Managing User Objects with Active Directory

User objects are special objects within the directory. After all, if it wasn't for users, there wouldn't be much need for enterprise networks. In traditional networks such as Windows NT, User objects are mostly managed through the groups they belong to. Groups are also present in Active Directory. In fact, it is essential to have a comprehensive group management strategy within your WS03 network if you want to be able to administer user-related events within it. But group management is not the...

GPO Inheritance and Blocking

In addition to the application order, you can control the inheritance settings for GPOs. This means that if you assign a setting at the domain level or any other higher level, you can ensure that your setting is the one that is propagated to the object whether or not there are conflicting settings lower down in the application hierarchy. This is done by forcing GPO inheritance. Normally, GPOs are inherited automatically throughout the GPO application order. If a setting is enabled at the domain...

Managing and Administering Groups

User objects are created within the directory for a variety of reasons. One of the most important is the assignment of permissions, both within the directory and to objects outside the directory such as printer queues and file folders. Permissions are assigned through the use of groups. In fact, one of the first best practices you learn in any network environment is that you never assign permissions to individual users; you always assign them to groups. Assigning...

Service Positioning Best Practices

Use the following rules to design your Service Positioning scenario:
In large AD structures, place the forest-wide Operation Masters in a Protected Forest Root Domain.
If your forest spans multiple sites, place the Schema Master in one site and the Domain Naming Master in another.
Carefully protect the access to the Schema Master role.
Place the RID Master and the PDC Emulator roles on the same DC.
Create a dedicated PDC Emulator role in domains that have more than 50,000 users.
Separate Global...

DNS Server Positioning

Network performance is exactly the reason why the DNS service is the fourth Active Directory service that needs positioning for optimal directory operations. Since part of the AD structure is based on the Domain Name System, and since all logons must resolve the name and location of a domain controller before being validated, the DNS service has become a core Active Directory service. When positioning services for AD, you will quickly learn that you should marry the DNS service with the domain...

The Member Server Baseline Policy

Another security policy that is global to a group of objects is the Member Server baseline policy. This policy includes a variety of settings that are applied to all servers. It is located in the Services OU and because it is the parent OU for all Member Servers, it is applied to all of them. Because of this, each specific server role GPO includes only incremental security settings as well as the settings it requires for its role to function properly. For example, in order to provide additional...

The Server Lifecycle

As mentioned previously, building a network is 80 percent planning and preparation and 20 percent implementation. The process of building servers is the same. Servers are designed to meet specific requirements within your network. More will be discussed on this topic later, but for now, it is sufficient to say that, like all network components, servers have a lifecycle within the enterprise network. It begins with the Purchasing Process, then moves on to the IT Management Process to end with...

Using the Technological Lab as a Testing Ground

The final preparation activity for your WS03 enterprise network project is the preparation and implementation of a technological laboratory. Since application compatibility testing and proofs of concepts are an integral part of the design and preparation process, the technological laboratory is crucial. The laboratory should contain enough technologies to be able to properly reproduce the organization's existing IT infrastructure. It should include technologies that are as recent as possible....

Access Auditing and Monitoring

The final aspect of Level 4 is auditing. It is important to track resource use and monitor log files to ensure that users have appropriate access rights and that no user tries to abuse their rights. Auditing is a two-step process in WS03. First, you must enable the auditing policy for an event. Then, for given types of objects, you must turn on auditing for the object you want to track and identify who you want to track. WS03 lets you audit several different types of events: account logon...

Creating the File Server

There are several processes involved in the creation of a File Server. The overall File Server Creation Process is outlined in Figure 7-3. The place to start is with the creation of the server itself. Use the process outlined in Chapter 2 to create a basic Member Server. This server is based on the Server Kernel, but its primary role will be
Enable quotas on the server
Enable Indexing service through Manage Your Server
Create shares through the File Server Management console and Share a Folder...

