Review Questions

You are a systems administrator for an environment that consists of two Active Directory domains. Initially, the domains were configured without any trust relationships. However, the business now needs to share resources between domains. You decide to create a trust relationship between Domain A and Domain B. Before you take any other actions, which of the following statements is true? Choose all that apply. A. All users in Domain A can access all resources in Domain B. B. All users in Domain B...

Creating and Configuring Application Data Partitions

Organizations store many different kinds of information in various places. For the IT departments that support this information, it can be difficult to ensure that the right information is available when and where it is needed. Windows Server 2003 introduces a new feature, called application data partitions, that allows systems administrators and application developers to store custom information within Active Directory. The idea behind application data partitions is that, since you already...

Using the Security Configuration And Analysis Utility

1. Click Start > Run, type mmc, and press Enter. This opens a blank MMC.
2. In the File menu, select Add/Remove Snap-In. Click Add. In the Add Standalone Snap-In dialog box, select the Security Configuration And Analysis item, then click Add, then click Close. (Screenshot of the Add Standalone Snap-In dialog, which describes the snap-in as follows: "Security Configuration and Analysis is an MMC snap-in that provides security configuration and analysis for Windows computers using security template files.") ...

Creating a Group Policy Object Using MMC

1. Click Start > Run, type mmc, and press Enter.
2. On the File menu, click Add/Remove Snap-In.
3. Click the Add button. In the Add Standalone Snap-In dialog box, select Group Policy Object Editor from the list, and click Add. (Screenshot of the Add Standalone Snap-In dialog listing the available snap-ins, such as Indexing Service, Internet Authentication Service (IAS), IP Security Monitor, IP Security Policy Management, Link to Web Address, Local Users and Groups, Performance Logs and Alerts, Remote Desktops, and Removable Storage Management.) ...

Answers to Assessment Test

Applications cannot be published to computers, but they can be published to users and assigned to computers. See Chapter 9 for more information. 2. A, B. There can be only one Domain Naming Master and one Schema Master per Active Directory forest. The purpose of the Domain Naming Master is to keep track of all the domains within an Active Directory forest. The Schema Master defines the Active Directory schema, which must be consistent across all domains in the forest. The remaining roles...

Assessment Test

Which of the following operations is not supported by Active Directory? A. Assigning applications to users B. Assigning applications to computers C. Publishing applications to users D. Publishing applications to computers 2. Which of the following single master operations apply to the entire forest? Choose all that apply. 3. Which of the following is not a valid Active Directory object? 4. Which of the following pieces of information should you have before you begin the Active Directory...

The secedit.exe Command

All of the functionality of the Security Configuration And Analysis utility has also been built into a command-line utility called secedit.exe. One advantage of using secedit.exe is that you can perform a batch analysis without having to use the graphical tools. Just like the Security Configuration And Analysis utility, the command-line utility is database driven, meaning that you can use switches to access database and configuration files. The secedit.exe command performs the following...

Joining a New Domain Tree to a Forest

A forest is formed by joining two or more domains or trees that do not share a contiguous namespace. For example, you could join the organization1.com and organization2.com domains together to create a single Active Directory environment. Any two independent domains can be joined together to create a forest, as long as the two domains have noncontiguous namespaces. (If the namespaces were contiguous, you would actually need to create a domain tree.) The process of creating a new tree to form or...

Reasons for Using Multiple Domains

There are several reasons why you might need to implement multiple domains. These reasons include such considerations as the following:

Scalability  Although Microsoft has designed Active Directory to accommodate millions of objects, this number may not be practical for your current environment. Supporting many thousands of users within a single domain places higher disk space, CPU (central processing unit), and network burdens on your domain controllers. Determining the scalability of Active Directory is...

Enabling Auditing of Active Directory Objects

1. Open the Domain Controller Security Policy tool (located in the Administrative Tools program group).
2. Expand Computer Configuration, Windows Settings, Security Settings, Local Policies, Audit Policy. (Screenshot of the Default Domain Controller Security Settings console with the tree expanded to Computer Configuration > Windows Settings > Security Settings > Local Policies > Audit Policy.) ...

Creating a Domain Tree

In the previous chapter, you saw how to promote the first domain controller in the first domain in a forest, also known as the root. If you don't promote any other domain controllers, then that domain controller simply controls that one domain and no trees are created. To create a new domain tree, you need to promote a Windows Server 2003 computer to a domain controller. In the Active Directory Installation Wizard, select the option that makes this domain controller the first machine in a new...

Promoting a Domain Controller

1. Open the Manage Your Server utility, which is located in the Administrative Tools program group.
2. Click Add Or Remove A Role and then click Next to begin the process. For the server role, select Domain Controller (Active Directory) and then click Next. Finally, click Next once more to start the Active Directory Installation Wizard. Alternatively, you can start the Active Directory Installation Wizard by clicking Start > Run and typing dcpromo.
3. Click Next on the Welcome To The Active...

