What is the Difference Between Windows 2000 and Windows 2003

May 30, 2018

  • 8/9/2019 What is the Difference Between Windows 2000 and Windows 2003

    1/28

    What is the difference between Windows 2000 and Windows 2003

    2) Windows 2k - IIS 5 and Windows 2k3 - IIS 6
    3) Windows 2k - IE 5 and Windows 2k3 - IE 6
    4) Terminal services are enhanced in Win2k3
    5) Windows 2k doesn't have a 64-bit version
    6) DNS stub zones were introduced in Win2k3.
    7) Shadow copying was introduced.
    8) The schema version changed from ver. 13 to ver. 30.
    9) In Windows 2000 Server we can apply 620 group policies, but in 2003 we can apply nearly 720.
    10) In 2000 we cannot rename a domain, whereas in 2003 we can rename a domain.
    11) 2000 supports 8 processors and 64 GB RAM (in 2000 Advanced Server), whereas 2003 supports up to 64 processors and a maximum of 512 GB RAM.
    12) 2000 supports IIS 5.0 and 2003 supports IIS 6.0.
    13) 2000 doesn't support .NET, whereas 2003 supports Microsoft .NET 2.0.
    14) 2000 has Server and Advanced Server editions, whereas 2003 has Standard, Enterprise, Datacenter and Web Server editions.
    15) 2000 doesn't have any 64-bit server operating system, whereas 2003 has 64-bit server operating systems (Windows Server 2003 x64 Standard and Enterprise Edition).
    16) 2000 has a basic concept of DFS (Distributed File System) with defined roots, whereas 2003 has enhanced DFS support with multiple roots.
    17) In 2000 we can create 1 million users and in 2003 we can create 1 billion users.
    18) In 2003 we have the concept of the Volume Shadow Copy Service, which is used to create hard disk snapshots used in disaster recovery; 2000 doesn't have this service.

    Volume shadow copies, a new Windows Server 2003 feature, are used to create copies of files at a specific point in time, or at a set time interval. Shadow copies can only be created on NTFS volumes, to create automatic backups of files or data per volume. When enabled, the Shadow Copies feature protects you from accidentally losing important files in a network share. Remember that when users delete files over the network, those files are permanently deleted. Because shadow copies enable users to view previous versions of files, the feature allows them to restore a backup of deleted files.

    19) In 2000 we don't have end-user policy management, whereas in 2003 we have end-user policy management, which is done in the GPMC (Group Policy Management Console).
    20) In 2000 we have cross-domain trust relationships, and in 2003 we have cross-forest trust relationships.
    21) 2000 supports 4-node clustering and 2003 supports 8-node clustering.
    22) 2003 has a service called Windows SharePoint Services (it is an integrated portfolio of collaboration and communication services designed to connect people, information, processes, and systems both within and beyond the organizational firewall).
    23) 2003 has telnet sessions available.
    24) 2000 supports IPv4, whereas 2003 supports IPv4 and IPv6.

    25) In Windows 2003 Server there are 5 AD partitions, whereas in 2k there are 3.

    The added partitions are: 1) Global catalog 2) Application

    Schema Partition

    Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a forest. The schema partition contains definitions of all objects and attributes that you can create in the directory, and the rules for creating and manipulating them. Schema information is replicated to all domain controllers in the attribute definitions.

    Configuration Partition

    There is only one configuration partition per forest. Stored on all domain controllers in a forest, the configuration partition contains information about the forest-wide Active Directory structure, including what domains and sites exist, which domain controllers exist in each forest, and which services are available. Configuration information is replicated to all domain controllers in a forest.

    Domain Partition


    Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given domain. A domain partition contains information about users, groups, computers and organizational units.

    The domain partition is replicated to all domain controllers of that domain. All objects in every domain partition in a forest are stored in the global catalog with only a subset of their attribute values.

    Application Partition

    Application partitions store information about applications in Active Directory. Each application determines how it stores, categorizes, and uses application-specific information. To prevent unnecessary replication of specific application partitions, you can designate which domain controllers in a forest host specific application partitions. Unlike a domain partition, an application partition cannot store security principal objects, such as user accounts. In addition, the data in an application partition is not stored in the global catalog.

    26) In 2k the domain operation roles have only two modes of operation, and in Win2k3 there are 4 modes of domain operation [Native mode, Mixed mode, Interim mode and Windows 2003 mode].
    27) In 2k3 there is a stub zone, but in 2k there is not.
    28) Cross trusts & shortcut trusts are available only in 2k3.
    29) The group replication problem was there in 2k, but it is removed from 2k3.
    30) In 2k you have to create the trust between parent & child, but in 2k3 the trust between parent & child is automatic.

    Global Catalog

    The Global Catalog server is the domain controller that stores a full copy of all objects in its host domain. It also stores a partial copy of all objects in all other domains within the forest. The partial copy holds the list of objects most frequently searched for. The first domain controller that is created in the first domain in a forest is by default the Global Catalog server. If a domain only has one domain controller, that particular domain controller and the GC server are the same server. If you add an additional domain controller to the domain, you can configure that domain controller as the GC server. You can also assign additional domain controllers to serve as GC servers for a domain. This is usually done to improve response time for user logon requests and search requests.

    In order for Global Catalog servers to store a full copy of all objects in its host domain, and a partial copy of all objects in all other domains within the forest, GC replication has to occur between those domain controllers that are configured as GC servers. GC replication does not occur between domain controllers that are not GC servers.

    The functions of the GC server are discussed in the following section. The functions performed by the GC server can be summarized as follows:

    - GC servers are crucial for Active Directory's UPN functionality because they resolve user principal names (UPNs) when the domain controller handling the authentication request is unable to authenticate the user account because the user account actually exists in another domain. The authenticating domain controller would have no knowledge of the particular user account. The GC server in this case assists in locating the user account so that the authenticating domain controller can proceed with the logon request for the user.

    - The GC server deals with all search requests of users searching for information in Active Directory. It can find all Active Directory data irrespective of the domain in which the data is held. The GC server deals with requests for the entire forest.

    - The GC also makes it possible for users to provide Universal Group membership information to the domain controller for network logon requests.

    Active Directory Objects

    Domain, Organizational Unit, User, Computer, Contact, Group, Shared Folder and Shared Printer

    Active Directory Components

    Domains, organizational units (OUs), domain trees and forests are considered logical structures. Sites and domain controllers are considered physical structures.


    - Domains are the main logical structure in Active Directory because they contain Active Directory objects. Network objects such as users, printers, shared resources, and more, are all stored in domains. Domains are also security boundaries. Access to objects in the domain is controlled by access control lists (ACLs). You can use the domain functional level to enable additional Active Directory features. You do this by raising the domain functional level of the domain controllers within the domain. In Windows 2000, the domain mode concept was used and not the domain functional level.

      The domain functional levels that can be specified are Windows 2000 Mixed, Windows 2000 Native, Windows Server 2003 Interim and Windows Server 2003.

    - Organizational Unit (OU): An OU is a container that enables you to organize objects such as users, computers and even other OUs in a domain to form a logical administrative group. An OU is the smallest Active Directory component to which you can delegate administrative authority. A domain can have its own unique OU hierarchy.

    - Domain Trees: When you group multiple domains into a hierarchical structure by adding child domains to a parent domain, you are basically forming a domain tree. Domains are regarded as being part of the same domain tree when they have a contiguous naming structure. A two-way transitive trust relationship is automatically created between the parent domain and child domains when you create the child domain.

    - Forests: A forest is the grouping of multiple domain trees into a hierarchical structure. Domain trees in a forest have a common schema, configuration, and global catalog. Domains within the forest are linked by two-way transitive trust. Through the forest functional level, you can enable additional forest-wide Active Directory features. The forest functional levels that can be set are Windows 2000, Windows Server 2003 Interim, and Windows Server 2003.

    - Sites: In Active Directory, sites are formed through the grouping of multiple subnets. Sites are typically defined as locations in which network access is highly reliable, fast and not very expensive.

    - Domain Controllers (DCs): A domain controller is a server that stores a writable copy of Active Directory. Domain controllers maintain the Active Directory data store. Certain master roles can be assigned to domain controllers within a domain and forest. Domain controllers that are assigned special master roles are called Operations Masters. These domain controllers host a master copy of particular data in Active Directory. They also copy data to the remainder of the domain controllers. There are five different types of master roles that can be defined for domain controllers. Two types of master roles, forest-wide master roles, are assigned to one domain controller in a forest. The other three master roles, domain-wide master roles, are applied to a domain controller in every domain.

      - The Schema Master is a forest-wide master role applied to a domain controller that manages all changes in the Active Directory schema.

      - The Domain Naming Master is a forest-wide master role applied to a domain controller that manages changes to the forest, such as adding and removing a domain. The domain controller serving this role also manages changes to the domain namespace.

      - The Relative ID (RID) Master is a domain-wide master role applied to a domain controller that creates unique ID numbers for domain controllers and manages the allocation of these numbers.

      - The PDC Emulator is a domain-wide master role applied to a domain controller that operates like a Windows NT primary domain controller. This role is typically necessary when there are computers in your environment running pre-Windows 2000 and XP operating systems.

      - The Infrastructure Master is a domain-wide master role applied to a domain controller that manages changes made to group memberships.
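To see how the partitions described earlier and the five operations master roles above appear in a live directory, here is an added PowerShell example (not from the original document). It assumes a domain-joined Windows host with PowerShell 3 or later and read access to Active Directory and uses only ADSI; the crossRef systemFlags bits and the fSMORoleOwner locations are assumptions taken from the Active Directory schema, not from this page.

```powershell
# Added example, not from the original document. Assumes a domain-joined Windows host
# with PowerShell 3+ and read access to Active Directory; uses only ADSI.
$rootDse  = [ADSI]"LDAP://RootDSE"
$schemaNc = [string]$rootDse.Properties["schemaNamingContext"][0]
$configNc = [string]$rootDse.Properties["configurationNamingContext"][0]
$domainNc = [string]$rootDse.Properties["defaultNamingContext"][0]

# Part 1: classify every partition in the forest from the crossRef objects in the
# Partitions container. systemFlags bits (assumed from the AD schema, not from the page):
#   0x1 = naming context, 0x2 = domain partition, 0x4 = not replicated to the global catalog.
function Get-ForestPartition {
    $container = [ADSI]"LDAP://CN=Partitions,$configNc"
    $searcher  = New-Object System.DirectoryServices.DirectorySearcher($container, "(objectClass=crossRef)")
    $searcher.SearchScope = "OneLevel"
    [void]$searcher.PropertiesToLoad.AddRange(@("nCName", "systemFlags", "dnsRoot"))
    foreach ($result in $searcher.FindAll()) {
        $ncName = [string]$result.Properties["ncname"][0]
        $flags  = 0
        if ($result.Properties["systemflags"].Count -gt 0) { $flags = [int]$result.Properties["systemflags"][0] }

        $kind = "External crossRef (not an AD partition)"
        if ($flags -band 0x1) { $kind = "Application" }
        if ($flags -band 0x2) { $kind = "Domain" }
        if ($ncName -eq $schemaNc) { $kind = "Schema" }
        if ($ncName -eq $configNc) { $kind = "Configuration" }

        # Application partitions carry the 0x4 bit: their data never reaches the GC.
        [PSCustomObject]@{
            Partition      = $ncName
            Kind           = $kind
            DnsRoot        = [string]$result.Properties["dnsroot"][0]
            ReplicatedToGc = -not ($flags -band 0x4)
        }
    }
}

# Part 2: the five operations master roles. Each holder is recorded in the fSMORoleOwner
# attribute of one specific object, as the DN of the holder's NTDS Settings object:
#   CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,<configNc>
function Get-OperationsMaster {
    $roleObjects = [ordered]@{
        "Schema Master"         = $schemaNc
        "Domain Naming Master"  = "CN=Partitions,$configNc"
        "RID Master"            = "CN=RID Manager`$,CN=System,$domainNc"
        "PDC Emulator"          = $domainNc
        "Infrastructure Master" = "CN=Infrastructure,$domainNc"
    }
    foreach ($role in $roleObjects.Keys) {
        $holder = [ADSI]"LDAP://$($roleObjects[$role])"
        $owner  = [string]$holder.Properties["fSMORoleOwner"][0]
        # A plain split is enough here: server and site RDNs do not contain escaped commas.
        $rdns   = $owner -split ","
        $scope  = "domain-wide"
        if (@("Schema Master", "Domain Naming Master") -contains $role) { $scope = "forest-wide" }
        [PSCustomObject]@{
            Role   = $role
            Scope  = $scope
            Server = $rdns[1] -replace "^CN=", ""
            Site   = $rdns[3] -replace "^CN=", ""
        }
    }
}

# An unexpected role holder or an unfamiliar partition is worth investigating: both are
# forest-wide changes that only a small set of administrators should ever make.
Get-ForestPartition  | Format-Table -AutoSize
Get-OperationsMaster | Format-Table -AutoSize
```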

    Active Directory Schema

    The Active Directory schema defines what types of objects can be stored in Active Directory. It also defines what the attributes of these objects are. The schema is defined by the following two types of schema objects or metadata:

    - Schema class objects, also known as schema classes: Define the objects that can be created and stored in Active Directory. The schema attributes store information on the schema class object when you create a new class. A schema class is therefore merely a set of schema attribute objects.

    - Schema attribute objects, also known as schema attributes: Schema attributes provide information on object classes. The attributes of an object are also called the object's properties.

    Although Active Directory includes a large number of object classes, you can create additional object classes if necessary. These additions are known as extensions to the schema. Extensions can only be performed on the domain controller acting in the Schema Master role.


    The object classes that can be used on access control lists (ACLs) to protect security objects are User, Computer, and Group. These object classes are called security principals. A security principal has a Security Identifier (SID) which is a unique number. A security principal's SID consists of the security principal's domain and a Relative ID (RID). The RID is a unique suffix.

    A few other concepts associated with the Active Directory schema are:

    - Class Derivations: Set a way for forming new object classes using existing object classes.
    - Schema Rules: The Active Directory directory service implements a set of rules into the Active Directory schema that control the manner in which classes and attributes are utilized, and what values classes and attributes can include. Schema rules are organized into Structure Rules, Syntax Rules, and Content Rules.
    - Structure Rules: The structure rule in Active Directory is that an object class can have only specific classes directly on top of it. These specific classes are called Possible Superiors. Structure rules prevent you from placing an object class in an inappropriate container.
    - Syntax Rules: These rules define the types of values and ranges allowed for attributes.
    - Content Rules: dictate what attributes can be associated with a particular class.

    Global Catalog

    The global catalog is a central information store on the objects in a forest and domain, and is used to improve performance when searching for objects in Active Directory. The first domain controller installed in a domain is designated as the global catalog server by default. The global catalog server stores a full replica of all objects in its host domain, and a partial replica of objects for the remainder of the domains in the forest. The partial replica contains those objects which are frequently searched for. It is generally recommended to configure a global catalog server for each site in a domain. You can use the Active Directory Sites and Services console to set up additional global catalog servers.

    Group Policies and Active Directory

    Active Directory enables you to perform policy-based administration through Group Policy. Through group policies, you can deploy applications and configure scripts to execute at startup, shutdown, logon, or logoff. You can also implement password security, control certain desktop settings, and redirect folders. When you create new group policies in Active Directory, the policy is stored as Group Policy Objects (GPOs). In Active Directory, you can apply a GPO to a domain, site or Organizational Unit.

    Active Directory Object Naming Schemes

    Each object in the Active Directory data store must have a unique name. Active Directory supports a number of object naming schemes for naming objects:

    - Distinguished name (DN): Each object has a DN. The DN uniquely identifies a particular object and uniquely identifies where the object is stored. The components that make up the DN of an object are:
      - CN - common name
      - OU - organizational unit
      - DC - domain component

    - A canonical name is merely a different manner of depicting the object's DN in a method that is simpler to interpret.

    - Relative distinguished name (RDN): The RDN identifies a particular object within a parent container or OU.

    - Globally unique identifier (GUID): A GUID is a unique hexadecimal number that is assigned to an object at the time that the object is created. The GUID of an object never changes.

    - User principal name (UPN): The UPN is made up of the user account name of the user, and a domain name that identifies the domain that contains the user account.
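As an added example (not from the original document) of the naming schemes above, the PowerShell functions below split a DN into its RDN, parent container, DNS domain name and canonical name; they go beyond the page in also handling RFC 4514 escaped commas. The function names are assumptions and the sample DNs are constructed.

```powershell
# Added example, not from the original document. Function names are assumptions; the
# sample DNs at the bottom are constructed.

function Split-DistinguishedName {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    # Split on commas that are not escaped with a backslash (RFC 4514), so that a
    # value such as "Doe\, Jane" stays one component.
    $components = @()
    $current = ""
    $escaped = $false
    foreach ($ch in $DistinguishedName.ToCharArray()) {
        if ($escaped)    { $current += $ch; $escaped = $false; continue }
        if ($ch -eq '\') { $current += $ch; $escaped = $true;  continue }
        if ($ch -eq ',') { $components += $current.Trim(); $current = ""; continue }
        $current += $ch
    }
    if ($current.Trim() -ne "") { $components += $current.Trim() }

    foreach ($component in $components) {
        $type, $value = $component -split "=", 2
        [PSCustomObject]@{
            Type  = $type.Trim().ToUpper()             # CN, OU or DC
            Value = ($value -replace '\\(.)', '$1')    # drop the escaping backslashes
            Raw   = $component                         # as written, escapes intact
        }
    }
}

function Get-ObjectNames {
    param([Parameter(Mandatory = $true)][string]$DistinguishedName)
    $parts = @(Split-DistinguishedName $DistinguishedName)

    # DC components, read left to right, form the DNS name of the domain.
    $dcValues   = @($parts | Where-Object { $_.Type -eq "DC" } | ForEach-Object { $_.Value })
    # The remaining components, reversed, give the container path from the domain down.
    $pathValues = @($parts | Where-Object { $_.Type -ne "DC" } | ForEach-Object { $_.Value })
    [array]::Reverse($pathValues)

    # The RDN is the first component; everything after it is the parent container's DN.
    $parent = ""
    if ($parts.Count -gt 1) {
        $parent = ($parts[1..($parts.Count - 1)] | ForEach-Object { $_.Raw }) -join ","
    }

    [PSCustomObject]@{
        DistinguishedName = $DistinguishedName
        RDN               = $parts[0].Raw
        ParentContainer   = $parent
        DomainDnsName     = ($dcValues -join ".")
        CanonicalName     = ((@($dcValues -join ".") + $pathValues) -join "/")
    }
}

# Constructed sample DNs (not real objects).
$sampleDns = @(
    "CN=Doe\, Jane,OU=Sales,OU=Corp,DC=example,DC=com",
    "CN=DC01,OU=Domain Controllers,DC=example,DC=com",
    "DC=example,DC=com"
)
$sampleDns | ForEach-Object { Get-ObjectNames $_ } | Format-List
```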

    Active Directory Replication

    In Active Directory, replication ensures that any changes made to a domain controller within a domain are replicated to all the other domain controllers in the domain. Active Directory utilizes multimaster replication to


    replicate changes in the Active Directory data store to the domain controllers. With multimaster replication, domains are considered peers to one another.

    With Windows Server 2003, the Knowledge Consistency Checker (KCC) is used to create a replication topology of the forest, to ensure that the changes are replicated efficiently to the domain controllers. A replication topology reflects the physical connections utilized by domain controllers to replicate the Active Directory directory to domain controllers in a site, or in different sites. Intra-site replication occurs when the Active Directory directory is replicated within a site. When replication occurs between sites, it is known as inter-site replication. Since the bandwidth between sites is typically low, information on site link objects is utilized to identify the most favourable link that should be used for moving replication data between sites in Active Directory.

    Active Directory Trust Relationships

    In Active Directory, when two domains trust each other or a trust relationship exists between the domains, the users and computers in one domain can access resources residing in the other domain. The trust relationships supported in Windows Server 2003 are summarized below:

    - Parent/Child trust: A parent/child trust relationship exists between two domains in Active Directory that have a common contiguous DNS namespace, and which belong to the identical forest. This trust relationship is established when a child domain is created in a domain tree.

    - Tree Root trust: A tree root trust relationship can be configured between root domains in the same forest. The root domains do not have a common DNS namespace. This trust relationship is established when a new tree root domain is added to a forest.

    - Shortcut trust: This trust relationship can be configured between two domains in different domain trees but within the same forest. Shortcut trust is typically utilized to improve user logon times.

    - External trust: External trust relationships are created between an Active Directory domain and a Windows NT4 domain.

    - Realm trust: A realm trust relationship exists between an Active Directory domain and a non-Windows Kerberos realm.

    - Forest trust: Forest trust can be created between two Active Directory forests.

    An Overview of Domain and Forest Functional Levels

    Domain and forest functional levels provide the means by which you can enable additional domain-wide and forest-wide Active Directory features, remove outdated backward compatibility within your environment, and improve Active Directory performance and security. In Windows 2000, the terminology used to refer to domain functional levels was domain modes. Forests in Windows 2000 have one mode and domains can have the domain mode set as either mixed mode or native mode. With Windows Server 2003 Active Directory came the introduction of the Windows Server 2003 interim functional level and Windows Server 2003 functional level for both domains and forests. The four domain functional levels that can be set for domain controllers are Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. The default domain functional level is Windows 2000 mixed. The three forest functional levels are Windows 2000, Windows Server 2003 interim, and Windows Server 2003. The default forest functional level is Windows 2000.

    When the Windows Server 2003 functional level is enabled in your environment, additional Active Directory domain-wide and forest-wide features are automatically enabled. Windows Server 2003 functional level is enabled in your environment when all domain controllers are running Windows Server 2003. The Active Directory Domains And Trusts console is used to raise the functional levels of domains and forests in Active Directory.

    Domain Functional Levels

    When raising the domain functional level from Windows 2000 mixed to Windows 2000 native or the Windows Server 2003 functional level, domain controllers are regarded as peers to each other. What this essentially means is that the domain master concept no longer exists. It also means that pre-Windows 2000 replication no longer exists. If you are considering raising the domain functional level within your environment to Windows Server 2003, you should remember that after the domain functional level is raised, you cannot add any Windows 2000 server to the particular domain.


    Windows 2000 Mixed Domain Functional Level

    Any newly installed domain controller operates in Windows 2000 mixed domain functional level for the domain by default. This makes the Windows 2000 mixed domain functional level the default functional level for all Windows Server 2003 domains. Windows 2000 mixed domain functional level enables the Windows Server 2003 domain controller to operate together with Windows NT 4, Windows 2000, and Windows Server 2003 domain controllers. The only Windows NT domain controllers supported are Windows NT backup domain controllers (BDCs). Windows NT primary domain controllers do not exist in Active Directory. In Active Directory, domain controllers act as peers to one another. Windows 2000 mixed domain functional level is usually used to migrate domain controllers from Windows NT to Windows 2000 domain controllers.

    You can raise Windows 2000 mixed domain functional level to

    - Windows 2000 native domain functional level
    - Windows Server 2003 domain functional level

    The Active Directory domain features that are available in Windows 2000 mixed domain functional level are listed below:

    - Local and Global groups
    - Distribution Groups
    - Distribution Group nesting
    - Global Catalog support
    - Up to 40,000 domain objects are supported

    The Active Directory domain features that are not supported in Windows 2000 mixed domain functional level are listed below:

    - Renaming domain controllers
    - Universal Groups
    - Security group nesting
    - SID History
    - Update logon timestamp
    - Group conversion between Security Groups and Distribution Groups
    - Users/Computers container redirection
    - Constrained delegation
    - User password support on the InetOrgPerson object

    Windows 2000 Native Domain Functional Level

    The Windows 2000 native domain functional level enables Windows Server 2003 domain controllers to operate with Windows 2000 domain controllers and Windows Server 2003 domain controllers. This domain functional level is typically used to support domain controller upgrades from Windows 2000 to Windows Server 2003. Windows NT 4.0 backup domain controllers are not supported in the Windows 2000 native domain functional level. Windows 2000 native cannot be lowered again to the Windows 2000 mixed domain functional level.

    You can raise the Windows 2000 native domain functional level to

    - Windows Server 2003 domain functional level.

    The Active Directory domain features that are available in Windows 2000 native domain functional level are listed below:

    - Local and Global groups
    - Distribution Groups
    - Distribution group nesting
    - Security group nesting
    - Universal Groups
    - Group conversion between Security Groups and Distribution Groups


    - Global Catalog support
    - SID History
    - Up to 1,000,000 domain objects are supported

    The Active Directory domain features that are not supported in Windows 2000 native domain functional level are listed below:

    - Renaming domain controllers
    - Update logon timestamp
    - Users/Computers container redirection
    - Constrained delegation
    - User password support on the InetOrgPerson object

    Windows Server 2003 Interim Domain Functional Level

    Windows Server 2003 interim domain functional level enables domain controllers running Windows Server 2003 to function in a domain containing both Windows NT 4.0 domain controllers and Windows Server 2003 domain controllers. Domain controllers running Windows 2000 are not supported in this domain functional level. You can only set this domain functional level when upgrading from Windows NT to Windows Server 2003. In fact, the Windows Server 2003 interim domain functional level can only be raised to Windows Server 2003 domain functional level. Windows Server 2003 interim domain functional level is also typically used when you are not going to immediately upgrade your Windows NT 4.0 backup domain controllers to Windows Server 2003, and when your existing Windows NT domain has groups consisting of over 5,000 members.

    The Active Directory domain features that are available in Windows Server 2003 interim domain functional level are listed below:

    - Local and Global groups
    - Distribution groups
    - Distribution group nesting
    - Global Catalog support
    - Up to 40,000 domain objects are supported

    The Active Directory domain features that are not supported in Windows Server 2003 interim domain functional level are listed below:

    - Renaming domain controllers
    - Universal Groups
    - Security group nesting
    - SID History
    - Update logon timestamp
    - Group conversion between Security Groups and Distribution Groups
    - Users/Computers container redirection
    - Constrained delegation
    - User password support on the InetOrgPerson object

    Windows Server 2003 Domain Functional Level

    Windows Server 2003 domain functional level is the highest level that can be specified for a domain. All domain controllers in the domain are running Windows Server 2003. This basically means that Windows NT 4 and Windows 2000 domain controllers are not supported in these domains. Once the domain level is set as Windows Server 2003 domain functional level, it cannot be lowered to any of the previous domain functional levels.

    All Active Directory domain features are available in Windows Server 2003 domain functional level:

    - Local and Global groups
    - Distribution Groups
    - Distribution group nesting


    - Security group nesting
    - Universal Groups
    - Group conversion between Security Groups and Distribution Groups
    - Global Catalog support
    - SID History
    - Up to 1,000,000 domain objects are supported
    - Renaming domain controllers
    - Update logon timestamp
    - Users/Computers container redirection
    - Constrained delegation
    - User password support on the InetOrgPerson object

    How to check which domain function level is set for the domain

    1. Open the Active Directory Domains And Trusts console
    2. Right-click the particular domain whose functional level you want to verify, and select Raise Domain Functional Level from the shortcut menu.
    3. The Raise Domain Functional Level dialog box opens
    4. You can view the existing domain functional level for the domain in Current domain functional level.

    How to raise the domain functional level to the Windows 2000 native domain functional level or Windows Server 2003 domain functional level

    Before you can raise the domain functional level to Windows Server 2003 domain functional level, each domain controller in the domain has to be running Windows Server 2003.

    To raise the domain functional level for a domain,

    1. Open the Active Directory Domains And Trusts console
    2. Right-click the particular domain whose functional level you want to raise, and select Raise Domain Functional Level from the shortcut menu.
    3. The Raise Domain Functional Level dialog box opens.
    4. Use the Select An Available Domain Functional Level list to choose the domain functional level for the domain.
    5. Click Raise
    6. Click OK

    Forest Functional Levels

    While Windows 2000 has only one forest functional level, Windows Server 2003 has three forest functional levels. Through the forest functional levels, you can enable forest-wide Active Directory features in your Active Directory environment. The forest functional levels are actually very much like the domain functional levels.

    Windows 2000 Forest Functional Level

    This is the default forest functional level, which means that all newly created Windows Server 2003 forests have this level when initially created. The Windows 2000 forest functional level supports Windows NT 4, Windows 2000 and Windows Server 2003 domain controllers.

    The Active Directory forest features that are available in Windows 2000 forest functional level are listed below:

    - Universal Group caching
    - Application directory partitions
    - Global Catalog replication enhancements
    - Installations from backups
    - The Active Directory quota feature
    - SIS for system access control lists (SACL)

    The Active Directory forest features that are not supported in Windows 2000 forest functional level are listed below:


    - Domain renaming
    - Forest Trust
    - Defunct schema objects
    - Linked value replication
    - Dynamic auxiliary classes
    - Improved Knowledge Consistency Checker (KCC) replication algorithms
    - Application groups
    - InetOrgPerson objectClass
    - NTDS.DIT size reduction

    Windows Server 2003 Interim Forest Functional Level

    Domain controllers in a domain running Windows NT 4 and Windows Server 2003 are supported in the Windows Server 2003 interim forest functional level. This level is used when upgrading from Windows NT 4 to Windows Server 2003. The functional level is also configured when you are not planning to immediately upgrade your existing Windows NT 4 backup domain controllers, or your existing Windows NT 4.0 domain has groups consisting of over 5,000 members. No Windows 2000 domain controllers can exist if the Windows Server 2003 interim forest functional level is set for the forest. The Windows Server 2003 interim forest functional level can only be raised to the Windows Server 2003 forest functional level.

    The Active Directory forest-wide features that are available in Windows Server 2003 interim forest functional level are listed below:

    - Universal Group caching
    - Application directory partitions
    - Global Catalog replication enhancements
    - Installations from backups
    - The Active Directory quota feature
    - SIS for system access control lists (SACL)
    - Improved Knowledge Consistency Checker (KCC) replication algorithms
    - Linked value replication

    The Active Directory forest features that are not supported in Windows Server 2003 interim forest functional level are listed below:

    - Domain renaming
    - Forest Trust
    - Defunct schema objects
    - Dynamic auxiliary classes
    - Application groups
    - InetOrgPerson objectClass
    - NTDS.DIT size reduction

    Windows Server 2003 Forest Functional Level

    All domain controllers in the forest have to be running Windows Server 2003 in order for the forest functional level to be raised to the Windows Server 2003 forest functional level. What this means is that no domain controllers in the Active Directory forest can be running Windows NT 4 or Windows 2000. In the Windows Server 2003 forest functional level, all forest-wide Active Directory features are available, including the following:

    - Domain renaming
    - Forest Trust
    - Defunct schema objects
    - Dynamic auxiliary classes
    - Application groups
    - Universal Group caching
    - Application directory partitions
    - Global Catalog replication enhancements
    - Installations from backups
    - The Active Directory quota feature
    - SIS for system access control lists (SACL)
    - Improved Knowledge Consistency Checker (KCC) replication algorithms
    - Linked value replication
    - InetOrgPerson objectClass
    - NTDS.DIT size reduction

    What are trust relationships

    In the Windows NT domain model, domains had to be bound together through trust relationships, simply because the SAM databases used in those domains could not be joined. What this meant was that where a domain trusted another Windows NT domain, the members of the domain could access network resources located in the other domain. Defining trust relationships between domains eliminates the need for an Administrator to configure user accounts in multiple domains.

    In a trust relationship, the two domains are referred to as the trusting domain and the trusted domain. The trusted domain is the domain where the trust relationship is created. The trusting domain is the other domain specified in the trust, that is, the one wherein network resources can be accessed. The trusting domain in this case recognizes the logon authentications of the trusted domain. The logon trust relationship is supported by the NT LanMan Challenge Response. This allows pass-through authentication of users from the trusted domain. One of the shortfalls of Windows NT trust relationships is that trusts between domains were one-way and nontransitive. This meant that the defined trust relationship ended with the two domains between which the particular trust was created. The rights implicit in the trust relationship also flowed only in one single direction. Because of this, defining and managing trust relationships in the Windows NT domain structure was a cumbersome and labour intensive task. The Windows NT domain worked well in small enterprises where one domain typically existed in the enterprise. In those larger enterprises that have multiple domains, Administrators have to define trust relationships between the domains in order for a user in one domain to access resources in another domain.

    In Windows 2000 and Windows 2003, Active Directory is built on the concept of trust relationships between domains. Although the actual concept of trust relationships is not new in Windows Server 2003, there are new trust capabilities and trust types available for Windows Server 2003 Active Directory domains.

    In Windows Server 2003, authentication of users or applications occurs through the use of one of the following trust protocols:

    - NT LAN Manager (NTLM) protocol: This protocol is used when one of the computers in the trust relationship does not support the Kerberos version 5 protocol.
    - Kerberos version 5 protocol: This is the default trust protocol used when the computers in the trust relationship are running Windows Server 2003.

    The characteristics of Windows Server 2003 trusts are outlined below:

    - Trusts can be nontransitive or transitive:
      o Transitive trusts: With transitive trusts, trust is applicable for each trusted domain. What this means is that where Domain1 trusts Domain2, and Domain2 trusts Domain3, Domain1 would also trust Domain3.
      o Nontransitive trust: The defined trust relationship ends with the two domains between which the particular trust is created.
    - Trusts can be one-way or two-way trusts:
      o One-way trusts: Based on the direction of the trust, one-way trust can further be broken into either incoming trust or outgoing trust. One-way trust can be transitive or nontransitive:
          - Incoming Trust: With incoming trust, the trust is created in the trusted domain, and users in the trusted domain are able to access network resources in the trusting domain or other domain. Users in the other domain cannot, however, access network resources in the trusted domain.
          - Outgoing Trust: In this case, users in the other domain are able to access network resources in the initiating domain. Users in the initiating domain are not able to access any resources in the other domain.
      o Two-way trusts: A two-way trust relationship means that where Domain1 trusts Domain2, then Domain2 trusts Domain1. The trust basically works both ways, and users in each domain are able to access network resources in either one of the domains. A two-way, transitive trust relationship is the trust that exists between parent domains and child domains in a domain tree. In two-way transitive trust, where Domain1 trusts Domain2 and Domain2 trusts Domain3, then Domain1 would trust Domain3 and Domain3 would trust Domain1. Two-way, transitive trust is the default trust relationship between domains in a tree. It is automatically created and exists between top-level domains in a forest.
    - Trusts can be implicit or explicit trusts:
      o Implicit: Automatically created trust relationships are called implicit trust. An example of implicit trust is the two-way, transitive trust relationship that Active Directory creates between a parent and a child domain.
      o Explicit: Manually created trust relationships are referred to as explicit trust.

    Types of Active Directory Trust Relationships

    The types of trust relationships that can be created and configured for Active Directory domains are discussed in this section. As an Administrator for Active Directory Windows Server 2003 domains, it is important to understand the different types of trust that are supported in Windows Server 2003, and to know which trust relationship to create for the different network resource access requirements that exist within your organization.

    - Tree-root trust: Tree-root trust is automatically/implicitly created when a new tree root domain is added to a forest. The trust relationship exists between two root domains within the same forest. For instance, if you have an existing forest root domain, and you add a new tree root domain to the same forest, tree-root trust is formed between the new tree root domain and the existing forest root domain. Tree-root trust is transitive and two-way.
    - Parent-child trust: Parent-child trust is implicitly established when new child domains are added to a domain tree. Parent-child trust is a two-way, transitive trust relationship. Active Directory automatically creates a trust relationship between the new child domain and the domain directly above it in the domain namespace hierarchy. What this means is that the trust relationship exists between those domains that have a common contiguous DNS namespace and are part of the same forest. Parent-child trust enables authentication requests of child domains to be passed through the parent domain for authentication. In addition, when a new domain is added to the tree, trust relationships are created with each domain in the tree. This means that network resources in the individual domains of the tree can be accessed by all other domains in the tree.
    - Shortcut trust: Shortcut trust is explicitly created by an Administrator, and can be defined to be either one-way transitive trust or two-way transitive trust. Shortcut trust is usually created when you want to speed up, or enhance, authentication performance between two domains in different trees but within the same forest. One-way shortcut trust should be created when users in Domain1 need to access Active Directory objects in Domain2 but users in Domain2 do not need to access objects in Domain1. Two-way shortcut trust should be created when users in each domain need to access objects in the other domain.
    - Realm trust: Realm trust is explicitly created by an Administrator, and can be defined as either transitive trust or nontransitive trust, and can also be either one-way trust or two-way trust. Realm trust enables you to create a trust relationship between a Windows Server 2003 Active Directory domain and a non-Windows Kerberos version 5 realm. Realm trust therefore facilitates interoperability between a Windows Server 2003 domain and a realm used in Kerberos version 5 implementations.
    - External trust: External trust is explicitly defined by an Administrator to enable trust between domains that are located in different forests, and to create trust between an Active Directory domain and a down-level Windows NT 4 domain. External trust is always nontransitive but can be either one-way or two-way. External trust is usually only created in Windows Server 2003 Active Directory environments when users need to access network resources in a domain that resides in a different forest, and forest trust cannot be created between the two domains. When external trust is created between an Active Directory domain and a down-level Windows NT 4 domain, it is a one-way, nontransitive trust relationship.
    - Forest trust: Forest trust is explicitly created by an Administrator to enable trust between two Active Directory forests. Forest trust is transitive in nature, and can be either one-way or two-way. Forest trust is only available in Windows Server 2003. Before you can create forest trust between two forests, each domain in the particular forests, and each forest, has to be raised to, and running at, the Windows Server 2003 functional level. Because forest trust is created between the two root domains of two forests, it can create two-way trusts with each domain within the two forests. This basically means that users would be able to access Active Directory objects between all domains encompassed by the particular forest trust relationship.
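The direction and transitivity rules above decide which domains' users can reach a resource. The following Python model is an added example (not code from the page): it walks a small constructed trust graph and answers, for a given resource domain, which domains' users can authenticate to it. A direct trust always counts; a multi-hop path counts only if every hop is transitive, which is exactly why a nontransitive external trust "ends with the two domains between which it is created". Domain names (corp.example, sales.corp.example, eng.example, PARTNER) are constructed. The model treats every transitive trust alike and ignores SID filtering, so it is a reasoning aid for auditing trust paths, not a replacement for inspecting the real trust configuration.

```python
from collections import deque

# A Trust edge records that users from `trusted` may authenticate to
# resources in `trusting`. Two-way trusts are stored as two edges.
class Trust:
    def __init__(self, trusting, trusted, transitive):
        self.trusting = trusting
        self.trusted = trusted
        self.transitive = transitive


def add_trust(trusts, domain_a, domain_b, transitive=True, two_way=True):
    """Record that domain_a trusts domain_b (and the reverse when two_way)."""
    trusts.append(Trust(domain_a, domain_b, transitive))
    if two_way:
        trusts.append(Trust(domain_b, domain_a, transitive))


def domains_that_can_reach(trusts, resource_domain):
    """Domains whose users can reach resources in resource_domain.

    A direct trust counts whether or not it is transitive. A path of two or
    more hops counts only when every hop is transitive, because a
    nontransitive trust does not extend beyond its two endpoint domains.
    """
    # Single hop: every domain the resource domain trusts directly.
    reachable = {t.trusted for t in trusts if t.trusting == resource_domain}
    # Multi hop: breadth-first walk that follows transitive trusts only.
    seen = {resource_domain}
    queue = deque([resource_domain])
    while queue:
        current = queue.popleft()
        for t in trusts:
            if t.trusting == current and t.transitive and t.trusted not in seen:
                seen.add(t.trusted)
                queue.append(t.trusted)
    reachable |= seen
    return reachable


def can_access(trusts, user_domain, resource_domain):
    """True if a user from user_domain can reach resources in resource_domain."""
    return user_domain in domains_that_can_reach(trusts, resource_domain)


def build_sample_forest():
    """Constructed example: one forest with two trees plus a one-way external trust."""
    trusts = []
    # Parent-child trust: two-way, transitive, created automatically.
    add_trust(trusts, "corp.example", "sales.corp.example")
    # Tree-root trust between the forest root and a second tree: two-way, transitive.
    add_trust(trusts, "corp.example", "eng.example")
    # External trust to a down-level NT 4 domain: one-way and nontransitive.
    # corp.example trusts PARTNER, so PARTNER users may reach corp.example only.
    add_trust(trusts, "corp.example", "PARTNER", transitive=False, two_way=False)
    return trusts


if __name__ == "__main__":
    forest = build_sample_forest()
    for domain in ("corp.example", "sales.corp.example", "PARTNER"):
        print(domain, "is reachable by users from", sorted(domains_that_can_reach(forest, domain)))
```

Run as a script, the output shows that PARTNER users reach corp.example but not sales.corp.example, because the only path to the child domain would have to cross the nontransitive external trust; and nobody from the forest reaches PARTNER, because the external trust is one-way.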

    An Overview on Backing up and Restoring Active Directory

    To ensure availability of mission critical resources and network objects, and business continuity, you would need to perform backups of Active Directory if it is running in your environment. This is because Active Directory normally hosts mission critical data and resources. Backups are typically performed for a number of reasons, including the following:

    - Protect your network environment from the accidental deletion or modification of data, and from hardware failures: Having a readily accessible backup of Active Directory would ensure that you can recover any important Active Directory objects which were deleted in error. Backups also prove invaluable when unauthorized users intentionally delete or modify data. The backup would enable you to restore data to its previous state of integrity. Because certain hardware failures such as corrupted hard disk drives can cause considerable loss of data, backing up your data would ensure that the business can continue to perform its mission critical functions when such an event does occur.
    - Store mission critical data: It is recommended to regularly back up mission critical data so that any previous version of information can be accessed, if necessary, at some time in the future.

    Because Active Directory is dependent on the Registry, you need to back up files within the system directory. These files are called system files. System state data basically contains the main configuration information in Windows 2000 and Windows Server 2003. What actual information is included in system state data is determined by operating system (OS) configuration. System state typically includes the following important data, files and components:

    - The Windows Registry
    - The contents of the SYSVOL directory
    - Files which are protected by the Windows File Protection system
    - Boot and system files: Ntdetect.com, Ntldr and Bootsect.dat
    - The COM+ Class Registration database
    - The Active Directory database (Ntds.dit), including all log files and checkpoint files
    - Cluster service files
    - Certificate service files
    - The Internet Information Server (IIS) metabase

    You can use one of the methods listed below to back up Active Directory.

    - You can back up the system state data only
    - You can back up Active Directory as part of a full system backup
    - You can back up Active Directory as part of a partial system backup

    In Windows 2000 Active Directory, you could only perform one of the following restore methods:

    - Authoritative Restore
    - Non-Authoritative Restore

    When it comes to restoring Windows Server 2003 Active Directory, you can use one of the following restore methods:

    - Normal Restore: In Windows 2000, this was your Non-Authoritative restore method. A Normal restore functions pretty much the same as a Non-Authoritative restore. With a Normal restore, the Backup utility is run on the computer while in Directory Services Restore Mode. After the domain controller is rebooted, normal replication occurs with replication partners. A Normal restore is typically performed when the following conditions exist:
      o A domain has multiple domain controllers, and only one domain controller is operational. You can use a Normal restore to restore all other domain controllers in the domain.
      o A domain has a single domain controller, and that domain controller has to be restored. You can alternatively choose to perform a Primary restore of Active Directory.
    - Authoritative Restore: An Authoritative restore of Active Directory has to be performed in cases where a Normal restore would not be able to return Active Directory to the correct state. For instance, if an organizational unit was deleted in error, a Normal restore would only result in the particular OU being deleted once again, after replication. This is basically due to the replication partners having a higher version number for the particular OU. An Authoritative restore has a similar process to that of a Normal restore, the difference being that after system data is restored, you define certain Active Directory objects as being authoritative. When Active Directory objects are defined as authoritative, the particular objects have the higher version numbers. This results in these objects being replicated to the other domain controllers' copies of the Active Directory database.
    - Primary Restore: The Primary restore method is used when each domain controller within a domain hosting multiple domain controllers needs to be restored. What this means is that the entire domain has to be reconstructed from the Active Directory backup. This method can also be used to restore Active Directory for a domain that only has one domain controller. The Primary restore method is selected in the Windows Server 2003 Backup utility by merely enabling the Primary restore method checkbox. This removes previous complexities associated with performing this type of restore in Windows 2000. The Primary restore process is also very similar to that performed for a Normal restore of Active Directory.

    An Introduction to Groups

    A group can be defined as a collection of accounts that are grouped together so that Administrators can assign permissions and rights to the group as a single entity. This removes the need for an Administrator to individually assign permissions and rights to each account. Therefore, while a user account is associated with an individual, or one entity, a group account, or a group, is created to simplify the administration of multiple user accounts (users). When you grant permissions to a group, all accounts that are part of that particular group are granted the permissions. Permissions control which actions users can perform on a network resource. Rights, on the other hand, relate to system tasks.

    Windows Server 2003 provides user accounts and group accounts (of which users can be a member). User accounts are designed for individuals. Group accounts are designed to make the administration of multiple users easier.

    The following entities can be added to groups:

    - User accounts
    - Computer accounts
    - Contacts
    - Other groups' members
    - Other groups

    The administrative tasks typically performed on groups are summarized below:

    - Assign permissions to groups to access shared resources. Each group member would be able to access the shared resources.
    - Assign rights to groups so that they can perform certain system tasks such as backing up or restoring files.
    - Groups are also used to distribute bulk e-mail to their members.

    You have to specify a group type and a group scope when you create a new group. Group types and group scopes are discussed throughout the remainder of this Article.

    Group Types

    You can create two types of groups in Active Directory. Each group type is used for a different purpose. Security groups are the group type created for security purposes, while distribution groups are the group type created for purposes other than security. Security groups are typically created for assigning permissions, while distribution groups are usually created for distributing bulk e-mail to users. As you can see, the main difference between the two groups is the manner in which each group type is used. Active Directory does however allow you to convert a security group to a distribution group, and to convert a distribution group to a security group, if the domain functional level is raised to Windows 2000 Native or above.

    - Security groups: A security group is a collection of users who have the same permissions to resources, and the same rights to perform certain system tasks. These are the groups to which you assign permissions so that their members can access resources. Security groups therefore remove the need for an Administrator to individually assign permissions to users. Users that need to perform certain tasks can be grouped in a security group, and then assigned the necessary permissions to perform these tasks. Each user that is a member of the group would have the same permissions. In addition to this, any e-mail sent to a security group is received by each member of that particular group. When a security group is first created, it receives a SID. It is this SID that enables permissions to be assigned to security groups: the SID can be included in the DACL of a resource. An access token is created when a user logs on to the system. The access token contains the SID of the user, and the SIDs of those groups of which the user is a member. This access token is referenced when the user attempts to access a resource: the access token is compared with the DACL of the resource to determine which permissions the user should receive for the resource.
    - Distribution groups: Distribution groups are created to share information with a group of users through e-mail messages. Thus, a distribution group is not created for security purposes. A distribution group does not obtain a SID when it is created. Distribution groups enable the same message to be simultaneously sent to the group members; messages do not need to be individually sent to each user. Applications such as Microsoft Exchange that work with Active Directory can use distribution groups to send bulk e-mail to groups of users.
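The comparison of an access token against a resource's DACL, described for security groups above, can be shown with a small simulation. This Python block is an added example, not code from the page: it models the token as the user's SID plus group SIDs and evaluates ACEs in order, the way a canonical DACL (deny entries first) is evaluated, so that a deny granted through one group membership beats an allow granted through another. All SIDs and names (Alice, Bob, Sales, Contractors) are constructed. A distribution group has no SID, so it can appear neither in the token nor in the DACL, which is why it cannot be used to grant or deny access.

```python
# Access-check model: requested access mask versus a DACL of allow/deny ACEs.
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4


class Ace:
    def __init__(self, ace_type, sid, mask):
        self.ace_type = ace_type   # "allow" or "deny"
        self.sid = sid             # security group or user SID the entry applies to
        self.mask = mask           # access bits the entry allows or denies


class AccessToken:
    """Built at logon: the user's SID plus the SIDs of every security group the user belongs to."""
    def __init__(self, user_sid, group_sids):
        self.sids = {user_sid, *group_sids}


def check_access(token, dacl, requested):
    """Return True when every requested bit is granted by the DACL.

    ACEs are walked in order. A deny ACE that matches a SID in the token and
    covers a still-ungranted requested bit fails the check immediately. Allow
    ACEs accumulate granted bits. The walk stops as soon as every requested bit
    is granted. An empty DACL, or no matching ACE, grants nothing.
    """
    granted = 0
    for ace in dacl:
        if ace.sid not in token.sids:
            continue   # ACE does not apply to this caller
        if ace.ace_type == "deny":
            if ace.mask & requested & ~granted:
                return False
        elif ace.ace_type == "allow":
            granted |= ace.mask & requested
        if granted == requested:
            return True
    return granted == requested


# Constructed SIDs; the relative identifiers at the end are invented for the example.
SALES_GROUP = "S-1-5-21-1000-2000-3000-1201"
CONTRACTORS = "S-1-5-21-1000-2000-3000-1202"
ALICE = "S-1-5-21-1000-2000-3000-1105"
BOB = "S-1-5-21-1000-2000-3000-1106"


def share_dacl():
    """DACL of a constructed file share, in canonical order (deny ACEs before allow ACEs)."""
    return [
        Ace("deny", CONTRACTORS, WRITE),
        Ace("allow", SALES_GROUP, READ | WRITE),
    ]


def sample_results():
    """Evaluate two constructed users against the share DACL."""
    alice = AccessToken(ALICE, [SALES_GROUP, CONTRACTORS])   # member of both groups
    bob = AccessToken(BOB, [SALES_GROUP])                    # Sales only
    dacl = share_dacl()
    return {
        "alice_read": check_access(alice, dacl, READ),       # allowed via Sales
        "alice_write": check_access(alice, dacl, WRITE),     # denied via Contractors
        "bob_write": check_access(bob, dacl, WRITE),         # allowed via Sales
        "bob_execute": check_access(bob, dacl, EXECUTE),     # nothing grants it
    }


if __name__ == "__main__":
    for name, outcome in sample_results().items():
        print(name, "->", "granted" if outcome else "denied")
```

The point a practitioner should take from the run is that group membership, not the user object, carries the permissions: Alice gets read through Sales but loses write through Contractors, and Bob gets no execute right because no ACE mentions any SID in his token, so the absence of an allow is itself a denial.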

    Group Scopes

    The different group scopes make it possible for groups to be used differently to assign permissions for accessing resources. The scope of a group defines the place in the network where the group will be used or is valid. This is the degree to which the group will be able to reach across a domain, domain tree, or forest. The group scope also determines what users can be included as group members.

    In Active Directory, there are three different group scopes.

    - Global groups: Global groups are containers for user accounts and computer accounts in the domain, and are used to assign permissions to objects that reside in any domain in a tree or forest. You can include a global group in the access control list (ACL) of objects in any domain in the tree/forest. A global group can however only have members from the domain in which it is created. What this means is that a global group cannot include user accounts, computer accounts, and global groups from other domains. The domain functional level set for the domain determines which members can be included in the global group.
      o Windows 2000 Mixed: Only user accounts and computer accounts from the domain in which the group was created can be added as group members.
      o Windows 2000 Native / Windows Server 2003: User accounts, computer accounts, and other global groups from the domain in which the group was created can be added as group members.
    - Domain Local groups: Domain local groups can have user accounts, computer accounts, global groups, and universal groups from any domain as group members. However, you can only use domain local groups for assigning permissions to local resources, or to resources that reside in the domain in which the domain local group was created. This means that you can only include domain local groups in the ACL of objects that are located in the local domain. The domain functional level set for the domain determines which members can be included in the domain local group.
      o Windows 2000 Mixed: User accounts, computer accounts, and global groups from any domain can be added as group members.
      o Windows 2000 Native / Windows Server 2003: User accounts, computer accounts, global groups, and universal groups from any domain can be added as group members. You can also add other domain local groups from the same domain as group members.
    - Universal groups: Universal groups can have user accounts, computer accounts, global groups, and other universal groups from any domain in the tree or forest as members. This basically means that you can add members from any domain in the forest to a universal group. You can use universal groups to assign permissions to access resources that are located in any domain in the forest. Universal groups are only available when the domain functional level for the domain is Windows 2000 Native or Windows Server 2003. Universal groups are not available when domains are functioning in the Windows 2000 Mixed domain functional level. You can convert a universal group to a global group or to a domain local group if the particular universal group has no other universal group as a group member. When adding members to universal groups, it is recommended to add global groups as members and not individual users.

    When groups contain other groups as members, group nesting occurs. Group nesting occurs when you add groups to other groups. Group nesting assists in reducing the number of instances in which you need to assign permissions, and in reducing replication traffic. As mentioned previously, the domain functional level set for the domain determines what group nesting can be implemented, as summarized below:

    - Windows 2000 Mixed:
      o Global groups: User accounts and computer accounts in the same domain.
      o Domain local groups: User accounts, computer accounts, and global groups from any domain.
    - Windows 2000 Native or Windows Server 2003:
      o Global groups: User accounts, computer accounts, and other global groups in the same domain.
      o Domain local groups: User accounts, computer accounts, global groups and universal groups from any domain; and other domain local groups in the same domain.
      o Universal groups: User accounts, computer accounts, global groups, and universal groups from any domain.

    The scope of a group can be changed as well. You can use the Active Directory Users And Computers (ADUC) console to view and modify the scope of an existing group. The command-line tools dsget and dsmod can also be used. The rules that govern this capability are summarized below:

    - You can convert domain local groups and global groups to universal groups.
    - You can convert universal groups to domain local groups or to global groups.
    - You cannot convert domain local groups to global groups.
    - You cannot convert global groups to domain local groups.
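The nesting table and the conversion rules above are easy to get wrong when reviewing a group design, so here they are encoded as two checks. This Python block is an added example, not code from the page: can_add_member() answers whether a member of a given kind may be nested into a group of a given scope at a given functional level, and can_convert_scope() applies the conversion rules, including the condition that a universal group containing another universal group cannot be converted. The scope and member-kind labels are this example's own; the rules themselves are the ones listed on this page.

```python
# Group nesting and scope-conversion rules for Windows 2000 Mixed and
# Windows 2000 Native / Windows Server 2003 domain functional levels.
MIXED = "Windows 2000 Mixed"
NATIVE = "Windows 2000 Native"   # Windows Server 2003 level follows the same nesting rules

SCOPES = ("global", "domain_local", "universal")
MEMBER_KINDS = ("user", "computer", "global", "domain_local", "universal")


def can_add_member(level, group_scope, member_kind, same_domain):
    """Decide whether `member_kind` may be nested in a group of `group_scope`.

    `same_domain` says whether the prospective member lives in the group's own
    domain. Returns (allowed, reason) so a reviewer sees which rule applied.
    """
    if group_scope not in SCOPES or member_kind not in MEMBER_KINDS:
        raise ValueError("unknown scope or member kind")
    if level not in (MIXED, NATIVE):
        raise ValueError("unknown functional level")

    if group_scope == "universal" and level == MIXED:
        return False, "universal groups are not available at Windows 2000 Mixed"

    if group_scope == "global":
        # Global groups only ever take members from their own domain.
        if not same_domain:
            return False, "global groups accept members only from their own domain"
        if member_kind in ("user", "computer"):
            return True, "ok"
        if member_kind == "global" and level == NATIVE:
            return True, "ok"
        return False, "%s cannot be nested in a global group at %s" % (member_kind, level)

    if group_scope == "domain_local":
        if member_kind in ("user", "computer", "global"):
            return True, "ok"
        if member_kind == "universal" and level == NATIVE:
            return True, "ok"
        if member_kind == "domain_local" and level == NATIVE and same_domain:
            return True, "ok"
        return False, "%s cannot be nested in this domain local group at %s" % (member_kind, level)

    # Universal group at native level: members from any domain, but not domain local groups.
    if member_kind == "domain_local":
        return False, "domain local groups cannot be members of a universal group"
    return True, "ok"


def can_convert_scope(current, target, contains_universal_group=False):
    """Apply the scope-conversion rules. Returns (allowed, reason)."""
    if current not in SCOPES or target not in SCOPES:
        raise ValueError("unknown scope")
    if current == target:
        return True, "no change"
    if target == "universal":
        return True, "domain local and global groups can be converted to universal"
    if current == "universal":
        if contains_universal_group:
            return False, "remove nested universal groups before converting"
        return True, "universal groups can be converted to domain local or global"
    return False, "domain local and global groups cannot be converted into each other"


if __name__ == "__main__":
    print(can_add_member(MIXED, "global", "global", True))
    print(can_add_member(NATIVE, "domain_local", "universal", False))
    print(can_convert_scope("global", "domain_local"))
```

One practical consequence visible in the checks: the recommended pattern of placing users in global groups, global groups in domain local groups, and permissions on the domain local group works at every functional level, whereas anything involving universal groups requires the domain to be out of Windows 2000 Mixed.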

    If you are using Windows Server 2003 Active Directory, Windows Server 2003 creates a few default security groups that are used to assign administrative permissions to users. The default security groups are created in the Users folder in Active Directory Users And Computers (ADUC).

    - The default domain local groups that are created are listed below:
      o Cert Publishers: Members of this group are able to publish certificates to Active Directory.
      o DnsAdmins: Group members have administrative access to the DNS server service.
      o HelpServicesGroup: Group members are able to assign rights to support applications.
      o RAS and IAS Servers: Servers assigned to this default group can access a user's remote access properties.
      o TelnetClients: Group members have administrative access to Telnet Server.
    - The default global groups that are created are listed below:
      o Domain Admins: Members of the Domain Admins group have permissions to perform administrative functions on computers in the domain.
      o Domain Users: Group members are user accounts that are created in the domain.
      o Domain Computers: Group members are computer accounts that are created in the domain. This includes all workstations and servers that are part of the domain.
      o Domain Controllers: Group members are domain controllers of the domain.
      o Domain Guests: Group members are guest accounts in the domain.
      o Group Policy Creator: Group members are able to change the domain's group policy.
      o DnsUpdateProxy: Group members are DNS clients. Members are able to perform dynamic updates for clients such as DHCP servers.

    - The default universal groups that are created are listed below:
      o Enterprise Admins: Members of this group are able to perform administrative functions for the whole network.
      o Schema Admins: Members of this group can perform administrative tasks on the schema.

    When formulating a strategy for setting up domain local groups and global groups, follow the guidelines listed below:

    - You should add users that perform the same function in the organization to a global group.
    - Domain local groups should be created for a resource (or resources) that needs to be shared by multiple users.
    - You should then add any global groups that have to access the resource(s) to the appropriate domain local group.
    - The domain local group should be assigned the proper permissions to the resource.

    In addition to the above mentioned group scopes, another group, called a local group, can be created. A local group is basically used on the local computer to assign permissions to resources that are located on the computer on which the particular local group is created. Local groups are created in the local security database and are not present in Active Directory. This means that you cannot create local groups on domain controllers.

    The tools and utilities which you can use to assist in troubleshooting Group Policy are listed below:

    - Resultant Set Of Policy (RSOP) Wizard
    - Gpresult.exe
    - Gpupdate.exe
    - WinPolicies
    - GPOTool
    - Event Viewer
    - Log Files

    Troubleshooting Policy Inheritance

    To successfully troubleshoot policy inheritance issues, you need to thoroughly understand how policy inheritance affects the application of Group Policy settings within GPOs. You also need to understand how enabling the Block Policy Inheritance option and the No Override option affects policy inheritance. Inheritance signifies that Group Policy settings which affect user configuration and computer configuration are the resultant set of policies inherited from parent containers. Policies are usually passed down from a parent container to its associated child containers. When the policy setting for a parent OU is set to Enabled or Disabled, and the child OU does not have the same policy setting configured, the child OU inherits the policy setting of its parent OU. The exception is that a Group Policy setting defined for a child OU overrides the same setting which it inherited from its parent OU.

    Group policy settings are processed in the order specified below:

    1. Local GPO: Because the local GPO is applied first, it means that policies defined at the local computer have the least priority.
    2. Site GPO: Site GPOs are GPOs which are linked to sites. The order of the different site GPOs is determined and defined by the Administrator.
    3. Domain GPOs: Domain GPOs are applied next. GPOs linked to a domain have precedence over site GPOs and local GPOs.
    4. OU GPOs: GPOs linked to the OU highest in the Active Directory hierarchy are applied before those of any other OUs. GPOs linked to the OU closest to the user or computer are then applied. When the OU that contains the user or computer has a GPO linked to it, that GPO is applied last.

    Block Policy Inheritance can be explicitly specified for a site, domain or OU, and is not applied to any GPOs or GPO links. When enabled for a site, domain or OU, it prevents any Group Policy settings from passing down from higher up in the tree to the particular site, domain or OU for which it is enabled. The only exception is that any GPO links which have the No Override setting enabled are not blocked, but are applied. When the No Override setting is enabled for a GPO which is linked to a site, domain or OU, no Group Policy settings contained in the particular GPO are overridden by other GPOs. Because of the hierarchical manner in which GPOs are applied, if there happens to be more than one GPO which has the No Override setting enabled, the GPO highest in the tree has precedence.
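The processing order and the two inheritance switches described above can be reproduced in a small resultant-set-of-policy calculation, which is a useful mental model when a setting is not landing where you expect it. This Python block is an added example, not code from the page or from any Microsoft tool: it applies local, site, domain and OU GPOs in order, drops GPOs linked above a container that has Block Policy Inheritance set, and applies No Override GPOs last, lowest-first, so that the highest No Override GPO wins. The GPO names, containers and setting names (ScreenSaverTimeout, Wallpaper, DisableCMD) are constructed; the local GPO is modelled as always applied first, since it is not a link to a higher site, domain or OU and so is outside what Block Policy Inheritance acts on.

```python
# Resultant Set of Policy model: local -> site -> domain -> OUs, with
# Block Policy Inheritance and No Override.

class Gpo:
    def __init__(self, name, settings, no_override=False):
        self.name = name
        self.settings = dict(settings)   # setting name -> value
        self.no_override = no_override   # No Override set on the GPO link


class Container:
    """A site, domain or OU with its linked GPOs, listed in the order they are
    applied (the last entry wins among links on the same container)."""
    def __init__(self, name, gpos=(), block_inheritance=False):
        self.name = name
        self.gpos = list(gpos)
        self.block_inheritance = block_inheritance


def resultant_settings(local_gpo, chain):
    """Compute the effective settings for an object under `chain`.

    `chain` runs from the site, through the domain, down to the OU that holds
    the user or computer. Later GPOs overwrite earlier ones. Returns the merged
    settings and the names of the GPOs that were applied, in application order.
    """
    result = dict(local_gpo.settings) if local_gpo else {}
    # Block Policy Inheritance on a container discards GPOs linked above it;
    # the container's own links still apply. The lowest blocking container wins.
    lowest_block = 0
    for index, container in enumerate(chain):
        if container.block_inheritance:
            lowest_block = index
    ordinary, enforced = [], []
    for index, container in enumerate(chain):
        for gpo in container.gpos:
            if gpo.no_override:
                enforced.append(gpo)          # never blocked, applied last
            elif index >= lowest_block:
                ordinary.append(gpo)          # blocked when linked above the block
    applied = []
    for gpo in ordinary:
        result.update(gpo.settings)
        applied.append(gpo.name)
    # No Override GPOs: apply lowest first so the highest in the tree has precedence.
    for gpo in reversed(enforced):
        result.update(gpo.settings)
        applied.append(gpo.name)
    return result, applied


def sample_rsop(block_inheritance, no_override):
    """Constructed scenario: site, domain and Sales OU GPOs all touch
    ScreenSaverTimeout; the local GPO and the site GPO both set Wallpaper."""
    local = Gpo("Local", {"Wallpaper": "local.bmp"})
    site = Container("Site-HQ", [
        Gpo("Site-Desktop", {"Wallpaper": "hq.bmp", "ScreenSaverTimeout": 900}),
    ])
    domain = Container("corp.example", [
        Gpo("Domain-Security", {"ScreenSaverTimeout": 600}, no_override=no_override),
    ])
    sales = Container("OU=Sales", [
        Gpo("Sales-Desktop", {"ScreenSaverTimeout": 300, "DisableCMD": True}),
    ], block_inheritance=block_inheritance)
    settings, _applied = resultant_settings(local, [site, domain, sales])
    return settings


if __name__ == "__main__":
    for block, enforce in ((False, False), (True, False), (False, True), (True, True)):
        print("block=%s no_override=%s ->" % (block, enforce), sample_rsop(block, enforce))
```

Reading the four runs side by side shows the troubleshooting rules from this section in action: with Block Policy Inheritance on the Sales OU the site wallpaper disappears and the local wallpaper survives, and with No Override on the domain GPO the 600-second timeout beats the Sales OU's 300 even though Sales both blocks inheritance and is applied later.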


    A few techniques for troubleshooting Group Policy inheritance are listed below:

    - GPOs can only be linked to sites, domains and OUs, and are then applied to users and computers.
    - Remember that while child OUs, by default, inherit the Group Policy settings of their associated parent OUs, child domains do not inherit Group Policy settings from parent domains.
    - A factor to consider when troubleshooting policy inheritance is that when both the Block Inheritance option and the No Override option are enabled, the No Override option has precedence.
    - Remember that Block Inheritance applies to the entire site, domain, or OU, and therefore can prevent Group Policy settings from being applied. If you have a situation where a particular GPO is not being applied, verify that the GPO is not being blocked.
    - Verify that the user or computer belongs to a security group that has the Allow

    Forest Design Factors

    A few factors that you should include or consider when planning the design of the forest are discussed in the following section:

    - The structure of the organization: Most large organizations usually consist of many smaller businesses or companies that have been acquired by business mergers. With these organizations, there is usually a need for some form of business independence within the organization. To cater for this need, there may be a requirement that certain businesses be separated from others. This separation is usually achieved by the implementation of forests.
    - Identify operation requirements: Smaller companies within a larger organization might each need to store different data in the Active Directory data store. In cases where the objects that need to be stored in the Active Directory schema differ, you might need to create different forests to service this requirement.
    - Legal factors: Legal factors also sometimes lead to the formation of forests. This typically occurs with organizations such as financial institutions where certain data has to be completely separated from other data.
    - Cost factors: With the deployment of multiple forests comes the need for additional hardware, and increased administrative costs. Shared infrastructures are usually the most cost effective solution. However, this solution might not meet the requirements of the organization.
    - Namespace factors: It is extremely important to plan and manage namespaces if you plan to create multiple forests with more than one domain tree. Remember that for each forest, you have to define one DNS namespace. For each domain tree that you create, you have to define another namespace.
    - Identify the forest owner(s): Each forest that you plan to create has to have a designated owner, or a group of owners. The forest owner is responsible for the operation of the forest. This includes the following:
      o Forest root domain
      o Sites and subnets, including site group policies
      o The schema
      o The replication process
      o Security policies for the domain
      o Domain controller group policies
      o Specifying the appropriate owners or administrators for each Organizational Unit (OU)
      o Specifying forest service admins and domain service admins
    - Testing the forest design: You should implement a testing strategy and testing environment in which to test your forest design. The testing environment should ideally be a separate Active Directory environment from the production environment, but should mirror the production environment.

Domain Design Factors

The factors that typically affect the domain design are summarized below:

- Geographical factors: Where organizations span many geographical regions, you might consider implementing a geographic domain design to control replication over different regions within the enterprise. Domain controllers would then only replicate data within their local domain.

- WAN link costs: The cost of implementing and maintaining unreliable WAN links could be high, as is the case in some countries.

- Business requirement factors: There may be cases where different businesses within the same organization can indeed share a forest, but the nature of their business might lead to each business needing to have its own domains. This is normally necessary when each business needs to implement its own domain security policies.

- Domain name strategy: Each domain has to have a NetBIOS name and a DNS name. Each domain name has to be unique. When assigning NetBIOS names, try using names that you would not need to change, and use Internet standard characters. NetBIOS names should be 15 characters or fewer in length. When you assign DNS names, try to keep the prefix of the DNS name and the NetBIOS name the same.

The Role of Domain Controllers

A domain controller holds a replica of the Active Directory directory for the domain to which it belongs. It is also responsible for managing that directory.

- The domain controller is responsible for replicating all changes made to its Active Directory replica to the remainder of the domain controllers within the domain. The default replication setting is that domain controllers in a site replicate changes made to their replica of Active Directory to all domain controllers within the domain every 15 minutes. You can control the amount of replication traffic that is generated within your Active Directory environment by specifying how often replication should occur.

- Domain controllers also manage access to network resources in the domain. They locate Active Directory objects, authenticate access to these objects, validate user logon attempts, and authenticate user passwords. User account changes such as an account being disabled are immediately replicated by the particular domain controller to all domain controllers within the domain.

- Domain controllers track user account information through Security Identifiers (SIDs). When a user attempts to log on to the system, a request to authenticate the user is sent to each domain controller within the domain. The user is authenticated via Kerberos security after a domain controller is located and a secure connection is established. Authentication is based on the user providing a username and password that correspond to those in the Active Directory database. The session information, or access token, of the account is stored in memory. This includes rights and group membership details. When the user attempts to access network resources, the access token and the permissions of the resource are compared to ascertain what access is permitted to the network resource.

- Multiple domain controllers provide fault tolerance in your Active Directory environment. In the Windows NT domain model, no changes could be made to the domain database when the primary domain controller was unavailable. With Active Directory, because domain controllers function as peers to one another, changes can be made to the Active Directory database from any domain controller in the domain. When a domain controller is unavailable, the remainder of the domain controllers continue to provide access to network resources.

- Domain controllers also integrate with network services such as DNS, DHCP, Kerberos security, and Remote Access. This in turn facilitates centralized management and security.

An Overview of Organizational Units (OUs)

An organizational unit (OU) is a container that is used to logically organize and group Active Directory objects within domains. OUs are not part of the DNS namespace. They are used to organize Active Directory objects into logical administrative groups. OUs therefore serve as containers in which you can create and manage Active Directory objects. OUs are considered the smallest unit to which an Administrator can assign permissions to resources within Active Directory.

An OU enables you to apply security policies, deploy applications, delegate administrative control for Active Directory objects, and run scripts. An important thing to understand is that OUs are not security principals. The user accounts, group accounts, and computer accounts within the OUs are security principals.

The Consequences of FSMOs Failing

The following section looks at what actually happens when each FSMO role fails:

- A Schema Master failure is basically only evident when an Administrator attempts to change the Active Directory schema. What this means is that a Schema Master failure is invisible to your standard network users. You should only seize this role to the domain controller designated as the standby schema master if the existing Schema Master can in fact never be recovered.

- As is the case with a Schema Master failure, a Domain Naming Master failure is only evident if an Administrator is attempting to add a domain to the forest, or remove a domain from the forest. A Domain Naming Master failure can generally not be perceived by your standard network users. You should only seize this role to the domain controller designated as its standby when the existing Domain Naming Master will never be operational again.

- A RID Master failure is only evident to Administrators if they are attempting to add new Active Directory objects in the particular domain where the RID Master failed. When this happens, the RID Master is unable to allocate relative IDs to the domain controllers on which the new Active Directory objects are being created. A RID Master failure cannot be detected by your conventional network users. You should also generally only seize this OM role when the existing domain controller assigned the RID Master role will never recover from the failure.

- An Infrastructure Master failure is also not visible to your standard network users. The failure only impacts Administrators that are attempting to move user accounts, or rename them. Consider moving the role to the designated standby domain controller if the existing domain controller assigned the Infrastructure Master role is to be unavailable for a reasonably extended period of time, and the changes that need to be made are pertinent.

- Unlike the OM role failures previously described, which are not evident to your standard network users, a PDC Emulator failure does impact network users. It is important to immediately seize this role to its designated standby domain controller if the domain contains any Windows NT backup domain controllers. You can always return this role to its previous domain controller when it is recovered and online again.

DHCP

The DHCP lease process consists of four messages sent between the DHCP server and the DHCP client:

- DHCPDISCOVER message: This message is sent by a client when it boots up on the network to request an IP address lease from a DHCP server. The message is sent as a broadcast packet over the network, requesting that a DHCP server respond to it.

- DHCPOFFER message: This message is a response to a DHCPDISCOVER message, and is sent by one or more DHCP servers.

- DHCPREQUEST message: The client sends a DHCP Request message to the first DHCP server which responded to its request. The message indicates that the client is requesting the particular IP address for lease.

- DHCPACK message: The DHCP Acknowledge message is sent by the DHCP server to the DHCP client, and is the step in which the DHCP server assigns the IP address lease to the DHCP client.

The DHCP Relay Agent makes it possible for DHCP broadcast messages to be sent over routers that do not support forwarding of these types of messages.

DHCP scopes

A scope can be defined as a set of IP addresses which the DHCP server can allocate or assign to DHCP clients. A scope contains specific configuration information for clients that have IP addresses within the particular scope. Scope information for each DHCP server is specific to that particular DHCP server only, and is not shared between DHCP servers. Scopes for DHCP servers are configured by administrators.

A superscope is the grouping of scopes under one administrative entity that enables clients to obtain IP addresses, and renew IP addresses, from any scope that is part of the superscope.

Superscopes are typically created under the following circumstances:

- The existing scope's supply of IP addresses is being depleted.
- You want to use two DHCP servers on the same subnet. This is usually for providing redundancy.
- You need to move clients from one range of IP addresses to a different range of IP addresses.
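The four-message exchange above, together with scopes and the two-servers-on-one-subnet case, as an added example that is not part of the original document: a simulated client and two DHCP servers, each holding one constructed scope. The wire encoding is left out; message field names follow the RFC 2131 ones, and all addresses are constructed.

```python
"""Simulated four-message DHCP lease against server scopes (constructed example)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, List, Optional, Set

DISCOVER, OFFER, REQUEST, ACK, NAK = "DHCPDISCOVER", "DHCPOFFER", "DHCPREQUEST", "DHCPACK", "DHCPNAK"


@dataclass
class Message:
    kind: str
    xid: int                                  # transaction id shared by all four messages
    chaddr: str                               # client hardware (MAC) address
    yiaddr: Optional[IPv4Address] = None      # offered / assigned address ("your" address)
    server_id: Optional[IPv4Address] = None   # option 54: the server the client selected
    options: Dict[str, str] = field(default_factory=dict)   # router, DNS suffix, ...


@dataclass
class Scope:
    network: IPv4Network
    start: IPv4Address
    end: IPv4Address
    exclusions: Set[IPv4Address] = field(default_factory=set)
    options: Dict[str, str] = field(default_factory=dict)   # distributed with the lease


class DhcpServer:
    def __init__(self, server_ip: str, scope: Scope):
        self.ip = IPv4Address(server_ip)
        self.scope = scope
        self.leases: Dict[str, IPv4Address] = {}   # chaddr -> leased address
        self.offers: Dict[int, IPv4Address] = {}   # xid -> address tentatively offered

    def _free_address(self) -> Optional[IPv4Address]:
        in_use = set(self.leases.values()) | set(self.offers.values()) | self.scope.exclusions
        addr = self.scope.start
        while addr <= self.scope.end:
            if addr not in in_use and addr in self.scope.network:
                return addr
            addr += 1
        return None                               # scope depleted

    def handle(self, msg: Message) -> Optional[Message]:
        """Process one broadcast message; return a reply, or None to stay silent."""
        if msg.kind == DISCOVER:
            addr = self.leases.get(msg.chaddr)    # a returning client keeps its address
            if addr is None:
                addr = self._free_address()
            if addr is None:
                return None                       # nothing left to offer
            self.offers[msg.xid] = addr
            return Message(OFFER, msg.xid, msg.chaddr, addr, self.ip, dict(self.scope.options))
        if msg.kind == REQUEST:
            if msg.server_id != self.ip:
                self.offers.pop(msg.xid, None)    # client chose another server: withdraw offer
                return None
            addr = self.offers.pop(msg.xid, None)
            if addr is None or addr != msg.yiaddr:
                return Message(NAK, msg.xid, msg.chaddr, server_id=self.ip)
            self.leases[msg.chaddr] = addr        # the lease is bound only at ACK time
            return Message(ACK, msg.xid, msg.chaddr, addr, self.ip, dict(self.scope.options))
        return None


def obtain_lease(chaddr: str, servers: List[DhcpServer], xid: int) -> Optional[Message]:
    """Client side: broadcast DISCOVER, take the first OFFER, REQUEST it, wait for the ACK."""
    discover = Message(DISCOVER, xid, chaddr)
    offers = [o for o in (s.handle(discover) for s in servers) if o is not None]
    if not offers:
        return None
    chosen = offers[0]                            # first responder wins; others are dropped
    request = Message(REQUEST, xid, chaddr, chosen.yiaddr, chosen.server_id)
    replies = [r for r in (s.handle(request) for s in servers) if r is not None]
    return next((r for r in replies if r.kind == ACK), None)


def build_servers() -> List[DhcpServer]:
    """Constructed: two servers on one subnet with non-overlapping ranges (redundancy)."""
    subnet = IPv4Network("192.0.2.0/24")
    small = Scope(subnet, IPv4Address("192.0.2.10"), IPv4Address("192.0.2.11"),
                  {IPv4Address("192.0.2.10")}, {"router": "192.0.2.1", "dns_suffix": "corp.example"})
    large = Scope(subnet, IPv4Address("192.0.2.100"), IPv4Address("192.0.2.199"))
    return [DhcpServer("192.0.2.1", small), DhcpServer("192.0.2.2", large)]


if __name__ == "__main__":
    servers = build_servers()
    for n, mac in enumerate(("00:11:22:33:44:55", "66:77:88:99:aa:bb"), start=1):
        ack = obtain_lease(mac, servers, xid=n)
        print(mac, ack.kind, ack.yiaddr, "from", ack.server_id, ack.options)
```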

The Advantages of using DHCP

The main advantages of using DHCP are summarized below:

- DHCP is included with Windows Server 2003: implementing DHCP requires no additional cost.

- Centralized, simpler management of IP addressing: You can manage IP addressing from a central location.

- DHCP also provides for the simple deployment of other configuration options, such as default gateway and DNS suffix.

- Because the system assigns IP addresses, there are fewer incorrect IP address configurations. This is mainly due to IP configuration information being entered at one location, with the server distributing this information to clients.

- Duplicate IP addresses are prevented.

- IP addresses are also preserved. DHCP servers only allocate IP addresses to clients when they request them.

- The DHCP service of Windows Server 2003 can assign IP addresses to both individual hosts and multicast groups. Multicast groups are used when communication occurs with server clusters.

- The Windows Server 2003 DHCP service supports clustering. This enables you to set up highly available DHCP servers.

- In Windows Server 2003, DHCP integrates with Dynamic DNS (DDNS). This facilitates dynamic IP address management, because the DHCP server registers the client computer's address (A) records and pointer (PTR) records in the DNS database when the client obtains an IP address.

- You can monitor the pool of available IP addresses, and also be notified when the IP address pool reaches a certain threshold.

- Through authorizing DHCP servers in Active Directory, you can restrict your DHCP servers to only those that are authorized. Active Directory also allows you to specify those clients that the DHCP server can allocate addresses to.

- Dynamic IP addressing through DHCP easily scales from small to large networking environments.

The Disadvantages of using DHCP

The main disadvantages of using DHCP are summarized below:

- The DHCP server can be a single point of failure in networking environments that only have one DHCP server.

- If your network has multiple segments, you have to perform one of the following additional configurations:

  o Place a DHCP server on each segment
  o Place a DHCP relay agent on each segment
  o Configure routers to forward Bootstrap Protocol (BootP) broadcasts

- All incorrectly defined configuration information will automatically be propagated to your DHCP clients.

- There are a few DHCP client implementations that do not function correctly with a Windows Server 2003 DHCP server.

DNS

DNS and Active Directory Integration Overview

DNS is the primary name registration and resolution service in Windows 2000 and Windows Server 2003. It provides a hierarchically distributed and scalable database; provides name registration, name resolution and service location for Windows 2000 and Windows Server 2003 clients; and locates domain controllers for logon. A DNS server is a computer running the DNS Server service that provides domain name services. The DNS server manages the DNS database that is located on it. The information in the DNS database of a DNS server pertains to a portion of the DNS domain tree structure or namespace.

(Domain Name System (DNS) is an Internet Engineering Task Force (IETF) standard name service that allows your computer to register and resolve domain names. DNS makes it possible to assign domain names to organizations independent of the routing of the numerical IP address. In other words, DNS is a system that translates domain names into IP addresses. This is necessary because computers only make use of IP addresses, yet we use human-readable names since names are easier to remember than IP addresses. Without this DNS resolution, the Internet would be a very inconvenient place. DNS resolution is therefore a very important task.)

A DNS zone is the contiguous portion of the DNS domain name space over which a DNS server has authority, or is authoritative. A zone is a portion of a namespace; it is not a domain. A domain is a branch of the DNS namespace. A DNS zone can contain one or more contiguous domains. A DNS server can be authoritative for multiple DNS zones. Zone files store resource records for the zones over which a DNS server has authority.

In DNS, a standard primary DNS server is the authoritative DNS server for a DNS zone. There are a number of zone types used in Windows Server 2003 DNS. The different types of zones used in Windows Server 2003 DNS are listed below:

- Primary zone: This is the only zone type that can be edited or updated, because the data in the zone is the original source of the data for all domains in the zone. Updates made to the primary zone are made by the DNS server that is authoritative for the specific primary zone. You can also back up data from a primary zone to a secondary zone.

- Secondary zone: A secondary zone is a read-only copy of the zone that was copied from the master server during zone transfer.

- Active Directory-integrated zone: An Active Directory-integrated zone is a zone that stores its zone data in Active Directory. DNS zone files are not needed. This type of zone is an authoritative primary zone. Zone data of an Active Directory-integrated zone is replicated during the Active Directory replication process. Active Directory-integrated zones also enjoy the security features of Active Directory.

- Stub zone: A stub zone is a new Windows Server 2003 feature. Stub zones only contain those resource records necessary to identify the authoritative DNS servers for the master zone:

  o Start Of Authority (SOA) resource record for the zone.
  o Name Server (NS) resource record for the zone.
  o Host (A) resource records that identify the authoritative servers for the specific zone.

The main zone types used in Windows Server 2003 DNS environments are primary zones and Active Directory-integrated zones. Both primary zones and secondary zones are standard DNS zones that use zone files. The main difference between primary zones and secondary zones is that primary zones can be updated. Secondary zones contain read-only copies of zone data.

An Active Directory-integrated zone can be defined as an improved version of a primary DNS zone because it can use multi-master replication and the security features of Active Directory. The zone data of Active Directory-integrated zones is stored in Active Directory. Active Directory-integrated zones are authoritative primary zones.

A few advantages that Active Directory-integrated zone implementations have over standard primary zone implementations are:

- Active Directory replication is faster, which means that the time needed to transfer zone data between zones is far less.

- The Active Directory replication topology is used for Active Directory replication, and for Active Directory-integrated zone replication. There is no longer a need for DNS replication when DNS and Active Directory are integrated.

- Active Directory-integrated zones can enjoy the security features of Active Directory.

- The need to manage your Active Directory domains and DNS namespaces as separate entities is eliminated. This in turn reduces administrative overhead.


The zone transfer methods which you can configure are:

- Full transfer: When you configure a secondary DNS server for a zone and start the secondary DNS server, the secondary DNS server requests a full copy of the zone from the primary DNS server. A full transfer is performed of all the zone information. Full zone transfers tend to be resource intensive. This disadvantage of full transfers has led to the development of incremental zone transfers.

- Incremental zone transfer: With an incremental zone transfer, only those resource records that have since changed in a zone are transferred to the secondary DNS servers. During zone transfer, the DNS databases on the primary DNS server and the secondary DNS server are compared to determine whether there are differences in the DNS data. If the DNS data of the primary and secondary DNS servers are the same, zone transfer does not take place. If the DNS data of the two servers are different, transfer of the delta resource records starts. This occurs when the serial number of the primary DNS server's database is higher than the secondary DNS server's serial number. For incremental zone transfer to occur, the primary DNS server has to record incremental changes to its DNS database. Incremental zone transfers require less bandwidth than full zone transfers.

- Active Directory transfers: These zone transfers occur when Active Directory-integrated zones are replicated to the domain controllers in a domain. Replication occurs through Active Directory replication.

- DNS Notify is a mechanism that enables a primary DNS server to inform secondary DNS servers when its database has been updated. DNS Notify informs the secondary DNS servers when they need to initiate a zone transfer so that the updates of the primary DNS server can be replicated to them. When a secondary DNS server receives the notification from the primary DNS server, it can start an incremental zone transfer or a full zone transfer to pull zone changes from the primary DNS server.

- When DNS and Active Directory are integrated, the Active Directory-integrated zones are replicated to, and stored on, any new domain controllers automatically. Synchronization takes place automatically when new domain controllers are deployed.

Primary Zones versus Active Directory-integrated zones

When deciding on whether to implement primary DNS zones or Active Directory-integrated DNS zones, remember to include the DNS design requirements of your environment. Primary zones and secondary zones are standard DNS zones that use zone files. An Active Directory-integrated zone stores its zone data in Active Directory, and can therefore use multi-master replication and the security features of Active Directory.

If you are going to be implementing Active Directory-integrated zones, you can choose between the following zone replication scope options:

- To All DNS Servers In The Active Directory Forest option: Zone data is replicated to all DNS servers running on domain controllers in the Active Directory forest.

- To All DNS Servers In The Active Directory Domain option: Zone data is replicated to all DNS servers running on domain controllers in the Active Directory domain.

- To All Domain Controllers In The Active Directory Domain option: Zone data is replicated to all domain controllers in the Active Directory domain.

- To All Domain Controllers Specified In The Scope Of The Following Application Directory Partition option: Zone data is replicated based on the replication scope of the particular application directory partition.

The main advantages that Active Directory-integrated zones have over standard primary DNS zones are:

- Active Directory replication is faster, which means that the time needed to transfer zone data between zones is far less.

- The Active Directory replication topology is used for Active Directory replication, and for Active Directory-integrated zone replication. There is no longer a need for DNS replication when DNS and Active Directory are integrated.

- Active Directory-integrated zones can enjoy the security features of Active Directory.

- The need to manage your Active Directory domains and DNS namespaces as separate entities is eliminated. This in turn reduces administrative overhead.

- When DNS and Active Directory are integrated, the Active Directory-integrated zones are replicated to, and stored on, any new domain controllers automatically. Synchronization takes place automatically when new domain controllers are deployed.

Start of Authority (SOA) Resource Record

This is the first record in the DNS database file. The SOA record includes zone property information, such as the primary DNS server for the zone, and version information.

The fields located within the SOA record are listed below:

- Source host: the host for which the DNS database file is maintained.
- Contact e-mail: the e-mail address of the individual who is responsible for the database file.
- Serial number: the version number of the database.
- Refresh time: the time that a secondary DNS server waits before determining whether database updates have been made that have to be replicated via zone transfer.
- Retry time: the time for which a secondary DNS server waits before attempting a failed zone transfer again.
- Expiration time: the time for which a secondary DNS server will continue to attempt to download zone information. Old zone information is discarded when this limit is reached.
- Time to live: the time that the particular DNS server can cache resource records from the DNS database file.
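As an added example (not from the original document) that ties the SOA fields above to the incremental zone transfer and DNS Notify behaviour described earlier: parsing a zone-file SOA line, then making a secondary server's decision to pull a delta, do nothing, or expire the zone. The zone name, serials and records are constructed.

```python
"""Parse an SOA record and make a secondary server's zone transfer decision (constructed example)."""
from dataclasses import dataclass
from typing import List, Set, Tuple

SERIAL_MOD = 2 ** 32


@dataclass
class Soa:
    source_host: str      # primary server for the zone
    contact: str          # responsible person, stored as a DNS name
    serial: int           # version number of the zone data
    refresh: int          # seconds a secondary waits before checking for updates
    retry: int            # seconds to wait before retrying a failed transfer
    expire: int           # seconds after which stale zone data is discarded
    minimum_ttl: int      # cache lifetime for records from this zone

    def contact_email(self) -> str:
        """The first dot in the contact name stands for '@' (hostmaster.corp.example. -> hostmaster@corp.example)."""
        user, _, domain = self.contact.rstrip(".").partition(".")
        return f"{user}@{domain}"


def parse_soa(record: str) -> Soa:
    """Parse a one-line SOA record in zone-file syntax (not the wire format)."""
    fields = record.split()
    i = fields.index("SOA")
    numbers = [int(x) for x in fields[i + 3:i + 8]]
    return Soa(fields[i + 1], fields[i + 2], *numbers)


def serial_is_newer(primary: int, secondary: int) -> bool:
    """Serial comparison that survives wrap-around (RFC 1982 arithmetic modulo 2**32)."""
    if primary == secondary:
        return False
    return (primary - secondary) % SERIAL_MOD < SERIAL_MOD // 2


def incremental_delta(old_records: Set[str], new_records: Set[str]) -> Tuple[List[str], List[str]]:
    """What an incremental transfer carries: records to delete, then records to add."""
    return sorted(old_records - new_records), sorted(new_records - old_records)


def secondary_decision(local_soa: Soa, primary_soa: Soa, seconds_since_last_success: int) -> str:
    """What a secondary does after a refresh poll or a DNS Notify from the primary."""
    if seconds_since_last_success >= local_soa.expire:
        return "expire"        # data too old: discard the zone, stop answering authoritatively
    if serial_is_newer(primary_soa.serial, local_soa.serial):
        return "ixfr"          # primary has newer data: pull the delta
    return "no-transfer"       # serials match: nothing to do until the next refresh


# Constructed sample zone data: the primary is one serial ahead of the secondary.
PRIMARY_SOA = "corp.example. IN SOA dc1.corp.example. hostmaster.corp.example. 2024010102 900 600 86400 3600"
SECONDARY_SOA = "corp.example. IN SOA dc1.corp.example. hostmaster.corp.example. 2024010101 900 600 86400 3600"
OLD_RECORDS = {"dc1.corp.example. IN A 192.0.2.10", "www.corp.example. IN A 192.0.2.20"}
NEW_RECORDS = {"dc1.corp.example. IN A 192.0.2.10", "www.corp.example. IN A 192.0.2.21"}

if __name__ == "__main__":
    primary, secondary = parse_soa(PRIMARY_SOA), parse_soa(SECONDARY_SOA)
    print(secondary.contact_email(), secondary_decision(secondary, primary, 1200))
    print(incremental_delta(OLD_RECORDS, NEW_RECORDS))
```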

Name Server (NS) Resource Record

The Name Server (NS) resource record provides a list of the authoritative DNS servers for a domain, as well as the authoritative DNS servers for any delegated subdomains. Each zone must have one or more NS resource records at the zone root. The NS resource record indicates the primary and secondary DNS servers for the zone defined in the SOA resource record. This in turn enables other DNS servers to look up names in the domain.

Host (A) Resource Record

The host (A) resource record contains the IP address of a specific host, and maps the FQDN to this 32-bit IPv4 address. Host (A) resource records basically associate the domain names of computers (FQDNs) or host names with their associated IP addresses. Because a host (A) resource record statically associates a hos