Using the Active Directory Migration Tool

The ADMT offers several features for the support of the Parallel Network Migration Approach. It is fairly simple to use. Its installation is based on a Windows Installer file (as are the Support Tools, the Resource Kit, the Group Policy Management Console, and other WS03 add-ons and installable components) that is located on the WS03 CD in the i386\ADMT folder. Simply double-click the ADMIGRATION.MSI file to install it. Once it is installed, you can launch the ADMT console by moving to...

Preparing the Parallel Network

Chapter 1 outlined eight different enterprise network server roles (including the Failsafe Server). These roles are illustrated in Figure 4-2. Two of these are required for the initial implementation of the parallel network: Network Infrastructure and Identity Management Servers. You will need to perform:
> Server installation and configuration
> DNS configuration finalization
> Time service configuration (Table 4-1)
> Alert management configuration
> Default group policy customization
First...

Quick Tip

WS03 now includes a new system account: the NetworkService account. This account has fewer privileges than the LocalSystem account and should be used to start services on high-risk servers. Thus, if someone manages to take control of a service and wants to use it to take control of the machine, they will not have the privileges to do so. Once you have identified the registry keys, files, folders, and services you want to modify, you can move on to the creation or modification of your security...

Using a Commercial Migration Tool

The ADMT is a very powerful tool, especially in its second edition, but it does not do everything in a migration. If you find that you have several thousand users and several gigabytes of data to migrate in multiple locations, you may decide that the ADMT is not enough. In this case, you may decide to use a commercial migration tool. There are several on the market, and all of them include the capability to migrate both accounts (or other directory objects) and networked user data. Thus,...

Policy Design

The policy application process outlines a clear division between computer and user settings. This is by design. Policies are also divided into two parts: computer configuration and user configuration. Since both portions are designed to address specific settings for either a machine or a user, you can and should disable unused portions of GPOs. You can open a GPO's properties and disable either the computer or the user portion of a GPO. Disabling both computer and user settings has the...

CommVault Galaxy

CommVault Systems, a Microsoft Gold Certified Partner, produces a backup technology called Galaxy. Galaxy is an enterprise data protection technology that is fully integrated with Windows Server 2003. It fully supports backing up and restoring System State data; it is integrated with the Volume Shadow Copy Service; it provides a feature similar to ASR, allowing administrators to restore downed servers from scratch using a recent backup; and it fully knows and understands Active Directory. It...

Production OU Design Best Practices

Keep the following rules in mind when you create OU structures:
Think in terms of equipment and objects in the directory.
Determine how you will implement the administrative delegation process.
Identify standards for all administrative categories in the organization.
Use the administrative service or function or the line of business to name OUs. These tend to be more stable than organizational structure.
Limit your structure to five levels, three if you are not responsible for the finalization...

DNS Configuration Finalization

The Active Directory DNS service installation prepares the DNS server to operate with Active Directory, but it does not complete a full DNS configuration. Several elements are required to complete the configuration:
Set Aging/Scavenging for all zones.
Verify application partitions for DNS replication.
Finalize DNS Forward Lookup name resolution configuration.
Finalize Reverse Lookup name resolution configuration.
DNS server configuration is performed through the Computer Management Microsoft...

Index

Acceptance testing, 7
Account Lockout Policy, 211
account policy elements, 390, 392-393
accounts, user: migrating from NT to WS03, 447-448; security policies, 97; templates for, 254-255; vendors, 254
ACPI (Advanced Configuration and Power Interface), 54
Acquisition Process stage, 7
ACS (Application Center Server), 463
Active Desktop, 278-279
Active Directory (AD): best practices, 79, 100-104, 115-116, 137, 245-257; namespace, 101-104; nature of, 85-87; new features, 83-85; ongoing design process, 137...

Caution

The first is directly through a GPO by importing the template into the GPO. This is done by selecting Import Policy from the context menu displayed when you right-click Computer Configuration | Security Settings in the Group Policy Object Editor. This displays a dialog box that lists available templates.
[Figure: Import Policy dialog box listing the available security templates, among them hisecdc.inf, hisecws.inf, NewWS.inf, rootsec.inf, sceregvl.inf, securedc.inf and the w2k_* templates]
Clear this,...

