
MCSE Windows Server 2003 Document - P16 pptx


DOCUMENT INFORMATION

Basic information

Title: Terminal Server
School: University of Information Technology
Major: Information Technology
Type: Document
Year of publication: 2003
City: Ho Chi Minh City
Number of pages: 26
File size: 624.35 KB


Remote Control

Terminal Server allows an administrator to view or take control of a user’s session. This feature not only allows administrators to monitor user actions on a terminal server, but also acts like Remote Assistance, allowing a help desk employee to control a user’s session and perform actions that the user is able to see as well.

To establish remote control, both the user and the administrator must be connected to terminal server sessions. The administrator must open the Terminal Server Manager console from the Administrative Tools group, right-click the user’s session, and choose Control. By default, the user will be notified that the administrator wishes to connect to the session, and can accept or deny the request.

Important: Remote Control is available only when using Terminal Server Manager within a terminal server session. You cannot establish remote control by opening Terminal Server Manager on your PC.

Remote control settings include the ability to remotely view and remotely control a session, as well as whether the user should be prompted to accept or deny the administrator’s access. These settings can be configured in the user account properties on the Remote Control tab, as shown in Figure A-13, and can be configured by the properties of the RDP-Tcp connection, which will override user account settings. Group Policy can also be used to specify remote control configuration.

Figure A-13 The Remote Control tab of a user’s properties dialog box


In addition to enabling remote control settings, an administrator must have permissions to establish remote control over the terminal server connection. Using the Permissions tab of the RDP-Tcp Properties dialog box, you can assign the Full Control permission template or, by clicking Advanced, assign the Remote Control permission to a group, as shown in Figure A-14.

Figure A-14 The Remote Control permission

Review

This appendix provides an overview of Terminal Server and the tools, technologies, and processes used to configure and, ultimately, troubleshoot the feature. The aim of this appendix, like the rest of this training kit, is to prepare you for the 70-290 certification exam. If you plan to deploy or support Terminal Server in your production network, be sure to refer to online help and the Microsoft Knowledge Base for additional detail.


Glossary

Numbers

802.11 Refers to a family of Institute of Electrical and Electronics Engineers (IEEE) specifications for wireless networking.

802.11a An extension to 802.11 that applies to wireless local area networks (WLANs) and provides up to 54 Mbps in the 5 GHz band.

802.11b An extension to 802.11 that applies to wireless LANs and provides 11 Mbps transmission (with a fallback to 5.5, 2, and 1 Mbps) in the 2.4 GHz band. 802.11b is a 1999 ratification to the original 802.11 standard, allowing wireless functionality comparable to Ethernet. Also called Wi-Fi.

802.11g An extension to 802.11 that applies to wireless LANs and provides 54 Mbps transmission in the 2.4 GHz band. 802.11g is backward compatible with 802.11b, allowing the two to work together.

A

access control entry (ACE) An entry in an access control list (ACL) that defines the level of access for a user or group.

access control list (ACL) A set of data associated with a file, directory, or other resource that defines the permissions users or groups have for accessing it. In Active Directory, the ACL is a list of access control entries (ACEs) stored with the object it protects. In Microsoft Windows NT, an ACL is stored as a binary value called a security descriptor.

access token or security access token A collection of security identifiers (SIDs) that represent a user and that user’s group memberships. The security subsystem compares SIDs in the token to SIDs in an access control list (ACL) to determine resource access.

account lockout A security feature that disables a user account if failed logons exceed a specified number in a specified period of time. Locked accounts cannot log on and must be unlocked by an administrator.

Active Directory Beginning in Microsoft Windows 2000 Server and continuing in Windows Server 2003, Active Directory replaces the Windows NT collection of directory functions with functionality that integrates with and relies upon standards including Domain Name System (DNS), Lightweight Directory Access Protocol (LDAP), and Kerberos security protocol.


Active Directory–integrated zone A DNS (Domain Name System) zone stored in Active Directory so it has Active Directory security features and can be used for multimaster replication.

