
Nutshell: Microsoft Active Directory

Date of course: _____________________________________


Name of Student: ___________________________________


Rev 1.0

Created by Michael March Contact Information : michaelmarch@gmail.com Not to be reused or copied in anyways without the explicit written agreement between Michael March and the requester, until so granted permission.

Contents

Contents (p. 4)
Introduction to Active Directory (p. 6)
Active Directory Facts (p. 6)
Advanced Installation Facts (p. 8)
Installation Tools (p. 8)
Backup and Restore Facts (p. 9)
Security Facts (p. 10)
Group Facts (p. 11)
Built-in Groups (p. 11)
Group Strategy Facts (p. 12)
Designing Active Directory for Delegation (p. 13)
Planning Guidelines (p. 14)
Trust Types (p. 14)
Functional Level Types (p. 15)
Operation Master Types (p. 16)
Troubleshooting Operation Masters (p. 17)
Managing the Schema (p. 18)
Default Active Directory Objects (p. 19)
Object Management Tasks and Tools (p. 20)
Group Policy Facts (p. 20)
Refreshing Group Policy (p. 21)
Editing GPO Facts (p. 21)
Controlling GPO Application (p. 22)
Edit Permissions (p. 22)
Block Inheritance (p. 22)
No Override (p. 23)
WMI Filtering (p. 23)
Loopback Processing (p. 23)
Group Policy Tools (p. 24)
Gpresult (p. 24)
RSoP (p. 24)
RSoP Access (p. 24)
Delegation Facts (p. 25)
Software Distribution Facts (p. 25)
Administrative Template Facts (p. 26)
Folder Redirection Facts (p. 26)
Logon Facts (p. 27)
Automatic Certificate Enrollment Facts (p. 28)
Managing Sites and Subnets (p. 28)
Replication Facts (p. 28)
Managing Replication Facts (p. 29)
Tombstones and Garbage Collection (p. 29)
Global Catalogs and Universal Group Membership Caching (p. 30)
Site License Facts (p. 30)
Application Directory Partitions (p. 31)


Introduction to Active Directory


As you study this section, answer the following questions:

- What was the first directory service?
- What is a directory information tree?
- How does Active Directory use DNS?
- What is the purpose of a global catalog server?
- Is a global catalog server useful in a single domain environment?
- What are three examples of a Microsoft Management Console provided with Windows Server 2003?

After finishing this section, you should be able to complete the following tasks:

- Describe the components that constitute an Active Directory deployment.
- Design an Active Directory structure.
- Identify the tools used for Active Directory configuration and management.

This section covers the following exam objectives:


101. Plan a strategy for placing global catalog servers.
103. Implement an Active Directory service forest and domain structure.

Active Directory Facts


You should know the following facts about Active Directory:

- Active Directory is based on the LDAP (Lightweight Directory Access Protocol) standard.
- Active Directory uses DNS for locating and naming objects.
- The tree root domain is the highest-level Active Directory domain in a tree (a tree root domain can also be a forest root domain).
- A tree is a group of domains that share the same name space. Domains in a tree:
  o Are connected with a two-way transitive trust.
  o Share a common schema.
  o Have common global catalogs.
- The schema defines the attributes (and classes) of the objects in a tree.
- The forest root domain is the first domain created in the Active Directory forest. There are dedicated and regional forest root domains.
- Container objects are designed to contain other objects, either other containers or leaf objects. Domain container objects can contain Organizational Unit (OU) container objects.


- First-level OUs can be called parents; second-level OUs can be called children.
- OUs can contain other OUs or any type of leaf object (e.g., users, computers, printers).
- You cannot assign rights and permissions to OUs. You can assign GPOs (Group Policy Objects) to OUs.
- An Active Directory site is one or more well-connected, highly reliable, fast TCP/IP subnets.
- All Active Directory sites contain servers and site links (the connection between two sites that allows replication to occur).
- A site link cost is a value assigned to a link that is used to regulate the traffic according to the speed of the link. The higher the site link cost, the slower the link speed.
- Domain controllers are servers that hold writable copies of the Active Directory database. Domain controllers participate in replication.
- The Active Directory database is partitioned and replicated. There are four types of Active Directory database partitions:
  o Domain
  o Configuration
  o Schema
  o Application
- Users find objects in Active Directory by querying the database.
- The first domain controller installed in the forest automatically becomes the global catalog server for that domain.
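The facts above describe the pieces of a deployment (forest root, tree roots, partitions, global catalogs, sites and site link costs). The script below is an added example, not part of the study guide, that reads those pieces from a live forest with the ActiveDirectory RSAT module; it assumes a domain-joined account that can read the configuration partition, and it treats any domain without a parent domain as a tree root.

```powershell
# Added example (not from the study guide): inventory the forest structure described above.
# Assumes the ActiveDirectory RSAT module and read access to the configuration partition.
Import-Module ActiveDirectory

function Get-ForestInventory {
    $forest  = Get-ADForest
    $rootDse = Get-ADRootDSE

    [pscustomobject]@{
        ForestRootDomain   = $forest.RootDomain
        ForestMode         = $forest.ForestMode
        SchemaMaster       = $forest.SchemaMaster
        DomainNamingMaster = $forest.DomainNamingMaster
        GlobalCatalogs     = @($forest.GlobalCatalogs)
        # namingContexts lists every partition this DC holds: the domain, configuration
        # and schema partitions plus any application partitions (for example DomainDnsZones).
        Partitions         = @($rootDse.namingContexts)
    }

    foreach ($domainName in $forest.Domains) {
        $d = Get-ADDomain -Identity $domainName
        [pscustomobject]@{
            Domain       = $d.DNSRoot
            DomainMode   = $d.DomainMode
            ParentDomain = $d.ParentDomain
            # A domain with no parent starts its own tree: either the forest root domain
            # or the root of an additional tree with its own name space (assumption noted above).
            IsTreeRoot   = [string]::IsNullOrEmpty($d.ParentDomain)
            IsForestRoot = ($d.DNSRoot -eq $forest.RootDomain)
            RIDMaster    = $d.RIDMaster
            PDCEmulator  = $d.PDCEmulator
            InfraMaster  = $d.InfrastructureMaster
        }
    }

    # Site links, cheapest (fastest) link first: a higher cost means a slower link,
    # so the replication topology prefers the lower-cost path.
    Get-ADReplicationSiteLink -Filter * |
        Sort-Object Cost |
        Select-Object Name, Cost, ReplicationFrequencyInMinutes,
            @{ Name = 'Sites'; Expression = {
                ($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ', ' } }

    # Which domain controllers of the current domain are global catalogs, and where they sit.
    Get-ADDomainController -Filter * |
        Select-Object HostName, Domain, Site, IsGlobalCatalog, OperationMasterRoles
}

Get-ForestInventory | Format-List
```

Run it from any domain member; the partition list is a quick way to confirm the four partition types named above, and the site link listing makes the "higher cost, slower link" rule visible for your own topology.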

Installation Facts

You should know the following facts about Active Directory installation:

- Active Directory requires the following:
  o TCP/IP running on the servers and clients.
  o A DNS server.
  o Windows 2000 or 2003 operating systems.
- After installing Windows 2003, you can install Active Directory using the Dcpromo command.
- Members of the Domain Admins group can add domain controllers to a domain.
- Members of the Enterprise Admins group can perform administrative tasks across the entire network, including:
  o Change the Active Directory forest configuration by adding/removing domains. (New domains are created when the first domain controller is installed. Domains are removed when the last domain controller is uninstalled.)
  o Add/remove sites.
  o Change the distribution of subnets or servers in a site.
  o Change site link configuration.


Advanced Installation Facts


If you are installing a Windows Server 2003 server into an existing Windows 2000 Active Directory structure, you must first prepare Active Directory for the installation by taking the following steps:

1. Apply Service Pack 2 or later on all domain controllers.
2. Back up your data.
3. On the schema master for the forest, disconnect the server from the network and run Adprep /forestprep.
4. Reconnect the server and wait at least 15 minutes (or as long as half a day or more) for synchronization to occur.
5. If Active Directory has multiple domains, or if the infrastructure master for the domain is on a different server than the schema master, run Adprep /domainprep on the infrastructure master for the domain.

Keep in mind the following facts about using Adprep:

- To run /forestprep, you must be a member of the Schema Admins or Enterprise Admins group.
- To run /domainprep, you must be a member of the Domain Admins or Enterprise Admins group.
- If you have a single domain, and the infrastructure master is on the same server as the schema master, you do not need to run /domainprep (/forestprep performs all necessary functions to prepare Active Directory).

You should know the following facts about Active Directory advanced installations:

- Installing from a replica media set creates the initial Active Directory database from a backup copy and then replicates in only the changes made since the backup. This avoids much of the replication traffic normally generated when a server is promoted to a domain controller.
- To rename domain controllers, the domain functional level must be at least Windows 2003 (this means all domain controllers must be running Windows 2003).

Installation Tools

You can use the following tools to troubleshoot an Active Directory installation:

Directory Services log: Use Event Viewer to examine the log. The log lists informational, warning, and error events.
Netdiag: Run from the command line. Tests for domain controller connectivity (in some cases, it can make repairs).
DCDiag: Analyzes domain controller states and tests different functional levels of Active Directory.
Dcpromo log files: Located in the %Systemroot%\Debug folder. Dcpromoui gives a detailed progress report of Active Directory installation and removal. Dcpromos is created when a Windows 3.x or NT 4 domain controller is promoted.
Ntdsutil: Can remove orphaned data or a domain controller object from Active Directory.

You can also check the following settings to begin troubleshooting an Active Directory installation:

- Make sure the DNS name is properly registered.
- Check the spelling in the configuration settings.
- PING the computer to verify connectivity.
- Verify the domain name to which you are authenticating.
- Verify that the username and password are correct.
- Verify the DNS settings.
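The checklist above (DNS registration, connectivity, DNS settings) can be scripted. The function below is an added example, not part of the study guide: it resolves the SRV records that the Netlogon service of every domain controller registers, then pings each advertised host and tests the advertised TCP port. It assumes Windows 8 / Server 2012 or later for Resolve-DnsName and Test-NetConnection, and that $env:USERDNSDOMAIN names the domain to check.

```powershell
# Added example (not from the study guide): verify the DNS records and ports that a
# client, or a server about to be promoted, needs in order to find a domain controller.
function Test-DcLocator {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        [string]$DnsServer            # optional: the DNS server the new DC is configured to use
    )

    $resolveArgs = @{ Type = 'SRV'; ErrorAction = 'Stop' }
    if ($DnsServer) { $resolveArgs['Server'] = $DnsServer }

    # SRV records registered under the domain name by every DC's Netlogon service.
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$DomainName"      # any DC in the domain (LDAP)
        "_kerberos._tcp.dc._msdcs.$DomainName"  # any KDC in the domain
        "_ldap._tcp.pdc._msdcs.$DomainName"     # the PDC emulator
    )

    foreach ($name in $srvNames) {
        try {
            $srv = Resolve-DnsName -Name $name @resolveArgs | Where-Object { $_.Type -eq 'SRV' }
        } catch {
            # A missing record is the usual reason "the domain controller could not be contacted".
            [pscustomobject]@{ Record = $name; Target = $null; Port = $null; Ping = $false
                               TcpPort = $false; Note = "not registered: $($_.Exception.Message)" }
            continue
        }
        foreach ($r in $srv) {
            $target = $r.NameTarget
            $ping   = Test-Connection -ComputerName $target -Count 1 -Quiet -ErrorAction SilentlyContinue
            $tcp    = (Test-NetConnection -ComputerName $target -Port $r.Port `
                           -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{ Record = $name; Target = $target; Port = $r.Port
                               Ping = [bool]$ping; TcpPort = [bool]$tcp; Note = '' }
        }
    }
}

# Every target should answer the ping and accept the TCP connection.
Test-DcLocator -DomainName $env:USERDNSDOMAIN | Format-Table -AutoSize
```

Pass -DnsServer with the address configured on the server being promoted: a record that resolves from your workstation but not from that server's DNS is a DNS-settings problem rather than a DC problem, which is the distinction the last item of the checklist is after.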

Backup and Restore Facts


You should know the following facts about backup and restore:

- When you reboot after restoring, Active Directory replication replicates changes. Items restored non-authoritatively will be overwritten during replication.
- Use an authoritative restore to restore deleted objects. The objects will be replicated back to other domain controllers on the network.
- Use a non-authoritative restore to get the DC back online. Items will replicate from other DCs after the restored DC goes back online.
- Active Directory data is restored by restoring the System State data. You cannot selectively restore Active Directory objects from the backup media.
- To restore objects that were added to deleted OUs, move the objects from the LostAndFound container. No restore of objects is necessary.
- Make sure you perform backups more often than the tombstone lifetime setting in Active Directory. For example, if the tombstone lifetime is set to 10 days, you should back up Active Directory at least every 9 days. If your backup interval is larger than the tombstone lifetime, the system can treat your Active Directory backup as expired.
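The tombstone-lifetime rule in the last item is easy to check rather than remember. The script below is an added example, not part of the study guide: it reads the forest's tombstoneLifetime from the configuration partition and compares it with a backup interval and last-backup time that you supply. It assumes the ActiveDirectory module; the 60-day fallback is the value Active Directory uses when the attribute has never been set (forests created on Windows Server 2003 SP1 or later write 180 explicitly).

```powershell
# Added example (not from the study guide): compare the backup schedule with the forest
# tombstone lifetime, which decides whether a System State backup is still usable.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                             -Properties tombstoneLifetime
    if ($dsObject.tombstoneLifetime) { return [int]$dsObject.tombstoneLifetime }
    # Attribute absent: Active Directory uses its built-in default of 60 days.
    return 60
}

function Test-AdBackupSchedule {
    param(
        [Parameter(Mandatory)][int]$BackupIntervalDays,   # how often System State is backed up
        [Parameter(Mandatory)][datetime]$LastBackup,      # timestamp of the newest System State backup
        [int]$TombstoneLifetimeDays = (Get-TombstoneLifetimeDays)
    )
    $ageDays = [math]::Floor(((Get-Date) - $LastBackup).TotalDays)

    [pscustomobject]@{
        TombstoneLifetimeDays = $TombstoneLifetimeDays
        BackupIntervalDays    = $BackupIntervalDays
        # The guide's rule: back up at least one day more often than the tombstone lifetime.
        IntervalOk            = ($BackupIntervalDays -le ($TombstoneLifetimeDays - 1))
        LastBackupAgeDays     = $ageDays
        # A backup older than the tombstone lifetime is expired: restoring it would bring
        # back objects that the other DCs have already garbage-collected.
        LastBackupUsable      = ($ageDays -lt $TombstoneLifetimeDays)
    }
}

# Constructed sample input: a 9-day schedule whose last backup ran 4 days ago.
Test-AdBackupSchedule -BackupIntervalDays 9 -LastBackup (Get-Date).AddDays(-4)
```

With the guide's 10-day tombstone lifetime, IntervalOk is true for a 9-day interval and false for 10; the LastBackupUsable field is the one to alert on, because an expired backup cannot be used for an authoritative restore.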

Microsoft gives the following as the best practice procedure for restoring Active Directory from backup media:

1. Reboot into Active Directory restore mode. Log in using the password you specified during setup (not a domain account).
2. Restore the System State data from backup to its original location and to an alternate location.
3. Run Ntdsutil to mark the entire Active Directory database (if you're restoring the entire database) or specific Active Directory objects (if you're only restoring selected Active Directory objects) as authoritative.
4. Reboot normally.
5. Restore Sysvol contents by copying the Sysvol directory from the alternate location to the original location to overwrite the existing Sysvol directory (if you're restoring the entire database). Or, copy the policy folders (identified by GUID) from the alternate location to the original location to overwrite the existing policy folders.

You should know the following facts about Sysvol restoration:

- Sysvol is the shared system volume on all domain controllers. Sysvol stores scripts and Group Policy objects for the local domain and the network.
- The default location for Sysvol is %Systemroot%\Sysvol.
- To ensure that the proper settings are authoritatively restored, copy the Sysvol directory from an alternate location over the existing Sysvol directory. Or, copy the Sysvol policy folders from the alternate location over the original location. (This maintains the integrity of the Group Policy of the computer.)

Security Facts
You should know the following facts about security principals:

- A security principal is an account holder who has a security identifier.
- The Active Directory migration tool allows you to move objects between domains. Objects moved to a new domain get a new SID.
- The Active Directory migration tool creates a SID history. The SID history allows an object moved to a new domain to keep its original SID.

You should know the following information pertaining to identifiers:

GUID: Globally Unique Identifier. A 128-bit number guaranteed to be unique across the network. Assigned to objects when they are created. An object's GUID never changes (even if the object is renamed or moved).
SID: Security Identifier. A unique number assigned when an account is created. Every account is given a unique SID. The system uses the SID to track the account rather than the account's user or group name. A deleted account that is recreated will be given a different SID. The SID is composed of the domain SID and a unique RID.
RID: Relative Identifier. Unique among all the SIDs in a domain. Handed out by the RID master.
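The SID structure above (domain SID plus RID) and the SID history created by the migration tool can both be inspected directly. The script below is an added example, not part of the study guide: Split-Sid breaks a SID into its domain SID and RID, and Get-SidHistoryReport lists every principal in the current domain that still carries a sIDHistory value, flagging entries a migration would not normally produce. It assumes the ActiveDirectory module; the sample SID is constructed.

```powershell
# Added example (not from the study guide): decompose SIDs and review SID history.
Import-Module ActiveDirectory

function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s = [System.Security.Principal.SecurityIdentifier]$Sid
    $parts = $s.Value -split '-'
    [pscustomobject]@{
        Sid       = $s.Value
        # AccountDomainSid is null for well-known SIDs such as S-1-5-18 (LocalSystem).
        DomainSid = if ($s.AccountDomainSid) { $s.AccountDomainSid.Value } else { $null }
        Rid       = [int]$parts[-1]
        # RIDs below 1000 are reserved for built-in principals (500 Administrator,
        # 502 krbtgt, 512 Domain Admins, 519 Enterprise Admins, ...).
        IsBuiltIn = ([int]$parts[-1] -lt 1000)
    }
}

function Get-SidHistoryReport {
    $localDomainSid = (Get-ADDomain).DomainSID.Value
    Get-ADObject -LDAPFilter '(sIDHistory=*)' -Properties sIDHistory, objectSid | ForEach-Object {
        $obj = $_
        foreach ($old in $obj.sIDHistory) {
            $h = Split-Sid "$old"
            [pscustomobject]@{
                Object     = $obj.DistinguishedName
                CurrentSid = "$($obj.objectSid)"
                HistorySid = $h.Sid
                HistoryRid = $h.Rid
                # Review items: a history entry that names a privileged built-in RID, or the
                # current domain itself (a migration never produces that), needs investigation
                # rather than being treated as an ADMT leftover.
                Suspicious = ($h.IsBuiltIn -or ($h.DomainSid -eq $localDomainSid))
            }
        }
    }
}

Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-1153'   # constructed sample SID
Get-SidHistoryReport | Format-Table -AutoSize
```

Once a migration is complete and the old domain has been decommissioned, the sIDHistory values it created serve no purpose; reviewing and clearing them periodically keeps this attribute from carrying permissions nobody tracks.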

Group Facts
Active Directory defines three group scopes. The scope describes the domains on the network from which you can assign members to the group, where the group's permissions are valid, and which groups you can nest.

Global groups: Used to group users from the local domain. Typically, you assign users who perform similar job functions to a global group. A global group can contain user and computer accounts and global groups from the domain in which the global group resides. Global groups can be used to grant permissions to resources in any domain in the forest.
Domain local groups: Used to grant access to resources in the local domain. They have open membership, so they may contain user and computer accounts, universal groups, and global groups from any domain in the forest. A domain local group can also contain other domain local groups from its domain. Domain local groups can be used to grant permissions to resources in the domain in which the domain local group resides.
Universal groups: Used to grant access to resources in any domain in the forest. They have open membership, so you can include user and computer accounts, universal groups, and global groups from any domain in the forest. Universal groups can be used to grant permissions to resources in any domain in the forest. Universal groups are available only at the Windows 2000 Native or Windows 2003 domain functional level.

Built-in Groups
Windows domain controllers include several built-in domain local groups, each of which has predefined rights. These groups are automatically created on domain controllers, and are placed in the Built-in folder in Active Directory Users and Computers.

Administrators: Full control over the computer, including every available right in the system (the only built-in account that automatically has all rights), including the Take ownership of files or other objects right.
Server Operators: Share folders and back up files and folders.
Backup Operators: Back up, copy, and restore files on the computer (regardless of permissions). Log on to and shut down the computer. Cannot change security settings.
Account Operators: Create, delete, and modify domain user accounts and groups. Cannot modify the Administrators group or any Operators groups.

The basic best practices for user and group security are:

- Create groups based on users' and administrators' needs.
- Assign user accounts to the appropriate groups.
- Assign permissions to each group based on the resource needs of the users in the group and the security needs of your network.

Group Strategy Facts


To make permission assignments easier, assign permissions to a group, then add the accounts that need to use the group's resources. You can add user accounts, computers, and other groups to groups. You should remember the following when assigning members to groups:

- Adding a user account to a group gives that account all the permissions and rights granted to the group (the user must log off and log back on before the change takes effect).
- The same user account can be included in multiple groups. (This multiple inclusion may lead to permissions conflicts, so be aware of the permissions assigned to each group.)
- Nesting is the technique of making a group a member of another group. Using hierarchies of nested groups may make administration simpler, as long as you remember what permissions you have assigned at each level.

The following table shows the three basic recommended approaches to managing users, groups, and permissions.

ALP
  Use: Used on workstations and member servers.
  Description: A: Place user Accounts; L: into Local groups; P: assign Permissions to the local groups.
  Application: Best used in a workgroup environment, not in a domain.

AGDLP
  Use: Used in mixed mode domains and in native mode domains (does not use universal groups, which are also not available in mixed mode).
  Description: A: Place user Accounts; G: into Global groups; DL: into Domain Local groups; P: assign Permissions to domain local groups.
  Application:
  1. Identify the users in the domain who use the same resources and perform the same tasks. Group these accounts together in global groups.
  2. Create new domain local groups if necessary, or use the built-in groups to control access to resources.
  3. Combine all global groups that need access to the same resources into the domain local group that controls those resources.
  4. Assign permissions to the resources to the domain local group.

AGUDLP
  Use: Used in native mode domains, when there is more than one domain, and you need to grant access to similar groups defined in multiple domains.
  Description: A: Place user Accounts; G: into Global groups; U: into Universal groups; DL: into Domain Local groups; P: assign Permissions to domain local groups.
  Application: Universal groups should be used when you need to grant access to similar groups defined in multiple domains. It is best to add global groups to universal groups, instead of placing user accounts directly in universal groups.
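The scope rules from Group Facts and the AGDLP/AGUDLP patterns above can be encoded and then used to audit a domain. The script below is an added example, not part of the study guide: Test-GroupNesting answers whether a given member may be placed in a group of a given scope, and Find-AgdlpViolations lists accounts that were placed directly into domain local or universal groups, bypassing the global-group layer. It assumes the ActiveDirectory module and a domain at 2000 Native level or higher; the domain names in the sample calls are constructed.

```powershell
# Added example (not from the study guide): group-scope nesting rules and an AGDLP audit.
Import-Module ActiveDirectory

function Test-GroupNesting {
    param(
        [Parameter(Mandatory)][ValidateSet('Global','DomainLocal','Universal')][string]$GroupScope,
        [Parameter(Mandatory)][string]$GroupDomain,
        [Parameter(Mandatory)][ValidateSet('Account','Global','DomainLocal','Universal')][string]$MemberKind,
        [Parameter(Mandatory)][string]$MemberDomain
    )
    $sameDomain = ($GroupDomain -eq $MemberDomain)
    switch ($GroupScope) {
        # Global: accounts and global groups, and only from the group's own domain.
        'Global'      { return ($sameDomain -and ($MemberKind -in 'Account','Global')) }
        # Domain local: anything from any domain in the forest, except other domain local
        # groups, which must come from the same domain.
        'DomainLocal' { return (($MemberKind -ne 'DomainLocal') -or $sameDomain) }
        # Universal: accounts, global and universal groups from any domain; never domain local.
        'Universal'   { return ($MemberKind -ne 'DomainLocal') }
    }
}

function Find-AgdlpViolations {
    param([string]$SearchBase = (Get-ADDomain).DistinguishedName)
    # Permissions belong on domain local groups and accounts belong in global groups. A user
    # or computer placed directly in a domain local or universal group skips the G (or U)
    # layer, which is the most common deviation from AGDLP / AGUDLP.
    Get-ADGroup -Filter 'GroupScope -ne "Global"' -SearchBase $SearchBase | ForEach-Object {
        $group = $_
        Get-ADGroupMember -Identity $group |
            Where-Object { $_.objectClass -in 'user','computer' } |
            ForEach-Object {
                [pscustomobject]@{
                    Group      = $group.Name
                    GroupScope = $group.GroupScope
                    Member     = $_.SamAccountName
                    Finding    = "account placed directly in a $($group.GroupScope) group"
                }
            }
    }
}

# Rule checks on constructed inputs.
Test-GroupNesting -GroupScope Global -GroupDomain corp.example -MemberKind Account -MemberDomain sales.corp.example    # False
Test-GroupNesting -GroupScope DomainLocal -GroupDomain corp.example -MemberKind Global -MemberDomain sales.corp.example # True
Test-GroupNesting -GroupScope Universal -GroupDomain corp.example -MemberKind DomainLocal -MemberDomain corp.example    # False
Find-AgdlpViolations | Format-Table -AutoSize
```

Built-in domain local groups such as Account Operators will usually show up in the audit with direct user members; treat those as findings too, since the same reasoning (grant through a global group you can review) applies to them.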

Designing Active Directory for Delegation


You should know the following facts about delegating control:

- Structure the OUs and the location of user accounts based on administrative needs.
- When you delegate control of an OU, you assign a user or group the permissions necessary to administer Active Directory functions according to their needs.
- In a small organization, you may have a single administrative group to manage the Active Directory objects. In larger organizations, you may have OUs for several departments. In this case, you could delegate control to a user or group within each OU.
- Use the Delegate Control wizard in Active Directory Users and Groups to delegate control.
- You can verify permissions delegation in two ways:
  o Select the Security tab in the container's Properties dialog box.
  o Open the Advanced Security Settings dialog box for the container.
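The two verification methods above are manual. The script below is an added example, not part of the study guide, that does the same check from PowerShell: it reads the OU's ACL through the ActiveDirectory module's AD: drive, keeps only the explicit (non-inherited) entries, which is where the Delegate Control wizard writes, and translates the object GUIDs into attribute, class and extended-right names. It assumes the ActiveDirectory module; the list of principals to hide and the sample OU distinguished name are constructed.

```powershell
# Added example (not from the study guide): list what has been delegated on an OU.
Import-Module ActiveDirectory

function Get-AdGuidMap {
    # Map schemaIDGUID and extended-right GUIDs to names so object-specific ACEs read as
    # "Reset Password" or "pwdLastSet" instead of a raw GUID.
    $rootDse = Get-ADRootDSE
    $map = @{}
    $map[[guid]::Empty] = 'All'
    Get-ADObject -SearchBase $rootDse.schemaNamingContext -LDAPFilter '(schemaIDGUID=*)' `
                 -Properties lDAPDisplayName, schemaIDGUID |
        ForEach-Object { $map[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }
    Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
                 -LDAPFilter '(objectClass=controlAccessRight)' -Properties displayName, rightsGuid |
        ForEach-Object { $map[[guid]$_.rightsGuid] = $_.displayName }
    return $map
}

function Get-OuDelegation {
    param(
        [Parameter(Mandatory)][string]$OuDistinguishedName,
        # Principals present on every OU by default (constructed list); hide them to see
        # what was actually delegated.
        [string[]]$IgnorePrincipals = @('NT AUTHORITY\SYSTEM', 'NT AUTHORITY\SELF',
                                        'NT AUTHORITY\ENTERPRISE DOMAIN CONTROLLERS',
                                        'BUILTIN\Administrators',
                                        'BUILTIN\Pre-Windows 2000 Compatible Access')
    )
    $guidMap = Get-AdGuidMap
    $acl = Get-Acl -Path "AD:\$OuDistinguishedName"
    $acl.Access |
        Where-Object { (-not $_.IsInherited) -and ($IgnorePrincipals -notcontains $_.IdentityReference.Value) } |
        ForEach-Object {
            [pscustomobject]@{
                Principal   = $_.IdentityReference.Value
                Type        = $_.AccessControlType
                Rights      = $_.ActiveDirectoryRights
                # ObjectType narrows the right to one attribute, class or extended right;
                # InheritedObjectType narrows which child object classes it applies to.
                AppliesTo   = if ($guidMap.ContainsKey($_.ObjectType)) { $guidMap[$_.ObjectType] } else { $_.ObjectType }
                ChildClass  = if ($guidMap.ContainsKey($_.InheritedObjectType)) { $guidMap[$_.InheritedObjectType] } else { $_.InheritedObjectType }
                Inheritance = $_.InheritanceType
            }
        }
}

# Review who was delegated what on a departmental OU (constructed distinguished name).
Get-OuDelegation -OuDistinguishedName 'OU=Sales,DC=corp,DC=example' | Format-Table -AutoSize
```

The output corresponds line for line to the Advanced Security Settings dialog; a GenericAll or WriteDacl entry for a helpdesk group is the kind of over-delegation this review is meant to catch, since it grants far more than the wizard's "reset passwords" task.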

Planning Guidelines
You should know the following guidelines for planning an Active Directory structure:

- To begin planning a forest, you must decide how many forests you need. You may need more than one forest because of the physical structure of the company, business unit autonomy, schema differences, or trust limitations.
- Multiple forests require more administration. Additional administrative difficulties include:
  o Schema consistency.
  o Global catalog placement.
  o Trust configuration.
  o Resource access.
- Every time you add a domain, you add administrative and hardware costs. You should consider multiple domains if you need to:
  o Configure separate security policies.
  o Separate administration.
  o Control replication traffic.
  o Support Windows NT.
  o Create distinct name spaces.
  o Configure password policies.
- Create OUs for the following reasons:
  o Administrative purposes.
  o Corporate policies.
  o Administer Group Policies.

Trust Types
The following table shows the types of trusts you can create in Active Directory.

Tree root: Automatically established between two trees in the same forest. Trusts are transitive and two-way.
Parent/child: Automatically created between child and parent domains. Trusts are transitive and two-way.
Shortcut: Manually created between two domains in the same forest. Trusts are transitive, and can be either one-way or two-way. Create a shortcut trust to reduce the amount of Kerberos traffic on the network due to authentication.
External: Manually created between domains in different forests. Typically used to create trusts between Active Directory and NT 4.0 domains. Trusts are not transitive, and can be either one-way or two-way.
Forest root: Manually created between the root domains of two forests. Transitive within the two forests. Can be either one-way or two-way.
Realm: Manually created between Active Directory and non-Windows Kerberos realms. Can be transitive or non-transitive. Can be either one-way or two-way.

Trusts have a direction that indicates which way trust flows in the relationship.

- The direction of the arrow identifies the direction of trust. For example, if Domain A trusts Domain B, the arrow points from Domain A to Domain B. Domain A is the trusting domain, and Domain B is the trusted domain.
- Resource access is granted in the opposite direction from the trust. For example, if Domain A trusts Domain B, users in Domain B have access to resources in Domain A (remember that users in the trusted domain have access to resources in the trusting domain).
- A two-way trust is the same as two one-way trusts in opposite directions.
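Get-ADTrust reports a trust's direction as Inbound, Outbound or BiDirectional relative to the domain you query, which is a different vocabulary from the trusting/trusted terms above. The script below is an added example, not part of the study guide: it restates each trust in those terms, classifies it into the categories of the table, and decodes the trustAttributes flags (the flag values are the ones documented in MS-ADTS). It assumes the ActiveDirectory module.

```powershell
# Added example (not from the study guide): restate each trust in trusting/trusted terms.
Import-Module ActiveDirectory

# trustAttributes bits as documented in MS-ADTS.
$TrustAttributeFlags = [ordered]@{
    0x01 = 'NON_TRANSITIVE'
    0x02 = 'UPLEVEL_ONLY'
    0x04 = 'QUARANTINED_DOMAIN (SID filtering enforced)'
    0x08 = 'FOREST_TRANSITIVE'
    0x10 = 'CROSS_ORGANIZATION (selective authentication)'
    0x20 = 'WITHIN_FOREST'
    0x40 = 'TREAT_AS_EXTERNAL (forest trust with SID history allowed)'
    0x80 = 'USES_RC4_ENCRYPTION'
}

function ConvertTo-TrustAttributeNames {
    param([int]$Attributes)
    $TrustAttributeFlags.GetEnumerator() |
        Where-Object { ($Attributes -band $_.Key) -ne 0 } |
        ForEach-Object { $_.Value }
}

function Get-TrustDirectionSummary {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $partner   = $_.Target
        $direction = "$($_.Direction)"
        # Outbound: this domain trusts the partner, so partner users can reach our resources.
        # Inbound: the partner trusts this domain, so our users can reach partner resources.
        $trusting = switch ($direction) { 'Outbound' { $Domain }  'Inbound' { $partner } 'BiDirectional' { "$Domain and $partner" } }
        $trusted  = switch ($direction) { 'Outbound' { $partner } 'Inbound' { $Domain }  'BiDirectional' { "$partner and $Domain" } }
        $access   = switch ($direction) {
            'Outbound'      { "users of $partner can be granted access in $Domain" }
            'Inbound'       { "users of $Domain can be granted access in $partner" }
            'BiDirectional' { "users of $partner can be granted access in $Domain, and vice versa" }
        }
        $kind = if ($_.IntraForest)              { 'within forest (parent/child, tree root or shortcut)' }
                elseif ("$($_.TrustType)" -eq 'MIT') { 'realm' }
                elseif ($_.ForestTransitive)     { 'forest' }
                else                             { 'external' }

        [pscustomobject]@{
            Partner        = $partner
            Kind           = $kind
            Direction      = $direction
            TrustingDomain = $trusting
            TrustedDomain  = $trusted
            ResourceAccess = $access
            Attributes     = (ConvertTo-TrustAttributeNames $_.TrustAttributes) -join '; '
        }
    }
}

Get-TrustDirectionSummary | Format-Table -AutoSize
```

For trusts that leave the forest, the Attributes column is the part to read closely: QUARANTINED_DOMAIN on an external trust means SID filtering is enforced, while TREAT_AS_EXTERNAL on a forest trust means SID history from the other forest is honoured, which ties the trust's security to how well the other side protects that attribute.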

Functional Level Types


The table below shows the domain functional levels.

2000 Mixed
  Domain controller operating systems: NT, 2000, 2003
  Features:
  - Universal groups are available for distribution groups.
  - Group nesting is available for distribution groups.

2000 Native
  Domain controller operating systems: 2000, 2003
  Features:
  - Universal groups are available for security and distribution groups.
  - Group nesting.
  - Group converting (allows conversion between security and distribution groups).
  - SID history (allows security principals to be migrated among domains while maintaining permissions and group memberships).

2003
  Domain controller operating systems: 2003
  Features:
  - All features of 2000 Native domains.
  - Domain controller rename.
  - Update logon time stamp.
  - User password on InetOrgPerson object.

Forest functional levels depend on the domain functional levels. The table below shows the forest functional levels.

2000
  Domain functional level: 2000 Mixed or 2000 Native
  Features: Global catalog replication improvements are available if both replication partners are running Windows Server 2003.

2003
  Domain functional level: 2003
  Features:
  - Global catalog replication improvements
  - Defunct schema objects
  - Forest trusts
  - Linked value replication
  - Domain rename
  - Improved AD replication algorithms
  - Dynamic auxiliary classes
  - InetOrgPerson objectClass change

Operation Master Types


The following table lists the operation masters at the domain and forest levels. Only one domain controller in the domain or forest performs each role.

RID Master: Ensures domain-wide unique relative IDs (RIDs). The RID master allocates pools of IDs to each domain controller. When a DC has used all the IDs, it gets a new pool of IDs. One domain controller in each domain performs this role.
PDC Emulator: Emulates a Windows NT 4.0 primary domain controller (PDC). Replicates password changes within a domain. Ensures synchronized time within the domain (and between domains in the forest). One domain controller in each domain performs this role.
Infrastructure Master: Tracks moves and renames of objects. Updates group membership changes. One domain controller in each domain performs this role.
Domain Naming Master: Ensures that domain names are unique. Must be accessible to add or remove a domain from the forest. One domain controller in the forest performs this role.
Schema Master: Maintains the Active Directory schema for the forest. One domain controller in the forest performs this role.

You should know the following facts about operation master roles:

- Operation master role servers are also called flexible single master operation (FSMO) servers. These are domain controllers that perform single-master operations on the network.
- By default, the first domain controller in the forest holds all operation masters. When you create a new domain, the first domain controller holds the three domain operation masters (RID master, PDC emulator, infrastructure master).
- Use Active Directory Users and Computers to transfer the RID master, PDC emulator, and infrastructure master roles. Use Active Directory Domains and Trusts to transfer the domain naming master. Use the Active Directory Schema snap-in to transfer the schema master. Run Regsvr32 schmmgmt.dll to register the Active Directory Schema snap-in so that it can be added to a custom console.
- Before transferring any role, you must connect to the domain controller that will receive the transferred role.
- To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.
- With a few exceptions, the infrastructure master

Troubleshooting Operation Masters


The following table lists several problems that can be attributed to inaccessible or failed operation masters.

If you have this problem... / Check this operations master...
Unable to add Active Directory objects (either from one or many domain controllers): RID master
Unable to move or rename an object: Infrastructure master
Group membership information is not updated between domain controllers: Infrastructure master
Cannot add or remove a domain: Domain naming master
Non-Windows 2000/XP/2003 clients cannot authenticate: PDC master
Password changes are not updated: PDC master

Normally, you should transfer roles to other servers only if the server holding the original role is available. If the server holding the master has failed, you will need to seize the role (forcefully move the role to another server).

To seize an operations master role, first use the Repadmin tool to make sure the domain controller that is seizing the role is fully up to date with the updates on the former role owner. Then use the Ntdsutil tool to finish seizing the role:

1. Enter ntdsutil at the command line.
2. Enter roles.
3. Enter connections.
4. Enter connect to server [fully qualified domain name of the server].
5. Enter quit.
6. At the FSMO prompt, enter seize [master role name].
7. Enter quit to exit.

After seizing the role, do not bring the old server back online. If you repair the server, use Dcpromo to first remove Active Directory. Then bring it back online, install Active Directory, and transfer the role back if desired.
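The decision between a transfer and a seizure starts with knowing who holds each role and whether that holder still answers. The script below is an added example, not part of the study guide: it reads the five role holders from Get-ADForest and Get-ADDomain, pings each one and attempts an LDAP bind to it, and attaches the symptoms from the table above to each role. It assumes the ActiveDirectory module.

```powershell
# Added example (not from the study guide): operations master holders and their reachability.
Import-Module ActiveDirectory

# Symptom-to-role table from the guide, usable as a lookup.
$SymptomRole = [ordered]@{
    'Unable to add Active Directory objects'                  = 'RID master'
    'Unable to move or rename an object'                      = 'Infrastructure master'
    'Group membership not updated between domain controllers' = 'Infrastructure master'
    'Cannot add or remove a domain'                           = 'Domain naming master'
    'Non-Windows 2000/XP/2003 clients cannot authenticate'    = 'PDC emulator'
    'Password changes are not updated'                        = 'PDC emulator'
}

function Get-OperationsMasterStatus {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    $roles = [ordered]@{
        'Schema master'         = $forest.SchemaMaster          # one per forest
        'Domain naming master'  = $forest.DomainNamingMaster    # one per forest
        'RID master'            = $dom.RIDMaster                # one per domain
        'PDC emulator'          = $dom.PDCEmulator              # one per domain
        'Infrastructure master' = $dom.InfrastructureMaster     # one per domain
    }

    foreach ($entry in $roles.GetEnumerator()) {
        $holder = $entry.Value
        $pingOk = Test-Connection -ComputerName $holder -Count 1 -Quiet -ErrorAction SilentlyContinue
        # An LDAP bind to the holder proves the directory service is up, not just the host.
        $ldapOk = $false
        try { $null = Get-ADRootDSE -Server $holder -ErrorAction Stop; $ldapOk = $true } catch { }

        [pscustomobject]@{
            Role     = $entry.Key
            Holder   = $holder
            Ping     = [bool]$pingOk
            Ldap     = $ldapOk
            Symptoms = ($SymptomRole.GetEnumerator() |
                            Where-Object { $_.Value -eq $entry.Key } |
                            ForEach-Object { $_.Key }) -join '; '
            # Transfer while the holder answers; seize only a holder that is really gone.
            Action   = if ($ldapOk) { 'reachable: transfer if the role must move' }
                       else         { 'unreachable: confirm the server is lost before seizing' }
        }
    }
}

Get-OperationsMasterStatus | Format-Table -AutoSize
```

On current Windows versions the transfer described in the Operation Master Types facts can also be done with Move-ADDirectoryServerOperationMasterRole, naming the receiving domain controller as the identity; the same cmdlet with -Force performs the seizure that the Ntdsutil steps above describe, and the rule about not bringing the old holder back online applies unchanged.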

Managing the Schema


You should know the following facts about schema management:

- The schema is the database of object classes and attributes that can be stored in Active Directory. Each object definition in the schema is stored as an object itself, so Active Directory can manage these definitions just as it does other objects.
- The schema includes definitions for classes and attributes (the definitions are also called metadata).
- Extending the schema allows Active Directory to recognize new attributes and classes. Adding a component like Microsoft Exchange requires the Active Directory schema to be extended.
- Only a member of the Schema Admins group has the permission to modify or extend the schema.
- To perform schema management tasks, use the Active Directory Schema snap-in.

Default Active Directory Objects


When you install Active Directory, several objects and containers are automatically created. The following table lists the default containers and their contents.

Container                  Contents
Builtin                    Built-in domain local security groups. These groups are pre-assigned permissions needed to perform domain management tasks.
Computers                  All computers joined to the domain without a computer account.
Domain Controllers*        All domain controllers. This OU cannot be deleted.
ForeignSecurityPrincipals  Proxy objects for security principals in NT 4.0 domains or domains outside of the forest.
LostAndFound**             Objects moved or created at the same time an Organizational Unit is deleted. Because of Active Directory replication, the parent OU can be deleted on one domain controller. Administrators at other domain controllers can add or move objects to the deleted OU before the change has been replicated. During replication, new objects are placed in the LostAndFound container.
NTDS Quotas**              Objects that contain limits on the number of objects users and groups can own.
Program Data**             Application-specific data created by other programs. This container is empty until a program designed to store information in Active Directory uses it.
System**                   Configuration information about the domain including security groups and permissions, the domain SYSVOL share, Dfs configuration information, and IP security policies.
Users                      Built-in user and group accounts. Users and groups are pre-assigned membership and permissions for completing domain and forest management tasks.

*Be aware that the Domain Controllers OU is the only default organizational unit object. All other default containers are just containers, not OUs. As such, you cannot apply a GPO to any default container except for the Domain Controllers OU.
**By default, these containers are hidden in Active Directory Users and Computers. To view these containers, click View/Advanced Features from the menu.

Object Management Tasks and Tools


You should be familiar with the following object management tasks and tools:

- The Active Directory Migration Tool (ADMT) is a GUI-based utility that lets you migrate users and other objects between domains. The tool requires that the source domain trust the target domain. You can use the ADMT to retain an object's SID.
- Moving an object within a domain retains its permissions. Deleting the object deletes existing permissions. You should rename or move an object rather than delete and recreate it.
- The Ldp utility allows you to search for and view the properties of multiple Active Directory objects.
- If a computer that does not have an account is joined to the domain, a computer object is created by default in the built-in Computers container (which, as noted above, is a container rather than an OU, so no GPO can be linked to it).
- Use the Dsadd command to add an OU object to Active Directory from the command line. The easiest way to create a single OU in Active Directory is to use the Active Directory Users and Computers snap-in in the MMC.
- To view the LostAndFound folder, select Advanced Features from the View menu in the Active Directory Users and Computers snap-in. The LostAndFound folder is used when, for example, a container is deleted on one replica, but objects are added or moved beneath the same container on another replica. In this case, the objects added or moved under the deleted container are stored in the LostAndFound container.
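Two of the default containers above deserve a regular look: computers that were joined and never moved out of the Computers container receive no OU-linked policy, and anything in LostAndFound is an object whose parent vanished during replication. This added PowerShell example (not from the study guide) reports both; it assumes the ActiveDirectory module from RSAT and takes the container paths from Get-ADDomain rather than hard-coding them.

```powershell
# Added example (not from the study guide): find policy gaps in the default
# Computers container and orphans in LostAndFound. Assumes RSAT (ActiveDirectory module).
Import-Module ActiveDirectory

function Get-DefaultContainerReport {
    param([string]$Server = (Get-ADDomain).PDCEmulator)

    $domain = Get-ADDomain -Server $Server

    # Computers left in the default container: joined, but outside every OU and its GPOs.
    $strays = Get-ADComputer -Server $Server -Filter * -SearchBase $domain.ComputersContainer `
                -SearchScope OneLevel -Properties whenCreated, lastLogonTimestamp |
              ForEach-Object {
                  # lastLogonTimestamp is a file-time integer; convert it to a readable date.
                  $last = if ($_.lastLogonTimestamp) { [datetime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
                  [pscustomobject]@{ Name = $_.Name; Created = $_.whenCreated; LastLogon = $last }
              }

    # LostAndFound keeps lastKnownParent, which tells you which OU disappeared underneath the object.
    $orphans = Get-ADObject -Server $Server -Filter * -SearchBase $domain.LostAndFoundContainer `
                 -SearchScope OneLevel -Properties lastKnownParent |
               Select-Object Name, ObjectClass, lastKnownParent

    [pscustomobject]@{
        ComputersContainer = $domain.ComputersContainer
        StrayComputers     = @($strays)
        LostAndFound       = $domain.LostAndFoundContainer
        OrphanedObjects    = @($orphans)
    }
}

$report = Get-DefaultContainerReport
"{0} computer(s) in {1} (no OU-linked GPO reaches them):" -f $report.StrayComputers.Count, $report.ComputersContainer
$report.StrayComputers | Format-Table -AutoSize
"{0} object(s) in {1}:" -f $report.OrphanedObjects.Count, $report.LostAndFound
$report.OrphanedObjects | Format-Table -AutoSize
```

If the stray-computer list never empties, the usual fix is to redirect new computer objects into a managed OU with the redircmp tool, so that newly joined machines land under policy from the start.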

Group Policy Facts


Group policy is a tool used to implement system configurations that can be deployed from a central location through GPOs (Group Policy Objects). You should know the following Group Policy facts:

- GPOs contain hundreds of configuration settings.
- GPOs can be linked to Active Directory sites, domains, or organizational units (OUs).
- GPOs include computer and user sections. Computer settings are applied at startup. User settings are applied at logon.
- A GPO only affects the users and computers beneath the object to which the GPO is linked.
- Group policy settings take precedence over user profile settings.
- A local GPO is stored on a local machine. It can be used to define settings even if the computer is not connected to a network.
- GPOs are applied in the following order:
  1. Local
  2. Site
  3. Domain
  4. OU
  If GPOs conflict, the last GPO to be applied overrides conflicting settings.
- The Computers container is not an OU, so it cannot have a GPO applied to it.
- Group policy is not available for Windows 98/NT clients or Windows NT 4.0 domains.
- You can use a GPO for document redirection, which customizes where user files are saved. (For example, you can redirect the My Documents folder to point to a network drive where regular backups occur. Folder redirection requires Active Directory-based group policy.)
- Configuring a domain group policy to delete cached copies of roaming user profiles will remove the cached versions of the profile when a user logs off.

Refreshing Group Policy

- By default, Computer Configuration group policy settings (except Software Installation and Folder Redirection) refresh every 5 minutes on domain controllers and every 90 minutes (plus a random offset between 0 and 30 minutes) for other computers.
- By default, User Configuration group policy settings (except Software Installation and Folder Redirection) refresh every 90 minutes (plus a random offset between 0 and 30 minutes).
- You can modify refresh rates by editing the properties of the following settings in Group Policy:
  o Group Policy refresh interval for computers.
  o Group Policy refresh interval for Domain Controllers.
  o Group Policy refresh intervals for users.
- Software Installation and Folder Redirection don't refresh because it is too risky to install/uninstall software or move files while users are using their computers.

To manually refresh group policy settings, use the Gpupdate command with the following switches:

Switch              Function
(no switch)         Refresh user and computer-related group policy.
/target:user        Refresh user-related group policy.
/target:computer    Refresh computer-related group policy.

Editing GPO Facts


You should know the following facts about editing a GPO:

- Group Policy Object Editor has two nodes:
  o Computer Configuration to set Group Policies for computers.
  o User Configuration to set Group Policies for users.
- You can extend each node's capabilities by using snap-ins.
- Use an Administrative Template file (.adm) to extend registry settings available in the Group Policy Editor.
- Use the Software setting to automate installation, update, repair, and removal of software for users or computers.
- The Windows setting automates tasks that occur during startup, shutdown, logon, or logoff.
- Security settings allow administrators to set security levels assigned to a local or non-local GPO.

Controlling GPO Application


You should know the following facts about controlling GPO application:

- All GPOs directly linked to or inherited by a site, domain, or OU apply to all users and computers within that container that have Apply Group Policy and Read permissions.
- By default, each GPO you create grants the Authenticated Users group (basically all network users) Apply Group Policy and Read permissions.
- To apply settings to computers, configure the Computer Configuration node of a GPO.

Edit Permissions
You can control the application of GPOs by editing the permissions in the GPO access control list (ACL). (When you deny an object the required permissions to a GPO, the object will not receive the GPO.)

- To deny access to a GPO, add the user, group, or computer to the GPO permissions and deny the Apply Group Policy and Read permissions.
- To apply a GPO to specific users, groups, or computers, remove the Authenticated Users group from the GPO permissions. Add the specific user, group, or computer and grant the Apply Group Policy and Read permissions.

Block Inheritance
You can prevent Active Directory child objects from inheriting GPOs that are linked to the parent objects. To block GPO inheritance:
1. Click the Group Policy tab for the domain or OU for which you want to block GPO inheritance.
2. Select the Block Policy inheritance check box.
You cannot block inheritance on a per-GPO basis. Blocking policy inheritance prevents the domain or OU (along with all the containers and objects beneath them) from inheriting GPOs.

No Override
You should know the following facts about the No Override option:

- The No Override option prevents a GPO from being overridden by another GPO.
- When No Override is set on more than one GPO, the GPO highest in the Active Directory hierarchy takes precedence.
- No Override cannot be set on a local GPO.
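Security filtering, blocked inheritance and No Override (called "Enforced" in later tooling) are the three places where a policy you expect to apply can quietly stop applying, or where one you expect to be overridden wins. This added PowerShell example (not from the study guide) walks every GPO and every OU in a domain and reports all three; it assumes the GroupPolicy and ActiveDirectory modules from RSAT.

```powershell
# Added example (not from the study guide): audit security filtering, blocked
# inheritance and enforced links across a domain. Assumes RSAT (GroupPolicy + ActiveDirectory).
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-GpoScopeAudit {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # 1. Security filtering: who holds "Apply Group Policy" on each GPO?
    $filters = foreach ($gpo in Get-GPO -All -Domain $Domain) {
        $apply = Get-GPPermission -Guid $gpo.Id -All -Domain $Domain |
                 Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied }
        [pscustomobject]@{
            Gpo       = $gpo.DisplayName
            AppliesTo = ($apply | ForEach-Object { $_.Trustee.Name }) -join ', '
            # A GPO nobody can apply is either a mistake or a policy that silently does nothing.
            NoTargets = -not $apply
        }
    }

    # 2. and 3. Per container: is inheritance blocked, and which links are enforced?
    $containers  = @(Get-ADOrganizationalUnit -Filter * -Server $Domain |
                     Select-Object -ExpandProperty DistinguishedName)
    $containers += (Get-ADDomain -Identity $Domain).DistinguishedName
    $links = foreach ($dn in $containers) {
        $inh = Get-GPInheritance -Target $dn -Domain $Domain
        foreach ($l in $inh.GpoLinks) {
            [pscustomobject]@{
                Container          = $dn
                InheritanceBlocked = $inh.GpoInheritanceBlocked
                Gpo                = $l.DisplayName
                Enforced           = $l.Enforced     # "No Override" in the guide's terminology
                Enabled            = $l.Enabled
                LinkOrder          = $l.Order
            }
        }
    }

    [pscustomobject]@{ SecurityFiltering = @($filters); Links = @($links) }
}

$audit = Get-GpoScopeAudit
'GPOs with no principal allowed to apply them:'
$audit.SecurityFiltering | Where-Object NoTargets | Format-Table -AutoSize
'Containers that block inheritance or carry enforced links:'
$audit.Links | Where-Object { $_.InheritanceBlocked -or $_.Enforced } | Format-Table -AutoSize
```

One caveat that post-dates the guide: since the June 2016 security update MS16-072, user settings are retrieved in the computer's security context, so a GPO whose Authenticated Users entry was removed for filtering must still grant Read to Authenticated Users or to Domain Computers, otherwise the user side of the policy stops applying.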

WMI Filtering
You should know the following facts about WMI filtering:

- You can use WMI queries to filter the scope of GPOs.
- WMI filtering is similar to using security groups to filter the scope of GPOs.
- WMI queries are written in WMI query language (WQL).
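A WMI filter is evaluated on the client at policy-processing time: the GPO applies only if the query returns at least one instance. The added PowerShell example below (not from the study guide) shows a WQL filter that limits a GPO to servers, evaluates it locally the same way the Group Policy client does, and lists the filters already defined in the domain. It assumes RSAT and the standard storage location for WMI filters (CN=SOM,CN=WMIPolicy,CN=System under the domain); the filter text is a constructed sample.

```powershell
# Added example (not from the study guide): test a WQL filter locally and
# enumerate the domain's WMI filters. Assumes RSAT (ActiveDirectory module).
Import-Module ActiveDirectory

# Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server.
$serverOnlyQuery = 'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "2" OR ProductType = "3"'

function Test-WmiFilterLocally {
    param([Parameter(Mandatory)][string]$Query, [string]$Namespace = 'root\cimv2')
    # Same rule the GP client applies: any result means "filter passed".
    $hits = Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop
    return [bool](@($hits).Count)
}

function Get-DomainWmiFilters {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $base = 'CN=SOM,CN=WMIPolicy,CN=System,' + (Get-ADDomain -Identity $Domain).DistinguishedName
    Get-ADObject -Server $Domain -SearchBase $base -LDAPFilter '(objectClass=msWMI-Som)' `
                 -Properties msWMI-Name, msWMI-Parm1, msWMI-Parm2 |
      ForEach-Object {
          # msWMI-Parm2 packs the query language, namespace and query into one
          # semicolon-separated string; it is shown raw here so nothing is lost.
          [pscustomobject]@{
              Name        = $_.'msWMI-Name'
              Description = $_.'msWMI-Parm1'
              RawQuery    = $_.'msWMI-Parm2'
          }
      }
}

"This host passes the server-only filter: $(Test-WmiFilterLocally -Query $serverOnlyQuery)"
Get-DomainWmiFilters | Format-Table -AutoSize
```

When a machine unexpectedly skips a GPO, running its filter through Test-WmiFilterLocally on that machine is the fastest way to tell a filter miss from a permissions or inheritance problem.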

Loopback Processing
By default, Group Policy configuration applies Computer Configuration GPOs during startup and User Configuration GPOs during logon. User Configuration settings take precedence in the event of a conflict. You can control how Group Policy is applied by enabling loopback processing. Following are some circumstances when you might use loopback processing:

- If you want Computer Configuration settings to take precedence over User Configuration settings.
- If you want to prevent User Configuration settings from being applied.
- If you want to apply User Configuration settings for the computer, regardless of the location of the user account in Active Directory.

Loopback processing is typically used to apply User Configuration settings to special computers located in public locations, such as kiosks and public Internet stations. Keep in mind the following about how loopback processing works.

- Loopback processing runs in Merge or Replace mode.
- Merge mode gathers the Computer Configuration GPOs and appends them to the User Configuration GPOs when the user logs on.
- Replace mode prevents the User Configuration GPOs from being applied.

To enable loopback processing:
1. Create or edit a GPO to distribute to computers on which you want to enable loopback processing mode.
2. Choose Group Policy from the System node of Administrative Templates in Computer Configuration.
3. Right-click User Group Policy loopback processing mode and click Properties.
4. Click Enabled.
5. Choose Merge mode or Replace mode.
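The loopback setting is an ordinary registry-based policy, so it can be set and audited from PowerShell as well as from the editor. This added example (not from the study guide) enables Replace mode on a kiosk GPO and then lists every GPO in the domain that turns loopback on, which is the first thing to check when a user gets unexpected settings on a shared machine. It assumes the GroupPolicy module from RSAT; "Kiosk Computers" is an assumed GPO name.

```powershell
# Added example (not from the study guide): set and audit loopback processing.
# Assumes RSAT (GroupPolicy module); the GPO name is an assumption.
Import-Module GroupPolicy

$gpoName = 'Kiosk Computers'
$key     = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\System'
# UserPolicyMode is the value behind "User Group Policy loopback processing mode":
# 1 = Merge, 2 = Replace. Removing the value returns to normal processing.
$modes   = @{ Merge = 1; Replace = 2 }

function Set-LoopbackMode {
    param([Parameter(Mandatory)][string]$Gpo,
          [ValidateSet('Merge', 'Replace')][string]$Mode = 'Replace')
    Set-GPRegistryValue -Name $Gpo -Key $key -ValueName 'UserPolicyMode' -Type DWord -Value $modes[$Mode] | Out-Null
    # Read it back so the caller sees exactly what the GPO now carries.
    Get-GPRegistryValue -Name $Gpo -Key $key -ValueName 'UserPolicyMode'
}

function Get-LoopbackGpos {
    foreach ($g in Get-GPO -All) {
        $v = Get-GPRegistryValue -Guid $g.Id -Key $key -ValueName 'UserPolicyMode' -ErrorAction SilentlyContinue
        if ($v) {
            $modeName = ($modes.GetEnumerator() | Where-Object Value -eq $v.Value).Key
            [pscustomobject]@{ Gpo = $g.DisplayName; Mode = $modeName }
        }
    }
}

Set-LoopbackMode -Gpo $gpoName -Mode Replace
Get-LoopbackGpos | Format-Table -AutoSize
```

Because the value lives under HKLM, it is part of the GPO's Computer Configuration, which matches step 2 of the procedure above: loopback is a property of the computer the user sits at, not of the user.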

Group Policy Tools


You should be familiar with the use of the following Group Policy tools:

Gpresult

Gpresult is a command line tool that allows you to examine the policy settings of specific users and computers. Start Gpresult by entering Gpresult at the command line (use the /? switch for syntax help). Gpresult can show the following:
o Last application of Group Policy and the domain controller from which policy was applied.
o Detailed list of the applied GPOs.
o Detailed list of applied Registry settings.
o Details of redirected folders.
o Software management information, like information about assigned and published software.

RSoP
RSoP (Resultant Set of Policy) is the accumulated results of the group policies applied to a user or computer. You should know the following facts about RSoP:

- The RSoP wizard reports on how GPO settings affect users and computers. The wizard runs in two modes: logging and planning.
- The RSoP wizard logging mode reports on existing group policies applied against computers or users.
- The RSoP wizard planning mode simulates the effects policies would have if applied to computers or users.

RSoP Access
You can access the Resultant Set of Policy (RSoP) wizard in various ways. Here are some common ways:

- Install the RSoP wizard as an MMC snap-in.
- Use the Start > Run sequence and run Rsop.msc.
- Select an object in Active Directory Users and Computers and select Resultant Set of Policy (in planning or logging mode) from the All Tasks menu.

Delegation Facts
You should know the following facts about delegating control of group policies:

- Decentralized administrative delegation means that administration is delegated to OU-level administrators. In decentralized administrative delegation, assign full-control permission to the OU administrators for GPOs.
- Centralized administrators only delegate full-control permissions to top-level OU administrators. Those administrators are responsible for everything downward.
- In task-based delegation, administration of specific group policies is delegated to administrators who handle specific tasks. For example, security administrators would get full control of security GPOs, and application administrators would get full control of application GPOs.

Software Distribution Facts


You should be familiar with the following software distribution facts:

- When you configure the option Uninstall this application when it falls out of the scope of management on a user-assigned software application installed through a GPO, you force the software to uninstall automatically when an account is moved out of the OU to which the GPO was applied.
- There are two default settings for software restriction policies: Unrestricted and Disallowed.
  o Unrestricted allows software to run according to the rights of the user who is accessing the software.
  o Disallowed does not allow software to run regardless of the logged-on user's rights. If the default restriction level is Disallowed, then no software will be able to run unless there is an additional rule configured that explicitly makes the software unrestricted.
- The Always wait for the network at computer startup and logon GPO setting forces a computer to wait for the network to fully initialize before attempting to refresh Group Policy settings.
- The source path to the location of an MSI file must always be a UNC path: \\servername\sharename\filename. To fix the source path for an existing software package you need to delete and recreate the package.
- In order for users to run installation files from the software distribution point, they need to have Read and Execute permissions.
- Use software restriction policies to prevent users from running specific software. Configure rules to identify the method Windows uses to identify unique software packages:

Restriction Option   Characteristic
Certificate Rule     A certificate rule uses the software application's certificate. Windows locates the certificate of the software to identify allowed or restricted software.
Hash Rule            When you create a hash rule, Windows performs a hashing function on the executable file. When users try to run software, Windows compares the hash value of the executable with the hash value stored in group policy. Use a hash rule to restrict software regardless of its location.
Internet Zone Rule   The Internet Zone rule uses Internet Explorer zones to identify software based on zones.
Path Rule            With a path rule, Windows identifies restricted or allowed software by path and name. However, the same executable file in a different location will not be governed by the rule.
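Whether a software restriction policy delivered by GPO actually landed on a client is best verified on the client itself, where the policy is written to the registry. This added PowerShell example (not from the study guide) reads that location, reports the default security level, and lists every path and hash rule with the level it enforces; it runs locally without any module and assumes the standard Safer\CodeIdentifiers layout (level subkeys named by their numeric level, with Paths and Hashes beneath them).

```powershell
# Added example (not from the study guide): report the software restriction
# policy in force on this computer from its registry storage.
$saferRoot = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as SRP stores them (SAFER_LEVELID_* values).
$levelNames = @{ 0 = 'Disallowed'; 4096 = 'Untrusted'; 65536 = 'Constrained'; 131072 = 'Basic User'; 262144 = 'Unrestricted' }

function Get-SrpEffectivePolicy {
    if (-not (Test-Path $saferRoot)) {
        return [pscustomobject]@{ Present = $false; DefaultLevel = $null; Rules = @() }
    }
    $root  = Get-ItemProperty -Path $saferRoot
    $rules = foreach ($levelKey in Get-ChildItem -Path $saferRoot) {
        # Rules live under a subkey named by the level they assign (0, 262144, ...).
        if ($levelKey.PSChildName -notmatch '^\d+$') { continue }
        $level = [int]$levelKey.PSChildName
        foreach ($kind in 'Paths', 'Hashes') {
            $kindPath = Join-Path $levelKey.PSPath $kind
            if (-not (Test-Path $kindPath)) { continue }
            foreach ($rule in Get-ChildItem -Path $kindPath) {
                $p = Get-ItemProperty -Path $rule.PSPath
                # Path rules keep the path text in ItemData; hash rules keep the hash bytes there.
                $item = if ($p.ItemData -is [byte[]]) { ($p.ItemData | ForEach-Object { $_.ToString('x2') }) -join '' }
                        else { $p.ItemData }
                [pscustomobject]@{
                    Level       = $levelNames[$level]
                    Type        = $kind.TrimEnd('s') + ' rule'
                    Item        = $item
                    Description = $p.Description
                }
            }
        }
    }
    [pscustomobject]@{
        Present      = $true
        DefaultLevel = $levelNames[[int]$root.DefaultLevel]
        Rules        = @($rules)
    }
}

$srp = Get-SrpEffectivePolicy
if ($srp.Present) {
    "Default level: $($srp.DefaultLevel)"
    $srp.Rules | Sort-Object Level, Type | Format-Table -AutoSize
} else {
    'No software restriction policy is in force on this computer.'
}
```

Reading the result against the table above: a Disallowed default with a short list of Unrestricted path or hash rules is the allow-list posture the guide describes, while an Unrestricted default with a few Disallowed rules only blocks what is explicitly named and is trivially bypassed by the "same executable in a different location" caveat of path rules.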

Administrative Template Facts


You should be familiar with the following facts about Administrative templates:

- Computer Configuration and User Configuration each have the following three nodes:
  o Windows Components: Use to administer Windows 2003 Server components. The Computer Configuration node has settings for IIS. The User Configuration node has settings for Internet Explorer.
  o System: Use to administer the functionality of the Windows 2003 OS.
  o Network: Use to control the functionality of the network.
- In the Computer Configuration node, Administrative Templates contains a Print node for printer administration.
- In the User Configuration node, Administrative Templates contains nodes for administering the Start menu, Taskbar, Desktop, Control Panel, and shared folders.

Folder Redirection Facts


You should know the following facts about folder redirection:

- To put user profile data back to the local system, make sure the GPO is enabled and select the Redirect to the local user profile location option.
- Folder redirection works best by distributing a Group Policy, but you can redirect folders manually on the local system by modifying the folder's properties (not through a local GPO, though).
- The following folders can be redirected:
  o My Documents
  o Application Data
  o Start Menu
  o My Pictures
  o Desktop
- Redirected folders are made available offline automatically.

Logon Facts
You should know the following facts about managing logon:

- Password policies are only effective in GPOs applied to the domain. To create different password policies, you must create additional domains.
- Each forest has a single alternate user principal name (UPN) suffix list that you can edit from the properties of the Active Directory Domains and Trusts node. After adding an alternate UPN suffix, you can configure all user accounts to use the same UPN suffix, thus simplifying user logon for users in all domains in the forest.

You should be familiar with the following password and account lockout policy settings:

Setting                                     Description
Enforce password history                    Keeps a history of user passwords (up to 24) so that users cannot reuse passwords.
Minimum password length                     Configures how many characters a valid password must have.
Minimum password age                        Forces the user to use the new password for whatever length of time you determine before changing it again.
Password must meet complexity requirements  Determines that user passwords cannot contain the user name, the user's real name, the company name, or a complete dictionary word. The password must also contain multiple types of characters, such as upper and lowercase letters, numbers, and symbols.
Maximum password age                        Forces the user to change passwords at whatever time interval you determine.
Account lockout threshold                   Configures how many incorrect passwords can be entered before being locked out.
Account lockout duration                    Identifies how long an account will stay locked out once it has been locked. A value of 0 indicates that an administrator must manually unlock the account. Any other number indicates the number of minutes before the account will be automatically unlocked.
Reset account lockout after                 Specifies the length of time that must pass after a failed login attempt before the counter resets to zero.
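The settings in the table are the ones an auditor compares against a baseline, and a lockout threshold of 0 or a maximum age that never expires are the findings that matter most. This added PowerShell example (not from the study guide) reads the domain's effective policy and reports deviations; the baseline numbers are assumptions chosen for illustration. It assumes the ActiveDirectory module from RSAT. It also lists fine-grained password policies, which exist from Windows Server 2008 onward and are the later answer to the guide's statement that different password policies need different domains.

```powershell
# Added example (not from the study guide): audit the domain password and
# lockout policy against a baseline. Assumes RSAT (ActiveDirectory module).
# The baseline values are assumptions for illustration, not a standard.
Import-Module ActiveDirectory

$baseline = @{
    MinPasswordLength    = 14
    PasswordHistoryCount = 24
    MaxPasswordAgeDays   = 365    # 0 or a huge value means "never expires" and is flagged
    LockoutThreshold     = 10     # 0 means no lockout at all
    LockoutDurationMin   = 15
    ComplexityEnabled    = $true
}

function Test-DomainPasswordPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = New-Object System.Collections.Generic.List[string]

    if ($p.MinPasswordLength -lt $baseline.MinPasswordLength) {
        $findings.Add("Minimum password length $($p.MinPasswordLength) is below $($baseline.MinPasswordLength)")
    }
    if ($p.PasswordHistoryCount -lt $baseline.PasswordHistoryCount) {
        $findings.Add("Password history $($p.PasswordHistoryCount) is below $($baseline.PasswordHistoryCount)")
    }
    if ($baseline.ComplexityEnabled -and -not $p.ComplexityEnabled) {
        $findings.Add('Complexity requirement is off')
    }
    if ($p.ReversibleEncryptionEnabled) {
        $findings.Add('Reversible encryption is enabled: passwords are recoverable from the directory')
    }
    $maxDays = [int]$p.MaxPasswordAge.TotalDays
    if ($maxDays -le 0 -or $maxDays -gt $baseline.MaxPasswordAgeDays) {
        $findings.Add("Maximum password age of $maxDays days is outside the baseline")
    }
    if ($p.LockoutThreshold -eq 0) {
        $findings.Add('Lockout threshold is 0: unlimited failed logons are allowed')
    } elseif ($p.LockoutThreshold -gt $baseline.LockoutThreshold) {
        $findings.Add("Lockout threshold $($p.LockoutThreshold) is above $($baseline.LockoutThreshold)")
    }
    # A duration of 0 means an administrator must unlock the account (stricter), so only
    # short non-zero durations are flagged.
    $lockMin = [int]$p.LockoutDuration.TotalMinutes
    if ($p.LockoutThreshold -gt 0 -and $lockMin -gt 0 -and $lockMin -lt $baseline.LockoutDurationMin) {
        $findings.Add("Lockout duration of $lockMin minutes is below $($baseline.LockoutDurationMin)")
    }

    # Fine-grained policies override the domain policy for the groups they apply to.
    $psos = Get-ADFineGrainedPasswordPolicy -Filter * -Server $Domain -ErrorAction SilentlyContinue |
            Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold, AppliesTo

    [pscustomobject]@{ Domain = $Domain; Findings = @($findings); FineGrainedPolicies = @($psos) }
}

$result = Test-DomainPasswordPolicy
"Findings for $($result.Domain):"
$result.Findings
'Fine-grained policies:'
$result.FineGrainedPolicies | Format-Table -AutoSize
```

Because fine-grained policies take precedence over the domain policy for the principals they apply to, a clean domain result is not the end of the audit; each PSO needs the same comparison, and its AppliesTo list tells you whose accounts it governs.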

Automatic Certificate Enrollment Facts


You should know the following facts about using Group Policy to configure automatic certificate enrollment:

- Before you can add an automatic certificate request, you must have certificate templates configured on your system. Run Certtmpl.msc to install the certificate templates.
- For a completely automatic certificate installation, set the Request Handling options of the certificate template to enroll the subject without requiring any user input.
- Without the Request Handling option selected, the user will be prompted for input during the certificate enrollment phase. An icon on the taskbar will also appear, which users can click to start the enrollment process.

Managing Sites and Subnets


You should know the following facts about managing sites and subnets:
1. When a client attempts to find a domain controller for authentication, it receives a list of DC IP addresses from DNS.
2. The client passes a query to the DCs to find a good match for authentication.
3. Active Directory grabs the query and passes it to Net Logon.
4. Net Logon looks for the client IP address in the subnet-to-site mapping table.
5. If the client IP address isn't found in the subnet-to-site mapping table, the DC returns a NULL site value, and the client authenticates using the returned DC.
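Step 4 is a longest-prefix lookup: the client address is matched against every subnet object, and the most specific subnet that contains it names the site. The added PowerShell example below (not from the study guide) implements that lookup over a constructed subnet table so it runs offline, and includes a helper that loads the real table from Active Directory Sites and Services when RSAT is available. It handles IPv4 only; the subnet names, site names and addresses in the sample are constructed.

```powershell
# Added example (not from the study guide): the subnet-to-site lookup Net Logon
# performs, over a constructed table. Get-SiteSubnetTable loads the live table (needs RSAT).

function ConvertTo-UInt32Address([string]$Ip) {
    # Pack an IPv4 dotted-quad into an integer so prefix masks can be applied.
    $b = ([System.Net.IPAddress]::Parse($Ip)).GetAddressBytes()
    return ([int64]$b[0] -shl 24) + ([int64]$b[1] -shl 16) + ([int64]$b[2] -shl 8) + [int64]$b[3]
}

function Find-SiteForAddress {
    param([Parameter(Mandatory)][string]$ClientIp,
          [Parameter(Mandatory)][object[]]$SubnetTable)   # objects with Prefix ('10.1.0.0/16') and Site
    if ($ClientIp -match ':') { throw 'This example handles IPv4 addresses only' }
    $ip = ConvertTo-UInt32Address $ClientIp
    # Longest prefix wins, so walk the table from the most specific entry downward.
    $ranked = $SubnetTable | Where-Object { $_.Prefix -notmatch ':' } |
              Sort-Object { [int]($_.Prefix -split '/')[1] } -Descending
    foreach ($entry in $ranked) {
        $net, $bits = $entry.Prefix -split '/'
        $mask = ([int64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF
        if (($ip -band $mask) -eq ((ConvertTo-UInt32Address $net) -band $mask)) { return $entry.Site }
    }
    return $null   # NULL site: the client stays with whichever DC answered (step 5)
}

function Get-SiteSubnetTable {
    # Live version: reads the subnet objects and resolves each one's site name.
    Import-Module ActiveDirectory
    Get-ADReplicationSubnet -Filter * -Properties Site |
      Where-Object Site |
      ForEach-Object { [pscustomobject]@{ Prefix = $_.Name; Site = (Get-ADObject $_.Site).Name } }
}

# Constructed sample table (not real data).
$sample = @(
    [pscustomobject]@{ Prefix = '10.0.0.0/8';   Site = 'Default-First-Site-Name' },
    [pscustomobject]@{ Prefix = '10.20.0.0/16'; Site = 'Branch-Milan' },
    [pscustomobject]@{ Prefix = '10.20.5.0/24'; Site = 'Branch-Milan-Lab' }
)
foreach ($client in '10.20.5.77', '10.20.9.1', '192.168.1.5') {
    $site = Find-SiteForAddress -ClientIp $client -SubnetTable $sample
    "{0,-14} -> {1}" -f $client, ($(if ($site) { $site } else { '(no site: NULL returned)' }))
}
```

A client that always lands on a NULL site is a subnet-table gap, not an authentication fault: the DC it happened to pick from DNS may be across a WAN link, which is why the guide stresses keeping subnets mapped to sites.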

Replication Facts
You should know the following facts about replication:

- Active Directory automatically decides which servers are the bridgehead servers (generally, the first domain controller in the site). To force a specific server to be the bridgehead server, you must manually configure it as the bridgehead server. To designate a preferred bridgehead server, edit the server object properties in Active Directory Sites and Services.
- Replication between sites occurs only between the bridgehead servers.
- To have different replication settings for different WAN links, you need to configure multiple site links. For complete flexibility, you should create a site link for each network connection between sites.
- The default link cost is 100. A higher cost for a link is less desirable. To force traffic over one link, set a lower cost. For example, set a lower cost for high-speed links to force traffic over the high-speed link. Configure a higher cost for dial-up links that are used as backup links. Costs are additive when multiple links are required between sites.
- Use SMTP replication for high-latency links where RPC replication would probably fail.
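Because costs are additive, the route replication prefers between two sites is the cheapest path through the site-link graph, not necessarily the direct link. The added PowerShell example below (not from the study guide) computes that path with a shortest-path search over a constructed set of links, so it runs offline; a helper shows how to read the real links with RSAT. All link and site names in the sample are constructed.

```powershell
# Added example (not from the study guide): cheapest replication path over
# additive site-link costs. Get-LiveSiteLinks reads the real links (needs RSAT).

function Get-CheapestReplicationPath {
    param([Parameter(Mandatory)][object[]]$Links,   # objects with Name, Cost, Sites (string[])
          [Parameter(Mandatory)][string]$From,
          [Parameter(Mandatory)][string]$To)

    # Every pair of sites inside one link is connected at that link's cost.
    $adj = @{}
    foreach ($l in $Links) {
        foreach ($a in $l.Sites) {
            if (-not $adj.ContainsKey($a)) { $adj[$a] = @() }
            foreach ($b in $l.Sites) {
                if ($a -ne $b) { $adj[$a] += [pscustomobject]@{ To = $b; Cost = [int]$l.Cost; Via = $l.Name } }
            }
        }
    }
    if (-not $adj.ContainsKey($From) -or -not $adj.ContainsKey($To)) { return $null }

    # Dijkstra: settle the cheapest unsettled site until the destination is reached.
    $dist = @{}; $prev = @{}; $done = @{}
    $dist[$From] = 0
    while ($true) {
        $current = $dist.Keys | Where-Object { -not $done[$_] } | Sort-Object { $dist[$_] } | Select-Object -First 1
        if (-not $current -or $current -eq $To) { break }
        $done[$current] = $true
        foreach ($edge in $adj[$current]) {
            $alt = $dist[$current] + $edge.Cost
            if (-not $dist.ContainsKey($edge.To) -or $alt -lt $dist[$edge.To]) {
                $dist[$edge.To] = $alt
                $prev[$edge.To] = [pscustomobject]@{ Site = $current; Via = $edge.Via }
            }
        }
    }
    if (-not $dist.ContainsKey($To)) { return $null }

    # Walk back from the destination to list the hops in order.
    $hops = @(); $s = $To
    while ($s -ne $From) {
        $hops = @("$($prev[$s].Site) -[$($prev[$s].Via)]-> $s") + $hops
        $s = $prev[$s].Site
    }
    [pscustomobject]@{ From = $From; To = $To; TotalCost = $dist[$To]; Path = $hops }
}

function Get-LiveSiteLinks {
    Import-Module ActiveDirectory
    Get-ADReplicationSiteLink -Filter * |
      ForEach-Object {
          # SitesIncluded holds site DNs; keep only the CN.
          [pscustomobject]@{ Name = $_.Name; Cost = $_.Cost
                             Sites = @($_.SitesIncluded | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) }
      }
}

# Constructed sample links (not real data): a fast primary, a dial-up backup, and a detour.
$sampleLinks = @(
    [pscustomobject]@{ Name = 'HQ-Rome';          Cost = 50;  Sites = @('HQ', 'Rome') },
    [pscustomobject]@{ Name = 'HQ-Rome-Dialup';   Cost = 500; Sites = @('HQ', 'Rome') },
    [pscustomobject]@{ Name = 'Rome-Naples';      Cost = 100; Sites = @('Rome', 'Naples') },
    [pscustomobject]@{ Name = 'HQ-Naples-Direct'; Cost = 200; Sites = @('HQ', 'Naples') }
)
$path = Get-CheapestReplicationPath -Links $sampleLinks -From 'HQ' -To 'Naples'
"Total cost {0}:" -f $path.TotalCost
$path.Path
```

With the sample links the detour through Rome (50 + 100) beats the direct Naples link (200), and the dial-up link is never chosen while the primary exists; that is exactly the behaviour the "higher cost for backup links" guidance relies on, so a cost change should be checked this way before it is applied.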

Managing Replication Facts


You should know the following facts about managing replication:

- Use Replication Monitor (Replmon) or Active Directory Sites and Services to force replication.
- Replmon has an Update Automatically feature that allows you to specify how often replication reports are refreshed.
- The Sysvol share replicates using the File Replication Service (this includes things like group policy and logon scripts).
- Replication uses port 135.
- DCs must be able to contact each other for replication. This means they need to have a valid network connection, valid IP address configuration, and DNS must be available so the servers can locate each other.
- You can use the Directory Service and the File Replication Service logs in Event Viewer to monitor replication services.

You should also know the following facts about Replmon:

- Replmon allows you to perform the following administrative tasks:
  o Force synchronization between domain controllers.
  o Monitor domain controller replication.
  o Perform simultaneous monitoring of domain controllers in different forests.
- Replmon gives a graphical view of the topology.
- Replmon must run on a computer running Windows Server 2003.
- You can start Replmon by entering Replmon at the command line.
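The facts above amount to a checklist: every DC must resolve in DNS, the RPC endpoint mapper on port 135 must answer (the replication RPC conversation starts there and then moves to a dynamically assigned port), the DCs must not be reporting inbound failures, and the Directory Service and replication logs should be free of errors. The added PowerShell example below (not from the study guide) runs that checklist; it assumes RSAT and rights to read the DC event logs remotely. It also queries the DFS Replication log, because SYSVOL moved from FRS to DFS Replication in later Windows Server versions.

```powershell
# Added example (not from the study guide): replication health checklist.
# Assumes RSAT (ActiveDirectory module) and remote event-log read rights on the DCs.
Import-Module ActiveDirectory

function Get-ReplicationHealth {
    param([string]$Domain = (Get-ADDomain).DNSRoot, [int]$Hours = 24)

    $dcs = Get-ADDomainController -Filter * -Server $Domain

    # DNS resolution and RPC endpoint-mapper reachability per DC.
    $connectivity = foreach ($dc in $dcs) {
        $resolves = try { [bool][System.Net.Dns]::GetHostAddresses($dc.HostName) } catch { $false }
        $rpc = $false
        if ($resolves) {
            $rpc = (Test-NetConnection -ComputerName $dc.HostName -Port 135 -WarningAction SilentlyContinue).TcpTestSucceeded
        }
        [pscustomobject]@{ DC = $dc.HostName; Site = $dc.Site; Resolves = $resolves; Rpc135 = $rpc }
    }

    # Failures the DCs themselves have recorded for their replication partners.
    $failures = Get-ADReplicationFailure -Scope Domain -Target $Domain |
                Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError

    # Warning and error events from the logs the guide points at (plus DFSR for newer SYSVOL).
    $since  = (Get-Date).AddHours(-$Hours)
    $events = foreach ($dc in $dcs) {
        foreach ($log in 'Directory Service', 'File Replication Service', 'DFS Replication') {
            Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
                         -FilterHashtable @{ LogName = $log; Level = 1, 2, 3; StartTime = $since } |
              Select-Object @{ n = 'DC'; e = { $dc.HostName } }, LogName, TimeCreated, Id, LevelDisplayName, Message
        }
    }

    [pscustomobject]@{ Connectivity = @($connectivity); Failures = @($failures); Events = @($events) }
}

$health = Get-ReplicationHealth
'Connectivity:';            $health.Connectivity | Format-Table -AutoSize
'Reported failures:';       $health.Failures     | Format-Table -AutoSize
'Recent warnings/errors:';  $health.Events       | Format-Table DC, LogName, TimeCreated, Id, LevelDisplayName -AutoSize
```

A DC that resolves and answers on 135 but still shows failures usually has a problem on the dynamic RPC port range or with Kerberos, which is why the failure list is kept separate from the connectivity table rather than merged into one pass/fail.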

Tombstones and Garbage Collection


You should know the following facts about tombstones and garbage collection:

- When an object is removed from the Active Directory database, it is moved to a hidden Deleted Objects container. Objects in the Deleted Objects container are called tombstones.
- The default storage time for tombstones is 60 days.
- Every 12 hours (default setting) a domain controller examines its Deleted Objects folder for tombstones that have exceeded the storage period. Objects beyond the storage period are removed in a process called garbage collection.
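The tombstone lifetime is also the window in which a deleted object can still be reanimated and the maximum age of a backup that can safely be restored, so it is worth reading the configured value rather than assuming the default. The added PowerShell example below (not from the study guide) reads the tombstone lifetime and garbage-collection interval from the Directory Service object in the configuration partition and lists deleted objects with the days remaining before garbage collection. It assumes RSAT. Note that the 60-day default stated above applies to forests created before Windows Server 2003 SP1; forests created later default to 180 days, and when the attribute is absent the effective value is 60.

```powershell
# Added example (not from the study guide): tombstone settings and deleted-object
# ageing. Assumes RSAT (ActiveDirectory module).
Import-Module ActiveDirectory

function Get-TombstoneSettings {
    $rootDse = Get-ADRootDSE
    $dsPath  = 'CN=Directory Service,CN=Windows NT,CN=Services,' + $rootDse.configurationNamingContext
    $ds = Get-ADObject -Identity $dsPath -Properties tombstoneLifetime, garbageCollPeriod
    [pscustomobject]@{
        # An unset attribute means the built-in default applies.
        TombstoneLifetimeDays  = if ($ds.tombstoneLifetime) { $ds.tombstoneLifetime } else { 60 }
        GarbageCollectionHours = if ($ds.garbageCollPeriod) { $ds.garbageCollPeriod } else { 12 }
    }
}

function Get-DeletedObjectReport {
    param([int]$WarnWithinDays = 7)
    $ttl = (Get-TombstoneSettings).TombstoneLifetimeDays
    Get-ADObject -Filter { isDeleted -eq $true } -IncludeDeletedObjects `
                 -Properties whenChanged, lastKnownParent, isRecycled |
      Where-Object { $_.Name -ne 'Deleted Objects' } |   # skip the container itself
      ForEach-Object {
          # whenChanged is stamped at deletion, so it approximates the tombstone's age.
          $daysLeft = $ttl - [int]((Get-Date) - $_.whenChanged).TotalDays
          [pscustomobject]@{
              Name            = $_.Name
              Class           = $_.ObjectClass
              LastKnownParent = $_.lastKnownParent
              Deleted         = $_.whenChanged
              DaysUntilPurge  = $daysLeft
              Recycled        = [bool]$_.isRecycled   # only meaningful with the Recycle Bin (2008 R2+)
              ExpiringSoon    = $daysLeft -le $WarnWithinDays
          }
      }
}

Get-TombstoneSettings | Format-List
Get-DeletedObjectReport | Sort-Object DaysUntilPurge | Format-Table -AutoSize
```

A burst of deleted objects with the same timestamp and the same lastKnownParent is worth a second look before they age out: it is what an accidental OU deletion, or a deliberate one, looks like from the directory's side.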

Global Catalogs and Universal Group Membership Caching


You should know the following facts about global catalogs and universal group membership caching:

- A global catalog server needs to be contacted during logon. Place a global catalog server in each site to speed up logon.
- A global catalog server also maintains universal group membership. Group membership needs to be consulted during resource access.
- Only one server per site needs to be a global catalog server.
- Enabling the universal group membership caching feature for a site will let users who are members of a universal group log on in the event of a WAN link failure. If the only need is to obtain universal group membership information, enabling this feature for a site is a better solution than creating a global catalog server in the site.
- All servers in a site must be running Windows Server 2003 for universal group membership caching to work.
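The practical question behind these facts is which sites would lose the ability to log on universal-group members if their WAN link dropped: any site with a domain controller but neither a global catalog nor universal group membership caching. The added PowerShell example below (not from the study guide) answers it per site across the forest; it assumes RSAT and reads the caching flag through Get-ADReplicationSite.

```powershell
# Added example (not from the study guide): per-site logon readiness
# (global catalog presence and universal group membership caching). Assumes RSAT.
Import-Module ActiveDirectory

function Get-SiteLogonReadiness {
    # Get-ADDomainController is per domain, so walk every domain in the forest.
    $dcs = foreach ($d in (Get-ADForest).Domains) { Get-ADDomainController -Filter * -Server $d }
    $sites = Get-ADReplicationSite -Filter * -Properties UniversalGroupCachingEnabled, UniversalGroupCachingRefreshSite

    foreach ($s in $sites) {
        $inSite = @($dcs | Where-Object Site -eq $s.Name)
        $gcs    = @($inSite | Where-Object IsGlobalCatalog)
        $ugmc   = [bool]$s.UniversalGroupCachingEnabled

        $assessment = if ($gcs.Count -gt 0)      { 'OK: local global catalog' }
                      elseif ($ugmc)             { 'O: caching enabled (still needs periodic contact with a GC to refresh)' }
                      elseif ($inSite.Count -eq 0) { 'No DCs in site; logons already cross the WAN' }
                      else                       { 'RISK: DC present but no GC and no caching; universal-group logons fail if the WAN drops' }

        [pscustomobject]@{
            Site           = $s.Name
            DCs            = $inSite.Count
            GlobalCatalogs = $gcs.Count
            UGMC           = $ugmc
            RefreshSite    = if ($s.UniversalGroupCachingRefreshSite) { (Get-ADObject $s.UniversalGroupCachingRefreshSite).Name } else { $null }
            Assessment     = $assessment
        }
    }
}

Get-SiteLogonReadiness | Sort-Object Assessment | Format-Table -AutoSize
```

A site flagged as RISK is the case the guide describes: enabling caching on its NTDS Site Settings is the lighter fix, while promoting one of its DCs to a global catalog is the answer when applications there also need forest-wide lookups.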

Site License Facts


You should know the following facts about site licensing:

- Set up a site license server to monitor license
  o Purchases.
  o Deletions.
  o Usage.
- The license logging service runs on each server within a site, collecting information to send to the site license server.
- The information in the site license server database can be viewed using the Licensing tool in Administrative Tools.
- By default, the site license server is the first domain controller created for a site. The site license server does not have to be a domain controller.

Nutshell: Microsoft Active Directory

P a g e | 31

Application Directory Partitions


Application directory partitions are used to store dynamic objects. Most information stored in Active Directory is relatively static, meaning that it changes infrequently enough to allow it to be replicated across a domain with a high degree of regularity. Dynamic objects, however, change more frequently than they can be efficiently and effectively replicated. (Dynamic objects are created with a time-to-live (TTL) value, which, when it expires, allows Active Directory to delete the object.) Application directory partitions allow you to configure replication and replicas to accommodate the unique requirements of dynamic objects. Where domain partitions must replicate to all domain controllers in a domain, application directory partitions do not have to meet this requirement. For example, if the DNS service is configured to use AD, the DNS zone data will be replicated across a domain (because zone data will be stored in a domain partition) even if the DNS server is not configured to run on the domain controller. However, if you put the DNS zone data in an application directory partition, you can limit the scope of replication. Application directory partitions are not limited, however, in the types of data they can hold. They can hold, for instance, user, computer, and group objects--every object type, in fact, but security principals. However, objects in an application directory partition operate under certain limitations, including the following:

- They cannot maintain DN-value references to objects in other application directory or domain partitions. Neither can objects in other partitions maintain DN-value references to objects in an application directory partition.
- They are not replicated to the Global Catalog. (However, a global catalog server can be configured to replicate an application directory partition.)
- They cannot be moved to other application directory partitions outside the partition in which they were created.

To create an application directory partition:
1. At the command line prompt, enter Ntdsutil.
2. Enter Domain management.
3. Enter Create nc [distinguished name of the application directory partition] [domain controller name]

To delete an application directory partition:
1. At the command line prompt, enter Ntdsutil.
2. Enter Domain management.
3. Enter Delete nc [distinguished name of the application directory partition]

To add an application directory partition replica:
1. At the command line prompt, enter Ntdsutil.
2. Enter Domain management.
3. Enter Add nc [distinguished name of the application directory partition] [domain controller name]

To remove an application directory partition replica:
1. At the command line prompt, enter Ntdsutil.
2. Enter Domain management.
3. Enter Remove nc [distinguished name of the application directory partition] [domain controller name]
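After adding or removing replicas with Ntdsutil, the replica set of each application directory partition is recorded on the partition's crossRef object in the Partitions container. The added PowerShell example below (not from the study guide) reads that record for every application partition in the forest, so you can confirm that the replication scope you intended (for example, only the DCs that run DNS) is what the directory actually holds. It assumes RSAT; the DNS partitions that appear in a typical forest (DomainDnsZones, ForestDnsZones) are the ones you will usually see.

```powershell
# Added example (not from the study guide): list application directory partitions
# and the DCs holding a replica of each. Assumes RSAT (ActiveDirectory module).
Import-Module ActiveDirectory

function Get-ApplicationPartitionReplicas {
    $forest     = Get-ADForest
    $partitions = 'CN=Partitions,' + (Get-ADRootDSE).configurationNamingContext

    foreach ($nc in $forest.ApplicationPartitions) {
        # The crossRef whose nCName matches the partition DN carries the replica list.
        $cross = Get-ADObject -SearchBase $partitions -LDAPFilter "(&(objectClass=crossRef)(nCName=$nc))" `
                              -Properties 'msDS-NC-Replica-Locations', dnsRoot
        $replicaHosts = @($cross.'msDS-NC-Replica-Locations' | ForEach-Object {
            # Each value is the DN of a DC's NTDS Settings object; its parent is the server object.
            ($_ -split ',')[1] -replace '^CN='
        })
        [pscustomobject]@{
            Partition    = $nc
            DnsRoot      = $cross.dnsRoot
            ReplicaCount = $replicaHosts.Count
            Replicas     = ($replicaHosts | Sort-Object) -join ', '
        }
    }
}

Get-ApplicationPartitionReplicas | Format-Table -AutoSize
```

A partition with a single replica is a partition whose data is lost with that one DC, which is the trade-off the guide's "limit the scope of replication" sentence implies; the add nc step above is how a second replica is introduced.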