Delegation in Active Directory

Delegation in Active Directory is performed through the use of a wizard. The tool you use to perform delegation depends on the object you want to delegate. If it is a site, you need to use the AD Sites and Services console. If it is a domain or an OU, use the AD Users and Computers console. Delegation is simple: right-click the object you want to delegate and choose Delegate Control to launch the Delegation Wizard. WS03 includes a series of preassigned tasks you can delegate. These include...

WMI Filtering

Windows Management Instrumentation is a management infrastructure in Windows that allows the monitoring and controlling of system resources through a common set of interfaces and provides a logically organized, consistent model of Windows operation, configuration, and status. WMI is Microsoft's answer to the Desktop Management Task Force's (http://www.dmtf.org) Desktop Management Interface (DMI). The DMTF designed DMI to allow organizations to remotely manage computer system aspects such as...

Establishing a Shared Printer Policy

Now that you have a basic understanding of the printing support features of Windows Server 2003, you can begin to establish your enterprise shared printer policy. This policy should be fully documented and distributed to all technicians. It should include:
Printer selection criteria (based on Designed for Windows certified printers)
Minimum criteria for the addition of a shared printer
Default printer setting standards
Version 3 digitally signed drivers for all printers
A standard printer naming...

Recovery Strategies for Windows Server

Recovery strategies for WS03 depend on the type of problem you encounter, of course, but they include:
Driver rollback: If you install an unstable driver on your system, you can use the driver rollback feature to restore the previous version of a driver, so long as you can still log into your system. This is done by viewing the device properties in the Device Manager (System Properties, Hardware tab), moving to the Driver tab, and selecting Roll Back Driver.
[Figure: Driver tab of the AMD PCNET Family PCI Ethernet Adapter properties dialog]...

Naming Best Practices

[Table fragment: naming standard based on stable structure. Note: if there are multiple service instances, use an additional service numbering scheme. Columns include Region, Registered Number, Forest Name, Member Servers, Services (HIS, SMS, SQL, and so on).]
...used to locate domain controllers at logon. For this reason, you should avoid using third-party DNS servers with Windows, especially if they are non-Windows based. WS03 brings several enhancements to the DNS service so long as it is integrated with AD. With WS03, the DNS service has moved from being simply a...

Authoritative Active Directory Restores

One of the most significant issues with NTBackup and WS03 in general in terms of backup and especially restoration is Active Directory. Active Directory is a complex database. Often, the best way to restore a downed domain controller is to rebuild the DC to a certain level, then let multimaster replication take over to bring the server up to date. The impact of this recovery strategy is that it taxes the network, especially if the DC is a regional server. It all depends on the level to which...

Time Service Configuration

Enterprise networks are very sensitive to time synchronization. That's why WS03 includes a built-in time synchronization system. In a WS03 forest, the Windows Time Service configures itself automatically, taking advantage of the time service that is available on domain controllers. A special domain controller, the PDC Emulator, serves as the authoritative source for time within a domain. In a forest, PDC Emulators synchronize with time sources in parent domains. Ultimately, only one server...

Do You Tip Dfs Drivers

The DFS process is fully detailed in the book Windows Server 2003 Deployment Kit: Designing and Deploying File Servers, in the Planning Server Deployments volume (Microsoft Press, 2003). It is highly recommended reading if you want to make full use of DFS in your enterprise. Clients can view DFS shares in the same way they view standard shared folders, through My Network Places. But the best way to give clients access to domain DFS roots is to send them a shortcut to the root. The advantage of the DFS...

Documenting Server Installations

In addition, you'll need to document every Server Installation. The best way to do this is to use a standard Server Data Sheet. As mentioned previously, you can obtain the Server Data Sheet from the companion Web site. It can be used either on paper or in electronic format. It can also be adapted to database format. In support of the Server Data Sheet, you will need a Kernel Data Sheet outlining the contents of the Server Kernel for this particular version of the kernel. Each sheet should...

