Chapter One: Introduction to Active Directory (and Other Things)
Figure 1-1: When a user logs into an Active Directory domain from a Windows client, he or she is granted access to certain shared network resources. All user authentication, permissions, and access are set up beforehand by policies configured by the network administrator.
Figure 1-2: An array of hard drives configured for RAID level 0 (called a striped volume in Windows Server 2003) has one huge advantage over the other RAID levels: raw speed. It achieves this by striping blocks of data across every member drive, so reads and writes are spread over all the spindles at once. The result is one big, fast volume. But along with the large advantage of speed comes an equally large disadvantage: zero redundancy. Because each drive holds only part of the data, the loss of a single drive destroys the whole set. For this reason, RAID 0 is not a recommended configuration unless raw speed is the only concern and the data is backed up elsewhere.
Figure 1-3: RAID level 1 (called a mirrored volume in Windows Server 2003) keeps one hard disk as a real-time, exact duplicate of another. Unlike RAID 0, RAID 1 excels at fault tolerance: if one drive dies, the other, an exact replica of the first, takes over. RAID 1 has two main drawbacks. First, it doubles the storage you have to buy. For example, if you need 900GB of usable space under RAID 1, you must purchase a further 900GB to act as the mirror, and in many organizations that cost is simply too great. The other drawback is performance. Every write goes to both drives, so a RAID 1 set writes no faster than a single drive (reads can be served from either disk and may be somewhat quicker), and it is nowhere near the throughput of RAID level 0.
Figure 1-4: RAID 0+1 is a nested level that combines the speed of RAID 0 with the redundancy of RAID 1: it takes a RAID 0 striped set and mirrors it onto a second striped set. The advantages are obvious: speed and redundancy. However, the cost disadvantage of RAID 1 applies in full. For example, if your RAID 0 set has three drives, you must purchase another three drives to mirror it. Windows Server 2003's own software RAID does not offer 0+1; it is a function of the disk controller.
Figure 1-5: A RAID level 3 set offers both speed and redundancy. As in RAID 0, data is striped across the data drives, so reads and writes are spread over several spindles. But where RAID 0 has no protection against a drive failure, RAID 3 stores redundancy information known as parity, the exclusive-OR of the data blocks in each stripe, on a single dedicated drive. From the parity and the surviving drives, the contents of any one failed drive can be recomputed. When a drive fails in a RAID 3 set, users connected to the server keep working (against a degraded, slower set) until the administrator replaces the defective unit; once it is replaced, the set is rebuilt automatically, on the fly. Note that single-parity RAID survives exactly one failure: a second drive lost before the rebuild completes takes the whole set with it.
Figure 1-6: RAID level 5 combines the advantages of RAID 0 and RAID 3 while being much more economical. Data is striped over the drives in the set, giving RAID 5 read performance close to RAID 0. But instead of dedicating one drive to parity as RAID 3 does, level 5 rotates the parity block from drive to drive, stripe by stripe, so no single drive becomes the parity bottleneck. Any one failed drive can be reconstructed from the remaining drives and their parity. And because only one drive's worth of capacity goes to parity, rather than the doubling RAID 1 requires, RAID 5 saves money. Windows Server 2003 can create a software RAID-5 volume on dynamic disks.
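The parity mechanism behind Figures 1-5 and 1-6 is easiest to see in code. The following Python simulation is an added example, not something from the book: it stripes a constructed payload over in-memory "drives" with a dedicated parity drive (RAID 3) or rotating parity (RAID 5), kills one drive, rebuilds it from the survivors by XOR, and reads the data back. The block size, drive count and payload are arbitrary choices for the demo.

```python
"""RAID 3 / RAID 5 parity reconstruction, worked as an added example.

Both levels survive one failed drive with XOR parity: for every stripe,
parity = D0 xor D1 xor ... xor D(n-2), so any single missing block (data or
parity) is the XOR of the others. RAID 3 keeps parity on one dedicated drive;
RAID 5 rotates the parity block across the drives stripe by stripe. The
"drives" below are in-memory lists of blocks constructed for the example.
"""
from functools import reduce
from typing import List, Optional

BLOCK = 4   # bytes per stripe unit, tiny so stripes stay readable


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-length blocks byte by byte."""
    return bytes(reduce(lambda a, b: a ^ b, column) for column in zip(*blocks))


def parity_drive(level: int, drives: int, stripe_no: int) -> int:
    """Index of the drive holding parity for a given stripe."""
    if level == 3:
        return drives - 1                       # dedicated parity drive
    return (drives - 1 - stripe_no) % drives    # RAID 5: rotates every stripe


def stripe(data: bytes, drives: int, level: int) -> List[List[bytes]]:
    """Spread data over `drives` member disks, adding one parity block per stripe."""
    if drives < 3 or level not in (3, 5):
        raise ValueError("need at least 3 drives and RAID level 3 or 5")
    per_stripe = (drives - 1) * BLOCK
    data += b"\x00" * (-len(data) % per_stripe)          # pad the final stripe
    disks: List[List[bytes]] = [[] for _ in range(drives)]
    for s in range(len(data) // per_stripe):
        chunk = data[s * per_stripe:(s + 1) * per_stripe]
        data_blocks = [chunk[i * BLOCK:(i + 1) * BLOCK] for i in range(drives - 1)]
        parity, p = xor_blocks(data_blocks), parity_drive(level, drives, s)
        pending = iter(data_blocks)
        for d in range(drives):
            disks[d].append(parity if d == p else next(pending))
    return disks


def fail_drive(disks: List[Optional[List[bytes]]], idx: int) -> List[Optional[List[bytes]]]:
    """Simulate a dead drive: all of its blocks become unreadable (None)."""
    return [None if d == idx or blocks is None else list(blocks)
            for d, blocks in enumerate(disks)]


def rebuild(disks: List[Optional[List[bytes]]]) -> List[List[bytes]]:
    """Recompute the single missing drive from the survivors, stripe by stripe."""
    missing = [i for i, d in enumerate(disks) if d is None]
    if len(missing) != 1:
        raise RuntimeError(f"{len(missing)} drives lost: single-parity RAID "
                           "can rebuild exactly one")
    survivors = [d for d in disks if d is not None]
    rebuilt = [xor_blocks([d[s] for d in survivors]) for s in range(len(survivors[0]))]
    return [rebuilt if i == missing[0] else d for i, d in enumerate(disks)]


def read_back(disks: List[List[bytes]], drives: int, level: int) -> bytes:
    """Reassemble user data in order, skipping each stripe's parity block."""
    out = bytearray()
    for s in range(len(disks[0])):
        p = parity_drive(level, drives, s)
        out += b"".join(disks[d][s] for d in range(drives) if d != p)
    return bytes(out).rstrip(b"\x00")   # strip padding (the demo payload has no trailing NULs)


def demo(level: int, drives: int = 4, lost: int = 1) -> bytes:
    """Stripe a payload, lose one drive, rebuild it, read the data back."""
    payload = b"constructed payload for a RAID parity demo"
    return read_back(rebuild(fail_drive(stripe(payload, drives, level), lost)), drives, level)
```

Losing the dedicated parity drive in RAID 3 is handled by the same XOR: the survivors are all data, so their XOR is simply the parity again. Losing two drives makes `rebuild` raise, which is the point the captions make about single-parity RAID.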
Figure 1-7: In this example, two client computers connect to a network switch using Fast Ethernet (100 Mbps). The Windows Server 2003 computer, in turn, connects to the switch via a gigabit Ethernet port, giving it ten times the bandwidth of any one client. The gigabit uplink reduces the chance that the server's link becomes saturated when many clients talk to it at once.
Chapter Three: Sharing Network Resources
Figure 3-1: The New Object - User dialog box. Use it to create new user accounts that can log into the Active Directory domain.
Figure 3-2: Share permissions and NTFS file permissions. The former control whether a user or group may reach a shared folder over the network at all; the latter dictate what the user or group can do with the files and folders once inside. When both apply, the effective permission is the more restrictive of the two. NTFS permissions also protect the data when it is reached locally or through a different share, so they are the ones to rely on: a common approach is to grant a broad share permission and do the real access control with NTFS.
Figure 3-4: The NTFS Read permission groups the List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, and Synchronize special permissions.
Figure 3-5: The NTFS Write permission groups the Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Read Permissions, and Synchronize special permissions. Note that Write alone does not include List Folder/Read Data, so a user with only Write can drop files into a folder without being able to read them back.
Figure 3-6: The List Folder Contents and Read & Execute NTFS permissions contain the same special permissions: Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, and Synchronize. The difference is in inheritance: List Folder Contents is set on folders and is inherited only by subfolders, whereas Read & Execute is inherited by both subfolders and files.
Figure 3-7: The Modify NTFS permission groups Traverse Folder/Execute File, List Folder/Read Data, Read Attributes, Read Extended Attributes, Read Permissions, Create Files/Write Data, Create Folders/Append Data, Write Attributes, Write Extended Attributes, Delete, and Synchronize; in other words, Read & Execute plus Write plus Delete.
Figure 3-8: The Full Control NTFS permission groups every special permission into one setting: Modify plus Delete Subfolders and Files, Change Permissions, and Take Ownership. Give a user Full Control over a file or folder and he or she can do just about anything with it, including rewriting its ACL to grant anyone else access, so grant it sparingly; Modify is enough for almost all day-to-day work.
Figure 3-9: The NTFS permissions assigned to our marketing shared folder.
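To make the permission groupings of Figures 3-4 to 3-8 and the share-versus-NTFS rule of Figure 3-2 concrete, here is an added Python model (not code from the book). It builds the basic permissions from the Win32 access-mask bits, expands nested group membership the way a logon token does, evaluates a canonical-order DACL (explicit Deny before Allow), and intersects the result with the share permission. The users, groups and ACLs for a "marketing" folder are constructed for the example.

```python
"""Effective NTFS and share permissions, worked as an added example.

Shows (a) how the ACL editor's basic permissions are unions of the Win32
access-mask bits listed in Figures 3-4 to 3-8, (b) how a DACL in canonical
order (explicit Deny ahead of Allow) yields a principal's effective rights once
nested group membership is expanded (A-G-DL-P), and (c) that access through a
share is the intersection of share and NTFS rights. The users, groups and ACLs
are constructed for the example.
"""
from typing import Dict, List, Set, Tuple

# special permissions: Win32 file access-mask bits
LIST_FOLDER_READ_DATA   = 0x000001
CREATE_FILES_WRITE_DATA = 0x000002
CREATE_FOLDERS_APPEND   = 0x000004
READ_EA                 = 0x000008
WRITE_EA                = 0x000010
TRAVERSE_EXECUTE        = 0x000020
DELETE_SUBFOLDERS_FILES = 0x000040
READ_ATTRIBUTES         = 0x000080
WRITE_ATTRIBUTES        = 0x000100
DELETE                  = 0x010000
READ_PERMISSIONS        = 0x020000   # READ_CONTROL
CHANGE_PERMISSIONS      = 0x040000   # WRITE_DAC
TAKE_OWNERSHIP          = 0x080000   # WRITE_OWNER
SYNCHRONIZE             = 0x100000

# basic permissions exactly as the captions group them
READ = LIST_FOLDER_READ_DATA | READ_ATTRIBUTES | READ_EA | READ_PERMISSIONS | SYNCHRONIZE
WRITE = (CREATE_FILES_WRITE_DATA | CREATE_FOLDERS_APPEND | WRITE_ATTRIBUTES | WRITE_EA
         | READ_PERMISSIONS | SYNCHRONIZE)
READ_EXECUTE = READ | TRAVERSE_EXECUTE
LIST_FOLDER_CONTENTS = READ_EXECUTE        # same bits; differs only in inheritance flags
MODIFY = READ_EXECUTE | WRITE | DELETE
FULL_CONTROL = MODIFY | DELETE_SUBFOLDERS_FILES | CHANGE_PERMISSIONS | TAKE_OWNERSHIP
# share permissions Read / Change / Full Control carry the same mask values
SHARE_READ, SHARE_CHANGE, SHARE_FULL = READ_EXECUTE, MODIFY, FULL_CONTROL

Ace = Tuple[str, str, int]                 # (trustee, "allow" | "deny", mask)
WELL_KNOWN = {"Everyone", "Authenticated Users"}   # implicit in every domain logon token


def expand_membership(principal: str, groups: Dict[str, Set[str]]) -> Set[str]:
    """The token's SIDs: the principal plus every group containing it, directly or by nesting."""
    token, frontier = {principal} | WELL_KNOWN, [principal]
    while frontier:
        member = frontier.pop()
        for group, members in groups.items():
            if member in members and group not in token:
                token.add(group)
                frontier.append(group)
    return token


def effective_rights(dacl: List[Ace], token: Set[str]) -> int:
    """Walk a canonical-order DACL: a bit denied before it is allowed stays denied."""
    allowed = denied = 0
    for trustee, kind, mask in dacl:
        if trustee not in token:
            continue
        if kind == "deny":
            denied |= mask & ~allowed
        else:
            allowed |= mask & ~denied
    return allowed


def describe(mask: int) -> str:
    """Name the highest basic permission fully contained in mask."""
    for name, basic in (("Full Control", FULL_CONTROL), ("Modify", MODIFY),
                        ("Read & Execute", READ_EXECUTE), ("Read", READ), ("Write", WRITE)):
        if mask & basic == basic:
            return name
    return "Special" if mask else "None"


# constructed directory: accounts -> global group -> domain local group -> permission
GROUPS = {
    "Marketing-GG": {"tknot", "jdoe"},
    "Marketing-DL": {"Marketing-GG"},
    "Interns": {"jdoe"},
    "Domain Users": {"tknot", "jdoe"},
}
# Deny only the four write bits: denying the whole WRITE group would also deny
# READ_PERMISSIONS and SYNCHRONIZE, which WRITE shares with READ.
WRITE_ONLY_BITS = CREATE_FILES_WRITE_DATA | CREATE_FOLDERS_APPEND | WRITE_ATTRIBUTES | WRITE_EA
MARKETING_NTFS: List[Ace] = [
    ("Interns", "deny", WRITE_ONLY_BITS),          # explicit deny first (canonical order)
    ("Marketing-DL", "allow", MODIFY),
    ("Domain Users", "allow", READ_EXECUTE),
]


def network_access(user: str, share_mask: int = SHARE_CHANGE) -> int:
    """Rights over the network: share rights AND NTFS rights (most restrictive wins)."""
    token = expand_membership(user, GROUPS)
    share_acl: List[Ace] = [("Everyone", "allow", share_mask)]
    return effective_rights(share_acl, token) & effective_rights(MARKETING_NTFS, token)
```

Two things worth noticing when you run it: tknot gets Modify through the nested Marketing-GG/Marketing-DL chain, but drop the share permission to Read and the same NTFS Modify collapses to Read & Execute over the network; and the intern's Deny removes the write bits yet leaves Delete in place, because Delete is not part of Write.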
Chapter Four: Clients and Client Management
Figure 4-1: A client/server relationship on the same subnet. Because the client and server share a subnet, they exchange packets directly, without a router. Notice that the client uses the server's IP address as its DNS server: domain clients must point at a DNS server hosting the Active Directory zone in order to locate domain controllers.
Figure 4-2: A client/server relationship on two different subnets. To exchange information, the client and server must go through a third party, a router, which forwards packets between the two networks.
Figure 4-3: The Windows 2000 Professional logon window, fully configured to log into our domain as the user tknot.
Figure 4-4: On a standard Windows 2000 or XP system, the folders that hold application and user data live on the computer's local hard drive. If that drive fails, or the user moves to a new or different computer, the data must be copied to the new machine, or it is lost.
Figure 4-5: With a Folder Redirection Group Policy object, data that would normally sit on the user's local hard drive is stored on a network server instead. This makes moving from one computer to another painless, safeguards the data against a local disk failure, and lets it be backed up centrally.
Figure 4-6: The dynamic creation of redirected folders. A: User Mac N. Tosh logs into the domain; a GPO redirects his My Documents folder to a network share. B: The NTFS and share permissions on the Redirected Data share allow Mr. Tosh Full Control over whatever folders and files he creates inside it. C: Once he is logged in, Mr. Tosh's My Documents folder is created automatically, with Full Control for him and Modify for his group.
Figure 4-6: Software Installation Group Policy Object.
A: Software installer packages (.msi files) are stored on a network share; in this case, on our domain controller for the guinea.pig domain. Through a GPO, these packages are advertised to the domain. B: The software becomes available to clients logging into the domain and is installed on them from the share, eliminating the need to carry installer CDs to each client. Because packages deployed this way are installed by the Windows Installer service with SYSTEM privileges, the distribution share must be writable only by administrators: anyone who can replace a package there can run code on every client that installs it.
Figure 4-7: Published vs. Assigned Software Installer GPO.
A: Software that is published in Active Directory appears in the Add/Remove Programs control panel under Add New Programs, and the user installs it by clicking the Add button. In this example the package is the Word 2000 file viewer. B: Software that is assigned takes a more active role: when the user logs into the client, a shortcut for the Word 2000 viewer is placed on the Start Menu, and the instant she launches it (or double-clicks a Word file) the software is installed on her computer.
Figure 4-7: A ZAP installation GPO
A: A GPO containing the ZAP software-installation settings is linked to the root of the guinea.pig domain. B: The GPO propagates to every user in the domain, so all users see the ZAP installer in their Add/Remove Programs control panels. A ZAP package, however, can only be published, never assigned, and its setup program runs with the logged-on user's own rights rather than with the elevated privileges Windows Installer gives to .msi packages. An installer that writes to Program Files or the machine registry therefore succeeds only for a user with administrative rights.
Figure 4-8: GPO Conflict Resolution
A: GPO 1 is linked to the guinea.pig domain with two rules, A and B, set to True and False respectively. B: The East Wing OU is a child of the guinea.pig domain, so it inherits GPO 1's settings.
C: GPO 2 is linked to the North Wing OU with rule B set to True, conflicting with GPO 1's rule B. The North Wing and its children still inherit GPO 1, but GPOs are processed from the top of the hierarchy down (local, site, domain, then each OU in turn) and the GPO processed last wins any conflict. GPO 2, linked to the lower container, is processed after GPO 1, so its rule B takes priority. Rule A is not in conflict, so North Wing and its children take it from GPO 1.
Figure 4-9: GPO Conflict Resolution with No Override Setting
A: GPO 1 is linked to the domain with rules A and B set to True and False, and its link is marked No Override (called Enforced in the Group Policy Management Console). B: The East Wing OU, a child of the guinea.pig domain, inherits GPO 1's settings. C: GPO 2 is linked to the North Wing OU with a conflicting rule B set to True. Because GPO 1 is set to No Override, GPO 2's conflicting rule B does not take effect: rule B stays False on the North Wing OU and on its children, which inherit GPO 1's settings as well.
Figure 4-10: GPO Conflict Resolution with Inheritance Blocking
A: GPO 1 is linked to the domain. B: The East Wing OU, a child of the domain, inherits GPO 1's settings. C: GPO 2 is linked to the North Wing OU, and the North Wing OU itself is set to Block Policy Inheritance. Because of this, GPO 1's settings do not apply to the North Wing OU or its children; only GPO 2 does. The one exception: a parent GPO marked No Override (Enforced) ignores the block and still applies.
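The three conflict-resolution figures (4-8, 4-9 and 4-10) follow one algorithm, and it is easier to trust once it is written down. The Python below is an added model, not code from the book or from Windows: it applies a container path's GPO links from the domain down, drops ordinary inherited links below a Block Policy Inheritance point, and processes No Override (Enforced) links last so they always win. The container names, GPO names and rules A and B are the figures' constructed example, not real policy settings.

```python
"""Group Policy conflict resolution, worked as an added example.

Models how Windows applies GPO links down a container path (domain, then each
OU from the top down): later-processed GPOs win conflicts, Block Policy
Inheritance on an OU drops its ancestors' ordinary links, and No Override
(Enforced) links ignore the block and are applied last so they always win.
Container names, GPO names and the rules A/B are the figures' constructed
example, not real policy settings.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Settings = Dict[str, bool]


@dataclass
class GPO:
    name: str
    settings: Settings
    enforced: bool = False      # "No Override" in the Windows 2000/2003 UI


@dataclass
class Container:
    name: str
    links: List[GPO] = field(default_factory=list)   # in processing order: last link wins
    block_inheritance: bool = False                  # Block Policy Inheritance on this OU


def processing_order(path: List[Container]) -> List[GPO]:
    """GPOs in the order the client applies them for an object in path[-1].

    path runs from the domain (path[0]) down to the target container.
    """
    # Block Policy Inheritance: ordinary links above the deepest blocking
    # container are dropped; the blocking container's own links still apply.
    start = 0
    for depth, container in enumerate(path):
        if container.block_inheritance:
            start = depth
    ordinary = [g for c in path[start:] for g in c.links if not g.enforced]
    # Enforced links bypass the block and are processed after everything else,
    # child first and parent last, so a parent's enforced GPO beats a child's.
    enforced = [g for c in reversed(path) for g in c.links if g.enforced]
    return ordinary + enforced


def resultant_settings(path: List[Container]) -> Settings:
    """Resultant set: apply in order, so a later GPO overwrites a conflicting earlier value."""
    result: Settings = {}
    for gpo in processing_order(path):
        result.update(gpo.settings)
    return result


def figures() -> Dict[str, Tuple[Settings, Settings, Settings]]:
    """Re-create Figures 4-8, 4-9, 4-10 and the combination of the last two.

    Returns, per figure, the resultant settings for East Wing, North Wing and a
    child OU beneath North Wing that has no links of its own.
    """
    cases = {"4-8": (False, False), "4-9": (True, False),
             "4-10": (False, True), "4-9+4-10": (True, True)}
    out = {}
    for figure, (enforced, block) in cases.items():
        gpo1 = GPO("GPO 1", {"A": True, "B": False}, enforced=enforced)
        gpo2 = GPO("GPO 2", {"B": True})
        domain = Container("guinea.pig", [gpo1])
        east = Container("East Wing")
        north = Container("North Wing", [gpo2], block_inheritance=block)
        room = Container("North Wing/Room 1")
        out[figure] = (resultant_settings([domain, east]),
                       resultant_settings([domain, north]),
                       resultant_settings([domain, north, room]))
    return out
```

The "4-9+4-10" case is the one the captions do not draw: with GPO 1 enforced at the domain and North Wing blocking inheritance, GPO 1 still lands on North Wing and its children, and still wins rule B.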
Figure 4-11: A standard (local) user profile under Windows 2000/XP. When a user logs into her computer, all her data, from her My Documents folder to her e-mail preferences, lives in her profile folder on the computer's hard drive.
Figure 4-12: A roaming profile under Windows 2000/XP. When a user assigned a roaming profile logs into the domain, her profile is copied down from a server share and written back to it when she logs off, so her computing experience is the same whichever computer she logs into. Because the whole profile travels at each logon and logoff, roaming profiles are usually combined with Folder Redirection so that large folders such as My Documents stay on the server instead of being copied.
Figure 4-13: Remote Installation Services. A: Installation files for Windows operating systems are stored on the RIS server. B: Clients boot from the network (PXE), obtaining an IP address from a Dynamic Host Configuration Protocol (DHCP) server and then locating the RIS server. C: Windows is installed over the network.
Chapter Five: Working With Multiple
Figure 5-1: Operations master roles. Forest-wide (one holder per forest): 1: Schema Master; 2: Domain Naming Master; 3: Global Catalog*. Per domain (one holder in each domain): A: PDC Emulator; B: RID Master; C: Infrastructure Master. *Although the Global Catalog is a forest-wide entity, any number of domain controllers in the forest may be Global Catalog servers, and having more than one increases fault tolerance. Note that in a multi-domain forest the Infrastructure Master should not be placed on a Global Catalog server unless every domain controller is a Global Catalog, or it will stop updating cross-domain group membership references.
Figure 5-2: Sharing resources across domains. 1: Global groups are created in domain A (the root domain). 2: Using the transitive, two-way trust between domain A and its child domain B, the global groups are added, or nested, into a domain local group in domain B. 3: The domain local group is granted the proper NTFS permissions on the shared folder in domain B. This is the A-G-DL-P pattern: accounts go in global groups, global groups go in domain local groups, and permissions are granted to the domain local group.
Figure 5-3: Domains A, B, and C are on different subnets and in different geographic locations, connected by different kinds of network links, each assigned a cost. Faster links are given lower costs and slower links higher costs; Active Directory replication prefers the lowest-cost path between sites.
Figure 5-4: The domain controllers in domains A, B, and C sit on different IP subnets. For them to communicate, each points its default gateway at an address on router D, which has an interface on each of the three subnets. For example, domain A sits on subnet 192.168.100.0, and router D has an address in that subnet; it likewise has addresses in the subnets of domains B and C. When domain A needs to contact domain B or C, the router forwards the packets from A's subnet to the destination subnet, and the same holds for the other two subnets.
Figure 5-5: A: A client in forest 1 sends its DNS server a query for a name in forest 2. B: The DNS server in forest 1 holds no information about that name. C: The DNS server in forest 1 is configured to forward requests it cannot resolve to the DNS server in forest 2 (Windows Server 2003 DNS can limit this to the other forest's namespace with a conditional forwarder). D: The DNS server in forest 2 resolves the name, and the answer is passed back to the client.
Figure 5-6: A: A global group is created in Forest 1. B: The global group is nested inside a universal group in Forest 1. C: Across a forest trust, a domain local group is created in Forest 2 and the universal group from Forest 1 is nested inside it. The domain local group is granted NTFS permissions on a shared folder in Forest 2, so members of the Forest 1 group can now reach the share in Forest 2.
Chapter Six: Antivirus and Backup
Figure 6-1: A: On Monday a Normal backup is run, which backs up all selected files on the server and clears each file's archive attribute. Tuesday through Thursday, Incremental backups run: each copies only the files changed since the previous backup of any kind and clears the archive attribute again, so restoring Thursday's state needs Monday's set plus every Incremental in order. B: On Monday a Normal backup is run; Tuesday through Thursday, Differential backups run. Each copies every file changed since Monday's Normal backup and leaves the archive attribute set, so the daily sets grow through the week but a restore needs only Monday's set plus the latest Differential.
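The difference between the two schedules in Figure 6-1 comes down to what each backup type does with the archive attribute. The following Python simulation is an added example, not part of the book: it models the archive bit, runs a constructed week of file changes under each schedule, and computes which sets a Thursday restore needs.

```python
"""Normal, Incremental and Differential backups, worked as an added example.

Simulates the archive attribute that Windows backup tools (including ntbackup)
use to decide what to copy: every write sets the bit; a Normal or Incremental
backup clears it on the files it copies, a Differential backup leaves it set.
The files and the week of changes below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class FileEntry:
    content: str
    archive: bool = True        # a new or modified file always has the archive bit set


class Volume:
    def __init__(self, files: Dict[str, str]):
        self.files = {name: FileEntry(data) for name, data in files.items()}

    def write(self, name: str, data: str) -> None:
        self.files[name] = FileEntry(data, archive=True)


@dataclass
class BackupSet:
    kind: str                   # "normal" | "incremental" | "differential"
    files: Dict[str, str]


def run_backup(vol: Volume, kind: str) -> BackupSet:
    """Copy the files the backup type selects and update archive bits as ntbackup would."""
    if kind == "normal":
        chosen = list(vol.files)                                    # everything selected
    elif kind in ("incremental", "differential"):
        chosen = [n for n, f in vol.files.items() if f.archive]     # changed since last clear
    else:
        raise ValueError(kind)
    copied = {n: vol.files[n].content for n in chosen}
    if kind != "differential":              # differential does NOT reset the bit
        for n in chosen:
            vol.files[n].archive = False
    return BackupSet(kind, copied)


def sets_needed_for_restore(sets: List[BackupSet]) -> List[BackupSet]:
    """Which media must be loaded to rebuild the volume as of the last backup.

    Incremental chain: the Normal plus every Incremental after it, in order.
    Differential chain: the Normal plus only the most recent Differential.
    """
    normal, rest = sets[0], sets[1:]
    if normal.kind != "normal":
        raise ValueError("a restore chain starts from a Normal backup")
    if all(s.kind == "incremental" for s in rest):
        return [normal] + rest
    if all(s.kind == "differential" for s in rest):
        return [normal] + rest[-1:]
    raise ValueError("mixed incremental/differential chains are not modelled")


def restore(sets: List[BackupSet]) -> Dict[str, str]:
    """Replay the needed sets oldest to newest; later copies overwrite earlier ones.

    Files deleted during the week are not removed (they come back), a limitation
    of any file-level restore built from backup sets.
    """
    files: Dict[str, str] = {}
    for s in sets_needed_for_restore(sets):
        files.update(s.files)
    return files


def simulate_week(kind: str) -> Tuple[List[int], int, Dict[str, str]]:
    """Monday Normal, then Tue-Thu backups of the given kind over constructed changes.

    Returns (files in each daily set, media needed for a Thursday restore, restored files).
    """
    vol = Volume({"budget.xls": "v1", "memo.doc": "v1", "logo.bmp": "v1"})
    sets = [run_backup(vol, "normal")]
    changes = [("budget.xls", "v2"), ("memo.doc", "v2"), ("budget.xls", "v3")]   # Tue, Wed, Thu
    for name, data in changes:
        vol.write(name, data)
        sets.append(run_backup(vol, kind))
    return [len(s.files) for s in sets], len(sets_needed_for_restore(sets)), restore(sets)
```

Running both schedules shows the trade-off the caption describes: the incremental sets stay at one file each but all four must be restored in order, while the differential sets grow to two files and only Monday's plus Thursday's are needed; both reconstruct the same Thursday state.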
Figure 6-2: In the first stage of restoring a domain controller with ntbackup, make sure to select both the C drive and the System State from the Normal backup. System State holds the Active Directory database, SYSVOL and the registry; it must be restored in Directory Services Restore Mode, and a System State backup older than the forest's tombstone lifetime (60 days by default) cannot be used to restore a domain controller.