Active Directory Service Interface (ADSI) A programming interface that provides access to Active Directory.

ActiveX A loosely defined set of technologies that allows software components to interact with each other in a networked environment.

ActiveX component Reusable software component that adheres to the ActiveX specification and can operate in an ActiveX–compliant environment.

address A precise location where a piece of information is stored in memory or on disk. Also, the unique identifier for a node on a network. On the Internet, the code by which an individual user is identified. The format is username@hostname, where username is your user name, logon name, or account number, and hostname is the name of the computer or Internet provider you use. The host name might be a few words strung together with periods.

Address Resolution Protocol (ARP) A Transmission Control Protocol/Internet Protocol (TCP/IP) and AppleTalk protocol that provides IP-address-to-MAC (media access control) address resolution for IP packets.

Advanced Configuration Power Interface (ACPI) An industry specification, defining power management on a range of computer devices. ACPI compliance is necessary for devices to take advantage of Plug and Play and power management capabilities.

allocation unit The smallest unit of managed space on a hard disk or logical volume. Also called a cluster.

anonymous FTP A way to use an FTP program to log on to another computer to copy files when you do not have an account on that computer. When you log on, enter anonymous as the user name and your e-mail address as the password. This gives you access to publicly available files. See also File Transfer Protocol (FTP).

AppleTalk Local area network architecture built into Macintosh computers to connect them with printers. A network with a Windows Server 2003 server and Macintosh clients can function as an AppleTalk network with the use of AppleTalk network integration (formerly Services for Macintosh).

Archive (A) attribute An attribute of each file that is used by backup utilities to determine whether or not to back up that file. The Archive attribute is set to TRUE whenever a file is created or modified. Differential and incremental backup jobs will back up files only if their archive attribute is TRUE.

Associate To connect files having a particular extension to a specific program. When you double-click a file with the extension, the associated program is launched and the file you clicked is opened. In Windows, associated file extensions are usually called registered file types.


Asynchronous Transfer Mode (ATM) A network technology based on sending data in cells or packets of a fixed size. It is asynchronous in that the transmission of cells containing information from a particular user is not necessarily periodic.

attribute A characteristic. In Windows file management, it is information that shows whether a file is read-only, hidden, compressed, encrypted, ready to be backed up (archived), or should be indexed.

audit policy Defines the type of security events to be logged. It can be defined on a server or an individual computer.

authentication Verification of the identity of a user or computer process. In Windows Server 2003, Windows 2000, and Windows NT, authentication involves comparing the user’s security identifier (SID) and password to a list of authorized users on a domain controller.

authoritative restore Specifies a type of recovery of Active Directory. When an authoritative restore is performed using the Backup Utility and Ntdsutil in the Directory Services Restore Mode, the directory or the specific object(s) in the directory that have been authoritatively restored are replicated to other domain controllers in the forest. See also non-authoritative restore.

Automated System Recovery (ASR) A feature of Windows Server 2003 that allows an administrator to return a failed server to operation efficiently. Using the ASR Wizard of the Backup Utility, you create an ASR set which includes a floppy disk with a catalog of system files, and a comprehensive backup. When a server fails, boot with the Windows Server 2003 CD-ROM and press F2 when prompted to start Automated System Recovery.

Automatic Updates A client-side component that can be used to keep a system up to date with security rollups, patches, and drivers. Automatic Updates is also the client component of a Software Update Services (SUS) infrastructure, which allows an enterprise to provide centralized and managed updates.