New IP Features in WS

Windows Server 2003 is completely based on the TCP/IP protocol. In fact, the entire functioning of the WS03 Active Directory, the core of the WS03 network, is based on TCP/IP addressing and name resolution. As such, the TCP/IP protocol in WS03 becomes a core component of the WS03 enterprise network. Since WS03 relies so heavily on TCP/IP, Microsoft has enhanced the protocol and improved it over and above the many improvements included in Windows 2000. These improvements include: Automatic...

Designing an Internal Public Key Infrastructure

PKI implementations can be quite complex, especially if you need to use them to interact with clients and suppliers outside your internal network. The main issue at this level is one of authority: are you who you say you are, and can your certificates be trusted? When this is the case, you must rely on a third-party authority specializing in this area to vouch for you and indicate that your certificates can and should be trusted. WS03 can play a significant role in reducing PKI costs in these...

WS Printer Drivers

WS03, like Windows 2000, uses three core printer drivers: the Unidriver, PostScript, and a Plotter driver. Each of these drivers provides the core printer protocol. Along with the core drivers, Windows Server 2003 calls upon a printer definition file for each type of printer in your network. This vastly simplifies the driver development process because all driver structures are standardized. These core drivers have been defined in conjunction with independent hardware vendors to ensure stability...

Securing Level Through Group Policy Objects

The best way to manage authentication, authorization, and auditing is through Group Policy. Authorization has been covered to some extent in the discussion on Operating System Hardening, and especially in access control of directory, file system, and registry objects. As you have seen, the latter two can be configured through the Security Configuration Manager. Directory objects are secured as you create them. For example, the delegation procedures you use when creating your OU structure are...

Chapter Roadmap: Putting the Enterprise Network into Production

Migrating Data, Users, and PCs to the Parallel Network (Figure 10-1)
> Using the Active Directory Migration Tool
> Creating Domain Data Reports
> Special ADMT Considerations
> Transferring Networked User Data
> Using a Commercial Migration Tool
Decommissioning the Legacy Network
New and Revised AD IT Roles (Figures 10-2, 10-3)
Designing the Services Administration Plan (Figure 10-4)
Windows Server 2003 Administration Tools
Final Recommendations
Best Practice Summary
Sample list of tasks per...

Software Installations with WS

Windows Server 2003 includes a set of Group Policy objects that can be used to deliver software to both users and computers. These GPOs are closely tied to the Windows Installer service, which is available for both PCs and servers. Windows Installer is a service that has been designed to help take control of the software lifecycle. This does not only mean remote installation of software; more specifically, it means software upgrades, patches, maintenance fixes, and something which is more...

Schema Modification Strategy Best Practices

Use the following schema modification best practices:
Don't make your own modifications to the schema unless they are absolutely necessary.
Use AD primarily as a NOS directory.
Use AD/AM to integrate applications.
Use MMS 2003, Standard Edition to synchronize AD and AD/AM directories.
Make sure all commercial products that will modify the schema are Windows Server 2003 Logo approved.
Limit your initial modifications to modifications by commercial software.
Create a Schema Change Policy Holder...

Windows Server

As the 22nd edition of Windows, this version is designed specifically for servers. It is a successor to Windows 2000 Server and uses the same core code as its predecessor. In this case, Microsoft did not perform a complete rewrite of the Windows 2000 code (as was done with the Windows NT code when Windows 2000 was designed). This means that WS03 is a natural evolution from Windows 2000. Several of the new features of WS03 are simply improvements over their Windows 2000 counterparts. If you are...

Creating the Print Server

The Print Server Preparation Process
[ ] Identify all printers in the organization
[ ] Enable the Print Server role
[ ] Create your printer ports
[ ] Create the printers and install drivers
[ ] Identify the location of each printer
[ ] Set the spooling location for the Print Server
[ ] Set spooling options for the printer
[ ] Ensure the AD printing GPOs are set
[ ] Ensure the printer is published in AD
[ ] Ensure clients can connect to printers
Figure 7-6 The Print Server Preparation Process
5. Create your printer...

