Moving all of the domains in the forest to the Windows 2000 native or Windows Server 2003 functional level greatly reduces the complexity. Just as we saw in the previous section, when a new benefits user joins the company, the only group his or her account needs to be made a member of is the Benefits global group in his or her regional domain. Again, this is because the Benefits global group is nested in the HR global group.
The real power in a multiple domain environment, however, comes in the ability to use universal security groups. You no longer have to add each HR global group into the Global_HR_Resources domain local group. Instead, you can add all of the HR global groups into a universal group called ALL_HR. You then add this group into the Global_HR_Resources DLG. These group memberships are shown in Figure 11.10.
When universal groups enter the design, we are using the AGGUDLP model (sometimes abbreviated AGUDLP), where U represents Universal group. This model means: Accounts should be placed into Global groups that can be placed into other Global groups and/or Universal groups, and then into Domain Local groups, which are added to ACLs and granted Permissions to resources.
446 Chapter 11 • Creating User and Group Strategies
Figure 11.9 AGDLP in a Multiple Domain Forest
[Figure: the NorthAmerica.Syngress.com, Europe.Syngress.com, and Asia.Syngress.com domains each contain a Benefits global group nested in an HR global group; each regional HR global group is a member of the Global_HR_Resources domain local group, which is granted access to the Files resource; the New User is added to the Benefits global group in Europe.Syngress.com.]
While this might look like a similar amount of work when compared with Figure 11.9, the real power of this design becomes evident when you attempt to grant all HR users access to another resource, such as a printer in Asia. In this case, you simply need to create a new DLG and grant the print permission for the printer in the Asia domain to that group. In Figure 11.11, the group is called HR_Print_Asia. You then simply add the All_HR universal group to the HR_Print_Asia domain local group. Imagine what the diagram would look like if you couldn't use a universal group and how much more work would be involved. You would need to add each HR global group to the HR_Print_Asia domain local group. Now imagine that you have dozens of similar situations in your forest, and you'll no doubt appreciate the simplicity and reduced management requirements that universal groups bring with them.
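As an added example (not code from the book), the following Python model enforces the group scope rules this chapter relies on and resolves nested membership, so you can check that a new Europe Benefits user reaches both the Files share and the Asia printer through All_HR alone. The placement of All_HR and Files in the NorthAmerica.Syngress.com domain is an assumption, as is the exact rule set the checks encode.

```python
# Added example: a model of the AGGUDLP strategy in Figures 11.10 and 11.11. Objects are
# (domain, name) pairs; the checks encode the scope rules the chapter relies on: global groups
# take members only from their own domain, universal and domain local groups take accounts,
# global and universal groups from any domain, and a DLG is granted rights only in its domain.
from collections import deque

GLOBAL, UNIVERSAL, DOMAIN_LOCAL = "global", "universal", "domain local"

class Forest:
    def __init__(self):
        self.scope = {}     # (domain, group) -> scope
        self.members = {}   # (domain, group) -> set of (domain, principal)
        self.acl = {}       # (domain, resource) -> set of (domain, group)
    def add_group(self, domain, name, scope):
        self.scope[(domain, name)] = scope
        self.members[(domain, name)] = set()
        return (domain, name)
    def add_member(self, group, member):
        """Nest an account or group, rejecting memberships the scope rules forbid."""
        gs, ms = self.scope[group], self.scope.get(member)   # ms is None for an account
        if gs == GLOBAL and (member[0] != group[0] or ms not in (None, GLOBAL)):
            raise ValueError(f"global group {group} cannot contain {member}")
        if gs == UNIVERSAL and ms == DOMAIN_LOCAL:
            raise ValueError(f"universal group {group} cannot contain a domain local group")
        self.members[group].add(member)
    def grant(self, resource, group):
        """AGGUDLP: only a domain local group of the resource's own domain goes on the ACL."""
        if self.scope[group] != DOMAIN_LOCAL or group[0] != resource[0]:
            raise ValueError(f"grant {resource} to a domain local group in {resource[0]}")
        self.acl.setdefault(resource, set()).add(group)
    def expand(self, group):
        """Every principal reachable through nested membership (breadth-first)."""
        seen, queue = set(), deque([group])
        while queue:
            for m in self.members[queue.popleft()]:
                if m not in seen:
                    seen.add(m)
                    if m in self.scope:      # nested group: keep walking
                        queue.append(m)
        return seen
    def has_access(self, account, resource):
        return any(account in self.expand(g) for g in self.acl.get(resource, ()))

DOMAINS = ("NorthAmerica.Syngress.com", "Europe.Syngress.com", "Asia.Syngress.com")

def build_hr_forest():
    # Figure 11.10 plus the Asia printer of Figure 11.11; All_HR and Files are placed
    # in NorthAmerica.Syngress.com by assumption (the figures do not say where they live).
    f = Forest()
    all_hr = f.add_group(DOMAINS[0], "All_HR", UNIVERSAL)
    for dom in DOMAINS:
        hr = f.add_group(dom, "HR", GLOBAL)
        f.add_member(hr, f.add_group(dom, "Benefits", GLOBAL))  # Benefits nested in HR
        f.add_member(all_hr, hr)                                 # each HR group joins All_HR
    files_dlg = f.add_group(DOMAINS[0], "Global_HR_Resources", DOMAIN_LOCAL)
    f.add_member(files_dlg, all_hr)
    f.grant((DOMAINS[0], "Files"), files_dlg)
    print_dlg = f.add_group(DOMAINS[2], "HR_Print_Asia", DOMAIN_LOCAL)  # one new DLG...
    f.add_member(print_dlg, all_hr)                                     # ...one new membership
    f.grant((DOMAINS[2], "Printer"), print_dlg)
    return f

def new_benefits_user(f, domain, user):
    """Onboarding as the chapter describes: the account joins only its regional Benefits group."""
    f.add_member((domain, "Benefits"), (domain, user))
    return (domain, user)
```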
Figure 11.10 AGGUDLP in a Multiple Domain Forest
[Figure: the NorthAmerica.Syngress.com, Europe.Syngress.com, and Asia.Syngress.com domains each contain a Benefits global group nested in an HR global group; every regional HR global group is a member of the All_HR universal group, which is in turn a member of the Global_HR_Resources domain local group; the New User is added to the Benefits global group in Europe.Syngress.com.]
Figure 11.11 Using AGGUDLP to Grant Access to an Additional Resource
[Figure: the same three regional domains, HR and Benefits global groups, All_HR universal group, and Global_HR_Resources domain local group as in Figure 11.10, plus a Printer in Asia.Syngress.com whose HR_Print_Asia domain local group has All_HR as a member; the New User is again in the Benefits global group in Europe.Syngress.com.]
Chapter 12 • Working with Forests and Domains
In this chapter:
Understanding Forest and Domain Functionality
Creating the Forest and Domain Structure
Implementing DNS in the Active Directory Network Environment
Introduction
A Microsoft Active Directory network has both a physical and a logical structure. Forests and domains define the logical structure of the network, with domains organized into domain trees in which subdomains (called child domains) can be created under parent domains in a branching structure. Forests are collections of domain trees that have trust relationships with one another, but each domain tree has its own separate namespace.
In this chapter, you will learn all about the functions of forests and domains in the Windows Server 2003 Active Directory infrastructure, and we will walk you through the steps of creating a forest and domain structure for a network. You'll learn how to install domain controllers (DCs), create the forest root domain and a child domain, name and rename domains, and set the functional level of a forest and domain.
The Domain Name System (DNS) is an integral part of a Windows Server 2003 network, as it is used for providing name resolution within the network. We will discuss the role of DNS in the Active Directory environment, and you'll learn about the relationship of the DNS and Active Directory namespaces, how DNS zones are integrated into Active Directory, and how to configure DNS servers for use with Active Directory.
Understanding Forest and Domain Functionality
Active Directory is composed of a number of components, each associated with a different concept, or layer of functionality. You should understand each of these layers before making any changes to the network. The Active Directory itself is a distributed database, which means it can be spread across multiple computers within the forest. Among the major logical components are:
■ Forests
■ Trees
■ Domains
■ The domain namespace
Aspects of the physical structure include the following:
■ Sites
■ Servers
■ Roles
■ Links
Administrative boundaries, network and directory performance, security, resource management, and basic functionality are all dependent on the proper interaction of these elements.
Note that the differentiation between forests and trees is most obvious in the namespace. By its nature, a tree is one or more domains with a contiguous namespace. Each tree consists of one or more domains, while each forest consists of one or more trees. Because a forest can be composed of discrete multiple trees, a forest's namespace can be discontiguous. By discontiguous, we mean that the namespaces anchor to different forest-root DNS domains, such as cats.com and dogs.com. Both are top-level domains and are considered two trees in a forest when combined into a single directory.
The Role of the Forest
An Active Directory always begins with a forest root domain, which is automatically the first domain you install. This root domain becomes the foundation for additional directory components. Certain forest objects and services are only present at the root (for example, the Enterprise Administrators and Schema Administrators groups, and the Schema Master and Domain Naming Master roles). Depending on the type of failure, these cannot be easily recreated.
New Forestwide Features
Many of the new features offered by Windows Server 2003 are only available in a forest where you have raised the forest functional level to Windows Server 2003. For more information on functional levels and a breakdown of when these new features become available, see the section Forest and Domain Functional Levels later in the chapter.
Defunct Schema Objects
In Windows 2000 Active Directory, you could deactivate a schema class or attribute. Now, once your forest has been raised to the Windows Server 2003 functional level, you can not only deactivate them, you can even rename and redefine them. This feature protects against the possibility of one application irreversibly claiming another application's schema. It allows for the redefinition of classes and attributes without changing their unique identities. These items are called reused. If the class or attribute is left deactivated, it is called defunct.
Domain Rename
This is a complex and sweeping modification to the namespace of a domain. DNS names and NetBIOS names of any child, parent, or forest-root domain can now be changed. As far as Windows Server 2003 Active Directory is concerned, the identity of a domain rests in its domain Globally Unique Identifier (GUID) and its domain SID. Creating new DNS or NetBIOS names will leave those attributes unchanged. The domain rename function is not able to promote a domain to the forest root role. Even if you rename the forest root domain, its role will remain unchanged.
The renaming process will temporarily interrupt the functionality of the domain and its interaction with the forest until the DCs are rebooted. Client workstations will not function properly until they are each rebooted twice. Due to the complexity of the operation, the risks of such a sweeping change, and the unavoidable domain and workstation service interruptions, domain renaming should not be considered a routine operation.
Forest Restructuring
Existing domains can now be moved to other locations within the namespace. During this restructuring, you will manually break and reestablish the appropriate trust relationships among the domains. A requirement for namespace changes, or a need to decrease administrative overhead, typically drives forest restructuring. This reduction in overhead is accomplished by reducing replication traffic, reducing the amount of user and group administration required, and simplifying the administration of Group Policy. The smallest possible number of domains will provide the most efficient design. Minimizing the number of domains reduces administrative costs and increases the efficiency of your organization. Reasons to restructure include:
■ Decommissioning a domain that is no longer needed
■ Changing the internal namespace
■ Upgrading your network infrastructure to increase your bandwidth and replication capacity, which enables you to combine domains
Before you begin restructuring Windows Server 2003 domains within your forest, make sure that the forest is operating at the Windows Server 2003 functional level.
Universal Group Caching
Universal Group caching is a new feature of the Windows Server 2003 DC, which caches a user's complete Universal Group membership. The cache is populated at first logon, and subsequent logons use the cache, which is refreshed periodically.
Some of the benefits of Universal Group caching include faster logon times, and authenticating DCs no longer have to consult a GC to get Universal Group membership information. In addition, you can save the cost of upgrading a server to handle the extra load for hosting the GC. Finally, network bandwidth is minimized because a DC no longer has to handle replication for all of the objects located in the forest.
Application Partitions
Another DC enhancement allows for the creation of application-specific Active Directory partitions, also known as naming contexts. Active Directory stores the information in a hierarchy that can be populated with any type of object except for security principals such as users, groups, and computers. This dynamic body of data can be configured with a replication strategy involving DCs across the entire forest, not just a single domain. With application partitions, you can define as many or as few replicas as you want. Site topologies and replication schedules are observed, and the application objects are not replicated to the GC. Conveniently, application partitions can leverage DNS for location and naming. The Windows Server 2003 Web Edition cannot host application partitions because it does not support the DC role.
Install from Backups
The Install from backups feature provides the capability to install a DC using backup media rather than populating the Active Directory through a lengthy replication period. This is especially useful for domains that cross site boundaries using limited WAN connectivity. To do this, back up your directory store using Windows Backup, restore the files at the remote site's candidate DC, and run dcpromo using the source replication from files option. This also works for GC servers.
Active Directory Quotas
The new Active Directory quotas (not to be confused with disk quotas) are defined as the number of objects that can be owned by a given user in a given directory partition. Fortunately, Domain Admins and Enterprise Administrators are exempt from the quota, and quotas do not apply at all to the schema partition. Replicated operations do not count toward the quota; only the original operations do. Quota administration is performed through a set of command-line tools, including dsadd, dsmod, dsget, and dsquery. No graphical interface exists for quota administration.
Linked Value Replication
Linked value replication provides an answer to Windows 2000's limit of 5000 direct group members. Instead of treating a large group as a single replication unit, linked value replication allows a single member to be added or removed from the group during replication, thereby reducing network traffic. Without it, for example, any change to a 10,000-member distribution group will trigger a complete replication. With a group that large, this would be likely to occur many times in a typical day.
Improved Knowledge Consistency Checker
The Windows 2000 Knowledge Consistency Checker (KCC) would not operate properly within a forest containing more than 200 sites due to the complexity of the inter-site replication topology generator algorithms. The service had to be turned off in that case, and the replication topology had to be managed manually. The Windows Server 2003 KCC can automatically manage replication among up to 5000 sites due to new, more efficient algorithms. In addition, it uses greatly improved topology generation event logging to assist in troubleshooting.
Reduced NTDS.DIT Size
The Windows Server 2003 directory takes advantage of a new feature called Single Instance Store (SIS). This limits the duplication of redundant information. The new directory store is about 60 percent smaller than the one in Windows 2000.
Forest Trusts
In Windows NT 4.0, there were few options for the interoperability of business units; for example, either Calico.cats.com trusted Labs.dogs.com or they didn't. There were no other real options. In addition, if trust existed at all, it tended to be complete. When Windows 2000 introduced the Active Directory, many more options became available so that partnerships and integrated project teams could form on the network just as they did in real life. The problem with that approach was that there always had to be a dominant partner at the root; the playing field could never be completely even.
Understanding the politics of business, Microsoft stepped in with a solution called multiple-forest trusts in Windows Server 2003, which, when used, result in a configuration called federated forests.
Without the forest trust, Kerberos authentication between forests would not work. Remember that having two forests means two Active Directory databases and two completely distinct sets of directory objects, such as user accounts. Accessing resources across the federated forest boundary requires a more complex trust path than the one between domains within a single forest.
Routing Hints for Forest Trusts
Routing hints are a new feature of GCs. The problem with creating trusts between forests is that all traditional authentication channels stop at the forest boundary. DCs and traditional GCs are sometimes not enough. When these fail to produce a Service Principal Name (SPN) describing the location of the service being requested, routing hints from the Windows Server 2003 GC help guide the workstation toward the correct forest within the Federated Forest boundary. The GC server does this by checking the forest trust's Trusted Domain Object (TDO) for trusted name suffixes that match the one found in the destination SPN. The routing hint always goes back to the originating device so that it can resume its search for the SPN location in the other forest. This new functionality has some limitations. If the TDO contains outdated or incorrect information, the hint might be incorrect, since the GC does not actually check for the existence of the other forests.
Cross-Forest Authentication
Although some types of data access are supported, Windows Server 2003 does not support NetBIOS name resolution or Kerberos delegation across forests. NTLM authentication for down-level clients continues to be fully supported, however. A Universal Group in one forest might contain global groups from one or more additional forests across any available forest trusts.
Federated Forest, or cross-forest, authentication takes two forms. In the default forest-wide authentication, an "allow-all deny-some" approach is used. In other words, external users have the same level of access to local resources as the local users do. The other form of access control takes the security-conscious approach of "deny-all allow-some." This optional method is called selective authentication, and requires more administrative overhead by granting explicit control over the outside use of local resources. You must set a control access right called allowed to authenticate on an object for the users and groups that need access from another forest. If selective authentication is enabled, an Other Organization SID is associated with the user. This SID is then used to differentiate the external user from local users and determines if an attempt can be made to authenticate with the destination service.
For reliable authentication using Kerberos, system time must be accurate across every workstation and server. Servers are best synchronized with the same time source, while workstations are synchronizing time with the servers. In an upgraded Active Directory domain, this is usually not a problem.
New Domainwide Features
There are many new features in Windows Server 2003 related to domainwide features, the most significant of which we discuss next.
Domain Controller Rename
Not to be confused with domain renaming, domain controller rename is the ability to rename a DC without following the Windows 2000 procedure of demoting, renaming, and promoting again. In a large domain, this saves considerable time, especially over a slow WAN link, since the process of re-promoting the DC requires a replication of the Active Directory.
Universal Groups and Group Conversions
Universal Groups are able to contain members from any domain in any forest, and they replicate to the GC. They are particularly useful for administrative groups. One of the best uses for groups with universal scope is to consolidate groups above the domain level. To do this, add domain user accounts to groups with global scope and nest these Global Groups within Universal Groups. Using this strategy, changes to the Global Groups do not directly affect the membership of groups with universal scope. Taking it one step further, a Universal Group in one forest can contain Global Groups from one or more additional forests across any available forest trusts.
Here is an example. You have two domains in different forests with NetBIOS names of CATS and DOGS. Each domain contains a Global Group called Birdwatchers. To take advantage of this new capability, you add both of the Global Groups, CATS\Birdwatchers and DOGS\Birdwatchers, to a Universal Group you create called ALLBirdwatchers. The second step is to create an identical Universal Group in the other forest as well. The ALLBirdwatchers group can now be used to authenticate users anywhere in both enterprises. Any changes in the membership of the individual Birdwatchers groups will not cause replication of the ALLBirdwatchers group.
Table 12.1 Summary of Universal Group Capabilities by Domain Functional Level

Domain functional level | Universal Groups can contain | Universal Groups can be
Windows 2000 native | User and computer accounts, Global Groups, and Universal Groups from any domain | Added to other groups and assigned permissions in any domain
Windows Server 2003 interim | User and computer accounts, Global Groups, and Universal Groups from any domain | Added to other groups and assigned permissions in any domain
Security Group Nesting
Security Groups are used to grant access to resources. Using nesting, you can add a group to a group. This reduces replication traffic by nesting groups to consolidate member accounts. A Security Group can also be used as an e-mail distribution list, but a Distribution Group cannot be used in a discretionary access control list (DACL), which means it cannot be used to grant access to resources. Sending e-mail to a Security Group sends the message to all members of the group.
Distribution Group Nesting
Distribution Groups are collections of users, computers, contacts, and other groups. They are typically used only for e-mail applications. Security Groups, on the other hand, are used to grant access to resources and as e-mail distribution lists. Using nesting, you can add a group to a group. Group nesting consolidates member accounts and reduces replication traffic. Windows NT did not support Distribution Groups within the OS, but they are supported in all versions of Active Directory. Distribution Groups cannot be listed in DACLs in any version of Windows, which means they cannot be used to define permissions on resources and objects, although they can be used in DACLs at the application layer. Microsoft Exchange is a common example. If you do not need a group for security purposes, create a Distribution Group instead.
Number of Domain Objects Supported
In Windows 2000, group membership was stored in Active Directory as a single multivalued attribute. When the membership list changed, the entire group had to be replicated to all DCs. So that the store could be updated in a single transaction during the replication process, group memberships were limited to 5000 members. In Windows Server 2003, Linked Value Replication removes this limitation and minimizes network traffic by setting the granularity of group replication to a single principal value, such as a user or group.
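As an added example (not from the book), here is a small Python simulation of the two replication models described in this section and in the Linked Value Replication section earlier: it counts the member values shipped between two DCs after a change to a 10,000-member group, and goes one step beyond the text by showing what happens when two administrators change the same group on different DCs before replication runs. The stamps, DC layout and sample membership are constructed for the simulation and are not Active Directory's actual on-the-wire format.

```python
# Added example: simulation of how a group's member attribute replicates under the
# Windows 2000 whole-attribute model versus Windows Server 2003 linked value replication.
# Two DCs each hold a replica; replicate_from() returns how many member values were shipped.
import itertools

CLOCK = itertools.count(1)   # stand-in for the per-change update stamps DCs assign

class WholeAttributeReplica:
    """Windows 2000: 'member' is one multivalued attribute with a single stamp."""
    def __init__(self, members=()):
        self.members = set(members)
        self.stamp = 0                 # 0 = the starting, already replicated state

    def change(self, add=(), remove=()):
        self.members = (self.members | set(add)) - set(remove)
        self.stamp = next(CLOCK)       # any edit re-stamps the whole attribute

    def replicate_from(self, other):
        """The newer attribute wins and its complete value list crosses the wire."""
        if other.stamp > self.stamp:
            self.members, self.stamp = set(other.members), other.stamp
            return len(other.members)
        return 0

class LinkedValueReplica:
    """Windows Server 2003 LVR: every member value carries its own stamp and presence flag."""
    def __init__(self, members=()):
        self.values = {m: (0, True) for m in members}   # value -> (stamp, present)

    @property
    def members(self):
        return {m for m, (_, present) in self.values.items() if present}

    def change(self, add=(), remove=()):
        for m in add:
            self.values[m] = (next(CLOCK), True)
        for m in remove:
            self.values[m] = (next(CLOCK), False)       # removal is a stamped absent value

    def replicate_from(self, other):
        """Only values with a newer stamp than ours cross the wire."""
        shipped = 0
        for m, (stamp, present) in other.values.items():
            if stamp > self.values.get(m, (-1, False))[0]:
                self.values[m] = (stamp, present)
                shipped += 1
        return shipped

def concurrent_adds(replica_cls, size=10_000):
    """Two DCs start in sync with `size` members; an admin adds one member on each DC.
    Returns (values shipped, replicas converged, both new members survived)."""
    base = [f"user{i:05d}" for i in range(size)]   # constructed sample membership
    dc1, dc2 = replica_cls(base), replica_cls(base)
    dc1.change(add=["alice"])
    dc2.change(add=["bob"])
    shipped = dc2.replicate_from(dc1) + dc1.replicate_from(dc2)
    return shipped, dc1.members == dc2.members, {"alice", "bob"} <= dc1.members
```

With the whole-attribute model the two DCs converge only by shipping all 10,001 values and discarding one administrator's change; with LVR two values cross the wire and both changes survive.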