The domain controllers are the key to ensuring your Active Directory is safe and secure. However, many aspects of your domain controllers may go unnoticed unless you are 100% aware what is happening behind the scenes. An important consideration is the point at which domain controllers receive many of their default security settings. You will recall that two default GPOs help configure the environment: the Default Domain Policy, targeted to the entire domain, and the Default Domain Controller Policy, targeted to the domain controllers. Finally, if you are upgrading from Windows NT to Windows 2000 or Server 2003, you will need to be aware of how the security is different on upgraded servers from those that are freshly installed.

Default Domain Policy

The GPO that is linked to the domain is primarily targeted to configure the domain user’s Account Policies. This includes the Password Policy, Account Lockout Policy, and Kerberos Policy. Figure 13-4 shows you the Default Domain Policy regarding the Account Policies.

Figure 13-4. Account Policies in the Default Domain Policy

The Default Domain Policy controls more than just the Account Policies. Table 13-2 lists the default settings in the Default Domain Policy.

Table 13-2. Default Domain Policy default configurations and values

Computer configuration	Policy setting	Value
Password Policy	Enforce password history ...