, 48
logoff, 390
logon, 390-91
role in managing user desktops, 389-91
role of group policies, 308
shutdown, 389
startup, 389
searches, monitoring, 400
Secedit command-line tool, 385
secondary name servers, 55
secondary zones, Active Directory, 67, 68
secret keys, 245, 246
Secure Sockets Layer/Transport Layer Security (SSL/TLS), 243
Securedc.inf template, 383
Securews.inf template, 383
security
Active Directory overview, 239-42
configuring settings by using group policies, 372-78
considerations when migrating resource domains from Windows NT to Windows Server 2003, 226-27
as Group Policy setting type, 48
NTLM issues, 260
role of Active Directory, 13
role of group policies in configuring, 308
subsystem performance counters, 402
security accounts management (SAM), 4-5, 190
Security Configuration And Analysis administrative tool, 384-85
security descriptors, viewing, 262
security groups
creating design, 296-99
overview, 292, 293
as security principals, 292
security identifiers (SIDs), 24, 190, 240, 261, 286. See also SID-History attribute
Security log, 276, 408. See also event logs
security principals, 190, 240, 265. See also computer accounts; groups; service accounts; user accounts
Security Support Provider (SSP), 241-42
security templates
Compatws.inf template, 383
DC security.inf template, 384
default, 382-83
Hisecdc.inf template, 383
Hisecws.inf template, 383
included, 382-85
Notssid.inf template, 384
overview, 382
predefined, 382-85
Rootsec.inf template, 384
Securedc.inf template, 383
Securews.inf template, 383
Setup Security.inf template, 382-83
semantic database analysis, 416
Send As permission, 263
Send To permission, 263
server GUIDs, 100
Server Message Block (SMB), 168
servers. See also DNS servers; global catalog servers
becoming domain controllers, 159
designing locations, 153-57
hosting Active Directory, 159
monitoring health, 408-9
Service Account Migration Wizard, 227
service accounts, 227, 230
service locator (SRV) records
list of components, 62, 63-64
overview, 62
role in client logon, 64-66
sample format, 62
sample Netlogon.dns file, 63
Service Locator (SRV) resource record, 53
service packs, software, 347
service-level agreements (SLAs), 396, 397
session keys, 246, 247, 248
session tickets, 247, 248, 250, 254
Setup Security.inf template, 382-83
shared folder objects
managing, 304-5
publishing to Active Directory, 304-5
searching for shares, 304-5
shared local groups, migrating, 229
shared secret authentication model, 244
shortcut trusts, 128-29
shutdown scripts, 389
SID-History attribute, 190-91
SIDs. See security identifiers; SID-History attribute
Simple Mail Transfer Protocol (SMTP), 106
single sign-on, 10, 12
single-tree forests, 71-72, 128
site design, 82
site link bridges, 105-6, 152-53
site links
configuring, 151
determining cost, 151-52
overview, 103-5
site-level group policies, 314
sites, Active Directory
additional, creating, 103
connecting, 103-5
creating designs, 150-53
creating replication topology, 151
Default-First-Site-Name site, 45, 103
designing topology, 149-58
determining number needed, 150
as element in SRV records, 64
networking infrastructure and, 150
overview, 43-44, 102
replication of information between, 77, 82
replication of information within, 77, 81-82
role in authentication, 44
role in replication traffic, 44
role in site-aware network applications and services, 44
sending information to clients, 66
ways they manage network traffic, 149
Sites And Services administrative tool, 21, 103, 153, 156, 262
SLAs (service-level agreements), 396, 397
slow network connections, 322-24, 355
smart cards, 257-58
SMB (Server Message Block), 168
SMTP (Simple Mail Transfer Protocol), 106
software
assigning to client computers, 338, 339-40
configuring package properties by using group policies, 343-52
creating categories for, 349-50
deploying to workstations or users by using group policies, 337-42
distributing non-Windows Installer applications, 341-42
distribution planning using group policies, 354-57
installing customized packages, 345-47
limitations of using group policies for managing, 357-59
patches and service packs, 347, 356
publishing to users, 338, 339-40
removing by using group policies, 351-52
restriction policies, 379-82
role of group policy in installation, 48, 308
role of Windows Installer technology, 336
updating existing packages, 347, 356-57
upgrading to new version, 347-49
ways to manage on client computers by using group policies, 335-59
whether to deploy via computer accounts or user accounts, 354-55
Software Update Service (SUS), 356-57
source domains, decommissioning, 231
spanning tree algorithm, 86-87
special permissions, 262, 264-67
Special Permissions permission, 264
SRV records. See service locator records
SSL/TLS. See Secure Sockets Layer/Transport Layer Security
standard permissions, 262-63
Start Menu folder, redirecting, 369
Start of Authority (SOA) resource record, 53
startup scripts, 389
stub zones, 70-72
syntax, attribute, 26
system access control lists (SACLs), 240, 262
System log, 408
System Monitor tool
adding counters, 408
configuring options, 407-8
default counters, 406
illustrated, 407
overview, 406
system requirements, for Windows Server 2003 to host Active Directory, 159-63
system services, group policy settings, 378
System.adm administrative template, 388
Sysvol folder, 310, 388, 433-34. See also Group Policy templates
T
taskpads, creating for administration, 281-82
TCP/IP settings, configuring prior to installing Active Directory, 161
TGS. See Ticket-Granting Service
TGT. See Ticket-Granting Ticket
Thawte, 256
thresholds, for monitoring Active Directory, 398, 399
Ticket-Granting Service (TGS), 244, 248
Ticket-Granting Ticket (TGT), 244, 245, 246, 248, 252, 257, 258
