MCSE in a Nutshell: The Windows 2000 Exams

By Michael Moncur & Paul Murphy
February 2001
0-596-00030-8, Order Number: 0308
478 pages, $29.95

Part 3, Chapter 2
Study Guide

This chapter includes the following sections, which address various topics covered on the Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure MCSE exam:

Introduction to Active Directory
Introduces the vocabulary and concepts needed to understand the Windows 2000 Active Directory architecture.

Installing Active Directory
Discusses the steps necessary to plan for and install Active Directory. It also describes how to verify that the installation was successfully completed.

Configuring Active Directory
Describes how to set up the Organizational Unit (OU) structure and discusses the creation and management of Active Directory components.

Active Directory Objects
Describes the building blocks of Active Directory objects. Discusses how to create, manage, and move objects through the use of Group Policies, administrative templates, and software policies.

DNS for Active Directory
Describes the creation and integration of DNS zones. Includes dynamic updates, DNS monitoring, and replication.

Directory Maintenance and Replication
Describes both intersite and intrasite replication.

Remote Installation Service (RIS)
Describes the steps necessary to automatically deploy Windows 2000, including disk images, security, and troubleshooting Remote Installation Service.

Active Directory Security
Discusses issues related to Directory Services infrastructure and Group Policy security. Describes security templates, audit policies, and security events.

Active Directory Maintenance
Describes techniques for managing accounts and backing up and restoring Active Directory. Discusses how to optimize the performance of both Active Directory and the domain controllers that support it.

Troubleshooting Active Directory
Discusses how to troubleshoot problems with DNS, Group Policies, Active Directory components, and software deployment. Describes how to recover from a system failure.

Introduction to Active Directory

Active Directory replaces the Windows NT domain model. It is designed to simplify access to network resources by providing network administrators with the ability to add, modify, and remove both users and resources from a single, hierarchical database. There are many new concepts to learn, but if you keep in mind that its two main functions are to keep track of all the available network resources and to provide access only to authorized users, you'll have no trouble getting up to speed with Active Directory.

Active Directory is stored on Windows 2000 domain controllers. Only Windows 2000 Servers can be Windows 2000 domain controllers. One major change between Windows NT and Windows 2000 is that there are no primary or backup domain controllers on a Windows 2000 network. All Windows 2000 domain controllers are equal and replicate the Active Directory database using a virtual ring topology.

Terminology

The following terms relating to Microsoft Active Directory will be useful in understanding how Active Directory works. A solid understanding of the vocabulary will help make an abstract concept like Active Directory a lot easier to grasp:

Domain
A network of computers and related hardware that share a user database. This user database is replicated among all the domain controllers. The main benefits of a domain are centralized administration of network resources and a single user logon to access those resources, regardless of where the resources are physically located in the domain.

Organizational Unit (OU)
A tool for dividing domain resources into groups that match the actual structure of your business. For example, the Accounting Organizational Unit can contain the user accounts of employees in the accounting department, the folders that store financial data, the printers used for invoices, and the billing software. Permissions can then be granted to the OU as a whole.

Tree
A collection of Windows 2000 domains with two-way trust relationships. These domains share a common root domain, such as oreilly.com. Subdomains of the root domain are named in DNS dotted format, to the left of the root domain. Two examples of this naming scheme would be linux.oreilly.com and windows.oreilly.com.

Forest
A collection of two or more trees, each with its own root domain name. The trees in the forest automatically have transitive trust relationships. This means that if tree A trusts tree B and tree B trusts tree C, tree A automatically trusts tree C and vice-versa, without any separate trust relationships between A and C.

Site
A section of the network that has a fast enough TCP/IP connection to allow for efficient replication of files. Microsoft recommends a minimum of 512 Kbps for efficient replication. Because the main requirement is speed, a single site can span multiple domains or a domain can have multiple sites, depending on the network bandwidth available.

Object
Any individual component on the network, including files, folders, scanners, printers, tape backup devices, and even user accounts.

Container
An object that contains other objects is called a container. A folder that contains files would be a container because the folder is an object and its files are also objects.

Attribute
An object is described by its attributes. A file's attributes would include its name, size, location, and permissions.

Class
A way to describe objects within the Active Directory schema. A class is just the list of attributes that describe an object. Basically, the file object is the physical file itself. The file class is the logical definition of the file's properties, such as name, size, and location.

Schema
A list of what types of objects can be managed in the Active Directory database. The schema is made up of classes (definitions of objects) and attributes (containers for the descriptions of objects). The schema can theoretically be modified by a qualified programmer to customize and extend Active Directory to meet their individual needs.

Installing Active Directory

After you have at least one Windows 2000 Server up and running, you can get started with Active Directory. You'll need to do a bit of planning first. The best way to get started is to take an inventory of all the hardware and map out the physical network connections.

If all the network administration tasks are handled from one location, this process can be relatively simple. If you are configuring an Active Directory that spans multiple physical locations across WAN links, it will get quite complex.


IN THE REAL WORLD
When planning a network, you should always take a methodical approach and document everything you've done. There will come a day when another administrator will have to figure out what you've done after you've gone on to bigger and better things. Just remember . . . some day that other administrator will be you.

Planning

Every Windows 2000 domain and its Active Directory can consist of millions of objects. Instead of adding new domains for each location, you should consider breaking down a single large domain into Organizational Units (OU), which are covered in detail later in this chapter.

There are a few cases where multiple domains would be a better solution. If two locations have different Internet domain names, they'll probably want to keep their identities separate on the private portions of their networks, too.

If you have slow WAN connections between physical locations or very strict security requirements in a certain location, you probably want to use separate domains to reduce replication and authentication traffic across those links. Otherwise, keep it as simple as possible by using one domain.

Microsoft recommends that you register at least one domain name for your network from an official naming organization, like Network Solutions. You can choose to register a single domain name for use inside and outside a firewall, or you can register two separate domain names. There are advantages and disadvantages to both methods.

If you choose to use the same domain for the private portion of your network as you do for your Internet presence, you have to be very careful not to allow access to your private data from the public Internet. With the sheer number of security holes in all network operating systems, including Windows 2000, this can be a serious issue. Because of the additional security concerns, it is generally more complex to successfully manage a domain using this naming scheme.

If you choose to use a different domain name inside your network than you use for your Internet presence, it is much easier to figure out whether a resource is public or private. This makes the security a bit easier to manage.

Installation

If you've just finished installing Windows 2000 Server on the first computer in the domain and the Configure Your Server window is displayed, choose the Active Directory Installation Wizard. Otherwise, you can open the Configure Your Server window by choosing it from the Start → Programs → Administrative Tools menu.

When you begin the installation with the Active Directory Installation Wizard, you'll have the choice of creating a new domain controller for a new domain or adding a domain controller to an existing domain.

If you choose to create a new domain controller, you'll have the choice of either starting a new tree or joining an existing tree as a subdomain. Active Directory requires a DNS server to function properly. The Active Directory Installation Wizard allows you to make the current computer the DNS server during the installation process. Following is a description of the steps involved in running the wizard:

  1. Start the Active Directory Installation Wizard from the Configure Your Server dialog box. During the install, you'll have to click the Next button to move between screens.
  2. You'll see the Domain Controller Type screen. Here's where you'll have to choose to either create a domain controller for a new domain or add a domain controller to an existing domain. I'll assume you're starting from scratch and want to create a new domain.
  3. You'll see the Create Tree or Child Domain screen. Create a new tree.
  4. You'll see the Create or Join Forest screen. Create a new forest.
  5. You'll see the New Domain Name screen. Type your registered domain name in the Full DNS Name for New Domain box.
  6. For some reason, Microsoft didn't kill off NetBIOS completely, so the next screen you'll see will show you the shortened DNS domain name as a Domain NetBIOS name.
  7. You'll see the Database and Log Locations screen. You should see the path WINNT\NTDS.
  8. You'll see the Shared System Volume screen. You should see the path WINNT\SYSVOL.
  9. You'll get a warning screen about the need for a DNS server. Click OK, and the Configure DNS Wizard will start.
  10. Choose Install and Configure DNS on This Computer.
  11. You'll see the Permissions screen. Choose Permissions Compatible Only with Windows 2000 Servers.
  12. You'll see the Directory Services Restore Mode Administrative Password screen. Type in the password that will be required if you ever have to restore Active Directory.
  13. You'll see a report of all the choices you've made so far.
  14. After you've accepted the configuration, the wizard will actually start the configuration process. You'll see a progress bar, and it could take a few minutes to finish.
  15. You'll see the Completing the Active Directory Installation Wizard screen. Click Finish, then click Restart. When the computer reboots, you should be all set.

Verifying the Active Directory installation

There are a couple of quick tests to be sure that Active Directory and DNS are working. Look for the new domain you created in My Network Places. If you see your domain name, you should be okay. You can also look for your domain using the Active Directory Users and Computers MMC snap-in:

  1. Choose Start → Programs → Administrative Tools → Active Directory Users and Computers. The Users and Computers MMC snap-in is displayed, as shown in Figure 3-1.
  2. There should be a directory tree with your domain name listed; double-click it and it should expand.
  3. Double-click on Domain Controllers and be sure the name of the server you installed AD on is listed.

Figure 3-1. The Active Directory Users and Computers snap-in

If both of these tests work out well, your last step is to make sure DNS is set up properly. Windows 2000 has a built-in testing utility to make sure DNS is working. You should definitely try this before moving on:

  1. Choose Start → Programs → Administrative Tools → DNS.
  2. You should see the name of your server listed. Right-click and choose Properties, then choose the Monitoring tab.
  3. Click in the A Simple Query Against This DNS Server check-box. If you already have the server connected to other DNS servers, you can also choose the A Recursive Query to Other DNS Servers checkbox.
  4. Click on the Test Now button. In the results, you should see that the server passed the test or tests.

Configuring Active Directory

Managing Active Directory is usually handled through the Microsoft Management Console (MMC) and its snap-ins. You can pretty much right-click on any object to configure its properties. It's a good idea to wander around and explore all the snap-ins and the objects they manage.

Creating new objects is almost as easy. Most objects can be created using the pull-down menus in the MMC or through right-clicking on a container or parent object. If you follow along with all the step-by-step instructions in this chapter, you'll have a good idea of what day-to-day administration of Active Directory is like.

Creating Active Directory Components

Because every component in Active Directory is an object and most objects are managed through the MMC, you'll be using this tool several times a day, every day, if you manage an Active Directory environment.

As you add more and more objects to the Active Directory database, efficient replication of information on the network becomes more important. The best replication strategy is often divide and conquer.

Managing intersite replication

There are two main types of replication in Windows 2000, intrasite and intersite:

Intrasite replication
The replication of data within a single site

Intersite replication
The replication of data between two or more sites

Sites

Domain controllers need to pass information back and forth to keep network information up-to-date. Sites are used to maximize replication speed among domain controllers. You can have many sites in a single domain, or a single site can span multiple domains. The main requirement for a site is that the domain controllers have fast network connections to each other.

Sites replicate by informing their replication partners that they have a change. Because speed is the main consideration in setting up a site, this replication occurs whenever it is necessary and not after a default interval. If site replication traffic is bogging down your network, consider reconfiguring the sites or installing faster network connections.


IN THE REAL WORLD

Microsoft recommends at least a 512-Kbps connection between domain controllers in a site. Most LANs run at 10 or 100 Mbps. It's usually when you cross WAN links for replication that you'll have to be concerned with speed. Don't forget that you're sharing the WAN connection with a lot of other traffic.

After you've drawn a network map of all your domain controllers and determined the interconnectivity speeds, you can start adding replication sites. Use the following steps to add a new site:

  1. Choose Start → Programs → Administrative Tools → Active Directory Sites and Services. The Sites and Services Console is now displayed, as shown in Figure 3-2.
  2. Right-click on the Sites folder and choose New Site.
  3. You'll see the New Object--Site screen. Type in a name for the site.
  4. Choose a site link object from the list (which may contain only one choice) and click the OK button.
  5. Repeat the relevant steps until you've created site links for your entire network.

Figure 3-2. The Active Directory Sites and Services console

Subnets

TCP/IP networks are divided into smaller networks, called subnets, for easier management. Usually domain controllers on the same subnet or bordering subnets are part of the same site.

If you're already familiar with TCP/IP addressing, you can create your own subnets and start associating sites with your new subnets. You can create your own subnet using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.
  2. Double-click on the Sites folder.
  3. Right-click on the Subnets folder and choose New Subnet.
  4. You'll see the New Object--Subnet screen.
  5. Type in the IP address for the new subnet and the subnet mask, which will determine how many addresses are included in the subnet.
  6. You'll see a list of the existing sites; choose the site you want to associate with the new subnet.
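The subnet-to-site association above is what lets a domain controller work out which site it belongs to. The following Python example is added here to show the lookup the chapter describes and is not code from the book; the subnet and domain controller addresses are constructed for the demonstration, and the rule that the most specific (longest-prefix) subnet wins when subnets nest is an assumption stated in the code. It uses only the standard `ipaddress` module.

```python
import ipaddress

# Constructed sample data (not from the book): subnet objects as they would be
# entered in the New Object--Subnet dialog, and the site each is associated with.
SUBNET_TO_SITE = {
    "10.1.0.0/16": "Boston",
    "10.1.50.0/24": "Boston-Lab",          # a more specific subnet inside 10.1.0.0/16
    "10.2.0.0/16": "Chicago",
    "192.168.0.0/24": "Default-First-Site-Name",
}

def build_subnet_table(mapping):
    """Parse prefix strings once and order them longest prefix first."""
    table = []
    for prefix, site in mapping.items():
        # strict=True rejects an entry with host bits set (e.g. 10.1.0.5/16);
        # a subnet object needs a network address, not a host address.
        net = ipaddress.ip_network(prefix, strict=True)
        table.append((net, site))
    # Longest prefix first, so the most specific subnet wins when subnets nest.
    # (Assumed here to match how Active Directory resolves a DC's site.)
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table

def site_for_address(addr, table):
    """Return the site whose subnet contains addr, or None if nothing matches."""
    ip = ipaddress.ip_address(addr)
    for net, site in table:
        if ip in net:
            return site
    return None

def group_dcs_by_site(dc_addresses, table):
    """Map each domain controller (name -> address) to its site.

    Controllers whose address is outside every subnet land under None,
    which is the list of machines whose subnet still needs to be created."""
    groups = {}
    for name, addr in dc_addresses.items():
        groups.setdefault(site_for_address(addr, table), []).append(name)
    return groups

if __name__ == "__main__":
    table = build_subnet_table(SUBNET_TO_SITE)
    # Constructed DC addresses for the demonstration.
    dcs = {"DC1": "10.1.3.4", "DC2": "10.1.50.7", "DC3": "10.2.0.10", "DC4": "172.16.0.1"}
    for site, names in group_dcs_by_site(dcs, table).items():
        print(site, names)
```

A controller that shows up under `None` is the practical check worth running after you finish the steps above: it means no subnet object covers that machine, so it cannot be placed in a site.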

Site links

Before two or more sites can begin to replicate data, you have to establish a site link between them. After you've created at least two sites, you can set up a site link between them. If you need to, you can also add another DC to an existing site by adding another link to the site. Use the following steps to create a site link:

  1. Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.
  2. Double-click on the Inter-Site Transports folder. Right-click on the TCP/IP folder and choose New Site Link.
  3. You'll see the New Object--Site Link screen. Type a name for your new site link.
  4. Choose at least two sites and click the OK button.

IN THE REAL WORLD

If your domain doesn't have a dedicated connection to the Internet, you can choose SMTP instead of TCP/IP for the site link replication protocol. If you'd like to do this, you'll need an Enterprise CA, which is described in , and you'll have to run SMTP on all the domain controllers that connect to the site.

After you've created a site link, it's easy to add a new site to the existing link or remove a site from the link. Use the following steps to perform either function:

  1. Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.
  2. Double-click on the Inter-Site Transports folder. Right-click on the TCP/IP folder and choose Properties.
  3. Under the General tab, look inside the Sites Not in This Site Link box for the site you want to add to the site link.
  4. Choose the site you want to add, press the Add button, and then press OK.

If you have the opportunity to have multiple connectivity options between domain controllers in a site, such as an Ethernet connection and a RAS connection, you can set up a redundant site link.

In the case of a RAS and an Ethernet connection, the Ethernet connection would be much faster under almost any circumstances. You can assign a value to each connection, called a site link cost. Of the available site links, Windows 2000 will automatically use whichever link is cheapest. You can configure a site link cost by using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.
  2. Double-click on the Inter-Site Transports folder.
  3. Double-click on the TCP/IP folder.
  4. Right-click on the proper site link and choose Properties.
  5. You'll see the Site Link Properties screen.
  6. The default cost for all links is 100. Type in a new cost in the Cost box to reflect the priority of the link. The lower the cost, the higher the priority.

IN THE REAL WORLD

You can configure a set interval when sites should check for updates in the same place as you set the cost of the link. However, you'll have faster replication if the Ignore Schedules property is selected in the Inter-Site transport properties. Right-click on the Inter-Site Transports folder, choose Properties and make sure Ignore Schedules is selected.

Link bridges

If you add more than two sites to a site link, the costs of the individual connections are bridged. The entire site link is considered one connection, and the individual sites will automatically find each other for replication purposes. This assumes all the sites in a site link are using the same protocol (TCP/IP).

If you're using more than one connection protocol between sites in a site link or if the sites in a site link can't reach each other across the TCP/IP network because of a routing issue, you can manually create a bridge between sites.

If sites are all able to see each other, the site link is transitive. This should be the case unless you have very specific reasons for not configuring your network this way. If they need a site link bridge set up so they can replicate, the site link is referred to as intransitive.

You can set up a site link bridge by using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.
  2. Double-click on the Inter-Site Transports folder.
  3. Right-click on either the TCP/IP or SMTP folder and choose New Site Link Bridge.
  4. You'll see the New Object--Site Link Bridge screen. Type in a name for the new site link bridge.
  5. Choose at least two sites to add to the site link bridge and click the OK button.

IN THE REAL WORLD

If you have many intransitive sites and you don't want to manually configure site link bridges for them, you can select Bridge All Site Links from either the TCP/IP or SMTP properties in the Inter-Site Transports folder.
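The two rules in the last few pages, that the cheapest site link wins and that sites only replicate through other sites when their links are transitive (bridged), are easier to see in a small model than in the dialog boxes. The Python example below is added here and is not code from the book. The topology is constructed; the model assumes that every pair of sites in a site link is connected at that link's cost, that with Bridge All Site Links on every link is transitive with every other, and that with it off only links grouped in the same explicit site link bridge are transitive (a single link is always transitive within itself). It generalizes the book's two-link redundancy case to any number of links.

```python
import heapq
from itertools import combinations

# Constructed example topology (not from the book).
# link name: (member sites, cost). Lower cost means higher priority.
SITE_LINKS = {
    "Boston-Chicago-T1":  ({"Boston", "Chicago"}, 100),
    "Boston-Chicago-RAS": ({"Boston", "Chicago"}, 500),   # redundant dial-up link
    "Chicago-Denver":     ({"Chicago", "Denver"}, 200),
    "Denver-Seattle":     ({"Denver", "Seattle"}, 300),
}

def _adjacency(link_names, site_links):
    """Undirected weighted graph: every pair of sites in a link, at that link's cost."""
    adj = {}
    for name in link_names:
        sites, cost = site_links[name]
        for a, b in combinations(sorted(sites), 2):
            adj.setdefault(a, []).append((b, cost))
            adj.setdefault(b, []).append((a, cost))
    return adj

def _dijkstra(adj, src):
    """Cheapest total cost from src to every reachable site."""
    dist = {src: 0}
    heap = [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if d > dist.get(u, float("inf")):
            continue
        for v, w in adj.get(u, []):
            nd = d + w
            if nd < dist.get(v, float("inf")):
                dist[v] = nd
                heapq.heappush(heap, (nd, v))
    return dist

def replication_cost(src, dst, site_links, bridge_all=True, bridges=()):
    """Cheapest cost for src to replicate with dst, or None if there is no route.

    bridge_all: models the Bridge All Site Links setting (all links transitive).
    bridges:    explicit site link bridges, each a set of link names that are
                transitive with one another when bridge_all is False.
    """
    if bridge_all:
        groups = [set(site_links)]
    else:
        # An explicit bridge joins its links; a lone link still reaches its own sites.
        groups = [set(b) for b in bridges] + [{name} for name in site_links]
    best = None
    for group in groups:
        dist = _dijkstra(_adjacency(group, site_links), src)
        if dst in dist and (best is None or dist[dst] < best):
            best = dist[dst]
    return best

if __name__ == "__main__":
    print("Boston->Chicago, bridged:", replication_cost("Boston", "Chicago", SITE_LINKS))
    print("Boston->Seattle, bridged:", replication_cost("Boston", "Seattle", SITE_LINKS))
    print("Boston->Seattle, intransitive:",
          replication_cost("Boston", "Seattle", SITE_LINKS, bridge_all=False))
    explicit = [{"Boston-Chicago-T1", "Chicago-Denver"}]
    print("Boston->Denver via explicit bridge:",
          replication_cost("Boston", "Denver", SITE_LINKS, bridge_all=False, bridges=explicit))
```

With bridging on, Boston reaches Seattle through Chicago and Denver at 100 + 200 + 300; with bridging off and no explicit bridge, the same two sites have no replication path at all, which is the symptom you see when a bridge is missing.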

Bridgehead servers

Any domain controller can be used for intersite replication. If you have some domain controllers with particularly fast network connections, you can give them priority in the replication process. The server that will have the highest priority is called a bridgehead server.

If your network has a firewall between replicating sites, you'll have to specify a preferred bridgehead server to ensure replication is successful. The firewall proxy server can receive replication data and pass it to domain controllers inside the firewall.

You can have more than one bridgehead server for a site, but only one at a time will be considered the preferred bridgehead server. You can configure a preferred bridgehead server by using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Sites and Services.
  2. Right-click on the domain controller you want to make the preferred bridgehead server and choose Properties.
  3. You'll see the Domain Controller Properties screen. Look for the Transports Available for Inter-Site Data Transfer box.
  4. Choose the intersite transport or transports on the list that the DC will be a preferred bridgehead server for.
  5. Click the Add button and click OK.

Managing intrasite replication

Replicating data between domain controllers within the same site is called intrasite replication. Active Directory automatically creates a virtual ring topology to handle intrasite replication. A virtual ring isn't necessarily physically wired in the ring topology, but data is passed from one computer to the next in a set order.

Replication data is passed between the participating domain controllers in the same direction around the ring until a failure occurs. If a domain controller is unable to participate in the replication process, traffic is automatically routed around it and continues with the next available domain controller.

Active Directory will recognize if a domain controller is added to or removed from a site and automatically adjust the ring's topology. To ensure the best performance, Active Directory will periodically look for a more efficient way to pass data among the domain controllers in a site. If it finds one, the replication path is automatically updated.

Global catalog servers

The global catalog is a database of object attributes for the entire Active Directory forest. The global catalog is automatically initialized on the first domain controller in a forest. This computer is called the global catalog server.

The global catalog will contain all the attributes for every object in its own domain. For other domains in its tree and forest, it contains a partial list of the most frequently used attributes of the rest of the objects in the forest.

The two main purposes for the global catalog are to respond to requests for object information and to provide domain controllers with authentication information. When a program wants to open a file and the relevant information isn't provided by the local domain controller, that DC asks the global catalog server what the file's attributes are, such as: name, size, location, and permissions. Based on the results, the program can determine what to do next.

Users can log on from any computer in the forest, regardless of physical location. This is made possible because the global catalog server provides logon information to the local domain controller attempting to log the user on. If the global catalog server is down, users can only log on locally to computers for which they have the required permissions.

TIP: Members of the Domain Admins group can log on to the network regardless of whether or not the global catalog server is down.

Global catalog servers can generate a lot of network traffic because they have to constantly deliver information about every object in the forest whenever it's requested. Although it's a good idea to have multiple global catalog servers for both reliability and load balancing, be sure the server has a high-bandwidth connection.

Organizational Unit Structure

The best way to break down a Windows 2000 domain into manageable sections is through the Organizational Unit (OU) structure. Each unit can reflect the actual departmental breakdowns inside your organization. You can assign user accounts, folders, physical equipment, and any other object to a specific OU. You can then assign permissions to the OU. If a user switches departments, you can move them to the new OU and they will inherit the new OU's permissions.

Organizational Units are arranged in a hierarchy. This can start as a simple geographic breakdown and layer down into departments within each location. You can have as many layers as you'd like, but fewer layers make managing the OU proportionally easier.

Creating Organizational Units

You can create a different OU structure for every domain in the forest. The most logical way to design your OU structure is to match the real departments and jobs in your organization to each OU.

Because the OU structure is hierarchical, you can create a flowchart of the departments and use it as a map when creating an OU hierarchy. To create a new OU, use the following steps:

  1. Be sure you're logged on as an administrator. Choose Start → Programs → Administrative Tools → Active Directory Users and Computers.
  2. Choose to create either a new OU in the domain or a sub-unit of an existing OU.
  3. Choose Action → New → Organizational Unit.
  4. You'll see the New Object--Organizational Unit screen. Type a name for the OU and click on the OK button.
  5. Repeat the relevant steps until you've created a complete OU structure for your organization.

IN THE REAL WORLD

You can modify your OU structure at any time. However, it would be more efficient to take the time to map out which user accounts, folders, and equipment are needed for every department and create the OU structure all at once. If the framework is in place, the assignment of permissions becomes a lot easier.

Configuring Organizational Units

After you've taken the time to simulate the actual structure of your organization with an OU hierarchy, you can begin to customize each OU to fit the security and accessibility needs of your users. You can configure an OU by using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Users and Computers.
  2. Click the plus sign next to the proper domain name to see which Organizational Units are available.
  3. Right-click on the OU and choose Properties.
  4. Choose one of the three configuration tabs (General, Managed By, or Group Policy). These tabs are described in more detail in Table 3-1.
  5. Configure the OU and click the OK button when you're finished.

TIP: There will be simulation questions that will require you to navigate through configuration dialog boxes. Before taking any of the Windows 2000 exams, you should try to go through every dialog box in Windows 2000 at least once, paying close attention to the MMC.

Table 3-1: Organizational Unit Properties (each tab, followed by its available properties and their uses)

General
Contains a general description and geographical location. Filling in these properties accurately is useful when doing a keyword search for Organizational Units.

Managed By
Contains the contact information for the department head of the OU. Keeping these properties up-to-date will make contacting a user easier if there is a security or maintenance problem with his or her account.

Group Policy
Contains information about the Group Policies assigned to the OU. This information will make the future assignment of policies to similar Organizational Units easier.

Managing Active Directory Objects

Because Active Directory can hold millions of objects, the task of managing all of them can become quite daunting. The best way to deal with all the objects is to name them consistently, store them in Organizational Units, and assign policies and permissions to groups of objects, rather than individually.

Active Directory object naming conventions

Every object in the Active Directory database has at least one unique name to separate it from every other object. To manage all the different types and locations of objects, a few related naming schemes are used in Active Directory. They're all fairly straightforward, so you should have no trouble using them.

Underneath all the descriptive names an object may have, a unique 128-bit number, called a globally unique identifier (GUID), is permanently associated with every object. This number remains constant for the life of the object, regardless of other changes to the object's name or location.


IN THE REAL WORLD
Unlike Windows NT's security identifier (SID), which was domain-specific, Windows 2000's GUID reaches across all domains in the Active Directory forest. This means that the GUID doesn't change if you move an account from one domain to another within the forest. In the registry, a GUID might look like the following: {2cecfa7b-9316-11d4-bf01-004005a3ae74}.

DNS allows people to assign memorable names to computers that are really identified by unique 32-bit IP addresses. The same is true for Active Directory, which allows a user-friendly distinguished name (DN) to be mapped to the GUID. It would be difficult to remember a long GUID like the above sample, but it's easier to remember an account name like kirtb or a folder called payroll.

A distinguished name includes not only the user-friendly name of the individual object, called a common name (CN), but its entire path in the directory. This path can consist of a domain component (DC) (like oreilly.com), several hierarchical Organizational Unit (OU) names (like employees and its subdivision, editors), and, finally, the user-friendly portion of the distinguished name. So, the entire DN might look like: oreilly.com/employees/editors/katie. If Katie decided to work in the production department for a few months, her account's DN would change, but the underlying GUID would remain the same.

If two objects have the same common name, it's not a problem so long as they're in different Organizational Units. Their distinguished names would be different because the OU portion of their paths wouldn't be the same.

There is one other type of name, called a user principal name (UPN). It's a user-friendly name, usually comprised of part or all of a user's real name. This type of naming scheme is often used for email addresses. These must be unique to the domain to avoid confusion.
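The naming rules above, worked through as an added example that is not part of the book: a small model in which each object keeps a fixed GUID while its distinguished name is rebuilt from its current location, so a move changes the DN only. It goes one step beyond the text by also producing the LDAP form of the DN (CN=, OU=, DC= components) from the slash-separated canonical form the chapter uses; the Directory class and its method names are invented for the illustration.

```python
import uuid


def canonical_to_dn(canonical):
    """Turn a canonical name such as 'oreilly.com/employees/editors/katie' into
    an LDAP distinguished name. The first element is the domain (one DC= per
    label), the middle elements are OUs, and the last is the object's CN."""
    parts = canonical.split("/")
    if len(parts) < 2:
        raise ValueError("a canonical name needs at least a domain and an object name")
    domain, *ous, cn = parts
    rdns = [f"CN={cn}"]
    rdns += [f"OU={ou}" for ou in reversed(ous)]      # innermost OU comes first
    rdns += [f"DC={label}" for label in domain.split(".")]
    return ",".join(rdns)


class Directory:
    """Toy directory (hypothetical, not an AD API): each object keeps a fixed
    GUID; its DN is derived from wherever the object currently lives."""

    def __init__(self):
        self._objects = {}   # guid -> (container canonical path, common name)

    def dn_of(self, guid):
        container, cn = self._objects[guid]
        return canonical_to_dn(f"{container}/{cn}")

    def _dn_in_use(self, dn):
        # Directory names are matched case-insensitively.
        return any(self.dn_of(g).lower() == dn.lower() for g in self._objects)

    def create(self, container, cn):
        """Same CN in a different OU is fine; same CN in the same OU is a clash."""
        dn = canonical_to_dn(f"{container}/{cn}")
        if self._dn_in_use(dn):
            raise ValueError(f"an object named {dn} already exists")
        guid = "{" + str(uuid.uuid4()) + "}"   # 128-bit id, registry-style braces
        self._objects[guid] = (container, cn)
        return guid

    def move(self, guid, new_container):
        """Moving changes only the DN; the GUID key is untouched."""
        container, cn = self._objects[guid]
        target = canonical_to_dn(f"{new_container}/{cn}")
        if self._dn_in_use(target):
            raise ValueError(f"cannot move: {target} already exists")
        self._objects[guid] = (new_container, cn)
        return target


if __name__ == "__main__":
    d = Directory()
    katie = d.create("oreilly.com/employees/editors", "katie")
    print(katie, d.dn_of(katie))
    d.create("oreilly.com/employees/marketing", "katie")   # same CN, different OU
    print(d.move(katie, "oreilly.com/employees/production"))
```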

Creating accounts

There are two major types of user accounts in a Windows 2000 network, local user accounts and domain user accounts. Both types of accounts are objects in the Active Directory environment:

Local user account
Grants access to resources that are on the local computer where the account was created

Domain user account
Grants access to resources throughout the entire network, as long as trust relationships exist between domains

You can set up local user accounts on computers that aren't yet connected to the rest of the network or on mobile systems, which are often used without a network connection, yet still need some form of security. When you create a local user account, the password is stored only on the local computer.

Most of the time, the best solution is to create a domain user account. This will allow the greatest flexibility in accessing resources. To take full advantage of domain user accounts in Active Directory, you should store user accounts within an OU.

As long as you are logged in as an administrator for the local machine, you can create a new local user account by using the following steps:

  1. Choose Start Right Arrow Programs Right Arrow Administrative Tools Right Arrow Computer Management. This opens the MMC snap-in shown in Figure 3-3.
  2. Click the plus sign next to the Local Users and Groups snap-in.
  3. Right-click on Users and select New User.
  4. You'll see the New User screen. Configure the account with a username, password, and whatever other details you need.

Figure 3-3. The Computer Management MMC snap-in

As long as you are logged in as an administrator for the domain, you can add a new domain user account by using the following steps:

  1. Choose Start Right Arrow Programs Right Arrow Administrative Tools Right Arrow Active Directory Users and Computers.
  2. Double-click on the correct domain and right-click on Users.
  3. Choose New and then choose User.
  4. You'll see the New Object--User screen. Be sure to fill in both the User Logon and User Logon Name (pre-Windows 2000), if the user will be logging into the domain from any version of Windows other than 2000.
  5. Click the Next button and configure the password and password options.
  6. Click the Finish button.

Locating objects

All objects have descriptive properties, called attributes. When you search for an object, you'll really be searching for one or more of the object's attributes that make it unique in the network. Some common attributes are: Name, Organizational Unit, and Description.


IN THE REAL WORLD
Despite the obvious security hole it creates, many network administrators use the same password or an insecure pattern of passwords when configuring new user accounts. It's a good idea to check the User must change password at next logon option during the password configuration portion of account creation. The first time a new user logs on, they will be forced to choose a new password instead of keeping the administrator-assigned one.

There is a tool called Find to help you search for objects in the Active Directory. If you've used an Internet search engine, you'll be prepared for using the Find program. You can start Find by using the following steps:

  1. Choose Start Right Arrow Programs Right Arrow Administrative Tools Right Arrow Active Directory Users and Computers.
  2. Right-click on the smallest container you think might contain your object and choose Find.
  3. You'll see the Find Users, Contacts and Groups screen. Fill in whatever you know about the object and click the Find Now button.


IN THE REAL WORLD
You'll probably want to create shortcuts to frequently used tools, like Find. Usually, you can right-click on an object and create a shortcut.

Moving objects

You can either move objects within a domain or between domains. There are different rules that apply to each type of move. Moving objects within a domain is far less complex and error prone. You can move an object within a domain by using the following steps:

  1. Choose Start Right Arrow Programs Right Arrow Administrative Tools Right Arrow Active Directory Users and Computers.
  2. Highlight the object you want to move and choose Action Right Arrow Move.
  3. Choose the destination OU and click the OK button.

There are only a few simple rules for moving an object within a domain:

You can also move objects between domains. The best way to do this is by using the MOVETREE program, which is included on the Windows 2000 installation media. It can be used to move just about any object, with a few notable exceptions, like system objects and domain controllers. Common objects, like users, groups, files, and folders, can be moved easily between domains. MOVETREE is a command-line program with many options, which are described in Table 3-2.

Table 3-2: MOVETREE Command Options

  Option          Description
  /?              Brings up the MOVETREE help file
  /check          A trial run that tests the move without actually moving the objects
  /continue       Continues a paused or stopped MOVETREE operation
  /start          Runs a check operation and then actually performs the move
  /startnocheck   Executes the move operation without performing a check
  /verbose        Reports progress during the move operation (useful for both troubleshooting and learning about what's happening)

Publishing Resources

Users will look in the Active Directory for all the resources that are available to them on the network. Some items, such as a Windows 2000 network printer, are visible in the directory automatically, just by physically installing them on the network. Other items, like shared folders and user accounts, have to be published by a network administrator to be seen in the Active Directory.

Different types of objects are published in different ways. Most common items, such as user accounts, shared folders, and legacy NT printers, are published using the Active Directory Users and Computers snap-in. The most common item you'll probably have to publish is a shared folder. Use the following steps to publish a shared folder in the Active Directory:

  1. Choose Start Right Arrow Programs Right Arrow Administrative Tools Right Arrow Active Directory Users and Computers.
  2. Choose the domain you want the shared folder to be in.
  3. Right-click on the container you want to hold the folder.
  4. Choose New Right Arrow Shared Folder.
  5. You'll see the New Object--Shared Folder screen. Fill in a name for the folder and type the UNC path that you want the shared folder to point to.

Securing Resources

The most flexible way to secure resources in a Windows 2000 network is through permissions. Permissions describe which actions are available to a user or group. There are several types of permissions that can be assigned. The five most common permissions are described in Table 3-3.

Table 3-3: Windows 2000 Permissions

  Permission                 Function
  Read                       View an object and its properties, such as its owner and permissions, without changing them
  Write                      Modify an object without changing its owner or permissions
  Full Control               Includes Read and Write permissions and adds the ability to modify, delete, take ownership, and change permissions
  Create All Child Objects   Add any object to an Organizational Unit
  Delete All Child Objects   Remove any object from an Organizational Unit

Windows 2000 stores permission information for every object in a file called the Access Control List (ACL). This ACL is the same file that is used to store NTFS permissions. Active Directory will automatically recognize NTFS permissions and use the Windows 2000 equivalents.

It is easier to assign permissions to groups of users, rather than to each individual user. A user's permissions will be a combination of their individual permissions plus any permissions assigned to any group the user belongs to. Permissions can be either granted or denied on an object-by-object basis.


IN THE REAL WORLD
A user can belong to many groups. The denial of a permission in any of the user's groups will deny the user permission regardless of other permissions, including Full Control.

Because Active Directory lists all the objects in one hierarchical directory and permissions can be inherited, assigning permissions is a straightforward process in Windows 2000. Most permissions can be assigned by using the following steps:

  1. Choose Start Right Arrow Programs Right Arrow Administrative Tools Right Arrow Active Directory Users and Computers.
  2. Choose View and make sure Advanced Features is selected.
  3. Click once on the object you want to assign permissions for.
  4. Choose Action Right Arrow Properties, then choose the Security tab.
  5. Click on the Add button, choose the group you're assigning permissions for, and then place checkmarks in either the Allow or Deny boxes for the desired permission.

The five permissions discussed in Table 3-3 are called standard permissions. These are used most often. If you need to control access in a more specific way, there are many more permissions available, called special permissions. If you'd like to see the special permissions for an object, follow the first four steps listed earlier and continue on with the following steps:

  1. In the Security tab, click the Advanced button.
  2. You'll see the Access Control Settings screen. Choose the object you want to modify and click the View/Edit button.
  3. Add or remove checkmarks for the appropriate special permissions.


IN THE REAL WORLD
When you assign permissions, you can choose to make any child object of the existing object automatically inherit its parent's permissions. This can greatly reduce the amount of work needed to secure a directory structure.
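The two rules the text gives for working out what a user can actually do (permissions accumulate across the user's groups, and a Deny in any group wins even against Full Control; inheritance from the parent can be switched on or off per object) can be modelled in a few lines. This is an added example, not code from the book or from Windows, and it follows the book's simplified rule only: it does not reproduce the finer precedence of real Windows ACL ordering. The Ace and AdObject classes are invented for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# The five standard permissions from Table 3-3.
STANDARD = ("Read", "Write", "Full Control",
            "Create All Child Objects", "Delete All Child Objects")


def expand(permission):
    """Full Control includes everything in the table; the others stand alone."""
    return set(STANDARD) if permission == "Full Control" else {permission}


@dataclass
class Ace:
    trustee: str       # user or group name the entry applies to
    permission: str    # one of STANDARD
    allow: bool        # True = Allow box checked, False = Deny box checked


@dataclass
class AdObject:
    name: str
    aces: list = field(default_factory=list)
    parent: Optional["AdObject"] = None
    inherit: bool = True   # take the parent's entries (and what the parent inherits)

    def applicable_aces(self):
        """Own entries plus inherited ones, walking up while inheritance is on."""
        aces = list(self.aces)
        obj = self
        while obj.inherit and obj.parent is not None:
            obj = obj.parent
            aces.extend(obj.aces)
        return aces


def effective_permissions(obj, user, groups):
    """Union of everything allowed to the user or any of their groups, minus
    anything denied to the user or any group: a single Deny wins, even
    against Full Control granted elsewhere."""
    trustees = {user, *groups}
    allowed, denied = set(), set()
    for ace in obj.applicable_aces():
        if ace.trustee in trustees:
            (allowed if ace.allow else denied).update(expand(ace.permission))
    return allowed - denied


if __name__ == "__main__":
    # Constructed sample: an OU grants Editors Full Control but denies Contractors Write.
    editors_ou = AdObject("OU=editors", aces=[Ace("Editors", "Full Control", True),
                                              Ace("Contractors", "Write", False)])
    katie = AdObject("CN=katie", parent=editors_ou)
    print(sorted(effective_permissions(katie, "kirtb", {"Editors"})))
    print(sorted(effective_permissions(katie, "kirtb", {"Editors", "Contractors"})))
```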

Delegating administrative control

An efficient Active Directory Organizational Unit structure will closely mirror the company's departmental structure. To ensure security throughout the network, many tasks, such as backing up or deleting files, can only be performed with the administrator's account. To make an OU run more efficiently, permissions usually assigned only to an administrator can be delegated to a departmental manager.

This will allow departments to work much more independently and quickly, without a major change to the level of security. As long as each manager can be trusted and protects their account, there is no downside to shifting some administrative control to local managers.

Windows 2000 allows you to individually assign permissions to each object in the Active Directory. However, it is often easier to manage permissions if they are assigned to an OU, rather than an individual, or to a folder, rather than a file. You can distribute control by using the Delegation of Control Wizard.

The wizard will walk you through giving a user or group of users permission to perform tasks or control objects that they wouldn't normally have access to. You can start the wizard by choosing Start Right Arrow Programs Right Arrow Administrative Tools Right Arrow Active Directory Users and Computers. Select the object you want to delegate control for and choose Action Right Arrow Delegate Control.


IN THE REAL WORLD
You may want to delegate control of such objects as a printer or database server to a competent manager who may need to perform mundane, but time-constrained, operations to it without the intervention of a system administrator.

Group Policies

Most companies have several departments, and each department requires its users to use a specific group of programs. The accounting department will use billing software, and technical support will use a database to keep track of service requests. You can customize each department's Windows desktop to reflect their individual needs by assigning Group Policies.

Implementing a Group Policy

Group Policies are used for both convenience and security. Before you actually start creating Group Policies, you should take an inventory of which programs each department or OU will need to have available and any other settings they'll need.

Creating a Group Policy Object (GPO)

A Group Policy Object is the container that stores the Group Policy settings. There are two types of Group Policy Objects, local and non-local:

Local GPO
Every Windows 2000 computer has one local GPO to store its default settings, regardless of whether or not it is connected to a Windows 2000 network.

Non-local GPO
These are applied to either users or computers and take precedence over a computer's local GPO. Non-local GPOs can control settings on a domain, OU, or site level. Permissions are cumulative.

There is a Group Policy snap-in for the Microsoft Management Console. You can access the snap-in in several different ways, depending on which type of GPO you want to configure. Use the information in Table 3-4 to determine the best way to open the Group Policy snap-in.

Table 3-4: Group Policy Snap-In

Local GPO for the current computer
In the MMC, choose Console Right Arrow Add/Remove Snap-In. Click on the Standalone tab, and press Add. Then click on Group Policy, Add and be sure the local computer is visible. Click Finish, Close, OK.

Local GPO for a remote computer
Same as above, except instead of looking for the local computer, browse the network for the remote computer.

Non-local GPO for an OU or a domain
Choose Start Right Arrow Programs Right Arrow Administrative Tools Right Arrow Active Directory Users and Computers. Right-click on the OU or domain, choose Properties, and click on the Group Policy tab. Choose either New for a new GPO or Edit to modify an existing GPO.

Non-local GPO for a site
Choose Start Right Arrow Programs Right Arrow Administrative Tools Right Arrow Active Directory Sites and Services. Right-click on the site, choose Properties, and click on the Group Policy tab. Choose either New for a new GPO or Edit to modify an existing GPO.

Group Policies apply to either a computer's settings or a user's settings. Computer configuration settings apply to the physical machine regardless of which user is logged in to it. User configuration settings apply to the user and roam with the user to any computer they log in to on the network. There are three main types of settings that can apply to either computer or user configuration settings: Administrative Templates, Software Settings, and Windows Settings.

Administrative Templates

Administrative Templates contain policy settings for network configuration, logon and logoff settings, and several Windows programs, such as Internet Explorer, MMC, and the task scheduler. These can apply to both the user and the computer.

Some settings will apply to only the computer or only the user. Settings that apply only to the computer include: disk quotas, DNS settings, and printers. Settings that apply only to the user include modifications to the Control Panel, desktop, Start menu, and taskbar. There are more than 400 settings that are controlled by Administrative Templates.

Software Settings

Software Settings control how software is installed. These settings can provide a framework for third-party vendors to determine how their software is installed in Windows 2000. By default, Software Settings only control software installation issues; after software is installed, it can be controlled by other Group Policies that apply to a domain, an OU, or a site.

There are two ways to manage applications after they are installed in an Active Directory environment. A program can be assigned to a computer or published to a group of users:

Assigning a program
A program can be assigned to a particular computer or group of computers. This will allow users with access to the computer(s) to run the program.

Publishing a program
A program can be published to a user or group of users. These users will have access to the program.

Windows Settings

Windows Settings are divided into two groups, scripts and security. These settings apply to both user and computer settings. There are two types of scripts, logon/logoff and startup/shutdown:

Startup/shutdown
Run when the computer is booting up or shutting down

Logon/logoff
Run when a user is logging on or off of the computer


IN THE REAL WORLD
A computer can have multiple scripts that need to execute. There is a default time limit of 10 minutes for all scripts to finish executing. This can cause problems if either the logoff or shutdown script doesn't have time to finish. You can increase the timeout with a software policy.

The security settings portion of the Group Policy Windows Settings can be used as an alternative to using an Administrative Template. These settings can be applied to local and non-local GPOs. Windows Settings that apply only to users include policy settings for folder redirection, Internet Explorer maintenance, and Remote Installation Services.

Modifying Group Policy inheritance

In Active Directory, there is a hierarchical structure for all objects. A parent container, such as a folder, can have child containers, such as subfolders. Group Policies are inherited by default, but there are a few exceptions. A setting specifically applied to a child object overrides only that particular inherited setting. Other settings that were inherited remain in place. Different types of objects can have different types of settings, so only mutual categories of settings can be inherited.

Filtering Group Policy settings with security groups

Multiple Group Policies can be assigned to a particular domain, OU, or site. Security settings are cumulative, so by applying the correct permissions to security groups, you can control access in a layered fashion.
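The inheritance and filtering behaviour described in the last two sections, as an added example that is not from the book: settings are merged in processing order (local GPO first, then site, domain and OU, which is the standard Windows 2000 order), a GPO linked lower down overrides only the keys it sets, and a GPO filtered to a security group is skipped for users outside that group. The Gpo class, the setting names and the group names are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Gpo:
    name: str
    settings: dict                                    # setting name -> value
    filter_groups: set = field(default_factory=set)   # empty set = applies to everyone

    def applies_to(self, groups):
        """Security-group filtering: an empty filter means no restriction."""
        return not self.filter_groups or bool(self.filter_groups & set(groups))


def effective_settings(local_gpo, levels, groups):
    """Merge settings in processing order: the local GPO first, then each level
    in `levels` (site, domain, OU, child OU ...). A later GPO overrides only
    the keys it sets; every other inherited setting stays. Returns the merged
    settings and, for each key, the name of the GPO that supplied it."""
    result, source = {}, {}
    order = [[local_gpo]] if local_gpo else []
    for level in order + list(levels):
        for gpo in level:              # within one level, later links win
            if not gpo.applies_to(groups):
                continue
            for key, value in gpo.settings.items():
                result[key] = value
                source[key] = gpo.name
    return result, source


if __name__ == "__main__":
    # Constructed sample hierarchy for the oreilly.com domain.
    local = Gpo("Local", {"HideControlPanel": False, "ScriptTimeoutMinutes": 10})
    site = [Gpo("SiteDefault", {"DnsSuffix": "oreilly.com"})]
    domain = [Gpo("DomainSecurity", {"MinPasswordLength": 8, "HideControlPanel": False})]
    ou = [Gpo("AccountingDesktop", {"HideControlPanel": True, "AssignedApp": "Billing"},
              filter_groups={"Accounting"})]
    merged, came_from = effective_settings(local, [site, domain, ou], {"Accounting"})
    for key in sorted(merged):
        print(f"{key} = {merged[key]!r}  (from {came_from[key]})")
```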

DNS for Active Directory

Domain Name Service (DNS) is the naming scheme used on the Internet. Windows 2000 abandons the NetBIOS naming scheme used in previous versions of Windows, replacing it with the standard DNS system. You're probably already familiar with the DNS dotted name format. An example would be www.oreilly.com.

The top-level domain in this address is "com," meaning it is a commercial enterprise. Top-level domain names like com, gov, edu, and org are shared by many domains. The second-level domain is the unique descriptive name, "oreilly." The final part of this fully qualified domain name (FQDN) is the hostname, "www."


IN THE REAL WORLD
Since the early days of the Internet, people have named their computers by the method that they could use to exchange information. If the computer at oreilly.com was a File Transfer Protocol (FTP) server, it would be named ftp.oreilly.com. If the computer was a web server, it would be named www.oreilly.com. Current computers are powerful enough to host multiple servers and can accommodate multiple names and IP addresses on a single machine.

The FQDN can also accommodate extra names if a subdomain is involved. If there were a computer named "elephant" in the animals subdomain of the oreilly.com root domain, the FQDN of the elephant computer would be elephant.animals.oreilly.com.

The naming scheme for DNS is called a namespace. There are two types of DNS namespaces, contiguous and disjointed. All the names in a contiguous namespace share the same name for at least one level of the FQDN. An example of a contiguous namespace is an Active Directory tree and its subdomains. The oreilly.com tree has subdomains of linux.oreilly.com and windows.oreilly.com.

Domains in a disjointed namespace, such as an Active Directory forest, are part of the same network, but have different domain names. A theoretical example would be the Ford Motor Company forest. Both Jaguar and Volvo are distinct parts of the Ford Motor Company. Computers in various locations of the forest may have totally different names.

Within the disjointed namespace, there could be some contiguous namespaces for local dealerships, like dallas.ford.com and austin.ford.com. There could also be disjointed namespaces like sales.jaguar.com, service.volvo.com, and www.ford.com. All of these computers are still part of the same forest and can have two-way transitive trust relationships, but because at least some part of the namespace is disjointed, the forest itself is a disjointed namespace.


IN THE REAL WORLD
When you attempt to connect to a computer via Telnet or FTP, unless you know the computer's Internet Protocol (IP) address, you'll probably have to use the FQDN. If you frequently connect to computers in a few domains and don't want to type the FQDN, you can add these domains to the Append these DNS suffixes list in your network configuration, and Windows 2000 will attempt to find the hostname in each of the listed domains. Typing ping books a few times a day is easier than having to type ping books.oreilly.com.

Installing and Configuring DNS

A computer that stores the database of domain names and their Internet Protocol (IP) addresses is called a name server. Active Directory requires at least one name server, but having multiple name servers will improve both reliability and speed of finding resources on the network.

Another way of improving your DNS system is to divide your namespace into zones. Each zone, or subdivision, would have its own name server. This can help distribute administrative tasks among locations in the Active Directory forest.

DNS zones

A DNS namespace can be divided into zones for more efficient management. There are a couple of simple rules that govern how a namespace can be divided into zones:

A namespace like oreilly.com cannot be divided up into one zone for the root domain (oreilly.com) and another for all the subdomains (linux.oreilly.com, windows.oreilly.com, and so on). The problem would be that the linux and windows subdomains taken by themselves aren't a contiguous namespace. They're only contiguous when included with their oreilly.com root domain.

Integrating DNS zones

Every name server covers at least one zone, called its primary zone. In addition to the primary zone, if multiple name servers are used, a name server can contain a backup copy of other name servers' primary zones. This redundancy helps make DNS a very reliable naming system.

When one name server automatically queries another for a copy of its primary zone, the first name server sends a copy of the zone database file in a process called a zone transfer. By strategically placing name servers on different subnets, you can reduce lookup traffic on the network. The zone transfers cause traffic, so be sure to configure the zone transfers between areas of the network that will often share resources. Otherwise, you'll be generating needless traffic between the subnets.

Dynamic updates

Windows 2000 DNS servers can automatically synchronize zone information using a process called Dynamic Domain Name Service (DDNS). Whenever an IP address or hostname changes, the DDNS service makes sure that the zone database is updated.

DNS replication

The zone database is stored on at least one computer called the primary name server. To improve speed and reliability, you can host copies of the zone database on multiple backup name servers. Data within the zone file is updated automatically with DDNS. The primary name server can distribute updates out to the backup name servers in a process called a zone transfer. When a computer is first configured as a backup name server, the entire zone database must be copied using a full zone transfer. Subsequently, as changes are made to the zone database, only the changed data needs to be replicated. Partial replication of the changes to a zone database file is called an incremental zone transfer.

If the DNS zone file is stored in the Active Directory and all the name servers are also configured as part of the Active Directory, data transfer will be automatically handled by AD. If not, you can manually configure the name servers to replicate the zone file on a push basis using a process called DNS notification.

The DNS zone file maintains a serial number to keep track of which version of the database is current. Whenever there is a change to the zone database, the serial number is also modified, triggering the notification and subsequent replication of the zone file by the backup name servers.
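The serial number, notification and full-versus-incremental transfer behaviour of the last two sections, as an added example that is not from the book or from the Windows 2000 DNS service: a dynamic update bumps the serial and records the delta, and after notification the backup server pulls a full copy on first load (or when its serial cannot be matched against the journal) and only the changed records otherwise. The class names, the journal mechanism and the sample hosts and addresses are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class PrimaryZone:
    name: str
    serial: int
    records: dict = field(default_factory=dict)   # hostname -> IP address
    journal: list = field(default_factory=list)   # (serial after change, host, old, new)
    journal_base: int = field(init=False)         # serial the journal starts from

    def __post_init__(self):
        self.journal_base = self.serial

    def update(self, host, ip=None):
        """A dynamic (DDNS) update: change the record, bump the serial and log
        the delta so backups can pull just the change. ip=None deletes the host."""
        old = self.records.get(host)
        if old == ip:
            return self.serial                     # nothing changed, serial untouched
        if ip is None:
            del self.records[host]
        else:
            self.records[host] = ip
        self.serial += 1
        self.journal.append((self.serial, host, old, ip))
        return self.serial


@dataclass
class SecondaryZone:
    serial: Optional[int] = None                   # None = never loaded
    records: dict = field(default_factory=dict)


def notify_and_transfer(primary, secondary):
    """What happens after a DNS notification: the backup compares serials and
    pulls the smallest transfer that brings it current. Returns (kind, count)."""
    if secondary.serial == primary.serial:
        return "none", 0
    can_incremental = (secondary.serial is not None
                       and primary.journal_base <= secondary.serial < primary.serial)
    if not can_incremental:
        # First load, a backup ahead of the primary (e.g. primary restored from
        # an old backup), or changes older than the journal: copy the whole zone.
        secondary.records = dict(primary.records)
        secondary.serial = primary.serial
        return "full", len(primary.records)
    sent = 0
    for serial_after, host, _old, new in primary.journal:
        if serial_after <= secondary.serial:
            continue                               # backup already has this change
        if new is None:
            secondary.records.pop(host, None)
        else:
            secondary.records[host] = new
        sent += 1
    secondary.serial = primary.serial
    return "incremental", sent


if __name__ == "__main__":
    # Constructed sample zone; YYYYMMDDnn is a common serial convention.
    primary = PrimaryZone("oreilly.com", serial=2001020101,
                          records={"www": "10.0.0.5", "ftp": "10.0.0.6"})
    backup = SecondaryZone()
    print(notify_and_transfer(primary, backup))    # first load: full transfer
    primary.update("books", "10.0.0.7")
    primary.update("ftp")                          # host retired
    print(notify_and_transfer(primary, backup))    # only the two changes move
    print(backup.serial, backup.records)
```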

Monitoring DNS

You can monitor DNS activity in a couple of different ways. You can keep an event log for DNS and view the results in the Event Viewer or set up more stringent debugging options. Troubleshooting DNS is covered in greater detail in the "Troubleshooting DNS" section at the end of this chapter.

Directory Maintenance and Replication

A good network administrator knows that thoroughly planning a network before actually implementing it will save a tremendous amount of time and effort in the long run. An experienced network administrator knows that no matter how well you plan a network, the network will have to be changed to meet the ever changing needs of its users.

The three main tasks you'll have to perform are: adding a new server, moving a server to a new replication site, and removing a server from the network. Because hardware is constantly improving, adding new servers or consolidating tasks performed by a few less powerful servers on a new server is commonplace. This type of activity can occur quite frequently if your company is growing rapidly.

Creating a Server Object

Everything in Active Directory is an object. In the case of a server, a server object is the logical representation of the physical machine in the hierarchical AD database. When you install a new server, you'll have to add it to the Active Directory using the following steps:

  1. Choose Start Right Arrow Programs Right Arrow Administrative Tools Right Arrow Active Directory Sites and Services.
  2. Double-click on the site you would like to add the server to.
  3. Right-click on the Servers folder and choose New Right Arrow Server.
  4. You'll see the New Object--Server screen. Type in a name for the new server and click the OK button.

Moving Server Objects Between Sites

Sites are areas of the network that have high interconnectivity bandwidth. They're used to divide up replication traffic in the most efficient way possible. When you start to change the number or types of servers on a network, you may have to move servers to other sites to maintain those high-speed connections.

Sometimes you need to change the replication site a server is currently a member of. You can do this by using the following steps:

  1. Choose Start Right Arrow Programs Right Arrow Administrative Tools Right Arrow Active Directory Sites and Services.
  2. Right-click on the server you'd like to move and choose Move.
  3. You'll see a list of available sites. Choose the site you want to move the server to and click the OK button.


IN THE REAL WORLD
When you replace a few slower servers with a higher capacity server, traffic on that part of the network can increase exponentially. Be sure that your new servers are on sites that can handle the increased traffic. You may have to create new sites or modify the physical layout of your network to maintain or improve speed.

Removing a Server Object

Hardware becomes obsolete fairly quickly. It's not that three-year-old servers become unusable, but time is money, so it's often your job to weed out slower machines.


IN THE REAL WORLD
Windows NT and 2000 have relatively high hardware requirements to run at peak performance. If the older servers have compatible hardware, they can sometimes be recycled using the free operating system Linux. Interoperability between Windows and Unix-based systems is increasing, and these older servers can be used for many worthwhile tasks on a primarily Windows 2000-based network.

Assuming you want to permanently remove a server, use the following steps to delete the server object from the Active Directory:

  1. Choose Start Right Arrow Programs Right Arrow Administrative Tools Right Arrow Active Directory Sites and Services.
  2. Right-click on the server object you'd like to permanently remove and choose Delete.
  3. Confirm that you want to do this by pressing the Yes button.


IN THE REAL WORLD
If a server object needs to be removed temporarily, the NTDS Settings object for that server should be removed. When the server is brought online again, these settings are automatically restored.

Active Directory Replication

In most network environments, significant and frequent changes are made to the files, folders, user accounts, and equipment. Active Directory has to share these changes with all its domain controllers. Synchronizing this information across the entire enterprise can be a huge amount of work. To make this task as efficient as possible, the method of replication is specialized to the particular situation. Active Directory supports two main types of replication:

Single-master replication
To prevent possible conflicts, one computer stores a master copy of the data and the replicating computers store a backup. This is a one-way process.

Multi-master replication
Multiple computers store, send, and accept replication data at various times simultaneously around the network.

Operations master roles

Single-master replication is organized into five distinct tasks, called operations master roles. Some of the roles involve single domains, while other roles involve the whole forest. Only Windows 2000 domain controllers can be assigned operations master roles. The operations master roles are described in Table 3-5.

TIP: Only computers running Windows 2000 Server can be Windows 2000 domain controllers. In a mixed mode environment, you may have legacy Windows NT Servers on the network. Remember that only Windows 2000 Servers that are configured as domain controllers can be assigned operations master roles.

Table 3-5: Operations Master Roles

Infrastructure master (scope: domain)
Updates references to a user or group when that user or group is renamed. There can be only one infrastructure master per domain. If a user moves across domains, the two infrastructure masters will replicate the change during the next multi-master replication between domains.

Primary domain controller (PDC) emulator (scope: domain)
If the network is running in mixed mode, the PDC emulator acts like a Windows NT PDC and replicates with the NT backup domain controllers. If the network is running in native mode, the PDC emulator will be the first DC to get replication of password changes. If replication hasn't occurred on a recent password change, a DC can check with the PDC emulator to see if it received the password change. This is especially important if a network has a lot of domain controllers and frequent password changes. There can be only one PDC emulator per domain.

Relative ID master (scope: domain)
The relative ID master has two main functions. It assigns a group of consecutive IDs to domain controllers so that they can assign unique IDs to objects created on the DC. To move any Active Directory object between domains, you have to move it from the computer that is currently acting as the relative ID master. You can change which computer is the relative ID master, but there can be only one relative ID master at a time in a domain.

Domain naming master (scope: forest)
Keeps track of domains that are added to or removed from the forest. There can be only one domain naming master in the forest.

Schema master (scope: forest)
Changes to the Active Directory schema can only be made from the schema master. There can be only one schema master in the forest.

All the operations master roles are automatically assigned to the first domain controller in the forest. After your network has grown and there are multiple domain controllers, you may want to distribute the roles among different domain controllers.

Once you have two domain controllers in a domain, you can take some precautionary steps. The first domain controller will still have all the operations master roles, but the second domain controller can be configured as a standby operations master domain controller.

If the first computer fails, the backup machine will automatically assume any roles formerly handled by the original domain controller. If you have many domain controllers on your network, you may want to move some of the operations master roles onto separate machines for load balancing and reliability.

Because the operations masters have to replicate data frequently, be sure to choose domain controllers with fast network connections. You can assign any role to any domain controller by following a few steps. The process differs slightly, depending on which role you're changing.

TIP: The Windows 2000 MCSE exams will use simulations more often than were used for the NT4 track. Be sure to try the step-by-step instructions throughout the book. Not only will they teach you the individual topic, they'll get you familiar with the Microsoft Management Console and its many snap-ins.

Transferring operations master roles

All five roles can be reassigned using Microsoft Management Console (MMC) snap-ins. Unfortunately, not all of the snap-ins you'll need are installed by default. If you want to change the schema master, you'll have to install the Active Directory Schema snap-in by using the following steps:

  1. Choose Start → Settings → Control Panel → Add/Remove Programs.
  2. Choose Change or Remove Programs.
  3. Choose Windows 2000 Administrative Tools and click the Change button.
  4. You'll see the Welcome to the Windows 2000 Administration Tools Setup Wizard. As with most Windows 2000 wizards, you'll have to click the Next button to move to the next screen.
  5. You'll see the Setup Options screen. Choose Install All of the Administrative Tools.
  6. It will copy all the required files. Click the Finish button.
  7. Start the Microsoft Management Console. Choose Start → Run, and then type mmc and click OK.
  8. Choose Console → Add/Remove Snap-In.
  9. You'll see the Add/Remove Snap-In screen. Click Add.
  10. You'll see the Add Standalone Snap-In screen. Double-click on Active Directory Schema.
  11. Click Close and then click OK.
  12. Choose Console → Save.

Almost all of the administrative tasks in Windows 2000 are handled by MMC snap-ins. We're going to be using the MMC a lot in this chapter, so you'll be well prepared for the MMC simulation questions by the time you're done.

If you want to transfer the domain naming master role, you'll need to perform the following steps:

  1. Choose Start → Run, type mmc, and click the OK button.
  2. Open the Active Directory Domains and Trusts snap-in.
  3. Right-click on the domain controller that you want to become the new domain naming master. Choose Connect to Domain.
  4. You'll see the Connect to Domain screen. Click the Browse button and choose the correct domain name.
  5. Right-click on Active Directory Domains and Trusts and choose Operations Master.
  6. You'll see the Operations Master screen. Click on the Change button and then click OK.

You can change either the infrastructure master, PDC emulator, or relative ID master roles using roughly the same set of steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Users and Computers.
  2. Right-click on the domain in question and choose Connect to Domain.
  3. You'll see the Connect to Domain screen. Click the Browse button and choose the correct domain name.
  4. Right-click on Active Directory Users and Computers and choose Operations Master.
  5. You'll see the Operations Master screen. Depending on which role you want to change, choose either RID (for the relative ID master), PDC (for the PDC emulator), or Infrastructure (for the infrastructure master).
  6. After you've chosen the role you want to change, click on the Change button and then click OK.

There is one last role you may need to change, the schema master role. Assuming you've already installed the Active Directory Schema snap-in, you can use the following steps to change which DC will act as the schema master:

  1. Choose Start → Run, type mmc, and click the OK button.
  2. Right-click on Active Directory Schema and choose Change Domain Controller.
  3. Choose Any DC for automatic selection, or you can manually type in the name of the domain controller you want to be the new schema master. Click the OK button.
  4. Right-click on Active Directory Schema and choose Operations Master.
  5. You'll see the Change Schema Master screen. Click the Change button and then click OK.

If you only have one domain controller, all operations master roles will be on that computer. However, if you have multiple domain controllers and domain trees in your Active Directory forest, it can be difficult to remember which domain controllers are assigned each role.

There is a methodical way to find out which computers are playing each role. Remember, some roles are required in each domain, while others need only a single player for the entire forest.

If you want to find out which machines are acting as an infrastructure, PDC emulator, or relative ID master, you can perform the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Users and Computers.
  2. Right-click on Active Directory Users and Computers and choose Operations Master.
  3. Depending on which role holder you're trying to find, choose either RID (for the relative ID master), PDC (for the PDC emulator), or Infrastructure (for the infrastructure master).
  4. The name of whichever domain controller is currently acting in the role will appear. Click Cancel to close the dialog box.

If you want to find out which computer is acting as the domain naming master, use the following steps:

  1. Choose Start → Run, type mmc, and click the OK button.
  2. Open the Active Directory Domains and Trusts snap-in.
  3. Right-click on Active Directory Domains and Trusts and choose Operations Master.
  4. You'll see the Operations Master screen. Under Domain Naming Operations Master, you'll see the name of the current domain naming master.
  5. Click the Close button without making any changes.

You'll have to follow a different set of steps to find out which computer is the current Active Directory schema master:

  1. Choose Start → Run, type mmc, and click the OK button.
  2. Open the Active Directory Schema snap-in.
  3. Right-click on Active Directory Schema and choose Operations Master.
  4. You'll see the Change Operations Master screen. Under Current Operations Master, you'll see the name of the current schema master.
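The snap-in dialogs in the steps above, and the role descriptions in Table 3-5, all come down to one attribute: each role holder is recorded in the fSMORoleOwner attribute of a well-known directory object, as the DN of the holder's NTDS Settings object. The following Python is an added example, not code from the book or from Microsoft; it builds the five search targets for a domain, parses the attribute values, and flags a role whose holder has been deleted (the situation that forces a seizure, discussed under Troubleshooting later). The domain, server and site names are constructed samples.

```python
"""Locate and sanity-check the five operations master (FSMO) role holders.

Added example, not from the book. The MMC dialogs read the fSMORoleOwner
attribute of five well-known directory objects; this code builds the LDAP
search targets for a domain, parses the attribute values and flags a role
whose holder no longer exists. All names below are constructed samples.
"""
from typing import Dict, List, Tuple

# Role -> object whose fSMORoleOwner attribute names the holder.
# Domain-wide roles hang off the domain naming context; forest-wide roles live
# in the Configuration and Schema naming contexts of the forest root domain.
ROLE_OBJECTS = {
    "PDC emulator": "{domain}",
    "Relative ID master": "CN=RID Manager$,CN=System,{domain}",
    "Infrastructure master": "CN=Infrastructure,{domain}",
    "Domain naming master": "CN=Partitions,CN=Configuration,{forest}",
    "Schema master": "CN=Schema,CN=Configuration,{forest}",
}
FOREST_ROLES = {"Domain naming master", "Schema master"}

# Marker that Active Directory puts into the RDN of a deleted (tombstoned) object.
DELETED_MARKER = "\\0ADEL:"


def fsmo_search_targets(domain_dn: str, forest_root_dn: str) -> List[Tuple[str, str]]:
    """(role, base DN) pairs; each is a base-scope search for fSMORoleOwner."""
    return [(role, tmpl.format(domain=domain_dn, forest=forest_root_dn))
            for role, tmpl in ROLE_OBJECTS.items()]


def split_dn(dn: str) -> List[str]:
    """Split a DN on commas that are not escaped with a backslash."""
    parts, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    parts.append("".join(current))
    return parts


def owner_from_ntds_dn(value: str) -> Tuple[str, str, bool]:
    """Parse an fSMORoleOwner value into (server, site, orphaned).

    A live holder is the DN of its NTDS Settings object:
      CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    If the holder was removed without transferring the role, the DN instead
    points at a tombstone and carries the \\0ADEL: marker; the role must be seized.
    """
    if DELETED_MARKER in value:
        return ("", "", True)
    parts = [p.strip() for p in split_dn(value)]
    if (len(parts) < 6 or parts[0].lower() != "cn=ntds settings"
            or parts[2].lower() != "cn=servers" or parts[4].lower() != "cn=sites"):
        raise ValueError("not an NTDS Settings DN: %r" % value)
    server = parts[1].split("=", 1)[1]
    site = parts[3].split("=", 1)[1]
    return (server, site, False)


def role_report(owners: Dict[str, str]) -> List[Dict[str, object]]:
    """Turn {role: fSMORoleOwner value} into one record per role."""
    report = []
    for role, value in owners.items():
        server, site, orphaned = owner_from_ntds_dn(value)
        report.append({
            "role": role,
            "scope": "forest" if role in FOREST_ROLES else "domain",
            "server": server,
            "site": site,
            "needs_seizure": orphaned,
        })
    return report


# Constructed sample: what the five searches might return in a small forest
# where the infrastructure master was demoted without transferring its role.
_DC01 = ("CN=NTDS Settings,CN=DC01,CN=Servers,CN=Default-First-Site-Name,"
         "CN=Sites,CN=Configuration,DC=example,DC=com")
_DC02 = ("CN=NTDS Settings,CN=DC02,CN=Servers,CN=Branch,"
         "CN=Sites,CN=Configuration,DC=example,DC=com")
_GONE = ("CN=NTDS Settings\\0ADEL:0fd1e3a2-0000-4000-8000-000000000001,"
         "CN=Deleted Objects,CN=Configuration,DC=example,DC=com")
SAMPLE_OWNERS = {
    "PDC emulator": _DC01,
    "Relative ID master": _DC01,
    "Infrastructure master": _GONE,
    "Domain naming master": _DC01,
    "Schema master": _DC02,
}

if __name__ == "__main__":
    for role, base in fsmo_search_targets("DC=example,DC=com", "DC=example,DC=com"):
        print("%-22s fSMORoleOwner of %s" % (role, base))
    for rec in role_report(SAMPLE_OWNERS):
        flag = "  <-- holder deleted, role must be seized" if rec["needs_seizure"] else ""
        print("%-22s %-7s %s (%s)%s" % (rec["role"], rec["scope"],
                                         rec["server"] or "?", rec["site"] or "?", flag))
```

Against a live directory, the five base-scope searches can be issued with any LDAP client that can bind to a domain controller; the value of the exercise is that it makes the role inventory scriptable and repeatable, so a deleted holder is noticed before a schema change, a domain addition, or a RID pool exhaustion fails.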

Remote Installation Service (RIS)

You can remotely install Windows 2000 Professional on clients using a disk image or CD-ROM stored on a server using the Remote Installation Service. Client computers must have network cards that either are supported by the RIS boot disk, have Pre-Boot Execution Environment (PXE) ROMs, or are NetPC compliant.


IN THE REAL WORLD
RIS is a new technology with serious security issues. It doesn't use any encryption technology, yet it assigns file permissions during the installation process. Spoofing of an RIS server and subsequent permissions modifications, not to mention other damaging behavior, is a real possibility.

Creating an RIS Boot Disk

If the client computer on which you'd like to install Windows 2000 Professional, the only OS currently supported by RIS, doesn't have a PXE ROM, you'll have to create an RIS boot disk. You can create the disk by performing the following steps (be sure you have a formatted floppy disk available in the drive of the computer you're working on):

  1. Start the RBFG.EXE program.
  2. You'll see the Windows 2000 Remote Boot Disk Generator screen. Choose Create Disk.
  3. A dialog box informing you that the process is complete will appear. Click on the Close button and remove the floppy disk.

Installing RIS on a Server

Choose a computer with a fast connection to the client computers to use as an RIS server. A lot of data must be sent from the server to the clients for the installation of Windows 2000 Professional. The RIS server setup will fail if it does not find a DNS server or the DHCP service running on the network, so be sure to verify this before proceeding.

Once you're ready to install RIS, use the following steps to complete the install:

  1. Install the RIS service as an optional component. The Configure Your Server screen should indicate setup is not complete.
  2. If you don't see the Configure Your Server screen, you can get it by choosing Start → Programs → Administrative Tools → Configure Your Server.
  3. You'll see the Configure Your Server screen. Choose Finish Setup and you'll see the Add/Remove Programs screen.
  4. Under Configure Remote Installation Services, click on Configure.
  5. You'll see the Remote Installation Services Setup Wizard screen. Click the Next button.

The RIS Setup Wizard will ask for several configuration settings, such as where the Windows 2000 Professional installation source files are, where you'd like to create the disk image on the server, and whether it should start the client installation process as soon as possible.

Authorizing an RIS Server

RIS is not a highly secure environment, but you can limit your potential exposure by carefully selecting which computers can act as RIS servers. You have to authorize a server before it can perform RIS installations. As a safety feature, if an RIS installation is attempted by an unauthorized computer, that computer will automatically be cut off from the network. You can authorize an RIS server using the following steps:

  1. Choose Start → Programs → Administrative Tools → DHCP.
  2. Choose the DHCP server and choose Action → Manage Authorized Servers.
  3. You'll see the Manage Authorized Servers screen. Click Authorize.
  4. Type in the name or IP address of the proposed RIS server. Click the OK button and then click Yes.
  5. You'll see the Manage Authorized Servers screen. Choose the new RIS server and click OK.

You can choose to configure your RIS server to install Windows 2000 without any prompts and using a default naming scheme. There is a custom setup available if you need any special settings on a particular client. If you have any trouble during the install, you can try to restart the installation or, if the problems persist, you can use third-party diagnostic software using the maintenance and troubleshooting option.

The Client Installation Wizard (CIW) will walk you through the steps needed to install, reinstall, or troubleshoot OS installation. The CIW gives you four options:

Automatic Setup
This option allows users to simply log in and choose the operating system to be installed, then proceed without having to make any more input. Choices can be restricted by the Administrator, and a predefined naming scheme can be used.

Custom Setup
This setup allows for two main customizations unavailable with an automatic setup. The automatic computer naming scheme can be overridden, and the location in AD where the computer account is created can be changed.

Maintenance and Troubleshooting
This allows third-party diagnostic tools to be used to examine and potentially fix any problems with the disk image or setup files that will be used.

Restart a Previous Setup Attempt
This can continue a previous installation where it left off, assuming you have resolved any problems that caused the installation to stop.

Pre-Staging RIS Clients

We've already discussed the need to authorize an RIS server to help ensure the integrity of the files being sent to the client. Keep in mind that it is technically possible to intercept and modify RIS installation data. You can further secure the RIS environment by making sure only authorized clients receive the installation files. The process of authorizing the client is called pre-staging. You can do this using the following steps:

  1. Choose Start → Programs → Administrative Tools → Active Directory Users and Computers.
  2. Right-click on the OU that will be the container for the RIS client. Choose New → Computer.
  3. You'll see the New Object--Computer screen. Type in the name of the RIS client computer and click the Change button to authorize the computer's user to join the domain after RIS has installed the OS. Click the Next button.
  4. You'll see the Managed screen. Click in the box next to This is a managed computer.
  5. Unfortunately, you have to manually type in the client computer's GUID. This is a unique 32-digit hexadecimal code either located physically on the computer (usually a sticker), viewable in the BIOS, or both.
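The GUID typed in step 5 is stored in the pre-staged computer object's netbootGUID attribute, and RIS matches the value a booting client reports against it. The following Python is an added example, not code from the book or from Microsoft, for preparing that value and for checking whether a client is already pre-staged. It assumes (labelled in the code) that netbootGUID holds the GUID in the Windows byte layout, in which the first three groups are stored little-endian, and it accepts the two input forms an administrator meets: a real 32-digit GUID from the sticker or BIOS, and the RIS convention for adapters that have no GUID, 20 zeros followed by the MAC address. The GUID and MAC values are constructed samples.

```python
"""Prepare and verify the netbootGUID value used to pre-stage an RIS client.

Added example, not from the book. Assumption: netbootGUID stores the 16-byte
GUID in the Windows GUID byte layout (first three groups little-endian), which
is what uuid.UUID.bytes_le produces. Sample GUIDs and MACs are constructed.
"""
import re
import uuid

_HEX32 = re.compile(r"^[0-9a-fA-F]{32}$")


def normalize_guid(text: str) -> str:
    """Strip braces, hyphens, colons and spaces from a GUID as printed on a
    sticker or BIOS screen; return 32 lowercase hex digits or raise ValueError."""
    digits = re.sub(r"[{}\-\s:]", "", text)
    if not _HEX32.match(digits):
        raise ValueError("expected 32 hex digits, got %r" % text)
    return digits.lower()


def guid_from_mac(mac: str) -> str:
    """RIS form for a NIC that has no GUID: 20 zeros followed by the MAC address."""
    mac_digits = re.sub(r"[-:\s]", "", mac)
    if not re.match(r"^[0-9a-fA-F]{12}$", mac_digits):
        raise ValueError("expected a 12-hex-digit MAC address, got %r" % mac)
    return "0" * 20 + mac_digits.lower()


def netboot_guid_bytes(guid32: str) -> bytes:
    """The 16 bytes to store in netbootGUID (assumed Windows byte layout)."""
    return uuid.UUID(hex=normalize_guid(guid32)).bytes_le


def display_guid(raw: bytes) -> str:
    """Reverse direction: render a stored netbootGUID the way the BIOS shows it."""
    if len(raw) != 16:
        raise ValueError("netbootGUID must be 16 bytes")
    return uuid.UUID(bytes_le=raw).hex


def ldap_filter_for_client(guid32: str) -> str:
    """Search filter to check whether a client is already pre-staged. Binary
    attribute values are hex-escaped byte by byte, as LDAP filters require."""
    escaped = "".join("\\%02x" % b for b in netboot_guid_bytes(guid32))
    return "(&(objectClass=computer)(netbootGUID=%s))" % escaped


if __name__ == "__main__":
    sticker = "{3D6F8A12-4B7C-4E9D-A1B2-C3D4E5F60718}"   # constructed sample
    legacy = guid_from_mac("00-D0-B7-A1-B2-C3")            # constructed sample
    for label, g in (("BIOS GUID", sticker), ("MAC-derived", legacy)):
        raw = netboot_guid_bytes(g)
        print(label, normalize_guid(g))
        print("  stored bytes:", raw.hex())
        print("  round trip  :", display_guid(raw))
        print("  filter      :", ldap_filter_for_client(g))
```

Running the pre-stage search before handing a client its image is the check the text asks for: a client whose GUID is not found is not authorized, and a second computer object that already carries the same GUID is a duplicated or mistyped entry that should be resolved before the installation is allowed to proceed.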

RIS Account Creation

If you are using RIS to install client computers, you are probably an administrator for a large, sophisticated network. Managing accounts for hundreds or thousands of users can be a lot of work that can be more efficiently handled by delegating some control to trusted users.

You can allow computer accounts to join a domain in one of two ways, depending on how the account was created. If the account was created in an OU container, you can use Group Policies for authorization. If the account was created in the Computers container, you can use the Delegation of Control Wizard for authorization. You can also authorize both user-created and pre-staged computer account creation to be delegated to a trusted user or group of users.

Active Directory Security

Active Directory is designed to allow a very large number of users to efficiently access potentially every network resource in the enterprise. Universal access can be great for productivity, but this freedom can pose a significant challenge to maintaining network security. It is absolutely essential that you take a systematic approach to ensuring security on your network. Security issues permeate all aspects of resource management. We cover various security topics throughout the entire book.

TIP: Microsoft has decided to emphasize security by assigning an entire exam to the topic. Because security is such a fundamental part of managing a network, you'll find that security topics will be covered on every exam to some extent.

Security Templates

Active Directory is very good at displaying a lot of information in an easy-to-use directory structure. This approach is extended to managing your security configuration. You can store security settings in a single file, called a security template.

There is a Security Template Console snap-in available for the MMC, but it's not installed by default. Installing this console will simplify the process of creating security templates. You can install this snap-in using the following steps:

  1. Open the Microsoft Management Console and choose Console → Add/Remove Snap-In → Add.
  2. You'll see the Add Standalone Snap-In screen, shown in Figure 3-4. Choose Security Templates, click Add, and then press Close.
  3. Click the OK button and then click Save.
  4. Name the security console whatever you'd like and click the Save button.

Figure 3-4. The Add Standalone Snap-In dialog

You'll now be able to use this snap-in to configure and view security templates. There are many predefined security templates that you can modify to suit the needs of your network. You can create your own templates from scratch, but I recommend modifying an existing template until you become thoroughly familiar with all the possible security settings.

The Security Configuration and Analysis Console

The Security Configuration and Analysis Console is an MMC snap-in that can be used to configure, analyze, and modify security settings. Security templates can be imported into the console, modified if needed, and applied to the relevant policy to actually implement the changes. Most security needs can be met by the modification of existing security templates, rather than configuring an entire security policy from scratch.

The Security Configuration and Analysis Console will also check the current security settings and provide a report. This report not only will display areas that need to be secured, but will also allow you the option of letting the computer fix any potential security problems for you. Although this is very convenient, you should verify that the changes are adequate to ensure a secure environment.

You can create a security database into which you can import multiple security templates. You can import new templates into this database as needed. Both of these tasks can be performed using the following steps:

  1. Right-click on the Security Configuration and Analysis node in the MMC and choose Open Database.
  2. Type a name for a new security database and click OK.
  3. You'll see the Import Template screen. Choose a template and click OK.

If you have an existing security database and you want to import another template, follow these steps:

  1. Right-click on the Security Configuration and Analysis node in the MMC and choose Open Database.
  2. Right-click on the appropriate database and choose Import Template.
  3. You'll see the Import Template screen. Choose a template and click OK.

If you need to replace a template in the database rather than just merge one in, there is an option to clear the database before importing in the Import Template screen.

Audit Policies

One of the traditional tools network administrators use is the log file. A log file records events that have occurred on the network and can provide valuable clues in the event of a breach of security. They can be used to monitor and evaluate network performance and provide baseline data to compare with future activity.

An audit policy defines what will be recorded in the log file. You can audit activities, such as file access, login activity, resource usage, process tracking, and account management. You can apply an audit policy to a domain controller, stand-alone server, printer, or specific files or folders using the MMC. Auditing must be configured before the Event Viewer can be used to monitor audited events. You can create an audit policy for files and folders by using the following steps:

  1. Right-click on the appropriate icon, choose Properties, and click on the Security tab.
  2. Choose the Advanced button and click on the Auditing tab, then click the Add button.
  3. Choose the users and groups for the policy to apply to and click OK.
  4. You'll see a list of events with a Successful and Failed checkbox available. Click the boxes for the events you want to audit for the given users or groups.
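The analysis the Security Configuration and Analysis Console performs, comparing the machine's current settings with an imported template, can be reproduced on the template files themselves, since the Security Templates snap-in saves them in an INI-style .inf format with sections such as [System Access] and [Event Audit]. The following Python is an added example, not code from the book or from Microsoft; it parses a constructed baseline template and a constructed export of current settings, and reports every setting that is weaker than the baseline, including audit categories (the [Event Audit] values are bit flags, 1 for success and 2 for failure) that no longer record what the audit policy requires. The rule table that says which direction is "weaker" is this example's own, not part of the file format.

```python
"""Report where a machine's security settings fall short of a baseline template.

Added example, not from the book. Both templates below are constructed in the
.inf layout that the Security Templates snap-in saves; the DIRECTION table
that decides what counts as weaker is this example's own convention.
"""
import configparser
from typing import List, Tuple

BASELINE_INF = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 42
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditAccountManage = 3
AuditPolicyChange = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Constructed export of the settings currently in force on the machine.
CURRENT_INF = """
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
MaximumPasswordAge = 42
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
AuditAccountManage = 3
[Version]
signature="$CHICAGO$"
Revision=1
"""

# "min": current must be at least the baseline; "max": must not exceed it
# (-1 means "never", which is weaker than any limit); "lockout": 0 disables
# account lockout entirely. Everything in [Event Audit] is treated as flags.
DIRECTION = {
    ("System Access", "MinimumPasswordLength"): "min",
    ("System Access", "PasswordComplexity"): "min",
    ("System Access", "MaximumPasswordAge"): "max",
    ("System Access", "LockoutBadCount"): "lockout",
}


def parse_template(text: str) -> configparser.ConfigParser:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of setting names such as AuditLogonEvents
    cp.read_string(text)
    return cp


def is_weaker(section: str, key: str, baseline: int, current: int) -> bool:
    rule = DIRECTION.get((section, key), "audit" if section == "Event Audit" else "equal")
    if rule == "min":
        return current < baseline
    if rule == "max":
        return current == -1 or current > baseline
    if rule == "lockout":
        return current == 0 or current > baseline
    if rule == "audit":
        return (current & baseline) != baseline   # every required flag must be set
    return current != baseline


def analyze(baseline_text: str, current_text: str) -> List[Tuple[str, str, str, str]]:
    """(section, setting, baseline value, current value) for each weakened
    or unconfigured setting, in template order."""
    base = parse_template(baseline_text)
    cur = parse_template(current_text)
    findings = []
    for section in ("System Access", "Event Audit"):
        if not base.has_section(section):
            continue
        for key, bval in base.items(section):
            if not cur.has_option(section, key):
                findings.append((section, key, bval, "<not configured>"))
                continue
            cval = cur.get(section, key)
            if is_weaker(section, key, int(bval), int(cval)):
                findings.append((section, key, bval, cval))
    return findings


if __name__ == "__main__":
    for section, key, bval, cval in analyze(BASELINE_INF, CURRENT_INF):
        print("[%s] %s: baseline %s, current %s" % (section, key, bval, cval))
```

The console's "fix it for me" option applies the baseline values wholesale; a report like this one is what you read first, so that you know which settings are about to change and can judge, as the text advises, whether the template is adequate for the machine rather than trusting the automatic fix.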

Trust Relationships

Active Directory allows for two different types of trust relationships. A trust relationship is set up between a trusting domain and a trusted domain. The trusting domain allows users in the trusted domain to log in. Group Policy security in the trusting domain still applies to the users logging in from the trusted domain.

The default trust relationship between Windows 2000 domains in a tree and root domains in a forest is a two-way transitive trust. This means that if tree A trusts tree B and tree B trusts tree C, tree A automatically trusts tree C and vice-versa, without any separate trust relationships between A and C.

Because each subdomain in a tree trusts the root domain and the root domain trusts its subdomains, every subdomain in a tree automatically trusts every other subdomain in the tree. Because every root domain in a forest trusts every other root domain in the forest, every subdomain of every tree in the forest trusts every other subdomain in the forest. This greatly simplifies trusts in a Windows 2000 network compared to the Windows NT trust scheme.


IN THE REAL WORLD
Because users in any domain of the forest potentially have access to all other domains in the forest with a single logon, you should be very careful when assigning permissions to users.

The second type of trust relationship possible in Windows 2000 is a one-way nontransitive trust. This was the only option in Windows NT. In a nontransitive trust relationship, domain A decides to trust users in domain B. Domain A becomes the trusting domain in this relationship, because it trusts the users in domain B. Domain B becomes the trusted domain, because its users are trusted by domain A. Users in domain B can now log in to domain A, but users in domain A cannot log into domain B, unless a separate nontransitive trust relationship is established.

Nontransitive trusts can be set up between two Windows 2000 domains in different forests or between a Windows 2000 domain and a Windows NT domain. You can also set up a nontransitive trust between a Windows 2000 domain and a compliant Kerberos realm.
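The two trust types described above behave differently when you chain them, and that difference is exactly what decides where a user can log on. The following Python is an added example, not code from the book or from Microsoft: it records a forest's two-way transitive trusts and any one-way nontransitive trusts to outside domains, then answers "can users from domain X log on in domain Y?" by following transitive trusts through the forest but never chaining a nontransitive trust with anything else. Domain names are constructed samples.

```python
"""Decide where a user may log on from a map of Windows 2000 trusts.

Added example, not from the book. Two-way transitive trusts (parent/child and
tree-root links inside a forest) are stored as undirected edges that may be
chained; one-way nontransitive trusts are stored as directed edges that are
honoured only directly. All domain names below are constructed samples.
"""
from collections import deque
from typing import Dict, List, Set


class TrustMap:
    def __init__(self) -> None:
        self.transitive: Dict[str, Set[str]] = {}     # domain -> forest neighbours
        self.nontransitive: Dict[str, Set[str]] = {}  # trusting -> trusted domains

    def add_forest_link(self, a: str, b: str) -> None:
        """Parent/child or tree-root trust: two-way and transitive."""
        self.transitive.setdefault(a, set()).add(b)
        self.transitive.setdefault(b, set()).add(a)

    def add_external_trust(self, trusting: str, trusted: str) -> None:
        """One-way nontransitive trust: users in 'trusted' may log on in 'trusting'."""
        self.nontransitive.setdefault(trusting, set())
        self.nontransitive[trusting].add(trusted)
        self.nontransitive.setdefault(trusted, set())  # make the domain known

    def forest_reach(self, start: str) -> Set[str]:
        """Every domain reachable from 'start' over transitive trusts only."""
        seen, queue = {start}, deque([start])
        while queue:
            d = queue.popleft()
            for n in self.transitive.get(d, ()):
                if n not in seen:
                    seen.add(n)
                    queue.append(n)
        return seen

    def can_log_on(self, user_domain: str, target_domain: str) -> bool:
        """True if target_domain (trusting) accepts users from user_domain (trusted)."""
        if user_domain == target_domain:
            return True
        if user_domain in self.forest_reach(target_domain):
            return True                      # chain of transitive trusts
        # A nontransitive trust counts only when it is the whole path.
        return user_domain in self.nontransitive.get(target_domain, set())

    def domains_accepting(self, user_domain: str) -> List[str]:
        """All domains where a user from user_domain may log on."""
        known = set(self.transitive) | set(self.nontransitive)
        return sorted(d for d in known if self.can_log_on(user_domain, d))


def example_forest() -> TrustMap:
    """Constructed sample: a two-tree forest plus a legacy NT domain trusted
    (one way, nontransitively) by one child domain only."""
    t = TrustMap()
    t.add_forest_link("example.com", "corp.example.com")    # parent/child
    t.add_forest_link("example.com", "partner.net")         # tree-root trust
    t.add_forest_link("partner.net", "eu.partner.net")      # parent/child
    t.add_external_trust(trusting="corp.example.com", trusted="NTDOM")
    return t


if __name__ == "__main__":
    trusts = example_forest()
    for user_dom in ("eu.partner.net", "NTDOM", "corp.example.com"):
        print("%-18s may log on in: %s" % (user_dom, ", ".join(trusts.domains_accepting(user_dom))))
```

The result illustrates the warning in the sidebar above: a user in eu.partner.net can log on in every domain of the forest without any trust having been created for that purpose, while the NT domain's users reach only the one domain that explicitly trusts them.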

Active Directory Maintenance

Because Active Directory stores information about all the objects on the network, it is very important to make sure that the information contained in the AD is timely and accurate. Protecting the integrity of the data stored in your Active Directory and optimizing the directory's performance involves frequent monitoring and tweaking. I recommend assigning a set schedule for performing maintenance tasks.

Managing Accounts

The most important part of your network is its users. If you've created a good Organizational Unit structure and assigned Group Policies in an efficient manner, you shouldn't have much trouble maintaining user accounts. If an employee leaves the company and can potentially return, it is best to disable, rather than delete, the account.


IN THE REAL WORLD
If you delete an account, it is more difficult to reassign permissions for the objects that user owned to another user account. You'll have to take ownership of the objects with an administrator account before reassigning permissions.

Backing Up Active Directory

It is extremely important to back up data regularly. Users can lose data through malicious virus or worm attacks, by catastrophic hardware failure, or because of a simple mistake, such as accidentally deleting an important file. The safest policy is to keep frequent, multiple copies of data at separate locations.

The Active Directory can be backed up using the Windows Backup program included with Windows 2000. You'll probably have to schedule backups for late-night hours, because Windows Backup won't back up files that are in use and locked by applications. Also, the data transfer during a backup can use up quite a bit of network bandwidth.

Windows 2000 has a Backup Wizard to help you organize and implement a backup strategy. You can start the Backup Wizard using the following steps:

  1. Choose Start → Programs → Accessories → System Tools → Backup.
  2. You'll see the Welcome to the Windows 2000 Backup and Recovery Tools screen. Choose Backup Wizard.
  3. The wizard will walk you through what you want to back up, where you want to put it, and when to perform the backup.


IN THE REAL WORLD
To back up Active Directory data, system state data must be selected in the Windows Backup Wizard. The wizard will automatically determine which system state data to back up.

Restoring Active Directory

There are two types of restoration options for an Active Directory domain controller, authoritative and non-authoritative. You must always perform a non-authoritative restore before you can perform an authoritative restore. You have to reboot into Directory Services restore mode before starting either type of restoration:

Non-authoritative restore
Restores only those settings that aren't replicated from other domain controllers. If any modifications have been made to the replicated data, that data will be automatically updated the next time the restored computer receives replication data.

Authoritative restore
If you accidentally delete an object or objects, you can use a backup from before the deletion to non-authoritatively restore the object(s). Then you can use the NTDSUTIL program to mark those objects as authoritative. This will give them precedence in the replication process, so the other domain controllers will replicate the restored objects.

Optimizing Performance

Network performance is determined by the combined speed and efficiency of many components working together. Potential bottlenecks can form because of a lack of bandwidth on the network media, slow hard drives on file servers, or too many authentication requests handled by an insufficient number of domain controllers.

Active Directory performance

You should frequently monitor Active Directory's performance to make sure everything is running smoothly. There are two tools you can use, the Event Viewer and the Performance Console:

Event Viewer
Monitors services and applications and stores information in event logs. These logs include information about applications, the directory and file replication services, security, and system errors.

Performance Console
Provides counters to keep track of the performance of both local and remote computers on the network. The Performance Console contains the System Monitor and Performance Logs and Alerts.

Performance logs can be used for instant feedback or kept as a baseline to be compared to future readings. Also, the NTDS object counters can be used in much the same way to trace Active Directory performance.

TIP: The first step in troubleshooting Active Directory is to check the Directory Service logs in the Event Viewer.

Troubleshooting Active Directory

There are five operations master roles played by domain controllers in the forest. The severity of the problem depends on which DC fails. Table 3-6 lists the operations master roles and the consequences of their failure.


IN THE REAL WORLD
If you have enough well-connected domain controllers, be sure to assign a standby role to an alternate domain controller in case the primary DC fails. If you do this, the odds of a disruption are far less.

Most operations master failures will not immediately or drastically affect the performance or functionality of the network. There is one notable exception, the primary domain controller emulator.

Because it deals with user authentication, if the PDC emulator is unavailable it can cause serious problems. This is the one case where you might consider seizing the role.

Seizing an operations master role involves transferring the operations master role to another domain controller. This process was covered earlier in this chapter. You should only do this if it is absolutely necessary.


IN THE REAL WORLD
If yo