B

Background Intelligent Transfer Service (BITS) A service used to transfer files between a client and a Hypertext Transfer Protocol (HTTP) server. BITS intelligently uses idle network bandwidth, and will decrease transfer requests when other network traffic increases.

backup domain controller (BDC) In a Windows NT domain, a computer that stores a backup of the database that contains all the security and account information from the primary domain controller (PDC). The database is regularly and automatically synchronized with the copy on the PDC. A BDC also authenticates logons and can be promoted to a PDC when necessary. In a Windows Server 2003 or Windows 2000 domain, BDCs are not required; all domain controllers are peers, and all can perform maintenance on the directory.


backup media pool A logical set of backup storage media used by Windows Server 2003 and Windows 2000 Server Backup.

bandwidth On a network, the transmission capacity of a communications channel stated in megabits per second (Mbps). For example, Ethernet has a bandwidth of 10 Mbps. Fast Ethernet has a bandwidth of 100 Mbps.

basic disk A physical disk that is configured with partitions. The disk’s structure is compatible with previous versions of Windows and with several non-Windows operating systems.

Basic Input/Output System (BIOS) The program used by a personal computer’s microprocessor to start the system and manage data flow between the operating system and the computer’s devices, such as its hard disks, CD-ROM, video adapter, keyboard, and mouse.

binding A software connection between a network card and a network transport protocol such as Transmission Control Protocol/Internet Protocol (TCP/IP).

BOOTP Used on Transmission Control Protocol/Internet Protocol (TCP/IP) networks to enable a diskless workstation to learn its own IP address, the location of a BOOTP server on the network, and the location of a file to be loaded into memory to boot the machine. This allows a computer to boot without a hard disk or a floppy disk. Stands for “Boot Protocol.”

bottleneck Refers to the point of resource insufficiency when demand for computer system resources and services becomes extreme enough to cause performance degradation.

broadcasting To send a message to all computers on a network simultaneously. See also multicasting.

Browser service The service that maintains a current list of computers and provides the list to applications when needed. When a user attempts to connect to a resource in the domain, the Browser service is contacted to provide a list of available resources. The lists displayed in My Network Places and Active Directory Users and Computers (among others) are provided by the Browser service. Also called the Computer Browser service.

C

Caching A process used to enhance performance by retaining previously-accessed information in a location that provides faster response than the original location. Hard disk caching is used by the File and Print Sharing for Microsoft Networks service, which stores recently accessed disk information in memory for faster retrieval. The Remote Desktop Connection client can cache previously viewed screen shots from the terminal server on its local hard disk to improve performance of the Remote Desktop Protocol (RDP) connection.

catalog An index of files in a backup set.


certificate A credential used to prove the origin, authenticity, and purpose of a public key to the entity that holds the corresponding private key.

certificate authority (CA) The service that accepts and fulfills certificate requests and revocation requests and that can also manage the policy-directed registration process a user completes to get a certificate.

certificate revocation list (CRL) A digitally signed list (published by a certificate authority) of certificates that are no longer valid.

child domain A domain located directly beneath another domain name (which is known as a parent domain). For example, Engineering.scribes.com is a child domain of scribes.com, the parent domain. Also called a subdomain.

child object An object inside another object. For example, a file is a child object inside a folder, which is the parent object.

Client Access License (CAL) The legal right to connect to a service or application. CALs can be configured per server or per device/per user.

cluster A set of computers joined together in such a way that they behave as a single system. Clustering is used for network load balancing as well as fault tolerance. In data storage, a cluster is the smallest amount of disk space that can be allocated for a file.

Cluster service The collection of software on each node that manages all cluster-specific activity.

codec Technology that compresses and decompresses data, particularly audio or video. Codecs can be implemented in software, hardware, or a combination of both.

common name (CN) The primary name of an object in a Lightweight Directory Access Protocol (LDAP) directory such as Active Directory. The CN must be unique within the container or organizational unit (OU) in which the object exists.

concurrent Simultaneous.

console tree The default left pane in a Microsoft Management Console (MMC) that shows the items contained in a console.

container An Active Directory object that has attributes and is part of the Active Directory namespace. Unlike other objects, it does not usually represent something concrete. It is a package for a group of objects and other containers.

D

delegate Assign administrative rights over a portion of the namespace to another user or group.