Answers to Review Questions

Because you are supporting Windows NT 4, Windows 2000, and Server 2003 domain controllers, you must run the environment in Windows 2000 Mixed domain functional level. Universal security groups are not available when you are running in Windows 2000 Mixed domain functional level. 2. B, E, G, H. The Active Directory Users And Computers tool allows systems administrators to change auditing options and to choose which actions are audited. At the file-system level, Isabel can specify exactly which...

Bidirectional trust  See two-way trust.

Bridgehead servers  Used in Windows Server 2003 replication to coordinate the transfer of replicated information between Active Directory sites.

caching-only DNS server  A DNS server that is not the authority for any specific zone but can resolve DNS queries. Caching-only DNS servers are used to improve performance.

categories  A grouping of applications that is available for installation by users through the Add Or Remove Programs item in the Control Panel. Categories are useful for managing...

Placing Global Catalog Servers

A Global Catalog (GC) server is a domain controller that contains a copy of all the objects contained in the forest-wide domain controllers that compose the Active Directory database. Making a domain controller a GC server is very simple, and you can change this setting quite easily. That brings us to the harder part: determining which domain controllers should also be GC servers. Where you place domain controllers and GC servers is very important. Generally, you want to make GC servers...

Optimizing and Troubleshooting Software Deployment

Although the features in Windows Server 2003 and Active Directory make software deployment a relatively simple task, there are still many factors that systems administrators should consider when making applications available on the network. In this section, you will learn about some common methods for troubleshooting problems with software deployment in Windows Server 2003 and optimizing the performance of software deployment. Specific optimization and troubleshooting methods include the...

The Benefits of Active Directory

Most businesses have created an organizational structure in an attempt to better manage their environments. For example, companies often divide themselves into departments (such as Sales, Marketing, and Engineering), and individuals fill roles within these departments (such as managers and staff). The goal is to add constructs that help coordinate the various functions required for the success of the organization as a whole. The IT department in these companies is responsible for maintaining...

Verifying Network Connectivity

Although a Windows Server 2003 computer can exist on a network by itself (or without a network card at all), you will not harness much of the potential of the operating system without network connectivity. Because the fundamental purpose of a network operating system is to provide resources to users, you must verify network connectivity. Before you begin to install Active Directory, you should perform several checks of your current configuration to ensure that the server is configured properly...

Intersite Replication

Intersite replication is optimized for low-bandwidth situations and network connections that have less reliability. Intersite replication offers several specific features that are tailored toward these types of connections. To begin with, two different protocols may be used to transfer information between sites:

RPC over IP  When connectivity is fairly reliable, IP is a good choice. IP-based communications require you to have a live connection between two or more domain controllers in different...

Using ntdsutil to Manage Application Data Partitions

The primary method by which systems administrators create and manage application data partitions is through the ntdsutil command-line tool. You can launch this tool by simply entering ntdsutil at a command prompt. The ntdsutil command is both interactive and context-sensitive. That is, once you launch the utility, you'll see an ntdsutil command prompt. At this prompt, you can enter various commands that set your context within the application. For example, if you enter the domain management...

Creating Bridgehead Servers

By default, all of the servers in one site communicate with the servers in another site. You can, however, further control replication between sites by using bridgehead servers. As we mentioned earlier in the chapter, the use of bridgehead servers helps minimize replication traffic, especially in larger distributed star network topologies, and it allows you to dedicate machines that are better connected to receive replicated data. Figure 4.9 provides an example of how bridgehead servers work....

Delegating Control of Active Directory Objects

1. Open the Active Directory Users And Computers tool.
2. Create a new user within the Engineering OU, using the following information (use the default settings for any fields not specified):
3. Right-click the Sales OU, and select Delegate Control. This starts the Delegation of Control Wizard. Click Next.
4. To add users and groups to which you want to delegate control, click the Add button. In the Add dialog box, enter Robert Admin for the name of the user to add. Note that you could specify...

Figure Advanced Features in the System folder in the Active Directory Users And Computers tool

(Screenshot: the Active Directory Users and Computers console with Advanced Features enabled, showing the sybex1.com domain tree: Builtin, Computers, Domain Controllers, ForeignSecurityPrincipals, LostAndFound, NTDS Quotas, Program Data, and System. The System folder's contents include the AdminSDHolder container, several BCKUPKEY secret objects, the ComPartitions and ComPartitionSets containers, the Default Domain Policy, and Dfs-Configuration.) ...

Setting Up a Smart Card for User Logon

1. Log on to the computer as the user or administrator that you configured in the previous exercise.
2. Open Internet Explorer by selecting Start > All Programs > Internet Explorer.
3. In the Address field, enter the address of the CA that issues smart card certificates and press Enter.
4. In the Internet Explorer (IE) window, click Request a Certificate, and then click Advanced Certificate Request.
5. Click Request A Certificate For A Smart Card On Behalf Of Another User Using The Smart Card...