Policy Based Administration

Earlier versions of Windows NT had the ability to create policy files to control certain aspects of a user's environment. While this capability was useful, it was limited in scope: you could create policies only for users, groups, or computers. The level of control was also limited to a very select set of parameters, things like access to the display options on a computer or the ability to disable the Run option on the Startup menu. All in all, administrators had more control than was available with...

Installing NetBEUI

The NetBEUI network protocol is not installed by default when you set up a domain controller with Windows Server 2003 and select network protocols, but it is available on the installation CD-ROM. (Given that NetBEUI is such a chatty protocol, your goal should be to reduce or eliminate its use anyway.) Follow the procedure below to copy files manually to the systemroot, which is the drive and folder that stores the active Windows directory (e.g., C:\Windows), and then to activate NetBEUI in the...

Distinguished Names

The distinguished name (DN) of any object identifies the entire path through the AD structure to find that object. Every object within an AD tree has a DN. For example, Katie King, who works in the Reno sales department of King Technologies, would have the following DN Katie King is the actual name given to the object in the AD database. Sales is an OU within the Reno container. Reno is an OU within the KingTech container. KingTech is the organization at the top of the structure. com represents...

Forcing Replication

One possible scenario for forcing replication is to synchronize your servers before taking one down for maintenance. Active Directory Sites and Services can force replication between partners. When you click the destination server and open its NTDS settings, its partner(s) are listed in the details pane. Right-click to select one, then choose Replicate Now on the menu. As shown in Figure 14.17, HQ2 is the destination, while DC3, the source, is the server about to be taken offline. The fact that...

Creating an Auxiliary Class

An auxiliary class is used to extend another object class. For example, suppose you have two types of users: permanent and temporary. While the normal user object is perfect for your permanent employees, it does not contain attributes sufficient for your temporary workers. To resolve this, you first create an auxiliary class (called, for example, tempWorker) that contains a number of additional attributes, and then you declare it as an auxiliary class for the user class. This makes these...

Inter Site Replication

Since connections between sites have limited bandwidth, we prefer to schedule replication to occur at specific times when network activity is low. Domain controllers will be updated across our WAN links, but latency becomes a factor. Transmissions between sites can use RPC over IP for synchronous connections, or SMTP for asynchronous, unreliable links. SMTP can send schema, configuration, and Global Catalog updates, but it cannot send data for the directory partition, since the File Replication...

Using DNS to Find a Domain Controller

One of the most important uses of DNS in an Active Directory environment is that of locating domain controllers. Remember that one of the goals of moving to a DNS-based name resolution process was to reduce or eliminate our dependence on NetBIOS broadcast technology. On a network that consists of only Windows 2000/Windows Server 2003 (or newer) computers, NetBIOS and WINS traffic can be completely eliminated. Since finding a domain controller is critical to the process of logging in, let's take...

Figure

Figure: Adding the Value Name and Data Type to the Registry (Registry Editor, HKEY_LOCAL_MACHINE on Local Machine).

13. We're ready to migrate. Log on to both domain controllers with your Administrative account. At the AD domain controller, go to Administrative Tools and activate the Active Directory...

Global Catalog Servers

A Global Catalog server is an AD server that holds a partial replica of the entire tree. This replica holds a limited amount of information about every object within the forest, usually those properties that are necessary for network functionality or those properties that are frequently asked for or searched against. The Global Catalog is referenced when a user looks for an object outside of their domain, thus eliminating the call to a domain controller at the destination domain. The list of...

The AD Installation Wizard

AD is installed by using the Active Directory Installation Wizard (the actual file is named DCPromo.exe and is located in the <windows_root>\System32 directory). The wizard leads you through the entire installation process, asking you for information on the first domain controller, domain, site, and other configuration information. AD must be installed on a volume that has been formatted with NTFS 5 or higher. The wizard itself is fairly straightforward. It starts with the obligatory...

Event Viewer

Event Viewer adds a Directory Services log for domain controllers, which you should monitor regularly. It can be a great source of AD-related information. Event 701 reports each time your AD database file has been defragmented online. You can also view logs recorded on other domain controllers, one at a time. Figure 14.35 displays a Warning event that should be heeded. [Figure 14.35: Warning event; Category: Knowledge Consistency; Event ID: 1308; User: NT AUTHORITY\ANONYMOUS LOGON.] The Knowledge Consistency Checker...

System State Data

System State Data refers to a computer's essential system files. The specific files differ according to a computer's role. Be sure to back up these files regularly. They are necessary to restore Active Directory Services to a domain controller. System State Data can only be backed up using normal or copy methods. Actually, I would dedicate a separate backup to System State. In the case of a domain controller, System State files include these: System files under Windows File Protection...

The Difference between DNS and AD Domains

For some reason, our industry often uses the same term to represent completely different things. In Chapter 7 we discussed DNS (Domain Name System) domains. A DNS server is used to resolve TCP/IP host names into IP addresses. A DNS domain represents a piece of the overall DNS namespace. DNS is a service used to find resources: a process submits a host name, and DNS attempts to find a record that matches. If a match is found, DNS returns the appropriate IP address to the requestor. As such, we...