Device Driver A program that enables a specific device, such as a modem, network adapter, or printer, to communicate with the operating system. Although a device might be installed on your system, Windows cannot use the device until you have installed and configured the appropriate driver. Device drivers load automatically (for all enabled devices) when a computer is started, and thereafter run transparently.

Device Manager An administrative tool that you can use to administer the devices on your computer. Using Device Manager, you can view and change device properties, update device drivers, configure device settings, and uninstall devices.

digital signature An attribute of a driver, application, or document that identifies the creator of the file. Microsoft’s digital signature is included in all Microsoft-supplied drivers, providing assurance as to the stability and compatibility of the drivers with Windows Server 2003 and Windows 2000 Server.

directory service A means of storing directory data and making it available to network users and administrators. For example, Active Directory stores information about user accounts, such as names, passwords, phone numbers, and so on, and enables other authorized users on the same network to access this information.

disk quota A limitation set by an administrator on the amount of disk space available to a user.

distinguished name (DN) In the context of Active Directory, “distinguished” means the qualities that make the name distinct. The DN identifies the domain that holds the object, as well as the complete path through the container hierarchy used to reach the object.

Distributed file system (Dfs) A file management system in which files can be located on separate computers but are presented to users as a single directory tree.

DNS name servers Servers that contain information about part of the Domain Name System (DNS) database. These servers make computer names available to queries for name resolution across the Internet. Also called domain name servers.

domain A group of computers that share a security policy and a user account database. A Windows Server 2003 domain is not the same as an Internet domain. See also domain name.

domain controller A server in a domain that accepts account logons and initiates their authentication. In an Active Directory domain, a domain controller controls access to network resources and participates in replication.

domain functional level The level at which an Active Directory domain operates. As functional levels are raised, more features of Active Directory become available. There are four levels: Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.

domain local group A local group used on ACLs only in its own domain. A domain local group can contain users and global groups from any domain in the forest, universal groups, and other domain local groups in its own domain.

domain name In Active Directory, the name given to a collection of networked computers that share a common directory. On the Internet, the unique text name that identifies a specific host. A machine can have more than one domain name, but a given domain name points to only one machine. Domain names are resolved to IP addresses by DNS name servers.

Domain Name System (DNS) A service on Transmission Control Protocol/Internet Protocol (TCP/IP) networks (including the Internet) that translates domain names into IP addresses. This allows users to employ friendly names like FinanceServer or Adatum.com when querying a remote system, instead of using an IP address such as 192.168.1.10.

domain naming master The one domain controller assigned to handle the addition or removal of domains in a forest. See also Operations Master.

DWORD A data type consisting of four bytes in hexadecimal.

Dynamic Data Exchange (DDE) Communication between processes implemented in the Windows family of operating systems. When programs that support DDE are running at the same time, they can exchange data by means of conversations. Conversations are two-way connections between two applications that transmit data alternately.

dynamic disk A disk that is configured using volumes. Its configuration is stored in the Logical Disk Manager (LDM) database, and is replicated to other dynamic disks attached to the same computer. Dynamic disks are compatible only with Windows Server 2003, Windows XP, and Windows 2000.

Dynamic Host Configuration Protocol (DHCP) A Transmission Control Protocol/Internet Protocol (TCP/IP) protocol used to automatically assign IP addresses and configure TCP/IP for network clients.

dynamic-link library (DLL) A program module that contains executable code and data that can be used by various programs. A program uses the DLL only when the program is active, and the DLL is unloaded when the program closes.

E

effective permissions The permissions that result from the evaluation of group and user permissions allowed, denied, inherited, and explicitly defined on a resource. The effective permissions determine the actual access for a security principal.

enterprise Term used to encompass a business’s entire operation, including all remote offices and branches.

environment variable A string of environment information such as a drive, path, or filename associated with a symbolic name. The System option in Control Panel or the Set command from the command prompt can be used to define environment variables.