Working with the Distributed File System

The preferred technology for fault tolerance of file shares is the Distributed File System (DFS). DFS offers several enterprise features for the support and administration of file shares: DFS creates a unique file share alias through which users can access files on a server. This means that you can change the target file share without impacting users, because they access the alias and not the physical file server. The DFS alias does not only apply to file shares; it can also be applied to...

Designing the Enterprise Network Architecture

Every network infrastructure project must begin with the design of the architecture for that project. This is where you make the architectural decisions that will affect how you will make use of the technology you are moving to. Before you work with Windows Server 2003, you'll have to design the architecture of your network. There are a lot of elements to consider and decisions you need to make before you perform your first production installation of WS03. The Enterprise Network Architecture...

Considerations for the Migration of Services to the Parallel Network

Remember, when you migrate services from your existing network to the parallel network, you must perform a server rotation. Thus when you select a service to migrate, you should prepare the new servers first and ensure that you have a fallback solution in case of service failure. Ideally, you will be able to migrate a service, stabilize the servers, and then proceed to client migration. For client migration, you will need to migrate their PCs to Windows XP in order to fully profit from the new...

Moving Servers and Configuring Domain Replication

Now that all your servers are ready, you can move them to a new physical site. When you move DCs to another site, you need to ensure that Active Directory replication operates properly. For this, you need to work with the Active Directory Sites and Services console. Chances are that you'll also have to modify some of the properties of the DCs and Network Infrastructure Server you move. As you know, it is preferable not to modify a DC's IP address. Thus, your staging center would ideally include...

The People OU Structure

The People OU structure must support both user-based Group Policy application as well as some user administrative task delegation. Since Active Directory is a database that should be as static as possible, you want to ensure that your People OU structure will be as stable as possible. Each time you perform massive changes to the OU structure, it is replicated to every domain controller within the production domain. This is the reason why you do not want to include your organizational structure...

Sharing Applications Terminal Services

The Terminal Service is a core WS03 feature. In fact, with WS03, Terminal Services can now automatically provide load balancing of terminal applications. For this feature to work, Terminal Servers must be clustered at the network level to work together to run a common set of applications and appear as a single system to clients and applications. To do this, they must be clustered through the Network Load Balancing service. Once this is done, Session Directories can be used to transparently...

Fast Logon Optimization

As mentioned previously, Windows XP provides Fast Logon Optimization to speed the process of opening a user session on a corporate PC. Fast Logon Optimization refers to a feature in XP that supports the asynchronous application of some policy settings. These settings are related to three specific policy categories. All other policy settings are applied synchronously. Remember also that GPOs are only applied if they have changed, unless otherwise specified in your Group Policy application...

Designing the Network Services Infrastructure

Preparing File and Print Servers
Sharing Files and Folders
Creating the File Server
Managing Folder Availability
Sharing Printing Services
Sharing Files and Printers for Non-Windows Clients
Preparing Application Servers
Preparing Terminal Servers
Collaboration Servers
Additional Network Infrastructure Server Functions
Server System Requirements by Role
Designing the Services OU Structure
Considerations for the Migration of Services to the Parallel Network
Best Practice Summary
Chapter Roadmap...

The Service Lifecycle

IT service lifecycle models abound in the industry. Microsoft first published an IT service lifecycle management model in a white paper entitled Planning, Deploying and Managing Highly Available Solutions, released in May 1999 (search for the document name at http://search.microsoft.com). This model identified four phases of service lifecycle management:
Planning: Identifying and preparing solutions for deployment
Deployment: Acquiring, packaging, configuring, installing, and testing deployment...

Administering Code Access Security

The entire CLR security allocation process is referred to as Code Access Security (CAS). Two tools are available for .NET Framework administration in Administrative Tools: the .NET Framework Configuration Console and the .NET Framework wizards. The latter contains three wizards that walk you through a configuration process: Adjust .NET Security, Trust an Assembly, and Fix an Application. Security can be configured either through the wizards or the configuration console. If you choose to use the...

