The Member Server Baseline Policy

Another security policy that is global to a group of objects is the Member Server baseline policy. This policy includes a variety of settings that are applied to all servers. It is located in the Services OU, and because that OU is the parent OU for all Member Servers, the policy is applied to all of them. As a result, each server role GPO needs to include only incremental security settings, along with the settings its role requires to function properly. For example, to provide additional security, you can include the Prevent IIS Installation setting (from Computer Configuration | Administrative Templates | Windows Components | Internet Information Services) in this baseline template. This way no one will be able to install IIS on any of your Member Servers. You can then disable this setting in the incremental GPO that you apply to the Application Servers and Dedicated Web Servers OU.
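The baseline-plus-incremental precedence described above can be modelled and audited in a few lines. This is an added example, not from the original text: it assumes default GPO inheritance (no Enforced links, no Block Inheritance), and the "File and Print" OU and the GPO names are constructed for illustration.

```python
# Added example: model of GPO precedence for the baseline/incremental design.
# Assumption: default inheritance only; OU "File and Print" and GPO names are constructed.
SETTING = "Prevent IIS Installation"

# child OU -> parent OU (None marks the top of the modelled branch)
OU_PARENT = {
    "Services": None,
    "File and Print": "Services",
    "Application Servers and Dedicated Web Servers": "Services",
}

# GPOs linked at each OU, in processing order.
# Setting state: True = Enabled, False = Disabled, key absent = Not Configured.
GPO_LINKS = {
    "Services": [("Member Server Baseline", {SETTING: True})],
    "File and Print": [("File and Print Incremental", {})],
    "Application Servers and Dedicated Web Servers": [
        ("Web Incremental", {SETTING: False}),
    ],
}

def ou_path(ou):
    """Return the OUs from the top of the branch down to `ou` (processing order)."""
    path = []
    while ou is not None:
        path.append(ou)
        ou = OU_PARENT[ou]
    return list(reversed(path))

def effective(ou, setting=SETTING):
    """Resolve a setting: GPOs linked nearer the computer apply later and win."""
    state, source = None, None
    for node in ou_path(ou):
        for gpo_name, settings in GPO_LINKS.get(node, []):
            if setting in settings:
                state, source = settings[setting], gpo_name
    return state, source

def audit(allowed_overrides):
    """List OUs where the baseline restriction is not in effect and not expected."""
    findings = []
    for ou in OU_PARENT:
        state, source = effective(ou)
        if state is not True and ou not in allowed_overrides:
            findings.append((ou, source))
    return findings

if __name__ == "__main__":
    print(audit({"Application Servers and Dedicated Web Servers"}))
```

Running `audit` with the set of OUs that are meant to host IIS returns any other OU where an incremental GPO has overridden the baseline, together with the GPO responsible.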

Windows 2000 introduced the concept of automatic two-way transitive trusts within an Active Directory forest. Windows Server 2003 takes this concept even further with the addition of transitive trusts between forests. But even though trusts are now mostly automatic, some degree of management is still required, because whenever a trust is created, you give people and objects in other AD containers access to your forests or domains.

There are several types of trusts in Windows Server 2003. They are outlined in Table 8-3.
