Study Guide for MCSE Exam 70-217
Implementing and Administering a Microsoft Windows 2000
Directory Services Infrastructure
Concepts
Active Directory Overview
The Microsoft Windows 2000 Active Directory (AD) is the central
repository in which all objects in an enterprise and their
respective attributes are stored. It is a hierarchical, multimaster
enabled database, capable of storing millions of objects. Because it
is multimaster, changes to the database can be processed at any
given domain controller (DC) in the enterprise regardless of whether
the domain controller is connected or disconnected from the network.
Windows 2000 Domain Hierarchy
Windows 2000 domains use a hierarchical model with a parent domain
and child domains under it. A single domain tree consists of a
parent domain and all of its child domains.
Domains are named in accordance with the Internet’s Domain Name
System standard. If the parent (root) domain is called “acme.com”,
a child may be called “support.acme.com”. Between Windows 2000
domains, trust relationships are created automatically as two-way,
transitive trusts: if Domain A trusts Domain B and Domain B trusts
Domain C, then Domain A also trusts Domain C. In addition, you have
the option of creating explicit one-way trusts, or no trust. The
act of permissions flowing downward from parent to child is called
inheritance. It is the default, but can be blocked for specific
objects or classes of objects.
AD Database Overview
Forest and Trees
The AD database contains all information
about objects in all the domains from logon authentication to
objects in the directory. A hierarchical structure made up of
multiple domains that trust each other is called a tree. A set of
object definitions and their associated attributes is called a
schema. All domains in a tree will share the same schema and will
have a contiguous namespace. A namespace is a collection of domains
that share a common root name. An example of this is
support.acme.com, marketing.acme.com, and acme.com. A disjointed
namespace contains domains that are interrelated, but don’t share
common root name. This might occur when a company merges with
another company. An example of this is acme.com, and abc.com. A
forest is one or more domain trees that have separate contiguous
namespaces. All the trees in a forest share a common schema and
trust one another because of transitive trusts. If you have multiple
forests, you must set up an explicit trust between them.
Sites
Use the Active Directory Sites And Services Microsoft Management
Console (MMC) snapin to configure sites. To create a site, add the
subnets the domain controllers are in to the site object. A site
object is a collection of subnet addresses that usually share a
geographic location. Sites can span domains, and domains can span
sites. If the subnet address of a client or domain controller has
not been included in any site, it is assigned to the initial site
container created by AD, named Default-First-Site-Name. If a subnet
requires fast access to the directory, it should be configured as a
site. In every site, at least one global catalog server should be
installed for fast directory access, and at least one domain
controller should be installed.
Dynamic Domain Name System (DDNS)
AD requires Dynamic Domain Name System (DDNS) for name resolution of
objects. The records in the DNS database are automatically updated
instead of the normal DNS manual methods.
Organizational Units (OUs)
An Organizational Unit is a container object that can hold users,
groups, printers, and other objects, as long as these objects are
members of the same domain as the OU. You can organize the domain
into logical administrative groups using OUs. OUs allow you to
delegate the management of the objects in the OU to other users. You
can assign the objects in the OU a set of permissions separate from
those used elsewhere in your domain.
The Active Directory Users And Computers MMC snap-in is used to
create and manage OUs. To delegate the control of an OU, use the
Delegation of Control Wizard.
Global Catalog
A global catalog contains all the objects in the AD, with only a
subset of their attributes.
This allows you to find objects quickly even in a large multi-domain
environment. The global catalog serves as an index to the entire
structure of all domains and trees in a forest. It is also used for
user authentication, so a user can log on at any location without
having to perform a lookup back to the user’s home domain. The
first server installed in a tree is called the global catalog
server. Additional global catalog servers will improve the response
time of queries for AD objects. Use the Active Directory Sites And
Services MMC snap-in to create additional global catalog servers.
Domain Controllers
All domain controllers in a Windows 2000 domain have a writeable
copy of the AD database. All changes performed on any domain
controller are replicated to all the other domain controllers within
the domain via multimaster replication. Multimaster replication
means there is no single master domain controller; all domain
controllers are considered equal. Domain controllers are not required
to replicate directly with each other. Domain controllers that are
in close proximity to each other can replicate with each other, and
then one of them can send all the changes to a remote domain
controller.
Replication
A connection object is a connection that AD uses for replication.
Connection objects are fault tolerant. When a communication fails,
AD will automatically reconfigure itself to use another route to
continue replication. The process that creates connection objects is
called Knowledge Consistency Checker (KCC). It runs on all domain
controllers every 15 minutes by default. It creates connection
objects that provide the most favorable route for replication at the
time of replication. KCC uses the network model that has been
defined to determine connectivity between sites, but it will
configure the links between domain controllers in the same site
without assistance. Changes that need to be replicated are based on
the update sequence number (USN). Each domain controller maintains a
table of its own USNs, which is updated whenever it makes a change
to an AD object. The USN is written to the AD database with the
attribute that has changed. Other domain controllers use this USN to
determine whether a change has occurred on a replication partner. To
reduce network traffic, only the changed attribute will be
transferred. After a domain controller fails, it attempts to
replicate with all of the domain controllers when brought back
online. It only requests updates with USNs greater than the last USN
that was applied.
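The USN mechanism above is easier to see in code. The following is an added example written for this guide, not Microsoft code: a toy model in which each domain controller stamps its own update sequence number on every changed attribute and a replication partner pulls only the entries above the last USN it applied (its high-watermark). The class and method names (DomainController, replicate_from, changes_since) and the sample directory objects are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass
class DomainController:
    """One replica. `usn` is this DC's own update sequence counter; `log`
    records every local write together with the USN it was stamped with."""
    name: str
    usn: int = 0
    objects: dict = field(default_factory=dict)         # dn -> {attr: (value, usn)}
    high_watermark: dict = field(default_factory=dict)  # partner name -> last USN applied
    log: list = field(default_factory=list)             # (usn, dn, attr, value)

    def write(self, dn, attr, value):
        """A local originating change: advance the USN and stamp it on the
        changed attribute (not on the whole object)."""
        self.usn += 1
        self.objects.setdefault(dn, {})[attr] = (value, self.usn)
        self.log.append((self.usn, dn, attr, value))
        return self.usn

    def changes_since(self, usn):
        """Everything written with a USN greater than the requester's watermark."""
        return [entry for entry in self.log if entry[0] > usn]

    def replicate_from(self, partner):
        """Pull only what the partner wrote above our last applied USN, then
        advance the watermark. Returns the number of attribute updates moved."""
        last = self.high_watermark.get(partner.name, 0)
        changes = partner.changes_since(last)
        for usn, dn, attr, value in changes:
            self.objects.setdefault(dn, {})[attr] = (value, usn)
            last = usn
        self.high_watermark[partner.name] = last
        return len(changes)


def demo():
    """Constructed scenario: DC2 replicates from DC1 three times."""
    dc1, dc2 = DomainController("DC1"), DomainController("DC2")
    dc1.write("cn=alice,ou=sales", "telephoneNumber", "555-0100")
    dc1.write("cn=alice,ou=sales", "title", "Engineer")
    first = dc2.replicate_from(dc1)      # 2 attribute updates: initial sync
    dc1.write("cn=alice,ou=sales", "telephoneNumber", "555-0199")
    second = dc2.replicate_from(dc1)     # 1: only the changed attribute is transferred
    third = dc2.replicate_from(dc1)      # 0: nothing above the watermark, as after an outage
    return first, second, third, dc2.objects["cn=alice,ou=sales"]["telephoneNumber"][0]


if __name__ == "__main__":
    print(demo())
```

The third call models the "DC comes back online" case from the text: the partner is asked only for USNs greater than the last one applied, so an up-to-date replica costs nothing to re-check.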
Sites
AD uses sites to control replication traffic over a WAN. A site is a
group of domain controllers joined by a fast connection. Intrasite
replication traffic can consume a large amount of bandwidth.
Intersite traffic is compressed at a rate of 10:1.
Site Links
Site links are created using either Remote Procedure Call (RPC), or
Simple Mail Transfer Protocol (SMTP) after sites are created. These
links facilitate the replication between sites.
If not created, domain controllers will not be able to send or
receive directory updates.
Replication availability, cost, and replication frequency can be
configured for greater efficiency. The KCC uses settings from the
site links to determine which connection objects to create to
replicate directory data. SMTP transport is generally used for
connections that are intermittent, such as dial-up links.
Replication can be set up for a specific schedule by specifying when
replication over that site link cannot take place, or by default,
which allows replication to occur at any time. The default
replication time is every three hours. Cost value determines which
link to use when there are multiple links between sites. AD always
uses the lowest cost path available. You can designate a domain
controller as a bridgehead server to act as a replication gateway.
It accepts all replication data from other sites via slow links and
distributes it to other domain controllers in the site via fast
links. Bridgehead servers are commonly used when sites are separated
by firewalls, proxy servers, or Virtual Private Networks (VPNs).
Site Link Bridge
A site link bridge specifies a preferred route for replication
traffic. It is the process of building a connection between two
links. It is not needed in a fully routed IP network. If you set up
site link bridges, you must turn off the default option to bridge
all site links automatically.
Installing, Configuring, and
Troubleshooting Active Directory
Microsoft Management Console (MMC)
MMC is a framework in which you can add custom utilities called
snap-ins to administer system components. Preconfigured MMCs that
are used to work with AD are:
Snap-in - Description
AD Domains And Trusts - Configures and manages trust relationships.
AD Sites And Services - Creates and manages sites, site links, site
link bridges, replication and OUs.
AD Users And Computers - Creates and manages user accounts, resource
objects and security groups.
DNS - Manages DNS.
Domain Security Policy - Manages security policy for domains.
Installing Active Directory
Servers install as member servers (standalone) by default. Active
Directory services can only be installed on a Windows 2000 Server,
Advanced Server or Datacenter Server. You must have at least 256 MB of memory
available, and at least one NTFS 5.0 partition. The Directory
Services database is installed to %systemroot%\ntds\ntds.dit by
default. AD depends on DNS, and as such, cannot be installed without
it. During the installation program, if DNS is not found, you are
given the choice of aborting the installation or installing DNS on
the server you’re upgrading to a domain controller.
You do not have to reinstall the operating system to create a domain
controller. A member server can be promoted to a domain controller
or demoted to a member server at any time by using dcpromo. Dcpromo
can also run unattended from an answer file, specified with the
/answer:<answer_file> switch; the answer file contains only the
[DCInstall] section.
To remove AD and demote a domain controller to a member server, log
on as an Administrator, then supply Enterprise Administrator
credentials during the demotion process.
Use mixed mode (installed by default) if your domain consists of
both AD and pre-Windows 2000 domain controllers. If Windows 2000 is
being installed into an infrastructure where all domain controllers
will be running Windows 2000, then domain controllers should utilize
native mode.
Creating Sites
By default, all domain controllers are placed in the default site,
Default-First-Site-Name, and the KCC handles all replication. To
create a site go to Start | Programs | Administrative Tools | AD
Sites And Services. Right-click Sites, and choose New Site. Type the
name of your site and select a site link. If the IP address of a
newly installed domain controller matches an existing subnet in a
defined site, it is automatically added to that site. Otherwise, it
is added to the site of the source domain controller.
Creating Subnets
Subnets are the objects used by AD to determine the boundaries of
sites. Workstations use subnets to determine the closest domain
controller for logons. AD uses IP subnets to find a domain
controller in the same site as the system that is being
authenticated during a logon and to determine the best routes
between domain controllers. To create a subnet go to Start |
Programs | Administrative Tools | AD Sites And Services | Sites.
Right-click Subnets, and choose New Subnet. Enter the subnet
address and subnet mask. Associate the subnet with a site.
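How a subnet object turns an address into a site, and what happens when no subnet matches, can be shown with a small lookup. This is an added example for this guide, not part of the original text or of Windows 2000: the subnets, site names and function names (site_for_address, unassigned_hosts) are constructed, and it assumes that when nested subnets both contain an address the most specific (longest prefix) one wins.

```python
import ipaddress

DEFAULT_SITE = "Default-First-Site-Name"

# Constructed subnet objects: (subnet in CIDR form, site the subnet is associated with)
SUBNETS = [
    ("10.1.0.0/16", "HQ"),
    ("10.1.5.0/24", "HQ-Lab"),        # a more specific subnet nested inside 10.1.0.0/16
    ("192.168.20.0/24", "Branch1"),
]


def site_for_address(ip, subnets=SUBNETS, default=DEFAULT_SITE):
    """Return the site whose subnet object contains `ip`. When several subnets
    match, the longest prefix wins (assumption, see lead-in); when none match,
    the address falls back to the default site, as an unassigned subnet does in AD."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else default


def unassigned_hosts(addresses, subnets=SUBNETS):
    """Audit helper: which of these addresses would land in the default site?
    A domain controller or a busy client segment showing up here usually means
    a subnet object is missing, and logons will not be directed to a local DC."""
    return [ip for ip in addresses if site_for_address(ip, subnets) == DEFAULT_SITE]


if __name__ == "__main__":
    for ip in ("10.1.5.7", "10.1.9.9", "192.168.20.4", "172.16.0.1"):
        print(ip, "->", site_for_address(ip))
```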
Creating Site Links
Creating a site link between two or more sites influences
replication. In creating a site link, you can specify what
connections are available, which ones are preferred, and how much
bandwidth is available. AD can use this information to choose the
most efficient times and connections for replication. Site links are
not created automatically; they must be created manually. Computers
in different sites cannot communicate with each other or replicate
data until a site link has been established between them. To create
a new site link go to Start | Programs | Administrative Tools | AD
Sites And Services Right-click the Inter-Site Transports folder (IP
or SMTP), then click New Site Link. Provide a link name and choose
the sites you want to connect. The DEFAULTIPSITELINK object is
created in the IP container when AD is installed on the first domain
controller in a site. Default site link cost is 100. The slower a
connection, the more it should cost. The replication interval must
be at least 15 minutes and cannot exceed 10,080 minutes.
Replication protocols over site links:
SMTP Replication - Only used for intersite replication. Is
synchronous and ignores all schedules. Requires installation of a
Certificate Authority (CA).
IP Replication - Uses Remote Procedure Calls (RPCs) for both
intersite and intrasite replication. Intersite IP replication uses
schedules by default. Does not require a CA.
Creating Site Link Bridges
In a fully routed network, it is not necessary to create site link
bridges as all site links using the same protocol are bridged by
default. When a network is not fully routed it is necessary to
disable the default site link bridging. To create a new site link
bridge, go to Start | Programs | Administrative Tools | AD Sites And
Services. Right-click the Inter-Site Transports folder (IP or SMTP),
then click New Site Link Bridge. Provide a site link bridge name and
choose the site links you want to connect. To disable default site
link bridging, go to Start | Programs | Administrative Tools | AD
Sites And Services. Right-click the Inter-Site Transports folder (IP
or SMTP), then click Properties. Uncheck the Bridge All Site Links
check box.
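The cost and bridging rules from the two sections above (site link cost, "AD always uses the lowest cost path", and what disabling Bridge All Site Links changes) can be worked through in code. This is an added example for this guide, not Microsoft code and not the KCC's real algorithm: the sites, link names and costs are constructed, and the functions (build_graph, dijkstra, cheapest_route) are illustrative.

```python
import heapq

# Constructed site links: (link name, sites in the link, cost). A new site link
# defaults to cost 100; the slower the connection, the higher its cost should be.
SITE_LINKS = [
    ("HQ-Branch1", {"HQ", "Branch1"}, 100),
    ("Branch1-Branch2", {"Branch1", "Branch2"}, 100),
    ("HQ-Branch2-Dialup", {"HQ", "Branch2"}, 500),
]


def build_graph(site_links):
    """Each site in a link can reach every other site in that link at the link's cost."""
    graph = {}
    for _name, sites, cost in site_links:
        for a in sites:
            for b in sites:
                if a != b:
                    graph.setdefault(a, []).append((b, cost))
    return graph


def dijkstra(graph, src, dst):
    """Lowest total cost route; returns (cost, [sites]) or None if unreachable."""
    best, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if site == dst:
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if cost > best.get(site, float("inf")):
            continue                                 # stale heap entry
        for nxt, link_cost in graph.get(site, []):
            new_cost = cost + link_cost
            if new_cost < best.get(nxt, float("inf")):
                best[nxt], prev[nxt] = new_cost, site
                heapq.heappush(heap, (new_cost, nxt))
    return None


def cheapest_route(site_links, src, dst, bridge_all_site_links=True, site_link_bridges=()):
    """With Bridge All Site Links on, every link is transitive and a route may
    chain several links. With it off, a route may only use a single link or the
    links grouped into one explicit site link bridge (a set of link names)."""
    if bridge_all_site_links:
        return dijkstra(build_graph(site_links), src, dst)
    by_name = {link[0]: link for link in site_links}
    candidate_sets = [[link] for link in site_links]
    candidate_sets += [[by_name[n] for n in bridge] for bridge in site_link_bridges]
    routes = [r for r in (dijkstra(build_graph(links), src, dst) for links in candidate_sets) if r]
    return min(routes) if routes else None


if __name__ == "__main__":
    print(cheapest_route(SITE_LINKS, "HQ", "Branch2"))                                 # (200, ...)
    print(cheapest_route(SITE_LINKS, "HQ", "Branch2", bridge_all_site_links=False))   # (500, ...)
```

With automatic bridging the two-hop 100 + 100 route beats the direct 500 dial-up link; once bridging is turned off, only the direct link (or links joined by an explicit bridge) is usable, which is why the text says that disabling default bridging obliges you to create site link bridges yourself.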
Creating Connection Objects
Connection objects are automatically created by the Knowledge
Consistency Checker (KCC). Manually adding connection objects may
increase replication performance. To create a connection object, go
to Start | Programs | Administrative Tools | AD Sites And Services.
Open the Site folder. Next, open the Servers folder, then expand the
server object to get to the NTDS Settings. Right-click NTDS
Settings, and choose New Active Directory Connection. In the Find
Domain Controllers box, select the desired domain controller. In the
New Object – Connection window, name the new connection.
Creating Global Catalog Servers
There should be at least one global catalog server located in every
site. If your network has multiple sites, you may wish to create
additional global catalog servers to prevent queries from being
performed across slow Wide Area Network (WAN) links. AD creates one
global catalog server per forest by default. To create a global
catalog server, go to Start | Programs | Administrative Tools | AD
Sites And Services. Open the Site folder, and open the Servers
folder, then expand the server object to get to the NTDS Settings.
Right-click NTDS Settings, and choose Properties. Select the Global
Catalog Server checkbox on the General tab.
Moving Server Objects between Sites
When a server is created, it becomes a member of the site in which
it’s installed. To move server objects between sites go to Start |
Programs | Administrative Tools | AD Sites And Services. Open the
Site folder, and open the Servers folder where the server is
currently located. Right-click the server to be moved, and select
Move. Select the site you want to move the server object to then
click OK.
Operations Master Roles
AD uses multimaster replication of the directory to make all domain
controllers equal. Some operations are impractical to perform in a
multimaster environment. In a single-master model, only one DC in
the entire directory is allowed to process updates. The Windows 2000
Active Directory has the ability to transfer roles to any domain
controller (DC) in the enterprise. Because an Active Directory role
is not bound to a single DC, it is referred to as operations masters
roles. There are five operations masters roles:
Domain naming master - Forest-level master that controls
adding/deleting of domains to the forest. Responsible for domain
name uniqueness.
Infrastructure master - Domain-level master that maintains
inter-domain consistency.
PDC emulator - Domain-level master that provides support for non-AD
compatible clients. Handles the replication of data to Windows NT
BDCs.
Relative Identifier (RID) pool operations master - Domain-level
master that allocates pools of relative IDs to domain controllers.
Schema master - Forest-level master responsible for write updates
and changes to the schema.
Transferring Operations Master Roles
Transferring an operations master role moves the role from one
domain controller to another, for example when the domain controller
hosting the role fails.
Depending on the role, you must transfer the role using one of three
AD snap-ins:
Domain naming master - Active Directory Domains And Trusts
Infrastructure master - Active Directory Users And Computers
PDC emulator - Active Directory Users And Computers
RID pool operations master - Active Directory Users And Computers
Schema master - Active Directory Schema
Verifying Active Directory Installation
You can verify promotion of a server to a domain controller by
checking for the following items after an upgrade:
Default containers - Created automatically when the first domain is
created.
Default Domain Controllers OU - Contains the first domain controller.
Default-First-Site-Name - First site is automatically created when
you install the first domain controller.
Directory services database - The file Ntds.dit is installed in the
%systemroot%\ntds directory.
Global catalog server - First domain controller becomes a global
catalog server by default.
Root domain - Forest root is created when the first domain
controller is installed.
Shared system volume - Default location is the %systemroot%\Sysvol
directory. Exists on all Windows 2000 domain controllers.
SRV resource records - Registered on the DNS servers. Check the
Netlogon.dns file for the LDAP SRV entry.
Implementing an Organizational Unit Structure
OUs are AD containers into which users, groups, resources, and other
OUs are placed. The objects must be members of the same domain as
the OU. OUs allow you to assign separate sets of permissions over
the objects in the OU, and allow you to delegate administrative
rights to objects. To create OUs, go to Start | Programs |
Administrative Tools | AD Users And Computers. Select the domain
name or an existing OU, right-click it, then choose New from the
Action menu and select Organizational Unit. Enter the name of the
new OU, then click OK.
OU Properties:
General - Description, street address, city, state or province, zip
or postal code, and country or region.
Managed By - OU manager’s name, office location, street address,
city, state or province, country or region, phone number, and fax
number.
Group Policy - OU’s group policy links.
Backing Up and Restoring Active Directory
The data in AD that is backed up is called System State data. It
contains the Registry, system boot file, the AD database, the SYSVOL
directory, and the COM+ Class Registration database. To use the
Windows 2000 Backup utility to back up the System State data, you
must be a member of the Administrators or the Backup Operators
group.
Performing a Nonauthoritative Restore of Active Directory
By default, when restoring System State data to a domain controller,
you are performing a nonauthoritative restore. All System State
components that are older than the replicated components on the
other domain controllers will be brought up to date by replication
after the data is restored. If you do not want this information to
be updated by replication, you must perform an Authoritative
Restore. Nonauthoritative restore is used for restoring System State
data on a local computer only. If you do not specify an alternate
location for the restored data, Backup will erase your current
System State data. Only the registry files, SYSVOL directory files,
and system boot files are restored to the alternate location. The AD
database, Certificate Services database, and COM+ are not restored
when an alternate location is selected. To restore System State
data, you must first start the system in safe mode.
Performing an Authoritative Restore of Active Directory
An authoritative restore is performed immediately after a
nonauthoritative restore and designates the information that is
authoritative. A value of 100,000 is added to the Property Version
number of every object on the domain controller. This ensures the
objects on this domain controller will overwrite the copies of these
objects on other domain controllers. To perform an authoritative
restore, perform the standard restore procedure, but do not allow
the domain controller to reboot at the end of the procedure. Click
No to bypass the restart option, then close Backup. From a command
prompt, type Ntdsutil. From the Ntdsutil: prompt, type Authoritative
Restore. Then type Restore Database.
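Why adding 100,000 to the property version number makes the restored copy win is a matter of how attribute conflicts are resolved: the higher version wins, and only on a tie does the later write win. The following is an added example for this guide, not Microsoft code and not the ntds.dit format: the AttributeStamp structure, the winning_stamp rule and the sample values are constructed to show the effect of the boost.

```python
from dataclasses import dataclass

AUTHORITATIVE_RESTORE_INCREMENT = 100_000   # the value the text says Ntdsutil adds


@dataclass(frozen=True)
class AttributeStamp:
    """Replication metadata carried with one attribute value (constructed model)."""
    value: str
    version: int      # property version number, incremented on every originating write
    timestamp: int    # time of the write; consulted only when versions tie


def winning_stamp(a, b):
    """Conflict rule: the higher version wins; on a tie, the later write wins."""
    return max(a, b, key=lambda s: (s.version, s.timestamp))


def authoritative_restore(stamp):
    """Mark a restored value authoritative by boosting its version number."""
    return AttributeStamp(stamp.value,
                          stamp.version + AUTHORITATIVE_RESTORE_INCREMENT,
                          stamp.timestamp)


def demo():
    """Constructed scenario: a backup holds version 3 of an attribute; since the
    backup was taken, a later change (version 5) has replicated to every DC."""
    backed_up = AttributeStamp("Sales OU member", version=3, timestamp=1_000)
    live = AttributeStamp("(object deleted)", version=5, timestamp=2_000)
    # Nonauthoritative restore: the live, higher-versioned copy wins and the
    # restored data is simply overwritten by normal replication.
    nonauth = winning_stamp(backed_up, live)
    # Authoritative restore: the boosted version beats every live replica.
    auth = winning_stamp(authoritative_restore(backed_up), live)
    return nonauth.value, auth.value, auth.version


if __name__ == "__main__":
    print(demo())
```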
Startup and Recovery Settings
The paging file must be on the system partition and the pagefile
itself must be at least 1 MB larger than the amount of RAM installed
for the Write debugging information option to work. Use dumpchk.exe
to examine the contents of memory.dmp. A small memory dump needs 64K
of space and is stored in %systemroot%\minidump. Memory dumps are
saved with the filename memory.dmp. Startup and recovery settings are accessed
through Control Panel | System. Choose the Advanced tab, Startup and
Recovery.
DNS for Active Directory
Installing, Configuring and Troubleshooting DNS for Active Directory
Integrating Active Directory DNS Zones With Non-Active Directory DNS Zones
The Domain Name System (DNS) is the Active Directory
locator in Windows 2000. Active Directory clients and client tools
use DNS to locate domain controllers for administration and logon.
You must have a DNS server installed and configured for Active
Directory and the associated client software to function correctly.
Non-Microsoft DNS servers can be used with AD if they support SRV
records and dynamic updates. The DNS server in Windows NT Server 4.0
cannot be used with AD, but BIND versions 8.1.2 and later can.
Active Directory Integrated DNS uses the directory for the storage
and replication of DNS zone databases. If you use Active Directory
Integrated DNS, DNS runs on one or more domain controllers and you
do not need to set up a separate DNS replication topology.
Configuring Zones for Dynamic DNS (DDNS) Updates
Zones can be configured for dynamic updates. Resource records will
then be updated by DHCP clients and/or the DHCP server without
administrator intervention. The Only Secure Updates option is only
available in Active Directory integrated zones. To configure DDNS,
from the DNS console, select the server you want to administer and
then select Forward Lookup Zones. Right-click the domain name and
choose Properties. Check the Allow Dynamic Updates box on the
General tab. You must do the same for the Reverse Lookup Zones. Root
or “.” zones cannot be configured for dynamic updates.
Managing Replication of DNS Data
Zone Transfer is the duplication of data between DNS servers that do
not participate in AD.
Zone Replication is the replication of data between DNS servers (on
domain controllers) that participate in AD. Zone Replication DNS
servers poll AD every 15 minutes for updates.
Zone Transfer uses DNS Notification. There are two zone transfer
types, full zone transfer (AXFR) and incremental zone transfer (IXFR):
AXFR: When the refresh interval expires on a secondary server
it queries its primary using an AXFR query. If serial numbers have
changed since the last copy, a new copy of the entire zone database
is transferred to the secondary.
IXFR: Uses serial numbers, but transfers only information that has
changed. The server will only transfer the full database if the sum
of the changes is larger than the entire zone, the client serial
number is lower than the serial number of the old version of the
zone on the server or the server responding to the IXFR request
doesn’t recognize that type of query.
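The AXFR/IXFR decision rules above can be exercised in a small model of a primary and a secondary. This is an added example written for this guide, not the Windows 2000 DNS server's code: the PrimaryZone and SecondaryZone classes, the history_depth parameter (how many old zone versions the primary keeps deltas for) and the sample records are constructed, and the model uses the serial number comparisons the text describes rather than real DNS wire messages.

```python
class PrimaryZone:
    """Authoritative copy. Keeps deltas for the last `history_depth` versions;
    a secondary older than that can only be brought up to date by a full transfer."""

    def __init__(self, records, supports_ixfr=True, history_depth=2):
        self.serial = 1
        self.records = dict(records)      # name -> address
        self.changes = {}                 # serial -> (name, address) applied at that serial
        self.supports_ixfr = supports_ixfr
        self.history_depth = history_depth

    def update(self, name, address):
        """Every change bumps the SOA serial; secondaries compare against it."""
        self.serial += 1
        self.records[name] = address
        self.changes[self.serial] = (name, address)
        for old in sorted(self.changes)[:-self.history_depth]:
            del self.changes[old]         # forget deltas older than history_depth versions

    def oldest_version(self):
        return min(self.changes) - 1 if self.changes else self.serial

    def answer(self, client_serial, query):
        """Decide what to send a secondary whose copy is at `client_serial`."""
        if client_serial >= self.serial:
            return "none", []             # serial unchanged: nothing to transfer
        if query == "IXFR" and self.supports_ixfr and client_serial >= self.oldest_version():
            deltas = [self.changes[s] for s in range(client_serial + 1, self.serial + 1)]
            if len(deltas) < len(self.records):      # deltas smaller than the whole zone
                return "ixfr", deltas
        # Fallbacks from the text: AXFR asked for, IXFR not recognised, client serial
        # below the oldest retained version, or the deltas would not beat a full copy.
        return "axfr", sorted(self.records.items())


class SecondaryZone:
    def __init__(self, primary, use_ixfr=True):
        self.primary, self.use_ixfr = primary, use_ixfr
        self.serial, self.records = 0, {}

    def refresh(self):
        """Run when the refresh interval expires or a DNS NOTIFY arrives."""
        kind, payload = self.primary.answer(self.serial, "IXFR" if self.use_ixfr else "AXFR")
        if kind == "ixfr":
            self.records.update(payload)
        elif kind == "axfr":
            self.records = dict(payload)
        if kind != "none":
            self.serial = self.primary.serial
        return kind


def demo():
    """Constructed zones exercising each transfer decision."""
    primary = PrimaryZone({"dc1": "10.1.0.5", "dc2": "10.1.0.6", "www": "10.1.0.80"})
    secondary = SecondaryZone(primary)
    out = {"initial": secondary.refresh()}                 # axfr: nothing to diff from yet
    primary.update("www", "10.1.0.81")
    out["one_change"] = secondary.refresh()                # ixfr: a single delta
    out["unchanged"] = secondary.refresh()                 # none: serials match
    for i in range(3):
        primary.update(f"host{i}", f"10.1.1.{i}")
    out["too_old"] = secondary.refresh()                   # axfr: client below oldest kept version
    legacy = PrimaryZone({"a": "10.0.0.1", "b": "10.0.0.2"}, supports_ixfr=False)
    legacy_sec = SecondaryZone(legacy)
    legacy_sec.refresh()
    legacy.update("a", "10.0.0.3")
    out["no_ixfr_support"] = legacy_sec.refresh()          # axfr despite a single change
    tiny = PrimaryZone({"a": "10.0.0.1"}, history_depth=5)
    tiny_sec = SecondaryZone(tiny)
    tiny_sec.refresh()
    tiny.update("a", "10.0.0.2")
    tiny.update("b", "10.0.0.3")
    out["deltas_not_smaller"] = tiny_sec.refresh()        # axfr: 2 deltas vs a 2-record zone
    return out, secondary.records["www"], secondary.serial


if __name__ == "__main__":
    print(demo())
```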
Troubleshooting
Dcpromo creates an installation log during the installation
procedure that records every step, including success or failures.
The file created is Dcpromo.log, and is stored in the %systemroot%\Debug
directory. Dns.log can be enabled for debugging purposes. It is
stored in the %systemroot%\system32\dns folder. All debugging
options are disabled by default because they can be
resource-intensive. Use nslookup to troubleshoot problems with DNS.
Change and Configuration Management
Implementing and Troubleshooting Group Policy
Group policies are collections of computer and user configuration
settings that are linked to domains, sites, computers, and
organizational units. When applied, a Group Policy affects all users
and computers within a container. Group Policy settings define what
controls, freedoms, or restrictions are placed over an OU. Group
Policy Objects can contain seven types of settings:
Administrative Templates - Defines application and desktop
configurations via Registry controls.
Security - Controls access and security (account policies, lockout
policies, audit policies, user rights, etc.).
Software Installation - Controls installation, update, and removal
of software.
Scripts - Controls when Windows 2000 will execute specific scripts.
Remote Installation Services - Controls options when the Client
Installation Wizard is used by RIS.
Internet Explorer Maintenance - Manages and customizes Internet
Explorer.
Folder Redirection - Defines folder redirection for user profile
home directories and folders.
User configuration settings apply group policies to users,
regardless of what computer they have logged on to. Settings are
only applied at time of logon and removed when the user logs off.
Computer configuration settings apply group policies to
computers, regardless of what user logs on to them. Settings are
applied when Windows initializes.
Creating a Group Policy Object (GPO)
A GPO is stored in two locations: a Group Policy template (GPT) and
a Group Policy container (GPC). Local GPOs are created using the
Group Policy snap-in for the MMC. Site GPOs are created by Start |
Programs | Administrative Tools | AD Sites And Services. Right-click
the Site folder, and choose Properties, Group Policy tab. Each
Windows 2000 computer can have one local GPO. Local GPOs can have
their settings overridden by non-local GPOs when used in conjunction
with AD. In a peer-to-peer environment, local GPOs are not
overwritten by non-local GPOs. Domain/OU GPOs are created by Start |
Programs | Administrative Tools | AD Users And Computers.
Right-click domain or OU, and choose Properties, Group Policy tab.
Linking an Existing GPO
GPOs are linked with a container. It’s through the container that
GPOs are applied to individual users and computers. GPOs cannot be
tied directly to users or computers. A single GPO can be linked to
multiple OUs, or multiple GPOs can be linked to a single OU. Only
Domain Admins and Enterprise Admins have the ability to link GPOs to
domains, OUs, or sites. To link a GPO to an existing domain or
OU, use Administrative Tools | AD Users And Computers. Right-click the
domain or OU, and choose Properties, Group Policy tab. Click Add,
then choose the policy and click OK. To link a GPO to an existing
site, use Administrative Tools | AD Sites And Services. Right-click
the site, and choose Properties, Group Policy tab. Click Add, then
choose the policy and click OK.
Delegating Administrative Control of Group Policy
Delegating a GPO to a user grants that user control over the GPO,
not the container to which the GPO applies. GPO management
delegation includes: GPO links to sites, domains and OUs, creating
GPOs, and editing GPOs. The default permissions are:
Modifying Group Policy Inheritance
When multiple Group Policies apply to an object, the inheritance
rules (order in which applied) of Group Policy apply. The order is
Local GPO, Site GPO, Domain GPO, and OU GPO. Each previous GPO is
overwritten by the next in line. When several GPOs are linked to a
single OU, they are processed synchronously, in the order specified
by the administrator.
Exceptions to Inheritance Order
Any site, domain or OU can block inheritance of group policy from
above, except when an administrator has set No Override to the GPO
link. No override can be set so that none of its policies will be
overridden by a child container it is linked to. Loopback setting is
used to merge or replace modes.
Filtering Group Policy Settings by Associating Security Groups to
GPOs
By default, a GPO is applied to all members of its linked container.
Filtering grants or restricts Read access to the GPO. If a
user/group has Read access, the GPO can be applied; if not, it has
been filtered. To apply the GPO to specific users, modify the GPO’s
Access Control List (ACL). To prevent a GPO from applying to a
listed group, remove the Allow setting for the Apply Group Policy
setting from the Security tab. To prevent a GPO from applying to a
specific user within a listed group, add the user to the list of
names and then select the Deny setting for the Apply Group Policy
setting.
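The three preceding sections (inheritance order, Block Inheritance and No Override, and filtering on the Apply Group Policy permission) describe one resolution procedure, which the following added example models end to end. It is written for this guide and is not Microsoft's Group Policy engine: the GPO and Container classes, the resolve_policy function, and the constructed "acme.com" containers, GPOs, settings and group names are all illustrative. It assumes the local GPO is processed first and is not affected by Block Inheritance set on AD containers.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict
    # Security filtering: principals with Allow on "Apply Group Policy" receive the
    # GPO; an explicit Deny on any of the principal's groups wins over every Allow.
    apply_allow: set = field(default_factory=lambda: {"Authenticated Users"})
    apply_deny: set = field(default_factory=set)

    def applies_to(self, groups):
        if groups & self.apply_deny:
            return False
        return bool(groups & self.apply_allow)


@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # [(GPO, no_override)] in administrator order
    block_inheritance: bool = False
    is_local: bool = False                      # local GPO: processed first, never blocked (assumption)


def resolve_policy(chain, groups):
    """chain: containers from Local, Site, Domain down to the innermost OU.
    Each GPO overwrites the settings of those processed before it. Block
    Inheritance on a container drops GPOs linked above it unless the link is
    marked No Override; No Override links are applied last, outermost winning."""
    normal, enforced = [], []
    for i, container in enumerate(chain):
        blocked_below = any(c.block_inheritance for c in chain[i + 1:])
        for gpo, no_override in container.links:
            if not gpo.applies_to(groups):
                continue                         # filtered out by the GPO's ACL
            if no_override:
                enforced.append(gpo)
            elif container.is_local or not blocked_below:
                normal.append(gpo)
    effective = {}
    for gpo in normal + enforced[::-1]:
        effective.update(gpo.settings)
    return effective


def demo():
    """Constructed LSDOU chain for a Sales OU that has Block Inheritance set."""
    local = Container("Local", [
        (GPO("LocalGPO", {"wallpaper": "local.bmp", "screensaver": "none"}), False),
    ], is_local=True)
    site = Container("HQ site", [(GPO("SitePolicy", {"wallpaper": "site.bmp"}), False)])
    domain = Container("acme.com", [
        (GPO("PasswordPolicy", {"min_pw_len": 8, "screensaver": "lock"}), True),  # No Override
    ])
    sales = Container("Sales OU", [
        (GPO("SalesDesktop", {"wallpaper": "sales.bmp", "screensaver": "off"},
             apply_deny={"Interns"}), False),
        (GPO("ContractorLockdown", {"cmd_disabled": True},
             apply_allow={"Contractors"}), False),
    ], block_inheritance=True)
    chain = [local, site, domain, sales]
    return {
        "employee": resolve_policy(chain, {"Authenticated Users", "Sales"}),
        "contractor": resolve_policy(chain, {"Authenticated Users", "Contractors"}),
        "intern": resolve_policy(chain, {"Authenticated Users", "Sales", "Interns"}),
    }


if __name__ == "__main__":
    for who, policy in demo().items():
        print(who, policy)
```

Note what the model makes visible: the site wallpaper never reaches the Sales OU because of Block Inheritance, yet the domain's password and screensaver settings still do because that link is No Override; the contractor-only GPO is filtered in by its Allow entry, and the intern loses the Sales desktop GPO through a single Deny on Apply Group Policy.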
Removing and Deleting GPOs
Deleting a GPO removes it from any sites, domains or OUs it was
linked to. When a GPO link is removed, it is no longer applied, but
still exists.
Managing and Troubleshooting User Environments by Using Group Policy
Group policies can be used to control the abilities of a user to
perform tasks or access portions of the operating system or network.
System Policies are a collection of user environment settings that
are enforced by the operating system and cannot be modified by the
user. User profiles refer to the environment settings that users can
change. Environment control takes place via Administrative
Templates. Administrative Templates control a system through editing
or overwriting portions of the Registry.
Using Incremental Security Templates
Settings can be stored locally or in AD. They are secure and can
only be changed by Administrators. Templates can be filtered using
Active Directory. Settings are imported/exported using .INF files.
Incremental Security Templates for Windows 2000
Compatibility (compatws.inf, compatsv.inf, compatdc.inf) - Sets up
permissions for the local Users group to ensure viability of legacy
programs.
Secure (securews.inf, securesv.inf, securedc.inf) - Increases
security settings for Account Policy and Auditing. Removes all
members from the Power Users group.
High Security (hisecws.inf, hisecsv.inf, hisecdc.inf) - For
workstations running in Windows 2000 native mode only. Requires all
communications to be digitally signed and encrypted. Cannot
communicate with downlevel Windows clients. Changes ACLs to give
Power Users the ability to create shares and change system time.
Assigning Script Policies to Users and Computers
Startup/shutdown scripts are assigned to computers. Logon/logoff
scripts are assigned to users and run when a user logs on or off the
system. When a system is shut down, Windows 2000 processes the
logoff scripts then the shutdown scripts. Multiple scripts can be
assigned to the same user or computer and Windows processes them
using top-down logic.
Managing and Troubleshooting Software by Using Group Policy
Deploying Software by Using Group Policy
Group Policy integrates software installation into Windows 2000 in a
feature known as Software Installation and Maintenance. Administrators
can automate the process of installing, upgrading, managing, and
removing software from systems on the network.
Windows Installer packages have a .MSI file extension.
Maintaining Software by Using Group Policy
Software packages are installed on a Windows 2000 Server in a shared
directory. A Group Policy Object is created. Behavior filters are
set in the GPO to determine who gets the software. The package is
added to the GPO under User Configuration, Software Settings,
Software Installation. Choose the publishing method, then choose OK.
AD can either uninstall the old application first or upgrade over
top of it. When publishing upgrades, they can be optional or
mandatory for users but are mandatory when assigned to computers.
When applications are no longer supported, they can be removed from
software installation without having to be removed from the systems
of users who are using them. They can continue using the software
until they remove it themselves, but no one else will be able to
install the software through the Start menu, Add/Remove Programs, or
by invocation. Applications that are no longer used can have their
removal forced by an administrator. Software assigned to the user is
automatically removed the next time that user logs on. When software
is assigned to a computer, it is automatically removed at start up.
Users cannot re-install the software.
Selecting the “Uninstall this application when it falls out of the
scope of management” option forces the removal of the software
when a GPO no longer applies.
Configuring Deployment Options
You can assign or publish software packages. Software that is
published can be installed from the Control Panel, Add/Remove
programs. Assigned software is installed the next time the user logs
on regardless of whether or not they run it.
When software is assigned to a user, the new program is advertised
when a user logs on, but is not installed until the user starts the
application. Software assigned to a computer is installed
automatically. A local administrator can only remove software when
it is assigned to a computer. Users can repair software assigned to
computers, but not remove it.
Published applications are not advertised. Applications can only be
published to users, not computers. They are only installed through
Add/Remove Programs or through invocation. Published applications do
not self-repair or re-install if deleted.
With invocation, when a user launches an unknown file type, the
client computer queries Active Directory to see what is associated
with the file extension. If an application is registered, AD checks
to see if it has been published to the user. If it has, it checks
for the auto-install permission. If all conditions are met, the
application is installed.
Non-MSI programs are published as .ZAP files. .ZAP files can only be
published, not assigned.
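The assign/publish rules and the invocation check described above, written out as a small rule set. This is an added example for this guide, not Windows or Group Policy code: the Deployment type, resolve_invocation and the sample associations are this example's own, and nothing here talks to a real directory.

```python
"""Rules for Group Policy Software Installation deployment and invocation.

Added example for this guide; not Windows or Group Policy code. It encodes
the assign/publish rules stated in the text and the invocation check
(file association -> published to user -> auto-install permission). Names
such as Deployment and resolve_invocation are this example's own.
"""
from dataclasses import dataclass

MSI, ZAP = "msi", "zap"                 # package types
USER, COMPUTER = "user", "computer"     # deployment targets
ASSIGN, PUBLISH = "assign", "publish"   # deployment methods


@dataclass(frozen=True)
class Deployment:
    package: str   # MSI or ZAP
    target: str    # USER or COMPUTER
    method: str    # ASSIGN or PUBLISH


def deployment_problems(d):
    """Return the rule violations for a deployment (empty list = allowed)."""
    problems = []
    if d.package == ZAP and d.method == ASSIGN:
        problems.append(".ZAP packages can only be published, not assigned")
    if d.method == PUBLISH and d.target == COMPUTER:
        problems.append("applications can only be published to users, not computers")
    return problems


def install_trigger(d):
    """When the package actually lands on the client, per the rules above."""
    problems = deployment_problems(d)
    if problems:
        raise ValueError("; ".join(problems))
    if d.method == ASSIGN and d.target == COMPUTER:
        return "installed automatically at computer startup"
    if d.method == ASSIGN and d.target == USER:
        return "advertised at logon; installed when the user first starts it"
    return "installed from Add/Remove Programs or by invocation"


def resolve_invocation(extension, associations, published_to_user, auto_install):
    """Walk the invocation check for an unknown file type.

    associations     : {".ext": application} as the AD lookup would return it
    published_to_user: set of applications published to this user
    auto_install     : set of applications carrying the auto-install permission
    Returns (application or None, reason). All three inputs are constructed
    by the caller; nothing here queries a real directory.
    """
    app = associations.get(extension.lower())
    if app is None:
        return None, "no application registered for %s in AD" % extension
    if app not in published_to_user:
        return None, "%s is registered but not published to this user" % app
    if app not in auto_install:
        return None, "%s lacks the auto-install permission" % app
    return app, "all conditions met; installing %s" % app


if __name__ == "__main__":
    # Constructed sample data for a quick run
    assoc = {".xyz": "Acme Viewer", ".abc": "Acme Editor"}
    published = {"Acme Viewer"}
    auto = {"Acme Viewer"}
    print(resolve_invocation(".XYZ", assoc, published, auto))
    print(resolve_invocation(".abc", assoc, published, auto))
    print(install_trigger(Deployment(MSI, COMPUTER, ASSIGN)))
```

The reason string returned by resolve_invocation is the useful part when a user reports that double-clicking a file did nothing: it tells you which of the three conditions failed.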
Managing Network Configuration by Using Group Policy
Used with roaming profiles to redirect folders to a central server
to prevent files from being copied back and forth from the server to
the workstation every time the user logs on and off.
Data that is centrally stored on a network server can be backed
up regularly and does not require action on the part of the user.
Use Group Policy to set disk quotas, limiting the amount of space
used by special folders.
Deploying Windows 2000 Using Remote Installation Services
Deploying Windows 2000 Using Remote Installation Services (RIS)
Remote Installation Services allows you to support the installation
of Windows 2000 Professional (only) onto network clients that
don’t have an operating system installed. A destination client can
be a system with only a DHCP Preboot Execution Environment-based (PXE-based)
remote boot ROM NIC, or a RIS boot disk. RIS can initiate a typical
network share type of installation or use a system image transfer
type of installation. A RIS Server requires DHCP Server Service,
Active Directory, DNS Server Service and at least 2 GB of disk
space. Hard disk must have at least two partitions, one for the
Operating System and one for the images. The image partition must be
formatted with NTFS. RIS packages cannot be installed on either the
system or boot partitions.
Setting Up a RIS Server
Setup Wizard creates the folder structure, copies needed source
files to the server, creates the initial CD-based Windows 2000
Professional image in its designated folder along with the default
answer file (Ristandard.sif), and starts the RIS services on the
server. To authorize the server, open Administrative Tools, DHCP.
Right-click DHCP in the console tree and choose Manage authorized
servers. Click Authorize and enter name or IP of the RIS server.
Assign users/groups that will be performing RIS installations
permissions to Create Computer Objects in Active Directory. The
Client Computer Naming Format is defined through Active Directory
Users And Computers. Right-click the RIS Server and click
Properties, Remote Install, Advanced Settings, New Clients. Choose a
pre-defined format or create a custom one. Associate an answer file
(.SIF) with your image.
Install Remote Installation Services using Control Panel |
Add/Remove Programs | Windows Components. Start the RIS Setup Wizard
by running Risetup. Specify the Remote Installation Folder Location.
For Initial Settings, choose Do not respond to any client requests.
Specify the location of the Windows 2000 Professional source files
for building the initial CD-based image. Designate a folder inside
the RIS folder where the CD image will be stored. Provide a text
name for the CD-based image.
Creating A RIPrep Image
Install Windows 2000 Professional on a source computer. Configure
all components and settings for the desired client configuration.
Install and configure applications. Copy the configuration to the
Default User profile. To launch the RIPrep Wizard, click Start, Run
and enter: \\RISServerName\reminst\admin\i386\riprep.exe.
Provide the name of the RIS Server where the image will be stored.
Installing an Image on a RIS client
Custom RIS images can be built using the RIPrep tool. It creates an
installation image from a preinstalled and configured system. You
can use Remote Installation Services (RIS) for Windows 2000 to
install a local copy of the OS throughout the organization from
remote locations. Using existing network technologies, after
booting, personal computers contact a Dynamic Host Configuration
Protocol (DHCP) server for an Internet Protocol (IP) address, and
then contact a boot server to install the OS. Using RIS, you can
send personal computers directly to an end user or staging area and
install an automated, customized version of Windows 2000. The client
initiates the protocol by broadcasting a DHCP Discover packet
containing an extension that identifies the request as coming from a
client that implements the PXE protocol. The boot server sends an
offer containing the IP address of the server that will service the
client. The client uses TFTP to download the executable file from
the boot server. The client then initiates execution of the
downloaded image.
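The first step of the exchange above, the DHCP Discover with the PXE extension, built and recognised in code. This is an added example, not RIS or PXE reference code: the packet layout is the standard BOOTP/DHCP one (236-byte fixed header, magic cookie, TLV options), the extension the text refers to is option 60 (vendor class identifier) carrying "PXEClient", and the MAC address and transaction id used are constructed sample values.

```python
"""Build and recognise the DHCP Discover a PXE client broadcasts.

Added example, not RIS or PXE reference code. The packet layout is the
standard BOOTP/DHCP one; the PXE extension is option 60, the vendor class
identifier, carrying the string "PXEClient". The MAC address and
transaction id below are constructed sample values.
"""
import struct

DHCP_MAGIC = b"\x63\x82\x53\x63"
OPT_PAD, OPT_MSG_TYPE, OPT_VENDOR_CLASS, OPT_END = 0, 53, 60, 255
DHCPDISCOVER = 1
PXE_VENDOR_CLASS = b"PXEClient:Arch:00000:UNDI:002001"   # typical x86 PXE vendor class


def build_discover(mac, xid=0x1234ABCD, vendor_class=None):
    """Return a raw DHCPDISCOVER; pass vendor_class=PXE_VENDOR_CLASS for a PXE client."""
    if len(mac) != 6:
        raise ValueError("MAC address must be 6 bytes")
    header = struct.pack(
        "!BBBBIHH4s4s4s4s16s64s128s",
        1, 1, 6, 0,                   # op=BOOTREQUEST, htype=Ethernet, hlen=6, hops=0
        xid, 0, 0x8000,               # transaction id, secs, flags (broadcast bit set)
        b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,     # ciaddr yiaddr siaddr giaddr
        mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128,  # chaddr, sname, file
    )
    options = bytes([OPT_MSG_TYPE, 1, DHCPDISCOVER])
    if vendor_class:
        options += bytes([OPT_VENDOR_CLASS, len(vendor_class)]) + vendor_class
    options += bytes([OPT_END])
    return header + DHCP_MAGIC + options


def parse_options(packet):
    """Decode the TLV option area into {code: value}; raises on a malformed packet."""
    if len(packet) < 240 or packet[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet (missing magic cookie)")
    opts, i = {}, 240
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(packet):
            raise ValueError("truncated option header")
        length = packet[i + 1]
        value = packet[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("truncated option %d" % code)
        opts[code] = value
        i += 2 + length
    return opts


def is_pxe_discover(packet):
    """True when the packet is a DHCPDISCOVER carrying the PXEClient vendor class."""
    opts = parse_options(packet)
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPDISCOVER]):
        return False
    return opts.get(OPT_VENDOR_CLASS, b"").startswith(b"PXEClient")


def client_mac(packet):
    """Hardware address of the requesting client, as colon-separated hex."""
    hlen = packet[2]
    return ":".join("%02x" % b for b in packet[28:28 + hlen])


if __name__ == "__main__":
    sample_mac = bytes.fromhex("001122334455")        # constructed
    pkt = build_discover(sample_mac, vendor_class=PXE_VENDOR_CLASS)
    print(client_mac(pkt), "PXE:", is_pxe_discover(pkt))
```

A client that sends this Discover will take a boot offer from whichever server answers it, which is why the RIS server must be authorized in DHCP before it responds. On segments where RIS is in use, is_pxe_discover applied to captured DHCP traffic shows which hosts are asking to boot from the network, and offers coming from anything other than the authorized DHCP/RIS servers are worth an alert.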
Creating A RIS Boot Disk
If the destination desktop does not have PXE-based remote-boot ROM
on its NIC, you must create a boot disk to initiate the remote
installation. The boot disk creates a PXE emulator that works on
supported PCI network adapters that allow them to connect to the RIS
server.
Since one disk works for all network adapters, a specific network
boot disk is no longer required. The supported network adapters are
listed in the utility that creates the boot disk.
This utility is named Rbfg.exe and can be found in the network
folder: \reminst\admin\i386.
Configuring Remote Installation Options
Once installed, the RIS server can be reconfigured via the RIS
host’s Properties dialog box in the Active Directory Users And
Computers tool. RIS can be configured to respond to client requests,
to respond only to known clients, to verify that the server is
properly configured, and to show the current RIS clients.
Managing Images for Performing Remote Installations
You can customize existing CD-based installs by modifying the
associated answer file (*.SIF). For RIPrep images, the files are
stored as individual source files. If modifications need to be made
to the RIPrep image, apply the existing image to a client, make any
required changes, and rerun the RIPrep wizard from the RIS server
Admin folder to upload the new, updated image to the RIS server. You
can still modify the *.SIF file associated with a RIPrep-based
install, but you’ll only be able to modify options that can be
configured via the answer file. The RIPrep answer file, named
RISETUP.SIF by default, will be located under the I386\Templates
subfolder of the folder created for the RIPrep image.
Managing, Monitoring, and Optimizing the Components of Active Directory
Managing Active Directory Objects
Moving Active Directory Objects within a Domain
Objects can be moved within a domain using the AD Users And
Computers console.
Permissions that have been assigned directly to an object will not
change when it is moved.
Objects without permissions inherit the permissions of the parent
container they are moved to.
Moving Active Directory Objects between Domains
An OU can be moved from one domain to another without damaging any
of its GPOs. The GPO link is automatically updated. Use the Movetree
command-line utility to move objects between domains. Use the Netdom
command-line utility to move workstations or member servers between
domains. When objects are moved their GUID remains unchanged but
they receive a new SID. User objects that contain any other objects
cannot be moved.
Resource Publishing in Active Directory
Publishing a resource refers to the process of creating an object in
the directory that either contains the information you want to make
available or that provides a reference to the object. General
information is automatically published for all network users while
account security information is only available to select
administrator groups. Printers must be installed before they are
added to AD. Use Administrative Tools, AD Users And Computers,
domain node to find the container you want to add the printer to.
Right-click the container and choose New, Printer. When the New
Object-Printer dialog appears, type the UNC name of the printer in
the Network Path box then click OK. Shared folders are published
using Administrative Tools, AD Users And Computers, domain node.
Right-click the container you want to add the shared folder to and
choose New, Shared Folder. Enter the name of the folder in the Name
box and the UNC name that you want to publish in AD in the Network
Path box.
Locating Objects in Active Directory
Computer - Information on a computer that belongs to the domain.
Contact - A person connected to the organization. Includes phone
number, email, address, home page, etc.
Domain Controllers - Information on domain controllers including
their DNS name, NetBIOS name, OS version, location, manager, etc.
Group - Collections of users, groups, or computers used to simplify
administration.
OU (Organizational Unit) - Container used to organize AD objects
including other OUs.
Printer - Pointer to a printer. Windows 2000 automatically adds
printers created on domain computers to AD.
Shared Folder - Pointer to a shared folder on a computer.
Using the Find Tool
Administrators can search AD via an LDAP query against the global
catalog. To find objects in AD use Administrative Tools | AD Users
And Computers. Right-click a domain or container in the console tree
and select Find. Users can access directory objects via the search
command from the Start menu, through My Network Places, or via the
Find command from the AD Users And Computers snap-in. Users can
search for computers, shared folders, printers, and users.
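The LDAP query behind a Find, built in code with the object classes that correspond to the object types listed above. This is an added example, not the Find tool's or any library's code: the classes are the Active Directory ones (user, computer, printQueue for a published printer, volume for a published shared folder, group, organizationalUnit, contact), the escaping follows RFC 4515, and the function names and sample inputs are this example's own. The point it adds to the text is that a name typed into a search box must be escaped before it goes into the filter, otherwise it can change the query's structure.

```python
"""Build escaped LDAP filters for the object types the Find tool searches.

Added example, not the Find tool's or any library's code. Object classes
are the Active Directory ones for the listed types; escaping follows
RFC 4515 so that user-typed text cannot alter the filter's structure.
"""

# How the text's object types map onto AD filter clauses. A plain
# objectClass=user would also match computers (computer derives from
# user), so the user clause also requires objectCategory=person.
OBJECT_CLAUSES = {
    "user": "(objectCategory=person)(objectClass=user)",
    "computer": "(objectClass=computer)",
    "printer": "(objectClass=printQueue)",
    "shared folder": "(objectClass=volume)",
    "group": "(objectClass=group)",
    "ou": "(objectClass=organizationalUnit)",
    "contact": "(objectClass=contact)",
}

# Characters with meaning inside a filter, and their RFC 4515 escapes
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\0": r"\00"}


def escape_filter_value(value):
    """Escape a value so it is matched literally rather than parsed as filter syntax."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def find_filter(kind, attribute, text, prefix_match=False):
    """Filter for objects of `kind` whose `attribute` equals (or starts with) `text`."""
    clauses = OBJECT_CLAUSES[kind]
    value = escape_filter_value(text)
    if prefix_match:
        value += "*"          # the only wildcard is the one this code adds itself
    return "(&%s(%s=%s))" % (clauses, attribute, value)


if __name__ == "__main__":
    # Constructed inputs: a normal search and one containing filter syntax
    print(find_filter("printer", "printerName", "Lab"))
    print(find_filter("user", "sAMAccountName", "jsm", prefix_match=True))
    print(find_filter("shared folder", "cn", "*)(objectClass=*"))
```

The third call shows the effect of the escaping: the typed text stays a single literal value instead of becoming extra filter terms. The same filters are what you would send to a global catalog server (TCP port 3268) for a forest-wide search.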
Creating and Managing Accounts Manually or by Scripting
Account
Local accounts - Created in the local computer’s Security Accounts
Manager (SAM) database. Local accounts are not recognized by Active
Directory. Added through Administrative Tools, Local Users and
Groups.
Domain user accounts - Used by users to logon to the domain to gain
access to network resources. Receive an access token from AD at
logon that is checked against ACLs when accessing objects. Added
through Administrative Tools, AD Users And Computers.
Built-in user accounts: Administrator and Guest.
Local user profile - Created on a computer the first time a user logs
on. Stored on the local hard drive.
Roaming user profile - Created by the system administrator. Stored on
a server. Available from any computer on the network. Changes are
saved to the profile on the remote server.
Mandatory user profile - Created by the system administrator. Only
administrators can change mandatory profiles.
Accounts should only be deleted when they will no longer be needed.
Renaming an account retains all rights, permissions, and group
memberships and assigns them to a different user.
Disable accounts when they are not going to be needed for an
extended period but may be needed again.
Creating and Managing Groups
Security groups are used to assign permissions for accessing objects
in AD. Distribution groups are used for non-security related
functions, and can only be accessed by AD-aware programs such as
Exchange Server 2000. Accounts go into global groups, which then go
into local groups that are assigned permissions to a resource.
Global groups can only contain members from the domain in which the
group was created. Use global groups to assign permissions for
gaining access to resources located in any domain in the tree or
forest. They contain other global groups when running in native
mode. Domain Local groups can contain members from any domain. They
only access resources in the domain where the group was created.
They contain global groups, and should not be used to assign
permissions to AD objects. Universal groups can include members from
any domain. They contain other global and universal groups.
Putting users in universal groups affects logon performance.
Universal groups are not available in mixed-mode. Objects with
identical security requirements should be placed into OUs. All
objects inside the OU will inherit the same permissions.
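The group scope rules above, turned into a check that can be run over a list of proposed or existing memberships. This is an added example, not Microsoft code: it encodes what the text states for global, domain local and universal groups in mixed and native mode, and adds one well-known rule the text does not state (a domain local group may nest other domain local groups from its own domain, and only in native mode). Principal, membership_problem and the sample groups are this example's own.

```python
"""Check group nesting against the Windows 2000 scope rules.

Added example, not Microsoft code. Encodes the rules stated in the guide
for global, domain local and universal groups; the one added rule is that
domain local groups nest other domain local groups from their own domain
only in native mode. Names and sample data are this example's own.
"""
from dataclasses import dataclass

USER, COMPUTER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = (
    "user", "computer", "global", "domain local", "universal")


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str      # one of the constants above
    domain: str    # DNS name of the domain the object lives in


def membership_problem(group, member, native_mode):
    """Return why `member` may not be placed in `group`, or None if it may."""
    if group.kind not in (GLOBAL, DOMAIN_LOCAL, UNIVERSAL):
        return "%s is not a group" % group.name
    if UNIVERSAL in (group.kind, member.kind) and not native_mode:
        return "universal groups are not available in mixed mode"
    if group.kind == GLOBAL:
        if member.domain != group.domain:
            return "global groups only contain members from their own domain"
        if member.kind == GLOBAL and not native_mode:
            return "global groups nest other global groups only in native mode"
        if member.kind in (DOMAIN_LOCAL, UNIVERSAL):
            return "global groups cannot contain %s groups" % member.kind
    elif group.kind == DOMAIN_LOCAL:
        # Members may come from any domain; the only restriction is on
        # nesting other domain local groups (added rule, see lead-in).
        if member.kind == DOMAIN_LOCAL:
            if not native_mode:
                return "domain local groups nest domain local groups only in native mode"
            if member.domain != group.domain:
                return "domain local groups nest only domain local groups from their own domain"
    elif group.kind == UNIVERSAL:
        if member.kind == DOMAIN_LOCAL:
            return "universal groups cannot contain domain local groups"
    return None


def audit_memberships(memberships, native_mode):
    """memberships: iterable of (group, member). Returns [(group, member, reason)] for violations."""
    findings = []
    for group, member in memberships:
        reason = membership_problem(group, member, native_mode)
        if reason:
            findings.append((group.name, member.name, reason))
    return findings


if __name__ == "__main__":
    # Constructed sample: a parent domain and one child domain
    sales = Principal("Sales", GLOBAL, "acme.com")
    bob = Principal("bob", USER, "support.acme.com")
    printers = Principal("SalesPrinters", DOMAIN_LOCAL, "acme.com")
    for finding in audit_memberships([(sales, bob), (printers, sales)], native_mode=False):
        print(finding)
```

Run over an export of group memberships, audit_memberships flags exactly the combinations the directory would refuse (or that stop working after a mixed-to-native switch is reverted), which is the usual cause of "the user is in the group but still cannot reach the resource".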
Controlling Access to Active Directory Objects
The Access Control List (ACL) is a list of user access permissions
for every AD object.
Permissions can be used to assign administrative privileges to
users, groups, OUs, or any other object without giving control over
other AD objects. Permissions are cumulative, except for Deny. A
user with read access to an object in one group and write access to
the same object in another group would have a cumulative access of
read and write. The exception to this is deny, which overrides all
other permissions.
Standard permissions include:
Read - Can view objects and their attributes, the owner of the
object and AD permissions.
Write - Modify attributes of object.
Full Control - Change all permissions and take ownership.
Create All Child Objects - Can add any type of child object to an OU.
Delete All Child Objects - Can delete any type of object from an OU.
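The cumulative-with-Deny rule above, computed for a user against a constructed ACL. This is an added example, not Windows code: it uses the standard permissions just listed, unions every Allow entry that applies to the user or to one of the user's groups, then removes anything a Deny entry withholds; Full Control is expanded to the other standard permissions, as it is in Windows. Ace, effective_permissions and the sample ACL are this example's own.

```python
"""Effective permissions: cumulative Allow entries, with Deny overriding.

Added example, not Windows code. Uses the standard permissions listed in
the guide and its rule that Deny wins over every Allow. Full Control is
expanded to the other standard permissions. The ACL and principals in the
main block are constructed.
"""
from dataclasses import dataclass

READ, WRITE, FULL = "Read", "Write", "Full Control"
CREATE_CHILD, DELETE_CHILD = "Create All Child Objects", "Delete All Child Objects"
STANDARD = frozenset({READ, WRITE, FULL, CREATE_CHILD, DELETE_CHILD})


@dataclass(frozen=True)
class Ace:
    trustee: str         # user or group the entry applies to
    access: str          # "allow" or "deny"
    perms: frozenset     # subset of STANDARD


def expand(perms):
    """Full Control implies every other standard permission."""
    return STANDARD if FULL in perms else frozenset(perms)


def effective_permissions(acl, user, groups):
    """Union the Allow ACEs for `user` or any of `groups`, then drop anything denied."""
    principals = {user, *groups}
    allowed, denied = set(), set()
    for ace in acl:
        if ace.trustee not in principals:
            continue
        if ace.access == "allow":
            allowed |= expand(ace.perms)
        elif ace.access == "deny":
            denied |= expand(ace.perms)
        else:
            raise ValueError("unknown access type %r" % ace.access)
    return frozenset(allowed - denied)


def explain(acl, user, groups):
    """Map each permission to the ACEs that granted or denied it, for troubleshooting."""
    principals = {user, *groups}
    report = {}
    for ace in acl:
        if ace.trustee in principals:
            for perm in expand(ace.perms):
                report.setdefault(perm, []).append("%s via %s" % (ace.access, ace.trustee))
    return report


if __name__ == "__main__":
    # Constructed ACL on one AD object
    acl = [
        Ace("Sales", "allow", frozenset({READ})),
        Ace("Editors", "allow", frozenset({WRITE})),
        Ace("Contractors", "deny", frozenset({WRITE})),
    ]
    print(sorted(effective_permissions(acl, "alice", ["Sales", "Editors"])))
    print(sorted(effective_permissions(acl, "bob", ["Sales", "Editors", "Contractors"])))
    print(explain(acl, "bob", ["Sales", "Editors", "Contractors"]))
```

This is the rule as the guide states it and as the exam expects it. One caveat for real troubleshooting: Windows orders ACEs so that entries set directly on an object come before inherited ones, so an explicit Allow on the object itself is evaluated before a Deny inherited from the parent; the "Deny overrides all" rule holds when both entries are at the same level.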
Delegating Administrative Control of Objects in Active Directory
Permissions flow from the parent container to the child container
unless inheritance has been prevented. Delegations should be
accomplished using the Delegation of Control Wizard.
Options include:
AD Object Type - Selects the scope for tasks being delegated: This
folder, Existing Objects In This Folder, and Creation of Objects In
This Folder, or Only The Following Objects In This Folder.
Permissions - General is the most common. Property Specific includes
permissions that can be assigned to the attributes of the object.
Creation/Deletion of Specific Child Objects is the ability to create
and delete child objects.
Tasks to Delegate - Select tasks from a list or create custom tasks
you want to delegate.
Users or Groups - Select the users/groups you want to delegate
control to.
Managing Active Directory performance
Domain Controller Performance
Performance Console:
Cache - File system cache used to buffer physical device data.
diskperf - Command for activating disk counters. Is not supported in
Windows 2000.
Logical disk - Disk Queue Length If averaging more than 2, drive
access is a bottleneck.
Logicaldisk - Logical drives, stripe sets and spanned volumes.
Memory - Physical and virtual/paged memory on system.
Memory - Committed bytes Should be less than amount of RAM in
computer.
Memory - Pages/sec Add more RAM if more than 20 pages per second.
Physical disk - % Disk Time If above 90%, move data/pagefile to
another drive or upgrade drive.
Physical disk - Disk Queue Length If averaging more than 2, drive
access is a bottleneck.
Physicaldisk - Monitors hard disk as a whole.
Processor - Monitors CPU load.
Processor - % CPU DPC Time Measures software interrupts.
Processor - % CPU Interrupts/Sec Measures hardware interrupts.
Processor - % Processor Time Measures time CPU spends executing a
non-idle thread.
Processor - Processor Queue Length More than 2 threads in queue
indicates CPU is a bottleneck for system performance.
Performance Alerts and Logs
By default, log files are stored in the \Perflogs folder in the
system’s boot partition.
Log types include Alert logs, Counter logs, and Trace logs. Alert
logs log an event, send a message or run a program when a
user-defined threshold has been exceeded. Counter logs record data
from local/remote systems on hardware usage and system service
activity. Trace logs are event driven and record monitored data such
as disk I/O or page faults.
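The counter thresholds listed above, applied to a set of samples the way a counter log would be reviewed afterwards. This is an added example, not Microsoft code: the counter names and thresholds are the ones the guide gives, "averaging more than 2" is taken literally by averaging each counter over its samples first, and the samples and function names are constructed for this example.

```python
"""Evaluate Performance Console samples against the guide's thresholds.

Added example, not Microsoft code. Counter names and thresholds are the
ones listed in the guide; queue lengths are averaged over the samples
before comparison. The sample values are constructed.
"""
from statistics import mean

# (counter as named in the guide, test on the averaged value, advice)
CHECKS = [
    ("Logical disk - Disk Queue Length", lambda v, ram: v > 2,
     "drive access is a bottleneck"),
    ("Physical disk - Disk Queue Length", lambda v, ram: v > 2,
     "drive access is a bottleneck"),
    ("Physical disk - % Disk Time", lambda v, ram: v > 90,
     "move data/pagefile to another drive or upgrade the drive"),
    ("Memory - Pages/sec", lambda v, ram: v > 20,
     "add more RAM"),
    ("Memory - Committed bytes", lambda v, ram: v >= ram,
     "committed bytes should stay below the amount of RAM"),
    ("Processor - Processor Queue Length", lambda v, ram: v > 2,
     "CPU is a bottleneck"),
]


def check_counters(samples, ram_bytes):
    """samples: {counter name: [values over time]}. Returns [(counter, average, advice)]."""
    findings = []
    for name, exceeded, advice in CHECKS:
        values = samples.get(name)
        if not values:
            continue                      # counter not collected in this log
        average = mean(values)
        if exceeded(average, ram_bytes):
            findings.append((name, round(average, 2), advice))
    return findings


if __name__ == "__main__":
    # Constructed log: ten-minute window on a domain controller with 512 MB RAM
    sample_log = {
        "Memory - Pages/sec": [25, 30, 28],
        "Logical disk - Disk Queue Length": [1, 1, 4],
        "Processor - Processor Queue Length": [3, 4, 5],
        "Memory - Committed bytes": [400_000_000, 410_000_000],
    }
    for finding in check_counters(sample_log, ram_bytes=512 * 1024 * 1024):
        print(finding)
```

Feeding this the data from a Counter log rather than watching live graphs is the point: a queue length that spikes once is noise, one that averages above 2 across the log is the bottleneck the guide describes.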
Troubleshooting Active Directory Components
Cannot add/remove domain - Domain Naming Master is not available.
Network problem or failure of computer holding the master role.
Seize the role to another system.
Cannot create objects in AD - Relative ID master is not available
due to failure of the computer holding master role or a network
problem. If the network problem or the computer holding the master
role cannot be repaired, seize the role to another system.
Cannot modify the schema - Schema master is not available due to
failure of computer holding master role or network problem. If
problem cannot be resolved, seize the role to another computer.
Clients cannot access resources in a different domain - Trusts may
have failed between domains. Reset and verify trusts.
Clients without AD client software cannot logon - PDC emulator not
available possibly caused by network problem or failure of system
holding master role. If problem cannot be resolved, seize the role
to another system.
Clients have trouble with password changes - PDC emulator not
available possibly caused by network problem or failure of system
holding master role. If problem cannot be resolved, seize the role
to another system.
Managing and Troubleshooting Active Directory Replication
Managing Intersite Replication
Replication takes place for domain controllers between sites
(intersite replication) based upon a schedule, the amount of network
traffic, and costs. The
replication schedule, defined by site link and connection objects,
is used to define the time that replication is allowed to occur. The
replication interval is used to define how often replication should
occur during a “window of opportunity” based on the schedule.
Bridgehead servers are computers with additional hardware or network
capacity that are specified as preferred recipients for intersite
replication. The bridgehead server subsequently replicates its AD
information to its replication partners. Using bridgehead servers
improves replication performance between sites. When using a
firewall proxy server, you must establish it as a bridgehead server
and allow it to replicate AD information to other domain controllers
outside the firewall.
Managing Intrasite Replication
Replication takes place between domain controllers within a site (intrasite
replication) as needed without regard to cost or schedules. Domain
controllers in the same site replicate using notification. When one
domain controller has changes, it notifies its partners. The
partners then request the changes and the replication occurs.
Urgent replication triggers
Events replicated immediately in native-mode domains:
changing an LSA secret
newly locked-out account
RID manager state changes
Events replicated immediately in mixed-mode domains:
changes to account lockout policy
changes to domain password policy
changing an LSA secret
changing the password on a machine account
inter-domain trust password changes
newly locked-out account
RID manager state changes
Active Directory Security Solutions
Configuring and Troubleshooting Security in a Directory Services
Infrastructure
Applying Security Policies by Using Group Policy
You must have the Manage Auditing and Security Log user right on the
system where you need to implement an audit policy or review the
audit log.
Used to track success/failure of events like logon attempts,
accesses to a specific file, modifications to a user account, group
memberships, and security setting modifications. Audited events are
written to the Event Viewer.
Security Configuration and Analysis and Security Templates
The security database (mysecuresv.mdb) is compared to an incremental
template (hisecsv.inf) and the results displayed in the right pane.
The log of the analysis will be placed in %systemroot%\security\logs\mysecure.log.
Implementing an Audit Policy
Type secedit /refreshpolicy machine_policy at a command prompt to
start policy propagation. By default policy propagation takes place
every 8 hours.
Auditable Events:
Account logon events - A domain controller received a request to
validate a user account.
Account management - An administrator created, changed, or deleted a
user account or group. A user account was renamed, disabled, or
enabled, or a password was set or changed.
Directory service access - A user gained access to an
Active Directory object. *Configure specific Active Directory
objects for auditing to log this type of event.
Logon events - A user logged on or logged off, or a user made or
canceled a network connection to the computer.
Object access - A user gained access to a file, folder, or printer.
Directory service access is auditing a user’s access to specific
Active Directory objects. Object access is auditing a user’s
access to files, folders, and printers. *Configure specific files,
folders, or printers for auditing.
Policy change - A change was made to the user security options, user
rights, or audit policies.
Privilege use - A user exercised a right, such as changing the
system time.
Process tracking - A program performed an action.
System - A user restarted or shut down the computer, or an event
occurred that affects Windows 2000 security or the security log.
Monitoring and Analyzing Security Events
Logs are accessed through Administrative Tools, Event Viewer. Logs
include the Application log which contains errors, warnings, or
information generated by programs running under Windows, the System
log which contains errors, warnings, or information generated by
Windows 2000, and the Security log which contains information about
success/failure of audited events. The Event Viewer contains entries
of events related to the operation of the operating system and
various applications. A Windows 2000 domain controller has six logs
available. These include:
Application log - Contains events generated by application programs.
Contain errors, warnings, informational events, and events generated
by the Alert log.
Directory Service log - Contains events relating to the operation of
AD.
DNS Server log - Contains events relating to the operation of the DNS
server.
File Replication Service log - Contains errors and events that occur
when domain controllers are updating.
Security Log - Contains information on security events, such as
logon attempts and accessed resources.
System Log - Contains events generated by Windows 2000 components,
drivers, and services.