Single Affinity versus No Affinity

Each refers to the way NLB load balances traffic. Single affinity refers to load balancing based on the source IP address of the incoming connection. It automatically redirects all requests from the same address to the same cluster member. No affinity refers to load balancing based on both the incoming IP address and its port number. Class C affinity is even more granular than single affinity. It ensures that clients using multiple proxy servers to...

Consolidation Through Server Baselining

Windows Server Performance Monitor

The best way to identify consolidation opportunities is to create server baselines and base your service level agreements on them. Server baselines tell you what level of operation is acceptable for a given service under normal workloads and conditions. As you migrate services from your existing network to the new parallel network, you have the opportunity to re-architect and redesign them. Operations that used multiple small servers in your existing network can easily be consolidated into...

Upgrade versus Clean Installation

As mentioned earlier, there are some impacts to consider when deciding to upgrade or perform a new installation. Most depend on the status of your current network. Table 1-2 outlines the potential upgrade paths for all versions of WS03. There is no upgrade path to Windows Server 2003, Web Edition. Though the upgrade is much easier to perform than a clean installation, when you upgrade from Windows NT to WS03, you will lose some functionality. Windows Server 2003 no longer uses the WINNT folder....

Special ADMT Considerations

There are a few items you must keep in mind when using the ADMT. The first is related to the security identifier (SID). As mentioned earlier, all of a user's data is associated with the SID that represents the user at the time the object is created. Thus, all of a user's data will be associated with the user's legacy SID. When you transfer this data to the new network, you must use a special technique that will either carry over the user's legacy SID or translate the SID on the object to the...

Distributed Link Tracking

Windows 2000 first introduced the Distributed Link Tracking (DLT) service. This service is composed of a client and a server component. Both components are available on WS03, but only the client component is available on Windows XP. This service is designed to track distributed links, or rather shortcuts that have been created on a client computer. The basic purpose of the service is to ensure that shortcuts are always functional. For example, when a workgroup is working with a given set of files...

Implementing a New Enterprise Network

Chapter 2 introduced the concept of a parallel network for Active Directory implementation. The opportunities presented by the parallel network are quite bountiful and beneficial. For one thing, you get to recreate your production network from scratch using a design that capitalizes on the new operating system's core features. It's an ideal opportunity to revise every network concept and detail to see how it can be improved upon to further meet its basic objective, information service delivery...

Forest Design Example

Now that you're comfortable with the forest concept, you can identify the number of forests you need. Use the following examples to review the forest creation process. The first design example focuses on the identification of the number of forests for a medium-sized organization with 5,000 users. It is distributed geographically into ten regions, but each region is administered from a central location. The organization operates under a single public name and delivers the same services in each...

Using the Active Directory Blueprint

Like the Enterprise Network Architecture Blueprint presented in Chapter 1 (refer back to Figure 1-5), the Active Directory Design Blueprint emerges from the structure of Microsoft Certification Exam number 70-219, Designing a Microsoft Windows 2000 Directory Services Infrastructure. It also includes the same prerequisites: business and technical requirements analyses. The advantage of using the same blueprint structure for both operations is that you should already have most of this...

Completing the People OU Structure

Now that you have a better understanding of the major changes within WS03 for user management and administration, you are ready to begin the completion of your People OU infrastructure. The easiest way to do so is to detail the requirements for each OU within a table much like the one you used for the PCs OU design in Chapter 5 (Table 5-1). Table 6-4 outlines a possible People OU structure for T&T Corporation. As mentioned before, T&T has several main offices where user creation is...

Installing the First Server in a Forest

The place to start is with the very first server in the forest. This server will have several characteristics: it will be a DC with integrated DNS service, it is the Schema Master for the forest, it is also the PDC Emulator and the RID Master for the forest root domain, it hosts the Global Catalog service, it synchronizes time for the forest, and it is the forest License Manager.