Ethernet A local area network (LAN) protocol. Ethernet supports data transfer rates of 10 Mbps and uses a bus topology and thick or thin coaxial, fiber-optic, or twisted-pair cabling. A newer version of Ethernet called Fast Ethernet supports data transfer rates of 100 Mbps, and an even newer version, Gigabit Ethernet, supports data transfer rates of 1000 Mbps.

extended partition A nonbootable portion of a hard disk that can be subdivided into logical drives. There can be only a single extended partition per hard disk.

Extensible Authentication Protocol (EAP) An extension to the Point-to-Point Protocol (PPP) that allows the use of arbitrary authentication methods for validating a PPP Connection.

Extensible Markup Language (XML) An abbreviated version of the Standard Generalized Markup Language (SGML), it allows the flexible development of user-defined document types and provides a non-proprietary, persistent, and verifiable file format for the storage and transmission of text and data both on and off the Web.

external trust A one-way or two-way trust for providing access to a Windows NT 4 domain or a domain located in another forest that is not joined by a forest trust.

F

failover An operation that automatically switches to a standby database, server, or network if the primary system fails or is temporarily shut down for servicing. In server clusters, the process of taking resources off one node in a prescribed order and restoring them on another node.

fault tolerance The ability of a system to ensure data integrity when an unexpected hardware or software failure occurs. Many fault-tolerant computer systems mirror all operations—that is, all operations are done on two or more duplicate systems, so if one fails the other can take over.

File Replication Service (FRS) The service responsible for ensuring consistency of the SYSVOL folder on domain controllers. FRS will replicate, or copy, any changes made to a domain controller’s SYSVOL to all other domain controllers. FRS can also be used to replicate folders in a Distributed File System (Dfs).

File Transfer Protocol (FTP) A method of transferring one or more files from one computer to another over a network or telephone line. Because FTP has been implemented on a variety of systems, it’s a simple way to transfer information between usually incongruent systems such as a PC and a minicomputer.

firewall A protective filter for messages and logons. An organization connected directly to the Internet uses a firewall to prevent unauthorized access to its network. See also proxy server.

folder redirection An option in Group Policy to place users’ special folders, such as My Documents, on a network server.

forest A group of one or more Active Directory trees that trust each other through two-way transitive trusts. All trees in a forest share a common schema, configuration, and Global Catalog (GC). When a forest contains multiple trees, the trees do not form a contiguous namespace. Unlike trees, a forest does not need a distinct name.

forest trust A transitive trust used to share resources between forests. Can be one-way or two-way.

fully qualified domain name (FQDN) A domain name that includes the names of all network domains leading back to the root to clearly indicate a location in the domain namespace tree. An example of an FQDN is Accts.finance.adatum.com or Sales.europe.microsoft.com.

G

gateway A device used to connect networks using dissimilar protocols so that information can be passed from one to another.

Global Catalog (GC) Contains a full replica of all Active Directory objects in its host domain plus a partial replica of all directory objects in every domain in the forest. A GC contains information about all objects in all domains in the forest, so finding information in the directory does not require unnecessary queries across domains. A single query to the GC produces the information about where the object can be found.

global group A group that can be used in its own domain and in trusting domains. However, it can contain user accounts and other global groups only from its own domain.

globally unique identifier (GUID) Part of the identifying mechanism generated by Active Directory for each object in the directory. If a user or computer object is renamed or moved to a different name, the security identifier (SID), relative distinguished name (RDN), and distinguished name (DN) will change, but the GUID will remain the same.

GUID partition table (GPT) The storage location for disk configuration information for disks used in 64-bit versions of Windows.

Group Policy Setting of rules for computers and users in Windows Server 2003 and Windows 2000 Server. Group Policy is able to store policies for file deployment, application deployment, logon/logoff scripts, startup/shutdown scripts, domain security, Internet Protocol security (IPSec), and so on.

Group Policy Object (GPO) A collection of policies stored in two locations: a Group Policy container (GPC) and a Group Policy template (GPT). The GPC is an Active Directory object that stores version information, status information, and other policy information (for example, application objects). The GPT is used for file-based data and stores software policy, script, and deployment information. The GPT is located in the system volume folder of the domain controller.


