TOGGIT - IN SEARCH OF CERTIFICATION

Study tools for exam 070-217 Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure
Implementing and Administering Windows 2000 Directory Services Infrastructure

Active Directory Overview:

  • Organizational Unit (OU) - container used to organize objects inside a domain into logical administrative groups such as computers, printers, user accounts, file shares, applications and even other OUs.
  • Domain - all network objects exist within a domain, with each domain storing information only about the objects it contains. A domain is a security boundary - access to objects is controlled by Access Control Lists (ACLs). ACLs contain the permissions associated with objects that control which users or types of users can access them. In Windows 2000, security policies and settings (like Administrative rights) do not cross from one domain to another. The domain admin only has rights to set policies within his/her domain.
  • Tree - a grouping or hierarchical arrangement of one or more Windows 2000 domains that share a contiguous name space (e.g., sales.company.com, admin.company.com, and jobs.company.com). All domains inside a single tree share a common schema (formal definition of all object types that can be stored in an AD deployment) and share a common Global Catalog.
  • Forest - a grouping or hierarchical arrangement of one or more domain trees that form a disjointed namespace (e.g., acme.com and company.com). All trees in the forest share a common schema and Global Catalog, but have different naming structures. Domains in a forest operate independently of each other, but the forest enables communication across the domains.
  • Sites - combination of one or more IP subnets connected by high-speed links. Not part of the AD namespace, and contain only computer objects and connection objects used to configure replication between sites.

Site Replication:

  • Active Directory information is replicated between Domain Controllers (DCs), which ensures that changes made on one domain controller are reflected in all DCs within a domain.
  • DCs store a copy of all AD information for their domain, manage changes to it and copy those changes to other DCs in the same domain.
  • Administrators set how often replication occurs, at what times, and how much data can be sent.
  • DCs immediately replicate important changes to AD like a user account being disabled.
  • AD uses multimaster replication meaning that no one DC is the master domain controller - all DCs within a domain are peers.
  • Active Directory automatically generates a ring topology for replication in the same domain and site. The ring ensures that if one DC goes down, it still has an available path to replicate its information to other DCs.

Active Directory Concepts:

Schema - contains a formal definition of contents and structure of AD such as attributes, classes and class properties. For an object class, the schema defines what attributes an instance of a class must have, additional attributes that are allowed and which object class can be its parent. Installing AD on the first computer in a network creates the domain and default schema which contains commonly used objects. Extensions can be made to the schema whenever needed. By default, write access to the schema is limited to members of the Administrators group.

Global Catalog - a central repository of info about objects in a tree or forest. AD automatically creates a global catalog from the domains that make up AD through the replication process. Attributes stored in the global catalog are usually those most often used in Search operations (like user names, logon names, etc.) and are used to locate a full replica of the object. Because of this, the global catalog can be used to find objects anywhere in the network without replication of all information between DCs.

Active Directory Naming Conventions:

  • Distinguished Name (DN) - every object in AD has one. Uniquely identifies object and contains sufficient info for an AD client to retrieve it from the Directory. Includes the name of the domain that holds the object and also the complete path through the container hierarchy to it. DNs must be unique - AD will not allow duplicates.
  • Globally Unique Identifier (GUID) - unique 128-bit number assigned to objects when they are created. The GUID never changes so even if the object is renamed or moved, the GUID can be used to locate it.

Trust Relationships:

  • Implicit two-way transitive trust - default in Windows 2000 AD. Trust relationships between domains in a tree are established automatically (implicitly). Feature of the Kerberos authentication protocol.
  • Explicit one-way nontransitive trust - default in Windows NT 4.0 domains. Trust is limited to the two domains in the relationship and does not flow to others. Must be manually (explicitly) created. Are the only form of trust possible with:
    • Windows NT 4.0 domains
    • Windows 2000 domains in a separate forest
    • Windows 2000 domains and MIT Kerberos 5 authentication realms

Domain Modes:

Mixed mode - whenever you first install or upgrade a domain controller to W2K, it defaults to mixed mode. This allows it to interoperate with domain controllers running Windows NT.
Native mode - when all of your domain controllers are running W2K and you will not be adding any more pre-W2K domain controllers to your domain, you can switch the domain over to native mode.

Sites:

MS defines sites as sets of domain controllers that are well-connected in terms of speed and cost. A site object named Default-First-Site-Name is created on the first domain controller installed in a site. This object can be renamed. If the IP address of a newly installed DC matches an existing subnet in a defined site, it is automatically added to that site. Otherwise, it is added to the site of the source domain controller.

Subnets:

IP subnets are used by AD to find a DC in the same site as the system that is being authenticated during a logon and also to determine the best routes between DCs.

Site links:

Site links are not created automatically. They must be manually created using AD Sites & Services. Computers in different sites cannot communicate with each other or replicate data until a site link has been established between them. Default site link cost is 100. The slower a connection, the more it should cost. The replication interval must be at least 15 minutes and cannot exceed 10080 minutes (one week). No replication occurs based on the interval unless the schedule allows it. Check the Ignore Schedules check box for the appropriate protocol in the properties of the Inter-site Transports folder to disable site link scheduling.

  • There are two protocols used for replication over site links:
    • IP replication - uses Remote Procedure Calls (RPCs) for both intersite and intrasite replication. Intersite IP replication uses schedules by default. Does not require a Certificate Authority (CA).
    • SMTP replication - only used for intersite replication. Is asynchronous and ignores all schedules. Requires installation of a CA.

Site link bridges:

In a fully routed network, it is not necessary to create site link bridges as all site links using the same protocol are bridged by default. When a network is not fully routed and an administrator is creating site link bridges, it is first necessary to disable the default site link bridge. 
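The site link rules above (default cost 100, interval between 15 and 10080 minutes, all links of one transport bridged by default so replication can transit intermediate sites) can be checked with a small model. The following is an added example written for this page, not code from ToggIT or from Windows; the site names, link names and costs are constructed, and the `bridged=False` branch models a network where the default site link bridge has been disabled, so only sites sharing a link can replicate directly.

```python
from heapq import heappop, heappush

DEFAULT_COST = 100      # default site link cost
MIN_INTERVAL = 15       # minutes; lowest allowed replication interval
MAX_INTERVAL = 10080    # minutes; one week, the highest allowed interval

# Constructed example topology: site link name -> (sites it joins, cost).
# Names and costs are invented for this illustration.
SITE_LINKS = {
    "HQ-Branch1": ({"HQ", "Branch1"}, 100),
    "HQ-Branch2": ({"HQ", "Branch2"}, 250),
    "Branch1-Branch2": ({"Branch1", "Branch2"}, 500),
}


def validate_site_link(cost, interval_minutes):
    """Check a site link's settings against the limits the study guide gives.

    Returns True when valid; raises ValueError otherwise.
    """
    if cost < 1:
        raise ValueError("site link cost must be a positive integer")
    if not MIN_INTERVAL <= interval_minutes <= MAX_INTERVAL:
        raise ValueError(
            f"replication interval must be between {MIN_INTERVAL} and "
            f"{MAX_INTERVAL} minutes, got {interval_minutes}")
    return True


def build_graph(site_links):
    """Expand site links into a site-to-site adjacency map with edge costs.

    A site link may join more than two sites; every pair of its members
    becomes an edge weighted with the link's cost.
    """
    graph = {}
    for sites, cost in site_links.values():
        for a in sites:
            graph.setdefault(a, {})
            for b in sites:
                if a != b:
                    # keep the cheapest link if two links join the same pair
                    graph[a][b] = min(cost, graph[a].get(b, cost))
    return graph


def cheapest_path(site_links, src, dst, bridged=True):
    """Return (total_cost, [sites...]) for the cheapest replication route.

    bridged=True models the default: all site links of one transport are
    bridged, replication may transit intermediate sites, and the route
    cost is the sum of the link costs. bridged=False models bridging
    disabled: only sites that share a site link can replicate, so any
    multi-hop route is unavailable. Returns None when no route exists.
    """
    graph = build_graph(site_links)
    if src not in graph or dst not in graph:
        return None
    if not bridged:
        if dst in graph[src]:
            return graph[src][dst], [src, dst]
        return None
    # Dijkstra over the bridged graph
    best = {src: 0}
    heap = [(0, src, [src])]
    while heap:
        cost, site, path = heappop(heap)
        if site == dst:
            return cost, path
        if cost > best.get(site, float("inf")):
            continue
        for nxt, edge in graph[site].items():
            new_cost = cost + edge
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                heappush(heap, (new_cost, nxt, path + [nxt]))
    return None


if __name__ == "__main__":
    print(cheapest_path(SITE_LINKS, "Branch1", "Branch2"))
    print(cheapest_path(SITE_LINKS, "Branch1", "Branch2", bridged=False))
```

With bridging on, Branch1 reaches Branch2 through HQ for 350 rather than over the direct 500 link; with bridging off, only the direct link is usable. The same model shows why a deliberately expensive link on a slow WAN circuit keeps replication traffic off it whenever a cheaper path exists.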

Bridgehead servers are computers with additional hardware or network capacity that are specified as preferred recipients for intersite replication. The bridgehead server subsequently replicates its AD information to its replication partners. Using bridgehead servers improves replication performance between sites.

Create global catalog servers:

The global catalog should only be assigned to servers that are well connected to other DCs and have sufficient resources. AD creates one Global Catalog server per forest by default. If your network has multiple sites, you may wish to create additional global catalog servers to prevent queries from being performed across slow Wide Area Network (WAN) links.

Transfer Flexible Single Master Operations (FSMO) roles:

Miscellaneous:

DCs in Active Directory act as peers and use multimaster replication to share changes to the AD database. There are some roles that cannot be performed in a multimaster fashion and these are called Operations Master Roles. When in a single domain with a single DC, all roles reside on one machine - the operations master domain controller.

Forest-Wide Operations Master Roles (automatically assumed by the first DC installed in the forest):

Schema Master - controls all updates and changes to the schema. Any time you update the schema you are accessing the schema master. There can only be one schema master in an entire forest.
Domain Naming Master - controls the addition or removal of domains in the forest. Only one allowed per forest.

Domain-Wide Operations Master Roles (automatically assumed by the first DC in the new domain):

Relative ID Master - assigns relative IDs to each of the DCs in its domain. Only one allowed per domain. Every object in a domain gets a unique security ID (SID) which contains a domain SID (same for everything in the domain) and a relative ID (RID - unique for every object created in the domain).
PDC Emulator - acts as a Primary Domain Controller for domains with computers operating without W2K client software or with NT BDCs. In native mode it is the preferred replication partner for password changes in a domain. Used by other DCs to authenticate logons before rejecting due to a bad password. Also handles GPO edit conflicts and time synchronization. Only one allowed per domain.
Infrastructure Master - updates group-to-user references when members of groups are changed or renamed.
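The SID structure described under the Relative ID Master (a domain SID shared by every object plus a per-object RID) is easy to see in code. The following is an added example for this page, not Microsoft code: it splits a SID string into its domain and RID parts, models a RID master handing non-overlapping RID blocks to DCs, and checks a set of SIDs for the two properties the guide states. The domain SID and block size are constructed values, not the Windows 2000 defaults.

```python
import re

# S-<revision>-<identifier authority>-<sub-authorities...>; the last
# sub-authority of a domain account SID is the RID.
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)+)$")


def split_sid(sid):
    """Split an account SID into (domain SID, RID).

    'S-1-5-21-A-B-C-1105' -> ('S-1-5-21-A-B-C', 1105). The domain SID is
    identical for every object in the domain; the RID is the per-object part.
    """
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID: {sid!r}")
    revision, authority, tail = m.groups()
    subauths = [int(s) for s in tail.strip("-").split("-")]
    if len(subauths) < 2:
        raise ValueError(f"SID has no RID component: {sid!r}")
    domain_sid = f"S-{revision}-{authority}-" + "-".join(map(str, subauths[:-1]))
    return domain_sid, subauths[-1]


class RidMaster:
    """Hands each DC a block of RIDs that no other DC will receive.

    The block size and starting RID are illustration values, not the
    Windows 2000 defaults.
    """

    def __init__(self, domain_sid, block_size=100):
        self.domain_sid = domain_sid
        self.block_size = block_size
        self._next_block_start = 1000   # constructed starting point
        self.pools = {}                 # DC name -> iterator over its block

    def allocate_block(self, dc_name):
        start = self._next_block_start
        self._next_block_start += self.block_size
        self.pools[dc_name] = iter(range(start, start + self.block_size))
        return start, start + self.block_size - 1

    def new_sid(self, dc_name):
        """A DC mints a SID from its own block and refills when exhausted.

        If the RID master were unavailable, a DC with an empty pool could
        not create new objects: that is the failure the guide describes.
        """
        if dc_name not in self.pools:
            self.allocate_block(dc_name)
        try:
            rid = next(self.pools[dc_name])
        except StopIteration:
            self.allocate_block(dc_name)
            rid = next(self.pools[dc_name])
        return f"{self.domain_sid}-{rid}"


def sids_are_consistent(sids):
    """True when every SID shares one domain SID and no RID repeats."""
    parsed = [split_sid(s) for s in sids]
    domains = {d for d, _ in parsed}
    rids = [r for _, r in parsed]
    return len(domains) == 1 and len(rids) == len(set(rids))


def demo():
    # Constructed domain SID, not taken from any real domain.
    master = RidMaster("S-1-5-21-1004336348-1177238915-682003330", block_size=3)
    # Two DCs create objects independently; each draws from its own block.
    return ([master.new_sid("DC1") for _ in range(4)]
            + [master.new_sid("DC2") for _ in range(4)])


if __name__ == "__main__":
    for sid in demo():
        print(sid, split_sid(sid))
```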

Operations Master Placement:

The infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same AD site.
At the forest level, the domain naming and schema master roles should be placed on the same DC as they are not used much and must be tightly controlled.

Seizing FSMO Roles:

  • Schema master - failure will only be noticeable to admins when they are trying to modify the schema - it will not affect network users. Use the AD Schema MMC snap-in to transfer roles.
  • Domain naming master - failure will only be noticeable to admins when they are trying to add or remove domains. Use the AD Domains and Trusts console to transfer roles.
  • RID master - failure is not visible to network users. Admins will notice it is dead if they are trying to create objects in a domain that has run out of relative identifiers. Use the AD Users and Computers console to transfer roles.
  • Infrastructure master - Will only be visible to admins if they have recently renamed and moved a large number of accounts. Role can be seized to a DC that is not a global catalog server but is well-connected to one. Use the AD Users and Computers console to transfer roles.
  • PDC emulator - affects network users, especially those using non W2K clients. Use the AD Users and Computers console to transfer roles.
  • Roles can also be seized/transferred using the ntdsutil.exe command-line utility.

Back up and restore Active Directory:

Perform an authoritative restore of Active Directory:

An authoritative restore is performed immediately after a non-authoritative restore and designates the information that is authoritative (meaning that it will be replicated to other DCs in the forest even though it is not current). The authoritative data is given a higher version number than data on other DCs which allows them to accept the changes.

Steps for performing an authoritative restore:

1. Perform a non-authoritative restore.
2. Restart the system.
3. Press F8.
4. At the options menu choose Directory Services Restore Mode.
5. Choose W2K as the operating system to load.
6. Log on as Administrator.
7. Click OK when you are warned about running in safe mode.
8. Drop to a command prompt, type ntdsutil and press Enter.
9. Type authoritative restore and press Enter.
10. Type restore database to restore the entire directory, or type restore subtree <subtree_distinguished_name> to restore a portion, then press Enter.
11. Type restore database verinc and press Enter to restore the entire directory and override the version increase.
12. Type quit to exit NTDSUTIL.

Install, configure, and troubleshoot DNS for Active Directory:

  • An Active Directory Integrated zone stores its data in Active Directory rather than on the local machine. Provides greater fault-tolerance and secure updates.  
  • ACL editing provides granular access to either the zone or a specified resource record in the zone. This feature is not available for standard primary zones.
  • Non-Microsoft DNS servers can be used with AD so long as they support SRV records and dynamic updates. The DNS server in Windows NT Server 4.0 cannot be used with AD; however, BIND versions 8.1.2 and later can.

Configure zones for Dynamic DNS (DDNS) updates:

Zones can be configured for Dynamic Updates. Resource records will then be updated by the DHCP clients and/or server without administrator intervention. The Only Secure Updates option is only available in Active Directory Integrated zones (enabled by default).

Manage replication of DNS data:

In MS speak, Zone Transfer refers to the duplication of data between DNS servers that do not participate in AD. Zone Replication refers to the replication of data between DNS servers (on domain controllers) that do participate in AD. Zone Transfer uses DNS Notification, whereas in Zone Replication DNS servers poll AD approximately every 15 minutes (by default - depends on the SOA refresh interval) for updates.

Installing, Configuring, Managing, Monitoring, Optimizing, and Troubleshooting Change and Configuration Management:

Implement and troubleshoot Group Policy:

The more GPOs you apply, the longer it takes to startup and/or logon to a system. GPOs are handy, but don't go completely nuts with them.

Each W2K computer can have one local GPO. These local GPOs can have their settings overridden by non-local GPOs when used in conjunction with AD.

Delegate administrative control of Group Policy:

Allows you to specify which groups of Administrators have access permissions to the GPO. The default permissions (security group - default settings) are:

  • Authenticated Users - Read, Apply Group Policy, Special Permissions
  • Creator Owner - Special Permissions
  • Domain Admins - Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
  • Enterprise Admins - Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions
  • System - Read, Write, Create All Child Objects, Delete All Child Objects, Special Permissions

Write access is required to open and view the Group Policy snap-in and see the settings it contains.

Modify Group Policy inheritance:

Group policy settings are processed (inherited) in the following order:

Local GPO - there can be only one local GPO and it is processed first.
Site GPOs - these are processed next - administrator can specify the order they are processed in. Overwrites local.
Domain GPOs - multiple GPOs are processed synchronously in the order specified by the administrator. Overwrites site and local.
OU GPOs - GPOs linked to the OU highest in AD are processed first followed by GPOs linked to any child OUs. Each previous GPO is overwritten by the next in line. When several GPOs are linked to a single OU, they are processed synchronously, in the order specified by the administrator.

Block inheritance - any site, domain or OU can block inheritance of group policy from above, except when an administrator has set No Override to the GPO link. Block inheritance cannot be applied to GPOs or GPO links.
No override - any GPO linked to a site, domain or OU can be set to no override so that none of its policies will be overridden by a child container it is linked to.
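The inheritance rules above (Local, Site, Domain, OU processing order; later GPOs overwrite earlier ones; Block inheritance discards everything from above except No Override links; No Override settings are never overwritten further down) are easier to reason about when run. The following is an added example written for this page, not Microsoft's Group Policy engine: container names, GPO names and settings are constructed, and the resolver returns which GPO supplied each effective setting.

```python
from dataclasses import dataclass, field


@dataclass
class GpoLink:
    name: str
    settings: dict
    no_override: bool = False      # "No Override" set on this GPO link


@dataclass
class Container:
    name: str                      # "Local", "Site:...", "Domain:...", "OU:..."
    links: list = field(default_factory=list)   # admin-specified order
    block_inheritance: bool = False


def effective_policy(chain):
    """Resolve settings for a chain ordered Local, Site, Domain, OU, child OU.

    Later containers overwrite earlier ones. A container with Block
    Inheritance discards GPOs linked above it unless those links carry
    No Override; a No Override setting is never overwritten further down,
    and among several No Override links the one highest in the chain wins.
    Returns {setting: (value, gpo_name)}.
    """
    lowest_block = max(
        (i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    result = {}
    enforced = set()
    for index, container in enumerate(chain):
        for link in container.links:
            if index < lowest_block and not link.no_override:
                continue               # blocked by a container below
            for key, value in link.settings.items():
                if key in enforced:
                    continue           # an enforced setting from above wins
                result[key] = (value, link.name)
                if link.no_override:
                    enforced.add(key)
    return result


def sample_chain(block, enforce):
    """Constructed LSDOU chain; flags toggle the OU block and the domain No Override."""
    return [
        Container("Local", [GpoLink("Local GPO", {"screensaver_timeout": 600})]),
        Container("Site:HQ", [GpoLink("HQ Site GPO", {"screensaver_timeout": 900})]),
        Container("Domain:corp.example", [GpoLink(
            "Domain Security",
            {"min_password_length": 8, "screensaver_timeout": 300},
            no_override=enforce)]),
        Container("OU:Sales", [GpoLink(
            "Sales Desktop",
            {"min_password_length": 4, "wallpaper": "sales.bmp"})],
            block_inheritance=block),
    ]


if __name__ == "__main__":
    for block, enforce in [(False, False), (True, False), (True, True)]:
        print(f"block={block} no_override={enforce}:",
              effective_policy(sample_chain(block, enforce)))
```

The third case is the one worth memorising: the Sales OU blocks inheritance and also tries to weaken the password length, yet the domain's No Override link still delivers the stronger setting, which is exactly how a domain-wide security baseline is protected from OU administrators.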

Filter Group Policy settings by associating security groups to GPOs:
Setting permissions for security groups allows an administrator to filter group policy so that it only applies to the users and computers specified.

System Policy Editor (poledit.exe) - Windows NT 4, Windows 95 and Windows 98 all use the System Policy Editor (poledit.exe) to specify user and computer configuration that is stored in the registry.

  • Not secure because settings can be changed by a user with the Registry Editor (regedit.exe).
  • Settings are imported/exported using .ADM templates.
  • Considered "undesirably persistent" as they are not removed when the policy ends.

Group Policy snap-ins - Exclusive to Windows 2000 and supersede the System Policy Editor. Use Incremental Security Templates.

  • Should only be applied to Windows 2000 systems that have been clean installed onto an NTFS partition. For NTFS computers that have been upgraded from NT4 or earlier, only the Basic security templates can be applied.
  • Settings can be stored locally or in AD. They are secure and cannot be changed by users - only Administrators.
  • More flexible than System Policies as they can be filtered using Active Directory.
  • Settings are imported/exported using .INF files. The Group Policy snap-in can be focused on a local or remote system.

Incremental Security Templates for Windows 2000:

Template (filenames) - description:

  • Compatibility (compatws.inf, compatsv.inf, compatdc.inf) - Compatibility template, but also referred to in MS documentation as Basic template. Sets up permissions for local users group so that legacy programs are more likely to run. Not considered a secure environment.
  • Secure (securews.inf, securesv.inf, securedc.inf) - Increases security settings for Account Policy and Auditing. Removes all members from Power Users group. ACLs are not modified.
  • High Secure (hisecws.inf, hisecsv.inf, hisecdc.inf) - Secure template provided for Workstations running in W2K native mode only. Requires all network communications to be digitally signed and encrypted. Cannot communicate with downlevel Windows clients. Changes ACLs to give Power Users ability to create shares and change system time.

*ws.inf is for a workstation, *sv.inf is for a member server, *dc.inf is for a domain controller.

Assign script policies to users and computers:

Startup/shutdown scripts run at system startup and shutdown and are assigned to computers. Logon/logoff scripts are assigned to users and run when the user logs on or off the system.

Startup scripts run in sequential order; logon scripts run asynchronously.
When a system is shut down, Windows 2000 processes the logoff scripts first followed by the shutdown scripts.
Multiple scripts can be assigned to the same user or computer and Windows processes them from top to bottom. The default timeout value for script processing is 10 minutes. If your scripts require more than this, you must manually adjust the timeout value with a software policy. The following scripting languages can be used: VBScript, JScript, Perl, and MS-DOS style batch files.

Group Policy can be used to redirect the following special folders:

  • Application Data
  • Desktop
  • My Documents
  • My Pictures
  • Start Menu

Advantages are:

  • When used with roaming profiles, redirecting folders to a central server prevents files from being copied back and forth from the server to the workstation every time the user logs on and off.
  • Makes a user's documents available to them even on different computers on the network.
  • Data that is centrally stored on a network server can be backed up regularly and does not require action on the part of the user.
  • Sysadmin can use group policy to set disk quota, limiting the amount of space used by special folders.

Managing, Monitoring, and Optimizing the Components of Active Directory:

Manage Active Directory objects:

Moving Active Directory objects within a domain:

Objects can be moved within a domain using the AD Users & Computers console. Permissions that have been assigned directly to an object will not change when it is moved. It's possible to move multiple objects at once.

Moving Active Directory objects between domains:

Done using the movetree command-line utility included with the Windows 2000 Support Tools. When objects are moved their GUID remains unchanged but they receive a new SID. An OU can be moved from one domain to another without damaging any of its GPOs. The GPO link is automatically updated and continues to work. Users that are members of Global groups cannot be moved.

Use the netdom command-line utility included with the Windows 2000 Support Tools to move workstations or member servers between domains.

Control access to Active Directory objects:

W2K keeps a list of user access permissions for every AD object called the Access Control List (ACL). Permissions can be used to assign admin privileges to users, groups, OUs, or any other object without giving control over other AD objects.

Permission - description:

  • Read - Can view objects and their attributes, the owner of the object and AD permissions.
  • Write - Modify attributes of object.
  • Full Control - Change all permissions and take ownership.
  • Create All Child Objects - Can add any type of child object to an OU.
  • Delete All Child Objects - Can delete any type of object from an OU.

Monitor, maintain, and troubleshoot Active Directory components:

Configuring, Managing, Monitoring, and Troubleshooting Active Directory Security Solutions:

Apply security policies by using Group Policy:

  • Used to track success/failure of events like logon attempts, accesses to a specific file, modifications to a user account, group memberships, and security setting modifications.
  • Audited events are written to the Event Viewer.
  • You must have the Manage Auditing & Security Log user right on the system where you need to implement an audit policy or review the audit log.
  • NTFS file system required for files and folders being audited.

Create, analyze, and modify security configurations by using Security Configuration and Analysis and Security Templates:

  • The Security Configuration and Analysis snap-in is used to troubleshoot security in Windows 2000.
  • The security database is compared to an incremental template such as hisecsv.inf and the results are displayed in the right-hand pane.
  • There is a text based version of this tool that can be run from the command line - secedit.exe.

Implement an audit policy: The following event categories can be audited:

Event - description:

  • Account logon - Request to validate a user account received by a DC
  • Account management - User account added, modified, enabled/disabled, password set/changed
  • Directory service access - Tracks access to specified AD objects
  • Logon events - User logs on or off, creates or cancels a network connection
  • Object access - File, folder, or printer access
  • Policy change - User security options, user rights, or audit policies
  • Privilege use - Tracks user access of rights
  • Process tracking - Used by programmers needing to track details of program execution
  • System events - System startup/shutdown or W2K security event (e.g., full audit log)

Monitor and analyze security events:

  • Application log - contains errors, warnings, or information generated by programs running under Windows.
  • System log - contains errors, warnings, or information generated by W2K.
  • Security log - contains info about success/failure of audited events. Only records events that auditing is set for.
  • Logs are accessed through Administrative Tools > Event Viewer.
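Once auditing is enabled and the Security log fills with Success Audit and Failure Audit entries, the practical task is reading it for patterns rather than one event at a time. The following is an added example for this page, not a Microsoft tool: it parses a constructed tab-separated export of Security log events (the Type, Category, User and Computer fields as Event Viewer shows them; no real log data), counts failed logons per account, flags accounts over a threshold and surfaces every Policy Change event for review.

```python
from collections import Counter

# Constructed Security log export (not a real log): one event per line,
# tab-separated fields Type, Category, User, Computer.
SAMPLE_SECURITY_LOG = """\
Failure Audit\tLogon/Logoff\tjsmith\tWS01
Failure Audit\tLogon/Logoff\tjsmith\tWS01
Failure Audit\tLogon/Logoff\tjsmith\tWS01
Failure Audit\tLogon/Logoff\tjsmith\tWS01
Success Audit\tLogon/Logoff\tjsmith\tWS01
Success Audit\tLogon/Logoff\tadavis\tWS02
Failure Audit\tLogon/Logoff\tadavis\tWS02
Success Audit\tPolicy Change\tAdministrator\tDC01
Success Audit\tAccount Management\tAdministrator\tDC01
"""


def parse_security_log(text):
    """Turn the export into a list of event dicts; reject malformed lines."""
    events = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("\t")
        if len(parts) != 4:
            raise ValueError(f"line {line_no}: expected 4 fields, got {len(parts)}")
        etype, category, user, computer = parts
        events.append({"type": etype, "category": category,
                       "user": user, "computer": computer})
    return events


def count_by_category(events):
    """Summary of how many events each (category, type) pair produced."""
    return Counter((e["category"], e["type"]) for e in events)


def failed_logons_by_user(events):
    """Failure Audit logon events per account."""
    return Counter(e["user"] for e in events
                   if e["type"] == "Failure Audit"
                   and e["category"] == "Logon/Logoff")


def users_over_threshold(events, threshold=3):
    """Accounts whose failed logon count reached the threshold, sorted."""
    return sorted(user for user, n in failed_logons_by_user(events).items()
                  if n >= threshold)


def policy_changes(events):
    """Every Policy Change event: audit or rights changes deserve review."""
    return [e for e in events if e["category"] == "Policy Change"]


if __name__ == "__main__":
    evts = parse_security_log(SAMPLE_SECURITY_LOG)
    print(count_by_category(evts))
    print("repeated failures:", users_over_threshold(evts))
    for e in policy_changes(evts):
        print("policy change by", e["user"], "on", e["computer"])
```

Only events covered by the audit policy appear in the Security log, so a category that was never enabled produces an empty count here rather than a zero you can trust; that is why the audit policy and the log review belong together.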
