
MCSE Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure, part 6 (docx)


DOCUMENT INFORMATION

Basic information

Title: Working With Trusts And Organizational Units
School: Syngress Publishing
Field: Information Technology
Type: Document
Year published: 2003
City: Not specified
Format:
Pages: 90
Size: 1.17 MB


Content


possible for a user to have several layers of GPOs applied, it is very possible to have conflicting policies. This section discusses how to evaluate which policy will ultimately apply.

The first concept that needs to be covered is the order in which policies are applied.

The first rule to remember is that a policy always overrides a profile setting. This becomes a factor as users might be moved from one OU where they use roaming profiles that allow the user a lot of liberty to configure their own settings. As these users are moved to another OU where the users' privileges are more controlled, they might notice that the user profile settings are overwritten by the OU policies.

The next concept is the order of the application of policies. Group policy is applied in this order:

■ Local computer policy

■ Site policy

■ Domain policy

■ OU policies, starting with the parent OU and working inward toward the security object through the child OUs

As an administrator, you still have further control over the application of policies.

Windows Server 2003 Active Directory has two settings that help you with this control: No Override and Block Inheritance. The No Override setting is set to prevent a child OU policy setting from overwriting the policy setting of the parent. It does not apply if the policy setting is not set in the parent GPO.

The Block Inheritance setting allows you to control the inheritance of a policy setting in the parent by blocking it from being applied to the child. Even though you can set Block Inheritance, if the No Override option is set, No Override will be the setting that takes effect.
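To make these precedence rules concrete, here is an added Python model (not the book's code) that resolves the effective policy for the kind of OU hierarchies the Self Test in this chapter asks about, including Block Inheritance and No Override. Container names, GPO names and setting names are constructed, and the treatment of the local computer policy under Block Inheritance is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Gpo:
    name: str
    settings: Dict[str, str]     # setting name -> configured value
    no_override: bool = False    # the chapter's "No Override" flag


@dataclass
class Container:
    """Local computer, site, domain or OU together with the GPOs linked to it."""
    name: str
    gpos: List[Gpo] = field(default_factory=list)  # in the order they are applied
    block_inheritance: bool = False


def effective_policy(chain: List[Container]) -> Dict[str, str]:
    """Resolve the winning value of every setting for an object in chain[-1].

    `chain` runs outermost to innermost: local computer, site, domain,
    parent OU ... child OU.  The rules modelled are the chapter's:
      * GPOs are applied local -> site -> domain -> parent OU -> child OU,
        so when two GPOs set the same setting the one applied last wins;
      * Block Inheritance on a container discards what was inherited from
        the containers above it (the local computer policy is not inherited
        from a parent container and is kept: an assumption of this model);
      * a No Override GPO is applied even past Block Inheritance, and the
        outermost No Override value beats every lower-level one.
    """
    local_settings: Dict[str, str] = {}
    for gpo in chain[0].gpos:
        if not gpo.no_override:
            local_settings.update(gpo.settings)

    # Pass 1: ordinary GPOs, outermost container first; later writes win.
    result: Dict[str, str] = {}
    for index, container in enumerate(chain):
        if container.block_inheritance and index > 0:
            result = dict(local_settings)        # everything inherited is dropped
        for gpo in container.gpos:
            if not gpo.no_override:
                result.update(gpo.settings)

    # Pass 2: No Override GPOs; the first (outermost) value seen is kept.
    enforced: Dict[str, str] = {}
    for container in chain:
        for gpo in container.gpos:
            if gpo.no_override:
                for setting, value in gpo.settings.items():
                    enforced.setdefault(setting, value)
    result.update(enforced)
    return result


def question_8_sales() -> Dict[str, str]:
    """Self Test question 8: Corp > Marketing > Sales, one restriction per OU."""
    chain = [
        Container("Local computer"),
        Container("Default-First-Site-Name"),
        Container("mycompany.com"),
        Container("Corp", [Gpo("CorpGPO", {"registry_editing_tools": "disabled"})]),
        Container("Marketing", [Gpo("MktGPO", {"modify_network_connections": "disabled"})]),
        Container("Sales", [Gpo("SalesGPO", {"screensaver": "3D Pipes"})]),
    ]
    return effective_policy(chain)


def question_7_tech(block_on_tech: bool, network_no_override: bool = False,
                    desktop_no_override: bool = False) -> Dict[str, str]:
    """Self Test question 7 (Corp > Tech) with Block Inheritance / No Override toggled.

    A constructed Tech-level GPO that conflicts with Desktop on wallpaper is added
    so the parent/child conflict rule is visible too.
    """
    desktop = Gpo("Desktop", {"wallpaper": "corporate logo"}, no_override=desktop_no_override)
    network = Gpo("Network", {"registry_editing_tools": "disabled"}, no_override=network_no_override)
    tech_desktop = Gpo("TechDesktop", {"wallpaper": "user choice"})
    chain = [
        Container("Local computer"),
        Container("Default-First-Site-Name"),
        Container("mycompany.com"),
        Container("Corp", [desktop, network]),
        Container("Tech", [tech_desktop], block_inheritance=block_on_tech),
    ]
    return effective_policy(chain)


if __name__ == "__main__":
    print("Q8 Sales users:", question_8_sales())
    print("Q7 Tech, plain:", question_7_tech(block_on_tech=False))
    print("Q7 Tech, Block Inheritance:", question_7_tech(block_on_tech=True))
    print("Q7 Tech, Block Inheritance vs No Override on Network:",
          question_7_tech(block_on_tech=True, network_no_override=True))
    print("Q7 Tech, No Override on Desktop beats the child:",
          question_7_tech(block_on_tech=True, desktop_no_override=True))
```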

TEST DAY TIP

You might encounter questions on the exam that require you to evaluate a number of different GPOs applied at site, domain, and OU level and determine the effective policy for a particular user, computer, or OU. It is helpful, in these situations, when there are multiple nested OUs, to draw a diagram of the OU structure to help you see the relationships between parent and child containers.

Summary of Exam Objectives

In this chapter, we covered several of the Microsoft exam objectives. The first of these objectives is to establish trust relationships. Trust relationships are the relationships established between domains, trees, and forests so users in one domain can access the resources in another domain. This could be accomplished by creating new user accounts for the people who need to access the resources, but doing so would add to the administrative overhead of the domain. Microsoft developed a better solution: trust relationships.

Trusts come in many flavors to meet the needs of the situation where users in one domain need access to the resources in another domain. First, there are the default trusts created between parent and child domains. These trusts are automatically created to simplify usage of resources in a tree. The network administrator can create additional types of trusts such as external, shortcut, realm, and forest trusts. External trusts link two external domains. Shortcut trusts simplify the authentication paths needed to authenticate users. Realm trusts are created to connect a non-Windows network to a Windows Server 2003 domain. Forest trusts link forests together in the enterprise.

As you create these additional trust types, you can determine whether the trust will work in one direction only, or if it can work in both directions. When the trust works in both directions, it is called a two-way or bidirectional trust, and users in both domains have access to resources in both domains.

Another issue is whether the trust is transitive. A transitive trust "passes" through one trusted domain to another. A transitive trust implies a trust relationship when more than two domains are involved. If Domain A trusts Domain B, and Domain B trusts Domain C, then Domain A trusts Domain C. This is sometimes not the effect you want when creating trusts. The administrator has control over the transitive nature of the trust. As a further protection, SID filtering helps to prevent against elevation of privilege attacks that could potentially be launched by rogue users who have administrative access in the trusted domain.
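As an added illustration (not the book's code) of what SID filtering does, the following Python models a token arriving over an external trust: every SID not issued by the trusted domain, such as a SIDHistory value naming a group of the trusting domain, is discarded before authorization. The domain SIDs and RIDs are constructed sample values; passing through only Everyone and Authenticated Users, and ignoring the further special cases of real SID filtering, is a simplification.

```python
import re
from typing import List, Tuple

SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Well-known SIDs that belong to no domain; passed through in this model
# (assumption: real SID filtering has further special cases).
NON_DOMAIN_SIDS = {"S-1-1-0", "S-1-5-11"}   # Everyone, Authenticated Users

# Constructed sample domain SIDs (not real values).
TRUSTING_DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # our domain
TRUSTED_DOMAIN_SID = "S-1-5-21-4444444444-5555555555-6666666666"   # partner domain
DOMAIN_ADMINS_RID = 512   # well-known relative ID of Domain Admins


def domain_part(sid: str) -> str:
    """Issuer (domain) portion of a SID: everything before the final RID."""
    if not SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    return sid.rsplit("-", 1)[0]


def sid_filter(token_sids: List[str], trusted_domain_sid: str) -> Tuple[List[str], List[str]]:
    """Quarantine-style SID filtering on a trust.

    Keeps SIDs issued by the trusted domain (plus non-domain well-known
    SIDs) and removes every other SID.  A SIDHistory entry that names a
    group of the trusting domain is therefore dropped, which is the
    elevation-of-privilege case the chapter describes.
    """
    kept: List[str] = []
    removed: List[str] = []
    for sid in token_sids:
        if sid in NON_DOMAIN_SIDS or domain_part(sid) == trusted_domain_sid:
            kept.append(sid)
        else:
            removed.append(sid)
    return kept, removed


def partner_token() -> List[str]:
    """Constructed token for a partner-domain user crossing the trust."""
    return [
        f"{TRUSTED_DOMAIN_SID}-1105",                  # the user's own SID
        f"{TRUSTED_DOMAIN_SID}-1201",                  # a partner-domain project group
        f"{TRUSTING_DOMAIN_SID}-{DOMAIN_ADMINS_RID}",  # SIDHistory value naming OUR Domain Admins
        "S-1-1-0",                                     # Everyone
    ]


def grants_domain_admin(sids: List[str], domain_sid: str) -> bool:
    """True if a token holding `sids` would be treated as a Domain Admin of `domain_sid`."""
    return f"{domain_sid}-{DOMAIN_ADMINS_RID}" in sids


if __name__ == "__main__":
    kept, removed = sid_filter(partner_token(), TRUSTED_DOMAIN_SID)
    print("kept:   ", kept)
    print("removed:", removed)
    print("Domain Admin before filtering:", grants_domain_admin(partner_token(), TRUSTING_DOMAIN_SID))
    print("Domain Admin after filtering: ", grants_domain_admin(kept, TRUSTING_DOMAIN_SID))
```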

The second part of this chapter covered working with organizational units (OUs). An OU is a container used to organize the resources and users of the domain. OUs can contain computers, users, groups of users, printers, shared directories, and other OUs. As the corporate infrastructure shifts, it is easy to move objects inside the Active Directory structure from one OU to another.

One of the major reasons for creating an OU is to apply policy settings that affect the Windows environment, security, and applications to the members of the OU. This is accomplished using Group Policy Objects (GPOs). Another major reason for creating OUs is to be able to delegate control to a local manager or supervisor. This empowers local supervisors with the ability to manage the users and computers within their realm of control.

Trusts and OUs are both important components of a Windows Server 2003 network, and thus it is important to understand both, not only to master the objectives of Exam 70-294, but to perform the duties of a network administrator.

Exam Objectives Fast Track

Working with Active Directory Trusts

Trusts allow users in one domain to access resources in another domain without having to create additional accounts in the domain with the resources.

Whenever a child domain is created, two-way transitive trusts are automatically created between the parent and the child.

Realm trusts are created to join a Windows Server 2003 domain to a non-Windows Kerberos realm.

Forest trusts are created between the root domains of two forests to allow users in one forest to access resources in the other forest.

SID filtering is a security device that uses the domain SID to verify each security principal.

Working with Organizational Units

OUs are Active Directory containers that can have users, groups, printers, shared folders, computers, and other OUs as members.

OUs are created to help organize objects in the Active Directory; they are not security principals.

The smallest scope to which a GPO can be assigned is an OU.

Control of the OU can be delegated to other users to simplify the task of administration.

Planning an OU Structure and Strategy for Your Organization

Create separate domains when you need decentralization of administrative functions and for GPOs that use different Password and Account Lockout Policies.

You must delegate control over an OU for others to be able to manage the OU.

GPOs are applied first to the local computer, then to the site, then to the domain, then to parent OUs, and finally to child OUs.

Exam Objectives

Frequently Asked Questions

The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.

Q: What are the differences between external, realm, and shortcut trusts?

A: An external trust is created to establish a relationship with a domain outside your tree or forest. A realm trust is created to establish a relationship with a non-Microsoft network using Kerberos authentication. A shortcut trust is used to optimize the authentication process.

Q: What type of trust is needed to have users in a non-Windows Kerberos realm use resources in a Windows 2003 domain?

A: A realm trust will allow users in the non-Windows Kerberos realm to have access to the resources in a Windows 2003 domain.

Q: What type of trust needs to be created between the root domain and a domain that is several layers deep inside the same tree?

A: None. Transitive two-way trusts are automatically created between the layers of the tree structure.

Q: What is the difference between implied, implicit, and explicit trusts?

A: An implicit trust is one that is automatically created by the system. An example is the trusts created between parent and child domains. An explicit trust is one that is manually created. An example is a forest trust between two trees. An implied trust is one that is implied because of the transitive nature of trusts. An example is the trust between two child domains that are in different trees, and a tree-root trust was created between the roots of the trees.

Q: What exactly does SID filtering accomplish?

A: SID filtering is used to secure a trust relationship where the possibility exists that someone in the trusted domain might try to elevate his or her own or someone else's privileges.

Q: What is the difference between an OU, site, and domain?

A: All three are containers to which a GPO can be assigned. The domain is the basic building block of the organization. It can contain the other container types, site and OUs. The site is a container that will represent the physical layout of the organization. An OU is a logical container that can be used to implement security policies, run scripts, deploy applications, and delegate authority for granular administrative control.

Q: What is the difference between an OU and a security principal?

A: A security principal is a user, group, computer, or service that holds an account and can be given access to resources. An OU is a container that is used to organize objects in the Active Directory. OUs are also boundary units that are used to apply the security settings from a GPO.

Q: How and why is control of an OU delegated?

A: Control over a GPO is delegated to put the responsibility for the OU in the appropriate hands. Control is often delegated to the manager or supervisor responsible for the users and computers in the OU. You delegate control by right-clicking on the OU in Active Directory Users and Computers and selecting Delegate Control from the menu. This launches the Delegation of Control wizard. You can also set the user account that has management responsibilities from the Managed By tab in the OU's properties.

Q: How are GPOs applied?

A: GPOs applied to user configuration are applied as part of the logon process, whereas GPOs applied to computer configuration are applied as part of the boot process. First, any GPOs linked to the local computer are applied, followed by the site, then the domain, and finally the OUs. GPOs linked to the parent OU are applied first, followed by the GPOs linked to the child. If a conflict exists in the settings of the various GPOs, the one applied last takes precedence.

Self Test

A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Working with Active Directory Trusts

1. You are administering two domains, mycompany.com and denver.hr.mycompany.com. Users in denver.hr.mycompany.com need to access resources in mycompany.com. You want to optimize the trust relationships. What type of trust should you create to allow this?

A. Forest trust

B. Shortcut trust

C. External trust

D. Tree Root trust

3. Your boss just informed you that your company will be participating in a joint venture with a partner company. He is very concerned about the fact that a trust relationship needs to be established with the partner company. He fears that an administrator in the other company might be able to masquerade as one of your administrators and grant himself privileges to resources. You assure him that your network and its resources can be protected from an elevated privilege attack. Along with the other security precautions that you will take, what will you tell your boss that will help him rest easy about the upcoming scenario?

A. The permissions set on the Security Accounts Manager (SAM) database will prevent the other administrators from being able to make changes.

B. The SIDHistory attribute tracks all access from other domains. Their activities can be tracked in the System Monitor.

C. The SIDHistory attribute from the partner's domain attaches the domain SID for identification. If an account from the other domain tries to elevate its own or another user's privilege, the SID filtering removes the SID in question.

D. SID filtering tracks the domain of every user who accesses resources. The SIDHistory records this information and reports the attempts to the Security log in Event Viewer.

4. You recently completed a merger with yourcompany.com. Corporate decisions have been made to keep the integrity of both of the original companies; however, management has decided to centralize the IT departments. You are now responsible for ensuring that users in both companies have access to the resources in the other company. What type of trust should you create to solve the requirements?

A. Forest trust

B. Shortcut trust

C. External trust

D. Tree Root trust

5. You recently created a trust relationship with a partner company for collaboration on a joint project. This partner company has many such joint projects and has many trust relationships with other companies. You created a share containing all the files needed for the joint project. You worked with the partner company's administrator and added your project members to one of his existing universal groups that contains all of the members in his domain who need access to the project files. You added them to the permissions on the folder and the permissions on the share. You granted the universal group Read access to the share permission and Read & Execute access to the folder via NTFS permissions. SID Filtering has been enabled. The users in the universal group are now complaining that they cannot gain access to the project's files. What do you need to do to fix the problem?

A. You need to upgrade the level of permissions on the folder to Modify so that the universal group can have access.

B. You need to upgrade the level of permissions to Change on the share so that the universal group can have access.

C. You need to break the trust relationship and recreate it; it has a corrupted file.

D. You need to have the domain administrator from the partner domain verify that only members from his domain are in the universal group.

Working with Organizational Units

6. The development team of your company has started a new research project. They want to ensure that only the members of their project team are allowed to see the new directories that they create. You created a new OU that contains the user accounts of the development team, the computers they will be using, a shared folder where they are going to place their research documents, and several printers that are to be isolated from the rest of the company. They are concerned about who will have access to the new directories. How will you protect the directories from unauthorized access?

A. Create a GPO that will limit access to the directories. Apply the GPO to the new OU.

B. Create a GPO that will limit access to the directories. Apply the GPO to the domain.

C. Create a security group that contains the members of the research group. Remove the Everyone group from the ACL. Add the new group to the ACL and grant it the appropriate permissions.

D. Do nothing. Since the directories and files are part of an OU, no one outside the OU can access them.

7. You created three OUs for your domain: one called Corp, and two child OUs called Sales and Tech. You create two GPOs, one called Desktop, the other called Network. The Desktop GPO specifies the desktop settings for all users. The Network GPO specifies the network and Registry policies. The Registry policy prohibits users from being able to edit the Registry. You first apply the Desktop GPO to the Corp OU and then apply the Network GPO to the Corp OU. You want the members of the Tech OU to be able to modify Registry settings. What should you do?

A. Nothing; because the GPOs were not applied to the Tech OU, they will not affect the users.

B. Nothing; because you applied the Desktop GPO first, the Desktop GPO will not take effect.

C. You should set No Override on the Tech OU so that its settings are not overridden.

D. You should set Block Inheritance on the Tech OU so that the settings from the parent OU are not applied to the child OU.

8. Your Active Directory domain has one site and five OUs. Marketing and Technical are child OUs to the Corp OU. The Marketing OU is a parent to the Sales and PR OUs. You are using GPOs to configure environment and security policies on the network. The following restrictions are in place:

Corp OU: Disable Registry editing tools for all users

Marketing OU: Disable modification of network connections for all users

Technical OU: Corporate logo as desktop wallpaper for all users

Sales OU: 3D Pipes screensaver for all users

PR OU: High Contrast #1 color scheme for all users

Which restriction or restrictions will be in place for users in the Sales OU? (Choose all that apply.)

A. Disable Registry editing tools for all users

B. Disable modification of network connections for all users

C. Corporate logo as desktop wallpaper for all users

D. 3D Pipes screensaver for all users

E. High Contrast #1 color scheme for all users

9. You have an OU called Support. You have a GPO called RegEdit. The only setting in the RegEdit GPO is that the use of the Registry editing tools has been disabled in the User Configuration node. For performance reasons, the decision has been made to limit the numbers of GPOs that are processed at logon. The decision has been made to remove the requirement to disable the use of the Registry editing tools. What should your course of action be to implement the new decisions?

A. Remove the RegEdit GPO from the Support OU.

B. Create a new GPO that enables the use of the Registry editing tools. Apply the new GPO to the Support OU.

C. Edit the Registry on the computers used by the Support OU that will allow for use of the Registry editing tools.

D. Configure a local GPO to allow the use of the Registry editing tools. Set the No Override option to this policy.

10. You created three OUs for your domain: one called Corp, and two child OUs called Sales and Tech. You create two GPOs, one called Desktop and the other called Network. The Desktop GPO specifies the desktop settings for all users. The Network GPO specifies the network and Registry policies. The Desktop policy prohibits users from being able to change their wallpaper. You first apply the Desktop GPO to the Corp OU, and then apply the Network GPO to the Corp OU. You delegated control of the OU to the senior member of the Tech group. Later, the Tech OU manager modifies the Desktop GPO to allow his users to change their wallpaper. What should you do?

A. Nothing, since the GPOs were not applied to the Tech OU, they will not affect the users.

B. You should set No Override on the Tech OU so that its settings are not overridden.

C. You should set No Override on the Corp OU so that its settings are not overridden.

D. You should set Block Inheritance on the Tech OU so that the settings from the parent OU are not applied to the child OU.

11. Your network consists of a single domain and five OUs. The parent OU is named Corp. Corp has two child OUs, First Floor and Second Floor. The First Floor OU has one child OU, Sales. The Second Floor OU has one child OU, Administration. All of the company's DCs are members of the Corp OU. The First Floor and Second Floor OUs contain the resources that belong to their respective floors. The Sales OU has nonadministrative computers, users, and groups. The Administration OU has the administration computers, users, and groups. You need to design a domainwide security policy that will accomplish the following goals:

■ All users need to have the same password and lockout policy

■ Audit policies are required for only the DCs

■ The nonadministrative computers do not need the same level of security applied to them as is required for the administrative computers

■ The number of group policies to be processed at logon needs to be minimized

You take the following actions:

■ Create a single GPO

■ Import a security template for the DCs

■ Link the GPO to the domain

Which of the desired results are achieved by your actions?

A. All users have the same password and lockout policy.

B. Audit policies implemented only on the DCs.

C. The nonadministrative computers have the same level of security applied to them as is required for the administrative computers.

D. The number of group policies to be processed at logon is minimized.

Planning an OU Structure and Strategy for Your Organization

12. Your Active Directory domain consists of one site. You have three OUs. The Corp OU is a parent OU to the Sales OU and Training OU. You have specified restrictions in various group policies and included them in GPOs. On the Corp OU, there is a linked GPO, which prevents users from using Registry editing tools. The Sales OU has a linked GPO that specifies a company logo as the desktop for all users. The Training OU has a linked GPO that disables users from modifying network connections. All other group policy settings are set to defaults. What restrictions (if any) will users in the Sales OU be under when they log on to the network? (Choose all that apply.)

A. They cannot edit the Registry.

B. They have the company logo as their desktops.

C. They cannot modify network connections.

D. They will have no restrictions.

13. You have been tasked to ensure that network security policies are in place, and standards are implemented for users' configurations. The network is a single Active Directory domain network. There are five OUs: Corp, Sales, Marketing, Development, and Technical. The Corp OU is a parent OU to all other OUs. You are given the following list of objectives to meet:

■ All users must be prohibited from editing their Registries

■ All users must have a password of at least eight characters

■ Users in the Sales and Marketing OUs must not be able to store more than 50MB of data on any server

■ Users in the Development OU must change their passwords every 30 days

■ All policy settings should only affect their intended targets

Which of the following solutions will accomplish all of your objectives?

A. Create a GPO called Policy, with settings prohibiting users from using Regedit, and requiring passwords of at least eight characters. Link Policy to the Corp OU. Create a GPO called Data, with disk quotas set at 50MB. Link Data to the Sales OU and to the Marketing OU. Create a GPO called Password, making users change their passwords every 30 days. Link Password to the Development OU.

B. Create a GPO called Policy, with settings prohibiting users from using Regedit, and requiring passwords of at least eight characters. Link Policy to the domain. Create a GPO called Data, with disk quotas set at 50MB. Link Data to the Corp OU. Create a GPO called Password, making users change their passwords every 30 days. Link Password to the Development OU.

C. Create a GPO called Policy, with settings prohibiting users from using Regedit, and requiring passwords of at least eight characters. Link Policy to the Corp OU. Create a GPO called Data, with disk quotas set at 50MB. Link Data to the Corp OU. Create a GPO called Password, making users change their passwords every 30 days. Link Password to the Corp OU.

D. Create a GPO called Policy. In Policy, define settings prohibiting users from using Regedit, requiring passwords of at least eight characters, setting disk quotas at 50MB, and a maximum password age of 30 days. Link Policy to the Corp OU.

14. Your Active Directory domain has two OUs. The Corp OU is a parent OU to the Technical OU. You have implemented a GPO linked to the Corp OU. You do not want those settings affecting the users in the Technical OU. How can you accomplish this with minimal effort?

A. On the GPO linked to the Technical OU, select Block Policy inheritance.

B. On the GPO linked to the Corp OU, select Block Policy inheritance.

C. On the GPO linked to the Technical OU, negate any options set in the Corp OU by choosing Disabled for those options.

D. On the GPO linked to the Technical OU, select No Override.

15. John Smith is a junior network administrator for your company. His user account is JSmith. You want him to take charge of linking all network group policies to the appropriate OUs. Because of his experience level, you do not want him to have additional controls over the OUs. What is the easiest way to accomplish this?

A. Use the Delegation of Control Wizard. Select JSmith, and check Create, delete, and manage groups.

B. Use the Delegation of Control Wizard. Select JSmith, and check Manage Group Policy links.

C. Use the Delegation of Control Wizard. Select JSmith, and check Create and Modify Group Policy.

D. Use the Delegation of Control Wizard. Select JSmith, and check Apply Group Policy.

Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

Chapter 6 MCSA/MCSE 70-294

Working with Active Directory Sites

Exam Objectives in this Chapter:

1.4 Implement an Active Directory site topology

2.2 Manage an Active Directory site

2.2.3 Configure site boundaries

1.4.1 Configure site links

2.2.2 Configure site link costs

2.2.1 Configure replication schedules

2.5.1 Diagnose and resolve issues related to Active Directory replication

2.3 Monitor Active Directory replication failures. Tools might include Replication Monitor, Event Viewer, and support tools

2.3.1 Monitor Active Directory replication

2.3.2 Monitor File Replication service (FRS) replication

In the previous chapter, we saw the logical structure of the network as defined by forests and domains. Sites and the subnets, of which sites are comprised, define the physical structure of an Active Directory network. Sites are important in an enterprise-level multiple location network for creating a topology that optimizes the process of replicating Active Directory information between domain controllers (DCs). Sites are used for replication and for optimizing the authentication process by reducing authentication traffic across slow, high-cost WAN links. Site and subnet information is also used by Active Directory-enabled services to help clients find the nearest service providers.

In this chapter, we discuss the role of sites in the Active Directory infrastructure, and how replication, authentication, and distribution of services information work within and across sites. We explain the relationship of sites with domains and subnets, and how to create sites and site links.

You'll also learn about site replication and how to plan, create, and manage a replication topology. We'll walk you through the steps of configuring replication between sites, and discuss how to troubleshoot replication failures.

Understanding the Role of Sites

In today's distributed network environment, the communication must always be rapid and reliable. Geographical and other restrictions resulted in the need to create smaller networks, known as subnets. These subnets provide rapid and reliable communication between locations, which can also be attained in larger networks by using Microsoft Windows Server 2003 Active Directory Sites. They ensure rapid and reliable communication by using the methods offered by Microsoft Windows Server 2003 Active Directory Sites to regulate inter-subnet traffic.

A site defines the network structure of a Windows Server 2003 Active Directory. A site consists of multiple Internet Protocol (IP) subnets linked together by rapid and reliable connections. The primary role of sites is to increase the performance of a network by economic and rapid transmission of data. The other roles of sites are replication and authentication. The Active Directory physical structure manages when and how the authentication and replication must take place. The Active Directory physical structure allows the management of Active Directory replication scheduling between sites. The performance of a network is also based on the location of objects and logon authentication as users log on to the network.

TEST DAY TIP

As a network administrator, you must be familiar with the various roles and services offered by the Active Directory Sites. You needn't worry about memorizing every detail for this particular exam. What you do have to know are the basics of how each role and services of Active Directory Sites works, and how Active Directory Sites can be used efficiently in terms of data transmission as part of a large network.

Replication

Replication is defined as the practice of transferring data from a data store present on a source computer to an identical data store present on a destination computer to synchronize the data. In a network, the directory data must live in one or more places on the network to be equally available to all users. The Active Directory directory service manages a replica of directory data on one or more DCs, ensuring the availability of directory data to all users. The Active Directory works on the concept of sites to perform replication efficiently, and uses the Knowledge Consistency Checker (KCC) to choose the best replication topology for the network automatically.

NOTE

The KCC is a process that runs on a DC, and identifies the most efficient replication topology for the network automatically, based on the data provided by the network in Active Directory Sites and Services.

Authentication

Authentication is a process by which a system validates users, using the logon information provided. The authentication process includes the confirmation of the source and integrity of information, such as verifying the identity of a user or computer. The information such as user's name and password are verified with the data available in the system. If the system finds a match, access is granted and an access token is generated that is used to subsequently determine the user's level of access to objects according to the DACLs on those objects. The granting of the level of access based on permissions is called authorization.

An important characteristic of authentication in the Windows Server 2003 family is its support for single sign-on. The single sign-on feature allows a user to log on to the network once, using a single password, and authenticate to any computer in a network.

The single sign-on feature offers the following security advantages:

■ For a user, the use of a single password reduces ambiguity and increases the work efficiency of the system

■ For administrators, the level of administrative support needed for authenticating the domain users is reduced, since the administrator needs only to maintain one account per user

EXAM WARNING

Make sure you are familiar with the advantages of the single sign-on feature and


Windows Server 2003 uses two methods to carry out authentication:

■ Interactive logon authentication

■ Network authentication

TEST DAY TIP

As a network administrator, you must be familiar with the various authentication mechanisms offered by Active Directory Sites. You needn't worry about memorizing every detail for this particular exam. What you do have to know are the basics of how each of the authentication mechanisms of the Active Directory Sites works, and how Active Directory Sites can be used efficiently in terms of user authentication in a network.

Interactive Logon Authentication

Interactive logon authentication verifies the user’s logon information against either a domain account or a local computer account. The authentication process depends on the type of user account, such as a domain account or a local computer account:

■ With a domain account, a user logs on to the network by providing logon information such as a password or smart card, using single sign-on data stored in the Active Directory directory service. When a user logs on to the network with a domain account, the user can access resources both in the domain to which he or she logs on and in any other trusted domains.

■ With a local computer account, a user logs on to a local computer by providing logon information stored in the Security Accounts Manager (SAM) on the local machine.

NOTE

SAM is a local security account database for local computer accounts. Local user accounts are usually stored on workstations or servers, and can only be used to access the local computer, not resources on any other computer on the network.

Network Authentication

Network authentication verifies the user’s identification to a network service to which the user tries to gain access. To offer this type of authentication, the security system of Windows Server 2003 supports the following authentication mechanisms:

■ Kerberos V5

■ Secure Socket Layer/Transport Layer Security (SSL/TLS)

When a domain account is used, network authentication occurs transparently and in the background via Kerberos or TLS/SSL. Users who use a local computer account must supply user credentials such as a username and password when trying to gain access to a network resource.

EXAM WARNING

Make sure you know the differences between interactive logon authentication and network authentication in Windows Server 2003.

Distribution of Services Information

Active Directory distributes a wide range of services information. The DCs are also used to distribute directory information and generate responses for each service request. Active Directory distributes service-centric information such as configurations and bindings. The distribution of this type of information makes the services more accessible to clients and easier for administrators to manage.

The distribution of services information in Active Directory enables clients and applications to get information from the directory. This information is then used to access the services offered by the servers present on the network. Figure 6.1 shows how the services information is accessed between the client, server, and a DC in a network.

Figure 6.1 Services Information Shared between a Client, Server, and a Domain Controller

[Figure 6.1 is a diagram of a Client, a Server, and a Domain Controller with the three numbered exchanges listed below; the image is not reproduced here.]

In Figure 6.1, services information is shared between a client, server, and a DC in three steps:

1 The client makes a request.

2 The client receives the services information from a DC as a response.

3 The client then uses the services information to reach the server on the network.

TEST DAY TIP

Make sure you know the wide range of services information offered by Active Directory Sites. Be aware of how the services information is accessed between the client, server, and a DC on a network.

Certain sets of services are distributed by the directories by default, including file and print services, storage management, Active Directory, and management services. These sets of services can be modified in the directories to meet the needs of your network environment. The distribution of services to the directory provides the following benefits:

■ Resource availability This Active Directory model is a service-centric model that enables the client to access the distributed network services. Since the services information is distributed to the directory, clients needn’t store the resource’s location.

■ Administration Distributing services in Active Directory enables the administrator to resolve configuration-related problems in a network centrally, instead of having to visit individual computers. This feature ensures that all the services employ the latest configuration information.

■ Publishing services This process makes data or operations available to the network users. Publishing a service in Active Directory enables users and administrators to move from a machine-centric view of the network to a service-centric view.

EXAM WARNING

Make sure you are familiar with the benefits of distribution of services to the directory, and how it works to provide them for you.

Relationship of Sites to Other Active Directory Components

A site is a collection of inter-connected computers that operates over IP subnets. A site is also a place on a network having high bandwidth connectivity. The relationship of sites to Active Directory components is based on the following network operations performed by sites:

■ Control of replication occurrences

■ Changes made within the sites

■ How efficiently DCs within a domain can communicate

Relationship of Sites and Domains

A site can contain one or more domains, and a domain can be part of one or more sites. Sites and domains do not have to maintain the same namespace. Sites and domains are inter-related to each other because sites control replication of the domain information.

The Relationship of Sites and Domains

Domains are also defined as units of replication. Through the use of SRV records, the DNS server provides information regarding the location of domain controllers in various sites. A Domain Name System (DNS) server recognizes each domain that is present in a particular site. If your network requires more than one domain, you can easily create multiple domains. Figure 6.2 illustrates the relationship between sites and domains in a network, and helps us to understand that a site can have one or more domains, and a domain can have one or more sites.

In Figure 6.2, we see how multiple sites reside in a single domain, and how a single site can consist of multiple domains. A domain provides the following benefits:

■ Organizing domain objects

■ Publishing of resources and information about domain objects

■ Applying Group Policy Objects (GPOs) to the domain to perform resource and security management

■ Delegating authority eliminates the need for administrators with broad administrative authority

■ Security policies and settings such as user rights and password policies do not change from one domain to another

■ Each domain stores only the information about the objects located in
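The SRV records mentioned above are what a client’s DC locator reads to find a domain controller in its own site, which is why the subnet-to-site mapping later in this chapter matters for where authentication traffic goes. The following PowerShell is an added example, not code from the book: it queries the site-specific and domain-wide `_ldap`/`_kerberos` SRV records and then asks the locator itself via `nltest.exe`. It assumes a Windows host with the DnsClient module (`Resolve-DnsName`) and `nltest.exe`; `example.com` and `Chicago` are placeholder names.

```powershell
# Added example (not from the book): look up the SRV records a client uses to
# find domain controllers for its site, then confirm with the DC locator.
# Assumes Resolve-DnsName (DnsClient module) and nltest.exe are available.
# 'example.com' and 'Chicago' are placeholders for a real domain and site.

function Get-SiteServiceRecords {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Site,                                          # omit for the domain-wide set
        [ValidateSet('ldap', 'kerberos')][string]$Service = 'ldap'
    )
    # Site-specific records live under _sites.<domain>; the domain-wide set does not.
    $name = if ($Site) { "_$Service._tcp.$Site._sites.dc._msdcs.$Domain" }
            else       { "_$Service._tcp.dc._msdcs.$Domain" }
    Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' } |
        # Lower priority is preferred; among equal priorities, higher weight is preferred.
        Sort-Object Priority, @{ Expression = 'Weight'; Descending = $true } |
        Select-Object @{ Name = 'Record'; Expression = { $name } }, NameTarget, Port, Priority, Weight
}

function Get-SiteDomainController {
    # Ask the locator for a DC in the given site; /force bypasses the cached answer.
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$Site)
    $out = & nltest.exe "/dsgetdc:$Domain" "/site:$Site" /force 2>&1
    if ($LASTEXITCODE -ne 0) { throw "nltest failed: $($out -join "`n")" }
    return $out
}

# Usage (placeholder names):
Get-SiteServiceRecords -Domain 'example.com' -Site 'Chicago' -Service kerberos | Format-Table
Get-SiteServiceRecords -Domain 'example.com' | Format-Table
Get-SiteDomainController -Domain 'example.com' -Site 'Chicago'
```

If the site-specific query returns nothing while the domain-wide query succeeds, no DC is registering itself for that site, and clients placed in it will authenticate against DCs elsewhere on the network.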


Physical vs. Logical Structure of the Network

The sites present in an Active Directory denote the physical structure of a network. The physical structure information is available as site and site link objects in the directory. This information is used to build the most efficient replication topology. Generally, Active Directory Sites and Services is used to define sites and site links.

Sites represent the physical structure of the network, and domains represent the logical structure of the organization. In Active Directory, sites map the physical structure of a network, while domains map the logical or administrative structure of an organization. This partitioning of physical and logical structure offers the following advantages:

■ You can develop and manage the logical and physical structures of your network independently.

■ You do not have to base domain namespaces on your physical network.

■ You can deploy DCs for multiple domains within the same site.

■ You can deploy DCs for the same domain in multiple sites.

TEST DAY TIP

Make sure you know and understand the differences between the physical and the logical structure of the network. Be aware of how each is used to build the most efficient replication topology.

The Relationship of Sites and Subnets

In Active Directory, a site consists of a set of computers that are inter-connected in a local area network (LAN). Computers within the same site typically exist in the same building, or on the same campus network. A single site consists of one or more IP subnets. These subnets are sections of an IP network, with each subnet having a unique network address.

A subnet address groups a cluster of neighboring computers in much the same way as postal codes group neighboring postal addresses. Figure 6.3 shows one or more clients residing within a subnet that defines an Active Directory site.

The subnets created through Active Directory Sites and Services are sections of an IP network, with each subnet having a unique network address. In Figure 6.3, 172.16.224.0/19 is the unique network address of the Active Directory site.

Sites and subnets are represented in Active Directory by site and subnet objects, which we create through the Active Directory Sites and Services administrative tool. Each site object is associated with one or more subnet objects.

Creating Sites and Site Links

In the previous sections, we discussed the concepts of sites and subnets. To review, sites and subnets define the physical structure of an Active Directory network. A site is a collection of inter-connected computers that operate over subnets, sharing a network with high bandwidth connections. The high bandwidth connection is represented by the difference between the highest and lowest frequencies in a given range. Site links represent physical connections between sites, which enable communication between sites.

NOTE

The Windows Server 2003 Active Directory consists of the default site link, named DEFAULTIPSITELINK, which is created automatically when the first domain in the network is created. This link is assigned to the Default-First-Site-Name site. These are the names assigned automatically when you create the first site. You should change the default names to something more descriptive.

High-performance sites are developed based on the proper planning of the physical design of your network. Site planning enables you to determine exactly which sites you should create and how they can be linked using site links and site link bridges. Site information is stored in the configuration partition, which enables you to create sites and related information at any point in your deployment of Active Directory.

Site planning enables you to publish site information in the directory for use by applications and services. Generally, Active Directory consumes the site information. You’ll see how replication impacts site planning later in the chapter.

Criteria for Establishing Separate Sites

When you initially create a domain, a single default Active Directory site called Default-First-Site-Name is created. This site represents your entire network. A domain or forest consisting of a single site can be highly efficient for a LAN connected by high-speed bandwidth.

NOTE

A forest is defined as multiple Active Directory domains that share the same class, site, attribute definitions, and replication information (but not necessarily the same namespace). The domains present in the same forest are linked with two-way transitive trust relationships.

When a network consists of a single subnet or multiple subnets joined by reliable, high-speed links, a single site topology offers the following advantages:

■ Simplified replication management

■ Regular directory updates between all DCs

Establishing a single site topology enables all replication to occur as intrasite replication, which requires no manual replication configuration. A single site topology design enables DCs to receive updates with respect to directory changes.

Intrasite replication refers to replication among DCs within the same site. Intersite replication refers to replication among DCs located at different sites.

Creating a Site

Sites are created using the Active Directory Sites and Services tool of Windows Server 2003. Exercise 6.01 walks you through the steps involved in creating a site.

The Active Directory Sites and Services tool is a Microsoft Management Console (MMC) snap-in that can be used to administer the replication of directory data. This tool can also be used to create new sites, site links, subnets, and so forth.

EXERCISE 6.01

CREATING A NEW SITE

1 To open the Active Directory Sites and Services tool, click Start | Control Panel | Administrative Tools | Active Directory Sites and Services. The Active Directory Sites and Services console appears as shown in Figure 6.4.

2 Highlight the Sites folder in the left-hand tree pane of the Active Directory Sites and Services console. Right-click the Sites folder and select the New | Site option from the context menu as shown in Figure 6.5.

Figure 6.4 The Active Directory Sites and Services Tool

3 Selecting the New Site option opens a New Object – Site dialog box as shown in Figure 6.6.

4 Type the name of the site in the Name box present in the New Object – Site dialog box as shown in Figure 6.7.

5 Select an initial site link object for the site from the New Object – Site dialog box as shown in Figure 6.7.

Figure 6.5 The New Site Option

Figure 6.6 The New Object – Site Dialog Box

6 Click OK. This completes the process of creating a site using the Active Directory Sites and Services tool. Figure 6.8 shows the initial site link object of the site.

Renaming a Site

Renaming a site is one of the first tasks you should perform when administering a site structure. When you create a site initially, it is created with the default name Default-First-Site-Name. This name can be changed based on the purpose of the site, such as the name of the physical location.

Figure 6.7 The Name of the Site

Figure 6.8 The Initial Site Link Object for the Site

A site is also renamed when the network of an organization is expanded by one or more sites. Even if an organization is located in a single location, it makes sense to rename the Default-First-Site-Name, because you never know when the network will expand. Renaming a site enables administrators to differentiate sites present in a network easily and perform administration tasks efficiently.

When a DC becomes aware that its site has been renamed, it will update its DNS records appropriately. Because of issues with cached DNS lookups and client caching of site names that will lead to temporary delays in connectivity directly after a rename, it’s best to name and rename sites as early as possible in the deployment. After renaming a site, it’s advisable to manually force replication with other DCs in the same site.

Sites are renamed using the Active Directory Sites and Services tool of Windows Server 2003. Exercise 6.02 walks you through the steps involved in renaming a site.

EXERCISE 6.02

RENAMING A NEW SITE

1 To open the Active Directory Sites and Services tool, click Start | Control Panel | Administrative Tools. Double-click Active Directory Sites and Services. The Active Directory Sites and Services dialog box appears as shown in Figure 6.9.

2 Highlight the Sites folder in the left-hand tree pane of the Active Directory Sites and Services console. Expand the Sites folder, and you’ll see the sites shown with icons of small, yellow office buildings as shown in Figure 6.10.

Figure 6.9 The Active Directory Sites and Services Tool

3 Right-click the site you want to rename and select the Rename option from the context menu as shown in Figure 6.11.

4 Type the new name of the site in the Name box in the left console pane as shown in Figure 6.12.

Figure 6.10 The Sites Folder

Figure 6.11 The Rename Option

5 Click OK. This completes the process of renaming a site using the Active Directory Sites and Services tool.

Creating Subnets

Subnets are associated with Active Directory sites to match client computers to sites. The subnets are denoted by a range of IP addresses. The Active Directory Sites and Services user interface prevents you from having to provide the subnet names manually; instead, you are prompted for a network address. An example of a subnet name for an IP version 4 network is 10.14.208.0/20. This name consists of two portions: the network address appears before the slash, and after the slash is a representation of the subnet mask. Some common subnet masks and the corresponding slash notations are shown in Table 6.1. The number following the slash indicates the number of binary digits (bits) that make up the network portion of the IP address. 255 in decimal translates to 11111111 in binary (8 bits), thus you can see how the subnet masks in Table 6.1 translate to the corresponding slash notations.

Table 6.1 Subnet Masks and Slash Notation


Subnets are created using the Active Directory Sites and Services tool of Windows Server 2003. Exercise 6.03 shows the steps involved in creating subnets.

EXERCISE 6.03

CREATING SUBNETS

1 To open the Active Directory Sites and Services tool, click Start | Control Panel | Administrative Tools, and then double-click Active Directory Sites and Services. The Active Directory Sites and Services console appears as shown in Figure 6.13.

2 Highlight the Sites folder in the left tree pane of the Active Directory Sites and Services console. Expand the Sites folder as shown in Figure 6.14.

Figure 6.13 The Active Directory Sites and Services Tool

Figure 6.14 The Sites Folder

3 Right-click Subnets and select New Subnet from the context menu as shown in Figure 6.15.

4 Selecting the New Subnet option opens a New Object – Subnet dialog box as shown in Figure 6.16.

5 Type the network address and subnet mask in the form of dotted decimal notation in the text boxes present in the New Object – Subnet dialog box as shown in Figure 6.17.

Figure 6.15 The New Subnet Option

Figure 6.16 The New Object – Subnet Dialog Box

6 Select a site object for this subnet from the list provided in the New Object – Subnet dialog box as shown in Figure 6.18.

7 Click OK. This completes the process of creating a subnet using the Active Directory Sites and Services tool.

Figure 6.17 The Network Address and Subnet Mask

Figure 6.18 The Site Object

Associating Subnets with Sites

After creating sites and subnets, the next step is to associate your subnets with sites. Computers on Active Directory networks communicate with each other using the Transmission Control Protocol/Internet Protocol (TCP/IP) and are assigned to sites based on their locations in a subnet. Remember that a site consists of one or more IP subnets. You specify the subnets associated with each site on your network by creating subnet objects in the Active Directory Sites and Services console. The association of subnets with sites enables the computers on the Active Directory network to use the subnet information to find a DC in the same site, so that authentication traffic will not cross over WAN links. Active Directory also uses subnets during the replication process to determine the best routes between DCs.

Subnets are associated with sites using the Active Directory Sites and Services tool of Windows Server 2003. Exercise 6.04 walks you through the steps involved in associating subnets with sites.

EXERCISE 6.04

ASSOCIATING SUBNETS WITH SITES

1 To open the Active Directory Sites and Services tool, click Start | Control Panel | Administrative Tools, and then double-click Active Directory Sites and Services.

2 Highlight the Subnets folder present in the left tree pane of the Active Directory Sites and Services console (see Figure 6.19).

3 Right-click the newly created subnet and select the Properties option; this will open a Properties dialog box as shown in Figure 6.20.

4 Associate any site with this subnet by selecting the available site from the Site drop-down menu, and click OK, as shown in Figure 6.20.

Figure 6.19 The Subnet Folder

5 Click OK. This completes the process of associating a subnet with a site using the Active Directory Sites and Services tool.
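The two ideas behind Table 6.1 and Exercises 6.03 and 6.04 are the mask/slash conversion and the rule that a client belongs to the site whose subnet object most specifically covers its address. The PowerShell below is an added example, not code from the book: it converts between dotted masks and prefix lengths and performs the longest-prefix match over a constructed list of subnet-to-site associations (the names and ranges are sample data, not objects from a real forest), including the case where no subnet object covers the client at all.

```powershell
# Added example (not from the book): subnet mask <-> slash notation, and the
# longest-prefix match that maps a client address to a subnet object and its site.
# The subnet/site list is constructed sample data.

function ConvertTo-PrefixLength {
    param([Parameter(Mandatory)][string]$SubnetMask)      # e.g. 255.255.240.0
    $octets = $SubnetMask.Split('.')
    if ($octets.Count -ne 4) { throw "Invalid mask: $SubnetMask" }
    $bits = ($octets | ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') }) -join ''
    # A legal mask is a run of 1 bits followed only by 0 bits.
    if ($bits -notmatch '^1*0*$') { throw "Non-contiguous mask: $SubnetMask" }
    return ($bits.ToCharArray() | Where-Object { $_ -eq '1' }).Count
}

function ConvertTo-SubnetMask {
    param([Parameter(Mandatory)][ValidateRange(0, 32)][int]$PrefixLength)   # e.g. 20
    $bits = ('1' * $PrefixLength).PadRight(32, '0')
    return ((0..3 | ForEach-Object { [Convert]::ToInt32($bits.Substring($_ * 8, 8), 2) }) -join '.')
}

function ConvertTo-AddressNumber {
    # Dotted IPv4 address to an unsigned 32-bit number for masking.
    param([Parameter(Mandatory)][string]$IPAddress)
    $b = [System.Net.IPAddress]::Parse($IPAddress).GetAddressBytes()
    return [uint32](([int64]$b[0] -shl 24) + ([int64]$b[1] -shl 16) + ([int64]$b[2] -shl 8) + $b[3])
}

# Constructed sample of subnet objects as they would sit under CN=Subnets after
# Exercises 6.03 and 6.04 (Site = the siteObject association).
$SampleSubnets = @(
    @{ Subnet = '10.14.0.0/16';    Site = 'Default-First-Site-Name' },
    @{ Subnet = '10.14.208.0/20';  Site = 'Chicago' },
    @{ Subnet = '172.16.224.0/19'; Site = 'Denver' }
)

function Find-SiteForAddress {
    param([Parameter(Mandatory)][string]$IPAddress, [array]$Subnets = $SampleSubnets)
    $ip   = ConvertTo-AddressNumber $IPAddress
    $best = $null
    foreach ($s in $Subnets) {
        $network, $prefix = $s.Subnet.Split('/')
        $prefix = [int]$prefix
        $mask   = ConvertTo-AddressNumber (ConvertTo-SubnetMask $prefix)
        $inSubnet = (($ip -band $mask) -eq ((ConvertTo-AddressNumber $network) -band $mask))
        # The most specific (longest) prefix wins when several subnets overlap.
        if ($inSubnet -and ($null -eq $best -or $prefix -gt $best.Prefix)) {
            $best = @{ Site = $s.Site; Prefix = $prefix; Subnet = $s.Subnet }
        }
    }
    # $null means no subnet object covers this client: it has no site, and its
    # authentication traffic may be served across a WAN link.
    return $best
}

# Usage against the sample data:
Find-SiteForAddress '10.14.215.77'
Find-SiteForAddress '10.14.3.9'
Find-SiteForAddress '192.0.2.10'
ConvertTo-PrefixLength '255.255.224.0'
```

An address inside both the /16 and the /20 is assigned by the /20, which is the behaviour to expect when a branch subnet is carved out of a larger headquarters range; an address that matches nothing is the case to look for when users at a new location complain about slow logons.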

Creating Site Links

After creating and defining the scope of each site, the next step in the site configuration process is establishing connections between the sites. The physical connectivity between the sites is represented in the Active Directory database by site link objects. A site link object is an Active Directory object that embodies a set of sites that can communicate at uniform cost. A site link can consist of two or more sites. Because a site link joins two or more sites with a uniform cost and replication schedule, site links are used to determine the efficiency and direction of replication traffic throughout the Active Directory topology. Each site link is based on the following four components:

■ Transport The networking technology used to move the replication traffic

■ Sites The sites that the site link connects

■ Cost The value used to rank the site link against others, in terms of speed and reliability charges

■ Schedule The times and frequency at which the replication will occur

Site links are created using the Active Directory Sites and Services tool of Windows Server 2003. Exercise 6.05 walks you through the steps involved in creating site links.

Figure 6.20 Subnet Dialog Box for Associating/Changing the Site

EXERCISE 6.05

CREATING SITE LINKS

1 To open the Active Directory Sites and Services tool, click Start | Control Panel | Administrative Tools, and then double-click Active Directory Sites and Services.

2 Highlight the Inter-Site Transports folder in the left tree pane of the Active Directory Sites and Services console. Expand the Inter-Site Transports folder as shown in Figure 6.21.

3 Right-click either the IP or SMTP folder (depending on what protocol the network is based on) in the left tree pane of the Active Directory Sites and Services console. Select New Site Link from the context menu as shown in Figure 6.22.

Figure 6.21 The Inter-Site Transports Folder

Figure 6.22 The New Site Link Option
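Exercises 6.01, 6.03, 6.04 and 6.05 create the same objects that a script can create in the Configuration partition. The PowerShell below is an added example, not code from the book: it creates a site, a subnet associated with that site, and an IP site link carrying the four components listed above (transport, sites, cost, schedule interval), using ADSI so it also works against Windows Server 2003 DCs. It assumes a domain-joined host, Enterprise Admins rights, and placeholder names (`Chicago`, `10.14.208.0/20`, `HQ-Chicago`); the two child containers created under the site are the ones the console creates for you behind the scenes.

```powershell
# Added example (not from the book): create a site, a subnet and an IP site link
# through ADSI, mirroring Exercises 6.01, 6.03, 6.04 and 6.05.
# Assumes Enterprise Admins rights on a domain-joined host; names are placeholders.

$rootDse  = [ADSI]'LDAP://RootDSE'
$configNC = $rootDse.configurationNamingContext.Value
$sitesDN  = "CN=Sites,$configNC"

function New-AdsiSite {
    param([Parameter(Mandatory)][string]$Name)
    $sites = [ADSI]"LDAP://$sitesDN"
    $site  = $sites.Create('site', "CN=$Name")
    $site.SetInfo()
    # The console creates these two children automatically; ADSI does not, and
    # without them the KCC cannot place servers in the site.
    $site.Create('nTDSSiteSettings', 'CN=NTDS Site Settings').SetInfo()
    $site.Create('serversContainer', 'CN=Servers').SetInfo()
    return "CN=$Name,$sitesDN"
}

function New-AdsiSubnet {
    param([Parameter(Mandatory)][string]$Subnet,   # network/prefix, e.g. 10.14.208.0/20
          [Parameter(Mandatory)][string]$SiteDN)
    $subnets = [ADSI]"LDAP://CN=Subnets,$sitesDN"
    $obj = $subnets.Create('subnet', "CN=$Subnet")
    $obj.Put('siteObject', $SiteDN)                 # the association from Exercise 6.04
    $obj.SetInfo()
    return "CN=$Subnet,CN=Subnets,$sitesDN"
}

function New-AdsiSiteLink {
    param([Parameter(Mandatory)][string]$Name,
          [Parameter(Mandatory)][string[]]$SiteDNs,
          [int]$Cost = 100,
          [ValidateRange(15, 10080)][int]$ReplIntervalMinutes = 180)
    if ($SiteDNs.Count -lt 2) { throw 'A site link needs at least two sites.' }
    $ipTransport = [ADSI]"LDAP://CN=IP,CN=Inter-Site Transports,$sitesDN"
    $link = $ipTransport.Create('siteLink', "CN=$Name")
    $link.Put('cost', $Cost)                        # relative cost vs. other links
    $link.Put('replInterval', $ReplIntervalMinutes) # minutes between replication checks
    $link.PutEx(2, 'siteList', [string[]]$SiteDNs)  # ADS_PROPERTY_UPDATE = 2, multi-valued
    $link.SetInfo()
    return "CN=$Name,CN=IP,CN=Inter-Site Transports,$sitesDN"
}

# Usage (placeholder names):
$chicago = New-AdsiSite -Name 'Chicago'
New-AdsiSubnet -Subnet '10.14.208.0/20' -SiteDN $chicago
New-AdsiSiteLink -Name 'HQ-Chicago' `
    -SiteDNs @("CN=Default-First-Site-Name,$sitesDN", $chicago) `
    -Cost 100 -ReplIntervalMinutes 180
```

The `ValidateRange` on the interval enforces the 15 to 10,080 minute bounds the text gives for replication frequency, so a typo such as `18` seconds or `1080` hours is rejected before anything is written to the directory.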


■ It is essential to have an understanding of Active Directory replication and the File Replication Service (FRS), which is used to replicate the contents of the system volume (SYSVOL) folder that contains GPO objects, logon and logoff scripts, and startup and shutdown scripts. FRS is also used for Distributed File System (DFS) replication.

■ For Active Directory replication, a rule of thumb is that a given DC that acts as a bridgehead server should not have more than 50 active simultaneous replication connections at any given time.

Creating a Replication Topology

The next step is to create the replication topology. Let’s discuss how to create a replication topology:

■ Active Directory replication is a one-way pull replication whereby the DC that needs updates (target DC) gets in touch with the replication partner (source DC). Then, the source DC selects the updates that the target DC needs, and copies them to the target DC. Because Active Directory uses a multi-master replication model, each DC functions as both source and target for its replication partners. From the view of a DC, it has both inbound and outbound replication traffic, depending on whether it is the source or the destination of a replication sequence.

■ Inbound replication is the incoming data transfer from a replication partner to a DC, while outbound replication is the data transfer from a DC to its replication partner.

■ System policies and logon scripts that are stored in SYSVOL use FRS to replicate. Each DC keeps a copy of SYSVOL for network clients to access. FRS is also used for the Distributed File System (DFS).

■ Components of the replication topology such as the KCC, connection objects, site links, and site link bridges are to be checked by the administrator.

■ There are two methods for creating a replication topology:

■ Use the KCC to create connection objects. This method is recommended if there are 100 or fewer sites.

■ Use a scripted or third-party tool for the creation of connection objects. This method is recommended if there are more than 100 sites.

Managing Replication Topology

Data is usually replicated based on change notification within sites. It’s up to the administrator to force immediate replication. To do so for all data on a given connection in a single direction, perform the following steps:

1 Choose Start | Programs | Administrative Tools | Active Directory Sites and Services. Expand Sites in the left tree pane.

2 Expand the name of the site that you want to replicate to.

3 Expand the name of the server to replicate to.

4 Select the server’s NTDS Settings object. The right console pane will be populated with the server’s inbound connection objects.

5 In the right pane, right-click the name of the server from which you want to replicate, and select Replicate Now.

Replication can also be forced from the command line by using the repadmin.exe utility from the Support Tools.

Configuring Replication between Sites

To ensure that users can log on within a given span of time, it is necessary to locate DCs near them, which sometimes involves moving DCs between sites.

The purpose of a site is to help manage the replication between DCs and across slow network links. In addition to creating the site and adding subnets to that site, we also need to move DCs into the site, as replication happens between DCs. The DC has to be added to the site to which it belongs so that clients within a site can look for the DCs in the site and can log on to them.

To move DCs, follow these steps:

1 Open Active Directory Sites and Services.

2 Choose the Sites folder and then select the site where the server is located.

3 In the site, expand the Servers folder.

4 Right-click on the DC you want to move, and choose Move.

5 Select the destination subnet from the dialog box and click OK.

Configuring Replication Frequency

Replication frequency can be configured by providing an integer value that informs Active Directory how many minutes it should wait before it can use a connection to check for replication updates. The interval must be not less than 15 minutes and not more than 10,080 minutes. For any replication to happen, a site link is essential. Follow these steps to configure site link replication frequency:

1 Choose Start | Programs | Administrative Tools | Active Directory Sites and Services.

2 Expand the Inter-Site Transports folder, select either the IP or SMTP folder, and then right-click the site link for which the site replication frequency is to be set.

3 Click Properties, and in the Properties dialog box for the site link, enter in the
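The "Replicate Now" step under Managing Replication Topology and the frequency setting just described both have command-line equivalents, which is what you want when a rename or a site move has to propagate quickly. The PowerShell below is an added example, not code from the book: it writes the replication interval of an existing site link with the 15 to 10,080 minute bounds enforced, then forces a single-direction pull with `repadmin.exe` (the Support Tools utility the text mentions) and lists the inbound partners so the result can be checked. Site link, DC and naming context names are placeholders.

```powershell
# Added example (not from the book): set the interval on an existing site link
# (the "replicate every N minutes" setting) and force/verify replication with
# repadmin.exe from the Support Tools. Names are placeholders.

$configNC = ([ADSI]'LDAP://RootDSE').configurationNamingContext.Value

function Set-SiteLinkReplInterval {
    param(
        [Parameter(Mandatory)][string]$SiteLinkName,
        [Parameter(Mandatory)][ValidateRange(15, 10080)][int]$Minutes,   # bounds from the text
        [ValidateSet('IP', 'SMTP')][string]$Transport = 'IP'
    )
    $link   = [ADSI]"LDAP://CN=$SiteLinkName,CN=$Transport,CN=Inter-Site Transports,CN=Sites,$configNC"
    $before = $link.replInterval.Value
    $link.Put('replInterval', $Minutes)     # attribute behind the Properties dialog field
    $link.SetInfo()
    return [pscustomobject]@{ SiteLink = $SiteLinkName; Before = $before; After = $Minutes }
}

function Invoke-ForcedReplication {
    # One direction only: $DestinationDC pulls $NamingContext from $SourceDC, the
    # same thing Replicate Now on an inbound connection object does.
    param(
        [Parameter(Mandatory)][string]$DestinationDC,
        [Parameter(Mandatory)][string]$SourceDC,
        [Parameter(Mandatory)][string]$NamingContext    # e.g. DC=example,DC=com
    )
    $out = & repadmin.exe /replicate $DestinationDC $SourceDC $NamingContext 2>&1
    if ($LASTEXITCODE -ne 0) { throw "repadmin /replicate failed: $($out -join "`n")" }
    # Inbound partners with last-attempt/last-success times, to confirm it worked.
    & repadmin.exe /showrepl $DestinationDC
}

# Usage (placeholder names):
Set-SiteLinkReplInterval -SiteLinkName 'HQ-Chicago' -Minutes 60
Invoke-ForcedReplication -DestinationDC 'dc2.example.com' -SourceDC 'dc1.example.com' `
    -NamingContext 'DC=example,DC=com'
```

Because `Set-SiteLinkReplInterval` returns the old and new values, a change log of who lowered an intersite interval (and so raised WAN traffic) is easy to keep alongside the change itself.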


Configuring Site Link Availability

After the DCs are moved, a site link has to be created between sites, as it provides a path through which replication takes place. The creation of site links gives the KCC information about which connection objects should be created in order to replicate directory data. Site links also imply where the connection objects should be created. Follow these steps to configure a site link:

1 Choose Start | Programs | Administrative Tools | Active Directory Sites and Services.

2 Open the Sites folder and then the Inter-Site Transports folder.

3 Right-click on the IP or SMTP folder depending on the protocol needed and then choose New Site Link.

4 Enter the name for the site link in the Name text box. From the Sites not in this site link list, choose the site to connect and click Add.

■ IP replication All replication within a site occurs over synchronous RPC over IP transport. Replication within a site is fast and delivers updates uncompressed. Replication events occur more frequently within a site than between sites, and the overhead of compression would be inefficient over fast connections.

Configuring Site Link Bridges

Often, there is no need to deal with site link bridges separately, as all the links are automatically bridged by a property known as a transitive site link. Sometimes, when you need to control through which sites the data can flow, you need to create site link bridges. By default, all the site links created are bridged together.

The bridging enables the sites to communicate with each other. If this is not achieved by the automatic bridging due to the network structure, disable automatic bridging and create an appropriate site link bridge. In some cases, it is necessary to control the data flow through the sites. In these cases, it is necessary to create site link bridges. To disable transitive site links (automatic bridging), follow these steps:

Date posted: 13/08/2014, 15:20