Server Installation and Configuration

Begin with the Server Kernel Installation per the procedures outlined in...

The OU Design Process

In this design process, administrators must create a custom OU structure that reflects the needs of their organization and proceed to the delegation of its contents where appropriate. The best place to start the design process is with the Single Global Child Domain. Since this is the production domain, it will be the domain with the most complex OU structure. Once this domain's structure is complete, it will be simple to design the structure for other domains both within and outside the...

Using Local Security Templates

Local security templates can be applied in two manners: through a graphical tool called Security Configuration and Analysis, or through a command-line tool called secedit. Both have their uses. Both can be used to analyze and configure a system based on a security template. Security Configuration and Analysis is an MMC snap-in that provides a graphical view of system configuration and analysis. This can be quite useful since it provides the same interface that you use to either create...

Server Cluster Concepts

The nodes in a Server Cluster can be configured in either active or passive mode. An active node is a node that is actively rendering services. A passive node is a node that is in standby mode, waiting to respond upon service failure. It goes without saying that, like the Failsafe Server role presented in Chapter 1, the passive node is an expensive solution because the server hardware is just waiting for failures. But if your risk calculations indicate that your critical business services...

Product Activation

Product activation is a core component of the WS03 family of products. If you purchase a retail version of any version of WS03 or a new server including the operating system, you will have to activate the product. While there are a lot of discussions on the pros and cons of product activation, one thing is sure: Microsoft needs to implement anti-piracy technologies to protect its copyrights. Activation will not be an issue for anyone acquiring WS03 through volume licensing programs such as Open...

Creating the Folder Structure

The folder structure is not the same as the shared folder structure because shares are regrouped by content type (refer to Figure 7-1). Though WS03 provides a Share a Folder Wizard that supports the creation of a folder structure on an NTFS disk, it is easier to use Windows Explorer to create the folders that will host file sharing. 1. Move to Windows Explorer (Quick Launch Area | Windows Explorer). 3. Create the three top-level folders: Administration, Applications, and Data. To do so, right-click...

Designing the Production Domain OU Structure

What's truly amazing with Active Directory is how a simple database can be used to manage objects and events in the real world. That's right, the objective of Active Directory is to manage the elements you store inside its database. But to manage objects, you must first structure them. Forests, trees, and domains begin to provide structure by providing a rough positioning for objects throughout the Active Directory database. This rough positioning needs to be vastly refined, especially when you...

Best Practices for Group Management Creation

Group management practices can become quite complex. This is why a group management strategy is essential to the operation of an enterprise network. This strategy begins with best practice rules and guidelines. It is complemented by a strategic use of Global groups or groups that are designed to contain users. The varying scopes of all of the groups within Active Directory will not help your group management activities if you do not implement basic guidelines for group usage. Thus there is a...

The Default Domain Controller Policy

The Default Domain Controllers Policy should also be modified, but the required modifications are too numerous to be listed here. The DC Promotion process will automatically secure different aspects of the local system and create the DC Security.inf template, but in most cases, additional DC security is required. In addition, it will be essential to ensure that all your domain controllers remain in the Domain Controllers organizational unit; otherwise they will not be affected by your default DC...

Other Forest Domain Designs

Now that you have determined the domain structure to implement in your production forest, you can use it to derive the structure for the other forests you created. The staging forest is simple. It should represent the same structure as the production forest. As such, it requires a parent and a child domain. Since it is designed to represent only the production environment, it does not require additional domains for training, development, or other purposes. The development and utilitarian...

Configuring the Default Domain Policy

Chapters 3 and 4 outlined the importance of configuring the two default domain policies (Default Domain and Default Domain Controllers) at the Protected Forest Root Domain. The reason for this is so that the content of these policies will propagate to child domains as soon as they are created. This means the default policies should be customized as soon as the forest root domain has been created. The Default Domain Policy is the account policy for the domain. Since only one policy can contain...

