Securing the partitions

Windows Server 2003 enables administrators to efficiently manage domain partitions in very large enterprises. The new Credential Manager helps by providing a secure store of user credentials and certificates. By selecting authentication services in the catalog, you automatically add the Credential Manager to the system. When a user's computer requests authentication through NTLM or Kerberos, the Update Default Credentials or Save Password checkbox appears in the dialog box; selecting it lets the Credential Manager keep track of the user's name, password, and related information. On the next visit, the Credential Manager automatically supplies the stored credentials. Trusts also simplify cross-domain security issues.

If you have two Windows Server 2003 partitions or forests that are connected by a trust, authentication requests can be routed between the partitions, providing seamless coexistence of resources. Authentication protocols follow trust paths, so the service principal name of the resource computer must be resolvable to a location in the partner partition. Service Principal Names (SPNs) are used to support authentication between a service and a client application. The SPN can be one of the following names:

For users who access a resource from a computer located in another partition, Kerberos contacts the Key Distribution Center (KDC) on a domain controller within its own domain to request a session ticket for the SPN of the resource computer. The domain controller is then responsible for locating that SPN.
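The ticket request above only succeeds if the SPN resolves to exactly one account on the partner side: an unregistered SPN makes the KDC return an error (and many clients silently fall back to NTLM), while a duplicate SPN leaves the KDC unable to choose an account. The following PowerShell script is an added example, not code from the book; it assumes the ActiveDirectory module (RSAT) in a domain-joined session, and the SPN and partner domain names are hypothetical values.

```powershell
# Added example (not from the book): check that a resource computer's SPN is registered
# exactly once in the trusted partner domain before relying on cross-domain Kerberos.
# Assumes the ActiveDirectory PowerShell module; $Spn and $PartnerDomain are hypothetical.

param(
    [string]$Spn           = "HTTP/intranet.partner.example",  # hypothetical SPN of the resource
    [string]$PartnerDomain = "partner.example"                  # hypothetical trusted partner domain
)

Import-Module ActiveDirectory

function Find-SpnOwners {
    param([string]$Spn, [string]$Domain)
    # Query the partner domain for every object (computer or user) that carries this SPN.
    # -Server points the search at the partner domain so the trust path is actually exercised.
    Get-ADObject -Server $Domain -LDAPFilter "(servicePrincipalName=$Spn)" `
        -Properties servicePrincipalName, objectClass |
        Select-Object DistinguishedName, objectClass
}

$owners = @(Find-SpnOwners -Spn $Spn -Domain $PartnerDomain)

switch ($owners.Count) {
    0 {
        Write-Warning "No account in $PartnerDomain holds $Spn; the KDC cannot issue a ticket and clients may fall back to NTLM."
    }
    1 {
        Write-Output "OK: $Spn is registered to $($owners[0].DistinguishedName) ($($owners[0].objectClass))"
    }
    default {
        Write-Warning "Duplicate SPN: $Spn is registered on $($owners.Count) accounts; Kerberos authentication to it will fail."
        $owners | Format-Table -AutoSize
    }
}

# Show the trust relationships the ticket request has to traverse, so a missing or
# one-way trust is visible next to the SPN result.
Get-ADTrust -Filter * | Select-Object Name, Direction, TrustType, ForestTransitive
```

Run it from a workstation in the user's own domain, since that is where the KDC lookup starts. The same check can be done with the `setspn` utility (`setspn -Q <spn>` for a lookup, `setspn -X` for a domain-wide duplicate scan), but the script form makes it easy to loop over every SPN a migration depends on.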

Windows Server 2003 also introduced a new Group Policy management solution that unifies Group Policy management. The Group Policy Management console integrates existing policy functionality into one simplified console. The following tools are all integrated into the Group Policy Management console:

♦ Active Directory Users and Computers snap-in

♦ Active Directory Sites and Services snap-in

♦ Resultant Set of Policy snap-in

♦ Access Control List (ACL) editor

♦ Delegation Wizard

These tools enable administrators to perform all necessary core Group Policy tasks from within the console. The following list shows a few benefits of the Group Policy Management console:

♦ Backup/restore of Group Policy Objects

♦ Import/export and copy/paste of GPOs and Windows Management Instrumentation (WMI) filters

♦ HTML reports for GPO settings and Resultant Set of Policy (RSoP) data. (These reports enable printing, saving, and read-only access to GPOs.)

♦ Scripting of Group Policy operations provided by this tool. (Note: This does not include scripting of settings within a GPO.)
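The backup, report, and import operations in the list above are exactly the ones an administrator wants scripted, so that a GPO can be rolled back after a bad change and its settings can be reviewed offline. The script below is an added example and is not the book's code; it uses the GroupPolicy PowerShell module that ships with later Windows Server releases rather than the GPMC COM scripting interfaces the book refers to, and the backup path and GPO names are hypothetical values.

```powershell
# Added example (not from the book): script GPMC-style backup, reporting, and copy of GPOs.
# Assumption: the GroupPolicy PowerShell module (GPMC feature on later Windows Server)
# is installed. $BackupRoot, $GpoName and $TargetName are hypothetical values.

param(
    [string]$BackupRoot = "C:\GPOBackups",                 # hypothetical backup location
    [string]$GpoName    = "Workstation Security",          # hypothetical source GPO
    [string]$TargetName = "Workstation Security - Copy"    # hypothetical target GPO
)

Import-Module GroupPolicy

# 1. Backup: every GPO in the domain goes into a timestamped folder so that any
#    later change can be reverted with Restore-GPO.
$stamp  = Get-Date -Format "yyyyMMdd-HHmm"
$target = Join-Path $BackupRoot $stamp
New-Item -ItemType Directory -Path $target -Force | Out-Null
$backups = @(Backup-GPO -All -Path $target -Comment "Scheduled backup $stamp")
Write-Output "Backed up $($backups.Count) GPOs to $target"

# 2. HTML reports: a read-only view of all GPO settings for review or printing.
Get-GPOReport -All -ReportType Html -Path (Join-Path $target "AllGPOs.html")

# 3. Resultant Set of Policy for this computer, as HTML, next to the GPO reports.
Get-GPResultantSetOfPolicy -Computer $env:COMPUTERNAME -ReportType Html `
    -Path (Join-Path $target "RSoP-$env:COMPUTERNAME.html")

# 4. Copy: importing a backup into another GPO is how GPMC copies settings;
#    -CreateIfNeeded creates the target GPO when it does not exist yet.
Import-GPO -BackupGpoName $GpoName -Path $target -TargetName $TargetName -CreateIfNeeded | Out-Null
Write-Output "Imported settings of '$GpoName' into '$TargetName'"

# 5. Restore is the inverse of step 1; shown for reference, not executed here:
#    Restore-GPO -Name $GpoName -Path $target
```

Note that, as the list states, the scripting interface operates on whole GPOs: backup, report, import, link, and permission operations. Individual settings inside a GPO are still edited with the Group Policy Object Editor (or, on later releases, registry-backed settings only, via Set-GPRegistryValue).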

The Group Policy Management console supports management of Windows 2000 Server domains. To run it on Windows XP Professional, Service Pack 1, an additional post-Service Pack 1 hotfix, and the .NET Framework must be installed.

The Group Policy Management console also enables management across domain partitions, all within a simple user interface with drag-and-drop support. This management tool is available as a separate component that is downloadable from Microsoft's Web site at

