
[Figure: Group Policy Management console showing the forest flexecom.local with the Default Domain Policy, the Brisbane, Domain Controllers and Toronto containers, Group Policy Objects, WMI Filters, Starter GPOs, Group Policy Modeling and Group Policy Results, and the Scope, Details, Settings and Delegation tabs]

Full Transfers and Incremental Transfers

Standard zone replication can be classified into two types of transfers: full transfer (AXFR messages) and incremental transfer (IXFR messages). Incremental transfer communicates only those records in the primary zone that have changed since the last replication cycle. It assumes that secondary servers already have some version of the zone file with its own serial number. Primary servers keep track of all changes and serial number increments. Servers exchange their serial...

Zone Transfers

To provide reliable and highly available service, you need to maintain at least two copies of each zone. The integrity of information contained in these two zones and the state of synchronization make the difference between a service that works and a service that does not. Replication mechanisms used for this synchronization are getting consistently better in terms of network traffic they generate and the security of exchanges they conduct. The latest improvement in these areas is possible...

Installing LDS

AD LDS, when the role is first installed, is dormant. You will need to run the setup wizard (or the adaminstall command with an answer file) in order to initialize what is called an LDS instance. A good analogy here is an AD DS forest: the forest is a separate instance of AD. Similarly, an ADAM (or LDS) instance is a separate, independent LDAP directory. When a new instance is added, administrators need to treat it as if it were an application partition (naming context) in Active Directory: it has...

Self Test

The following questions will help you measure your understanding of the material presented in this chapter. Read all the choices carefully because there might be more than one correct answer. Choose all correct answers for each question.

Plan and Implement an Organizational Unit Structure

1. Which of the following statements about organizational units are true?
A. An OU is a structure element with the most specific scope in terms of delegation of authority.
B. An OU is a structure element with...

Kerberos Authentication Protocol

Beginning with Windows 2000, Microsoft has relied on Kerberos as the native Active Directory authentication protocol. The currently implemented version of this technology is version 5. Kerberos has a number of advantages over NTLM (NT LAN Manager), which was used in the past in Windows NT- and DOS-based network environments. These advantages are described here: When users attempt to access resources on a member server in a domain, the member server does not need to request...

Netdiag

Successful replication is not possible without functioning network connectivity. Domain controllers must be able to resolve each other's names using DNS and establish a direct network connection using the TCP/IP protocol. Before troubleshooting each of the steps involved in this process in detail (running ping, nslookup, tracert, and so on), you should give Netdiag a try. Netdiag runs some two dozen connectivity and network services tests and displays the results according to the following...

Certification Summary

This chapter discussed some of the main aspects of maintaining your Active Directory environment. After your main AD rollout is complete, you may need to adjust things like schemas, site structure, or trust relationships. This chapter took you through the processes and concepts associated with these tasks. We reviewed the process of replication and site link and schedule management. When planning and managing replication, several things should be kept in mind: what transports are available for...

Replication Monitor (Replmon)

Utilities and command-line tools are great when you have to dig deeper, or if you have an automated process running every so often that collects some data and acts accordingly. However, for day-to-day administration, this may not be the best approach. So Windows Server 2008 provides a few familiar graphical user interface tools that allow user-friendly administration, while providing many of the command-line capabilities. The graphical interface tools, such as Replmon, are not included by...

Plan and Implement an Organizational Unit Structure

We started OU discussions in Chapter 5 and briefly reviewed three main OU structure models, those being geographical, functional, and object type. This chapter briefly revisits these concepts and takes this discussion further. The organizational unit (OU) is an Active Directory container that is used for intra-domain object organization purposes. OU structures can be built separately in each domain, but they may follow the same logical scheme. OUs may contain any types of objects: printers,...

DNS Security

DNS servers maintain critical two-way name resolution links between private networks and the Internet, and as such, they are exposed to external access. This in turn means that they are likely targets for external attacks. This is more true than ever now that your entire corporate network depends on DNS and uses it to store critical addressing information for many core services. Many organizations have demilitarized zone (DMZ) networks, or in other words, segments of the private network...

Analyzing Administrative Requirements

When it comes to OU structure planning, it is up to individual businesses to decide how they want to partition objects between different containers and what logic to use in an overall structure. You can work from the perspective of centralized or decentralized administration: IT, business divisions, objects, projects, geographical divisions, and types of users. The main takeaway is that a single approach will not necessarily fit all possible situations. Most successful implementations combine...

Overview of X

DIT is an abbreviation used to refer to which of the following? (Choose all that apply.)
A. DIT, directory information tree
B. DIT, directory instance tree
C. DIB, directory information base
D. DIB, directory information bit

8. XYZ Corp. has been growing steadily in the last few years and reached a point where centralized administration of directory resources is no longer practical. An administrator wishes to delegate some authority to manage user account objects to another administrator in a...


This may seem a little complicated, so make sure to practice this in the lab. Loopback processing is very important to understand in order to manage server environments efficiently. The bottom line is that without loopback processing, the user policy wins. With loopback processing, regardless of its mode, settings from the computer policy are always applied. As mentioned earlier, policies can be set at several levels: as local security settings, or at the site, domain, or OU level. Remember also that...

Enabling Universal Group Membership Caching

To enable universal group membership caching for a site, follow these steps:

1. Launch Active Directory Sites and Services from the Administrative Tools program group.
2. Expand the tree in the left-hand pane, and select the site you wish to adjust this setting for.
3. In the right-hand pane, right-click NTDS Site Settings and select Properties.
4. Ensure that the Enable Universal Group Membership Caching option is selected.
5. In the Refresh Cache From list, select the site where you want to...

Public Key Infrastructure (PKI)

At the definition level, PKI is a sort of distributed system of trust. All participants within the system trust another, third-party system. To make any sense of this, let's step back for a second and recall our Kerberos discussions earlier in the book. We established that Kerberos is based on symmetric cryptographic algorithms. We also established that any new service request involves a third party, the KDC. Both participants of a conversation trust the KDC explicitly. Every new service...

Elements of DNS

Name resolution in DNS is a fairly complicated process. Each part of this process involves several subroutines and deserves a separate discussion. Before proceeding with technical descriptions of DNS functionality, we need to define the elements and establish some terminology, specifically the purposes of zones and domains. We also discuss the following: what makes each resource name unique and distinguished from other, similar names; name resolution participants; what is the purpose of each type...

Plan and Implement the AD DS Forest and Domain Structure

You are an administrator for a large company, administering one of its domains, dev.flexecom.com. You decided to install Exchange 2000 for users of your domain. When you go through the setup process on one of your domain controllers, you get an error. What is the most likely cause of this problem? (Select the best answer.)
A. You do not belong to the Enterprise Admins group.
B. The Schema Master is unavailable.
C. The Infrastructure Master is unavailable.
D. You do not belong to the Domain...

Using ntdsutil to Seize an FSMO Role

In this exercise, you use ntdsutil to forcibly reconfigure the Active Directory domain naming context to reflect an outage of a PDC Emulator role domain controller.

1. Click Start | Run, type ntdsutil, and press ENTER. This will launch the Ntdsutil command-line interface.
2. At the prompt, type Roles and press ENTER. This will switch the command context to FSMO Maintenance.
3. Type Connections and press ENTER again. Before you can seize the FSMO role, you need to establish a connection to a...

Network Traffic Considerations

Placement of the global catalog server requires careful consideration of several factors; there is no one-size-fits-all approach when it comes to GC placement. Naturally, users must be able to access at least one GC server in order to log on to the network, and, likewise naturally, local GC servers speed up AD queries submitted by users on the local segment of the network. Other applications may also be dependent on global catalog service availability; for instance, Microsoft Exchange 2003 and...

Appendix B

Windows Server 2008 Command Reference. Appendix B lists the more popular command-line tools that were used in this book. This list is by no means complete, but the commands listed should be familiar to 70-640 exam candidates.

Used to install AD LDS instances, aka ADAM.
Used to configure and execute synchronization between AD DS and AD LDS.
This command is used to configure domain security groups during structural preparation of an existing domain forest for Windows Server 2008 domain controller deployment.
This command is used to...

Active Directory Integrated Replication

Zone replication between AD-integrated zones does not need to be configured separately. Since in AD-integrated zones DNS records are LDAP objects, they will be replicated to other domain controllers as if they were plain AD objects. This replication is based on AD replication topology, which will be covered in Chapter 3 in more detail. For the purpose of this discussion, sites are areas of the network connected using high-speed, reliable media such as Ethernet or better. In addition, there is...

Configure a Computer Environment by Using Group Policy

The computer environment consists of installed software and security controls, such as Registry controls, file system controls, service state, and security control. This part of the chapter covers components that create a computer environment, and how group policies can be used to manage this environment. The last section of group policy that we will look at is computer security. This section can be accessed by expanding Computer Configuration, Policies, then Windows Settings, and then opening...

Implementing DNS Services

The DNS server in Windows Server 2008 implements DNS services and is considered to be a core network service. DNS namespace planning is the first step in implementing DNS services. The MMC-based DNS Manager console is used for the bulk of DNS administration; the dnscmd command-line tool must also be used for certain tasks. Secure dynamic updates and application partitions are supported only with Active Directory-integrated zones. Clients must be configured with DNS server addresses and other...

Non-Authoritative Restore

Prior to Windows Server 2008, restoring an AD DS database was not possible by simply using wbadmin (ntbackup in pre-Windows Server 2008 implementations) or third-party tools. In order to perform a non-authoritative restore, administrators had to reboot the failed domain controller into a special operations mode called directory services restore mode (DSRM). This mode enabled operation of a limited number of device drivers that were known to work reliably and also enabled Active Directory...

Active Directory Lightweight Directory Services

Active Directory Lightweight Directory Services (AD LDS) is the next version of ADAM, or Active Directory Application Mode, as it used to be known in Windows Server 2003 and Windows Server 2003 R2. Prior to Windows Server 2008, ADAM was available as a stand-alone distribution at no additional cost from Microsoft. It is now rebranded and incorporated into the OS. AD LDS is based on the same technology as AD DS, in that it runs an LDAP directory that looks and feels just like any other...

Group Policy Architecture

The term group policy that is used so commonly typically refers to group policy objects (GPOs). Each GPO consists of a group policy container (GPC) and a group policy template (GPT). GPCs are simply AD DS objects that represent various GPOs. They have properties, they have permissions, and they otherwise behave like a normal AD DS object would. GPTs are a collection of INF files that define actual settings for a given policy. These INFs are stored in the SYSVOL share on all domain controllers...

Nltest

Nltest contains some functions from other tools such as repadmin and netdom. It allows forcing full or partial synchronizations. It also performs unique commands such as verification of the secure channel setup with a domain, reset of the secure channel, changing the secure channel password, and calling some API functions (DsGetDcName and others). This tool can be very helpful in diagnosing more advanced issues, where it may be necessary to determine how a client interacts with AD DS and what information it...

Plan and Implement Global Catalog Servers

Global catalog (GC) servers are used to store certain portions of directory information in specific locations as designated by an architect or an administrator. The GC is both a network service and an instance of physical storage of AD DS objects. A DC that also acts as a GC is called a global catalog server; all GC servers must be domain controllers, but the opposite need not be true. Suppose we have a corporation with a head office in New York, several locations nationwide, a number of...

Replication and Performance Considerations

With all other factors being equal, it all comes down to how fast you can resolve names. Since DNS name resolution is essentially what makes your network tick (in the absence of major problems elsewhere), DNS performance is paramount. DNS clients do not wait for a reply indefinitely; eventually, they time out. The crucial aspect in maintaining optimal performance is not the horsepower of your DNS machines, although, holding all other things equal, this is important as well. More fundamental to...

Top-Level Domain (TLD) and Second-Level Domain (SLD)

Historically, TLDs were implemented in order to divide the namespace into autonomous areas for different sectors of the economy; for instance, government, education, commercial and nonprofit organizations, and the military all needed their own subdivisions of the namespace, independent of other participants in the namespace. Top-level domains are governed by the Internet Corporation for Assigned Names and Numbers (ICANN), and the number of TLDs available for public use is limited. Queries...

Overview of DNS

PTR records are used for reverse name resolution.
☒ A, C, and D. A is incorrect because SOA records are used to maintain the zone itself. C is incorrect because MX records are used for e-mail service location and routing. D is incorrect because SRV records are used to locate network services.

2. ☑ C. DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa.
☒ A, B, and D. A is incorrect because IPX addresses are resolved using SAP broadcasts, not the DNS service. B...

Performing Autoenrollment

The last step to complete automatic enrollment configuration is to configure group policy for enrollment of users with the Certification Authority. To do this, follow these steps:

1. Click Start | Administrative Tools | Group Policy Management.
2. Expand your domain container and then the Group Policy Objects container, right-click the Default Domain Policy, and click Edit.
3. Expand the User Configuration container, then Policies, then Windows Settings, then Security Settings, and finally,...

Troubleshoot Active Directory

You were troubleshooting Active Directory replication problems and found that automatically generated connection objects that would normally be displayed in the Active Directory Sites and Services MMC snap-in are missing. What should your next step be in diagnosing this issue?
A. Run the repadmin /kcc command.
B. Check KCC-related Registry values.
C. Run the repadmin /showreps command.
D. Run net stop kcc, and then net start kcc.

7. One of the domain controllers in your environment has recently...

Analyzing Business Requirements

AD DS has come a long way since the days of SAM databases in Windows NT 4.0. These days, infrastructure planning is centered a lot more on business requirements and objectives, and not how they fit into technical possibilities and limitations of the Microsoft operating system. Active Directory uses a variety of mechanisms and industry-standard technologies that have made physical limitations of the system a non-problem, even for the largest of companies. If you are upgrading an existing...

Configure Online Responders (OCSP)

In Exercise 10-1 we installed a CA and an OCSP service on the same lab machine, which happened to be our lab domain controller. This is not a configuration that you would want to deploy in a real production environment. In a large environment, you may want to separate OCSP services onto a dedicated server. Regardless of the deployment model you select, we have to configure the OCSP service so that it can enroll with the CA and obtain a proper Online Responder certificate, which it will then...

User Account Passwords

When users log on to the network, they need to identify themselves to the system using a pair of credentials: logon name and password. In addition to the technical limitations that apply to logon names, administrators must also carefully craft their password-related restrictions. In this case, it works the opposite way. The longer the password, the less likely someone will be able to guess it through a dictionary or brute-force attack. Password restrictions are aimed at making passwords long and...

Certification Objective

Although intra-site replication is configured automatically and does not require administrative input, configuring inter-site replication requires a lot more Active Directory replication knowledge as well as knowledge about your network environment. Replication follows replication topologies generated by the Knowledge Consistency Checker (KCC) and also replication schedules. The KCC generates intra-site topology automatically and also configures inter-site topology in a semiautomatic way, but in...

Impact of Master Role Outages

In the case of a Schema Master outage: It will not be possible to create new attributes or classes, or perform any schema modifications. You will not be able to install applications that modify schemas; Exchange Server is a popular example.

An outage of the Domain Naming Master has the following impact: Any operations on domains, such as adding or removing domains to or from the forest, will be disabled.

An outage of the PDC Emulator will result in the following: Urgent replication of...

Global Names Zone

In Windows Server 2008, GlobalNames zone can be configured to enable DNS servers to resolve WINS-like names, i.e., DNS names that do not contain the domain portion of the hostname. This is somewhat similar to using WINS-R records, except with GlobalNames we can completely eliminate WINS servers from the network and fulfill all name resolution requests from the single namespace (that being DNS). GlobalNames zone configuration starts with enabling global names support on all DNS servers on the...

Restartable Active Directory Domain Services

New in Windows Server 2008 is the ability to restart Active Directory just as you restart any other system service. This introduces a key advantage over the process just described, without really breaking any functionality described so far. With restartable AD DS, administrators no longer need to reboot domain controllers into DSRM to perform any of the administrative tasks that may require taking AD DS offline. So in order to perform an authoritative restore, follow these steps: 1. Stop AD DS using...

Plan and Implement the AD Site Topology

Active Directory sites are used to define network segments that are connected using a high-bandwidth, reliable network medium, which distinguishes them from the rest of the network. As mentioned earlier in the chapter, whereas AD domains serve the purpose of logical and geographical segmentation of resources and the security organization of the company's IT infrastructure, sites break up intra-domain replication topologies. The concepts of site and domain are completely distinct: you can...

Installing DNS Services on Windows Server

To perform this exercise, you will need access to at least one server running Windows Server 2008 RC1 or later. It is highly recommended that you download the Release Candidate or a trial version of the software from Microsoft's site and deploy at least two virtual guest servers, using free virtualization platforms such as Microsoft Virtual PC 2007 or Microsoft Virtual Server 2005 R2 SP1 (or any other virtualization technology of your choice). You can download the products using the following links...

Plan a User Authentication Strategy

A proper authentication system is essential to both administrators and users. Administrators must ensure that the system makes it reasonably difficult for intruders to take advantage of potential security problems that will surface from time to time. Users, in turn, want to be certain that their information is safe, that there is no interception or misrepresentation going on, and yet it is still reasonably easy to interact with the system. Remember from Chapter 1 that authentication is a...

Operation Master Dependencies

Let's step back for a bit and summarize what we have learned so far. All of the factors outlined in this part of the chapter will influence your placement of the operation masters. Here is a review of common recommendations on how to place your operation masters: If your infrastructure has only one domain controller, and hence, one domain, which also happens to be the forest root domain, it holds all five of the operation master roles. Whenever possible, place the RID Master and the PDC Emulator...

Repadmin

The Repadmin utility is used to diagnose replication problems. In addition to the standard functionality accessible through MMC snap-ins, this tool can display some information not available elsewhere. This information includes the time stamp of the last successful replication cycle, error codes if this cycle was not successful, the history of all replication metadata and USNs, lookup of naming context replication parameters, SMTP replication settings, and much more. Repadmin allows digging as...

Monitoring Active Directory with Performance Monitor

In addition to monitoring standard hardware performance counters, administrators should pay special attention to the following two performance counter categories: NTDS performance object counters allow for monitoring the extent of activity in Active Directory. They present detailed replication stats and a wealth of LDAP and authentication counters. Database performance object counters provide a wealth of performance information about the Active Directory database functionality and, more...

Active Directory Integrated Zone

In the classic implementation, one primary server stores the only copy of the primary zone. While secondary servers maintain redundant copies of the zone, they would not be able to support DNS zones and respond to queries for records in those zones for a lengthy period of time without being able to contact the primary server. In fact, SOA records contain Expires After fields that control this. Now this problem can be avoided using Active Directory-integrated zones. As discussed previously,...

Delegation and Security Issues

You have two methods for transferring administrative permissions to selected users: you can use the Delegation of Control Wizard, or you can add access control entries (ACEs) to the discretionary access control lists (DACLs) of individual OUs. The Delegation of Control Wizard appears to be easier to use (although this is rather subjective). This wizard takes you step-by-step through the delegation process, whereas manual configuration is more susceptible to human error and may take more time. To delegate...

Group Policy User Security

You can find the associated security policies in the Computer Configuration section | Policies | Windows Settings | Security Settings | Account Policies, which contains three main groups of settings: Password Policy, Account Lockout Policy, and Kerberos Policy. Let's reiterate once again that these settings cannot be modified at the organizational unit or site level; settings defined in the domain policy will become effective. Password policy, account lockout policy, and Kerberos policy were reviewed...

Namespace Considerations

AD uses the DNS namespace as the basis for naming AD domains. Careful planning of the namespace will invariably make it easier to expand AD into new trees and domains, and will also make it easier to access resources using intuitive names. Ease of adding child domains as your network grows will prove critical in the Active Directory namespace life cycle. Choosing a naming structure most appropriate for your organization will undoubtedly be influenced by business factors. Obviously, domain...

Configuring DNS Zone Transfers

Zone transfers are configured in the properties of the primary zones, and during secondary zone setup. Zone transfers may be denied altogether, allowed to any server, allowed only to the servers that are listed on the Name Servers tab (other authoritative servers of the zone), or allowed to other designated servers (which are not necessarily authoritative for the zone). Allowing transfers to any server is a pretty dangerous setting, and it is not recommended. Typically, DNS zones should be configured as...

Delegation of Zones

A DNS server configured with one zone and a domain can self-sufficiently serve all requests for records contained in the subdomain, providing that the subdomain has also been created. You can create resource records in the subdomain exactly as you would in the parent domain. However, if your domain name contains a large amount of records or you simply want to have someone else administer the subdomain, you could also delegate authority for the subdomain to a separate DNS server. Delegation was...

About the Technical Editor

Alex Khassanov has been working with Microsoft technologies for the last 15 years, lately with an emphasis on Directory Services and Microsoft Exchange activities. IT infrastructure assessments and project management take up most of his time in his work as a Senior Consultant for Toronto-based CMS Consulting Inc. Along with a Bachelor of Science degree in mathematics, he holds numerous certifications from different vendors including MCITP Enterprise Administrator, MCSE NT/2000/2003, CCSP, CCNA,...

Group Policy Scope in Active Directory

A key feature of group policies is that they can be configured to have different application scope within the infrastructure. Users or computers that fall into the scope of any given policy can be grouped according to several criteria, such as their location within an OU structure. Different types of users will usually require specific computing environment configurations, and hence, configurations implemented by one particular group policy will not suit all of the users. From the group policy...

Federation Service Proxy

A federation service proxy, as the name implies, is an independent participant in the AD FS system that facilitates communication between untrusted Internet applications that are requesting authentication services and an internal AD DS or AD LDS system. A proxy is deployed to DMZ parts of the network and becomes the only system that is exposed to connections from the partner network. Federation service proxies can and should be deployed on both ends of the federation, in resource partner and...

Impact of Domain Functional Levels on Group Management

As discussed previously, Windows Server 2008 has several domain functional levels and forest functional levels. Please refer to earlier chapters for more information on functional levels. In previous versions of the Windows Server operating system, namely, Windows 2000 and Windows Server 2003, the following features were affected by the domain functional level of each domain in the infrastructure: Group nesting was restricted to distribution groups in mixed mode environments. Group conversion...

Troubleshooting Replication Failures

Replication problems can be caused by a multitude of situations. To determine whether there is a replication problem, check Event Viewer, or use repadmin /showreps to view the status of inbound connections and the most recent replication information. Table 7-2 lists some of the possible error messages and potential causes that result in disrupted replication, but this list is not exhaustive. This condition may be caused by outdated computer account passwords that correspond to domain controllers...

Forwarder Server

As the name implies, forwarder servers are used to designate where to forward queries that cannot be resolved by a DNS server from its locally stored zones or subordinate DNS servers. Windows Server 2003 introduced conditional forwarding, whereby administrators may choose different forwarder servers depending on the domain name. For example, you can configure all requests for the sales.flexecom.com domain to be forwarded to a specific DNS server, as shown in Figure 2-9. Windows Server...

DNS Query Functionality

As we have established, the DNS query process is a dialogue between clients requesting IP addresses of resources and servers that are in possession of this information. Questions and answers are formatted in a special way, and the dialogue is constructed in a special manner depending on the situation. The client asks its preferred DNS server for the IP address of resource ABC. The server then uses its knowledge of the DNS hierarchy to help the client resolve the name. It first checks its cache,...

Configuring Clients

For the DNS service to be used in the name resolution process, clients must be configured accordingly, and at the very minimum they must be configured with the DNS server's IP address. This may be achieved using a variety of methods. In order of increasing priority, these methods are as follows: DHCP-assigned settings, locally configured settings (Figure 3-2), local policy-assigned settings, and domain policy-assigned settings (Figure 3-3). These are discussed in more detail in the following...

Active Directory Domains and Trusts and Active Directory Schema Management Consoles

Schema Master Console

Administrators can look up and transfer forest-wide FSMO server roles, namely, the Domain Naming Master and the Schema Master, using the Active Directory Domains and Trusts and Active Directory Schema management consoles. The AD Domains and Trusts console allows transferring the Domain Naming Master role, and Active Directory Schema, the Schema Master role. Figure 5-1 illustrates the Schema Master properties and transfer page. To use the Active Directory Schema console, you need to register it...

Infrastructure Master

There must be one Infrastructure Master in each domain in an AD DS forest. The Infrastructure Master is responsible for updating group memberships and SID-to-DN mapping between domains, where security groups in the local domain contain members from other domains. Objects stored on a given domain controller may reference other objects from other domains in the infrastructure. Such references are usually implemented as records that contain the GUID, SID, and DN of the referenced object. SIDs are...

Site Links

In order to expand your replication topology beyond a single site, you should first define site links between the sites. Only after site links have been created can connection objects for domain controllers in different sites be generated. In contrast to intra-site replication, inter-site replication needs more administrative intervention before things start working smoothly. When you define site links, you must assign link cost, or a relative number that takes into account actual bandwidth...

Schema Master

Schema Master, as pointed out previously, is one of the two operation masters that can exist on only one domain controller per forest. This role manages access to the only read/write instance of the schema database. To make modifications to the Active Directory schema, you must connect to this server first. In general, schema modifications are not something you do on a daily basis, although schema changes may happen more often in the very early stages of AD and application rollout and break-in...

Dsquery

A standard OS tool set includes Dsquery, which allows querying Active Directory for specific information. It is an LDAP query and modification tool, a typical example of a command-line LDAP client application. To find a specific FSMO server, type dsquery server -hasfsmo <role>, where <role> is the operation master you are looking for; it has to be one of the following: schema, name, infr, pdc, or rid. For example, dsquery server -hasfsmo schema finds the Schema Master. To find out which server in the forest is responsible for...

Deploying Active Directory in Firewalled Networks Using Static RPC

Instead of opening up your firewall to incoming connections on thousands of ports, you may opt to hard-code a dynamic RPC port to a single value using the Registry and open up just one port. This solution makes Active Directory in firewalled networks more feasible in concept; however, it requires a bit of configuration work on the part of domain controller administrators. First, you need to decide which port should be used by your domain controller to replicate. Anything over 50,000 is a valid...
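As an added example (not the book's own script), the following PowerShell pins the AD DS replication and Netlogon RPC endpoints to fixed ports and opens only those ports, plus the RPC endpoint mapper, in the host firewall. The registry value names are the ones Microsoft documents for this purpose (they are not taken from the page), and the ports 55000 and 55001 are arbitrary choices above the 50,000 threshold mentioned above.

```powershell
# Added example: pin AD DS and Netlogon RPC to fixed ports on a domain controller.
# Run elevated on the DC. The services read these values at startup, so restart
# the DC (or the NTDS and Netlogon services) before expecting them to take effect.
$ntdsPort     = 55000   # arbitrary choice above 50,000 (the page's stated threshold)
$netlogonPort = 55001   # arbitrary choice; must differ from $ntdsPort

# Registry locations Microsoft documents for the fixed RPC ports (REG_DWORD values).
$ntdsKey     = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$netlogonKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

Set-ItemProperty -Path $ntdsKey     -Name 'TCP/IP Port' -Value $ntdsPort     -Type DWord
Set-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort' -Value $netlogonPort -Type DWord

# Open only what replication needs: the RPC endpoint mapper (135/tcp), which
# clients still query to learn the pinned port, plus the two fixed ports.
$rules = @(
  @{ Name = 'AD DS - RPC endpoint mapper'; Port = 135 },
  @{ Name = 'AD DS - replication (fixed)';  Port = $ntdsPort },
  @{ Name = 'AD DS - Netlogon (fixed)';     Port = $netlogonPort }
)
foreach ($r in $rules) {
  $n = $r.Name
  $p = $r.Port
  netsh advfirewall firewall add rule name="$n" dir=in action=allow protocol=TCP localport=$p | Out-Null
}

# Verify: read the values back and list the inbound rules just created.
Get-ItemProperty -Path $ntdsKey     -Name 'TCP/IP Port'
Get-ItemProperty -Path $netlogonKey -Name 'DCTcpipPort'
netsh advfirewall firewall show rule name=all | Select-String 'AD DS -'
```

The perimeter firewall between sites must allow the same three TCP ports; the endpoint mapper cannot be omitted, because replication partners learn the pinned port from it.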

Creating an Organizational Unit

In this exercise, you create an organizational unit. Before you begin, make sure that you have Domain Admins- or Enterprise Admins-level privileges.
1. Launch the Active Directory Users and Computers snap-in. It is located in the Administrative Tools folder in the Control Panel.
2. In the console tree, select the domain you are about to manage. If you wish to create an OU within another OU, select the OU that will become the parent container.
3. Right-click the parent container and click New,...

Group Conversion

Group conversion is a process of modifying group type or scope without changing group object identifiers, or group membership for that matter. You can convert any distribution group to a security group of corresponding scope (that is, convert a domain local security group to a domain local distribution group, or vice versa), and you can convert domain local groups or global groups to universal groups, or convert universal groups to global or domain local groups. Note that you cannot convert a...

Caching Server

When you install a DNS server on a fresh Windows Server 2008 installation, it configures itself as a caching-only server by default, until you configure forward lookup zones. Caching is integral to the DNS server, and in the absence of local zones, caching and resolving of domains through root servers is all they do; in essence, caching-only servers are DNS servers that are non-authoritative for any of the zones. Caching servers are best used to decrease response times in local area networks...

DNS Management Tools

Administrators familiar with previous implementations of DNS in Windows Server 2003 and earlier will not be surprised to see very much the same tools in Windows Server 2008. There are two primary DNS management tools in Windows Server 2008: the DNS Manager MMC (dnsmgmt.msc), shown in Figure 3-1, and the dnscmd.exe command-line tool. DNS administration on a Core installation server can be performed using the dnscmd command locally or remotely from another server. The Core installation server can...

Trust Relationships

When a trust relationship is configured between two domains, users from the trusted domain are able to authenticate to the trusting domain. Trusts make it possible to perform cross-domain authentication. Users from the trusted domain are then able to access resources located in the trusting domain, subject to ACL permissions defined on each resource. Trust management operations are available only to enterprise administrators. Trust relationships within each forest in Windows Server 2008 are...

Plan and Implement a Group Policy Strategy

The main objective of group policy implementation is lowered total cost of ownership (TCO) through streamlined management. Administrators benefit from this technology greatly by saving a lot of time and effort that they would otherwise expend in performing tedious tasks on a regular basis. However, you must still spend the time on careful planning and initial configuration of group policies. Before you proceed with group policy deployment, the following must take place: 1. Analyze the existing...

Delegating Permissions

You can create bulk permissions, delegating all the authority to administrative accounts, or you can delegate a very specific role to authorized people. A good example of using delegation is to assign user management rights to a team leader of a department, or to a help desk person responsible for user support in a decentralized administration model. The same effect can be achieved by assigning permissions to security principals manually; however, this would make delegation a tedious task that...

Domain Functional Levels

By default, when you install Windows Server 2008, the vast majority of AD features become available at once. Some advanced features may require all domain controllers in the domain to be updated to Windows Server 2008. Beginning with Windows 2000, domains could be configured to operate in two modes: mixed mode and native mode. Mixed mode ensures that new features delivered with Windows 2000 will not cause compatibility issues with then-existing Windows NT 4.0 domain controllers. This concept was...

Smart Card Authentication

Smart cards store the private key and the corresponding public key in the form of a digital certificate. The private key always remains on the card and is highly sensitive: if it leaks, security is compromised. The public key should be distributed to anyone wishing to conduct encrypted communications with the user in question. When the user inserts the smart card into the reader, this substitutes for the Ctrl-Alt-Del procedure and login information entry. The user is prompted for his or her PIN...

Configure Replication Schedules

There are two basic events that may trigger Active Directory replication: a replication schedule, or changes committed to a domain controller. The first mechanism is specific to inter-site replication and is more complicated, requiring administrators to configure replication intervals and schedules to suit the specific needs of each company. The second mechanism applies to intra-site replication, and as such, administrators need not worry about it. Active Directory replication occurs between all...

Domain Naming Master

There can be only one Domain Naming Master per Active Directory forest. This domain controller must be accessible during addition and removal of domains to and from the forest, and also when you create trusts between domains located in different forests. When you create a new domain, the wizard uses the Remote Procedure Call (RPC) protocol to connect to the Domain Naming Master controller. You must be a member of the Enterprise Admins group to add or remove domains from the forest or have a...

Assigning Permissions

The mechanism described in the steps in the preceding section can be used to assign permissions using one of the categories described in Table 8-4. Note that the table lists only the standard permissions for generic objects such as containers. Overall, there are 15 permissions that you could assign to objects, and depending on how many attributes the object has, it may have in the neighborhood of 100 read and write permissions for each of its attributes. To manage ACLs on a daily basis, it is...

Reliability and Performance Monitor

This familiar performance monitor tool is greatly improved in Windows Server 2008. When you select the top-level node in the tool's left pane, you are presented with a consolidated snapshot of system health, including charts of key CPU, memory, disk, and network metrics. The Performance Monitor part of the tool features several hundred different counters, such as average disk queue length, CPU utilization, current queue length on a network interface, and memory paging, which you can use to...

Configure Site Boundaries

Before you commence configuring your replication objects, you have to plan and understand how many sites your infrastructure will need in order to implement the desired functionality. You also need to determine which of the networks or subnets will be added to which sites. Conceptual topics, such as what sites are needed for, were discussed earlier. Recall that sites are defined as common network areas that share fast and reliable connections, where plenty of inexpensive bandwidth is available...

Account Policies

With the introduction of Windows 2000, account and password policy settings are configured using group policy objects and Active Directory. In short, the Group Policy Management snap-in allows you to manage computer and user configurations according to their location in the Active Directory structure. The next chapter discusses this technology more thoroughly. But for the purposes of this discussion, we will review just one of the groups of settings configurable through group policies. Password...

Round Robin Functionality

As mentioned earlier in the chapter, the DNS system has some load-balancing features, namely, round-robin functionality. It may be helpful to distribute incoming connections equally between a few network hosts, such as web servers. If one web server is getting hit with lots of requests, it may be serving pages slowly or may even be rejecting or timing out some of the requests. In this case, one solution may be to set up a twin web server box and load-balance incoming traffic using DNS; this is...

IT Container

Based on practical observations, it is often a good idea to create an internal IT OU at the top level of the structure, and nest all important objects such as administrative security groups, administrative accounts, and servers under it. This way it is easier to exclude it from the delegation structure, and avoid granting help desk staff the ability to modify membership of administrative groups (they might be tempted to add their own accounts to Domain Admins and the like). It is also advisable...

Forest Trusts

A subtype of external trusts, forest trusts in Windows Server 2003 and 2008 allow setting up transitive trusts at the forest level. Administrators must ensure that forest functional levels are brought up to Windows Server 2003 or higher in all forests to be linked with a trust relationship. Cross-forest trust relationships (as they are sometimes called) effectively establish a trust between every domain in one forest and every domain in the other forest using just one link definition. If one or...

Creating a Forward Lookup Zone in Windows Server

This exercise uses the DNS Manager console to create a new forward lookup zone for a future Windows Server 2008 Active Directory Domain Services installation. We make an assumption that AD DS is not yet installed in your lab.
1. Click Start | Administrative Tools | DNS. The DNS Manager console will be launched.
2. Expand TORDC01 (or your server name), right-click the Forward Lookup Zones container, and click the New Zone menu option.
3. On the New Zone Wizard welcome screen, click Next.
4. On the...

Active Directory User Accounts

User accounts (we also refer to them as user objects, or instances of the user class) are unique security identifiers; they are needed to interact with Active Directory. User accounts do not necessarily represent just the users of the system; system processes also rely on user accounts, as this defines the process security context and bestows certain privileges in the system. The most significant benefits provided by Active Directory in respect to user accounts are the following: Single sign-on (SSO); Directory...

Other Automation Techniques

When you use either csvde or ldifde, other switches may be handy, depending on the situation (these switches apply to both tools), such as:
-v Enables verbose mode and shows diagnostic information.
-s <servername> Indicates which domain controller to use during the operation.
-j Provides a log file path.
-k Forces ldifde to ignore possible errors during the operation. Errors may be caused if you indicated attribute values that violate value types or constraints, if a nonexistent object class...

Ease of Administration

Group policy structure must remain manageable after implementation. Planning is needed to avoid situations in which everything works fine, but no one really has enough courage to make a change. When the system works but is complicated to the point that you don't want to touch it, it is safe to say that it is not manageable. Here are some recommendations that may help in avoiding this situation: Name your policies using full, intuitive names that reflect the purpose and maybe even the scope of...

Troubleshooting Active Directory Database Failures

When you perform domain controller installation, the Dcpromo Wizard will ask you, among other things, where you wish to place the ntds.dit and edb.log data and transaction log files. By default, the %systemroot%\ntds directory is suggested, but this is far from ideal. You should always place your Active Directory files on a fault-tolerant set of hardware disks, and preferably on a drive that does not contain any system files or pagefile.sys. If your Active Directory domain controllers will be hit...

Restore Active Directory Services

You may run into a situation in which certain changes to Active Directory are found to be undesirable after the fact (for instance, if an object or two were deleted, or attribute values were overwritten, and these changes were replicated to other domain controllers). You may experience hardware failures, such as the Active Directory database hard disk or set of disks going defunct as a result of an environmental event or bad hardware, which add to the reasons why you should back up Active Directory...

Authoritative Restore

An authoritative restore differs from a non-authoritative one in that the restored objects are assigned higher USNs than the respective USNs on other domain controllers, causing restored objects to be replicated to other domain controllers instead of being overwritten, as happens in non-authoritative restores. Obviously, in addition to restoring objects, an authoritative restore needs to adjust some of their properties in the Active Directory database. The following table summarizes these...

Installing DNS Services

DNS services are not installed as part of Windows Server 2008 out-of-the-box installations. DNS services have to be added; they may be installed either manually by someone with administrative rights on the system or as part of the domain controller installation process. If you install DNS services manually, at the end of the installation process you will have a caching server that does not have any forward lookup zones yet. DNS services can also be deployed automatically as part of the dcpromo...

RMS Requirements

AD RMS deployment requires AD DS installation. It also integrates, optionally, with AD FS (where extranet content protection is desirable) and AD CS (for transport-layer security and encryption). If document distribution will extend outside the realms of a single corporate environment, then obtaining SSL certificates from a trusted third-party CA may be more desirable than using AD CS, which would be considered a trusted CA only on the corporate network, by default. An RMS server must be a...

Creating a Reverse Lookup Zone using the Command Line

This exercise uses dnscmd to create and configure a new reverse lookup zone for a future Windows Server 2008 Active Directory Domain Services installation. We make an assumption that AD DS is not yet installed in your lab. We further assume that the IPv4 addressing scheme of 10.1.1.0/24 was selected for lab use. Instead of setting up a reverse lookup zone for each subnet on our IP network, we will create a single full Class A reverse lookup zone of 10.in-addr.arpa. The DNS service in Windows...
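As an added example (not the book's exercise steps), the dnscmd calls below create the 10.in-addr.arpa zone described above as a file-backed primary zone on TORDC01, keep dynamic updates disabled while the zone is not AD-integrated, and register a PTR record for a constructed lab address; the zone name and 10.1.1.0/24 scheme come from the page, while the host address 10.1.1.10 and the name tordc01.flexecom.local are assumptions.

```powershell
# Added example: build the single Class A reverse zone from the exercise above with dnscmd.
# Assumes administrative rights on (or against) the DNS server TORDC01; AD DS is not
# installed yet, so the zone is a standard primary zone stored in a zone file.
$server = 'TORDC01'
$zone   = '10.in-addr.arpa'

# Create the zone, backed by a file in %systemroot%\System32\dns.
dnscmd $server /ZoneAdd $zone /Primary /file "$zone.dns"

# Keep dynamic updates off (0) while the zone is file-backed. A standard primary
# zone cannot require secure updates, so the permissive setting (1) would let any
# host on the network register or overwrite PTR records. After dcpromo, convert the
# zone with /ZoneResetType $zone /DsPrimary and then allow secure-only updates (2).
dnscmd $server /Config $zone /AllowUpdate 0

# PTR for the constructed lab address 10.1.1.10. Inside 10.in-addr.arpa the node
# name is the remaining three octets reversed, so 10.1.1.10 becomes "10.1.1".
$hostIp   = '10.1.1.10'
$octets   = $hostIp.Split('.')
$nodeName = ($octets[3], $octets[2], $octets[1]) -join '.'
dnscmd $server /RecordAdd $zone $nodeName PTR 'tordc01.flexecom.local.'

# Verify the zone type, update setting and contents.
dnscmd $server /ZoneInfo $zone
dnscmd $server /EnumRecords $zone '@'
```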

CNAME Resource Records

It may be necessary to assign more than one FQDN to the same physical host, or more specifically, to the same IP address. You could create multiple A records, but then you would have to update each of them every time the underlying IP address changes. To avoid this situation, you use CNAME resource records, also called aliases. Suppose you have a server with the hostname tordmz01.flexecom.com, and you want to make it available on the Internet for web and ftp services, at the same time providing...

Event Viewer

Most administrators start their troubleshooting work in the Event Viewer. Indeed, the importance of this tool cannot be overstated. Event Viewer can be accessed using the Server Manager console or as a standalone MMC snap-in in Administrative Tools. The Event Log is a convenient display tool for a few .evtx files physically stored in the %systemroot%\System32\Winevt\Logs directory. Since most of the readers will be familiar with the Event Viewer, this section only mentions a few things as they...

Bridgehead Servers

As you can see by now, intra-site replication and inter-site replication have plenty of differences between them. Within the same site, each server communicates with several neighboring replication partners. Eventually, one random change committed to any of the domain controllers is replicated to all site domain controllers in less than a minute and just a few hops. Contrary to this, inter-site replication is performed through so-called bridgehead servers. There can be only one domain...

Configure Site Link Costs

Site Link Versus Site Link Bridge

SiteLink objects can be assigned a cost, which is an administrative setting that gives priority to one link over another, where multiple paths between the same two sites exist. The lowest cost, intuitively enough, has the highest priority. When you assign costs to your links, consider available bandwidth, reliability, latency, and actual costs charged by your ISP based on time or amount of data crossing the line (if applicable). If you leave the default link costs set to 100, or assign costs...

Two-Minute Drill

Create and Maintain Groups and User Accounts
User accounts form the basis of security and authentication. Each user of the system should have his or her own corresponding user account. Administrators assign user and security group permissions to directory and file system objects. Security groups are used to simplify permissions management and reduce the number of ACEs listed on ACLs. Security groups have different scopes: local computer, local domain, global, and universal. Security group scope...