Exam Objectives Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed both to measure your understanding of the Exam Objectives presented in this chapter and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: How can I configure a smart card user to be able to temporarily log on to the network if the user has forgotten his or her card?

A: In the Properties of the user's account within...

Establishing Trust Relationships

As the name implies, trusts are all about sharing information. For security purposes, carefully consider your reasons before creating a new trust relationship, and know which type of trust to implement. In Active Directory, a shortcut trust doesn't add more trust; rather, it makes the trusts you already have more efficient by shortening the authentication path between two domains that are already joined by the forest's transitive trusts. External trusts are a concept left over from Windows NT, but are still necessary for sharing resources with a Windows NT domain or any other Windows...

Preparing DNS

Any time a client requires access to Active Directory, it activates an internal mechanism called the DC locator to find DCs through DNS. The locator queries SRV (service location) records for this. If no SRV records are found in DNS, the access fails. To prevent this failure, before renaming an Active Directory domain you need to be sure that the appropriate zones exist for the forest and for each domain. After you create the DNS zones for the new domain name, your DCs will populate each zone through dynamic update....
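The records the DC locator depends on have fixed names under the domain and forest DNS names (for example `_ldap._tcp.dc._msdcs.<domain>`). The following is an added example, not code from the book: it parses a constructed zone-file fragment for the hypothetical domain corp.example.com (forest root example.com, site HQ) and reports which locator SRV records a renamed domain's DCs have not yet registered. The zone text, domain names and site name are all assumptions made for the example.

```python
"""Check that the SRV records the DC locator depends on exist in a DNS zone.

Added example (not from the book). The zone data is a constructed zone-file
fragment for the hypothetical domain corp.example.com, not real DNS output.
"""
import re

# Locator records registered by Netlogon, relative to the domain's DNS name.
DOMAIN_LOCATOR_RECORDS = (
    "_ldap._tcp.{domain}",
    "_ldap._tcp.dc._msdcs.{domain}",
    "_ldap._tcp.pdc._msdcs.{domain}",
    "_kerberos._tcp.{domain}",
    "_kerberos._udp.{domain}",
    "_kerberos._tcp.dc._msdcs.{domain}",
    "_kpasswd._tcp.{domain}",
    "_kpasswd._udp.{domain}",
)
# Site-specific records, one set per site that holds a DC of this domain.
SITE_LOCATOR_RECORDS = (
    "_ldap._tcp.{site}._sites.dc._msdcs.{domain}",
    "_kerberos._tcp.{site}._sites.dc._msdcs.{domain}",
)
# Global catalog records live under the forest root zone, not the domain.
GC_LOCATOR_RECORDS = ("_ldap._tcp.gc._msdcs.{forest}",)

# owner [ttl] IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(?P<name>\S+)\s+(?:\d+\s+)?IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)$"
)


def parse_srv_zone(text):
    """Parse SRV lines in zone-file syntax into {owner: [(prio, weight, port, target), ...]}."""
    records = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = SRV_LINE.match(line)
        if not m:
            continue  # A, NS, SOA etc. are irrelevant to the locator check
        name = m.group("name").rstrip(".").lower()
        records.setdefault(name, []).append(
            (int(m.group("prio")), int(m.group("weight")),
             int(m.group("port")), m.group("target").rstrip(".").lower())
        )
    return records


def expected_locator_names(domain, forest, sites=()):
    """Every SRV owner name the locator may query for this domain, lowercased."""
    names = [t.format(domain=domain) for t in DOMAIN_LOCATOR_RECORDS]
    names += [t.format(forest=forest) for t in GC_LOCATOR_RECORDS]
    for site in sites:
        names += [t.format(domain=domain, site=site) for t in SITE_LOCATOR_RECORDS]
    return [n.lower() for n in names]


def missing_locator_records(zone_text, domain, forest, sites=()):
    """Return the locator owner names that have no SRV record in the zone."""
    have = parse_srv_zone(zone_text)
    return [n for n in expected_locator_names(domain, forest, sites) if n not in have]


# Constructed zone fragment: the DCs have registered most of their records,
# but the PDC entry and the Kerberos UDP entry are still absent.
SAMPLE_ZONE = """
; constructed sample for corp.example.com
_ldap._tcp.corp.example.com.                         600 IN SRV 0 100 389  dc1.corp.example.com.
_ldap._tcp.dc._msdcs.corp.example.com.               600 IN SRV 0 100 389  dc1.corp.example.com.
_kerberos._tcp.corp.example.com.                     600 IN SRV 0 100 88   dc1.corp.example.com.
_kerberos._tcp.dc._msdcs.corp.example.com.           600 IN SRV 0 100 88   dc1.corp.example.com.
_kpasswd._tcp.corp.example.com.                      600 IN SRV 0 100 464  dc1.corp.example.com.
_kpasswd._udp.corp.example.com.                      600 IN SRV 0 100 464  dc1.corp.example.com.
_ldap._tcp.HQ._sites.dc._msdcs.corp.example.com.     600 IN SRV 0 100 389  dc1.corp.example.com.
_kerberos._tcp.HQ._sites.dc._msdcs.corp.example.com. 600 IN SRV 0 100 88   dc1.corp.example.com.
_ldap._tcp.gc._msdcs.example.com.                    600 IN SRV 0 100 3268 dc1.corp.example.com.
"""

if __name__ == "__main__":
    for name in missing_locator_records(SAMPLE_ZONE, "corp.example.com", "example.com", sites=("HQ",)):
        print("missing:", name)
```

In practice you would feed the function the output of a zone transfer or a dump of the `_msdcs` zone; any name it reports should be registered (restarting the Netlogon service on the DC re-registers them) before the rename proceeds.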

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Understanding Active Directory Security Principal Accounts

1. You create a new user account and assign it permissions to resources. When this account is created, a SID is given to the account to uniquely identify it. When the user logs on and attempts to access one of these...

What Is Exam 70-294?

Exam 70-294 is one of the four core requirements for the Microsoft Certified Systems Engineer (MCSE) certification. Microsoft's stated target audience consists of IT professionals with at least one year of work experience on a medium or large company network. This means a multi-site network with at least three domain controllers, running typical network services such as file and print services, database, firewall services, proxy services, remote access services and Internet connectivity....

Restructuring the Forest and Renaming Domains

In Windows Server 2003, you can rename domains in an Active Directory forest after the forest structure is in place. This was not true in the Windows 2000 Server family. You build your Active Directory forest structure one domain at a time, and the resulting relationships are the result of the order in which you create them and the DNS names you assign. Renaming domains allows you to change the forest structure. For example, you can raise a child domain to be a new tree-root domain, or lower a...

Secure Sockets Layer / Transport Layer Security

Any time you visit a Web site that uses an https prefix instead of http, you're seeing Secure Sockets Layer (SSL) encryption, or its standardized successor Transport Layer Security (TLS), in action. SSL provides encryption for other protocols such as HTTP, LDAP, and IMAP, which operate at higher layers of the protocol stack. SSL provides three major functions in encrypting TCP/IP-based traffic:

Server authentication: Allows a user to confirm that an Internet server is really the machine that it is claiming to be. It's difficult to think of anyone who...

Using Active Directory Administrative Tools

Windows Server 2003 includes a number of tools that weren't available for administration of Active Directory in Windows 2000. These tools run from the command prompt, and can perform tasks that could previously only be performed using the GUI consoles. Using these tools, you can connect to remote servers and make modifications to the directory without the added overhead of a GUI interface. Because many tasks can be performed through the MMC (which we'll discuss next) or text-based commands,...

Introducing Directory Services

As anyone familiar with networking knows, a network can comprise a vast number of elements, including user accounts, file servers, volumes, fax servers, printers, applications, databases, and other shared resources. Because the number of objects making up a network increases as an organization grows, finding and managing these accounts and resources becomes harder as the network gets bigger. To make a monolithic enterprise network more manageable, directory services are used to store a...

Creating a New Domain in a New Forest

4. Click OK to start the Active Directory Installation Wizard.
5. In the Welcome to the Active Directory Installation Wizard window, click Next, as shown in Figure 4.4.

Figure 4.4 The Welcome Dialog Box for dcpromo

6. In the Operating System Compatibility window, click Next, as shown in Figure 4.5.

Figure 4.5 The Operating System Compatibility Dialog Box for dcpromo

Active Directory Installation Wizard Improved...

Access Control in Active Directory

In Active Directory, permissions can be applied to objects to control how those objects are used. Permissions regulate access by enforcing whether a user can read or write to an object, has full control, or has no access. Three elements determine a user's access and define the permissions they have to an object. Active Directory permissions are separate from share permissions (also called shared folder permissions) and NTFS permissions (also called file-level permissions), and work in conjunction...

Creating a New Child Domain in an Existing Domain

4. Click OK to start the Active Directory Installation Wizard.
5. In the Welcome to the Active Directory Installation Wizard window, click Next.
6. In the Operating System Compatibility window, click Next.
7. In the Domain Controller Type window, click Domain controller for a new domain, and then click Next, as shown in Figure 4.23.

Figure 4.23 The Domain Controller Type Dialog Box Used for a New Child Domain in an Existing Domain...

Creating User Accounts

Windows Server 2003 provides multiple ways of creating user accounts in Active Directory. As mentioned, Active Directory Users and Computers provides a GUI that allows you to create new accounts quickly and efficiently. As a new method of adding user accounts to Active Directory, you can also use the DSADD command. In the paragraphs that follow, we will look at each of these tools. Active Directory Users and Computers Active Directory Users and Computers is a tool that is installed on DCs, and...

Active Directory Components

When looking at the functions of domains, trees, forests, and OUs, it becomes apparent that each serves as a container. These container objects provide a way to store other components of Active Directory, so that they can be managed as a unit and organized in a way that makes administration easier. OUs also provide the added feature of allowing nesting, so that you can have one OU inside another. The bulk of components in Active Directory, however, are objects that represent individual elements...

Installing Movetree with Active Directory Support Tools

1. Insert the Windows Server 2003 installation CD into your CD-ROM drive.
2. From the Windows Start menu, select Windows Explorer.
3. When Windows Explorer opens, expand the node representing your CD-ROM drive, and then expand the Support Tools folder.
4. When the contents of the Tools folder are displayed in the right pane, right-click the SUPTOOLS.MSI file and click Install in the context menu.
5. When the Windows Support Tools Setup Wizard appears, click Next to continue.
6. On the End...

Enrolling Users

The process of setting up your company's employees to use smart cards includes hardware, software, and administrative considerations. On the hardware side, you need to purchase and install smart card readers for all your users' workstations. Assuming that the readers are Plug-and-Play compatible, the hardware installation process should be fairly simple. Once the necessary hardware is in place, you'll use the Enrollment Station to install Smartcard Logon or User certificates in each user's...

Built-In Domain User Accounts

And user rights that provide different levels of access. The rights and permissions they have vary, because each is designed to be used for a different purpose.You wouldn't want everyone in a domain to be able to view, modify, or delete anything they want on the network. This would be a major security issue, and accidents and malicious actions could have potentially devastating consequences. The Administrator account is the first account that's created when Active Directory is installed. As we...

Planning a Security Group Strategy

Before you can effectively start working with groups in Windows Server 2003, you need to first understand what groups are and why they are used. A group is a collection of objects (user, group, and/or computer accounts) that is managed as a single object. The objects that belong to the group are known as group members. In Windows, as with many operating systems, groups are used to simplify the administrative process of assigning permissions and rights to multiple user and computer accounts. A...

Placing the FSMO Roles

It is a good idea to place the RID and PDC Emulator roles on the same DC. Down-level clients and applications target the PDC, making it a large consumer of RIDs. Good communication between these two roles is important. If performance demands it, place the RID and PDC Emulator roles on separate DCs, but make sure they stay in the same site and that they are direct replication partners with each other. As previously stated, you should place the Infrastructure Master on a non-GC server to maintain...

Summary of Exam Objectives

In this chapter, we discussed topics relating to security principals, which are user accounts, computer accounts, and group accounts. Each security principal is assigned a security identifier (SID) when it is created. SIDs are used to uniquely identify the account, and allow the security principal to be used for authentication and access control. In creating these accounts, we saw that there are a number of naming conventions and limitations. Each account name must be under a maximum length of...

Creating a Domain Password Policy

1. From the Windows Server 2003 desktop, open Start > Administrative Tools > Active Directory Users and Computers. Right-click the domain that you want to set a password policy for, and select Properties.
2. Select the Group Policy tab, followed by the Default Domain Policy, as shown in Figure 3.4. Click the Edit button. Navigate to Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy. You'll see the screen shown in Figure 3.5.

Figure 3.5 Configuring Password...

Check for Primary DNS Suffix Configuration

1. On a member computer, open the System Control Panel.
2. Click the Computer Name tab, and then click Change.
3. Click More, and verify whether Change primary DNS suffix when domain membership changes is selected (as shown in Figure 4.52). If it is, the computer will automatically adjust to the new primary DNS suffix.
4. Click OK until all dialog boxes are closed.

Figure 4.52 The System Control Panel, General Tab, More Button

The Required Tools for the Domain Rename Operation

1. Log on to the control station with at least local administrator rights.
2. Create a directory named X:\RenameTools on a local disk drive, where X is a local drive letter. You will be executing all rename tools from within this directory. Give it a name you will be comfortable with, but that will alert other administrators as to what it is used for.
3. Insert the Windows Server 2003 Standard Edition, Windows Server 2003 Enterprise Edition, or Windows Server 2003 Datacenter Edition operating system CD...

Defining a Password Policy

Using Active Directory, you can create a policy to enforce consistent password standards across your entire organization.The options you can specify include how often passwords must be changed, the number of unique passwords a user must use before being able to reuse one, and the complexity level of passwords that are acceptable on your network. Additionally, you can specify an account lockout policy that will prevent users from logging on after a specified number of incorrect logon attempts....

Managing Group Accounts

As we've seen, the DSADD command provides a number of options for configuring new groups, while there are only a minimal number of options available when creating them through Active Directory Users and Computers. However, most of these options can be configured and reconfigured at any time by using the object's properties. By modifying the group's properties, you can perform a variety of administrative tasks related to managing group accounts. Accessing the properties of a group account is...

Security Principals and Security Identifiers

Security Identifiers

Security principals get their name because they are Active Directory objects that are assigned SIDs when they are created. The SID is used to control access to resources and by internal processes to identify security principals. Because each SID is unique, and because access control entries reference the SID rather than the account's name, an account cannot mistakenly gain access to restricted resources on a properly configured system unless security is breached. SIDs are able to remain unique because of the way they are issued. In each...
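The structure that makes a domain SID unique (revision, identifier authority, the three domain subauthorities issued when the domain is created, and the per-account relative ID) is easy to see once you take one apart. The following is an added example, not the book's code: it parses the textual form, extracts the domain SID and RID, names the well-known RIDs that mean the same thing in every domain, and converts to and from the binary layout stored in the objectSid attribute. The SID values in the sample are constructed, not taken from any real domain.

```python
"""Parse, validate and binary-encode Windows security identifiers (SIDs).

Added example, not the book's code. The SID values used in the sample are
constructed; the well-known RID table is the standard one for AD domains.
"""
import struct

# Relative IDs that carry the same meaning in every domain.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
    515: "Domain Computers",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
    520: "Group Policy Creator Owners",
}


def parse_sid(sid):
    """Split 'S-1-5-21-a-b-c-RID' into its fields; raise ValueError on malformed input."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    sub = [int(p) for p in parts[3:]]
    # Revision is always 1; at most 15 subauthorities, each a 32-bit value.
    if revision != 1 or len(sub) > 15 or any(s > 0xFFFFFFFF for s in sub):
        raise ValueError("malformed SID: %r" % sid)
    info = {
        "revision": revision,
        "identifier_authority": authority,
        "subauthorities": sub,
        "domain_sid": None,
        "rid": None,
        "well_known": None,
    }
    # Domain account SIDs are S-1-5-21-<three domain subauthorities>-<RID>.
    if authority == 5 and len(sub) == 5 and sub[0] == 21:
        info["domain_sid"] = "S-1-5-21-%d-%d-%d" % tuple(sub[1:4])
        info["rid"] = sub[4]
        info["well_known"] = WELL_KNOWN_DOMAIN_RIDS.get(sub[4])
    return info


def sid_to_bytes(sid):
    """Encode as stored in objectSid: revision, count, 6-byte big-endian authority,
    then each subauthority as a little-endian 32-bit integer."""
    info = parse_sid(sid)
    sub = info["subauthorities"]
    header = struct.pack("<BB", info["revision"], len(sub))
    authority = info["identifier_authority"].to_bytes(6, "big")
    return header + authority + b"".join(struct.pack("<I", s) for s in sub)


def bytes_to_sid(blob):
    """Inverse of sid_to_bytes; the length check rejects truncated blobs."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = struct.unpack_from("<BB", blob, 0)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match subauthority count")
    authority = int.from_bytes(blob[2:8], "big")
    sub = struct.unpack_from("<%dI" % count, blob, 8)
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in sub)


def same_domain(sid_a, sid_b):
    """True when two account SIDs were issued by the same domain."""
    a, b = parse_sid(sid_a), parse_sid(sid_b)
    return a["domain_sid"] is not None and a["domain_sid"] == b["domain_sid"]


if __name__ == "__main__":
    # Constructed domain SID; RID 500 is the built-in Administrator account.
    admin = "S-1-5-21-1004336348-1177238915-682003330-500"
    print(parse_sid(admin))
    print(sid_to_bytes(admin).hex())
```

The well-known RID table is why renaming the Administrator account is not a hiding place: the RID stays 500, and anything that enumerates SIDs will find it regardless of the name.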

Digest Authentication

Authentication need to use Internet Explorer 5 or later. The server and all users attempting to log on to IIS must be members of the same domain, or of domains that are connected by an appropriate trust relationship. The domain that the IIS server belongs to must contain a domain controller running Windows 2000 or Windows Server 2003. The IIS server itself also needs to be running Windows 2000 or later. Digest authentication requires user passwords to be stored in a reversibly encrypted cleartext...
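The reversible-encryption requirement follows from how Digest (RFC 2617) works: the server must recompute MD5(username:realm:password) to check a response, so a one-way password hash is no use to it. The following is an added example, not code from the book or from IIS: it computes the client's response and the server's check with the standard library only, using the worked values from RFC 2617 section 3.5 (user Mufasa, realm testrealm@host.com, password "Circle Of Life") so the result can be compared against the RFC. The server-side password store is a constructed stand-in for what IIS retrieves from the domain.

```python
"""RFC 2617 Digest authentication, client response and server verification.

Added example, not from the book. Values are the RFC 2617 section 3.5 sample;
the STORE dictionary is a constructed stand-in for the domain's password store.
"""
import hashlib
import hmac


def md5_hex(s):
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def ha1(username, realm, password):
    """Only computable by a party that holds the cleartext password for this realm."""
    return md5_hex("%s:%s:%s" % (username, realm, password))


def digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop="auth"):
    """Client side: the 'response' field for qop=auth."""
    ha2 = md5_hex("%s:%s" % (method, uri))
    return md5_hex(":".join([ha1(username, realm, password), nonce, nc, cnonce, qop, ha2]))


def server_verify(store, username, realm, method, uri, nonce, nc, cnonce, response, qop="auth"):
    """Server side: recompute from the stored cleartext password and compare in constant time.

    A store holding only a one-way hash (such as the NT hash) could not do this,
    which is why the domain must keep the password reversibly encrypted."""
    password = store.get((username, realm))
    if password is None:
        return False
    expected = digest_response(username, realm, password, method, uri, nonce, nc, cnonce, qop)
    return hmac.compare_digest(expected, response)


# Constructed server-side store keyed by (user, realm).
STORE = {("Mufasa", "testrealm@host.com"): "Circle Of Life"}

# RFC 2617 section 3.5 sample exchange.
NONCE = "dcd98b7102dd2f0e8b11d0f600bfb0c093"
CNONCE = "0a4f113b"
RESPONSE = digest_response("Mufasa", "testrealm@host.com", "Circle Of Life",
                           "GET", "/dir/index.html", NONCE, "00000001", CNONCE)

if __name__ == "__main__":
    print("response:", RESPONSE)  # RFC 2617 gives 6629fae49393a05397450978507c4ef1
    print("verified:", server_verify(STORE, "Mufasa", "testrealm@host.com", "GET",
                                     "/dir/index.html", NONCE, "00000001", CNONCE, RESPONSE))
```

Because the server nonce is bound into the hash, a captured response is not replayable against a fresh challenge; but the same MD5 construction is what makes a captured exchange an offline guessing target, which is the other reason Digest is a weak choice next to Kerberos.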

Creating a New Domain Controller in an Existing Domain Using the New System State Backup Method

Steps 1 through 3 walk you through taking the snapshot.

1. Log on as a local Administrator on the healthy DC.
2. Create a directory called C:\Backup. If the folder already exists, remove any files that it contains.
3. Using Windows Backup, save the system state. It is a good practice to name the file after your source DC, giving it a .bkf extension.

You now must transport the file. Use the backup media of your choice, ensuring your ability to perform the restore at the other end. Remember that...

Managing Computer Accounts

As seen previously, accounts can be administered through the properties of the object, which can be accessed using Active Directory Users and Computers. To view the properties, select the object and click Action > Properties. You can also right-click the object and select Properties from the context menu. Using either method, a dialog box with nine tabs will be displayed. The General tab of a computer account's properties allows you to view common information about the computer. As seen in...

The Role of the Domain

The domain is the starting point of Active Directory. It is the most basic component that can functionally host the directory. Simply put, Active Directory uses the domain as a container of computers, users, groups, and other object containers. Objects within the domain share a common directory database partition, replication boundaries and characteristics, security policies, and security relationships with other domains. Typically, administrative rights granted in one domain are only valid...

Group Scopes in Active Directory

Scope is the range over which a group extends across a domain, tree, and forest. The scope determines where the group can be granted permissions, which accounts and groups can be added to its membership, and the resources its members can be given permission to access. As we'll discuss in the sections that follow, Active Directory provides three different scopes for groups. Universal groups have the widest scope of any of the group scopes. Universal groups can contain accounts and...

Understanding Group Types and Scopes

In an Active Directory environment, there are two basic group characteristics: type and scope. The group type identifies the purpose of the group; there are two group types for Active Directory-based groups in Windows Server 2003. Group scope refers to how the group can be used; three group scopes can be specified for a group that resides within the Active Directory database. Two types of groups can be created in Windows Server 2003:

Distribution groups: Distribution groups are used for distributing...

Domain Trees

A domain tree can be thought of as a DNS namespace composed of one or more domains. If you plan to create a forest with discontiguous namespaces, you must create more than one tree. Referring back to Figure 4.1, you see two trees in that forest, Cats.com and Dogs.com. Each has a contiguous namespace because each domain in the hierarchy is directly related to the domains above and below it in each tree. The forest has a discontiguous namespace because it contains two unrelated top-level domains.

Locating the Domain Naming Operations Master

1. Log on as an Enterprise Administrator in the forest you are checking.
2. Click Start > Run, type mmc, and then click OK.
3. On the menu bar, click File > Add/Remove Snap-in, click Add, double-click Active Directory Domains and Trusts, click Close, and then click OK.
4. Right-click Active Directory Domains and Trusts in the top left pane, and then click Operations Masters to view the server holding the domain naming master role, as shown in Figure 4.37.

Figure 4.37 Locating the Domain Naming...

Controls the Primary DNS Suffix for the Computer

There are a few ways to determine whether Group Policy controls the primary DNS suffix for the computer. Log on to a representative member computer and do one of the following: Open a command prompt and type gpresult, and look in the output to see if Primary DNS Suffix is listed under Applied Group Policy objects. Or open Active Directory Users and Computers, right-click the computer object you want to check, and click All Tasks > Resultant Set of Policy (Logging). Or perform the steps in Exercise 4.19. If a...

Moving Account Objects in Active Directory

Windows Server 2003 provides a number of tools that allow you to move objects within domains and between them. The tools that can be used for moving objects include Active Directory Users and Computers and two command-line utilities. As we've seen, Active Directory Users and Computers is an MMC snap-in that allows you to interact with Active Directory through a graphical interface. DSMOVE and MOVETREE are command-line tools that allow you to move objects by entering textual commands at the...

Understanding Forest and Domain Functionality

A Windows Server 2003 domain is a group of networked computers that share a common Active Directory database and a common namespace. You can think of a domain as a limited boundary of network security and administrative control. A namespace is a hierarchical collection of service and object names, typically stored within DNS and Active Directory. There are some similarities between the Active Directory namespace and the DNS namespace, both of which are required by Windows Server 2003. For example,...

Raising the Domain Functional Level

1. Log on locally as a Domain Admin to the PDC or the PDC Emulator FSMO of the domain you are raising.
2. Click Start > Administrative Tools > Active Directory Domains and Trusts, or use the MMC preconfigured with the Active Directory Domains and Trusts snap-in.
3. Locate the domain in the console tree that you are going to raise in functional level. Right-click the domain and select Raise Domain Functional Level.
4. A dialog box will appear entitled Select an available domain functional level....

Managing User Accounts

Managing user accounts is done through the properties of the object, which is accessible by using Active Directory Users and Computers. You can access the properties of a user object by selecting the object and then clicking Action > Properties. You can also right-click the object and select Properties from the context menu. Upon opening the Properties of the user, you will see a number of tabs that allow you to set various options and provide information dealing with the account: General...

Creating Shortcut Trust Relationships

Interaction between domains in your forest is based on the establishment of trusts among the domains. The Active Directory Installation Wizard creates most of these trusts automatically during the domain creation process. Through the manual creation of shortcut trusts, you can maintain that interaction after the domains are renamed. This is only necessary if the forest structure will change as a result of the manipulation of the namespace. If you are renaming a domain in place without changing its...

Raising the Forest Functional Level

1. Log on locally as an Enterprise Administrator on the PDC Emulator FSMO of the forest root domain you are raising.
2. Click Start > All Programs > Administrative Tools > Active Directory Domains and Trusts, or use the MMC preconfigured with the Active Directory Domains and Trusts snap-in.
3. In the console tree, right-click the Active Directory Domains and Trusts folder and select Raise Forest Functional Level.
4. Where it asks you to Select an available forest functional level, click Windows...

Exam Overview

In this book, we have tried to follow Microsoft's exam objectives as closely as possible. However, we have rearranged the order of some topics for a better flow, and included background material to help you understand the concepts and procedures that are included in the objectives. Following is a brief synopsis of the exam topics covered in each chapter Active Directory Infrastructure Overview In this chapter, we will start with the basics defining directory services and providing a brief...

Seizing the FSMO Master Roles

2. Click Start > Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and press Enter.
4. In ntdsutil, type ? at any prompt to see a list of available commands, and press Enter.
5. Type connections, and press Enter.
6. Type connect to server servername, where servername is the name of the server that will receive the role, and press Enter.
7. At the server connections prompt, type q, and press Enter.
8. Type the appropriate seizing command as shown next. See the example in Figure...

Using Group Policy to Predefine the Primary DNS Suffix Prior to Domain Rename

To prepare for the application of Group Policy, you need to create groupings of member computers for incremental rollout. Perform the following steps for each domain to be renamed.

1. Estimate the largest number of computers that can be renamed in your environment without adverse effects. Microsoft's recommendation is to define groups of 1,000 or fewer for a normal, healthy LAN environment. Adjust this number for local conditions.
2. Define rollout groups of the chosen size.
3. Create a schedule,...

Naming Conventions and Limitations

In looking at the relationship between security principals and SIDs, it becomes apparent that it would be difficult to use SIDs as the sole method of identifying an account. While SIDs uniquely identify users, computers, and groups, trying to remember the SID of every user and computer you commonly access through the directory would be almost impossible. For this reason, various naming conventions are used to distinguish objects in Active Directory. Every object in Active Directory has a name to...

Before Applying Group Policy

The purpose of applying this group policy is to avoid replication and DNS update traffic caused by the automatic update of the primary DNS suffix on all member computers following a domain rename. Use Group Policy to revise the primary DNS suffix of all computers in stages to the new domain name before the procedure. That way, domain computers are manually updated and already have the correct primary DNS suffix at the time you perform the domain rename. After you apply the group policy, the DNS...

NT LAN Manager

Versions of Windows earlier than Windows 2000 used NTLM to provide network authentication. In a Windows Server 2003 environment, NTLM is used to communicate between two computers when one or both of them is running a pre-Windows 2000 operating system. NTLM will also be used by Windows Server 2003 computers that are not members of a domain. For example, NTLM authentication would be used in the following communications: Windows 2000 workstations and Windows Server 2003 stand-alone servers that are...

Security Group Best Practices

Microsoft has a number of different recommended methods for using groups in a domain environment. You should expect to be asked a number of complex questions about the appropriate use of groups. Most of their recommendations fall into one of two models.

- There are three group scopes in a Windows Server 2003 domain: domain local, global, and universal.
- Additional group nesting and universal security groups are only available at the Windows 2000 native and Windows Server 2003 domain functional...
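The scope rules from the Group Scopes section and the functional-level dependency noted in the bullets above are the kind of thing an exam question tests by example, and they are easy to get wrong when nesting across domains. The following is an added example, not the book's code: it encodes the membership rules for security groups at the mixed and native/2003 families of domain functional level and checks a constructed membership plan against them. The domain names in the plan are assumptions.

```python
"""Validate security group nesting against Windows Server 2003 scope rules.

Added example, not the book's code. The rules are the standard membership
rules for domain local, global and universal security groups; the sample
plan and its domain names (corp, eu) are constructed.
"""
ACCOUNTS = {"user", "computer"}
SCOPES = {"global", "domain_local", "universal"}
# Levels at which universal security groups and full nesting are available.
NESTING_LEVELS = {"Windows 2000 native", "Windows Server 2003"}


def can_be_member(member_kind, member_domain, group_scope, group_domain, level):
    """Return (allowed, reason) for adding one object to a security group.

    member_kind: 'user', 'computer', 'global', 'domain_local' or 'universal'.
    level: the domain functional level of the domain that holds the group.
    """
    nesting = level in NESTING_LEVELS
    if group_scope not in SCOPES or (member_kind not in SCOPES and member_kind not in ACCOUNTS):
        return False, "unknown scope or member kind"
    if group_scope == "universal" and not nesting:
        return False, "universal security groups need Windows 2000 native or Windows Server 2003 level"
    if member_kind == "universal" and not nesting:
        return False, "no universal security groups exist at this level"
    same = member_domain == group_domain
    if group_scope == "global":
        if not same:
            return False, "global groups only hold objects from their own domain"
        if member_kind in ACCOUNTS:
            return True, "account from the same domain"
        if member_kind == "global" and nesting:
            return True, "global-in-global nesting from the same domain"
        return False, "global groups hold accounts only at this level, never domain local or universal groups"
    if group_scope == "domain_local":
        if member_kind in ACCOUNTS or member_kind == "global":
            return True, "accounts and global groups from any trusted domain"
        if member_kind == "universal":
            return True, "universal groups from any domain in the forest"
        if same and nesting:
            return True, "domain local nesting from the same domain"
        return False, "domain local groups nest only within their own domain at native/2003 level"
    # group_scope == "universal" at a level where it exists
    if member_kind == "domain_local":
        return False, "domain local groups cannot be members of universal groups"
    return True, "accounts, global and universal groups from any domain in the forest"


def check_membership_plan(plan, level):
    """Return the entries of a (member_kind, member_domain, group_scope, group_domain) plan that are rejected, with reasons."""
    rejected = []
    for member_kind, member_domain, group_scope, group_domain in plan:
        ok, why = can_be_member(member_kind, member_domain, group_scope, group_domain, level)
        if not ok:
            rejected.append(((member_kind, member_domain, group_scope, group_domain), why))
    return rejected


# Constructed plan for a forest with two domains, corp and eu.
SAMPLE_PLAN = [
    ("user", "corp", "global", "corp"),
    ("global", "corp", "global", "corp"),
    ("global", "eu", "domain_local", "corp"),
    ("universal", "eu", "domain_local", "corp"),
    ("domain_local", "eu", "domain_local", "corp"),
    ("global", "eu", "universal", "corp"),
]

if __name__ == "__main__":
    for level in ("Windows 2000 mixed", "Windows Server 2003"):
        print(level)
        for entry, why in check_membership_plan(SAMPLE_PLAN, level):
            print("  rejected", entry, ":", why)
```

Run at the two levels, the same plan loses four entries at Windows 2000 mixed and only one (a domain local group from another domain) at Windows Server 2003, which is the practical meaning of the second bullet above.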

Technical Reviewer

Martin Grasdal (MCSE+I, MCSE W2K, MCT, CISSP, CTT+, A+) is an independent consultant with over 10 years of experience in the computer industry. Martin has a wide range of networking and IT managerial experience. He has been an MCT since 1995 and an MCSE since 1996. His training and networking experience covers a number of products, including NetWare, Lotus Notes, Windows NT, Windows 2000, Windows 2003, Exchange Server, IIS, and ISA Server. As a manager, he served as Director of Web Sites and CTO for...

Setting up a Smart Card for User Logon

1. Log on to your workstation with a user account that has permissions to the appropriate certificate template in the domain where the user's account is located, and permission to enroll other users for certificates. The account used for Exercise 3.04 has these permissions.
2. Open Internet Explorer, and browse to http://servername/certsrv, where servername is the name of the CA on your network.
3. Select Request a certificate for a smart card on behalf of another user by using the smart card...

Creating Group Accounts

In addition to the built-in groups that are created when Active Directory and other services are installed on DCs, you can also create group accounts to suit the needs of your organization. To create group accounts, you can use either Active Directory Users and Computers or the DSADD command-line tool. Regardless of the method you use, only members of the Administrators group, Account Operators group, Domain Admins group, Enterprise Admins group, or another user or group that's been delegated...

Pre-Creating Multiple Parent-Child Trust Relationships

If you need to restructure a domain that is both a child domain and a parent domain, you will need to create shortcut trust relationships in two places. For example, suppose you want to restructure the Zoo.net forest, shown in Figure 4.48, so that the Striped.angel.fish.zoo.net domain becomes a direct child of Fish.zoo.net, and the Angel.fish.zoo.net domain becomes a child of Catfish.net. This restructure operation calls for four shortcut trusts that will become the two parent-child trust...

Forest and Domain Functional Levels

Functional levels are a mechanism that Microsoft uses to remove obsolete backward compatibility within Active Directory. It is a feature that helps improve performance and security. In Windows 2000, each domain had two functional levels, which were called modes: native mode and mixed mode, while the forest only had one functional level. In Windows Server 2003, there are two more levels to consider in both domains and forests. To enable all Windows Server 2003 forest- and domain-wide features,...

Creating a New Domain Tree in an Existing Forest

3. Log in as a local Administrator.
4. Click OK to start the Active Directory Installation Wizard.
5. In the Welcome to the Active Directory Installation Wizard window, click Next.
6. In the Operating System Compatibility window, click Next.
7. In the Domain Controller Type window, click Domain controller for a new domain, and then click Next, as shown in Figure 4.18.

Figure 4.18 The Domain Controller Type Dialog Box Used for a New Domain Tree in an Existing Forest...

Using ADSI Edit to Add DNS Suffixes to msDS-AllowedDNSSuffixes

1. Click Start > Programs > Windows Server 2003 Support Tools > Tools > ADSI Edit.
2. In the scope pane, right-click ADSI Edit and select Connect to.
3. Under Computer, click Select or type a domain or server name, and then click OK.
4. Double-click the domain directory partition for the domain you want to modify.
5. Right-click the domain container object, and select Properties.
6. In the Attributes box, on the Attribute Editor tab, double-click the msDS-AllowedDNSSuffixes attribute.
7. In the...

Command Line Tools

Windows Server 2003 provides a number of command-line tools that you can use for managing Active Directory. These tools use commands typed in at the prompt, and can provide a number of services that are useful in administering the directory. The command-line tools for Active Directory include:

Cacls: Used to view and modify discretionary access control lists (DACLs) on files.
Cmdkey: Used to create, list, and delete usernames, passwords, and credentials.
Csvde: Used to import and export data from the...

Logical vs Physical Components

The components making up Active Directory can be broken down into logical and physical structures. Logical components in Active Directory allow you to organize resources so that their layout in the directory reflects the logical structure of your company. Physical components in Active Directory are similarly used, but are used to reflect the physical structure of the network. By separating the logical and physical components of a network, users are better able to find resources, and...

Pre-Creating a Tree-Root Trust Relationship with the Forest Root Domain

When you restructure a domain to become a new tree root, you must pre-create two one-way, transitive trust relationships with the forest root domain. For example, suppose you have a three-level-deep tree and you want to shorten it by creating a new tree. This will move the lowest domain to become a new tree-root domain. Figure 4.50 shows the two one-way shortcut trusts you create, and Figure 4.51 shows the tree-root trust relationship after the restructuring. Striped.angel.fish.zoo.net becomes...

Locating Transferring and Seizing the Infrastructure RID and PDC Operations Master Roles

The Infrastructure Master is responsible for updating references from objects in the local domain to objects in other domains. There can be only one Infrastructure Master DC in each domain. The RID Master processes Relative ID (RID) pool requests from all DCs in the local domain. There can be only one RID Master DC in each domain. The PDC Emulator is a DC that advertises itself as the PDC to workstations, member servers, and BDCs running Windows NT. It is also the Domain Master Browser, and handles...

Using the New System State Backup Method

Windows 2000 only offered two choices when deploying DCs and GC servers for remote sites, and neither choice was ideal for many companies. The first choice was to build the server at the home office where it could replicate over the LAN, and ship it to the remote location. This worked, as long as you got the new server online within the 60-day tombstone lifetime. If you didn't, the DC or GC could reanimate previously deleted Active Directory objects, including user accounts. The second choice...

Built-In Group Accounts

As we saw when we discussed user objects, a number of built-in accounts are automatically created when you install Active Directory. This not only applies to user accounts, but group accounts as well. Many of these groups have preconfigured rights, which allow members to perform specific tasks. When users are added to these groups, they are given these rights in addition to any assigned permissions to access resources. The groups that are created when Active Directory is installed can be...