A forest is one or more domain trees that have separate contiguous namespaces. All the trees in a forest share a common schema and trust one another because of transitive trusts. If you have multiple forests, you must set up an explicit trust between them. To create a site, add the subnets the domain controllers are in to the site object. A site object is a collection of subnet addresses that usually share a geographic location.
Sites can span domains, and domains can span sites. If a subnet requires fast access to the directory, it should be configured as a site. In every site, at least one global catalog server should be installed for fast directory access, and at least one domain controller should be installed.

Organizational Units (OUs)
An Organizational Unit is a container object that can hold users, groups, printers, and other objects, as long as these objects are members of the same domain as the OU.
You can organize the domain into logical administrative groups using OUs. OUs allow you to delegate the management of the objects in an OU to other users. You can assign a separate set of permissions over the objects in the OU, apart from the permissions set at the domain level.

Global Catalog
A global catalog contains all the objects in the AD, with only a subset of their attributes.
This allows you to find objects quickly, even in a large multi-domain environment. The global catalog serves as an index to the entire structure of all domains and trees in a forest. The first server installed in a tree is called the global catalog server. Additional global catalog servers will improve the response time of queries for AD objects.
Domain Controllers
All domain controllers in a Windows domain have a writeable copy of the AD database. All changes performed on any domain controller are replicated to all the other domain controllers within the domain via multimaster replication. Multimaster replication means there is no master domain controller; all domain controllers are considered equal. Domain controllers are not required to replicate directly with each other. Domain controllers that are in close proximity to each other can replicate with each other, and then one of them can send all the changes to a remote domain controller.
Replication
A connection object is a connection that AD uses for replication. Connection objects are fault tolerant: when a communication link fails, AD will automatically reconfigure itself to use another route to continue replication. The Knowledge Consistency Checker (KCC) runs on all domain controllers every 15 minutes by default. It creates connection objects that provide the most favorable route for replication at the time of replication.
Changes that need to be replicated are tracked using the update sequence number (USN). Each domain controller maintains a table of its own USNs, which is updated whenever it makes a change to an AD object. Other domain controllers use this USN to determine whether a change has occurred on a replication partner. To reduce network traffic, only the changed attribute is transferred.
After a domain controller fails, it attempts to replicate with all of the domain controllers when brought back online. A site is a group of domain controllers joined by a fast connection. Intrasite replication traffic can consume a large amount of bandwidth. Intersite traffic is compressed at a rate of These links facilitate the replication between sites. If not created, domain controllers will not be able to send or receive directory updates.
Replication availability, cost, and replication frequency can be configured for greater efficiency. The KCC uses settings from the site links to determine which connection objects to create to replicate directory data. SMTP transport is generally used for connections that are intermittent, such as dial-up links. Replication can be set up for a specific schedule by specifying when replication over that site link cannot take place, or by default, which allows replication to occur at any time.
The default replication time is every three hours. Cost value determines which link to use when there are multiple links between sites. AD always uses the lowest cost path available. You can designate a domain controller as a bridgehead server to act as a replication gateway. It accepts all replication data from other sites via slow links and distributes it to other domain controllers in the site via fast links.
Bridgehead servers are commonly used when sites are separated by firewalls, proxy servers, or Virtual Private Networks (VPNs).

Site Link Bridge
A site link bridge specifies a preferred route for replication traffic. It is the process of building a connection between two site links. It is not needed in a fully routed IP network. If you set up site link bridges, you must turn off the default option to bridge all site links automatically. Domain Security Policy: manages security policy for domains.
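As an added example (not from the notes themselves), the following Python model shows how the cost and bridging rules above decide a replication route between sites: the lowest-cost path is taken, and when "Bridge all site links" is off, a route may only continue across links that share an explicit site link bridge. Site names, link names and costs are constructed, and the KCC's real algorithm is only approximated by a shortest-path search.

```python
"""Toy model of intersite route selection: site links carry a cost, AD uses the
lowest-cost path, and with 'Bridge all site links' disabled a route may only
chain across links joined by an explicit site link bridge. All names and costs
are constructed for this example."""
import heapq
from itertools import count


class SiteTopology:
    def __init__(self, bridge_all=True):
        self.links = {}       # link name -> (cost, frozenset of member sites)
        self.bridges = []     # each bridge is a set of link names allowed to chain
        self.bridge_all = bridge_all

    def add_site_link(self, name, cost, *sites):
        # Slower connections get a higher cost, as the notes recommend
        self.links[name] = (cost, frozenset(sites))

    def add_site_link_bridge(self, *link_names):
        self.bridges.append(set(link_names))

    def chainable(self, arrived_on, next_link):
        """May a route leave one site link and continue over another?"""
        if self.bridge_all:
            return True
        return any({arrived_on, next_link} <= br for br in self.bridges)

    def lowest_cost_path(self, src, dst):
        """Dijkstra over (site, link arrived on); returns (cost, sites) or None."""
        tick = count()                       # tie-break so the heap never compares None
        heap = [(0, next(tick), src, None, (src,))]
        best = {}
        while heap:
            cost, _, site, via, path = heapq.heappop(heap)
            if site == dst:
                return cost, list(path)
            if best.get((site, via), float("inf")) <= cost:
                continue
            best[(site, via)] = cost
            for name, (lcost, members) in self.links.items():
                if site not in members or name == via:
                    continue
                if via is not None and not self.chainable(via, name):
                    continue
                for nxt in members - {site}:
                    heapq.heappush(heap, (cost + lcost, next(tick), nxt, name, path + (nxt,)))
        return None


def build(bridge_all):
    """Constructed topology: fast links near HQ, a slow direct link to Remote."""
    t = SiteTopology(bridge_all)
    t.add_site_link("HQ-B1", 100, "HQ", "Branch1")
    t.add_site_link("HQ-B2", 100, "HQ", "Branch2")
    t.add_site_link("B1-Remote", 500, "Branch1", "Remote")
    t.add_site_link("B2-Remote", 300, "Branch2", "Remote")
    t.add_site_link("HQ-Remote", 1000, "HQ", "Remote")   # slow dial-up style link
    return t


def scenario():
    bridged = build(bridge_all=True).lowest_cost_path("HQ", "Remote")
    unbridged = build(bridge_all=False).lowest_cost_path("HQ", "Remote")
    t = build(bridge_all=False)
    t.add_site_link_bridge("HQ-B1", "B1-Remote")   # bridge only one pair of links
    explicit = t.lowest_cost_path("HQ", "Remote")
    return {"bridged": bridged, "unbridged": unbridged, "explicit": explicit}
```

With bridging on, the cheap two-hop route via Branch2 wins; with bridging off and no bridge defined, only the slow direct link is usable; an explicit bridge re-enables just the route it names.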
Installing Active Directory
Servers install as member servers (standalone) by default. AD depends on DNS and, as such, cannot be installed without it. You do not have to reinstall the operating system to create a domain controller.
A member server can be promoted to a domain controller, or demoted to a member server, at any time by using dcpromo. The dcpromo answer file for an unattended installation contains only the [DCInstall] section. To remove AD and demote a domain controller to a member server, log on as an Administrator, then supply Enterprise Administrator credentials during the demotion process.
Use mixed mode (installed by default) if your domain consists of both AD and pre-Windows domain controllers.
If Windows is being installed into an infrastructure where all domain controllers will be running Windows , then domain controllers should utilize native mode.

Creating Sites
Right-click Sites, and choose New Site.
Type the name of your site and select a site link. If the IP address of a newly installed domain controller matches an existing subnet in a defined site, it is automatically added to that site. Otherwise, it is added to the site of the source domain controller.

Creating Subnets
Subnets are the objects used by AD to determine the boundaries of sites. Workstations use subnets to determine the closest domain controller for logons. AD uses IP subnets to find a domain controller in the same site as the system being authenticated during a logon, and to determine the best routes between domain controllers.
Enter the subnet address and subnet mask. Associate the subnet with a site.

Creating Site Links
Creating a site link between two or more sites influences replication. When creating a site link, you can specify what connections are available, which ones are preferred, and how much bandwidth is available.
AD can use this information to choose the most efficient times and connections for replication. Site links are not created automatically; they must be created manually. Computers in different sites cannot communicate with each other or replicate data until a site link has been established between them. Provide a link name and choose the sites you want to connect.
Default site link cost is The slower a connection, the more it should cost. The replication interval must be at least 15 minutes and cannot exceed 10, minutes. Is synchronous and ignores all schedules. Requires installation of a Certificate Authority (CA).
Intersite IP replication uses schedules by default. It does not require a CA.

Creating Site Link Bridges
In a fully routed network, it is not necessary to create site link bridges, as all site links using the same protocol are bridged by default.
When a network is not fully routed, it is necessary to disable the default site link bridging. Provide a site link bridge name and choose the site links you want to connect. Uncheck the Bridge All Site Links check box. Manually adding connection objects may increase replication performance. To add one, open the Site folder. In the Find Domain Controllers box, select the desired domain controller. In the New Object — Connection window, name the new connection.

Creating Global Catalog Servers
There should be at least one global catalog server located in every site.
If your network has multiple sites, you may wish to create additional global catalog servers to prevent queries from being performed across slow Wide Area Network (WAN) links. AD creates one global catalog server per forest by default. To make a domain controller a global catalog server, select the Global Catalog Server checkbox on the General tab. To move a server object to another site, open the Site folder, and open the Servers folder where the server is currently located. Right-click the server to be moved, and select Move. Select the site you want to move the server object to, then click OK.
Operations Master Roles
AD uses multimaster replication of the directory to make all domain controllers equal. Some operations are impractical to perform in a multimaster environment. In a single-master model, only one DC in the entire directory is allowed to process updates. Windows Active Directory has the ability to transfer roles to any domain controller (DC) in the enterprise. Because an Active Directory role is not bound to a single DC, these roles are referred to as operations master roles.
Responsible for domain name uniqueness.
Infrastructure daemon: domain-level master that maintains inter-domain consistency.
Schema master: forest-level master responsible for write updates and changes to the schema. This may occur when one of the domain controllers hosting the master role should fail.
Default domain controllers OU: contains the first domain controller.
Default-First-Site-Name: the first site, automatically created when you install the first domain controller.
Directory services database: the file Ntds.
Global catalog server: the first domain controller becomes a global catalog server by default.
Root domain: the forest root is created when the first domain controller is installed.
Exists on all Windows domain controllers.
SRV resource records: check the Netlogon.

The objects must be members of the same domain as the OU. OUs allow you to assign separate sets of permissions over the objects in the OU, and allow you to delegate administrative rights to objects.
To create an OU, select the domain name or another OU. Right-click it, then choose New from the Action menu and select Organizational Unit. Enter the name of the new OU, then click OK. To use the Windows Backup utility to back up the System State data, you must be a member of the Administrators or the Backup Operators group.
Performing a Nonauthoritative Restore of Active Directory
By default, when restoring System State data to a domain controller, you are performing a nonauthoritative restore. All System State components that are older than the replicated components on the other domain controllers will be brought up to date by replication after the data is restored. If you do not want this information to be updated by replication, you must perform an authoritative restore.
Nonauthoritative restore is used for restoring System State data on a local computer only. If you do not specify an alternate location for the restored data, Backup will erase your current System State data. To restore System State data, you must first start the system in safe mode.

Performing an Authoritative Restore of Active Directory
An authoritative restore is performed immediately after a nonauthoritative restore and designates the information that is authoritative.
A value of , is added to the Property Version number of every object on the domain controller. This ensures the objects on this domain controller will overwrite the copies of these objects on other domain controllers.
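An added example, not part of the original notes, that models the USN and property version rules described above: only changed attributes travel, a DC can forward changes on behalf of a partner it never replicates with directly, a nonauthoritative restore is silently undone by replication, and an authoritative restore wins because its version numbers are raised. DC names, attribute values and the VERSION_BOOST constant are constructed; the boost stands in for the far larger increment the notes refer to.

```python
"""Toy model of USN-driven multimaster replication and of why an authoritative
restore wins: restored attributes get a raised property version number, so peers
accept them over their newer copies. All names, values and the boost are constructed."""
import copy
from dataclasses import dataclass, field

VERSION_BOOST = 100  # constructed stand-in for the much larger real increment

@dataclass
class Attr:
    value: str
    version: int    # property version number of this attribute
    origin: str     # DC that originated the write, used only as a tie-break
    local_usn: int  # USN on *this* DC when the value was written or applied

@dataclass
class DomainController:
    name: str
    usn: int = 0
    objects: dict = field(default_factory=dict)    # dn -> {attr: Attr}
    watermark: dict = field(default_factory=dict)  # partner -> highest USN pulled

    def write(self, dn, attr, value, version=None):
        """Originating write: advances the local USN and the attribute version."""
        self.usn += 1
        cur = self.objects.setdefault(dn, {}).get(attr)
        ver = version if version is not None else (cur.version + 1 if cur else 1)
        self.objects[dn][attr] = Attr(value, ver, self.name, self.usn)

    def changes_since(self, usn):
        """Only attributes touched here after `usn`; whole objects never travel."""
        out = [(dn, n, a) for dn, attrs in self.objects.items()
               for n, a in attrs.items() if a.local_usn > usn]
        return sorted(out, key=lambda t: t[2].local_usn)

    def pull_from(self, partner):
        """Replicate from a partner; the higher (version, origin) copy wins."""
        last = self.watermark.get(partner.name, 0)
        applied = 0
        for dn, n, a in partner.changes_since(last):
            cur = self.objects.setdefault(dn, {}).get(n)
            if cur is None or (a.version, a.origin) > (cur.version, cur.origin):
                self.usn += 1                   # applied changes get a local USN too
                self.objects[dn][n] = Attr(a.value, a.version, a.origin, self.usn)
                applied += 1
            last = max(last, a.local_usn)
        self.watermark[partner.name] = last
        return applied

    def restore(self, backup, authoritative_dn=None):
        """Restore a System State backup (contents plus watermarks); with
        authoritative_dn, rewrite that object's attributes with boosted versions."""
        self.objects, self.watermark = copy.deepcopy(backup)
        if authoritative_dn:
            for n, a in list(self.objects[authoritative_dn].items()):
                self.write(authoritative_dn, n, a.value, a.version + VERSION_BOOST)

def scenario():
    a, b, c = (DomainController(n) for n in ("DC-A", "DC-B", "DC-C"))
    a.write("cn=alice", "title", "Engineer")
    a.write("cn=alice", "phone", "555-0100")
    b.pull_from(a)
    c.pull_from(b)                         # C never talks to A; B forwards for it
    backup = copy.deepcopy((a.objects, a.watermark))   # System State backup of A
    a.write("cn=alice", "title", "Lead")   # only 'title' crosses the wire next pull
    shipped = b.pull_from(a)
    b.write("cn=alice", "phone", "")       # a bad edit on B replicates everywhere
    a.pull_from(b)
    c.pull_from(b)
    a.restore(backup)                      # nonauthoritative: replication undoes it
    a.pull_from(b)
    after_nonauth = a.objects["cn=alice"]["phone"].value
    a.restore(backup, authoritative_dn="cn=alice")    # now A's old copy wins
    b.pull_from(a)
    c.pull_from(b)
    # Side effect: the legitimate later 'title' change is rolled back as well
    return {"shipped": shipped, "after_nonauth": after_nonauth,
            "phone": [dc.objects["cn=alice"]["phone"].value for dc in (a, b, c)],
            "title": [dc.objects["cn=alice"]["title"].value for dc in (a, b, c)]}
```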
To perform an authoritative restore, perform the standard restore procedure, but do not allow the domain controller to reboot at the end of the procedure. Click No to bypass the restart option, then close Backup. From a command prompt, type Ntdsutil. From the Ntdsutil: prompt, type Authoritative Restore. Then type Restore Database.

Startup and Recovery Settings
The paging file must be on the system partition, and the pagefile itself must be at least 1 MB larger than the amount of RAM installed, for the Write debugging information option to work.
Use dumpchk. A small memory dump needs 64K of space. Memory dumps are saved with the filename memory. Startup and recovery settings are accessed through Control Panel, System. Choose the Advanced tab, then Startup and Recovery.

Active Directory clients and client tools use DNS to locate domain controllers for administration and logon. You must have a DNS server installed and configured for Active Directory and the associated client software to function correctly.
Resource records will then be updated by the DHCP clients and/or server without administrator intervention. To allow this, right-click the domain name and choose Properties, then check the Allow Dynamic Updates box on the General tab.
You must do the same for the Reverse Lookup Zones. If serial numbers have changed since the last copy, a new copy of the entire zone database is transferred to the secondary.

Troubleshooting
Dcpromo creates an installation log during the installation procedure that records every step, including successes or failures. The file created is Dcpromo. All debugging options are disabled by default because they can be resource-intensive.
Use nslookup to troubleshoot problems with DNS.

When applied, a Group Policy affects all users and computers within a container. Group Policy settings define what controls, freedoms, or restrictions are placed over an OU. Group Policy Objects can contain seven types of settings:
Administrative Templates: defines application and desktop configurations via Registry controls.
Security: controls access and security account policies, lockout policies, audit policies, user rights, etc.
Software Installation: controls installation, update, and removal of software.
Scripts: controls when Windows will execute specific scripts.
Folder Redirection: defines folder redirection for user profile home directories and folders.

User configuration settings apply group policies to users, regardless of what computer they have logged on to.
Settings are only applied at the time of logon and removed when the user logs off. Computer configuration settings apply group policies to computers, regardless of what user logs on to them. Settings are applied when Windows initializes. To link a GPO to a site, right-click the Site folder, choose Properties, and open the Group Policy tab.
Each Windows computer can have one local GPO. GPOs cannot be tied directly to users or computers. Click Add, then choose the policy and click OK. Each previous GPO is overwritten by the next in line. When several GPOs are linked to a single OU, they are processed synchronously, in the order specified by the administrator. No Override can be set on a GPO link so that none of its policies will be overridden by a child container of the container it is linked to. The Loopback setting is used to select merge or replace mode. Filtering grants or restricts Read access to the GPO.
To prevent a GPO from applying to a specific user within a listed group, add the user to the list of names and then select the Deny setting for the Apply Group Policy setting. When a GPO link is removed, it is no longer applied, but still exists.
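As an added example (not from the notes), a small Python model of the processing rules above: GPOs apply in order, each later one overwriting the earlier, a No Override link keeps child containers from changing its settings, and a Deny on Apply Group Policy filters a GPO out for the user or group it names. GPO, container and setting names are constructed.

```python
"""Toy model of Group Policy processing order, No Override, and Apply Group
Policy filtering. GPO, container, group and setting names are constructed."""
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                                  # setting name -> value
    deny_apply: set = field(default_factory=set)    # groups denied Apply Group Policy


@dataclass
class Link:
    gpo: GPO
    no_override: bool = False


def resolve(chain, groups, local_gpo=None):
    """chain: (container, [Link, ...]) from site down to the user's OU, links in the
    administrator's processing order. Returns (effective settings, trace lines)."""
    effective, locked, trace = {}, {}, []
    ordered = [("local", Link(local_gpo))] if local_gpo else []
    ordered += [(c, link) for c, links in chain for link in links]
    for container, link in ordered:
        denied = link.gpo.deny_apply & groups
        if denied:
            trace.append(f"{container}/{link.gpo.name}: skipped, Apply denied for {sorted(denied)}")
            continue
        for key, val in link.gpo.settings.items():
            if key in locked:        # set higher up by a No Override link: keep it
                trace.append(f"{container}/{link.gpo.name}: {key} kept from {locked[key]}")
                continue
            effective[key] = val     # later GPO overwrites the earlier value
            if link.no_override:
                locked[key] = link.gpo.name
    return effective, trace


LOCAL = GPO("Local", {"wallpaper": "local.bmp"})
SITE = GPO("Site-Std", {"wallpaper": "corp.bmp", "screensaver_timeout": 900})
DOMAIN = GPO("Domain-Sec", {"min_password_length": 8, "disable_cmd": True})
SALES_A = GPO("Sales-Desktop", {"wallpaper": "sales.bmp", "disable_cmd": False})
SALES_B = GPO("Sales-Lock", {"screensaver_timeout": 300}, deny_apply={"Helpdesk"})

CHAIN = [
    ("Site", [Link(SITE)]),
    ("Domain", [Link(DOMAIN, no_override=True)]),   # child OUs cannot undo these
    ("OU=Sales", [Link(SALES_A), Link(SALES_B)]),
]


def effective_for(groups):
    """Effective settings for a user in the given groups under the Sales OU."""
    return resolve(CHAIN, set(groups), local_gpo=LOCAL)[0]
```

The Sales OU's attempt to re-enable the command prompt is ignored because the domain link is marked No Override, while a Helpdesk member keeps the site's screensaver timeout because Sales-Lock is filtered out.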
Managing and Troubleshooting User Environments by Using Group Policy
Group policies can be used to control the abilities of a user to perform tasks or access portions of the operating system or network. System Policies are a collection of user environment settings that are enforced by the operating system and cannot be modified by the user. User profiles refer to the environment settings that users can change.
Environment control takes place via Administrative Templates. Administrative Templates control a system through editing or overwriting portions of the Registry.
They are secure and can only be changed by Administrators. Templates can be filtered using Active Directory. INF files. Removes all securedc. For Workstations running in Windows native mode only. Requires all communications to be digitally signed hisecws. Cannot communicate High Secure hisecsv. When a system is shut down, Windows processes the logoff scripts then the shutdown scripts. Multiple scripts can be assigned to the same user or computer and Windows processes them using top-down logic.
Windows Installer packages have a .MSI file extension. A Group Policy Object is created. Behavior filters are set in the GPO to determine who gets the software. Choose the publishing method, then click OK. AD can either uninstall the old application first or upgrade over the top of it. When publishing upgrades, they can be optional or mandatory for users, but are mandatory when assigned to computers.
When applications are no longer supported, they can be removed from software installation without having to be removed from the systems of users who are using them. Applications that are no longer used can have their removal forced by an administrator. Software assigned to the user is automatically removed the next time that user logs on. When software is assigned to a computer, it is automatically removed at start up.
Users cannot re-install the software.

Configuring Deployment Options
You can assign or publish software packages. Assigned software is installed the next time the user logs on, regardless of whether or not they run it.
When software is assigned to a user, the new program is advertised when a user logs on, but is not installed until the user starts the application.
Software assigned to a computer is installed automatically. A local administrator can only remove software when it is assigned to a computer. Users can repair software assigned to computers, but not remove it. Published applications are not advertised. Applications can only be published to users, not computers. Published applications do not self-repair or re-install if deleted. With invocation, when a user launches an unknown file type, the client computer queries Active Directory to see what is associated with the file extension.
If an application is registered, AD checks to see if it has been published to the user. If it has, it checks for the auto-install permission. If all conditions are met, the application is installed. Non-MSI programs are published as .ZAP files. ZAP files can only be published, not assigned.

Managing Network Configuration by Using Group Policy
Folder redirection is used with roaming profiles to redirect folders to a central server, preventing files from being copied back and forth between the server and the workstation every time the user logs on and off.
Use Group Policy to set disk quotas, limiting the amount of space used by special folders. RIS (Remote Installation Services) can initiate a typical network share type of installation or use a system image transfer type of installation.
The hard disk must have at least two partitions, one for the Operating System and one for the images. The image partition must be formatted with NTFS. RIS packages cannot be installed on either the system or boot partitions.

Setting Up a RIS Server
The Setup Wizard creates the folder structure, copies the needed source files to the server, and creates the initial CD-based Windows Professional image in its designated folder along with the default answer file Ristandard.
Choose a pre-defined format or create a custom one. Associate an answer file (.SIF) with your image. Specify the Remote Installation Folder Location. For Initial Settings, choose Do not respond to any client requests. Specify the location of the Windows Professional source files for building the initial CD-based image. Provide a text name for the CD-based image. Configure all components and settings for the desired client configuration.
Install and configure applications. Copy the configuration to the Default User profile. Provide the name of the RIS Server where the image will be stored. RIPrep creates an installation image from a preinstalled and configured system. Using RIS, you can send personal computers directly to an end user or staging area and install an automated, customized version of Windows. The client initiates the PXE protocol by broadcasting a DHCP Discover packet containing an extension that identifies the request as coming from a client that implements PXE.
The boot server sends an offer containing the IP address of the server that will service the client. The client uses TFTP to download the executable file from the boot server. The client then initiates execution of the downloaded image. Since one disk works for all network adapters, a specific network boot disk is no longer required. The supported network adapters are listed in the utility that creates the boot disk. This utility is named Rbfg. RIS can be configured to respond to clients requesting service, to respond only to authorized and known clients, to verify that the server is properly configured, and to view the current RIS clients.
Installation options are not available: possible Group Policy conflicts; check to make sure another Group Policy Object is not taking precedence. For RIPrep images, the files are stored as individual source files. Permissions that have been assigned directly to an object will not change when it is moved. Objects without permissions inherit the permissions of the parent container they are moved to.
The GPO link is automatically updated. Use the Movetree command-line utility to move objects between domains. Use the Netdom command-line utility to move workstations or member servers between domains. User objects that contain any other objects cannot be moved.

Resource Publishing in Active Directory
Publishing a resource refers to the process of creating an object in the directory that either contains the information you want to make available or that provides a reference to the object.
General information is automatically published for all network users while account security information is only available to select administrator groups. Printers must be installed before they are added to AD. Right-click the container and choose New, Printer. Right-click the container you want to add the shared folder to and choose New, Shared Folder.
Contact: a person connected to the organization. Includes phone number, e-mail, address, home page, etc.
Group: collections of users, groups, or computers used to simplify administration.
Printer: pointer to a printer. Windows automatically adds printers created on domain computers to AD.
Shared Folder: pointer to a shared folder on a computer.

Right-click a domain or container in the console tree and select Find. Users can search for computers, shared folders, printers, and users.
Local accounts are not recognized by Active Directory. Domain user accounts: used by users to log on to the domain to gain access to network resources.
Built-in user accounts: Administrator and Guest.
Local user profile: created on a computer the first time a user logs on; stored on the local hard drive.
Roaming user profile: created by a system administrator; stored on a server; available from any computer on the network; changes are saved to the profile on the remote server.
Mandatory user profile: created by a system administrator; only administrators can change mandatory profiles.

Accounts should only be deleted when they will no longer be needed.
Renaming an account retains all rights, permissions, and group memberships and assigns them to a different user. Disable accounts when they are not going to be needed for an extended period but may be needed again.

Creating and Managing Groups
Security groups are used to assign permissions for accessing objects in AD.
Distribution groups are used for non-security-related functions and can only be accessed by AD-aware programs such as Exchange Server. Global groups can only contain members from the domain in which the group was created. Use global groups to assign permissions for gaining access to resources located in any domain in the tree or forest.
They can contain other global groups when running in native mode. Domain Local groups can contain members from any domain. They can only access resources in the domain where the group was created.