H

headless server A server without a monitor, keyboard, mouse, or video card, which is administered remotely.

hive One of five sections of the registry. Each hive is a discrete body of keys, subkeys, and values that record configuration information for the computer. Each hive is a file that can be moved from one system to another but can be edited only by using the Registry Editor.

host Any device on the network that uses TCP/IP. A host is also a computer on the Internet you might be able to log on to. You can use FTP to get files from a host computer and use other protocols (such as Telnet) to make use of the host computer.

hosts file A local ASCII text file that maps host names to IP addresses. Each line represents one host, starting with the IP address, one or more spaces, and then the host’s name.

hypertext A system of writing and displaying text that enables the text to be linked in multiple ways, available at several levels of detail. Hypertext documents can also contain links to related documents, such as those referred to in footnotes.

Hypertext Markup Language (HTML) A language used for writing pages for use on the Internet or an intranet. HTML allows text to include codes that define fonts, layout, embedded graphics, and hypertext links.

Hypertext Transfer Protocol (HTTP) The method by which Web pages are transferred over the network.

I

identity store A database of security identities, or security principals. Active Directory is the identity store for a Windows Server 2003 domain.

inheritance The process through which permissions are propagated from a parent object to its children. Inheritance is at work in Active Directory and on disk volumes formatted with NTFS.

instance The most granular level of performance counter. A performance object, such as LogicalDisk, has counters, such as % Free Space. That counter may have instances, representing specific occurrences of that counter, for example the free space on disk volume C:\ and disk volume D:\.

IntelliMirror A suite of technologies that allows a complete operating environment to follow the user to other computers, as well as offline. Components include the user’s profiles, data, and applications.

Internet Authentication Service (IAS) The Microsoft implementation of Remote Authentication Dial-In User Service (RADIUS), an authentication and accounting system used by many Internet Service Providers (ISPs). When a user connects to an ISP using a username and password, the information is passed to a RADIUS server, which checks that the information is correct, and then authorizes access to the ISP system.

Internet Control Message Protocol (ICMP) A protocol used to report problems encountered with the delivery of data, such as unreachable hosts or unavailable ports. ICMP is also used to send a request packet to determine whether a host is available. The receiving host sends back a packet if it is available and functioning. See also ping.

Internet Printing Protocol (IPP) A protocol that allows a client to send a job to a printer over the Internet or an intranet. The communication between the client and the printer is encapsulated in HTTP.

Internet Protocol (IP) The inter-network layer protocol used as a basis of the Internet. IP enables information to be routed from one network to another in packets and then reassembled when they reach their destination.

Internet Protocol version 6 (IPv6) A new version of Internet Protocol supported in Windows Server 2003. The current version of IP is version 4, also known as IPv4. IPv6, formerly called IP—The Next Generation (IPng), is an evolutionary upgrade and will coexist with version 4 for some time.

Internetwork Packet Exchange/Sequenced Packet Exchange (IPX/SPX) Transport protocols used in Novell NetWare networks.

interrupt request (IRQ) One of a set of possible hardware interrupts, identified by a number. The number of the IRQ determines which interrupt handler will be used.

Internet Protocol security (IPSec) An Internet Engineering Task Force (IETF) standard that provides authentication and encryption over the Internet. IPSec is widely used with virtual private networks (VPNs).

IP address A 128-bit number, usually represented as a four-part decimal separated by periods (for example, 192.168.1.10) that uniquely identifies a machine on the Internet. Every machine on the Internet has a unique IP address.

K

Kerberos An identity-based security system developed at the Massachusetts Institute of Technology (MIT) that authenticates users at logon. It works by assigning a unique key, called a ticket, to each user who logs on to the network. The ticket is then embedded in messages to identify the sender of the message. The Kerberos security protocol is the primary authentication mechanism in Windows Server 2003 and Windows 2000 Server.

Posted: 15/12/2013, 02:16
