Section 12.3. Exam 70-294 Highlighters Index



In this section, I've attempted to compile the facts within the exam's subject areas that you are most likely to need another look at; in other words, the areas of study that you might have highlighted while reading the Study Guide. The title of each highlighted element corresponds to the heading title in the Exam 70-294 Study Guide. In this way, if you have a question about a highlight, you can refer back to the corresponding section in the study guide. For the most part, the entries under a heading are organized as term lists, with a Windows Server 2003 feature, component, or administration tool as the term and the key details for that feature, component, or administration tool listed next to it.

12.3.1. Planning an Active Directory Forest and Domain Structure

Summary of highlights from the "Planning an Active Directory Forest and Domain Structure" section of the Exam 70-294 Study Guide.


Active Directory infrastructure

  • Forests, domain trees, and domains are the logical components of Active Directory.

  • Sites and subnets are the physical components of Active Directory.


Active Directory domains

  • Domains are logical groupings of objects that allow central management and control.

  • A domain is implemented when Active Directory is installed on the first domain controller.


Active Directory domain trees

  • Domain trees are groups of domains that share the same namespace.

  • Every domain tree has a root domain, which is at the top of the domain tree.

  • Domains in a domain tree have two-way transitive trusts between them.


Active Directory forests

  • Forests are groups of domain trees that are grouped together to share resources.

  • Every forest has a forest root domain, which is the first domain created in the forest.

  • Domain trees in a forest have two-way transitive trusts between them.


Active Directory data

  • Active Directory represents data stored in the database as objects.

  • An object's common name is the name assigned when the object is created with the CN= designator.

  • An object's distinguished name describes its place in the directory according to the series of containers in which it is stored.

  • No two objects in the directory will have the same distinguished name.


Active Directory root

  • All objects in the directory have parents except for the root of the directory tree.

  • The rootDSE represents the top of the logical namespace for a directory.

  • Below the rootDSE is the root domain, which is established when you create the first domain.

  • Once established, the forest root domain never changes.


Forest-wide containers

  • Forest Root Domain container is the container for objects in the forest root domain.

  • Configuration container is the container for the default configuration and all policy information.

  • Schema container is the container for all object classes, attributes, and syntaxes.

  • The forest root domain, configuration, and schema containers are defined within like-named partitions.


Active Directory partitions

  • Active Directory uses partitions to logically divide up the directory.

  • Partitions are the largest logical category of objects in the directory.

  • All directory partitions are created as instances of the domainDNS object class.

  • When you create a new domain, you create a new container object for the domain in the directory tree.

  • All domain controllers store at least one domain directory partition and two forest-wide data partitions.


Domain-wide data

  • Domain-wide data is replicated to every domain controller in a domain as a writeable replica.

  • Global catalogs maintain a partial replica of domain-wide data from all domains in a forest.


Forest-wide data

  • Forest-wide data is replicated to every domain controller in a forest.

  • The configuration partition is replicated as a writable replica.

  • The schema partition is replicated as a read-only replica, except on the schema operations master.

  • Application partition data is replicated on a forest-wide, domain-wide or other basis.


Creating the forest root domain

  • Create a forest root domain by installing Active Directory on the first domain controller in a forest.

  • Once you've established the forest root domain, you can add new domains to the forest.

  • Any domain in a different namespace from the forest root establishes the root domain of a new domain tree.


Forest root domains

  • A dedicated root is used as a placeholder.

  • A nondedicated root is used as a normal part of the directory.


Domains in a forest

  • All domain controllers share the same configuration container.

  • All domains in a forest trust all the other domains in that forest.

  • All domains in a forest have the same global catalog.

  • All domain controllers in a forest have the same schema.

  • All domains in a forest have Enterprise Admins and Schema Admins as top-level administrators.


Working with domains

  • Use domains to logically group objects for central management and control.

  • Domains set the replication boundary for the domain directory partition and for domain policy information. Domain boundaries are also boundaries for resource access and administration.

  • Group Policy settings that apply to one domain are independent from those applied to other domains.


Domain controllers

  • DNS servers must be installed on the network prior to installing Active Directory.

  • To designate a server as a domain controller, use Dcpromo to install Active Directory.

  • To demote a domain controller, use Dcpromo to uninstall Active Directory.

  • Configuring a domain controller in a new domain allows you to create:

    A new domain in a new forest

    A child domain in an existing domain tree

    A domain tree in an existing forest


Domain functional levels

  • Windows 2000 mixed mode, the default mode, supports Windows Server 2003, Windows 2000, and Windows NT domains.

  • Windows 2000 native mode supports Windows Server 2003 and Windows 2000 domains only.

  • Windows Server 2003 interim mode supports Windows Server 2003 and Windows NT domains only.

  • Windows Server 2003 mode supports Windows Server 2003 domains only.

  • Only Windows Server 2003 mode supports group nesting, group type conversion, universal groups, easy domain controller renaming, update logon timestamps, migration of security principals, and Kerberos KDC key version numbers.

  • Domain functional level can be raised, but not lowered. It is a one-way process.


Forest functional levels

  • Windows 2000, the default mode, supports domain controllers running Windows Server 2003, Windows 2000, and Windows NT.

  • Windows Server 2003 interim mode supports Windows Server 2003 and Windows NT only.

  • Windows Server 2003 mode supports Windows Server 2003 domain controllers only.

  • Only Windows Server 2003 mode supports extended two-way trusts between forests, domain rename, domain restructure using renaming, and global catalog replication enhancements.

  • Forest functional level can be raised, but not lowered. It is a one-way process.


Using UPN suffixes

  • Every user account has a User Principal Name (UPN).

  • The UPN is the User Logon Name combined with @ and a UPN suffix.

  • The names of the current domain and the root domain are set as the default UPN suffix.

  • You can specify an alternate UPN suffix to use to simplify logon or provide additional logon security.

12.3.2. Planning and Implementing a Strategy for Placing Global Catalog Servers

Summary of highlights from the "Planning and Implementing a Strategy for Placing Global Catalog Servers" section of the Exam 70-294 Study Guide.


Global catalog servers

  • A global catalog contains a full copy of all objects in its host domain.

  • A global catalog contains a partial, read-only replica of objects in all other domains.

  • The global catalog enables logon by providing universal group membership information.

  • The global catalog enables finding directory information throughout the forest.

  • The global catalog helps to resolve User Principal Names beyond the current domain.

  • By default, the first domain controller installed in a domain is the global catalog server.


Placing global catalog servers

  • Queries to global catalog servers are done over TCP port 3268 and TCP port 3269.

  • Each site should have at least one global catalog to ensure availability and optimal response time.

  • Exchange Server mailbox names are resolved through queries to the global catalog server.


Designating replication attributes

  • Each object has attributes that are designated for replication.

  • Global catalog servers use the replication details.

  • Schema administrators can designate additional attributes to be replicated.

  • Use the Active Directory Schema snap-in.


Universal group membership caching

  • Once caching is enabled, domain controllers store universal group membership information in a cache.

  • The cache is maintained indefinitely and updated every eight hours by default.

  • Up to 500 universal group memberships can be updated at once.

  • Universal group caching allows faster logon, reduces bandwidth usage and reduces resource usage.

12.3.3. Planning Flexible Operations Master Role Placement

Summary of highlights from the "Planning Flexible Operations Master Role Placement" section of the Exam 70-294 Study Guide.


Operations masters

  • A designated operations master has a flexible single-master operations (FSMO) role.

  • Operations performed by an operations master can occur at only one place at a time.


Forest roles

  • The schema master and domain-naming master roles are assigned on a per-forest basis.

  • There is only one schema master and only one domain-naming master in a forest.


Domain roles

  • The RID master, infrastructure master and PDC emulator are assigned on a per-domain basis.

  • Each domain in a forest has only one RID master, infrastructure master, and PDC emulator.


Schema master

  • The schema master maintains the only writeable copy of the schema container.

  • The schema master is the only domain controller in the forest on which you can change schema.


Domain-naming master

  • The domain-naming master is responsible for adding or removing domains from the forest.

  • If the domain-naming master cannot be contacted, you will not be able to add or remove domains.


Relative ID (RID)

  • The relative ID (RID) master allocates blocks of relative IDs.

  • Every domain controller in a domain is issued a block of relative IDs by the RID master.

  • RIDs are used to build the security IDs that uniquely identify security principals in a domain.

  • If a domain controller cannot contact the RID master and runs out of RIDs, no objects can be created.


PDC emulator

  • The PDC emulator master acts as the PDC for Windows NT 4.0 BDCs.

  • The PDC emulator master is responsible for processing password changes.


Infrastructure master

  • The infrastructure master updates group-to-user references across domains.

  • The infrastructure master compares its directory data with that of a global catalog.


Operations master role placement

  • The first domain controller in a forest has all five roles assigned to it.

  • The first domain controller in a domain is the RID master, infrastructure master, and PDC emulator.

  • Forest-wide roles (the schema master and domain-naming master) should be on the same domain controller.

  • The RID master and PDC emulator master roles should be on the same domain controller.

  • Except for a single or multidomain forest with all DCs as global catalogs, the infrastructure master should not be placed on a DC that is also a global catalog.


Locating and transferring the operations master roles

  • You can determine the current operations masters using netdom query fsmo.

  • You can transfer domain-wide roles by using Active Directory Users And Computers.

  • You can transfer domain-naming master using Active Directory Domains And Trusts.

  • You can transfer schema master using the Active Directory Schema snap-in.


Seizing operations master roles

  • When an operations master fails and is not coming back, you can seize the role to forcibly transfer it.

  • Use repadmin /showutdvec DomainControllerName NamingContext to check USNs.

  • Use ntdsutil to seize the role.

12.3.4. Planning and Implementing Organizational Unit Structure

Summary of highlights from the "Planning and Implementing Organizational Unit Structure" section of the Exam 70-294 Study Guide.


Understanding organizational units

  • Within a domain, organizational units are used to:

    Delegate administrator privileges while limiting administrative access

    Create hierarchies that mirror business structure or functions

    Manage groups of objects as a single unit through Group Policy

  • Organizational units are represented as container objects that are part of a designated domain.

  • Organizational units are not a part of DNS structure.


Organizing OU hierarchies

  • Division or business unit OU hierarchies reflect the department structure within the organization.

  • Geographic or business location OU hierarchies reflect the actual physical location of units.

  • Areas of administrative control OU hierarchies reflect the way resources and accounts are managed.


Delegate administrative rights for OUs

  • Delegate rights to assign a user full administrative control.

  • Delegate rights to assign a user a specific set of administrative permissions.


Group Policy Objects

  • Every site, domain, and OU has an associated Group Policy Object (GPO).

  • Using Group Policy, you can specify a set of rules for computer and user configuration.

  • Manage policy settings using Group Policy Object Editor or the Group Policy Management console.

  • You can use Group Policy to:

    Define default options for configuration and security settings

    Limit options for changing configuration and security settings

    Prevent changing certain configuration and security settings


Creating OUs

  • Each domain has its own OU hierarchy.

  • To create an OU, you must be a member of the Administrators group in the domain.

  • You can create an OU using Active Directory Users And Computers or DSADD.


Moving Objects within an OU

  • You can move existing objects from one OU to another using drag-and-drop.

  • You can move existing objects from one OU to another using right-click Move or DSMOVE.

  • To move objects between domains, you must use the Movetree.exe utility.

12.3.5. Planning and Implementing an Administrative Delegation Strategy

Summary of highlights from the "Planning and Implementing an Administrative Delegation Strategy" section of the Exam 70-294 Study Guide.


Planning for delegation

  • Delegation can be used at the domain level and at the organizational unit level.

  • You can:

    Grant full control over an OU.

    Grant full control over specific types of objects in an OU or domain.

    Grant rights to perform specific tasks in a domain or OU.


Effects of delegation

  • Any user who has been designated as an administrator for a domain automatically has full control over the domain.

  • Any user who has been delegated permissions at the domain level has those permissions for all OUs in the domain.

  • Any user delegated permissions in a top-level OU has those permissions for all OUs within the top-level OU.


Delegating administration

  • You can delegate administration in Active Directory Users And Computers.

  • Right-click the OU, and then select Delegate Control.

12.3.6. Planning and Managing Active Directory Sites

Summary of highlights from the "Planning and Managing Active Directory Sites" section of the Exam 70-294 Study Guide.


Understanding sites

  • Every Active Directory implementation has at least one site.

  • A site is a group of IP subnets that are connected by reliable, high-speed links.

  • A subnet is a subdivision of an IP network. Sites are connected to each other via site links.

  • A site link is a logical, transitive connection between two or more sites.

  • Site structure reflects the physical environment and is separate from the logical representation.


Site boundaries

  • Domain and site boundaries are separate.

  • A single site can contain resources from multiple domains.

  • A single domain can extend across multiple sites.

  • A single site can have multiple subnets, but a single subnet can only be a part of one site.


Using sites

  • Key reasons to create additional sites are to control replication traffic and isolate logon traffic.

  • Each site should have at least one domain controller and one global catalog.

  • Each site should have at least one DNS server and one DHCP server.

  • Each site may also need local file servers, messaging servers, and certificate authorities.


Understanding replication

  • Replication within a site is referred to as intrasite replication.

  • Replication between sites is referred to as intersite replication.


How sites isolate logon traffic

  • If a user logs in to their home domain, a DC within the local site authenticates the logon.

  • If a user logs in to another domain, a DC in the local site forwards the logon request to a DC in the user's home domain.


Intrasite replication

  • Replication data is not compressed, which reduces processor and memory usage.

  • Replication partners notify when changes need to be replicated, allowing partners to request changes.

  • Replication partners poll each other periodically to determine whether there are updates.

  • Remote Procedure Call (RPC) over IP is used.


Intersite replication

  • Replication data is compressed by default to reduce network bandwidth usage.

  • Replication partners do not notify each other when changes need to be replicated.

  • Replication partners poll each other at specified intervals, but only during scheduled periods.

  • RPC over IP or Simple Mail Transport Protocol (SMTP) is used.

  • Use of SMTP is limited to DCs in different domains. DCs in the same domain must use RPC over IP.


Knowledge Consistency Checker (KCC)

  • The KCC runs on each DC.

  • The KCC monitors intrasite replication.


Inter-Site Topology Generator (ISTG)

  • The ISTG runs on a designated DC.

  • The ISTG monitors intersite replication.

  • The ISTG designates a bridgehead server.

  • You can also designate a preferred bridgehead server.

  • When used, multiple preferred bridgehead servers should be specified.


Establishing sites

  • When you install the first DC in a site, Dcpromo creates a default site and a default site link.

  • The default site is named Default-First-Site-Name.

  • The default site link is called DEFAULTIPSITELINK.


Configuring sites

  1. Create the site.

  2. Create one or more subnets and associate them with the site.

  3. Link the site to other sites using site links.

  4. Associate a domain controller with the site.

  5. Specify a site license server for the site.


Creating sites

  • You can create sites using Active Directory Sites And Services.

  • Right-click the Sites container and select New Site.


Creating subnets

  • Any computer with an IP address on a network segment associated with a site is in the site.

  • Each subnet can be associated only with one site.

  • You can create a subnet using Active Directory Sites And Services.

  • Right-click the Subnets container in the console tree and select New Subnet.


Associating domain controllers with sites

  • Each site should have at least one domain controller associated with it.

  • To provide fault tolerance and redundancy, you should have at least two DCs in each site.

  • After associating a subnet with a site, any DCs you install on that subnet will be located in the site, and any existing DCs must be moved to the site.

  • You can move a DC to a site using Active Directory Sites And Services.

  • Right-click the domain controller object, and then select Move.


Specifying a site license server for a site

  • Every site must have a site license server associated with it.

  • For the default site, the default site license server is the first domain controller created in the site.

  • You can determine the site-licensing server using Active Directory Sites And Services.


Configuring intersite replication

  • To configure and maintain intersite replication, you must:

    1. Create the required site links.

    2. Configure site link properties for replication cost, interval, and schedule as appropriate.

    3. Optionally, create site link bridges.

    4. Optionally, determine and monitor the Inter-Site Topology Generator.

    5. Optionally, determine and monitor bridgehead servers.

    6. Optionally, specify preferred bridgehead servers.


Creating site links

  • Site links are used over WAN links.

  • By default, replication is 24 hours a day, 7 days a week, at an interval of at least 180 minutes.

  • Prioritize links using link cost. The default link cost is set to 100.

  • With site links, you can use RPC over IP for reliable links and SMTP for unreliable links.

  • You can create a site link between two or more sites using Active Directory Sites And Services.

  • Right-click the transport protocol, either IP or SMTP, and select New Site Link.


Site link bridges

  • By default, site link transitivity is enabled.

  • When more than two sites are linked for replication and use the same transport, site links are bridged.

  • The link path is determined by the site link bridge cost.

  • The site link bridge cost is the sum of all the links included in the bridge.

  • The path with the lowest total site link bridge cost is used.


Configuring site link transitivity

  • Within an Active Directory forest, site link transitivity can be set on a per-transport-protocol basis.

  • You can enable or disable transitivity using Active Directory Sites and Services.

  • Right-click the transport protocol, and then select Properties.

  • To enable site link transitivity, select Bridge All Site Links.

  • If you disable transitive links, you can manually create site link bridges.


Determining the Inter-Site Topology Generator

  • The Inter-Site Topology Generator (ISTG) in a site generates intersite replication topology.

  • Operating as the ISTG adds considerable workload.

  • You can determine the ISTG using Active Directory Sites And Services.

  • Use the site's NTDS Site Settings.


Site bridgehead servers

  • Replication between sites is performed by bridgehead servers.

  • A bridgehead server is a domain controller designated by the ISTG to perform intersite replication.

  • The ISTG configures a bridgehead server for each Active Directory partition that needs to be replicated.

  • Operating as a bridgehead server adds to the workload of the domain controller.

  • You can list the bridgehead servers in a site using repadmin /bridgeheads site:SiteName.


Using preferred bridgehead servers

  • Once you designate preferred bridgehead servers for a site, the ISTG will use only them.

  • You must configure a bridgehead server for each partition that needs to be replicated.

  • If the preferred bridgehead servers are unavailable, intersite replication will stop.


Recovering from preferred bridgehead failure

  • Remove failed servers as preferred bridgeheads, and then specify different preferred bridgeheads.

  • Or remove all servers as preferred bridgehead servers and then allow the ISTG to select bridgeheads.


Configuring preferred bridgeheads

  • You can configure preferred bridgeheads using Active Directory Sites and Services.

  • Right-click the server you want to designate as a preferred bridgehead, and then select Properties.

  • Add preferred transports to the Transports Available For list.

12.3.7. Maintaining Active Directory Infrastructure

Summary of highlights from the "Maintaining Active Directory Infrastructure" section of the Exam 70-294 Study Guide.


Two-way transitivity trust relationships

  • All domains in a forest have automatic two-way transitive trusts between parent and child domains.

  • Because trusts are automatic, you do not need to create them.

  • Because trusts are two-way, a user in any domain in a forest can access resources in any other domain in the forest.

  • Because trusts are transitive, users can access resources across any consecutive series of domains in a forest.


Establishing trusts

  • Windows Server 2003 uses Kerberos or NTLM for authentication and establishment of trusts.

  • Kerberos is used with Windows 2000 or later clients and servers.

  • NTLM is used with pre-Windows 2000 clients and servers.


Trust trees

  • When a user attempts to access a resource in another domain, a trust tree is used.

  • The user's request passes through one DC in each domain between the user and the resource.

  • The request is then authenticated in the domain where the resource resides.


Using the trust tree

  • Authentication requests from the source domain pass through parent-child trusts to the tree root.

  • From the tree root, they pass through parent-child trusts to the destination domain.


Shortcut trusts

  • Establish a shortcut trust between the domains to establish an authentication shortcut.

  • The DC in the first domain can forward authentication requests directly to a DC in the second domain.

  • You need two accounts: one that is a member of Domain Admins in the first domain, and one that is a member of Domain Admins in the second domain.


External trusts

  • External trusts are nontransitive trusts that must be explicitly established by administrators.

  • An external trust can be one-way or two-way.

  • An external trust is applicable only to the domains for which the trust is established.

  • Users in other domains cannot make use of the trust because it is nontransitive.

  • External trusts are provided for backward compatibility with Windows NT domains.


Forest trusts

  • Forest trusts are one-way or two-way transitive trusts between forest root domains.

  • Forest trusts must be explicitly established by administrators.

  • Forest trusts are used to share resources and to authenticate users between forests.

  • All DCs in all domains of both forests must be upgraded to Windows Server 2003.

  • Forest trusts are transitive between two forests only.

  • You need two accounts: one that is a member of Enterprise Admins in the first forest, and one that is a member of Enterprise Admins in the second forest.


Realm trusts

  • Realm trusts are trusts between Windows domains and Kerberos realms.

  • Realm trusts must be explicitly established by administrators.

  • Realm trusts can be nontransitive, transitive, two-way, or one-way.

  • You need to establish the trust separately for the Windows domain and the Kerberos realm.


Viewing current trust relationships

  • Using Active Directory Domains And Trusts, you can view available domains and existing trusts.

  • To view the existing trusts for a domain, right-click the domain node and select Properties.

  • Click the Trust tab.


Understanding trust relationships

  • When a new domain is added to a new domain tree within a forest, the default trust is a tree-root trust.

  • When a new domain is a subdomain of a root domain, the default trust is a parent-child trust.

  • All default trusts are established as two-way, transitive trusts.

  • For all trusts there are two sides: an incoming trust and an outgoing trust.

  • To establish a trust, you must configure both sides of the trust.


Establishing trust relationships

  • You can establish an explicit trust relationship using Active Directory Domains And Trusts.

  • Right-click the domain for which you want to establish an explicit trust, and then select Properties.

  • For a forest trust, this must be the forest root domain in one of the participating forests.

  • In the domain's Properties dialog box, click the Trust tab and click the New Trust button.


Troubleshooting trusts

  • Windows Server 2003 validates all incoming trusts automatically.

  • If the credentials used to establish the trust are no longer valid, the trust fails verification.

  • Failure of the trust means that users are not able to access resources.

  • You can re-validate the trust by providing new credentials or by specifying that incoming trusts should not be validated.

  • You can re-validate and reset a trust relationship using Active Directory Domains And Trusts.


Active Directory service dependencies

  • LDAP

  • Domain Name System (DNS)

  • Kerberos v5 Authentication

  • Remote Procedure Call (RPC)


Sysvol replication dependencies

  • File Replication Service (FRS)

  • NTFS and share permissions on the Sysvol


Troubleshooting Active Directory

  • Use Replication Administrator (Repadmin) and Replication Monitor (Replmon).

  • Use the NTDS performance object in the Performance console.

  • Use performance logging and alerts.

  • Review the Directory Service log on the domain controller.


Troubleshooting FRS

  • Use the FileReplicaConn and FileReplicaSet performance objects in the Performance console.

  • Use performance logging and alerts.

  • Review the File Replication Service log on the domain controller.

  • Review the Sysvol permissions.


Restoring Active Directory

  • Back up the System State on domain controllers whenever you perform Normal backups.

  • The System State of a domain controller can only be restored using Directory Services Restore Mode.

  • Press F8 during boot up, and then select Directory Services Restore Mode as the startup option.


Authoritative Restore

  • Use when you need to recover Active Directory and no other domain controller has the correct data.

  • You must restore the System State, making sure not to reboot the computer, and then use NTDSUTIL to perform authoritative restore.

  • Sysvol is not restored authoritatively unless you do a primary restore of the Sysvol.


Nonauthoritative Restore

  • Use when you need to restore a DC and allow it to get any necessary updates from other DCs.

  • You must restore the System State, and then reboot the domain controller.

  • The restored DC gets updates of Active Directory and Sysvol from other DCs.

  • You have the option of doing a primary restore of the Sysvol.


Performing a primary restore on Sysvol

  • The Sysvol folder is backed up as part of the System State.

  • If you restore a DC, the Sysvol data on the restored DC is overwritten with data from other DCs.

  • You must perform a primary restore of the Sysvol to ensure the restored Sysvol is the master.

  • Start by restoring System State using either authoritative or nonauthoritative restore.

  • During the restore, do not accept the default restore settings.

  • Instead, on the Completing The Restore Wizard page, click the Advanced button.

  • Select When Restoring Replicated Data Sets, Mark The Restored Data As The Primary Data For All Replicas.

12.3.8. Planning and Implementing User, Computer, and Group Strategies

Summary of highlights from the "Planning and Implementing User, Computer, and Group Strategies" section of the Exam 70-294 Study Guide.


Groups

  • Distribution groups are used for email distribution lists; they do not have security descriptors.

  • Security groups are used to assign access permissions; they have security descriptors.


Domain local groups

  • Used primarily to assign access permissions to resources within a single domain.

  • Can include members from any domain in the forest and from trusted domains in other forests.

  • Typically, global and universal groups are members of domain local groups.


Global groups

  • Used primarily for users or computers in the same domain that share a similar role, function, or job.

  • Can include only accounts and groups from the domain in which they are defined, including other global groups.


Universal groups

  • Used primarily to define sets of users or computers that should have wide permissions throughout a domain or forest.

  • Can include accounts and groups from any domain in the forest, including other universal groups and global groups.


Using groups in Windows 2000 Mixed, Windows Server 2003 Interim domain functional level

  • Domain local groups can contain accounts and global groups from any domain.

  • Global groups can contain accounts from the same domain only.

  • Universal security groups can't be created.


Using groups in Windows 2000 Native, Windows Server 2003 domain functional level

  • Domain local groups can contain accounts and global groups from any domain, and domain local groups from the same domain only.

  • Global groups can contain accounts and other global groups from the same domain only.

  • Universal groups can contain accounts, global groups, and universal groups from any domain.


Changing group scope

  • Domain local groups can be changed to universal groups; no member can have domain local scope.

  • Global groups can be changed to universal groups; no member can have global scope.

  • Universal groups can be changed to domain local or global groups; for the change to global, no member can have global scope.
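The nesting and scope-change rules in the "Domain local groups" through "Changing group scope" entries above can be checked mechanically, which is useful when reviewing a group design before it is built. The following is an added example, not code from the study guide: it models the nesting rules for the Windows 2000 Mixed/Interim and Windows 2000 Native/Windows Server 2003 functional levels and the scope-change conditions. Domain names, group names, and the `Principal` type are constructed for the illustration; the universal-to-global condition follows Microsoft's documented rule that the group may contain no other universal groups.

```python
"""Model of Active Directory group nesting and scope-change rules.

Added illustration (not study-guide code). Encodes the nesting rules the
guide lists per domain functional level and the scope-change checks.
All names and domains below are constructed sample data.
"""
from dataclasses import dataclass, field

ACCOUNT, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "account", "domain_local", "global", "universal"
MIXED, NATIVE = "mixed", "native"   # Win2000 Mixed/2003 Interim vs Win2000 Native/2003


@dataclass
class Principal:
    name: str
    domain: str
    scope: str                 # ACCOUNT, DOMAIN_LOCAL, GLOBAL or UNIVERSAL
    security: bool = True      # False for distribution groups
    members: list = field(default_factory=list)


def can_contain(group, member, level):
    """Return (ok, reason) for adding `member` to `group` at functional level `level`."""
    same_domain = group.domain == member.domain
    if group.scope == DOMAIN_LOCAL:
        if member.scope in (ACCOUNT, GLOBAL):
            return True, "domain local: accounts and global groups from any domain"
        if member.scope == DOMAIN_LOCAL:
            if level == NATIVE and same_domain:
                return True, "domain local: domain local groups from the same domain (native)"
            return False, "domain local nesting needs native level and the same domain"
        if level == NATIVE:   # member is universal
            return True, "domain local: universal groups from any domain (native)"
        return False, "universal security groups do not exist at mixed level"
    if group.scope == GLOBAL:
        if not same_domain:
            return False, "global groups take members from their own domain only"
        if member.scope == ACCOUNT:
            return True, "global: accounts from the same domain"
        if member.scope == GLOBAL and level == NATIVE:
            return True, "global: other global groups from the same domain (native)"
        return False, "global groups nest other global groups only at native level"
    if group.scope == UNIVERSAL:
        if level != NATIVE and group.security:
            return False, "universal security groups can't be created at mixed level"
        if member.scope in (ACCOUNT, GLOBAL, UNIVERSAL):
            return True, "universal: accounts, global and universal groups from any domain"
        return False, "universal groups cannot contain domain local groups"
    return False, "an account cannot have members"


def can_change_scope(group, new_scope):
    """Scope conversion is allowed only if no current member has the blocking scope."""
    member_scopes = {m.scope for m in group.members}
    if group.scope == DOMAIN_LOCAL and new_scope == UNIVERSAL:
        return DOMAIN_LOCAL not in member_scopes
    if group.scope == GLOBAL and new_scope == UNIVERSAL:
        return GLOBAL not in member_scopes
    if group.scope == UNIVERSAL and new_scope == DOMAIN_LOCAL:
        return True
    if group.scope == UNIVERSAL and new_scope == GLOBAL:
        # Documented Microsoft rule: no universal groups may be members.
        return UNIVERSAL not in member_scopes
    return False   # domain local <-> global is never a direct conversion


def demo():
    """Constructed scenario: two domains in one forest."""
    alice = Principal("alice", "corp.example", ACCOUNT)
    bob = Principal("bob", "sales.corp.example", ACCOUNT)
    g_sales = Principal("Sales-Staff", "sales.corp.example", GLOBAL, members=[bob])
    g_nested = Principal("Sales-All", "sales.corp.example", GLOBAL, members=[g_sales])
    dl_print = Principal("Printer-Ops", "corp.example", DOMAIN_LOCAL)
    dl_other = Principal("Scanner-Ops", "corp.example", DOMAIN_LOCAL)
    u_all = Principal("All-Staff", "corp.example", UNIVERSAL)
    return {
        "global_cross_domain": can_contain(g_sales, alice, NATIVE)[0],     # False
        "dl_takes_global_any_domain": can_contain(dl_print, g_sales, NATIVE)[0],  # True
        "dl_nests_dl_mixed": can_contain(dl_print, dl_other, MIXED)[0],    # False
        "universal_security_mixed": can_contain(u_all, alice, MIXED)[0],   # False
        "global_to_universal_ok": can_change_scope(g_sales, UNIVERSAL),    # True
        "global_to_universal_blocked": can_change_scope(g_nested, UNIVERSAL),  # False
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

Feeding a proposed group design through `can_contain` before creating it in Active Directory Users And Computers catches the common errors (a global group reaching across domains, domain local nesting at mixed level) that otherwise surface only as a failed membership change.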


Planning authentication using smart cards

  • Smart cards store digital certificates used in logon authentication.

  • Extensible Authentication Protocol (EAP) is used with remote access and smart cards.

  • Require users to use smart cards for authentication using Active Directory Users And Computers.

  • On the Account tab, select Smart Card Is Required For Interactive Logon.

  • You must install smart card reader devices on computers and set up a smart card to use for user logon.

  • Only enterprise CAs can be used with smart cards, because enterprise CAs store certificates in Active Directory.

12.3.9. Planning, Implementing, and Maintaining Group Policy

Summary of highlights from the "Planning, Implementing, and Maintaining Group Policy" section of the Exam 70-294 Study Guide.


Group Policy

  • Group Policy is a set of rules that you can apply to help you manage users and computers.

  • Active Directory defines computer policies and user policies.

  • You can use Group Policy with all workstations and servers running Windows 2000 or later.


Computer policies

  • Are applied to computers and are stored under Computer Configuration.

  • You use Computer Configuration settings to configure policy on a per-computer basis.

  • When a computer is started, computer policy settings are applied.

  • A history of the registry-based settings that were applied is written to %AllUsersProfile%\Ntuser.pol.


User policies

  • Are applied to users and are stored under User Configuration.

  • Use User Configuration settings to configure policy on a per-user basis.

  • When a user logs on, user policy settings are applied.

  • A history of the registry-based settings that were applied is written to %UserProfile%\Ntuser.pol.


Group Policy refresh

  • Group Policy settings are automatically refreshed to keep settings current.

  • By default, Group Policy is refreshed every 5 minutes on DCs and every 90 to 120 minutes on other computers.

  • A full refresh of Group Policy occurs every 16 hours.

  • Slow link and policy processing settings can affect when refresh occurs.

  • Use Gpupdate to manually refresh policy from the command line.


Group Policy Objects

  • Group Policy is applied using Group Policy Objects (GPOs).

  • Sites, domains, and organizational units all have related Group Policy Objects.

  • The settings of top-level GPOs are inherited by lower-level GPOs.


Local Group Policy

  • For local environments, a subset of Group Policy called Local Group Policy is available.

  • This policy allows you to manage policy settings for those who log on to a local machine.

  • Local Group Policy is managed through the Local Group Policy Object (LGPO).

  • All computers have an LGPO.

  • Although DCs have LGPOs, Group Policy for DCs should be managed through Default Domain Controllers Policy.


Group Policy settings

  • Manage Group Policy by configuring policy settings.

  • Policy settings can be enabled, disabled, or not configured.

  • Enabled policy settings are active and applied.

  • Disabled policy settings are inactive and not applied or enforced.

  • Not configured policy settings are not being used.


Inheritance and blocking

  • Inheritance and blocking can affect the meaning of these states.

  • If inherited settings are enforced, you cannot override them.

  • If inherited settings are blocked and inheritance is not enforced, the inherited setting does not apply.


Inheritance precedence order

  • Everyone who logs on to the local machine is affected by Local Group Policy.

  • LGPO settings have the least precedence and can be superseded by site, domain, and OU settings.

  • Active Directory-based policy settings are applied in this order: site, domain, OU.


Inheritance without blocking

  • Site policy affects all users and computers located within domains and OUs that are part of the site.

  • Domain policy affects all users and computers located within OUs that are part of the domain.

  • OU policy affects all users and computers defined within the OU as well as those in child OUs.
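The "Inheritance and blocking", "Inheritance precedence order", and "Inheritance without blocking" entries describe one algorithm: apply LGPO, site, domain, and OU policy in that order, let later settings override earlier ones, drop non-enforced higher-level GPOs below a container that blocks inheritance, and let Enforced GPOs win regardless. The following is an added example, not code from the study guide or from Microsoft, that computes the resultant value of each setting from such a chain and records which GPO won. GPO and container names are constructed; the `GPO` and `Container` types and the assumption that the LGPO is not subject to Block Inheritance are the example's own.

```python
"""Resultant-policy calculator for the LGPO -> site -> domain -> OU model.

Added illustration (not study-guide code). Rules modelled:
  * processing order is Local, site, domain, OU, child OU; a later GPO
    overrides an earlier one for the same setting
  * within a container, link order 1 has highest precedence
  * Block Inheritance on a container discards non-enforced GPOs linked
    to containers above it (assumption: the LGPO is never blocked)
  * Enforced GPOs ignore blocking; among enforced GPOs the higher
    container wins
  * Not Configured (None) never changes the result
"""
from dataclasses import dataclass, field

NOT_CONFIGURED = None


@dataclass
class GPO:
    name: str
    settings: dict          # setting -> "Enabled" / "Disabled" / NOT_CONFIGURED
    enforced: bool = False


@dataclass
class Container:
    name: str               # "Local", a site, a domain or an OU
    gpos: list = field(default_factory=list)   # in link order (index 0 = link order 1)
    block_inheritance: bool = False


def resultant_policy(chain):
    """chain: containers in processing order. Returns (settings, winning_gpo)."""
    block_at = None
    for i, c in enumerate(chain):
        if c.block_inheritance:
            block_at = i            # lowest blocking container governs
    normal, enforced = [], []
    for i, c in enumerate(chain):
        for gpo in reversed(c.gpos):   # link order 1 applied last, so it wins
            if gpo.enforced:
                enforced.append((i, gpo))
            elif block_at is None or i == 0 or i >= block_at:
                normal.append(gpo)
    result, winner = {}, {}

    def apply(gpo):
        for setting, value in gpo.settings.items():
            if value is not NOT_CONFIGURED:
                result[setting] = value
                winner[setting] = gpo.name

    for gpo in normal:
        apply(gpo)
    # Enforced: apply lowest container first so the highest one overrides.
    for _, gpo in sorted(enforced, key=lambda pair: -pair[0]):
        apply(gpo)
    return result, winner


def build_chain(block_engineering):
    """Constructed sample chain: LGPO, one site, one domain, one OU."""
    return [
        Container("Local", [GPO("LGPO", {"PasswordHistory": "Disabled", "Screensaver": "Enabled"})]),
        Container("Site-HQ", [GPO("Site-Baseline", {"Screensaver": "Disabled"}, enforced=True)]),
        Container("corp.example", [GPO("Default Domain Policy",
                                       {"PasswordHistory": "Enabled", "RemovableMedia": "Disabled"})]),
        Container("OU=Engineering", [GPO("Eng-Tools",
                                         {"RemovableMedia": "Enabled", "Screensaver": "Enabled"})],
                  block_inheritance=block_engineering),
    ]


def demo():
    """Same chain with and without Block Inheritance on the OU."""
    return {
        "blocked": resultant_policy(build_chain(True)),
        "inherited": resultant_policy(build_chain(False)),
    }


if __name__ == "__main__":
    for label, (settings, winners) in demo().items():
        print(label)
        for k in sorted(settings):
            print(f"  {k:16} {settings[k]:9} (from {winners[k]})")
```

In the blocked run the domain's PasswordHistory setting never reaches Engineering and the LGPO value survives, while the enforced site GPO still overrides the OU's Screensaver setting; that combination is exactly what RSoP Logging Mode and Gpresult report, and it is why the guide recommends keeping password and account policy in the Default Domain Policy rather than relying on OU-level links.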


GPOs in Active Directory

  • All GPOs are stored in the Group Policy Objects container.

  • The link between a domain, site, or OU makes a GPO active.

  • You can link a GPO to a specific level or to multiple levels.


Default Domain Controllers Policy GPO

  • This is the default GPO created for and linked to the Domain Controllers OU.

  • It is applied to all domain controllers in a domain by default.

  • Use this GPO to manage security settings for domain controllers in a domain.

  • Use it only to configure User Rights Assignment and Audit Policy.

  • You may also want to set Security Options and event log settings.

  • Manage other areas of DC policy by creating a new GPO and linking as appropriate.


Default Domain Policy GPO

  • This is the default GPO created for and linked to the domain within Active Directory.

  • It is used to establish policy settings that apply to all users and computers in a domain.

  • Use only to manage Password Policy, Account Lockout Policy, and Kerberos Policy.

  • Manage other areas of domain policy by creating a new GPO and linking as appropriate.


Group Policy settings

  • Two major categories of settings: Computer Configuration and User Configuration.

  • These categories are divided into several major classes.

  • Software Settings provide settings for automating deployment of software.

  • Windows Settings provide settings for managing Windows settings for both computers and users.

  • Administrative Templates provide settings for managing registry-based settings.


Managing Local Group Policy

  • To work with Local Group Policy, you must use an administrator account.

  • Use gpedit.msc /gpcomputer:"%computername%" to open the local computer's LGPO.

  • Use gpedit.msc /gpcomputer:"RemoteComputer" to open the LGPO of a remote computer, substituting its name.


Managing Active Directory Group Policy

  • Any changes you make are made first on the PDC Emulator if it is available.

  • Domain Admins and Enterprise Admins can work with Active Directory Group Policy.

  • With Active Directory Group Policy, creating and linking objects are separate actions.

  • You can create a GPO and later link it to a site, domain, or OU.

  • Or you can create a GPO and simultaneously link it to a site, domain, or OU.

  • Manage site GPOs using Active Directory Sites And Services.

  • Manage domain and OU GPOs using Active Directory Users And Computers.


Administrative Templates

  • Administrative Templates are used to manage registry-based settings.

  • Each set of Administrative Templates is defined using an administrative template (.adm) file.

  • Administrative template files do not affect the processing of policy.

  • Administrative template files are used to display the settings that can be configured.

  • Settings are stored in the Registry.pol file associated with the GPO.
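Because the Registry.pol file, not the .adm file, is what a client actually applies, an auditor who wants to know what registry-based policy a GPO really carries reads Registry.pol directly. The file is a documented binary format: a "PReg" signature, a version DWORD, and then one `[key;value;type;size;data]` record per setting, with the brackets, semicolons, key, and value name encoded as UTF-16LE. The following is an added example, not code from the study guide or from Microsoft, that writes a Registry.pol image in memory and parses it back; the sample entries are constructed (the value names under the Windows Update policy key are real ones, chosen to match the Automatic Updates option 4 the guide mentions later) and the helper names are the example's own.

```python
"""Writer and parser for the Registry.pol format used inside a GPO.

Added illustration (not study-guide code). Format: b"PReg" + DWORD version 1,
then records [key;value;type;size;data] where '[', ';', ']' are UTF-16LE
characters, key and value are null-terminated UTF-16LE strings, type and
size are little-endian DWORDs, and data is `size` raw bytes.
"""
import struct

PREG_SIGNATURE = b"PReg"
PREG_VERSION = 1
REG_SZ, REG_DWORD = 1, 4
NUL = b"\x00\x00"


def _u16(text):
    return text.encode("utf-16-le")


def build_registry_pol(entries):
    """entries: iterable of (key, value_name, reg_type, data); data is int or str."""
    out = bytearray(PREG_SIGNATURE + struct.pack("<I", PREG_VERSION))
    for key, name, rtype, data in entries:
        if rtype == REG_DWORD:
            raw = struct.pack("<I", data)
        elif rtype == REG_SZ:
            raw = _u16(data) + NUL          # size includes the terminator
        else:
            raise ValueError(f"unsupported registry type {rtype}")
        out += _u16("[") + _u16(key) + NUL + _u16(";") + _u16(name) + NUL + _u16(";")
        out += struct.pack("<I", rtype) + _u16(";") + struct.pack("<I", len(raw)) + _u16(";")
        out += raw + _u16("]")
    return bytes(out)


def parse_registry_pol(blob):
    """Return a list of (key, value_name, reg_type, data) tuples."""
    if blob[:4] != PREG_SIGNATURE:
        raise ValueError("missing PReg signature")
    version, = struct.unpack_from("<I", blob, 4)
    if version != PREG_VERSION:
        raise ValueError(f"unsupported Registry.pol version {version}")
    pos = 8
    entries = []

    def expect(ch):
        nonlocal pos
        if blob[pos:pos + 2] != _u16(ch):
            raise ValueError(f"expected {ch!r} at offset {pos}")
        pos += 2

    def read_string():
        nonlocal pos
        end = pos
        while blob[end:end + 2] != NUL:
            end += 2
            if end + 2 > len(blob):
                raise ValueError("unterminated string")
        text = blob[pos:end].decode("utf-16-le")
        pos = end + 2
        return text

    while pos < len(blob):
        expect("[")
        key = read_string(); expect(";")
        name = read_string(); expect(";")
        rtype, = struct.unpack_from("<I", blob, pos); pos += 4; expect(";")
        size, = struct.unpack_from("<I", blob, pos); pos += 4; expect(";")
        raw = blob[pos:pos + size]; pos += size
        expect("]")
        if rtype == REG_DWORD:
            data = struct.unpack("<I", raw)[0]
        elif rtype == REG_SZ:
            data = raw.decode("utf-16-le").rstrip("\x00")
        else:
            data = raw
        entries.append((key, name, rtype, data))
    return entries


def lookup(entries, key, name):
    """Return the data for one policy value, or None if the GPO does not set it."""
    for k, n, _, data in entries:
        if k.lower() == key.lower() and n.lower() == name.lower():
            return data
    return None


# Constructed sample: the settings a Windows Update GPO might carry.
AU_KEY = r"Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
WU_KEY = r"Software\Policies\Microsoft\Windows\WindowsUpdate"
SAMPLE_ENTRIES = [
    (AU_KEY, "NoAutoUpdate", REG_DWORD, 0),
    (AU_KEY, "AUOptions", REG_DWORD, 4),            # 4 = Auto Download And Schedule For Install
    (WU_KEY, "WUServer", REG_SZ, "http://wsus.corp.example"),   # constructed hostname
]

if __name__ == "__main__":
    blob = build_registry_pol(SAMPLE_ENTRIES)
    for entry in parse_registry_pol(blob):
        print(entry)
```

Reading `\\domain\Sysvol\domain\Policies\{GUID}\Machine\Registry.pol` with `parse_registry_pol` and comparing the result against the expected entries is a simple way to confirm that the setting shown in the editor is the one the GPO actually ships, and the strict delimiter checks make a truncated or hand-edited file fail loudly instead of silently applying partial policy.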


Default Administrative Templates

  • Every Windows computer has default administrative templates.

  • These files are stored in the %Windir%\inf folder.

  • The default templates on your system determine the templates used and stored in a new GPO.

  • Turn Off Automatic Updates Of ADM Files forces comparison of local templates and stored templates to determine whether the stored templates should be updated.

  • Always Use Local ADM Files For Group Policy Editor forces use of local templates instead of templates stored in GPO.


Viewing Administrative Templates

  • You can edit a GPO and determine which .adm files are being used.

  • Right-click Administrative Templates, and then select Add/Remove Templates.


Using Resultant Set Of Policy for planning

  • Resultant Set Of Policy (RSoP) can be used for testing different scenarios.

  • You can model the effects of modifying policy settings, moving a user or computer and adding groups.

  • In the Resultant Set Of Policy snap-in, right-click Resultant Set Of Policy and select Generate RSoP Data.

  • Select Planning Mode.


Autoenrollment using Group Policy

  • Public Key Infrastructure (PKI) provides components for digital certificates.

  • Computers and users can use certificates for authentication and encryption.

  • Microsoft Certificate Services provide the necessary components for certificates.

  • A server designated as a certificate authority (CA) issues certificates.

  • A CA used for autoenrollment must be an enterprise root CA or an enterprise subordinate CA.

  • When you install enterprise CAs, autoenrollment policies are enabled automatically through the following:

    User Configuration\Windows Settings\Security Settings\Public Key Policies\Autoenrollment Settings

    Computer Configuration\Windows Settings\Security Settings\Public Key Policies\Autoenrollment Settings


Computer scripts using Group Policy

  • Computer scripts can run during startup or shutdown.

  • Use Startup or Shutdown under Computer Configuration\Windows Settings\Scripts.


User scripts using Group Policy

  • User scripts can run during logon or logoff.

  • Use Logon or Logoff under Computer Configuration\Windows Settings\Scripts.


Redirecting folders using Group Policy

  • Folder redirection allows you to redirect special folders to a central network location.

  • You can redirect Application Data, Desktop, My Documents, and My Pictures.

  • A copy of the user's current special folder is made in the designated location.

  • You can redirect based on security group membership if desired.

  • The network location to which you redirect folders must be configured as a shared folder.

  • Configure redirection using User Configuration\Windows Settings\Folder Redirection.


Start menu redirection

  • Start Menu redirection works differently from redirection of other folders.

  • Start Menu redirection does not copy the contents of a user's local Start Menu.

  • Instead, users are redirected to a previously created, standard Start Menu.


Understanding software deployment

  • Software deployed through Group Policy is referred to as managed software.

  • You can deploy software on a per-computer basis, a per-user basis, or both.

  • Per-computer applications are available to all users of a computer.

  • Per-user applications are available to individual users.

  • Non-Windows Installer files can only be installed on a per-user basis.


Using distribution points

  • Before you deploy software through policy, you should set up a distribution point.

  • A distribution point is a shared folder available to the computers/users for which you are deploying software.


Deploying software

  • Copy the installer package file and all required application files to the distribution point.

  • Perform an administrative installation to the distribution point using Setup /a.

  • Administrative installs can be patched and redeployed through Software Installation policy.

  • Create special GPOs that configure software installation, and then link these GPOs as appropriate.

  • Software can be deployed using computer assignment, user assignment, or user publishing.


Computer assignment

  • You can assign the software to client computers so it is installed when a client computer starts.

  • Requires no user intervention, but does require a restart to install software.

  • Installed software is available to all users on a computer.

  • Not available with non-Windows Installer files.


User assignment

  • You can assign the software to users so it is installed when a user logs on.

  • Requires no user intervention, but does require the user to log on to install or advertise software.

  • The software is associated with the user only.

  • Not available with non-Windows Installer files.


User publishing

  • You can publish the application so users can install it manually through Add Or Remove Programs.

  • Requires the user to explicitly install software or activate the install.

  • The software is associated with the user only.


Advertised software can be installed

  • When the user accesses a document that requires the software

  • When a user opens a shortcut to the application

  • When another application requires a component of the software


Updating deployed software

  • You can update deployed software using a patch or service pack.

  • You can update deployed software by deploying a new version of the application.


Deploying software

  • Use Windows Installer Packages (.msi) or ZAW Down-level Application Packages (.zap) files.

  • File permissions on these application installer packages must be set for Read access.

  • Software Installation policy is applied only during foreground processing of policy settings.

  • Per-computer application deployments are processed at startup.

  • Per-user application deployments are processed at logon.

  • You can customize installation using transform (.mst) files.

  • For per-computer deployment, use Computer Configuration\Software Settings\Software Installation.

  • For per-user software deployment, access User Configuration\Software Settings\Software Installation.


Applying patches and service packs for Windows Installer package

  • Copy updates to the folder containing the original .msi file. Overwrite any duplicate files as necessary.

  • Right-click the package you want to work with, select All Tasks, and then select Redeploy Application.


Applying patches and service packs for Non-Windows Installer package

  • Right-click the package, select All Tasks, and then select Remove.

  • Copy the updated .zap file and all related files to a network share, and then redeploy the application.


Upgrading previously deployed Software

  • Copy the upgrade package to the distribution share.

  • Create a package for upgrade in Group Policy.

  • Right-click the upgrade package, and then select Properties.

  • Click Add on the Upgrades tab.


Configuring Automatic Updates using Group Policy

  • Windows 2000 or later can use Automatic Updates to maintain the operating system.

  • Automatic Updates is for critical updates, security updates, update rollups, and service packs.

  • For per-computer, use Automatic Updates under Computer Configuration\Administrative Templates\Windows Components\Windows Update.

  • For per-user, use Automatic Updates under User Configuration\Administrative Templates\Windows Components\Windows Update.

  • Select the option 4 - Auto Download And Schedule For Install to fully automate.

  • Most Automatic Updates are installed only when the system is shut down and restarted.

  • Some Automatic Updates can be installed immediately if you enable Allow Automatic Updates Immediate Installation.

  • By default, only users with local administrator privileges receive update notification.

  • You can allow others to receive update notifications by enabling Allow Non-Administrators To Receive Update Notifications.


Troubleshooting the application of Group Policy

  • Use the Resultant Set of Policy snap-in in Logging Mode.

  • Use the Gpresult command-line utility.


Restoring the default GPOs

  • Use Dcgpofix to restore the default GPOs to their original, default state.

  • Only Domain Admins or Enterprise Admins can run Dcgpofix.

  • You lose changes made to these GPOs as a result of the restore process.


Refreshing Group Policy manually

  • Group Policy is refreshed automatically.

  • You can refresh Group Policy manually using Gpupdate.

  • Gpupdate replaces the SECEDIT /refreshpolicy tool provided in Windows 2000.


Troubleshooting GPOs and the Sysvol

  • Use Gpotool to troubleshoot GPOs and the Sysvol.

  • Check permissions on the Sysvol using the /checkacl option.




MCSE Core Required Exams in a Nutshell
MCSE Core Required Exams in a Nutshell: The required 70: 290, 291, 293 and 294 Exams (In a Nutshell (OReilly))
ISBN: 0596102283
Year: 2006
Pages: 95