Best Practices for Site Topology Design

Use the following best practices to design your site topology: Use the default configuration for inter-site replication. Do not disable the Knowledge Consistency Checker. Do not disable transitive trusts. Do not specify Bridgehead Servers. Calculate replication latency between sites. Create sites according to network topology; Site Links and WAN links should correspond. Make sure that no single site is connected to more than 20 other sites. Each site must host at least one DC. Do not use SMTP for...

Managing Printer Permissions

Printer permissions are much the same in Windows Server 2003 as they are in Windows NT. Print management is divided into printer queue and printer management. Print operators are allowed to manage both the physical device and the logical queue. In addition, each user who prints a job has control over their own job. That is, they can delete the job, but cannot change its priority. WS03 supports the segregation of printer and document management. Printer management allows operators to stop,...

Designing a Delegation Strategy

The delegation strategy you require will have a direct impact on your organizational unit strategy. This design will also have to take into account the Group Policy object strategy you outlined above. When designing for delegation, you need to take several factors into account. Begin by identifying the business needs that influence delegation. Many of these will have been inventoried at the very beginning of your project. You also need to have a good understanding of your IT organizational...

Creating the Dummy DNS Delegation

Return to the forest root server and use the Computer Management console to create a DNS delegation. Use the following procedure: 1. Right-click on the TandT.net Forward Lookup Zone to select New Delegation from the context menu. This launches the New Delegation Wizard. Click Next. 2. Type in the name of the domain you want to delegate, in this case Intranet. Click Next. 3. Click Add. Type in the fully qualified domain name of the first domain controller in the child domain, for example,...

Structured Approach Using Standard Operating Procedures

To reduce costs and improve network stability, the corporation must implement standard operating procedures (SOPs). SOPs not only ensure stability within a network, but can also greatly reduce costs. Having documented SOPs, even for interactive or manual procedures, can vastly reduce the margin of error when performing the procedure. A well-designed SOP will also supply a contact point for reference if something goes wrong during its operation. But technical staff often does not have the time or...

Integration with Active Directory

Full support for the Windows operating system today also means integration with Active Directory. Each shared printer is now published within the directory, much in the same way file shares are. Printers are published in the directory by default. Their object names are stored in their parent domain. Users can use the directory to search for printers and automatically connect to the appropriate printing service. AD stores information about printer features and locations. Locations especially...

Multicast versus Unicast Modes

NLB clusters operate in either Multicast or Unicast mode. The default mode is Unicast. In this mode, the NLB cluster automatically reassigns the MAC address for each cluster member on the NIC that is enabled in cluster mode. If each member has only one NIC, member-to-member communications are not possible in this mode. This is one reason why it is best to install two NICs in each server. When using the Multicast mode, NLB assigns two multicast addresses to the cluster adapter. This mode ensures...

Microsoft Meta Directory Services

Microsoft Metadirectory Server

MMS is a special application that is designed to oversee multiple directory services. MMS manages the operations of several directories to ensure data integrity. If you install MMS over AD and you identify AD as the primary source of information, MMS will automatically modify the values in other directory services when you modify values in AD. The Standard Edition of MMS is available for free (http://www.microsoft.com/mms) and is designed to support the integration of data between AD, AD/AM, and...

.NET Framework Authentication

Since the .NET Framework uses Web services, authentication models rely heavily on IIS, but there are some core functionalities within the framework itself since it provides role-based security (RBS). The RBS in the framework can rely on three different types of authentication: forms-based authentication (generates a cookie), IIS authentication, and Windows authentication. The first must be programmed within the Web service. The second and third methods are administered by network operations. The...

The Castle Defense System

Medieval Castle Defense

The best way to define an ESP is to use a model. The model proposed here is the Castle Defense System (CDS). In medieval times, people needed to protect themselves and their belongings through the design of a defense system that was primarily based on cumulative barriers to entry. If you've ever visited a medieval castle or seen a movie with a medieval theme, you'll remember that the first line of defense is often the moat. The moat is a barrier that is designed to stop people from reaching the...