tombstone objects, 101, 411-12
topology, replication
application directory partitions and, 90
generating, 84-95
intersite, 93-95
intrasite, 86-91
transaction logs
changing location, 417
moving, 417
overview, 421-22
recovering, 415-16
transactions, defined, 421
transform (.mst) files, 346-47
transitive trusts, 40
transport protocols
for replication, 106-7
RPC-over-IP between sites, 106
RPC-over-IP within sites, 106
SMTP between sites, 106
tree root trusts, 40
trusts
creating before domain restructuring, 218, 222
creating between forests, 232-36
cross-realm, 259-60
between domains, 39, 40-41
as forest characteristic, 114
between forests, 41-43
within forests, 39, 40-41
one-way, 40-41
overview, 39-40
realm, 43
shortcut, 128-29
transitive, 40, 114
tree root, 40
two-way, 114
U
unattended Active Directory installations, 165, 178-79, 184
universal group membership caching, 21, 155-56, 295
universal groups
adding to domain local groups, 296
adding users to, 296
characteristics, 294
vs. global groups, 299
overview, 293, 294, 295
ways to use, 295, 296, 297
when to use, 299
UNIX-based systems, in heterogeneous network environments, 10
update sequence numbers (USNs), 96, 97, 99-100
updating software packages, 347, 356-57
upgrading software version, 347-49
UPNs. See user principal names
up-to-dateness vectors, 96, 98, 99, 100
urgent replication, 83-84
user accounts
assigning values to attributes, 286-87
vs. computer accounts, 354-55
creating, 286-88
list of properties, 288
mapping certificates to, 256-57
migrating between domains, 190-91
migrating to Windows Server 2003, 224-25
service-type, 227
specifically for migration, 218
User Configuration container, 363
user desktops. See client computers
user objects
applying GPOs only to, 320-21
attributes, 285-86
vs. contact objects, 291
creating, 286, 287-88
group policy settings, 309
list of account properties, 288
managing, 285-90
mandatory attributes, 286
modifying attributes, 287
naming, 289-90
overview, 285-90
Personal Information property set, 263
property sets, 262-63
security identifiers, 286
selecting default permissions in Active Directory Installation Wizard, 175-76
user principal names (UPNs), 12, 133, 258, 289
user profiles, managing on client computers, 364-68
user rights, group policy settings, 378
users. See user accounts; user objects
Users And Computers administrative tool
creating custom MMC, 280-81
creating user objects, 287-88
Delegation Of Control Wizard, 278-80, 326
domain directory partition and, 33
enabling auditing on Active Directory objects, 275-76
modifying Active Directory objects, 273, 305
multiple item editing, 305
new features, 14
transferring operations master roles, 25
viewing Active Directory objects, 177, 262, 272, 273
V
Validated Write permission, 263
Verisign, 256
W
Windows 95/98, 168
Windows 2000
Active Directory background, 6-7
domain upgrade migration path, 188, 189
how group policies are applied, 322
mixed-mode domain settings, 15
native-mode domain settings, 15
preparing domain for upgrade of domain controller to Windows Server 2003, 214-15
preparing forest for upgrade of domain controller to Windows Server 2003, 213-14
upgrading domains to Windows Server 2003, 213-15
Windows for Workgroups, 168
Windows Installer
configuring by using group policies, 352-54
creating .msi files, 336-37
distributing non-Windows Installer applications, 341-42
overview, 336
Windows Media Player, 388
Windows NT
account domains vs. resource domains, 216, 217
compatibility issues, 175-76
deciding which path to use to migrate to Windows Server 2003, 192-98
decommissioning account domains, 225-26
directory service, 4-5
documenting existing platform before migrating, 199-200
domain models, 4-5
local and global groups, 299
migrating account domains to Windows Server 2003, 222-26
migrating resource domains to Windows Server 2003, 226-31
need for multiple domains, 121-23
neutralizing emulation, 211
preparing for migration to Windows Server 2003 and Active Directory, 198-205
single-master replication model, 78
support for client logon to Windows Server 2003 Active Directory, 168
upgrading domains to Windows Server 2003, 125-27, 205-13
Windows Script Host (WSH), 390
Windows Server 2003
Active Directory administration enhancements, 305-6
Active Directory replication enhancements, 79-80
configuring Kerberos, 253-54
deciding which path to use to migrate to, 192-98
defined, 3
designing server locations, 153-57
DNS enhancements, 69-75
interoperability with other Kerberos implementations, 258-60
new Active Directory features, 14-17
preparing for migration from Windows NT, 198-205
prerequisites for hosting Active Directory, 159-63
upgrading domains, 205-15
Windows Update, 356, 388
Windows XP clients, how group policies are applied, 322
Windows-based systems, in heterogeneous network environments, 10
Winlogon service, 241
Winplayer.adm administrative template, 388
wireless networks, group policy settings, 378
wizards
Computer Migration Wizard, 228
Configure Your Server Wizard, 163-64, 165-67
Delegation Of Control Wizard, 12, 278-80, 326
Domain Migration Wizard, 216
New Taskpad View Wizard, 281-82
New Trust Wizard, 233-36, 259
Restore Wizard, 434
Service Account Migration Wizard, 227
Wldap32.dll file, 11
Write permission, 23, 262, 326
WSH (Windows Script Host), 390
Wuau.adm administrative template, 388
X
X.500 namespace
as basis for Active Directory, 7, 8-10
as naming hierarchy, 8-9, 290
OID for, 8, 29
uniqueness requirement, 9
viewing OID in ADSI Edit snap-in, 9
Z
.zap files, 342
zones
of authority, 56-57
delegated, 57-58
vs. domains, 54
forward lookup, 54
integrated, 66-67
primary, 55
reverse lookup, 54
secondary, 67, 68
Last Updated: April 15, 2003