Interview

Published by: Sameer Ahmed on May 29, 2012
Copyright: Attribution Non-commercial

What are trust relationships?

In the Windows NT domain model, domains had to be bound together through trust relationships, simply because the SAM databases used in those domains could not be joined. Where a domain trusted another Windows NT domain, the members of the trusted domain could access network resources located in the trusting domain. Defining trust relationships between domains eliminates the need for an Administrator to configure user accounts in multiple domains.

In a trust relationship, the two domains are referred to as the trusting domain and the trusted domain. The trusted domain is the account domain: the one whose user accounts are accepted. The trusting domain is the resource domain: the one wherein network resources can be accessed. The trusting domain recognizes the logon authentications of the trusted domain. The logon trust relationship is supported by NT LAN Manager challenge/response, which allows pass-through authentication of users from the trusted domain. A useful check when reading any trust is that the trust points from the trusting domain to the trusted domain, while access flows the other way, from the trusted domain's users to the trusting domain's resources.

One of the shortfalls of Windows NT trust relationships is that trusts between domains were one-way and nontransitive. The defined trust relationship ended with the two domains between which the particular trust was created, and the rights implicit in the trust relationship flowed in one direction only. Because of this, defining and managing trust relationships in the Windows NT domain structure was a cumbersome and labor-intensive task. The Windows NT domain model worked well in small enterprises where one domain typically existed. In larger enterprises with multiple domains, Administrators had to define trust relationships between the domains in order for a user in one domain to access resources in another domain; a full mesh of n domains needs n(n-1) one-way trusts. In Windows 2000 and Windows Server 2003, Active Directory is built on the concept of trust relationships between domains.
Although the actual concept of trust relationships is not new in Windows Server 2003, there are new trust capabilities and trust types available for Windows Server 2003 Active Directory domains. In Windows Server 2003, authentication of users or applications across a trust occurs through one of the following trust protocols:
• Kerberos version 5 protocol: the default trust protocol, used when the computers in the trust relationship are running Windows Server 2003.
• NT LAN Manager (NTLM) protocol: used when one of the computers in the trust relationship does not support the Kerberos version 5 protocol, for example a down-level Windows NT 4 domain.

The characteristics of Windows Server 2003 trusts are outlined below:

• Trusts can be nontransitive or transitive:
  o Transitive trusts: With transitive trusts, trust extends to each domain that the other domain trusts. Where Domain1 trusts Domain2, and Domain2 trusts Domain3, Domain1 also trusts Domain3.
  o Nontransitive trusts: The defined trust relationship ends with the two domains between which the particular trust is created.

• Trusts can be one-way or two-way trusts:
  o One-way trusts: Based on the direction of the trust, a one-way trust is further described as either an incoming trust or an outgoing trust, from the point of view of the domain where it is created. A one-way trust can be transitive or nontransitive.
    - Incoming trust: The trust is created in the trusted domain. Users in the trusted domain are able to access network resources in the trusting (other) domain. Users in the other domain cannot, however, access network resources in the trusted domain.
    - Outgoing trust: The trust is created in the trusting domain. Users in the other domain are able to access network resources in the initiating domain. Users in the initiating domain are not able to access resources in the other domain.
  o Two-way trusts: A two-way trust relationship means that where Domain1 trusts Domain2, Domain2 also trusts Domain1. The trust works both ways, and users in each domain are able to access network resources in either one of the domains. The trust that exists between parent domains and child domains in a domain tree is a two-way, transitive trust: where Domain1 trusts Domain2 and Domain2 trusts Domain3, Domain1 trusts Domain3 and Domain3 trusts Domain1. Two-way, transitive trust is the default trust relationship between domains in a tree. It is also automatically created between the top-level (tree root) domains in a forest.

• Trusts can be implicit or explicit trusts:
  o Implicit: Automatically created trust relationships are called implicit trusts. An example of implicit trust is the two-way, transitive trust relationship that Active Directory creates between a parent domain and a child domain.
  o Explicit: Manually created trust relationships are referred to as explicit trusts.

Windows Server 2003 Active Directory Forest Trust Capability
Forest trust is a new feature introduced with Windows Server 2003 Active Directory. To better understand the feature, let's first look at how cross-forest access was established in the Windows NT and Windows 2000 domain structures. In these domain structures, when users located in one forest needed to access resources located in a different forest, an external trust relationship had to be defined between the two specific domains involved. External trusts are nontransitive, so a separate external trust is needed for every pair of domains that must trust each other. This in turn increases the administrative effort required to create and maintain the external trusts needed for cross-forest access in the Windows NT and Windows 2000 domain structures. Forest trust, on the other hand, enables you to create a single trust relationship between the root domains of two forests that extends to all domains in both forests. The number of external trusts that had to be configured in Windows NT and Windows 2000 domain structures is therefore reduced in Windows Server 2003 Active Directory domains. The trust between the two Active Directory forests is transitive in nature within those two forests, but it does not extend to a third forest that either of them trusts.

Types of Active Directory Trust Relationships
The types of trust relationships that can be created and configured for Active Directory domains are discussed in this section. As an Administrator for Windows Server 2003 Active Directory domains, it is important to understand the different types of trust that are supported in Windows Server 2003, and to know which trust relationship to create for the different network resource access requirements that exist within your organization.

• Tree-root trust: Tree-root trust is automatically (implicitly) created when a new tree root domain is added to a forest. The trust relationship exists between two root domains within the same forest. For instance, if you have an existing forest root domain, and you add a new tree root domain to the same forest, tree-root trust is formed between the new tree root domain and the existing forest root domain. Tree-root trust is transitive and two-way.

• Parent-child trust: Parent-child trust is implicitly established when new child domains are added to a domain tree. Parent-child trust is a two-way, transitive trust relationship. Active Directory automatically creates a trust relationship between the new child domain and the domain directly above it in the domain namespace hierarchy. What this means is that the trust relationship exists between domains that share a contiguous DNS namespace and are part of the same forest. Parent-child trust enables authentication requests of child domains to be passed through the parent domain for authentication. In addition, because the trust is transitive, when a new domain is added to the tree a trust path exists between it and every other domain in the tree. Network resources in the individual domains of the tree can therefore be accessed from all other domains in the tree, subject to the permissions set on those resources.

• Shortcut trust: Shortcut trust is explicitly created by an Administrator, and can be defined as either one-way transitive trust or two-way transitive trust. Shortcut trust is usually created when you want to speed up, or enhance, authentication performance between two domains in different trees but within the same forest. One-way shortcut trust should be created when users in Domain1 need to access Active Directory objects in Domain2 but users in Domain2 do not need to access objects in Domain1. Two-way shortcut trust should be created when users in each domain need to access objects in the other domain.

• Realm trust: Realm trust is explicitly created by an Administrator, and can be defined as either transitive trust or nontransitive trust, and as either one-way trust or two-way trust. Realm trust enables you to create a trust relationship between a Windows Server 2003 Active Directory domain and a non-Windows Kerberos version 5 realm. Realm trust therefore facilitates interoperability between a Windows Server 2003 domain and a realm used in Kerberos version 5 implementations.

• External trust: External trust is explicitly defined by an Administrator to enable trust between domains that are located in different forests, and to create trust between an Active Directory domain and a down-level Windows NT 4 domain. External trust is always nontransitive but can be either one-way trust or two-way trust. External trust is usually only created in Windows Server 2003 Active Directory environments when users need to access network resources in a domain that resides in a different forest, and forest trust cannot be created between the two forests. When external trust is created between an Active Directory domain and a down-level Windows NT 4 domain, it is a one-way, nontransitive trust relationship.

• Forest trust: Forest trust is explicitly created by an Administrator to enable trust between two Active Directory forests. Forest trust is transitive in nature, and can be either one-way or two-way. Forest trust is only available at the Windows Server 2003 forest functional level. Before you can create forest trust between two forests, each domain in the particular forests, and each forest, has to be raised to, and running at, the Windows Server 2003 functional level. Because forest trust is created between the two root domains of the two forests, it effectively creates trusts between each domain in one forest and each domain in the other. This basically means that users would be able to access Active Directory objects in all domains encompassed by the particular forest trust relationship.
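The trust rules described above, as an added example that is not part of the original page: a small Python model that records each trust from the trusting (resource) domain's side and walks the trust path an authentication request takes, applying the direction, transitivity and trust-type rules from this section, plus the Domain Wide versus Selective Authentication setting discussed later under planning. It goes beyond the page's Domain1/Domain2/Domain3 illustration by combining several trust types in one topology. The forest layout, domain names (contoso.com, fabrikam.net, tailspin.local, LEGACYNT), user and server names are all constructed for the example.

```python
"""Trust-path evaluation for Active Directory trust relationships.

Added example, not code from the original page. Domain names, the forest
layout, user and server names are all made up.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One direction of a trust, recorded from the trusting (resource) domain.
    kind: parent-child, tree-root, shortcut, forest, external or realm."""
    trusting: str
    trusted: str
    kind: str
    transitive: bool
    selective_auth: bool = False  # Selective Authentication on this outgoing side


def two_way(a, b, kind, transitive, selective_auth=False):
    """A two-way trust is simply one trust in each direction."""
    return [Trust(a, b, kind, transitive, selective_auth),
            Trust(b, a, kind, transitive, selective_auth)]


def trust_path(resource_domain, account_domain, trusts):
    """Shortest chain of trusts followed from resource_domain back to the
    account domain of the user logging on, or None when no trust path exists.

    Rules applied while walking from the resource domain toward the account domain:
    - only outgoing trusts of the current domain can be followed;
    - a nontransitive trust (external, nontransitive realm) is usable only as
      the single hop between its own two domains;
    - a forest trust is transitive across the two forests it joins, but a path
      never crosses a second forest trust (no trust into a third forest)."""
    if resource_domain == account_domain:
        return []
    queue = deque([(resource_domain, [])])
    seen = {(resource_domain, False)}
    while queue:
        domain, path = queue.popleft()
        crossed_forest = any(t.kind == "forest" for t in path)
        for t in trusts:
            if t.trusting != domain:
                continue
            if not t.transitive and (path or t.trusted != account_domain):
                continue
            if t.kind == "forest" and crossed_forest:
                continue
            new_path = path + [t]
            if t.trusted == account_domain:
                return new_path
            key = (t.trusted, crossed_forest or t.kind == "forest")
            if key not in seen:
                seen.add(key)
                queue.append((t.trusted, new_path))
    return None


def can_authenticate(user, user_domain, server, resource_domain, trusts, allowed_to_authenticate):
    """Domain Wide Authentication admits any user with a trust path; Selective
    Authentication on any trust in the path additionally requires the user to
    hold the Allowed to Authenticate permission on the target server."""
    path = trust_path(resource_domain, user_domain, trusts)
    if path is None:
        return False, "no trust path from %s to %s" % (resource_domain, user_domain)
    if any(t.selective_auth for t in path) and (user, server) not in allowed_to_authenticate:
        return False, "selective authentication: %s lacks Allowed to Authenticate on %s" % (user, server)
    hops = " -> ".join([resource_domain] + [t.trusted for t in path])
    return True, "%d hop(s): %s" % (len(path), hops)


def example_trusts():
    """Constructed topology: forest contoso.com (tree roots contoso.com and
    fabrikam.net), forest tailspin.local, and a down-level NT 4 domain LEGACYNT."""
    trusts = []
    trusts += two_way("contoso.com", "sales.contoso.com", "parent-child", True)
    trusts += two_way("sales.contoso.com", "eu.sales.contoso.com", "parent-child", True)
    trusts += two_way("contoso.com", "fabrikam.net", "tree-root", True)
    trusts += two_way("fabrikam.net", "dev.fabrikam.net", "parent-child", True)
    trusts += two_way("tailspin.local", "hr.tailspin.local", "parent-child", True)
    # forest trust between the two forest roots, created with Selective Authentication
    trusts += two_way("contoso.com", "tailspin.local", "forest", True, selective_auth=True)
    # one-way, nontransitive external trust: sales.contoso.com trusts LEGACYNT
    trusts.append(Trust("sales.contoso.com", "LEGACYNT", "external", False))
    return trusts


def shortcut_trust():
    """One-way shortcut trust: eu.sales.contoso.com trusts dev.fabrikam.net."""
    return Trust("eu.sales.contoso.com", "dev.fabrikam.net", "shortcut", True)


if __name__ == "__main__":
    base = example_trusts()
    print("eu.sales -> dev.fabrikam without shortcut:",
          len(trust_path("eu.sales.contoso.com", "dev.fabrikam.net", base)), "hops")
    print("with one-way shortcut:",
          len(trust_path("eu.sales.contoso.com", "dev.fabrikam.net", base + [shortcut_trust()])), "hop")
    print("LEGACYNT user to a contoso.com resource:", trust_path("contoso.com", "LEGACYNT", base))
    print(can_authenticate("alice", "hr.tailspin.local", "FS01", "eu.sales.contoso.com", base, set()))
    print(can_authenticate("alice", "hr.tailspin.local", "FS01", "eu.sales.contoso.com", base, {("alice", "FS01")}))
```

Running the script shows the four-hop path from eu.sales.contoso.com up to the forest root, across the tree-root trust and down to dev.fabrikam.net collapsing to one hop once the shortcut trust exists, but only in the direction the one-way shortcut was created; that the external trust to LEGACYNT is reachable from sales.contoso.com alone and is not extended to contoso.com or across the forest trust; and that with Selective Authentication on the forest trust a tailspin.local user is refused until explicitly granted Allowed to Authenticate on the target server.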

Planning Considerations for Trust Relationships
Tree-root trust and Parent-child trust are implicitly created by Active Directory when new domains are created. What this means is that you do not need to explicitly create these trusts, nor do you have to perform any configuration or management tasks for the trust relationships. Shortcut trust, Realm trust, External trust and Forest trust differ from Tree-root and Parent-child trust, in that the former four trusts have to be explicitly created and managed. Because of the different types of trust relationships that can be created, you need to plan which type of trust relationship to create for the domains within your Active Directory environment. Two points apply to every explicit trust: the direction of the trust is the opposite of the direction of access (users of the trusted domain reach resources in the trusting domain), and every trust you create widens the set of accounts that can be authenticated against your resources, so create the narrowest trust that meets the requirement (one-way rather than two-way, nontransitive where the trust type allows it, and Selective Authentication where the wizard offers it).

Shortcut Trust
Before you can create any shortcut trusts, you must be a member of the Enterprise Admins or Domain Admins group in each domain in the forest. Another requirement is that the domains you are creating shortcut trust for are Windows Server 2003 domains that reside in the same forest. As mentioned earlier, Shortcut trust is usually created to speed up authentication between two domains in different trees but within the same forest. What shortcut trust essentially does is shorten the trust path traversed for authentication requests made between domains of different trees. Shortcut trust improves query response performance as well. Shortcut trust is typically configured in an intricate forest where users continually need to access resources of domains belonging to different trees. Shortcut trust can be one-way transitive trust, or two-way transitive trust.
• You would need to create one-way shortcut trust when the optimized trust path is only needed for one of the domains in the trust. The other domain's users would still need to traverse the full trust path when handling authentication requests.
• You would need to create two-way shortcut trust when the users in each domain need to use the shortened trust path for authentication requests.
The Active Directory tool that you use to create shortcut trust is the Active Directory Domains and Trusts console. The console enables you to specify the authentication level separately for the incoming and the outgoing side of the shortcut trust. What this means is that you can set authentication differently for the two forms of trust. If Domain Wide Authentication is specified on the outgoing side of the trust, users in the other domain are authenticated automatically and receive the same default access to network resources in the local domain as local users. When you set Selective Authentication on the outgoing side, you would need to explicitly grant the Allowed to Authenticate permission on every server whose resources users in the other domain should be able to access.

Realm Trust
In order to create realm trust, you should have Enterprise Admins or Domain Admins permissions for the Windows Server 2003 domain, and you should have the permissions required for the non-Windows Kerberos version 5 realm. You would typically create realm trust to enable trust between a Windows Server 2003 domain and an MIT or UNIX Kerberos version 5 realm. You can create Realm trust as either transitive or nontransitive trust, and as either one-way trust or two-way trust.

External Trust
You need to be a member of Enterprise Admins or Domain Admins of the Windows Server 2003 domain, and you need to be a member of Enterprise Admins or Domain Admins of the other domain, to create one-way External trust or two-way External trust. Recall from an earlier discussion that External trust is always nontransitive in nature, can be one-way or two-way trust, and is typically used to enable trust between an Active Directory domain and a down-level Windows NT 4 domain. When the External trust is created, security principals (Users, Groups, Computers) from the external domain are able to access network resources in the internal domain (the Windows Server 2003 domain) once they have been granted permissions on those resources. The foreign security principals that Active Directory creates for them can be examined in the Active Directory Users And Computers console; the only requirement is that Advanced Features are enabled. You can explicitly define different authentication for incoming External trusts and outgoing External trusts.

Forest Trust
You need to belong to the Enterprise Admins group in each forest that you want to create forest trust between. In addition to this, the domains within each forest and each particular forest have to be raised to the Windows Server 2003 functional level. Forest trust is transitive. This trust relationship enables users to access Active Directory objects between all domains impacted by the particular forest trust relationship. Forest trust is typically created when enterprises merge or takeovers occur, and each company within the enterprise still needs to maintain some form of administrative independence. You would create one-way Forest trust when users in the trusted forest need to access Active Directory objects in the trusting forest, but those users in the trusting forest do not need to access resources in the trusted forest. You would create two-way Forest trust in cases where users in either one of the forests need to access resources hosted in the other forest.

How to create Shortcut trust using Active Directory Domains and Trusts
1. Open the Active Directory Domains and Trusts console.
2. In the console tree, locate and right-click the domain for which you want to configure Shortcut trust, and click Properties from the shortcut menu.
3. When the Properties dialog box of the domain you chose opens, click the Trusts tab.
4. Click the New Trust button at the bottom of the dialog box. This action starts the New Trust Wizard.
5. Click Next on the Welcome To The New Trust Wizard page.
6. When the Trust Name page opens, enter the DNS name of the other domain that you want to create trust with.
7. Click Next.
8. On the Direction Of Trust page, you can select one of the following options:
   o Two-Way: Click this option if you want to define two-way Shortcut trust. This would mean that users in each domain would be able to access resources in both domains.
   o One-Way: Incoming: This option should be enabled if you only want users of this particular domain to be able to access resources in the other domain.
   o One-Way: Outgoing: This option should be selected if you only want users of the other domain to be able to access resources in this particular domain.
   Click Next.
9. When the Sides Of Trust page opens, you can select one of these options:
   o This Domain Only: Selecting this option creates the Shortcut trust in the local domain.
   o Both This Domain And The Specified Domain: Selecting this option creates the Shortcut trust in the local domain and in the other domain that you indicated.
   Click Next.
10. The New Trust Wizard displays different pages next, based on what you selected in the previous two steps.
11. Where Two-Way or One-Way: Outgoing was selected in Step 8, and This Domain Only was selected in Step 9, the wizard displays the Outgoing Trust Authentication Level page. You can select either Domain Wide Authentication or Selective Authentication. Choosing Domain Wide Authentication results in the automatic authentication of users in the other domain for network resources in the local domain. If you select Selective Authentication, the users in the other domain are not automatically authenticated for resources in the local domain. Click Next. The wizard then displays the Trust Password page.
12. Where One-Way: Incoming was selected in Step 8, and This Domain Only was selected in Step 9, the wizard displays the Trust Password page directly. This is where you have to set the password for the trust. Enter the password for the trust in the boxes. Click Next.
13. Where Both This Domain And The Specified Domain was selected in Step 9, the wizard displays the User Name And Password page. You have to provide the user name and password of an Administrator account that has the necessary rights in the other domain. Click Next.
14. The Trust Selections Complete page is displayed next. All the settings that you previously specified are shown on this page. After checking that the configuration settings are correct, click Next.
15. The New Trust Wizard now creates the shortcut trust relationship. When the Trust Creation Complete page appears, click Next.
16. The Confirm Outgoing Trust page allows you to verify outgoing trust. Click Yes, Confirm The Outgoing Trust or click No, Do Not Confirm The Outgoing Trust. Click Next.
17. The Confirm Incoming Trust page allows you to verify incoming trust. Click Yes, Confirm The Incoming Trust or click No, Do Not Confirm The Incoming Trust. Click Next.
18. Click Finish when the Completing The New Trust Wizard page is displayed.

How to create Realm trust using Active Directory Domains and Trusts
1. Open the Active Directory Domains and Trusts console.
2. In the console tree, locate and right-click the domain for which you want to configure Realm trust, and click Properties from the shortcut menu.
3. When the Properties dialog box of the domain opens, click the Trusts tab.
4. Click the New Trust button at the bottom of the dialog box.
5. Click Next on the Welcome To The New Trust Wizard page.
6. When the Trust Name page opens, enter the DNS name of the Kerberos realm for the realm trust. Click Next.
7. The Trust Type page appears next. Select Realm Trust. Click Next.
8. When the Transitivity Of Trust page opens, select one of the following options:
   o Nontransitive: Select this option if the Realm trust should end with the two domains between which it is created.
   o Transitive: Select this option if you want this particular domain and all other trusted domains to create trust with the realm and other trusted realms.
   Click Next.
9. On the Direction Of Trust page, you can select one of the following options:
   o Two-Way: Click this option if you want to define two-way Realm trust. This would mean that users in the domain and realm would be able to access resources in both the domain and realm.
   o One-Way: Incoming: This option should be enabled if you only want users of this particular domain to be able to access resources in the realm.
   o One-Way: Outgoing: This option should be selected if you only want users of the realm to be able to access resources in this particular domain.
   Click Next.
10. The wizard displays the Trust Password page next. Enter the password for the trust in the boxes. The wizard only configures the Windows side; the same password has to be configured on the Kerberos realm's KDC by its administrator. Click Next.
11. The Trust Selections Complete page is displayed next. All the settings that you previously specified are shown on this page. After checking that the configuration settings are correct, click Next.
12. The New Trust Wizard creates the Realm trust relationship.
13. Click Finish on the Completing The New Trust Wizard page.

How to create External trust using Active Directory Domains and Trusts
You first have to specify a DNS forwarder for each of the DNS servers that are authoritative for the trusting forests, so that domain controllers in each forest can resolve the names of the other forest. You use the DNS Administration tool to configure DNS forwarders:
1. Click Start, click Administrative Tools, and click DNS.
2. Right-click the DNS server, and click Properties from the shortcut menu.
3. When the Properties dialog box of the DNS server opens, click the Forwarders tab.
4. Click New, and enter the DNS domain name that needs queries to be forwarded.
5. Click OK.
6. In the Selected Domain's IP Address List, enter the IP addresses of the servers to which these queries are forwarded.
7. Click Add.
8. Click OK.
You can then create the External trust:
9. Open the Active Directory Domains and Trusts console.
10. In the console tree, locate and right-click the domain in the initial forest for which you want to configure External trust, and click Properties from the shortcut menu.
11. When the Properties dialog box of the domain opens, click the Trusts tab.
12. Click the New Trust button at the bottom of the dialog box.
13. Click Next on the Welcome To The New Trust Wizard page.
14. When the Trust Name page opens, enter the DNS name of the domain in the other forest. Click Next.
15. The Trust Type page appears next if the forest functional level is raised to the Windows Server 2003 forest functional level. Select the External Trust option, and click Next. (The Direction Of Trust page is displayed straight after the Trust Name page if the forest functional level is not raised to Windows Server 2003.)
16. On the Direction Of Trust page, you can select one of the following options:
   o Two-Way: Click this option if you want to define two-way External trust. This would mean that users in each domain would be able to access resources in both domains.
   o One-Way: Incoming: This option should be enabled if you only want users of this particular domain to be able to access resources in the other domain.
   o One-Way: Outgoing: This option should be selected if you only want users of the other domain to be able to access resources in this particular domain.
   Click Next.
17. When the Sides Of Trust page opens, you can select one of these options:
   o This Domain Only: Selecting this option creates the trust in the local domain.
   o Both This Domain And The Specified Domain: Selecting this option creates the trust in the local domain and in the other domain.
   Click Next.
18. The New Trust Wizard displays different pages next, based on what you selected in the previous two steps.
19. Where Two-Way or One-Way: Outgoing was selected in Step 16, and This Domain Only was selected in Step 17, the wizard displays the Outgoing Trust Authentication Level page. You can select either Domain Wide Authentication or Selective Authentication. Choosing Domain Wide Authentication results in the automatic authentication of users in the other domain for network resources in the local domain. If you select Selective Authentication, the users in the other domain are not automatically authenticated for resources in the local domain. Click Next. The wizard then displays the Trust Password page.
20. Where One-Way: Incoming was selected in Step 16, and This Domain Only was selected in Step 17, the wizard displays the Trust Password page directly. This is where you have to set the password for the trust. Enter the password for the trust. Click Next.
21. Where Both This Domain And The Specified Domain was selected in Step 17, the wizard displays the User Name And Password page. You have to provide the user name and password of an Administrator account that has the necessary rights in the other domain. Click Next.
22. When the Trust Selections Complete page is displayed, the settings that you previously specified are shown. After checking that the configuration settings are correct, click Next.
23. The New Trust Wizard now creates the External trust. When the Trust Creation Complete page appears, click Next.
24. The Confirm Outgoing Trust page allows you to verify outgoing trust. Click Yes, Confirm The Outgoing Trust or click No, Do Not Confirm The Outgoing Trust. Click Next.
25. The Confirm Incoming Trust page allows you to verify incoming trust. Click Yes, Confirm The Incoming Trust or click No, Do Not Confirm The Incoming Trust. Click Next.
26. Click Finish.

How to create Forest trust using Active Directory Domains and Trusts
You first have to specify a DNS forwarder for each of the DNS servers that are authoritative for the trusting forests before you can use the Active Directory Domains and Trusts console to create Forest trust relationships.
1. Use the DNS Administration Tool to configure the necessary DNS forwarders, as described for External trust.
2. Ensure that the forest functional level for each forest is set to the Windows Server 2003 forest functional level.
3. Open the Active Directory Domains and Trusts console.
4. In the console tree, locate and right-click the domain in the initial forest for which you want to configure Forest trust, and click Properties from the shortcut menu.
5. When the Properties dialog box of the domain opens, click the Trusts tab and then click the New Trust button.
6. In the Welcome To The New Trust Wizard page, click Next.
7. Enter the DNS name of the domain in the other forest on the Trust Name page. Click Next.
8. In the Trust Type page, select the Forest Trust option. Click Next.
9. On the Direction Of Trust page, select one of the following options:
   o Two-Way: Click this option if you want to define two-way Forest trust. This would mean that users in each forest would be able to access resources in both forests.
   o One-Way: Incoming: This option should be enabled if you only want users of this particular forest to be able to access resources in the other forest.
   o One-Way: Outgoing: This option should be selected if you only want users of the other forest to be able to access resources in this particular forest.
   Click Next.
10. When the Sides Of Trust page opens, you can select one of these options:
   o This Domain Only: Selecting this option creates the trust in the local forest.
   o Both This Domain And The Specified Domain: Selecting this option creates the trust in the local forest and in the other forest.
   Click Next.
11. The New Trust Wizard displays different pages next, based on what you selected in the previous two steps.
12. Where Two-Way or One-Way: Outgoing was selected in Step 9, and This Domain Only was selected in Step 10, the wizard displays the Outgoing Trust Authentication Level page. You can select either Forest-Wide Authentication (the forest trust equivalent of Domain Wide Authentication) or Selective Authentication. Choosing Forest-Wide Authentication results in the automatic authentication of users in the other forest for network resources in the local forest. If you specify Selective Authentication, the users in the other forest are not automatically authenticated for resources in the local forest. Click Next. The wizard then displays the Trust Password page.
13. Where One-Way: Incoming was selected in Step 9, and This Domain Only was selected in Step 10, the wizard displays the Trust Password page directly. This is where you have to set the password for the trust. Enter the password for the trust. Click Next.
14. Where Both This Domain And The Specified Domain was selected in Step 10, the wizard displays the User Name And Password page. You have to provide the user name and password of an Administrator account that has the necessary rights in the other forest. Click Next.
15. When the Trust Selections Complete page is displayed, the settings that you previously specified are shown. After checking that the configuration settings are correct, click Next.
16. The New Trust Wizard now creates the Forest trust. When the Trust Creation Complete page appears, click Next.
17. The Confirm Outgoing Trust page allows you to verify outgoing trust. Click Yes, Confirm The Outgoing Trust or click No, Do Not Confirm The Outgoing Trust. Click Next.
18. The Confirm Incoming Trust page allows you to verify incoming trust. Click Yes, Confirm The Incoming Trust or click No, Do Not Confirm The Incoming Trust. Click Next.
19. Click Finish on the Completing The New Trust Wizard page.

How to validate existing Active Directory trust relationships
1. Open the Active Directory Domains And Trusts console.
2. In the console tree, right-click a domain that is defined in the trust relationship which you want to validate, and select Properties from the shortcut menu.
3. Click the Trusts tab.
4. You can select the trust you want to examine in one of the following boxes:
   o Domains Trusted By This Domain (Outgoing Trusts) box
   o Domains That Trust This Domain (Incoming Trusts) box
5. After you have selected the trust, click the Properties button.
6. When the Properties dialog box of the trust opens, click the Validate button.
7. If you only want to verify outgoing trust, click the No, Do Not Validate The Incoming Trust option and click OK.
8. If you want to verify incoming trust and outgoing trust, click the Yes, Validate The Incoming Trust option. Enter the appropriate user name and password combination in the User Name and Password boxes and click OK.
9. After the trust is validated, a message is displayed indicating this. Click OK.
10. Click OK.

How to remove existing Active Directory trust relationships
1. Open the Active Directory Domains And Trusts console.
2. In the console tree, right-click a domain that is specified in the trust relationship which you want to remove, and select Properties from the shortcut menu.
3. Click the Trusts tab.
4. Use the Domains Trusted By This Domain (Outgoing Trusts) box to select an outgoing trust you want to remove, or use the Domains That Trust This Domain (Incoming Trusts) box to select an incoming trust you want to remove.
5. Click the Remove button alongside the box.
6. Choose the appropriate option in the Active Directory dialog box:
   o If you want to remove the trust from the local domain only, click the No, Remove The Trust From The Local Domain Only option, and click OK.
   o If you want to remove the trust from the local domain and the other domain, click the Yes, Remove The Trust From Both The Local Domain And The Other Domain option. Enter the appropriate user name and password combination in the User Name and Password boxes and click OK.
7. Click Yes to verify that you want to remove the trust relationship.
8. Click OK.

How to create and manage trust relationships using the Windows Domain Manager command-line tool
You can use the Windows Domain Manager command-line tool to create and manage Active Directory trusts. Netdom.exe is included with the Windows Support Tools available on the Windows Server 2003 Setup CD-ROM. The netdom trust command is used to create and manage trusts:

netdom trust TrustingDomainName /d:TrustedDomainName [/ud:[Domain\]User] [/pd:{Password|*}] [/uo:User] [/po:{Password|*}] [/verify] [/reset] [/passwordt:NewRealmTrustPassword] [/add [/realm]] [/remove [/force]] [/twoway] [/kerberos] [/transitive[:{YES|NO}]] [/verbose]

• TrustingDomainName: indicates the name of the trusting domain. If this parameter is not specified, the domain of which this computer is a member is used.
• /d:TrustedDomainName: indicates the name of the trusted domain.
• /ud:[Domain\]User: indicates the user account that should be used to connect to the trusted domain. If this parameter is not specified, the current user account is used.
• /pd:{Password|*}: indicates the password associated with the /ud user account; * prompts for it.
• /uo:User and /po:{Password|*}: the corresponding user account and password used to connect to the trusting domain.
• /verify: verifies the trust password for a particular trust.
• /reset: resets the trust password for trusted domains.
• /passwordt:NewRealmTrustPassword: defines the trust password for the Windows domain if a non-Windows Kerberos realm is defined.
• /add: indicates that a trust relationship should be created.
• /realm: defines the trust as being created with a non-Windows Kerberos realm.
• /remove: indicates that the trust relationship should be removed.
• /force: used with /remove, indicates that the trust relationship should be removed forcibly.
• /twoway: indicates that a two-way trust relationship should be created.
• /kerberos: indicates that the trust protocol should be the Kerberos protocol.
• /transitive[:{YES|NO}]: indicates whether the trust should be created as transitive or nontransitive trust.
• /verbose: indicates that verbose output should be displayed.

• /realm, defines the trust as being created with a non-Windows Kerberos realm.
• /remove, indicates that the trust relationship should be removed.
• /force, indicates that the trusted domain object, as well as the cross-reference object for the other domain, should be removed.
• /twoway, indicates that a two-way trust should be created.
• /kerberos, indicates that the trust protocol should be the Kerberos protocol.
• /transitive[:{YES|NO}], indicates whether the trust should be created as a transitive or a nontransitive trust.
• /verbose, indicates that verbose output should be displayed.

1. What are the standard port numbers for SMTP, POP3, IMAP4, RPC, LDAP and Global Catalog? - SMTP – 25, POP3 – 110, IMAP4 – 143, RPC – 135, LDAP – 389, Global Catalog – 3268
2. Name the process names for the following: System Attendant? – MAD.EXE, Information Store – STORE.EXE, SMTP/POP/IMAP/OWA – INETINFO.EXE
3. What 3 types of domain controller does Exchange access? - Normal Domain Controller, Global Catalog, Configuration Domain Controller
4. What Exchange process is responsible for communication with AD? - DSACCESS
5. What must be done to an AD forest before Exchange can be deployed? - Setup /forestprep
6. What connector type would you use to connect to the Internet, and what are the two methods of sending mail over that connector? - SMTP Connector: forward to a smart host or use DNS to route to each address
7. How would you optimize Exchange 2003 memory usage on a Windows Server 2003 server with more than 1Gb of memory? - Add the /3Gb switch to boot.ini
8. What would a rise in remote queue length generally indicate? - This means mail is not being sent to other servers. This can be explained by outages or performance issues with the network or remote servers.
9. What would a rise in the Local Delivery queue generally mean? - This indicates a performance issue or outage on the local server. Reasons could be slowness in consulting AD, or slowness in handing messages off to local delivery or SMTP delivery. It could also be databases being dismounted or a lack of disk space.
10. What are the disadvantages of circular logging? - In the event of a corrupt database, data can only be restored to the last backup.
11. What is the maximum amount of databases that can be hosted on Exchange 2003 Enterprise? - 20 databases, 4 SGs x 5 DBs.
12. What are the required components of Windows Server 2003 for installing Exchange 2003? - ASP.NET, SMTP, NNTP, W3SVC

DNS Interview Questions and Answers
1. Secure services in your network require reverse name resolution to make it more difficult to launch successful attacks against the services. To set this up, you configure a reverse lookup zone and proceed to add records. Which record types do you need to create? Answer: PTR records
2. What is the main purpose of a DNS server? Answer: DNS servers are used to resolve FQDN hostnames into IP addresses and vice versa.
3. SOA records must be included in every zone. What are they used for? Answer: SOA records contain a TTL value, used by default in all resource records in the zone. SOA records contain the e-mail address of the person who is responsible for maintaining the zone. SOA records contain the current serial number of the zone, which is used in zone transfers.
4. By default, if the name is not found in the cache or local hosts file, what is the first step the client takes to resolve the FQDN name into an IP address? Answer: Performs a recursive search through the primary DNS server based on the network interface configuration.
5. What is the main purpose of SRV records? Answer: SRV records are used in locating hosts that provide certain network services.
6. Before installing your first domain controller in the network, you installed a DNS server and created a zone, naming it as you would name your AD domain. However, after the installation of the domain controller, you are unable to locate infrastructure SRV records anywhere in the zone. What is the most likely cause of this failure? Answer: The zone you created was not configured to allow dynamic updates. The local interface on the DNS server was not configured to allow dynamic updates.

7. You are administering a network connected to the Internet. Your users complain that everything is slow. Preliminary research of the problem indicates that it takes a considerable amount of time to resolve names of resources on the Internet. What is the most likely reason for this? Answer: DNS servers are not caching replies. Local client computers are not caching replies. The cache.dns file may have been corrupted on the server.
8. At some point during the name resolution process, the requesting party received an authoritative reply. Which further actions are likely to be taken after this reply? Answer: After receiving the authoritative reply, the resolution process is effectively over.
9. Your company uses ten domain controllers, three of which are also used as DNS servers. You have one companywide AD-integrated zone, which contains several thousand resource records. This zone also allows dynamic updates, and it is critical to keep this zone up-to-date. Replication between domain controllers takes up a significant amount of bandwidth. You are looking to cut bandwidth usage for the purpose of replication. What should you do? Answer: Change the replication scope to all DNS servers in the domain.
10. Which of the following conditions must be satisfied to configure dynamic DNS updates for legacy clients? Answer: The zone to be used for dynamic updates must be configured to allow dynamic updates. The DHCP server must support, and be configured to allow, dynamic updates for legacy clients.

DHCP Infrastructure
Dynamic Host Configuration Protocol (DHCP) is an IP standard for simplifying management of host IP configuration. The DHCP standard provides for the use of DHCP servers as a way to manage dynamic allocation of IP addresses and other related configuration details for DHCP-enabled clients on your network.

Hierarchy of Managed Entities
Dynamic Host Configuration Protocol (DHCP)
  NAP Components
  DHCP Scopes
  DHCP Runtime
  DHCP Database
  DHCP Service
  DHCPv6 Runtime
  DHCPv6 Scopes
  DHCPv6 Service

Managed Entities (Name: Description)
DHCP Server: A Dynamic Host Configuration Protocol (DHCP) server is a computer running the DHCP Server service that holds information about available IP addresses and related configuration information, as defined by the DHCP administrator, and responds to requests from DHCP clients.
NAP Components: Network Access Protection (NAP) is a health policy creation, enforcement, and remediation technology that is included in Windows Vista and Windows Server 2008. With NAP, system administrators can enforce health requirements, which can include software requirements, security update requirements, required computer configurations, and other settings. Dynamic Host Configuration Protocol (DHCP) enforcement includes a DHCP NAP enforcement server component and a DHCP NAP enforcement client component. By using DHCP enforcement, DHCP servers can enforce health policy requirements any time a computer attempts to lease or renew an IP address configuration on the network. DHCP enforcement is the easiest enforcement to deploy because all DHCP client computers must lease IP addresses. DHCP NAP requires proper NPS/RADIUS configuration.
DHCP Scopes: A Dynamic Host Configuration Protocol (DHCP) scope is the consecutive range of possible IP addresses that the DHCP server can lease to clients on a subnet. Scopes typically define a single physical subnet on your network to which DHCP services are offered. Scopes are the primary way for the DHCP server to manage distribution and assignment of IP addresses and any related configuration parameters to DHCP clients on the network.
DHCP Runtime: Dynamic Host Configuration Protocol (DHCP) runtime includes normal operating functions of the DHCP server. Examples of these functions include lease issuance and rogue detection.
DHCP Database: The Dynamic Host Configuration Protocol (DHCP) service database is a dynamic database that is updated as DHCP clients are assigned or as they release their TCP/IP configuration parameters. The DHCP server database can be backed up and restored, or migrated to another server.
DHCP Service: The Dynamic Host Configuration Protocol (DHCP) Server service is a process that runs in the background on a computer running Windows Server and provides IP addresses to clients.
DHCPv6 Runtime: Dynamic Host Configuration Protocol version 6 (DHCPv6) runtime includes normal operating functions of the DHCPv6 server. Examples of these functions include lease issuance and rogue detection.
DHCPv6 Scopes: A Dynamic Host Configuration Protocol version 6 (DHCPv6) scope is the consecutive range of possible IPv6 addresses that the DHCP server can lease to clients on a subnet. Scopes typically define a single physical subnet on your network to which DHCP services are offered. Scopes are the primary way for the DHCP server to manage distribution and assignment of IP addresses and any related configuration parameters to DHCP clients on the network.
DHCPv6 Service: The Dynamic Host Configuration Protocol version 6 (DHCPv6) Server service is a process that runs in the background on a computer running Windows Server and that provides Internet Protocol version 6 (IPv6) addresses to clients.

C:\WINDOWS\system32\drivers\etc contains these 5 files: 1. hosts 2. hosts.msn 3. networks 4. protocols 5. services

DHCP in Windows Server 2003
Dynamic - Means that the client's IP address may change
Host - Indicates that this is a system for clients, e.g. XP machines
Configuration - A clue that you are in charge of the options, e.g. DNS Server
Protocol - The rules controlling the flow of packets between client and server

Tutorial for DHCP in Windows 2003
Benefits of DHCP - How to save effort
Strategies - Client and Server
DHCP - Install and Configure
Options
Relay Agents
APIPA - When all else fails
DHCP - User Classes
DHCP - Database, Backup, Reconcile and Audit
Troubleshooting

Benefits of DHCP
All clients and servers need an IP address on a TCP/IP network. How will you configure those dotty dot numbers on your TCP/IP property tabs? Manually, or automatically via DHCP? Let us investigate what advantages an automatic DHCP service has over the manual alternative.
1. DHCP needs much less effort - manual configuration is boring and labour intensive.
2. No duplicate IP addresses. Provided you configure the DHCP scopes intelligently, there will never be another 'Duplicate IP address' problem to eat into your valuable time.
3. Easy to update a default gateway or DNS server's IP address. Manual changes would be a nightmare, you would have to visit every machine.
4. DHCP options give a sense of central control.
5. Above all,

DHCP Client
With a DHCP server installed and configured on your network, DHCP-enabled clients can obtain their IP address and related configuration parameters dynamically each time they start and join your network. DHCP servers provide this configuration in the form of an address-lease offer to requesting clients.

Strategies for the clients and servers
10 years ago, when I first saw DHCP, I thought that you would need one DHCP server on each subnet - wrong. What I now recommend as a default is two DHCP servers for the whole company. For those subnets without a DHCP server you configure a DHCP Relay Agent. If you have two DHCP servers, then provide redundancy by splitting each scope so that each DHCP server gets a non-overlapping range, but use a different range. Let me elaborate. For example:
Server A: 10.10.56.1 to 10.10.56.120
Server B: 10.10.56.121 to 10.10.56.254
Each scope has a class C Subnet Mask /24 (255.255.255.0).

Strategies for the servers
What are you going to do about the IP addresses for the servers themselves? Configure static IP addresses, even for file and print servers? Select static IP addresses, then EXCLUDE a range from the scope. Or choose DHCP configuration, and consider a RESERVATION for each server. (Except the DHCP server itself.) If you try the strategy of DHCP addresses for file and print servers, the killer advantage is that you can set DNS and Router options even for the servers. Let me elaborate: if you set server IP addresses manually, but then you change the default gateway, you may forget to change the servers' default gateway. The result would be a loss of whatever service the servers were providing. However, if the servers have a reserved IP address then they come under the umbrella of your scope options and so there would be no extra work, and no loss of service.

Summary
DHCP is now a well established strategy for providing computers with IP addresses. Slowly I am warming to this DHCP idea. However, because there are so many settings in so many places, take the time to develop your DHCP tactics. I have a series of tutorials to help you.

Tutorial to Install and Configure DHCP Servers
Install and Configure DHCP in Windows Server 2003
As services go, DHCP is easy to both install and configure. However, it is full of surprises and hidden treasures. Install it, then explore the properties of both the DHCP server icon and the scopes. I am willing to bet that my tutorial will unearth at least one new option that will improve your DHCP performance.

DHCP Install
Address Leases
Scope Options
Address Reservations
Authorize - DHCP Server in Active Directory
Activate - DHCP Scope
Summary

DHCP Install
This tutorial will guide you through the steps needed to get your DHCP server installed and configured correctly. Let us begin with a straightforward job to install DHCP. Get your Windows Server CD ready, then navigate to: Add Remove Programs, Windows Components, Networking Services. Whilst adding the DHCP service is easy, configuring the scope options needs thought. For example, if you make a mistake with the subnet mask, you cannot amend that scope, you would have to delete it and start afresh.

DHCP Address Leases
Lease is a good name for a DHCP IP property. Take for example the 8 day default lease. Halfway through their lease clients attempt to renew their lease, top up the lease. For instance, if the client is shut down for 2 days, when it restarts it will continue to have the same IP address. IPCONFIG /all will show you the lease, while /renew will do what it says. Only reduce the duration if you are short of IP addresses, for example if you only have 250 IP addresses but 300 possible clients. It also makes sense to set short leases if you are likely to discontinue a scope in the near future.

Here is a table summarising how a DHCP service results in clients getting an IP address. These are the classic 4 packets that clients exchange during a lease negotiation. If you are interested in seeing these packets, use Network Monitor to capture DHCP in action.
Client                     Server
DHCPDiscover -->
             <-- DHCPOffer
DHCPRequest  -->
             <-- DHCPack
DHCPInform   (Server checks that it is Authorized in Active Directory)

Note 1: DHCPRequest may seem strange, but it comes into play if there are two DHCP servers and both make an offer to a potential client.
Note 2: DHCPack. Once in a blue moon you see DHCPNack, this is a negative acknowledgement which means, 'I do not know you'. The most likely cause of a Nack is the client trying to renew an IP address from the wrong DHCP server.

Scope Options
Take the time to investigate Scope Options, this is the most likely place that I will win my bet that you will find a new setting which will improve your network performance. Examples of DHCP Scope Options: Router (Default Gateway), DNS Servers (006), Domain Name (015), WINS (044 and 046), Classes (Advanced Tab): Vendor Class - Windows 98 Machines, User Class - Routing and Remote Access, Creating your own User Class - See more here. These options can be set at the Scope Level, Server Level, Reservation Level or at the Class Level (Tricky). So find all four places and make up your mind which would be the best level for your network.

Address Reservation
Reserving IP addresses is useful in two situations, for file and print servers and for important machines where leases are in short supply. How does DHCP know which machine to lease a particular IP? The answer is by its MAC address (also called NIC or Physical address). To find the MAC address ping the machine then type arp -a. In Windows 2003 when you enter the MAC address DHCP strips out the hyphens if you absentmindedly include them amongst the HEX numbers. Remember that you can set DHCP Options for the reservations, after all, that may have been the very reason why you decided to make reservations in the first place.

Authorize - DHCP Server
In a Windows Server 2003 (or 2000) domain all DHCP servers need to be authorized in Active Directory. This is an example of Microsoft's new security initiative, and an attempt to eliminate rogue DHCP servers set up by junior administrators in a large company. So, you need to logon (or RunAs) as a member of the Enterprise Admins group. Then right click the DHCP server icon, and Authorize.

Activate - DHCP Scope
Even after you Authorize a server, each scope must be activated individually. So, right click the scope to activate (or deactivate). Keep your eye on the red or green arrows to judge your success. Note you may have to Refresh from the server icon, often pressing F5 is not enough. Incidentally, the RIS service also needs to be Authorized before it becomes active.

Summary of Configuring DHCP
Installing DHCP is easy. Authorizing and Activating are straightforward. The toughest part is investigating all the Scope options and deciding whether to implement them at the Server or Scope level. Here is a major strategic decision - what use will you make of DHCP reservations?

DHCP - Relay Agent for Windows Server 2003
Instead of deploying a DHCP server on every subnet, discover how to install and configure a DHCP relay agent. This page will provide a step-by-step tutorial on getting the most from your DHCP Server.
Tutorial for DHCP Relay Agent
Relay Agent - Concept
Relay Agent - Installation
Relay Agent - In action
Conflict Detection
APIPA
Summary and Challenges

Relay Agent - Concept
DHCPDiscover packets, like all broadcasts, cannot pass across routers. In this instance, if you have a modern Router which is RFC 1542 compliant, then you can forward the DHCPDiscover packets to a DHCP server in a different subnet; the Router acts as a Relay Agent.

Relay Agent - Installation
It is rare for Microsoft to remove functionality, but while NT 4.0 Workstations could act as DHCP Relay agents, XP and W2K Pro cannot. So you need to install the relay agent on a Windows Server 2003. By far the hardest part of mastering the DHCP relay agent is installing it. In fact that was a lie. Once you have found the relay agent, configuring it to listen for DHCPDiscover packets is the proverbial piece of cake.

What is not obvious is where you find the relay agent; the answer is in Routing and Remote Access. When you think about it, the relay agent is a type of router, hence the RRAS location to install and configure the DHCP Relay agent makes sense. As I say, once you find and install the Relay Agent, configuring is easy, all you need to do is tell the router or DHCP relay agent the IP address of the real DHCP servers. From the Routing and Remote Access interface, navigate to IP Routing, DHCP Relay Agent. Just right click the DHCP Relay Agent, and then select properties from the shortcut menu. Trap: you forget to add an interface. See that the 'ISP' interface in the screen shot is Enabled.

Relay Agent - In action
Let us turn this tutorial to see how the Relay Agent works. What happens is the Relay agent intercepts DHCPDiscover packets from clients and then unicasts to the DHCP server on their behalf. The first time it worked I thought that it was a miracle that the client got the correct IP address. On reflection, I realized that the Relay Agent adds the Source IP address when it contacts DHCP. So now I understand how the server knows, from its list of scopes, which subnet to offer an IP address. The secret of successful relaying is to create the appropriate scope on the DHCP server.

Hop Count
How many routers lie between your client and its DHCP server? Each router would represent 1 hop, so calculate the maximum hop count that you need and configure the Relay Agent accordingly. Right click the Interface, not the server, and check the Hop Count threshold.

Boot Threshold
The boot threshold setting is for the cautious (or paranoid). Such people would have a DHCP server AND a Relay Agent on the SAME subnet. In these circumstances, you should consider how long the Relay Agent should wait for the main DHCP server to respond. To do this adjust the Boot threshold.

Conflict Detection
Where you have relay agents, especially if you configure more than one, there is a possibility of duplicate IP addresses. The conflict detection feature means that the DHCP server checks by pinging the proposed address lease before actually issuing it. Naturally, if the server receives a reply, that IP address is not offered.

Conflict Detection is a property of the DHCP server as a whole and not of individual scopes. To set the threshold, right click the server icon, properties, then Advanced (Tab).

APIPA
If all else fails, then clients give themselves an Automatic IP address in the range 169.254.x.y where x and y are two random numbers between 1 and 254. In NT 4.0 days, a client would end up with a 0.0.0.0 address if there were no DHCP server, and then you needed to reboot to obtain a valid IP address. Whilst APIPA is a sign of failure, the fact that the client has a valid IP address means that it can keep on polling to see if a DHCP server has come back online.

Summary and Challenges
When you set up a relay agent there are a number of other factors to consider: Boot Threshold, Hop Count, and Conflict Detection. My tutorial compares the difficulty of installation with the ease of configuring. So go slowly, pay attention to detail and check your configuration; in particular watch out for what needs configuring on the server, and when to run IPCONFIG on the clients.

User Classes - A tough challenge
Topics for DHCP Configuration
Creating your own User Class
Set your own Predefined Options
Summary and Challenges

User Classes - Concept
The idea is that you may wish a sub-set of computers to have a different default gateway. Take the scenario where you have 6 directors who need internet access and would like those machines to have different DHCP scope options. Now actually making your own User Class work is one of the most difficult jobs in the whole of computing.

Creating your own User Class - Configuration
1) Create your User Class. From the DHCP server icon, select Define User Classes from the shortcut menu. (See Diagram 1) The crucial button is the: Add.
2) Add your chosen User Class. Director would be the answer for our example. Crucial point: the trick is to get rid of the dot under ASCII and add a name that you will use for this special User Class.
3) Remember to create the special options, for example a new Default Gateway. To do this choose the Advanced tab on the Options.
4) Now we switch our attention to the clients. The key is to tell the clients which User Class they belong to. For example, IPCONFIG /setclassid director. However, your average user would not be able to remember this command. In 'real life' I would use a logon script to set this command.
5) Test your /setclassid with IPCONFIG /all or IPCONFIG /showclassid.

Set your own DHCP Predefined Options
Keep your eye out for Predefined options like WPAD 252, where you can automatically set the ISA proxy server for your DHCP clients. I have one 'killer use' for Predefined options, to set the WPAD (Web Proxy Auto Detect) for XP clients. Now you could set the ISA server Proxy with a group policy, but it may be easier to control via a DHCP option. Right click the DHCP server option, select: Set Predefined Options. Next, in the Name box, enter WPAD. Change the Data Type box to: String. In the Code box, type: 252. Important: In the Predefined Option and Values dialog box, type http://ISA-yourServer:80/wpad.dat in the box, press enter. Note: 80 is the default port of the ISA AutoDiscovery service. I am sure that there will be more uses for Predefined options in the next few years.

Summary and DHCP Challenge
Creating the server and client side of the DHCP User Classes is one of the most challenging and satisfying configuration tasks.
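As an added example (not part of the original tutorial), here is how the Scope Options listed earlier (Router, DNS Servers 006, Domain Name 015, WINS 044/046) and the site-defined WPAD option 252 are encoded in the options field of a DHCPOffer and decoded back into what IPCONFIG /all shows, with a parser that rejects an overrunning or unterminated options field. All addresses, the domain name and the ISA-yourServer URL are constructed sample values, and the generic RFC 2132 code/length/value encoding is used, not Microsoft's own server code.

```python
import ipaddress

DHCP_MAGIC_COOKIE = b"\x63\x82\x53\x63"         # RFC 2132 start of the options field
OPT_PAD, OPT_END, OPT_MESSAGE_TYPE = 0, 255, 53
OPT_ROUTER = 3                                  # Router (Default Gateway)
OPT_DNS_SERVERS = 6                             # DNS Servers (006)
OPT_DOMAIN_NAME = 15                            # Domain Name (015)
OPT_WINS_SERVERS, OPT_WINS_NODE_TYPE = 44, 46   # WINS (044 and 046)
OPT_WPAD = 252                                  # site-defined String option (Set Predefined Options)

MESSAGE_TYPES = {1: "DHCPDiscover", 2: "DHCPOffer", 3: "DHCPRequest",
                 5: "DHCPAck", 6: "DHCPNak", 8: "DHCPInform"}

def encode_options(msg_type, options):
    """Serialise {code: value} into a DHCP options field as code, length, value.
    str -> ASCII, int -> one byte, list of addresses -> packed IPv4s, bytes as-is."""
    out = bytearray(DHCP_MAGIC_COOKIE)
    out += bytes([OPT_MESSAGE_TYPE, 1, msg_type])
    for code, value in options.items():
        if isinstance(value, str):
            data = value.encode("ascii")
        elif isinstance(value, int):
            data = bytes([value])
        elif isinstance(value, (list, tuple)):
            data = b"".join(ipaddress.IPv4Address(a).packed for a in value)
        else:
            data = bytes(value)
        if not 0 < len(data) <= 255:            # the length is a single byte on the wire
            raise ValueError(f"option {code}: bad length {len(data)}")
        out += bytes([code, len(data)]) + data
    out.append(OPT_END)
    return bytes(out)

def decode_options(blob):
    """Parse an options field back into {code: raw bytes}. A missing cookie, a
    length byte that overruns the buffer or a missing END marker is rejected,
    so a malformed packet from a buggy or rogue server is never misread."""
    if blob[:4] != DHCP_MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts, i = {}, 4
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            return opts
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        data = blob[i + 2:i + 2 + length]
        if len(data) != length:
            raise ValueError(f"option {code} overruns the packet")
        opts[code] = data
        i += 2 + length
    raise ValueError("options field not terminated by END")

def _ips(data):
    if len(data) % 4:
        raise ValueError("address list is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(data[k:k + 4])) for k in range(0, len(data), 4)]

def describe(opts):
    """Turn decoded options into the fields IPCONFIG /all would show the client."""
    info = {"message_type": MESSAGE_TYPES.get(opts.get(OPT_MESSAGE_TYPE, b"\0")[0], "unknown")}
    if OPT_ROUTER in opts:
        info["default_gateway"] = _ips(opts[OPT_ROUTER])
    if OPT_DNS_SERVERS in opts:
        info["dns_servers"] = _ips(opts[OPT_DNS_SERVERS])
    if OPT_DOMAIN_NAME in opts:
        info["domain_name"] = opts[OPT_DOMAIN_NAME].decode("ascii").rstrip("\0")
    if OPT_WINS_SERVERS in opts:
        info["wins_servers"] = _ips(opts[OPT_WINS_SERVERS])
    if OPT_WINS_NODE_TYPE in opts:
        info["wins_node_type"] = {1: "B", 2: "P", 4: "M", 8: "H"}.get(opts[OPT_WINS_NODE_TYPE][0])
    if OPT_WPAD in opts:
        info["wpad_url"] = opts[OPT_WPAD].decode("ascii")
    return info

def is_apipa(address):
    """True for a 169.254.x.y self-assigned address, i.e. no lease ever arrived."""
    return ipaddress.IPv4Address(address) in ipaddress.IPv4Network("169.254.0.0/16")

# Constructed sample (hypothetical values): the scope options a server would
# attach to its DHCPOffer for the 10.10.56.0/24 scope used in the tutorial.
SAMPLE_SCOPE_OPTIONS = {
    OPT_ROUTER: ["10.10.56.200"],
    OPT_DNS_SERVERS: ["10.10.56.10", "10.10.56.11"],
    OPT_DOMAIN_NAME: "example.local",
    OPT_WINS_SERVERS: ["10.10.56.12"],
    OPT_WINS_NODE_TYPE: 8,                        # H-node
    OPT_WPAD: "http://ISA-yourServer:80/wpad.dat",
}

def sample_offer():
    """Round-trip the sample scope options through an encoded DHCPOffer."""
    return describe(decode_options(encode_options(2, SAMPLE_SCOPE_OPTIONS)))
```

Call sample_offer() to see the decoded offer; is_apipa() is the check behind the 169.254.x.y symptom discussed in the troubleshooting section.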

DHCP - Database Topics
Perhaps you have never given the DHCP database a thought. Well the time may come where you need to backup, reconcile or compact the DHCP database. Understanding this database will help you back up and restore a DHCP server. At the very least, I expect you will want to check your lease statistics.
Tutorial Topics for DHCP Database
DHCP - Display Statistics
DHCP Database
Backing up the DHCP Database
Reconcile
DHCP Audit Log
Summary - Challenges

DHCP - Display Statistics
Bizarrely, I find 'Display Statistics' the most difficult tab to find on the DHCP server. This is because it's the first item on the menu, and is often masked by the very highlight that should attract me. I just hope that you are not afflicted by this blind spot. See the screen shot to find the Display Statistics menu. In any event, Display Statistics is one of the most interesting and rewarding items on the DHCP menu. Display Statistics is available at both the server and the scope level. My first thought is, 'How many leases are left?' Next, I look to see if there have been any NACKs or lease declines.

DHCP Database
DHCP has its own database. Check out this folder: %systemroot%\system32\dhcp\dhcp.mdb. Stored in this DHCP.mdb are the addresses, scopes and leases of the clients. As time goes by the database will grow, and best practice dictates that you should consolidate the database by freeing up space taken up by old leases. The procedure for compacting the dhcp.mdb database is this.
1) Stop the DHCP service. Either right click the DHCP Server icon, select All Tasks then Stop. Alternatively, go to the command line and type: NET Stop DHCPServer. (For once the command really is DHCPserver, NOT DHCPyourservername.)

2) At the command line, navigate to: %systemroot%\system32\dhcp\dhcp.mdb.
3) Jetpack dhcp.mdb temp.mdb. What this does is copy the existing database, compact it, then copy it back to the original location - clever.
4) Remember to restart DHCP: NET Start DHCPServer.
Warning: Do not 'mess' with any of the files that you find in the %systemroot%\system32\dhcp folder; if you do, then DHCP will stop working and you will either have to restore, or else re-install DHCP.

Backing up the DHCP Database
The first surprise is that this dhcp.mdb database is backed up every hour. The second surprise is that the old jetpack database engine controls the database. The third surprise is that you can only automatically backup to a local folder. Finally, and unsurprisingly, there is a GUI to backup the DHCP database. Should you need a 'real' backup, then just backup the files in the %systemroot%\system32\dhcp\Backup\ directory.

Reconcile
Reconcile is a technical term for making sure that DHCP information is consistent. Specifically, there is a mismatch between lease information in the database and the same information in the DHCP server's registry. What can happen is that when you restore a database, the detailed information from a recent restore may be different; however, the registry just stores basic or summary information, so a 'Reconcile' will ensure that the database and registry data are consistent once more. Bear in mind that you can either reconcile individual scopes or choose all scopes. It all depends on the 'focus' of what you select. Either use the GUI (or the command line if you prefer): when you select the server icon, you can Reconcile All Scopes - see diagram above (not below). If you select an individual scope then that is the limit of what you can reconcile.

DHCP Audit Log
Once you setup DHCP auditing, you get a separate log for each day of the week. The logs are a wealth of information, not just about the health of the server, but also which machine gets which IP address for how long.

To setup Auditing, right click the DHCP server, then select properties. Auditing removes the last reason for having static IP addresses: accountability. Diehards, Luddites who resist DHCP, often justify static IP addresses on the grounds that you can always account for which machine had which IP address on a particular day. With DHCP Auditing you can achieve the same result and have all the benefits of central administration, instant control over default gateways and a raft of other options.

Summary - DHCP Challenges
The DHCP database is full of surprises. Discover how many leases you have issued with 'Display Statistics'. Next discover where the database is situated, understand where you can Reconcile the scopes, and master how to compact the dhcp.mdb. Finally, check whether or not auditing is set up on your DHCP server.

DHCP Troubleshooting
It may be famous last words, but DHCP does not give many problems. However if you are suffering from an APIPA address or a mis-configuration, then check out these symptoms and their associated cures.
Topics for DHCP Troubleshooting
APIPA (Automatic Private IP Address)
DHCP Server has stopped
DHCP Database is corrupted
Trap - Subnet mask
Trap - Static address
Trap - Orientation, finding a Scope Option
Trap - DHCP Relay Agent, Interface
DHCP Bottlenecks
Summary

APIPA (Automatic Private IP Address)
When you run IPCONFIG, if you see an address beginning 169.254.x.y, this is known as APIPA. There may be nothing wrong, on a small network this could be 'By design'. However on a business network, more than likely it means that the DHCP server is down, or the Relay Agent is not doing its job. IPCONFIG will be your number one troubleshooting tool. Take the time to learn all its switches. For example IPCONFIG /all. Also, /release and /renew.

DHCP Server has stopped
If the DHCP server is newly installed then check that it has been Authorized in Active Directory by an Enterprise Admin. If it is Authorized (Green down arrow on server Icon), then check that the scope is activated. Alternatively, firstly check through the system and application event logs.

DHCP Database is corrupted
When you suspect that the DHCP database is corrupt, then you have two choices. If your worst fears are confirmed, either just ruthlessly delete the affected scopes and start again, or attempt to restore the database from backup. See here for more information.

Trap - Subnet mask
You cannot change a subnet once you have configured a scope. All that you can do is delete that scope and then start again. See more about configuring DHCP scope

Trap - Static address
It goes without saying that the very DHCP server itself must have a fixed IP address. The DHCP server cannot be its own client.

Trap - Orientation, finding a Scope Option
Are you looking for a property of an individual scope, or a property of the DHCP server option? As a rule of thumb, if you cannot find what you are looking for on the server, try the scope, and vice versa! For example, the clients have a default gateway address of 10.10.56.200, but you do not know where this IP address is coming from.

Trap - DHCP Relay Agent, Interface
Make sure that you add the interface to the Relay Agent. The Relay Agent is found under the Routing and RAS server icon. Whilst you add the interface itself, by right clicking the Relay Agent object, select New Interface from the shortcut menu. See more on DHCP Relay Agent

DHCP Bottlenecks

If you suspect that there is more DHCP activity than necessary, then setup a performance log and monitor the key counters, for example Requests /sec. See more about Performance Monitor here.

Summary
DHCP servers are normally well behaved, however here are a selection of tips and traps for when you are stuck.
Dhcp backup path: %systemroot%\system32\dhcp\dhcp.mdb

===============***************===============

DNS (Domain Name System) in Windows 2003 Server
The purpose of the tutorials in this section is to help you get started with DNS's terms and concepts. Mastering DNS is not easy, so take the time to learn the principles behind Microsoft's dynamic DNS. The purpose of this page is to act as a mini site map and provide pointers to DNS topics of interest.
New Features for DNS in Windows Server 2003
DNS - Names & Namespace
Types of DNS Zone
Conditional Forwarding
Installing DNS Server
DNS Queries
Resource Records
DNS Naming Rules
Basic DNS Server Troubleshooting
Advanced DNS Troubleshooting
Debug Logging for DNS in Windows Server 2003
DNSLint - Utility

Introduction to DNS in Windows Server 2003
There are three scenarios in which your network needs DNS. Firstly, to find Active Directory resources such as Global Catalog Servers and also Domain Controllers that authenticate Logon or Kerberos requests. Secondly, to locate pages on the internet, and thirdly, mundane tasks, for example connecting to a printer share. When it comes to troubleshooting connectivity, DNS is one of THE most difficult tasks in Windows 2003. The secret of having a fast and secure Active Directory network is planning then configuring your DNS Server.

DNS Summary
DNS is the most difficult topic in the whole of Active Directory in general and TCP/IP in particular. One 'Litmus Test' for a difficult topic is the number of specialist terms a component uses. My rule is the more unusual words and acronyms, the more difficult the subject is to master. DNS passes this 'difficulty' test with flying colours. For instance you need to understand Namespace, Authoritative, Recursive, SOA and Incremental, to name just a few of the DNS keywords. Make a start by listing the DNS terms and understanding how they fit together. As you learn about DNS Server, watch out for ways to increase your computing vocabulary. Finally, to be a 'top techie' forget those exams; if you can troubleshoot DNS then you can not only talk the talk but you can walk the walk and rule that server room.

What's new in Windows Server 2003 DNS
The big improvements in Microsoft's DNS came in Windows 2000: with the advent of Windows 2000, DNS became dynamic DNS. In practical terms, it means that clients can update their own DNS server records automatically, thus reducing the administrative load. However, Server 2003 has a surprising number of neat new dynamic DNS features. My tutorials will give you step-by-step guidance on how to get the most out of Microsoft's Dynamic DNS.

DNS makes it possible for clients to access network resources using alphanumeric names rather than pure IP addresses. Unlike WINS, DNS is hierarchical. The killer reason for implementing DNS is that Active Directory relies on DNS for finding Global Catalog, Kerberos and Logon servers. Before you install DNS on a production network you need to answer a whole series of questions. For example: Will your DNS name match your email domain? Who will be in charge of DNS, you, or must you rely on a Unix department?

New DNS Topics for Windows Server 2003: DNS Stub Zones; _MSDCS Zones; Conditional Forwarding; Debug Logging; DNSLint Utility; Universal Group Caching.

DNS Stub Zones
Stub Zones are rather like DNS Secondary zones. The similarity is that both zones hold a read only copy of records from the server that is authoritative for a child DNS domain. The difference is that a Stub Zone has only three kinds of record, SOA, NS and A (the glue addresses of the name servers), whereas a Secondary zone has the full set of A records. In practical terms, the logic is that you create the Stub Zone only in the root domain, and the Stub Zone then holds those three records for each child domain.

When you need to create a Stub Zone, just call for the DNS snap-in, right click on the Forward Lookup Zones folder, select New Zone, and follow the wizard. Incidentally, the A (Host) records in the Stub zone are referred to as 'glue' records. The point of Stub Zones is to streamline administration, improve name resolution and possibly reduce network traffic. Needless to say, Stub Zones are only needed in large, complicated Forests, and are unnecessary if you only have one domain.

_MSDCS DNS Zones
These DNS records beginning with an underscore are for servers to locate resources, for example _GC means Global Catalog and _DC means Domain Controller. While these resource records exist in Windows 2000, in Windows Server 2003 the _MSDCS records have been moved to their own zone. The benefit of this new arrangement is that you can control the resource replication: you may want to replicate records to all Domain Controllers in the Forest, or perhaps you want to restrict replication to Domain Controllers in the local domain.

Conditional Forwarding
Conditional DNS forwarding is rather like taking a short cut. If I am in guybay.com and I am running DNS and I want to contact quickgear.org, then I could go via the root '.' domain, then the org server, then quickgear.org. Or, provided I knew the IP address of the name server for quickgear.org, I could set up conditional forwarding and so take a shortcut. Configure Conditional Forwarding from the Forwarders tab of the very DNS server (not the forward lookup zone tab). More on Conditional Forwarding.

Debug Logging for DNS
If you are troubleshooting a DNS connectivity problem, then master Debug Logging. To start Debug Logging navigate to the DNS snap-in, then the server icon's Properties, Debug Logging tab. The important features are the switches that choose which packets to record: direction (incoming, outgoing), transport (UDP, TCP), contents (queries, updates, notifications) and type (requests, responses), plus the log file path and its maximum size. Log selectively; logging everything on a busy server fills the file quickly. A bonus of learning about Debug Logging in DNS is that you can apply the technique to other services, for instance Exchange 2003. More on Debug Logging.

DNSLint Utility
In the Windows Server 2003 support folder there is a marvellous utility called DNSLint. What this does is display information about DNS in HTML format, for example mail delivery, MX records, and 404 web page errors. More on DNSLint.

Related Feature - Universal Group Caching

Universal Groups sound great, and they are great if you only use them when Global groups would NOT get the job done. A domain controller will not let you logon until it has checked all the Universal groups that you could possibly be a member of. The operating system's paranoia is that you may be a member of a Universal group in a distant part of the forest that has been used to deny permissions. So, unless the domain controller is sure it has enumerated all the Universal groups, it will not let you logon, just in case there is a security violation. This is the logon problem that Universal Group Caching solves, particularly in large forests. The answer to the security versus speed dilemma is Universal Group Caching: if the domain controller can check its cache of Universal Group memberships, then it can logon the user with the correct security tokens without troubling domain controllers in other parts of the forest. Bear in mind that the cache is only refreshed periodically, so a change to a user's Universal Group membership, including removal from a group used to deny access, reaches a caching site only after the next refresh.

Once you have decided to implement Universal Group Caching, visit Active Directory Sites and Services. Drill down to Site-name and find NTDS Site Settings, Properties. (If you only see a General tab, then you have drilled down too far; back-track from the server's NTDS Settings to the site's NTDS Site Settings.) Check the box which says Enable Universal Group Membership Caching. If you are really stuck then just ask for Help: Enable Universal Group Caching. Also stick to the best practice of only adding Global Groups to Universal Groups. My point is: avoid adding individual accounts to a security Universal Group.

Summary of New DNS Features
In Windows 2000, DNS made a huge jump from DNS in NT 4.0. What Windows Server 2003 does is iron out a few clunky wrinkles, and add new DNS features which speed up network performance.

DNS Names in Windows 2003 Server
This page explains how DNS uses, resolves and maps names. Study the DNS namespace and make wise decisions when you create names for your domain, subdomains, servers and hosts.

Topics for DNS Names: Introduction to DNS Names; Hosts, Hosts Files and Hostnames; DNS Namespace; DNS Name Server (NS); Rules of DNS Naming; Summary of Naming.

Introduction to DNS Names
The purpose of DNS is to provide a connection when we type a name. Now that name could refer to a server, a web site, a host, or a UNC path. It's an exaggeration to say that DNS provides the connection, but it does supply the answer to the name to IP address mapping. Always remember that computers prefer to use an IP address and that the role of DNS is to be a database of host records.

Let us start with a simple network where DNS maps the HostName to an IP address: for example, where is BigServer? Back comes the reply with BigServer's IP address. On the internet there is an extra layer because we prefer to use a FQDN (Fully Qualified Domain Name) such as www.computerperformance.co.uk. In this example we want to access the root web page at www.computerperformance.co.uk/. We will look at the detail later, but for now back comes the reply that NameServer.SomeISP.com has a record for the web site we want:

www.computerperformance.co.uk   NameServer.SomeISP.com   64.144.239.69

NameServer.SomeISP.com has a record for the Computer Performance web site at IP address 64.144.239.69. An organization called InterNIC provides and controls the extra mapping layer. If you like to match theory to practice, try an experiment with 'Trace Route': tracert computerperformance.co.uk.

New features are supposed to make DNS easier and faster, but harder for you and me to understand. What they don't tell you is that each extra setting makes it more scalable and less error prone for the DNS server. The answer is that if you do get into a tangle, return to the basics. Whenever you have trouble understanding DNS, review the basics and test with ping.

Hosts, Hosts Files and HostNames
Hosts means a simple (A) record that maps a machine name (HostName) to an IP address. Hosts is also the name of a file found in the %systemroot%\System32\drivers\etc folder. Can you believe that once upon a time (1983) this was how everyone mapped hostnames and IP addresses? Then Paul Mockapetris invented a hierarchical, distributed system and called it DNS (RFCs 882 and 883, November 1983). The link between this history lesson and the basics is that when all else fails, edit that hosts file in the \drivers\etc folder and add the hostname and IP address to make your connection work. The resolver consults the hosts file before it asks any DNS server, which is exactly why malware likes to plant entries there: when a machine resolves a well-known name to an unexpected address, check the hosts file first. In modern DNS, DNS servers are designed to answer queries.

In addition, you can check the FQDN found at System Icon, Computer Name, Change, More; or just type hostname at the command prompt. You will need this information to configure this setting when installing Active Directory.
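Here is an added example, not code from the page or from the author's site, that models the client's resolution order described above: a hosts-file parser, a lookup that consults the hosts table before a DNS table, and an audit that reports hosts entries which contradict DNS (the sign of a tampered hosts file). The hosts lines, the DNS table, BigServer's address 10.1.10.1 and the conflicting address 10.1.10.2 are all constructed for the example.

```python
import ipaddress

# Constructed sample of a Windows hosts file (%systemroot%\System32\drivers\etc\hosts).
# Names and addresses are made up for this example.
HOSTS_FILE = """# sample hosts file (constructed)
127.0.0.1       localhost
10.1.10.1       BigServer  bigserver.guybay.com    # file server
64.144.239.69   www.computerperformance.co.uk
10.1.10.1       BigServer                          # duplicate: first entry wins
not-an-ip       broken.example
"""

# Constructed stand-in for what a DNS server would answer; in real life these
# come from A records on the DNS server, not from a dictionary.
DNS_RECORDS = {
    "www.computerperformance.co.uk": "64.144.239.69",
    "bigserver.guybay.com": "10.1.10.2",   # deliberately disagrees with the hosts file
}


def parse_hosts(text):
    """Return {name: ip} from hosts-file text.

    Mirrors the resolver's rules: '#' starts a comment, whitespace separates
    fields, names are case-insensitive, and the first entry for a name wins.
    Lines whose first field is not a valid IP address are ignored.
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), ip)
    return table


def resolve(name, hosts, dns_records):
    """Resolve a name the way the client does: hosts file first, then DNS.

    Returns (ip, source) where source is 'hosts', 'dns' or 'not found'.
    """
    key = name.lower().rstrip(".")
    if key in hosts:
        return hosts[key], "hosts"
    if key in dns_records:
        return dns_records[key], "dns"
    return None, "not found"


def audit_hosts(hosts, dns_records):
    """List names where the hosts file overrides DNS with a different address.

    A non-empty result is exactly what a tampered hosts file looks like.
    Returns {name: (hosts_ip, dns_ip)}.
    """
    return {
        name: (ip, dns_records[name])
        for name, ip in hosts.items()
        if name in dns_records and dns_records[name] != ip
    }


if __name__ == "__main__":
    hosts = parse_hosts(HOSTS_FILE)
    for query in ("BigServer", "www.computerperformance.co.uk", "mail.guybay.com"):
        print(query, "->", resolve(query, hosts, DNS_RECORDS))
    print("overrides:", audit_hosts(hosts, DNS_RECORDS))
```

The audit is the part worth keeping: run it against the real hosts file and a fresh nslookup of each name, and any entry it reports is either a deliberate troubleshooting override you forgot to remove or something that should not be there.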

DNS Namespace
I think that Namespace is a pretentious word. Having been rude about the moniker, I love the concept and design behind the word Namespace: a hierarchical structure of names that join up to form a FQDN. Approach the DNS namespace as if admiring a pyramid. At the top is the '.', the dot or 'null' root. On the internet all attempts to answer queries start at the '.' and soon percolate down to the next level. Incidentally, if you see such a dot or period in your DNS Server's Forward Lookup Zones then it's not a mistake; you have found the top level of your DNS system.

Levels of Namespace
1 Root: '.'
2 Top Level Domains (TLD): com, edu, gov, mil, net, org, plus the country codes, where we find the familiar .co.uk. One of my hobby-horses and frustrations is that those original TLDs were invented, almost overnight, by just one person (as were DNS and IPv4), whereas committees have taken about ten years to thrash out IPv6 and more TLDs, for example .biz and .info.
3 Second level domains, lots of them. This is the part of the namespace that we recognise, e.g. microsoft as in microsoft.com.
4 Subdomains. These are optional and are not needed by small companies or beginners. However, one day you may consider an extra level of domains, for example research.yourdomain.com or commerce.yourdomain.com. The other use of subdomains is where you want a different domain name for your Active Directory: leave your email, web and internet domain as yourdomain.com and have ad.yourdomain.com for your Active Directory domain.
5 Hostname, for example web in web.microsoft.com. This level is sometimes called the leaf, or is referred to as holding the DNS leaf objects.

Take as an example a query for the FQDN web.microsoft.com. What happens is that the '.' root servers know where to find the .com servers, the .com server knows where to find microsoft.com, and of course Microsoft's own DNS knows the whereabouts of web.microsoft.com.

DNS Name Server (NS)
Name Server has several shades of meaning. In DNS, NS is a particular type of DNS record, alongside Host (A), MX and CNAME. The most important nuance of Name Server is that here is a server that holds copies of these DNS resource records. Name Servers also register the records and are responsible for DNS housekeeping. Name Servers know about other Name Servers; in fact name servers have a whole world of their own where they replicate records and forward queries.

Another important DNS and Name Server concept is that of Authority. Servers that are authoritative are responsible for answering queries about their Host, MX and other records. Perhaps ownership best describes this usage of the word Authority. Always investigate the Start of Authority (SOA) record. Once you find the SOA, you can see which server is the Primary, or ultimate source, of all records for that domain.

Rules of DNS naming
If you are planning a new domain, what characters can you use in DNS? The answer is letters A-Z, lower case a-z (DNS names are not case sensitive), numbers and also the hyphen (-). A label may not start or end with a hyphen, each label is limited to 63 characters and the whole name to 255. So if you are registering a domain a hyphen gives you more naming possibilities. To digress, my wife had a stroke of genius in having a hyphen in her domain name fashion-era.com. I wish that I had chosen computer-performance.co.uk. The underscore (_) is a reserved character used by Microsoft DNS for its Active Directory service (SRV) records; examples include _gc (Global Catalog) and _dc (Domain Controller). It is not valid in an ordinary host name.

Summary of DNS Naming
DNS Naming is not trivial. Neither is it easy to rename your DNS namespace if you make a mistake. Therefore, before you register or configure the name of your DNS domain, rehearse in your mind how DNS name resolution works. Moreover, if your goal is to install a Windows Server 2003 domain, then investigate Active Directory Integrated Zones.

Types of DNS Zones in Windows Server 2003
When you plan a DNS installation, be sure that you choose the most suitable type of zone. Also decide how many zones to configure. For instance, it is easy to focus on the forward lookup zone but overlook the reverse lookup zone.

Topics for DNS Zones in Windows 2003
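The following is an added example, not code from the original page, that turns the levels of the namespace and the rules of DNS naming into code: split_fqdn labels each level of a name, and check_name applies the character, hyphen and length rules, accepting underscore labels only as SRV service labels when asked. The names tested are the page's own (web.microsoft.com, computer-performance.co.uk, fashion-era.com) plus made-up ones; treating .co.uk as an ordinary TLD plus second-level domain is a simplifying assumption.

```python
import re

# One DNS label: letters, digits and hyphen, no leading/trailing hyphen, max 63 chars (RFC 1123).
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
MAX_NAME_LEN = 253  # 255 bytes on the wire, which leaves 253 characters of text


def split_fqdn(fqdn):
    """Break an FQDN into the namespace levels described above.

    The trailing dot is the root; the rightmost label is the TLD; the next is
    the second-level domain; the leftmost remaining label is treated as the
    leaf (hostname) and anything between as subdomains. DNS itself does not
    distinguish a host label from a subdomain label, so 'ad' in
    ad.yourdomain.com comes back as the leaf even though it names a domain.
    Country-code TLDs such as .co.uk are not special-cased (assumption).
    """
    labels = fqdn.rstrip(".").lower().split(".")
    if len(labels) < 2 or "" in labels:
        raise ValueError("need at least a second-level domain and a TLD: %r" % fqdn)
    return {
        "root": ".",
        "tld": labels[-1],
        "second_level": labels[-2],
        "subdomains": labels[1:-2],   # left to right, e.g. ['research']
        "leaf": labels[0] if len(labels) > 2 else None,
    }


def check_name(fqdn, allow_srv=False):
    """Return a list of problems with a name under the rules of DNS naming.

    allow_srv=True accepts the underscore-prefixed service labels that Active
    Directory registers (_gc, _dc, _ldap._tcp ...); those are never valid host
    names, so they are rejected by default.
    """
    problems = []
    name = fqdn.rstrip(".")
    if len(name) > MAX_NAME_LEN:
        problems.append("name longer than %d characters" % MAX_NAME_LEN)
    for label in name.split("."):
        if label == "":
            problems.append("empty label (doubled dot)")
        elif label.startswith("_"):
            if not allow_srv:
                problems.append("underscore label %r is reserved for SRV records" % label)
            elif not LABEL_RE.match(label[1:]):
                problems.append("bad service label %r" % label)
        elif not LABEL_RE.match(label):
            problems.append("label %r may only use letters, digits and internal hyphens" % label)
    return problems


if __name__ == "__main__":
    print(split_fqdn("web.research.yourdomain.com"))
    for candidate in ("computer-performance.co.uk", "-bad.guybay.com", "big_server.guybay.com"):
        print(candidate, check_name(candidate) or "ok")
```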

The advantage of looking at DNS from different angles is that you get a sense of perspective. One coincidence with DNS is how many of the components come in pairs. I find this provides a natural fork for decision making (and troubleshooting). There are many ways of analyzing DNS zones; only by viewing the multiple sides of DNS will you be able to judge how to configure your servers. Be sure to research thoroughly, plan carefully and test to destruction before you implement a production DNS network.

Topics: Scopes of DNS Zones; Secure and Non Secure Dynamic Updates; Forward and Reverse Lookup Zones; DNS Level - Main Zone or Subzone; Summary of DNS Types.

Active Directory-Integrated DNS
If the situation is that you are about to install Active Directory and have complete charge of DNS (no Unix DNS in the background) then aim for Active Directory-Integrated Zones. Active Directory-Integrated Zones are a special case of Primary Zones, where all the servers are required to be Domain Controllers. The big advantage is efficient DNS record replication: efficient in the sense of less network traffic, fewer errors and easier configuration with low maintenance. The records travel inside normal Active Directory replication, which is authenticated between domain controllers, rather than by zone transfer.

Active Directory-Integrated v Primary Zone
This pairing could be called the Windows 200x v NT 4.0 DNS model.

Primary Zones
This is the NT 4.0 model, with Windows 200x's improved incremental zone transfer (IXFR). Naturally there are also Secondary Zones, which hold read only copies of the Primary Zones. There are two uses for this Primary / Secondary model: 1) the domain's main records are held on a Unix server; 2) your DNS servers are not Domain Controllers. If you rely on secondaries, restrict zone transfers (Zone Transfers tab of the zone's properties) to the name servers you list; an unrestricted zone transfer hands a complete inventory of your hosts to anyone who asks for it.

Scopes of DNS Zones
Primary Zone - Holds read and write copies of all resource records (A, NS, SRV). See more on resource records.
Secondary Zone - Read only copies of records; gets updates from the primary server by zone transfer.

Stub Zone - New in Windows 2003, a tiny zone with just pointers to another domain. In truth, think of Stub Zones like secondary zones, but with only three records: the SOA, NS and A record of the main server in that Stub domain. See more on Stub Zones here. ('Store the zone in Active Directory' is offered for Primary zones, and in Windows 2003 for Stub zones too.)

Secure and Non Secure Dynamic Updates
Starting with Windows 2000, DNS became Dynamic. This is a huge advantage over the old model where you had to update records manually. The default and recommended setting for Active Directory-Integrated zones is 'Secure only'. Secure Updates means that only machines with computer accounts in Active Directory can add or update their Host (A) records on the DNS servers, and only the account that created a record may later change it. With secure updates you avoid lots of rogue records cluttering your DNS. This can happen if you get a visiting laptop which picks up an IP address from DHCP but does not release it, because the visitor does not disconnect gracefully from the network. With non secure updates allowed, any machine on the network can overwrite any record, including those of your domain controllers.

DNS Zone Directions - Forward and Reverse
When you configure DNS remember that there are two directions of DNS zone.
Forward Lookup - You know the hostname; DNS tells you the IP address.
Reverse Lookup - You know the IP; DNS gives you the hostname.
Forward Lookup zones supply the main DNS mechanism for finding Hosts (A), Name Servers (NS) or Services (_gc). Reverse Lookup is required by NSLookup, DNSLint and other utilities. I think of Reverse Lookup as a hacker's tool; in particular, they can PING a server's IP address and then use a Reverse Lookup query to discover the hostname. When it comes to configuring DNS servers, remember the reverse lookup, otherwise NSLookup complains that it cannot find the server name for its own address and DNSLint reports failures.

DNS Level - Main Zone or Subzone
Let us end this section with a reminder that DNS is hierarchical; moreover you should check which level or levels you need to create zones at. Take as an example a company that has bought the domain name guybay.com from InterNIC. The first point to note is that they bought a .com rather than a .net or .org. The company server where guybay.com is installed will be a name server, and it will have authority to answer queries for host records in the guybay.com zone. Later they could have subzones such as customers.guybay.com. Here is an example of the levels:

Root Zone: '.'
Top Level Domain (TLD): .com
Guy's main zone: guybay.com
Two subzones: customers.guybay.com and auctions.guybay.com
See more on DNS Naming here.

Summary of DNS Zone Types
There are many ways of implementing DNS zones, but through looking at DNS from different angles you get a sense of perspective. Only by investigating forward, reverse and Active Directory zones will you be able to judge how to configure your servers. Be sure to research thoroughly, plan carefully and test to destruction before you implement a production DNS network.

Conditional Forwarding in Windows 2003 DNS
If you think carefully about the two words, Conditional and Forwarding, then this feature becomes self explanatory. In a nutshell, Conditional Forwarding is like taking a short cut. Deeper thought raises more problems than it solves: What condition? Where does it forward? Above all, where do you find this feature?

Configuring Conditional Forwarding
Let us begin by discovering where you configure Conditional Forwarding. Start at the server icon in the DNS snap-in (not the Forward Lookup Zone). Right click, Properties, Forwarders (tab). Take the scenario where shootemup.com is an associate of your organization; moreover, your users are forever querying their server. If shootemup.com kindly provide the IP address of their server which is authoritative for shootemup.com, then you can configure that server as a conditional forwarder. To summarise: the Condition is that one of your clients' queries is for shootemup.com; the Forwarding is to the IP address specified at the Forwarders tab of your DNS server. Remember that you are now trusting that address for every answer in the shootemup.com namespace, so record where the IP came from and review it when the partnership changes.

So what would happen without Conditional Forwarding? The answer is that your server would 'walk the root hints':
1. The server (Alan in the diagram) contacts a root server '.' on the internet.
2. The root server refers your request to the .com servers.
3. The .com server in turn refers the request to shootemup.com's name server.
4. shootemup.com's server, being authoritative, returns the answer.

One last question: what happens if your clients query someoneelse.org? The answer is that your server goes the long way around and 'walks the root hints'. Unless of course you are friendly with someoneelse.org and configure another Conditional Forwarder.

for example guybay. There are times when it is best to trust the DNS wizard to configure the settings.com. See here for the importance of DNS Naming. This decision is especially important where you are installing DNS / Active Directory on a domain controller in a 'green field' site. then DNS will automatically add an A (Host) record for your own machine. What makes installing DNS difficult is that usually the goal is to install Active Directory and DNS is merely a stepping stone. Summary DNS in Windows 2000 was a huge improvement over NT4.guybay.course you are friendly with someonelse. add a few new features which speed up performance in large forests. A plan is essential and the time it takes to prepare a checklist will repay ten fold in saved frustration. A setting that is easy to overlook is the TCP/IP properties of the network icon. Tutorial for Installing DNS Zones in Windows Server 2003 Preparing the DNS Server Installing the DNS Server Service Creating the Zones Installing Active Directory Summary Preparing the DNS Server It is crucial to ' Get all your ducks in a row '. I have assumed that you plan to install a forward lookup zone.com) should match your Active Directory domain name. but what about the reverse lookup zone? It only takes a minute to install the reverse lookup zone and without it utilities like DNSLint and NSLookup will not function. Computer Name (tab) with the namespace of your main DNS domain. By that I mean match the names in System Icon.0 Windows Server 2003 new DNS features iron out a few problems.org and configure another Conditional Forwarder. for example ad. Installing DNS Zones in Windows Server 2003 Installing DNS is deceptive. If you add our own DNS name to the ' Preferred DNS server '. The biggest challenge is managing all the places and all the settings which require names. Another . or whether you want sub-domain. this is particularly true for Active Directories _MSDCS records. Decide if this DNS name (guybay.com. 
One variation of this trap is to forget to add the Preferred DNS server to the second or third network card.

Another variation is to forget to add other DNS servers to the list of DNS servers underneath the TCP/IP properties tab.

Installing the DNS Server Service
Remember that DNS is a service, ranking alongside Alerter, Print Spooler and SMTP. First job: get your Windows 2003 Server CD ready. To install the DNS service navigate to Control Panel, Add or Remove Programs, Windows Components, Networking Services, and tick Domain Name System (DNS). As soon as the installation completes I would create an MMC and add the DNS snap-in. More traditional administrators use the Administrative Tools folder or the Computer Management console. Once you launch the DNS snap-in, just right click and add the server by name. Take the time to familiarize yourself with which settings are on which tabs of the Server Icon, and also which settings are found on the property sheets of the Forward and Reverse Lookup zones.

Creating the DNS Zones
Installing the DNS service is the easy part. Mechanically adding zones is straightforward, but your DNS server will only function correctly if you understand, moreover only you can decide, what extension, if any, you will use for your Active Directory domain: guybay.com? ad.guybay.com? guybay.org or yourcompany.org? Or plain guybay (no extension)? These are hard questions with far reaching answers; a single-label name such as plain guybay is the one choice to rule out, because Microsoft advises against single-label DNS domains and they cause registration and resolution problems. Then plan the fully qualified domain name.

Forward Lookup Zones

Normally, you would start by creating a forward lookup zone on your DNS server. Right click the Forward Lookup Zones yellow folder and select New Zone. Here is where your planning will repay, as you have to decide on a Primary, Secondary or possibly a Stub zone. Note the check box for 'Store the zone in Active Directory'. I would not worry too much about this as you can change your mind and move the radio button later. In Windows Server 2003 you can decide to replicate the DNS information to all DCs in the Forest, or just those in your domain. Next comes the zone name; this is important to get right, otherwise you have to delete your zone and start all over again. In my example I would type guybay.com. (Note I have decided to use the .com extension.) I would allow secure and non secure dynamic updates to begin with. My thinking is: let us give DNS the best chance of working. Once it works then I can start tightening up security, and on an Active Directory-Integrated zone that means switching to 'Secure only' before the zone goes into production, since non secure updates let any host on the network overwrite any record. Now comes the magic moment when you press Finish and see at least three records: SOA, NS and a Host (A) record. If you need additional information on configuring DNS Zones, read this page.

Reverse Lookup Zones
Do take a minute to create a Reverse Lookup Zone. Why are you creating a Reverse Lookup Zone? So that NSLookup and DNSLint work properly. The only planning here is to calculate your network ID. For example, 10.1.0.0 with subnet mask 255.255.0.0 would mean a network ID of 10.1. Follow the simple action of typing in 10 then 1. (Do not go into 'over-think' and type in 1 then 10; these days Windows works out the reversed zone name, 1.10.in-addr.arpa, from your simple input.) My reasoning is that if you have the Reverse Lookup in place from day one, then all the PTR (Pointer) records are created automatically as clients register. The alternative is that if you create the Reverse Lookup six months down the line, then you have to add those PTR records manually. Make sure that you have a PTR record for each NIC and IP address.

Stub Zones
Conceptually, stub zones are like secondary zones in that they have a read only copy of a primary zone. The two differences are that Stub Zones have fewer records, and that Stub Zones are more efficient and create less replication traffic. Stub Zones only have three records: the SOA for the primary zone, the NS record and a Host (A) record. The idea is that if a client queries a record in the Stub Zone, your DNS server can refer that query to the correct Name Server because it knows its Host (A) record. My advice would be to use Stub Zones in situations where most of these are true: you have a large Active Directory Forest; you use Active Directory Integrated DNS; DNS is delegated and distributed throughout the child domains; users in one domain often issue DNS queries to other domains.

Installing Active Directory
Step one: you have the bare bones of DNS installed. In particular, decide which name to use and then configure this name at the System Icon, Computer (tab). Step two: run DCPROMO. Let the DCPROMO wizard install the SRV resource records. Windows Server 2003 automatically creates a top level DNS Forward Lookup Zone called _msdcs.your.dom; previously, this was hidden away as a subzone under your.dom. Occasionally, especially with Windows 2000, the SRV records are not installed. The secret is to let the DCPROMO wizard automatically add the SRV records to DNS; my advice is never add these records manually. If that does not work, the trick is to stop then start the Netlogon service (or run nltest /dsregdns from the Support Tools) and miraculously the records will be created. If that does not work, run DCPROMO to demote, reconfigure the System Icon, Computer (tab), and try again. Failing that, give up and start again. See more on Installing Active Directory and DNS here.

Summary of Installing DNS Zones
When you install DNS take the time to plan carefully. My tutorial will take you through installing the DNS Service, and then configuring the forward, reverse and stub zones.

DNS Queries in Windows Server 2003
Always remember that there are two sides to DNS. Firstly, registration, which adds resource records such as Host (A) into the DNS database. Secondly, there are queries where clients seek those resource records, for example: where is BigServer? Back comes the reply from DNS: BigServer IP = 10.10.55.21.

Topics for DNS Query: Authoritative DNS Servers; Iterative and Recursive Queries; Root Hints; DNS Caching; DNS Forwarders; Summary.
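Returning to the Reverse Lookup Zones section above: the added example below, which is not code from the page, derives the in-addr.arpa zone name that the New Zone wizard builds from a network ID (10.1 becomes 1.10.in-addr.arpa) and generates the PTR records a zone created late would need adding by hand. The A records and the 10.1.0.0/16 network are constructed for the example; networks that do not fall on an octet boundary are deliberately rejected.

```python
import ipaddress

# Constructed forward records for the guybay.com example (made-up addresses).
A_RECORDS = {
    "bigserver.guybay.com": "10.1.10.1",
    "dc1.guybay.com": "10.1.0.5",
    "dc1-nic2.guybay.com": "10.1.0.6",
    "branch.guybay.com": "10.2.0.9",     # different network, belongs in another zone
}


def reverse_zone_name(network):
    """Name of the in-addr.arpa zone for a network, e.g. 10.1.0.0/16 -> 1.10.in-addr.arpa.

    This is what the New Zone wizard derives when you type the network ID in
    the natural order (10 then 1). Only /8, /16 and /24 networks map onto a
    single in-addr.arpa zone; anything else needs RFC 2317 style delegation,
    which is outside this example, so it is rejected.
    """
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen not in (8, 16, 24):
        raise ValueError("only IPv4 /8, /16 or /24 networks map to one zone: %s" % net)
    octets = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def ptr_records(a_records, network):
    """Build the PTR records a reverse zone for `network` should hold.

    Returns (zone_name, {ptr_owner_name: hostname.}). Hosts outside the network
    are left out: they belong to a different reverse zone. This is the work you
    do by hand if the reverse zone is created after the hosts registered.
    """
    net = ipaddress.ip_network(network, strict=False)
    zone = reverse_zone_name(network)
    ptrs = {}
    for host, ip in a_records.items():
        addr = ipaddress.ip_address(ip)
        if addr in net:
            ptrs[addr.reverse_pointer] = host.rstrip(".") + "."
    return zone, ptrs


def missing_ptrs(a_records, network, existing_ptrs):
    """Hostnames in the network whose PTR is absent: 'a PTR for every NIC and IP'."""
    _, wanted = ptr_records(a_records, network)
    return sorted(wanted[k] for k in wanted if k not in existing_ptrs)


if __name__ == "__main__":
    zone, ptrs = ptr_records(A_RECORDS, "10.1.0.0/16")
    print(zone)
    for owner, target in sorted(ptrs.items()):
        print("  %-28s PTR %s" % (owner, target))
```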

Authoritative DNS Servers
The goal of a DNS query is to find an authoritative DNS server. Authoritative DNS Servers have ownership of, and knowledge about, the resource records for a particular domain. From the point of view of a query, contacting an authoritative server is good news because you get an instant response: either an IP address, or a host not found error message. To check which DNS server is authoritative, launch your DNS snap-in, select the Forward Lookup Zone, Properties and then the Start of Authority (SOA) tab; finally look at Primary Server.

Iterative and Recursive Queries
Technically, DNS queries divide into two sub types, recursive or iterative. Whereas I normally like to savour and remember terms, this pair don't help that much in understanding DNS. In practical terms a good DNS server uses both methods to resolve the query, and again from a practical point of view the best thing you can do is make sure the 'Root Hints' are set correctly on the server and that the firewall lets the server reach them. The key difference between a recursive and an iterative request is that, for a recursive query, the server does all the work on behalf of the client.

Recursive Query
Recursive is the simpler query of the pair to understand, in that it's all or nothing. A recursive query is the type of name resolution that an XP client may send to its DNS server. The DNS server either returns the full answer or a 'server not found' error. If the server knows the answer to the query, then no problem; however, if the DNS server does not know the answer, then it takes up the search on behalf of the client. Consider an example where an XP client in yourdomain.com says to its DNS server: 'Give me the IP address of webserver.microsoft.com.' Your server could respond to the effect, 'I am not authoritative for microsoft.com, go away'. This would come back as an official reply: 'server not found'. More likely, as we will see, if that server was not authoritative then your server would take up the search on behalf of the client. What would happen is that the server queries the root hints in an attempt to find the whereabouts of the microsoft.com domain servers, which can then return the IP address for the queried host. To do this, DNS turns to forwarders, iterative queries and root hints.

Iterative Query
An iterative query is usually a conversation between DNS servers, whereas a recursive query is usually a client asking a DNS server for name resolution. What happens with an iterative query is that the requesting server 'steps' through the DNS root hints.

The key difference is that a server can respond to an iterative query with a partial reply. With luck, this partial reply will be a stepping stone to finding the Fully Qualified Domain Name. Your server says to the root servers, 'Where is microsoft.com?' If this were a recursive query, then the root server would say 'I don't know, server not found'. But with an iterative query the root server gives its best shot and says, 'Try the .com servers at w.x.y.z IP address'. Then the .com server would iteratively point your DNS to microsoft.com, and as Microsoft is authoritative for web.microsoft.com, back comes the IP address, at last. This 'stepping' through the root hints is known as an iterative query.

Root Hints
If your Windows DNS server is connected to the internet and your clients want to find websites, then you need to check your root hints. What Root Hints do is act as pointers to servers that know the IP addresses of the top level domain servers. The good news is that Root Hints are installed by default. Root hints are stored in a physical file called cache.dns; you can inspect a copy of this file in the %systemroot%\system32\dns\samples folder. Here is what cache.dns looks like:

;   formerly NS.INTERNIC.NET
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;   formerly NS1.ISI.EDU
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107

These NS records of the '.' root servers are loaded into the Root Hints tab of your DNS server. Launch your DNS snap-in, select the Server Icon, right click, select Properties and then select the Root Hints tab. The addresses of the root servers do change over time, so compare the tab against the currently published list rather than trusting a file copied from an old CD. On the other hand, if your DNS server is not connected to the internet, then see more on root hints here. Test your forward and reverse lookups by clicking on the Monitoring tab visible from your server properties. You may also be able to see the Monitoring tab on the above diagram.

DNS Caching
DNS Servers build up a cache of previously resolved queries. As requests are looked up on other servers, so records are added to the cache. A good cache has the twin benefits of faster response time and less network traffic. A bad cache can be a liability in that it gives the requestor incorrect information; leave 'Secure cache against pollution' (Advanced tab) switched on so that the server discards records in a reply that lie outside the domain it asked about. One reason that I like to set the DNS snap-in to View, Advanced is that I can then see which records are in the Cached Lookups folder. Another reason that I like to view the Cached Lookups folder is that when I am troubleshooting, I can right click the folder and Clear Cache. Small sites sometimes manage DNS through caching-only servers; they learn and cache the records the few users need, but as they have no zones themselves, there is no associated replication traffic. This technique is useful where you have Active Directory Integrated zones and want a DNS server which is not a domain controller.

DNS Forwarders
Forwarder by name, forwarder by nature. The situation is that when your DNS server receives a query for which it is not authoritative, instead of 'walking' the root hints, it contacts a server that does know the answer to that query. (Do not confuse this with a secondary zone contacting its primary: that is a zone transfer, which copies records, whereas forwarding passes on individual queries.) One major use of Forwarders is for networks which use firewalls, perimeter networks or a DMZ (demilitarised zone). For security reasons, the internal DNS servers know nothing of the internet root hints, so they forward all such queries to servers on the internet facing side of the firewall or perimeter network.

Conditional Forwarding
Another classic use of forwarders is where companies have subsidiaries, partners or people they know and contact regularly. Instead of going the long way around using the root hints, the network administrators configure Conditional Forwarders. The clever idea with conditional forwarders is that only certain namespaces are forwarded to particular servers. If you have a subsidiary called Acme.com, then you could configure all queries for Acme.com to go to their DNS servers, while other queries could go out to the internet via the root hints. The point is that the query goes directly to a server that has the appropriate resource records. See more on conditional forwarding.

Summary of DNS Query
When configuring or troubleshooting DNS, start by asking: 'Is this a registration problem, or is this a query problem?' DNS queries invariably involve many steps. If your clients are experiencing problems, then check the DNS Server Properties, in particular examine the Root Hints and Forwarders tabs.

DNS Root Hints in Windows 2003

Root Hints are a vital cog in configuring your DNS Server. If your server receives a query for an unknown domain, then the root hints give a clue as to where to search for the answer. Maybe you were lucky and the root hints magically configured themselves correctly. Perhaps it was a triumph for planning that you examined the root hints as soon as you ran DCPROMO. However, in my opinion you cannot be a successful DNS troubleshooter without understanding root hints.

Topics for DNS Root Hints
Finding Root Hints
Root Hint Choices
Configuration if legitimately connected to the Internet
Alternative '.' Root Configuration
Reversing your Root Hint Actions
Summary of Root Hints

Finding Root Hints

Root hints are pointers to top level DNS servers on the internet. Every Windows server comes pre-configured with a physical file called cache.dns. You can inspect this file in the %systemroot%\system32\dns\samples folder. Inside cache.dns are the IP addresses of a dozen 'well known' servers which hold information about the .com, .net, .org and other top level domains (TLD). Here is what the cache.dns file looks like in notepad:

;       formerly NS.INTERNIC.NET
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;       formerly NS1.ISI.EDU
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107

Root Hint Choices

I know it's obvious, but you have to be connected to the internet to take advantage of root hints. The point is that if your DNS server is not connected to the internet then these root hints are a liability, as they will not work and only introduce time delays while queries try to contact unreachable IP addresses. Another problem is that you are connected to the internet but there is a conflict between the DNS name you are using internally and the same domain name that is registered on the internet. Confusion may be caused by your web server or your Exchange server registering the same domain name but with a different IP address.
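The two ideas above, the NS and glue A records in cache.dns and the 'stepping' of an iterative query through referrals, are shown below in an added example that is not code from the original page. It parses a cache.dns-style excerpt and then simulates an iterative lookup of web.microsoft.com over a constructed referral chain; the zones, server addresses (192.0.2.x) and the answer are all constructed sample data, and only the two root server entries mirror the excerpt on the page.

```python
"""Added example (not code from the original page): parse the NS and glue
A records of a cache.dns-style root hints file, then walk a lookup
iteratively through a constructed chain of referrals, the 'stepping'
the text describes. Every zone, server address and answer below is
constructed sample data; only the cache.dns excerpt mirrors the page."""
import re

# Constructed excerpt in the layout of cache.dns (comments start with ';').
CACHE_DNS = """\
;       formerly NS.INTERNIC.NET
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;       formerly NS1.ISI.EDU
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
"""


def parse_root_hints(text):
    """Return {root server name: IPv4} built from the '.' NS records and
    their glue A records. A server named by NS but lacking glue is
    dropped, because without an address it cannot be queried."""
    ns_names, glue = set(), {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        fields = line.split()
        if "IN" in fields:                       # class column is optional
            fields.remove("IN")
        owner, _ttl, rtype, rdata = fields[:4]
        if owner == "." and rtype == "NS":
            ns_names.add(rdata)
        elif rtype == "A":
            glue[owner] = rdata
    return {n: glue[n] for n in sorted(ns_names) if n in glue}


# Constructed authoritative data: which zone each server serves, the child
# zones it delegates (zone -> server address) and the hosts it knows.
SERVER_ZONE = {
    "198.41.0.4": ".", "128.9.0.107": ".",
    "192.0.2.1": "com.", "192.0.2.2": "microsoft.com.",
}
ZONES = {
    ".":              {"delegations": {"com.": "192.0.2.1"}, "hosts": {}},
    "com.":           {"delegations": {"microsoft.com.": "192.0.2.2"}, "hosts": {}},
    "microsoft.com.": {"delegations": {}, "hosts": {"web.microsoft.com.": "192.0.2.3"}},
}


def ask(server_ip, name):
    """One iterative query. The server answers from its own data, refers
    the client to the closest child zone it has delegated (the 'partial
    reply'), or reports that the name does not exist."""
    zone = ZONES[SERVER_ZONE[server_ip]]
    if name in zone["hosts"]:
        return "answer", zone["hosts"][name]
    candidates = [z for z in zone["delegations"] if name.endswith("." + z)]
    if candidates:
        return "referral", zone["delegations"][max(candidates, key=len)]
    return "nxdomain", None


def resolve_iteratively(name, root_hints, max_steps=10):
    """Start at the first root hint and follow referrals until an answer
    or NXDOMAIN. Returns (address or None, list of (server, zone, reply))."""
    trail = []
    server = next(iter(root_hints.values()))
    for _ in range(max_steps):          # guard against referral loops
        kind, value = ask(server, name)
        trail.append((server, SERVER_ZONE[server], kind))
        if kind == "answer":
            return value, trail
        if kind == "nxdomain":
            return None, trail
        server = value
    return None, trail


if __name__ == "__main__":
    hints = parse_root_hints(CACHE_DNS)
    addr, steps = resolve_iteratively("web.microsoft.com.", hints)
    for server, zone, reply in steps:
        print(f"asked {server} (zone {zone!r}): {reply}")
    print("web.microsoft.com. ->", addr)
```

The trail returned by resolve_iteratively is the sequence root, .com, microsoft.com that the text walks through in prose; a name under a TLD that the root data does not delegate stops after one step, which is the same dead end a server with unreachable root hints sits in, except that here the failure is immediate rather than a timeout.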

For instance your ISP or InterNic may have legitimately assigned a different IP address for your domain name.

Configuration if legitimately connected to the Internet

I use legitimate to mean a valid, conflict free IP address and domain name. In this instance go with the default. Check the DNS Server, not the Zone Folder: Properties, Root Hints tab. (Note, start at the Server Icon.) Test your forward and reverse lookups by clicking on the Monitoring Tab visible from your server properties. You may also be able to see the Monitoring Tab on the above diagram.

Alternative '.' Root Configuration

Where your server is not connected to the internet you need to take action and create a '.' root domain. You also need this configuration if there is a conflict between your local domain name and the domain name on the internet. The solution is simple and elegant: create a local '.' domain on your DNS Server.

All that you need to do is expand your DNS server, right click Forward Lookup Zone, choose New Zone, and name it '.' (some call this character a dot, others a period). The result of your configuration is that when you return to examine the root hints, there are no servers listed, and the Fully Qualified Domain Name box should be 'greyed out'.

Reversing your Root Hint Actions

Sometimes when troubleshooting, in desperation you start ripping out configurations that the server needs. If you made a mistake, or circumstances dictate that you need to recreate those original root hint pointers, then simply delete the '.' domain. If deleting the root domain on your server did not work then try Copy from the server and type the IP address of another of your DNS Servers (another Domain Controller?), or copy from the %systemroot%\system32\dns\samples folder. When managing your DNS Server there are many instances when restarting the DNS Server produces the desired effect of a refresh. The easiest way to restart DNS is to right click the Server Icon and select All Tasks.

Summary of DNS Root Hints

Root Hints provide a link between your DNS Server and the top level DNS Servers on the internet. As these IP addresses remain constant, Microsoft automatically load them into your DNS Server's root hints. All is well unless your server is not allowed to connect to the internet, in which case you need to configure your own '.' local Root domain.

DNS Resource Records in Windows 2003

It all started with Host records. In the beginning there were just flat text files with a list of servers and corresponding IP addresses. When that got cumbersome and a pain to update, a proper database called DNS (Domain Name System) was invented by Paul Mockapetris in 1983. Since then the DNS types of records have grown; here is a list:

e. and which you need to create yourself. for example MX records for Exchange. . Following a TechNet article. dc = domain controller. Required for Active Directory. It is possible to create more records in the DNS manager. for example _SRV records. Summary Take the time to investigate DNS Resource Records. particularly for other domains.g. The mission of a DNS Query is to locate a server that is Authoritative for a particular domain. for example.hostname to IP PTR Maps IP to hostname (Reverse of A (Host) Found in Reverse Lookup Zone CName NS MX Canonical name. MX records required to deliver internet email. Make a point of finding the Start of Authority (SOA) tab at the DNS Server. _SRV and _MSDCS SOA Custom / Special Purpose of Resource Records Without resource records DNS could not resolve queries. However I would only do this in extreme circumstance. Identifies DNS name servers. The easy part is for the Authoritative server to check the name in the query against its resource records. Whole family of underscore service records. gc = global catalog. Important for forwarders Mail servers. Understand which are created automatically. in plain English an alias.

Troubleshooting Tips for DNS in Windows Server 2003

During my career as a biologist, when we went on field trips I had a student who always claimed that he had found a rare bird. Inevitably it turned out to be the common or garden variety. My point is this: when it comes to troubleshooting DNS, begin with the basics, investigate the most obvious solution, check the common trouble spots.

Topics for Troubleshooting DNS
1) Start with Ping
2) IPCONFIG
3) DNS snap-in
4) NSLookup
5) Hosts file
6) Event Viewer

1) Start Troubleshooting with Ping

Can you ping the target machine?
a) By IP address, Ping 10.0.1.100
b) By Hostname, Ping BigServer
c) By fully qualified domain name, Ping BigServer.guybay.com

Examine the replies for clues, for example is the reply BigServer or BigServer.domain.com. Depending on the results from Ping, check the Default Gateway and Subnet Mask. Beware of making the problem worse by altering settings that are correct. Change one factor at a time, and write down what you configured.

2) Do not neglect IPCONFIG

Collect information about default gateways and DNS servers with IPCONFIG's switches, particularly /all. What you are particularly interested in is the DNS Server's IP address. Should that field be empty or incorrect then adjust the IP address at the Network Icon, TCP/IP properties. Remember that Ipconfig has 3 DNS specific switches. Ipconfig /registerdns can save a reboot. On more than one occasion /flushdns has saved me tearing my hair out: what happens is that you may have solved the problem, but a dirty cache prevents confirmation. Finally, /displaydns may give you extra information on what name resolution the client has achieved.

3) Time to look at the DNS server snap-in

At the DNS console, click on View (Menu) and make sure that Advanced is ticked. This is rather like 'Show All files'. Precisely what to look for in the Snap-in depends on the problem. If you are checking basic connectivity, then check you have a Host (A) record for the machine you are trying to contact. If the problem involves internet connectivity, then check the root hints. If you have a more difficult problem, for example zone replication, then click on the Server Icon, Properties. (In the diagram Alan is the name of the server.) One trap is to investigate the DNS server icon when you should be looking at the Forward Lookup Zone, domain name. (Also vice versa, you look at the domain properties instead of the DNS server icon.)

For basic Active Directory / DNS configuration check that the _msdcs records were created by DCPROMO. If not, try restarting the Netlogon service; see here for more information. About half the solutions to DNS problems require a restart of the DNS service; fortunately Microsoft supply a Restart option on the 'All Tasks' menu. However, I would follow up PING with a check of the Monitor Tab on the DNS Server icon.

4) NSLookup

My conclusion for troubleshooting with NSLookup is to avoid it wherever possible. At first I was in awe of NSLookup, then I mastered it, then I realized that it did not give me any more information than the DNS snap-in. Instead, use the above DNS snap-in. The trap with NSLookup is that you forget to configure the PTR records; without the corresponding Reverse Lookup Zone, NSLookup will fail. So, the killer use of NSLookup is if you do not have the DNS snap-in, for example you are troubleshooting from an XP machine. Instead of NSLookup I would use DNSLint, see more here.

5) Hosts files

Reverting to hosts files may seem like taking a step backwards into the dark ages, but many is the time that this trusty old technology has solved a problem. The beauty of the hosts file is its simplicity and the fact that the client operating system reads the hosts file BEFORE it queries DNS. Be sure that you are editing the hosts file in %systemroot%\system32\drivers\etc. (Not in the \i386 or dllcache folder.) Once you have opened the hosts file with notepad, experiment with hostnames and IP addresses for the server that you wish to connect to. Example of Hosts file entries:

10.0.0.1 BigServer
or
10.0.0.1 BigServer.guybay.com

Once you have added the host entry, try once more to contact the server with Ping.

6) Event Viewer

In truth the Event Viewer should be the first place to look for clues, not the last! Mastering the Event Viewer is an art in itself. What you are looking for depends on the problem area. But here are a few categories to check: Domain Name Problems, Resource Record, Database Load, and there really is a DNS Sanity Check! The point to remember is that DNS has its own Log. By all means check the system log or even the application log, but do investigate the DNS log. See here for Advanced DNS Troubleshooting Techniques.

Summary of Troubleshooting DNS

When troubleshooting a DNS server, always begin with the basics. Start with Ping, Ipconfig and the DNS snap-in. Remember to add PTR records in the reverse lookup zone. Also, remember the Event Viewer. One of my favourite troubleshooting utilities is Monitor Server on the DNS Server snap-in.

Advanced DNS Troubleshooting for Windows Server 2003

So you need to solve a DNS problem. The situation is that you have checked the basics and you still suspect that DNS is not working properly. Where next? That depends on your situation. Here are my favourite DNS tips.

Topics for Troubleshooting DNS
Gather evidence by asking questions
Tests that you can make on DNS
Troubleshooting Methods
Assemble your Toolkit (Basic DNS Troubleshooting)

Gather evidence by asking questions

1. Is there one DNS client affected or many clients?
2. Will ipconfig /flushdns magically cure the problem? Alternatively, restart the DNS service.
3. Can the very DNS server itself resolve addresses and queries?
4. Do you have the correct IP address in the resource records for the very server itself?
5. Beware that the cause may be nothing to do with DNS. I once ripped out a perfectly good DNS configuration because I overlooked testing the physical network.
6. A variation of this external cause theme is that a firewall could be blocking DNS port 53.
7. If it's a Web browsing problem, which sites are available?
8. Is the server Authoritative for the domain that you are querying?
9. Delegation. If you have subzones, has delegation given the correct permissions?
10. For Email delivery problems, are the MX records correct?
11. Is the problem related to the internet?
12. How are the Root Hints configured?

Tests that you can make on DNS

DNS Server, Properties, Monitor (Tab). Test Simple and Recursive Queries. If the recursive query fails, check the Root Hints; failure could cause problems with internet resolution.

The scenario: when you attempt to cure a DNS problem by changing a setting, nothing seems to happen. At least nothing happens until you either restart the DNS service or close and then reopen the DNS Snap-in. So remember to make liberal use of Refresh and also right click the server icon, All Tasks, Restart. Note there is also a Clear Cache setting, which is the equivalent of IPCONFIG /flushdns.

Registering Records in DNS

Check DHCP: a basic check that your Type 006 Option is set to the correct DNS server. Next find the DNS (tab) in DHCP and investigate the Dynamic DNS Settings. Check client TCP/IP properties, Advanced, DNS, Register this connection's address in DNS. This is the equivalent of IPCONFIG /registerdns.

Replication problems

Increment the Serial Number to force replication. At the Domain properties, SOA (Tab), serial number, Increment (Button). Check the Zone transfer (Tab). Make sure the setting Allows Transfer. If you are using Active Directory integrated zones, then you could force an instant replication by going to Active Directory Sites and Services, drill down through Default-first-name-site, servers, NTDS Settings, right click and Replicate Now.

DNS Check list

Domain name. Are there any non-standard characters in any of your names? Be wary of underscores, and hostnames with only numbers. Match each Host (A) record with a PTR in the Reverse Lookup Zone. MX records. It is good practice to create MX records to point to your own server. Could unneeded CName records be masking or confusing Host (A) records? FTP and WWW CName aliases are fine, but for all other cases use CName sparingly. Lame Delegations. First, check that all NS records point to servers that exist and are authoritative for that domain.

Problems with Active Directory

Navigate to the Forward Lookup Zone (not the server icon).
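The DNS Check list above can be run mechanically over a zone's records. The code below is an added example, not from the original page: it lints a constructed sample zone for guybay.com (every name and 10.0.1.x address is made up for the demonstration) for NS targets without a Host (A) record, A records without a matching PTR, CNAMEs that sit beside other records at the same name, underscores and all-numeric labels in hostnames, and a missing MX. The lame delegation check is the offline half only: it confirms that the NS target exists; whether that server is actually authoritative needs a live query.

```python
"""Added example (not code from the original page): an offline version of
the DNS check list, run over a constructed sample zone. The NS check only
confirms the target has a Host (A) record; authority needs a live query.
guybay.com and every address here are constructed sample data."""
import re

# Constructed forward zone: (owner, type, data). Deliberately flawed.
FORWARD = [
    ("guybay.com.", "NS", "ns1.guybay.com."),
    ("guybay.com.", "NS", "ns2.guybay.com."),                # no A record
    ("guybay.com.", "MX", "10 mail.guybay.com."),
    ("ns1.guybay.com.", "A", "10.0.1.10"),
    ("mail.guybay.com.", "A", "10.0.1.25"),
    ("bigserver.guybay.com.", "A", "10.0.1.100"),
    ("bigserver.guybay.com.", "CNAME", "web.guybay.com."),   # beside an A
    ("www.guybay.com.", "CNAME", "bigserver.guybay.com."),   # a fine alias
    ("file_share.guybay.com.", "A", "10.0.1.101"),           # underscore, no PTR
    ("2003.guybay.com.", "A", "10.0.1.102"),                 # all-numeric label
]
# Constructed reverse zone, keyed by address for brevity.
REVERSE = {
    "10.0.1.10": "ns1.guybay.com.",
    "10.0.1.25": "mail.guybay.com.",
    "10.0.1.100": "bigserver.guybay.com.",
    "10.0.1.102": "oldname.guybay.com.",   # stale PTR pointing elsewhere
}

HOST_LABEL = re.compile(r"^[A-Za-z0-9-]+$")   # letters, digits, hyphen only


def lint_zone(forward, reverse):
    """Return a list of (owner, problem) findings for the checks above."""
    findings = []
    a_owners = {name for name, rtype, _ in forward if rtype == "A"}
    types_at = {}
    for name, rtype, _ in forward:
        types_at.setdefault(name, set()).add(rtype)

    for name, rtype, data in forward:
        if rtype == "NS" and data not in a_owners:
            findings.append((name, f"NS {data} has no Host (A) record (lame delegation risk)"))
        elif rtype == "CNAME" and types_at[name] - {"CNAME"}:
            findings.append((name, "CNAME sits beside other records and may mask them"))
        elif rtype == "A":
            label = name.split(".")[0]
            if not HOST_LABEL.match(label):
                findings.append((name, "non-standard character in hostname"))
            elif label.isdigit():
                findings.append((name, "hostname made only of numbers"))
            ptr = reverse.get(data)
            if ptr is None:
                findings.append((name, f"no PTR record for {data}"))
            elif ptr != name:
                findings.append((name, f"PTR for {data} points to {ptr}"))

    if not any(rtype == "MX" for _, rtype, _ in forward):
        findings.append(("zone", "no MX record"))
    return findings


if __name__ == "__main__":
    for owner, problem in lint_zone(FORWARD, REVERSE):
        print(f"{owner:28} {problem}")
```

Run against the sample zone it reports six findings: the dangling ns2 NS record, the CNAME at bigserver that shares its name with an A record, the underscore and missing PTR for file_share, and the all-numeric label plus stale PTR for 2003. The www alias and the records with matching PTRs pass, which is the point of keeping CNAMEs to the WWW and FTP cases the text allows.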

Check that the _msdcs folder exists and is populated with lots of records. If not, try restarting the Netlogon service. While I am not a great fan of rebooting in Windows 2003, on this occasion I would try a reboot to see if that causes _msdcs to be populated. It may be worth a quick look in the system event log; perhaps your DNS problem is a symptom of a bigger problem and not the underlying cause.

Troubleshooting Methods

Ask: 'what has changed recently?' What were the last settings to change? Has any hardware changed? If so, reverse engines: revert to how it was and see if that cures the problem. Can you reproduce the problem? Can you make the fault reoccur? If so, write down any error messages and go to TechNet and experiment with different combinations of key words from the event viewer or message box. Look for patterns. Pattern recognition is a vital troubleshooting skill. So, spot what is out of the ordinary, such as a resource record that is different, or a spelling mistake in a forwarder name.

I have noticed that people approach problem solving in two distinct ways. I'll call the first method the 'techie' approach and the second the Henry Ford method. Legend has it Henry Ford knew little about car manufacturing but had a row of buttons: blue for an engine expert, red for electrical, etc. At this point I assume that you have been using the 'techie' approach and sadly it has not worked for your problem. If so, then give the Henry Ford method a chance: now is the time to press your buttons. When you are stuck, it's time to call in favours. Phone a friend! Ask for help. Which expert do you know, what is their email address, or better still their mobile number? Contact the most likely people, explain the problem and appeal to their problem solving skills.

The Event Log

Microsoft have provided a clue by situating a copy of the DNS Event log right underneath the server icon. So take advantage of this invitation to search for error messages and look up the Event ID in TechNet.

Assemble the Toolkit

Command Prompt
1. PING
2. IPCONFIG /flushdns /registerdns /displaydns

3. TraceRt (Trace route)
4. Route Print
5. NSLookup
6. DNSLint (See more here on DNSLint)
7. DNSCmd
8. NetDiag and DCDiag (See more here on NetDiag)

DNS Server Icon
1. Monitoring (Tab)
2. Root Hints (Tab) - Do you need them?
3. Event Viewer - DNS log
4. Debug Logging (Tab)

Summary of Troubleshooting DNS

The secret of troubleshooting DNS is to follow a structured plan. Play the detective and ask questions. Write down changes that you have made. Make it a habit to collect a wide variety of utilities, from Ping to DNSLint.

Debug Logging for DNS in Windows Server 2003

Why would you use DNS debug logging? The answer is to track down problems with DNS queries, updates or notification errors. Perhaps the most common problem is why a DNS query results in an unknown server error when you know the domain name is valid.

Scenarios for creating a DNS Debug Log
Web page not found - 404 error.
Cannot find a server by its UNC path.
Email delivery error.
Secondary DNS servers do not receive notifications or updates.

Where do you find the debug log settings? Open the DNS snap-in, click on the server icon itself, Properties. (No use looking on Forward Lookup Zones.)

Make sure that you enter a valid path and filename in the box at the bottom called: File path and name. See diagram. Note: always turn off the log when you finish, otherwise the processor will be stressed unnecessarily.

Interpreting the Debug log

The trick to deciphering the log is to parse or divide up the line, for example Rcv Q (Incoming Request Query) or Snd R Q (Outgoing Response to Query). It helps to look for patterns. Watch out for error codes, for example NXDOMAIN, indicating a problem with the query, or NOERROR, good news. The debug information gets appended to the log with the latest information at the bottom.

Here are two examples from my Windows Server 2003 Debug Log e:\log\wed.log:

Example 1 - Query success!
PACKET UDP Snd 10.0.0.1 R Q [8085 A DR NOERROR] (8)LLANELLI(2)cp(3)com(0)
Here the query sent to 10.0.0.1 successfully resolved a machine called LLANELLI at cp.com.

Example 2 - Query Failure
PACKET UDP Snd 10.0.0.1 R Q [8385 A DR NXDOMAIN] (7)EZINE(2)cp(3)com(0)
In this example the query returned NXDOMAIN, meaning it has no record of a machine called EZINE.

Error Code   Explanation
NOERROR      Success. Good news. What you want! No problem.
NXDOMAIN     The query name does not exist. I have no record for this host.
SERVFAIL     Most likely a temporary problem causing a timeout error. With luck the retry will work.
NOTAUTH      This server is not authoritative for the domain in the query. Could be a secondary server trying to transfer a zone from this server; however, this server is not the SOA.
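The 'parse or divide up the line' advice above can be automated. The following is an added example, not code from the original page: a small parser for packet lines in the shape of the two examples, which splits out protocol, direction, peer address, request versus response, the RCODE from the square brackets and the length-prefixed name, then summarises which lookups failed. The field layout (an optional leading timestamp and transaction id, 'R' marking a response, RCODE as the last token in the brackets) is an assumption drawn from those two lines, and SAMPLE_LOG is constructed for the demonstration.

```python
"""Added example (not code from the original page): a parser for the
packet lines of a Windows DNS debug log in the shape shown above, plus a
summary of response codes. The field layout is an assumption drawn from
the two lines in the text; SAMPLE_LOG is constructed for the demo."""
import re
from collections import Counter

# Meanings as listed in the error code table.
RCODE_MEANING = {
    "NOERROR": "success",
    "NXDOMAIN": "the query name does not exist",
    "SERVFAIL": "temporary failure / timeout, retry may work",
    "NOTAUTH": "server not authoritative for the domain in the query",
    "REFUSED": "refused, check permissions (e.g. zone transfer)",
}

PACKET_RE = re.compile(
    r"PACKET\s+(?P<proto>UDP|TCP)\s+(?P<dir>Snd|Rcv)\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?:\S+\s+)*?"                         # optional XID or other tokens
    r"(?P<resp>R\s+)?Q\s+\[(?P<flags>[^\]]*)\]\s+"
    r"(?:(?P<rrtype>[A-Z]+)\s+)?"           # optional record type
    r"(?P<name>(?:\(\d+\)[^()\s]*)+)"       # (8)LLANELLI(2)cp(3)com(0)
)


def decode_name(wire):
    """Turn '(8)LLANELLI(2)cp(3)com(0)' into ('LLANELLI.cp.com', True).
    The flag is False when a length prefix disagrees with its label,
    which is how a truncated or hand-edited line shows itself."""
    labels, lengths_ok = [], True
    for length, label in re.findall(r"\((\d+)\)([^()\s]*)", wire):
        if int(length) != len(label):
            lengths_ok = False
        if label:
            labels.append(label)
    return ".".join(labels), lengths_ok


def parse_line(line):
    """Return a dict for a packet line, or None for anything else."""
    m = PACKET_RE.search(line)
    if not m:
        return None
    flags = m.group("flags").split()
    name, ok = decode_name(m.group("name"))
    return {
        "proto": m.group("proto"),
        "direction": "outgoing" if m.group("dir") == "Snd" else "incoming",
        "peer": m.group("ip"),
        "kind": "response" if m.group("resp") else "request",
        "rcode": flags[-1] if flags else "",
        "name": name,
        "name_ok": ok,
    }


def summarise(log_text):
    """Count the RCODE of every response and list the non-NOERROR ones."""
    counts, failures = Counter(), []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["kind"] != "response":
            continue
        counts[rec["rcode"]] += 1
        if rec["rcode"] != "NOERROR":
            meaning = RCODE_MEANING.get(rec["rcode"], "unknown code")
            failures.append((rec["name"], rec["rcode"], meaning))
    return counts, failures


# Constructed sample: lines modelled on the two in the text, plus an
# incoming query and a refused TCP request as a server might log them.
SAMPLE_LOG = """\
PACKET UDP Snd 10.0.0.1 R Q [8085 A DR NOERROR] (8)LLANELLI(2)cp(3)com(0)
PACKET UDP Snd 10.0.0.1 R Q [8385 A DR NXDOMAIN] (5)EZINE(2)cp(3)com(0)
PACKET UDP Rcv 10.0.0.50 Q [0001 D NOERROR] (5)EZINE(2)cp(3)com(0)
PACKET TCP Snd 10.0.0.77 R Q [8081 DR REFUSED] (2)cp(3)com(0)
"""

if __name__ == "__main__":
    counts, failures = summarise(SAMPLE_LOG)
    print(dict(counts))
    for name, rcode, meaning in failures:
        print(f"{name}: {rcode} ({meaning})")
```

Only responses are counted, so the incoming Rcv Q line contributes nothing to the totals; the REFUSED line over TCP is the kind of entry the REFUSED row in the table describes, and the name_ok flag is a cheap sanity check that the length prefixes match the labels before you trust a name pulled from the log.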

REFUSED      Security problem. Check permissions. Could be a request for a zone transfer which is refused because the requestor does not have permission. Could also be the result of an email check (a problem seen with email transfer): we do not like your domain because we cannot reply to it, so as a result we will not accept your incoming mail.

Filtering the log

Either you can filter the log so that it only captures particular data, or else you can use Find in the resultant log to track down the server name you are interested in. Possible filters include the following pairs: UDP or TCP; Incoming or Outgoing; Request or Response.

Summary

If you experience DNS connectivity problems, create a Debug log. Navigate to the DNS server icon, find the Debug Logging tab and set a path to the filename which stores the data.

DNSLint troubleshooting Utility for DNS

I am always on the lookout for a good new Microsoft utility. DNSLint is my current favourite. For basic connectivity errors you cannot beat Ping and Ipconfig. But what if they don't solve the problem? The answer is to try DNSLint. As a bonus it displays the information as HTML.

Topics for DNSLint
Displays port numbers - /d /s
Troubleshooting Email with DNSLint - /c
Checking Active Directory with /ad
DNS Sample Report
HTML output
Where does DNSLint come from?
Getting started with DNSLint

Displays port numbers - /d /s

Firewall problems plague me, so my killer feature of DNSLint is that it displays port numbers, e.g. TCP 53, 25 SMTP and 110 POP. Perhaps this .htm output is the start of a new trend by Microsoft to replace the DOS output of command line utilities with permanent files.

It is possible this only works if the ports are the defaults, for example SMTP or POP3. By accident I discovered that to get the most out of DNSLint I needed a reverse lookup zone. I say by accident as I normally set up a reverse lookup zone as best practice. But I went to a customer's site and got egg on my face when DNSLint would not display correctly. I blamed the customer - but only under my breath!

HTML output

The second and subsequent times you run DNSLint, append the /y switch, meaning overwrite the dnslint.htm file. Even better, use /r and specify your own filename, for example /r serverx, or /t if you prefer a text file. (Who remembers to pipe the output of Ipconfig to a text file?)

Troubleshooting Email with DNSLint - /c

Another feature of DNSLint is that it displays MX records, which will assist in tracking down email delivery problems. For further email testing, try the /c switch. To be clear, if you just want to test SMTP the command would be:

DNSLint /d guybay.com /c smtp

Checking Active Directory - /ad

To tell the truth I was disappointed with this /ad switch. To be fair, it is only designed to troubleshoot forest replication. However, I was hoping for a list of _gc or _dc records.

Where does DNSLint come from?

The first question that I ask about any utility is where do you find it? In the case of DNSLint the answer is: the Support Cabinet on the Windows Server 2003 CD. Does DNSLint work with Windows 2000? Yes, just provided you have access to the Windows Server 2003 CD.

Getting started with DNSLint - /d /s

As with many of Windows 2003's command line utilities there is a whole bank of switches. To get started try DNSLint /d yourdom.com. However, there is a trap with /d if you are NOT connected to the internet. You must add another switch: /s server IP. Technically /s avoids the timeout when DNSLint tries to contact the InterNIC whois. Example: go to the command line and type:

DNSLint /d yourdom.net /s 10.0.1.50

I even tried the /v (Verbose) mode - but no dice, just the bare bones of the Glue record for Active Directory Forest replication.

DNS Sample report

DNSLint Report System Date: Wed Jan 26 09:47:25 2005
Command run: dnslint /d computerperformance.co.uk /s 10.1.3.20
Domain name tested: computerperformance.co.uk

The following 4 DNS servers were identified as authoritative for the domain:

DNS server: dns1.cp.computerperformance.co.uk
IP Address: 10.1.3.20
Responding to queries: YES
UDP port 53 responding to queries: YES
TCP port 53 responding to queries: Not tested
Answering authoritatively for domain: YES
SOA record data from server:
  Authoritative name server: dns.computerperformance.co.uk
  Hostmaster: msnhst.computerperformance.co.uk
  Zone serial number: 54234
  Zone expires in: 83.33 day(s)
  Refresh period: 900 seconds
  Retry delay: 600 seconds
  Default (minimum) TTL: 7200 seconds
Additional authoritative (NS) records from server:
  dns1.cp.computerperformance.co.uk  10.1.3.20
  dns1.dc.computerperformance.co.uk  10.1.3.11
  dns1.computerperformance.co.uk     10.1.3.151
  dns1.sj.computerperformance.co.uk  10.1.3.37
Host (A) records for domain from server:
  10.107.230.218
  10.107.230.219
  10.107.230.220
  10.197.68.100
  10.197.68.102
Mail Exchange (MX) records from server (preference/name/IP address):
  10 maila.computerperformance.co.uk 10.128.232.124
  10 mailb.computerperformance.co.uk 10.97.0.122
  10 mailc.computerperformance.co.uk 10.1.197.126
-----------------------------------------------------------------------
DNS server: dns1.dc.computerperformance.co.uk
IP Address: 10.1.3.11
Responding to queries: YES
Answering authoritatively for domain: YES
SOA record data from server:
  Authoritative name server: dns.computerperformance.co.uk
  Hostmaster: msnhst.computerperformance.co.uk
  Zone serial number: 54234
  Zone expires in: 83.33 day(s)
  Refresh period: 900 seconds
  Retry delay: 600 seconds
  Default (minimum) TTL: 7200 seconds
Additional authoritative (NS) records from server:
  dns1.cp.computerperformance.co.uk  10.1.3.20
  dns1.dc.computerperformance.co.uk  10.1.3.11
  dns1.computerperformance.co.uk     10.1.3.151
  dns1.sj.computerperformance.co.uk  10.1.3.37
Host (A) records for domain from server:
  10.107.230.218
  10.107.230.219
  10.107.230.220
  10.197.68.100
  10.197.68.102
Mail Exchange (MX) records from server (preference/name/IP address):
  10 maila.computerperformance.co.uk 10.128.232.124
  10 mailb.computerperformance.co.uk 10.97.0.122
  10 mailc.computerperformance.co.uk 10.1.197.126
-----------------------------------------------------------------------
DNS server: dns1.computerperformance.co.uk
IP Address: 10.1.3.151
Responding to queries: YES
Answering authoritatively for domain: YES
SOA record data from server:
  Authoritative name server: dns.computerperformance.co.uk
  Hostmaster: msnhst.computerperformance.co.uk
  Zone serial number: 54234
  Zone expires in: 83.33 day(s)
  Refresh period: 900 seconds
  Retry delay: 600 seconds
  Default (minimum) TTL: 7200 seconds
Additional authoritative (NS) records from server:
  dns1.cp.computerperformance.co.uk  10.1.3.20
  dns1.dc.computerperformance.co.uk  10.1.3.11
  dns1.computerperformance.co.uk     10.1.3.151
  dns1.sj.computerperformance.co.uk  10.1.3.37
Host (A) records for domain from server:
  10.107.230.218
  10.107.230.219
  10.107.230.220
  10.197.68.100
  10.197.68.102
Mail Exchange (MX) records from server (preference/name/IP address):
  10 maila.computerperformance.co.uk 10.128.232.124
  10 mailb.computerperformance.co.uk 10.97.0.122
  10 mailc.computerperformance.co.uk 10.1.197.126
-----------------------------------------------------------------------
DNS server: dns1.sj.computerperformance.co.uk
IP Address: 10.1.3.37
Responding to queries: YES
Answering authoritatively for domain: YES
SOA record data from server:
  Authoritative name server: dns.computerperformance.co.uk
  Hostmaster: msnhst.computerperformance.co.uk
  Zone serial number: 54234
  Zone expires in: 83.33 day(s)
  Refresh period: 900 seconds
  Retry delay: 600 seconds
  Default (minimum) TTL: 7200 seconds
Additional authoritative (NS) records from server:
  dns1.cp.computerperformance.co.uk  10.1.3.20
  dns1.dc.computerperformance.co.uk  10.1.3.11
  dns1.computerperformance.co.uk     10.1.3.151
  dns1.sj.computerperformance.co.uk  10.1.3.37
Host (A) records for domain from server:
  10.107.230.218
  10.107.230.219
  10.107.230.220
  10.197.68.100
  10.197.68.102
Mail Exchange (MX) records from server (preference/name/IP address):
  10 maila.computerperformance.co.uk 10.128.232.124
  10 mailb.computerperformance.co.uk 10.97.0.122
  10 mailc.computerperformance.co.uk 10.1.197.126

-----------------------------------------------------------------------
Legend: warning, error.
DNSLint developed by Tim Rains.

Summary

Do you have a problem with DNS? Investigate solutions with DNSLint. Not only will you get a friendly HTML output, but it will display port numbers and Glue records for Active Directory replication.

Windows Server Update Services - WSUS

My goal is to persuade you to download WSUS (Windows Server Update Services) for your Windows 2003 Domain. The WSUS program is free from Microsoft, the concept is sound, what have you got to lose?

Topics for WSUS
Introduction to WSUS
3 Elements of WSUS
Installing WSUS
Configuring WSUS
WUS in a name?

Introduction to WSUS

The principle behind WSUS is that your Windows 2003 server contacts Microsoft's master update service on the internet and copies down all the patches, security updates and hotfixes locally. If you have the time you can test and then 'Approve' the patches before your XP or Vista clients update from their local WSUS server. When time is short you can omit the approval stage, or just give the patches a quick look. As a bonus you can create a Group Policy to control who gets what and when. For example, apply patches to XP computers in the Accounts OU at 02:00hrs.

3 Elements of WSUS
1. WSUS itself, the service which runs on the Windows 2003 (Member) server.
2. AU, which runs on the clients (XP or Vista).
3. Group policy, which regulates which clients get which patches.

What WSUS does is work with Intellimirror and Group Policy to support XP clients. Network administrators that I have talked to prefer the 'Approve' method because they like to control which SUS patches to let out onto their network. Alternatively, you can bypass approval and let Group Policy roll out the patches just as they come from Microsoft's site.

Installing WSUS Server Side
1) Download the WSUS product as a .msi from Microsoft (no worries, it's free).
2) Make sure that your server is running at least IIS v5.0.
3) Run the installation Wizard.
4) On the server, you need at least 500MB disk space per locale.

How to Install AU clients

Apply SP2 on XP or SP3 on Windows 2000 Pro; that's all you need to do on the client side. The rest of the install is handled by Group Policy. The group policy template wuau.adm is responsible for the WSUS updates. This wuau.adm comes automatically with Windows Server 2003.

Configuring WSUS on the Server

As I mentioned earlier, SUS needs IIS v5.0, so here is the clue that you configure it by typing http://ServerName/susadmin in the browser. Once installed, you need to 'Set Options' to align the configuration with your network. When you have downloaded and checked the updates, you can select the patches or hotfixes that are needed and then 'Approve' the update. After that Group Policy takes over and distributes the approved updates to the clients. Microsoft have always been good at providing logs, and SUS is no different: you can easily check which patches have been approved and when your server synchronized with the Microsoft master server on the web.

WUS in a name?

WSUS (3.0) used to be called WUS (2.0). It seemed that whoever trawled the world's languages checking that the acronym is not rude missed Welsh. In Welsh WUS could mean a friend, as in 'Watch ya wus, dew bach'. WUS could also mean, unfortunately for Microsoft, an idiot, a fool: 'Dew, that new scrum half is a bit of a wus'. Thus a few years back Microsoft discreetly phased out the word WUS and heralded son of WUS - WSUS.

WSUS (Windows Update Service) will enable you to update Office, SQL Server, and other Microsoft products. SUS on the other hand neither supports Windows 9x nor does it support Microsoft Office. Watch out for WSUS, currently in version 3.0.

Summary

What are you waiting for? I challenge you to download SUS from Microsoft's site, install, test and then approve the updates. Finally, do not neglect to control SUS via Group Policy.

FSMO (Flexible Single Master Operations)

There are times when you may need to change the Domain Controller which holds one of the 5 FSMO roles. Either you could be facing a disaster recovery, where you have lost the first Windows 2003 Domain Controller, or you are organized and want to get the most out of your Active Directory Forest. Although you rarely need to deal with Microsoft's FSMO, there is the feeling that knowledge of these Operations Masters gives you power over your Windows 2003 Servers.

Topics for FSMO
Background of Operations Masters
5 FSMO Roles
Checking which DC holds which FSMO role
The 'Knack' of Changing Operations Master
Advice and Troubleshooting FSMO

Background of Operations Masters

For most Active Directory operations, Windows 2003 uses the multiple master model. The benefit is you can add a computer, or change a user's password, on any domain controller. For example, if you have three domain controllers, you can physically create a new computer account in the NTDS.dit database on any of the three. Within five minutes (15 seconds in Windows 2003), the new computer object will be replicated to the other two domain controllers. Technically, the Microsoft multiple master model uses a change notification mechanism.

Occasionally problems arise if two administrators perform duplicate operations before the next replication cycle. For example, you created an OU called Accounts last week; today, at the same instant you create new users in that OU, another administrator on another DC deletes that OU. Active Directory does its best to obey both administrators.

0 BDC's. synchronizing the W32Time service and creating group policies.best to obey both administrators. Emulating a PDC is the most famous example of such a Single Master Operation.Responsible for checking objects in other other domains. Rather like the Domain naming master. . To me. It deletes the OU and creates the Users.g. So if the Infrastructure master could not check your Universal Groups there could be a security breach. you would not want there to be a mistake which crippled your forest. the result is the users are added to the orphaned objects in the 'LostAndFound' folder. creating a new child domain would be another example. RID Master .Each object must have a globally unique number (GUID). click: Advanced Features.Most famous for backwards compatibility with NT 4. However. and save the tiny risk of getting duplicate names or orphaned domains. so the fact that this is a FSMO does not impact on normal domain activity. a) You are a member of a Universal Group in another domain and b) that group has been assigned Deny permissions. changing the schema is a rare event. and the Active Directory task must only be carried out on one Domain Controller.chaos. Imagine what would happen if two administrators tried to make different changes to the same schema object . It was worth investigating how Active Directory handles orphaned objects because the point of FSMO is that a few operations are so critical that only one domain controller can carry out that process.Operations that involve expanding user properties e. but as it cannot create the Users in the OU because it was deleted. PDC Emulator . 4. there are two other FSMO roles which operate even in Windows 2003 Native Domains. 5. Universal group membership is the most important example. You can troubleshoot what has happed by locating the 'LostAndFound' folder in Active Directory Users and Computers. FSMO roles: 1. From the View Menu in Active Directory Users and Computer. Domain Naming Master . Schema Master . 
So its a case of Microsoft know best. Infrastructure Master . My point is it's worth the price to confine joining and leaving the domain operations to one machine. 2. The Five FSMO Roles There are just five operations where the usual multiple master model breaks down. For example DC one is given RIDs 1-4999 and DC two is given RIDs 5000 9999. Exchange 2003 / forestprep which adds mailbox properties to users. How often do child domains get added to the forest? Not very often I suggest. 3.Ensures that each child domain has a unique name. That is why administrators can only change the schema on one Domain Controller. it seems as though the operating system is paranoid that. The RID master makes sure each domain controller issues unique numbers when you create objects such as users or computers. I admit that it is confusing that these two jobs have little to do with PDCs and BDCs. However if you have a team of Schema Administrators all experimenting with object properties.

PDC.) The Schema Master (5. Right Click.) are unique to the entire forest. 2. Operations Master. however its not a FSMO role as you can have more than one Global Catalog. if you have three domains there will be 3 PDC emulators.) are held in each domain. However.the Schema Master should be a Single Master Operation and thus a FSMO role.don't mess with the object definitions. RUN regsvr32 schmmgmt. See the 'Knack' for changing Operation Master Domain Naming Master (4. Active Directory Domains and Trusts. 5. Active Directory Schema 3) Select Active Directory Schema. 2. whilst two (4. and 3. (There is a also an important Global Catalog Role. File menu. but only 1 Schema Master. Right click your Domain and select Properties.) You can discover which server holds the Operation Master by opening Active Directory Users and Computers. and 3. Infrastructure (1. you can reveal the Schema and its FSMO settings thus: 1) Register the Schema Snap with this command. Operations Masters. click the Add button and select.) is the most difficult FSMO to find.dll 2) Run MMC. Thus. Schema Master (5.) To see the Domain Naming Master (4.). Checking which DC holds which FSMO role RID. navigate to the little used. The reason is the Schema snap-in is hidden by default. Add\Remove Snap-in. Perhaps is this is Microsoft saying . Operations Masters. See more on Global Catalog Server) How many FSMO Domain controllers in your Forest? Three of the FSMO roles (1. Right click your Domain and select Properties. See the 'Knack' for changing Operation Master Footnote .
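The RID Master's single-master step, as an added example that is not from the original page: a toy model in which only the RID master hands out RID ranges, while any domain controller mints SIDs from the range it was given. The domain SID, DC names and pool size are constructed (Windows' real default pool size differs from the 1-4999 / 5000-9999 illustration above); what the model preserves is the invariant that ranges come from one counter and can never overlap.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class RidMaster:
    """The FSMO holder: the only place in the domain that issues RID ranges.

    Constructed example: domain SID and pool size are made up, but the
    invariant is the real one: ranges are cut from a single counter, so
    two DCs can never be handed overlapping RIDs.
    """
    domain_sid: str
    pool_size: int = 5000
    next_rid: int = 1
    issued: List[Tuple[str, int, int]] = field(default_factory=list)

    def allocate_pool(self, dc_name: str) -> Tuple[int, int]:
        start = self.next_rid
        end = start + self.pool_size - 1
        self.next_rid = end + 1
        self.issued.append((dc_name, start, end))
        return start, end


@dataclass
class DomainController:
    """Any DC: creates objects locally (multiple master) and only contacts
    the RID master when its private pool runs out."""
    name: str
    master: RidMaster
    pool: Tuple[int, int] = (0, -1)            # empty until the first request
    created: Dict[str, str] = field(default_factory=dict)

    def _next_rid(self) -> int:
        lo, hi = self.pool
        if lo > hi:                             # pool exhausted: the one single-master call
            lo, hi = self.master.allocate_pool(self.name)
        self.pool = (lo + 1, hi)
        return lo

    def create_object(self, sam_name: str) -> str:
        """Mint the SID for a new user or computer: domain SID plus a RID."""
        sid = f"{self.master.domain_sid}-{self._next_rid()}"
        self.created[sam_name] = sid
        return sid


def all_sids_unique(dcs: List[DomainController]) -> bool:
    """The property the RID master exists to guarantee across every DC."""
    sids = [sid for dc in dcs for sid in dc.created.values()]
    return len(sids) == len(set(sids))


def demo() -> Tuple[str, str, str, bool]:
    """Two DCs creating objects 'at the same instant' never collide.

    A pool size of 3 is used so that a refill shows up quickly."""
    master = RidMaster(domain_sid="S-1-5-21-1000-2000-3000", pool_size=3)
    dc1 = DomainController("DC1", master)
    dc2 = DomainController("DC2", master)
    alice = dc1.create_object("alice")         # DC1 receives 1-3, uses RID 1
    bob = dc2.create_object("bob")             # DC2 receives 4-6, uses RID 4
    dc1.create_object("carol")                 # RID 2
    dc1.create_object("dave")                  # RID 3, DC1's pool is now empty
    eve = dc1.create_object("eve")             # DC1 receives 7-9, uses RID 7
    return alice, bob, eve, all_sids_unique([dc1, dc2])


if __name__ == "__main__":
    print(demo())
```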

I have to confess a hidden agenda with FSMO. If I want to instantly know how well someone knows Active Directory, I introduce FSMO into the conversation and watch their reaction. Professionals will know what FSMO means and its significance, amateurs just frown.

Who is this Group Policy Section for?
Administrators who want to plan their Windows 2003 Group Policy. Experienced network managers who wish to lock down their users' Start menu. Network Architects who need to turn a desktop vision into reality. Those upgrading from Windows 9x or NT 4 who want an overview of XP policies.

What are Windows 2003 Group Policies?
If you desire, Group Policies can control every aspect of a computer desktop. Whilst the plan is to control the configuration of both the user and the computer settings, the technique is to define each setting once in an Active Directory Group Policy. For example, if you need to change everyone's proxy server, then add the IP addresses to a Group Policy rather than edit every copy of Internet Explorer manually.

Group Policy Overview
It may help to remember that Group Policies manipulate registry values, so if the item that you want to control is in the registry, then it can be set by a policy. Where registry keys do not have ready-made policies, it is possible to create your own policy templates. However, designing your own templates would be a specialist job for your developers. Some say there are 700+ built-in policies for XP, while others tell me that there are over 850. Whatever the exact total, the point is that Group Policies are here to stay, and that each new version of Windows will bring yet more settings to organize the desktop. Here are the commonest policy categories for XP / Windows Server 2003. Incidentally, Windows Server 2003 SP1 added hundreds more Group Policies, particularly to the Inetres (Internet Explorer) section.
Security settings: passwords, including length, frequency of change and lockout duration.
Desktop settings: which icons appear, and which features are hidden.
Software assigned to the user: which programs are available from the Start menu.
Folder redirection: where 'My Documents' is stored.
Settings which dictate the operating system behaviour, for example, disabling unnecessary services such as IIS or telnet.

Guy's Group Policy Mission

My mission is to bring each Group Policy category or folder to life. I want to save you time by concentrating on what I consider are the best settings in each Group Policy folder. Look out for 'Guy's top selections' on each page. Occasionally, I express an opinion that a policy is of limited use - no sitting on the fence! However, even if a policy is only needed for specialist configurations, I still point out its purpose, just in case it applies to your situation. Before you begin evaluating policies, I urge you to decide on the security rating of your organization. It is important to have a reference point, otherwise it will be difficult to gain a perspective of what makes sense for your users. My advice is aimed at those who need medium security settings for their domains; therefore, if you are a high or low security company then make the necessary adjustments when assessing my selections. Remember that the more security you enforce, the more work there will be for you. For instance, do not insist on 14 letter, complex passwords just because they are the highest settings. However, if there is a good business case for this level of security, then fair enough, but do take on extra help desk staff to cope with the resultant password lockouts.

Pre-requisites for creating policies
The advice and screen shots in this section are designed for Windows Server 2003, however many of the settings are available in Windows 2000.
You have installed the GPMC (Group Policy Management Console).
You create a test OU. (Not essential, but safer than using the default domain policy.)
Right click your OU, Properties, Group Policy. Click on Open.
Right click on your OU, and select 'Create and Link a GPO Here..'
Right click your policy, then Edit.

Active Directory Users, Computers, and Groups
Operating System

Abstract
In the Microsoft® Windows® 2000 operating system, the Active Directory™ service provides user and computer accounts and distribution and security groups. The operating system integrates user, computer, and group security with the Windows 2000 security subsystem as a whole. This paper introduces administrators unfamiliar with Windows 2000 to the way users, computers, and groups are organized and how user authentication and authorization are used to provide security.

On This Page
Introduction
Active Directory User and Computer Accounts
Active Directory Groups
User Authentication
User Authorization
Summary
Appendix A: Built-in, Predefined, and Special Groups
Appendix B: User Rights

Introduction
A great part of network administration involves management of users, computers, and groups. A successful operating system must ensure that only properly authenticated users and computers can log on to the network and that each network resource is available only to authorized users. In the Microsoft® Windows® 2000 operating system, the Active Directory™ service plays several major roles in providing security. Among these roles are the efficient and effective management of user logon authentication and user authorization. Both are central features of the Windows 2000 security subsystem and both are fully integrated with Active Directory.

Active Directory user authentication confirms the identity of any user trying to log on to a domain and lets users access resources (such as data, applications, or printers) located anywhere on the network. A key feature of Windows 2000 user authentication is its single sign-on capability, which makes multiple applications and services available to the user over the network without the user having to provide credentials more than once.

Active Directory user authorization secures resources from unauthorized access. After a user account has received authentication and can potentially access an object, the type of access actually granted is determined by what user rights are assigned to the user and which access control permissions are attached to the objects the user wishes to access. In the case of Active Directory objects, access control can be defined not only for each object in the directory but also for each property of each object.

This paper describes Windows 2000 users, computers, and groups from the perspective of security, with an emphasis on the security issues of authentication and authorization. The following sections cover these topics:
• Active Directory User and Computer Accounts
• Active Directory Groups
• User Authentication
• User Authorization

For security topics not covered in this paper and for information about the structure of Active Directory (including Active Directory objects, domains, trees, forests, organizational units, sites, trusts, and security policies), see the section "For More Information" at the end of this document.

Concepts
The following definitions will help you understand the basic concepts that are used throughout the paper:
• User rights are assigned to groups (or users). User rights include both privileges (such as Back Up Files and Directories) and logon rights (such as Access this Computer from Network).
• Access control permissions (such as Read, Write, Full Control, or No Access) are attached to Windows 2000 objects. An object is a distinct, named set of attributes, and includes shared resources such as servers, shared volumes, and printers, as well as domains, network user and computer accounts, services, applications, and security policies. (For a list of all object types, see the section "Object Types, Managers, and Tools.")

Access token. Each time a user logs on, Windows 2000 creates an access token. The access token is a representation of the user account and contains the following elements:

Individual SID. Security identifier (SID) representing the logged-on user

Group SIDs. SIDs representing the logged-on user's group memberships

User Rights. Privileges (associated with each SID) granted to the user or to groups to which the user belongs

When the user tries to access an object, Windows 2000 compares each SID in the user's access token to entries in an object's discretionary access control list (DACL) to determine whether the user has permission to access the object and, if access is allowed, what type of access it is. In some cases, user rights in the user's token may override the permissions listed in the DACL and access may be granted that way.

An access token is not updated until the next logon, which means that if you add a user to a group, the user must log off and log on before the access token is updated.

Security identifier (SID). A SID is a code that uniquely identifies a specific user, group, or computer to the Windows 2000 security system. A user's own SID is always attached to the user's access token. When a user is made a member of a group, the SID for that group is also attached to the user's access token.

Access Control List (ACL). Each Active Directory object (as well as each file, registry key, and so on) has two associated ACLs:

DACL. The discretionary access control list (DACL) is a list of user accounts, groups, and computers that are allowed (or denied) access to the object.

SACL. The System Access Control List (SACL) defines which events (such as file access) are audited for a user or group.

Access Control Entry (ACE). A DACL or SACL consists of a list of Access Control Entries (ACEs), where each ACE lists the permissions granted or denied to the users, groups, or computers listed in the DACL or SACL. An ACE contains a SID with a permission, such as Read access or Write access. Windows 2000 combines access permissions—if you have Read access to an object because you are a member of Group A and if you have Write access because you are a member of Group B, you have both Read and Write access to the object. However, if you have No Access as a member of Group C, you will not have access to the object. Figure 1 shows how a user's access token and an object's DACL let the user (in this case) access the object. When the user, Adam, requests access to the payroll file object, Windows 2000 compares each SID in Adam's access token to each ACE in the DACL to see if access is explicitly denied to Adam or to any group to which Adam belongs. It then checks to see if the requested access is specifically permitted. Windows repeats these steps until it encounters a No Access or until it has collected all the necessary permissions to grant the requested access. If the DACL does not specifically allow permission for each requested access, access is denied.

Figure 1: User authentication creates an access token for the user. The access token contains the user's primary SID, together with the SIDs of any groups to which the user belongs. This user is authorized to access this domain resource, a payroll file.
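The ACE walk just described, as an added example that is not part of the original paper, run over Adam's payroll request: a token snapshot built at logon, a DACL walked in order with deny winning and allows accumulating, and the log-off/log-on behaviour from the "Access token" definition. The SIDs, access-mask bits and group names are constructed, and the DACL is assumed to be in the usual deny-before-allow order.

```python
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set

# Constructed access rights as bit flags (real Windows access masks are wider).
READ, WRITE, EXECUTE = 0x1, 0x2, 0x4
NO_ACCESS_MASK = READ | WRITE | EXECUTE       # "No Access" = deny every right

DOMAIN = "S-1-5-21-1000-2000-3000"            # constructed domain SID


@dataclass(frozen=True)
class ACE:
    """One access control entry: a SID plus the rights it allows or denies."""
    sid: str
    deny: bool
    mask: int


@dataclass(frozen=True)
class AccessToken:
    """Snapshot of the user's own SID and group SIDs, taken at logon."""
    user_sid: str
    group_sids: FrozenSet[str]

    @property
    def sids(self) -> Set[str]:
        return {self.user_sid} | set(self.group_sids)


def logon(user_sid: str, membership: Dict[str, Set[str]]) -> AccessToken:
    """Build the token once; later group changes do not touch this token."""
    return AccessToken(user_sid, frozenset(membership.get(user_sid, set())))


def access_check(token: AccessToken, dacl: List[ACE], requested: int) -> bool:
    """Walk the DACL in order, as the text describes.

    A deny ACE matching any SID in the token that covers any requested
    right stops the check; allow ACEs accumulate; the walk ends as soon
    as every requested right has been granted, and anything still
    missing at the end of the list means access is denied. Order
    matters: a DACL is assumed to list its deny ACEs first.
    """
    granted = 0
    for ace in dacl:
        if ace.sid not in token.sids:
            continue
        if ace.deny:
            if ace.mask & requested:
                return False
        else:
            granted |= ace.mask & requested
            if granted == requested:
                return True
    return granted == requested


def payroll_scenario() -> Dict[str, bool]:
    """The Group A / Group B / Group C example from the text, run end to end."""
    adam = f"{DOMAIN}-1105"
    group_a, group_b, group_c = f"{DOMAIN}-2001", f"{DOMAIN}-2002", f"{DOMAIN}-2003"
    payroll_dacl = [
        ACE(group_c, deny=True, mask=NO_ACCESS_MASK),    # No Access for Group C
        ACE(group_a, deny=False, mask=READ),             # Read via Group A
        ACE(group_b, deny=False, mask=WRITE),            # Write via Group B
    ]
    membership = {adam: {group_a, group_b}}
    token = logon(adam, membership)
    results = {
        "read": access_check(token, payroll_dacl, READ),
        "read+write": access_check(token, payroll_dacl, READ | WRITE),
        "execute": access_check(token, payroll_dacl, EXECUTE),
    }
    # Add Adam to Group C now: the token he already holds is unchanged ...
    membership[adam].add(group_c)
    results["read, same session"] = access_check(token, payroll_dacl, READ)
    # ... but a fresh logon picks up Group C and the deny ACE applies.
    results["read after re-logon"] = access_check(logon(adam, membership), payroll_dacl, READ)
    return results


if __name__ == "__main__":
    for name, ok in payroll_scenario().items():
        print(f"{name}: {'granted' if ok else 'denied'}")
```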

Active Directory User and Computer Accounts
The Windows 2000 operating system uses a user or computer account to authenticate the identity of the user or computer and to authorize or deny access to domain resources. For example, users who are members of the Enterprise Administrators group are, by default, granted permission to log on at any domain controller in the Active Directory forest. Administrators can audit actions performed by user or computer accounts. You add, disable, reset, or delete user and computer accounts using the Active Directory Users and Computers tool. This section covers the following topics:
• User Accounts
• Computer Accounts
• Security Principals
• Group Policy Applied to User and Computer Accounts

User Accounts
A user requires an Active Directory user account to log on to a computer or to a domain. The account establishes an identity for the user; the operating system then uses this identity to authenticate the user and to grant him or her authorization to access specific domain resources. User accounts can also be used as service accounts for some applications. That is, a service can be configured to log on (authenticate) as a user account, and it is then granted access to specific network resources through that user account.

Predefined User Accounts
Windows 2000 provides the following two predefined user accounts1:
• Administrator account
• Guest account

You can use these accounts to log on locally to a computer running Windows 2000 and to access resources on the local computer. These accounts are designed primarily for initial logon and configuration of a local computer. The Guest account is disabled and you must enable it explicitly if you want to allow unrestricted access to the computer. The Administrator account is the most

you create an individual user account for each user who will participate on your network. you can associate Group Policy configuration settings with three Active Directory containers— organizational units (OUs). Group Policy Applied to User and Computer Accounts In the Windows 2000 operating system environment. Then add each user account—including the Administrator and Guest accounts—to Window 2000 groups. you can grant security principals from the external domain access to resources in your forest. Security principals are directory objects that are automatically assigned SIDs when they are created. covered later) are referred to as security principals. and assign appropriate rights and permissions to each group. and they cannot be assigned computer accounts in Windows 2000 domains. domains. You cannot manually modify foreign security principals. a term that emphasizes the security that the operating system implements for these entities. which causes Active Directory to create a "foreign security principal" object for those security principals3. If you establish a trust relationship between a domain in your Windows 2000 forest and a Windows 2000 domain external to your forest. However. but you can see them in the Active Directory Users and Computers interface by enabling Advanced Features. Windows 2000 computer accounts provide a means for authenticating and auditing the computer's access to the network2 and its access to domain resources. add external security principals to a Windows 2000 group. Group Policy settings associated .powerful account because it is a member of the Administrators group by default. Computer Accounts Like user accounts. You can make foreign security principals members of domain local groups (covered later). Objects with SIDs can log on to the network and can then access domain resources. or sites. you can log on to a network and use Windows 98 and Windows 95 computers in Active Directory domains. To do so. 
Computers running Windows 98 and Windows 95 do not have the advanced security features of those running Windows 2000 and Windows NT. Security Principals Active Directory user and computer accounts (as well as groups. To enable the Windows 2000 user authentication and authorization features. This account must be protected with a strong password to avoid the potential for security breach to the computer. Each Windows 2000 computer to which you want to grant access to resources must have a unique computer account.

using the Active Directory Users and Computers tool. in any other domain in the forest. groups are created in domains. that is. Before you create groups. You can nest groups. A mixed-mode domain is . manage desktop appearance. Nesting groups makes it easier to manage users and can reduce network traffic caused by replication of group membership changes. Like user and computer accounts. manage applications. • Assign logon and logoff scripts to the user accounts in each organizational unit.with a given container either affect all users or computers in that container. and redirect folders from local computers to network locations. The system applies group policy to computers at boot time or to users when they log on. or in any Container class object (such as the default Users container). you can add a group as a member of another group (according to specified rules—see the section "Mode Governs Nesting Options"). (You can also set the group policy refresh interval policy for users or computers. see "For More Information. computers. in a mixed-mode network configuration. determine the number of domains you will have on your network and which of those domains (if any) are mixed-mode and which are native-mode: • Mixed-mode domain. Planning group strategies is an essential part of deploying Active Directory. You can use Group Policy to configure security options. and other groups. In Windows 2000.) Here are three examples of using group policy settings: • Set the minimum password length and the maximum length of time that a password remains valid for an entire domain. groups are Windows 2000 security principals. or they affect specified sets of objects within that container. they are directory objects to which SIDs are assigned at creation. the default refresh interval for both users and computers is 90 minutes. in any organizational unit. The Windows 2000 operating system installs." 
Top of page Active Directory Groups Groups are Active Directory (or local computer) objects that can contain users. You can create groups in the root domain. assign scripts. contacts. • Specify which applications are available to users when they log on. For detailed information about Group Policy. by default.

distribution groups are also briefly described to clarify the difference between the two group types. Important: Do not change from mixed to native mode if you have. The next two subsections describe the characteristics of security and distribution groups. and Special Groups Groups on Standalone Servers and Windows 2000 Professional Group Type: Security or Distribution Windows 2000 Server has two kinds of groups: • • Distribution groups Security groups Although this section is primarily about the role groups play in security.x clients. Domain Local.a networked set of computers running both Windows NT 4. Global. The following sections discuss the structure of groups and how you can use the various groups to help organize your network: • • • • • Group Type: Security or Distribution Group Scope: Local. (You can also have a mixed-mode domain running only Windows 2000 domain controllers. Both mixed-mode and native-mode domains can contain Windows NT 4. You use distribution groups with e-mail applications (such as Microsoft Exchange) to .) • Native-mode domain. Distribution Groups Distribution groups have only one function—to create e-mail distribution lists.0 and Windows 2000 domain controllers. Changing a domain from mixed mode to native mode is an irreversible operation. or Universal How Domain Mode Affects Groups Windows 2000 Built-in.0 backup domain controllers (BDCs) in the domain. any Windows NT 4. You can convert a domain to native mode when it contains only Windows 2000 Server domain controllers.0 member servers and Windows NT and Windows 9. or will have. Predefined.

keep the following general guidelines in mind: • Small organizations. you can also use security groups to send e-mail to all members of the group. Security Groups In the Windows 2000 operating system. You can add a contact to a security group. Distribution groups play no role in security (you do not assign permissions to distribution groups).send e-mail to the members of the group.) The token identifies the user. security groups are an essential component of the relationship between users and security. Security groups have two functions: • • To manage user and computer access to shared resources To filter Group Policy settings You collect users. and you cannot use them to filter Group Policy settings. The system uses the token to control access to securable objects and to control the ability of the user to perform various system-related operations on the local computer. computers. If you use an e-mail client that can use Active Directory for address book lookup. and other groups into a security group and then assign appropriate permissions to specific resources (such as file shares and printers) to the security group. and the privileges granted to the user and to the user's security groups. the user automatically gains the rights and permissions already assigned to that group. Windows 2000 creates an access token when a user logs on. As with a security group. and that contact is sent e-mail along with the other members of the group. or an e-mail system that uses Active Directory as its directory (such as Exchange 2000). you cannot assign rights and permissions to a contact. an access token is an object containing the security information for a logon session. (A process is software that is currently running. When implementing an administration strategy for security groups. you can add a contact to a distribution group so that the contact receives e-mail sent to the group. When you add a user to an existing group. 
Some small organizations with a Windows 2000 native-mode forest will choose to use security groups with Universal scope . Integral to understanding security groups is the concept of an access token. As explained in the Introduction. This simplifies administration by letting you assign permissions once to the group instead of multiple times to each individual user. the security groups to which the user belongs. and every process executed on behalf of the user has a copy of the token. However.

to manage all their group needs. scalability. Experience shows that using the approach described below will help you achieve maximum flexibility. a group that contains user accounts. that is. • Medium to large organizations. that is. • Some growing small organizations will choose to implement the Global/Local pattern used by larger organizations from the start. A local group can usually be thought of as a Resource group. • Put a global group into any domain local (or machine local) group in the forest (this is especially efficient when more than one domain is involved). two alternative strategies are available: • Use Universal groups initially and then convert to the Global/Local pattern (described next) recommended for medium to large organizations. For organizations that expect to grow. If this is the situation. use the guidelines for medium to large organizations. • Put users into security groups with global scope. • Put resources into security groups with domain local (or machine local) scope. . A global group can usually be thought of as an Accounts group. Using Account (global) groups and Resource (local) groups in the way described here lets you use groups to mirror your organization's functional structure. a large number of universal groups— especially where membership changes frequently—can cause a lot of replication traffic. a group to which you assign permissions to access a resource. • Assign permissions for accessing resources to the domain local (or machine local) groups that contain them. Because groups with universal scope (and their members) are listed in the global catalog database4. and ease of administration when managing security groups.

when you create a new group. Important: In the following discussion of group scope.• Delegate administration of groups to the appropriate manager or group leader. which exist in Windows 2000 to provide backward compatibility with Windows NT groups). you should put users only into global groups) from any trusted domain into a local or domain local group. you can place groups (or users—but. Understanding what these guidelines mean requires understanding the different kinds of group scope. remember that you assign permissions only to security groups (not to distribution groups). or Universal Both types of group—security and distribution—can have one of three scopes (four when you include local groups. You can establish trust between any two domains in any two forests. A group's scope determines the extent to which the group can be nested in other groups or referenced in DACLs on resources in the Active Directory domain or forest. Local groups are sometimes referred to as machine . Domain Local. Groups with Local Scope The local groups used in both Windows NT and Windows 2000 are precursors of and are in some ways similar to the domain local groups (described next) introduced in Windows 2000. If you have multiple forests. Group Scope: Local. explained in the next section. domain local and global groups exist in the Windows NT operating system (where they are called local groups and global groups). Global. typically. it is configured as a security group with global scope (in both mixed-mode and native-mode domains). The following subsections describe each type of group scope. Universal groups are new in Windows 2000. The four possible Windows 2000 group scopes are: • • • • Groups with local scope (also called local groups) Groups with domain local scope (also called domain local groups) Groups with global scope (also called global groups) Groups with universal scope (also called universal groups) With some minor differences. By default.

if you . Using Domain Local Groups Groups with domain local scope are designed to be used in DACLs on a domain's resources. (Note. that is. Local groups can have members from anywhere in the forest. from trusted domains in other forests. That is. • Permissions. to the printer permissions list. Local groups have the following features: • Mode. • Membership. • Permissions. domain local groups help you define and manage access to resources within a single domain. • Membership. it can be used to grant resource permissions on any Windows 2000 machine within the domain in which it exists (but not beyond its domain).local groups to contrast them with domain local groups. For example. Local groups are the only type of local group available in a Windows 2000 mixed-mode domain. that is. and from trusted down-level domains. and from trusted down-level domains. one at a time. you could add all five user accounts. to give five users access to a particular printer. domain local groups can have members from anywhere in the forest.) Groups with Domain Local Scope Domain local groups. In the case of Windows 2000 nativemode domains. a new feature of the Windows 2000 operating system. it can be used to grant resource permissions only on the machine on which it exists. A local group has only machine-wide scope. Like local groups. A domain local group has domain-wide scope. have the following features: • Mode. however. only Built-in groups have local scope. that local groups created on a domain controller are available on every domain controller in that domain and can be used to grant resource permissions on any domain controller in that domain. Later. Domain local groups are available only in native-mode (but not mixed-mode) domains. from trusted domains in other forests.

To do so. causing unnecessary network traffic. Put the five user accounts into a group with global scope (this is the Accounts group). not where the users are— which makes it in line with how administration is typically done. you would again have to specify all five accounts in the permissions list for the new printer. and you are done. Global groups can have members from within their own domain (only). perform the following steps: 1. Membership. (Global groups are described in the next subsection. it can be made a member of machine or domain . Doing so gives all five new members of the group access to the printer in one step. • Because a domain local group is associated with an access token built when a member of that group authenticates to a resource in that domain. you could take advantage of groups with domain local scope. you assigned a global group permission to access the printer. when you want to give another five users access to this printer. the global group can end up in a user's token anywhere in the forest. have the following features: • • Mode. effectively the same as Windows NT global groups. Or. (If. Using domain local groups in this way provides the following benefits: • Membership of the domain local group is controlled by the administrator(s) where the resource (the printer) is located.) Groups with Global Scope Global groups.wanted to give the same five users access to a new printer. 2.) Now. Create a group with domain local scope. you can simply add them to the global group that is a member of the domain local group which has permission to access the printer. • Permissions. Although a global group is limited to domain-wide scope as far as membership goes. and assign it permission to access the printer (this is the Resource group). Global groups exist in both mixed-mode and native-mode domains. unnecessary network traffic (carrying of membership information) is avoided. instead. and add this global group to the group having domain local scope.

That is, groups with global scope can be put into other groups in any trusting domain, including in domains in other forests with which a trust relationship exists.

Using Global Groups
Groups with global scope help you manage directory objects that require daily maintenance, such as user and computer accounts. Use global groups to collect users or computers that are in the same domain and share the same job, organizational role, or function. For example, "Full-time employees," "Managers," and "RAS Servers" are all possible global groups. Membership of these groups can be efficiently managed by administrators of user domains, because these administrators are familiar with the functions and roles played by users and computers in their domain. Because group members typically need to access the same resources, make these global groups members of domain local or machine local groups, which, in turn, are listed on the DACL of needed resources.

Groups with Universal Scope
Universal groups, a new feature of the Windows 2000 operating system, have the following features:
• Mode. Universal groups are available only in native-mode domains. (Universal groups can contain members from mixed-mode domains in the same forest, but this is not recommended. Members from such domains cannot have the universal group's SID added to their access token because universal groups are not available in mixed-mode domains. Therefore, troubleshooting access problems would be difficult.)
• Membership. Universal groups can have members from any Windows 2000 domain in the forest.
• Permissions. Universal groups can be granted permissions in any domain.

Using Universal Groups

A small organization can use universal groups to implement a relatively simple group structure. Although few organizations will choose to implement this level of complexity, these groups can help you represent and consolidate groups that span domains. For example, you might use universal groups to build groups that perform a common function across an enterprise. If you choose to use groups with universal scope in a multidomain environment, use them in situations where the membership of the group does not change frequently. The reasons for this approach are explained next.

Group Scope and Replication Traffic
Groups having universal scope, and all of their members, are listed in the global catalog. Groups having global or domain local scope are also listed in the global catalog, but their individual members are not listed. Using these groups thus reduces the size of the global catalog and reduces the replication traffic needed to keep the global catalog up-to-date. Whenever one member of a group with universal scope changes, the entire group membership must be replicated to all global catalogs in the domain tree or forest. Therefore, use groups with global or domain local scope if the group membership changes frequently. A useful guideline is to designate widely used groups that seldom change as universal groups. Therefore, if you use groups with universal scope, you can add user accounts to groups with global scope, nest these groups within groups having universal scope, and then make the universal group a member of a domain local (or machine local) group that has access permissions to resources. Using this strategy, any membership changes in the groups having global scope do not affect the groups with universal scope.

How Domain Mode Affects Groups
As explained above, a mixed-mode domain typically has one or more Windows NT Server 4.0 domain controllers in addition to Windows 2000 domain controllers. A native-mode domain can have only Windows 2000 Server domain controllers. Both mixed-mode and native-mode domains can include Windows NT 4.0 member servers and Windows NT and Windows 9.x clients; a native-mode domain, although it can have only Windows 2000 domain controllers, is no exception. Changing a domain from mixed mode to native mode is an irreversible operation. Important: Do not change from mixed to native mode if you have, or will have, any Windows NT 4.0 backup domain controllers (BDCs) in the domain.

Mode Determines Whether You Can Convert Group Types

In a native-mode domain, you can convert a security group to a distribution group and vice versa. You cannot convert either group to the other in a mixed-mode domain. A Windows NT domain controller cannot handle group type conversion because it sees only security-enabled groups.

Mode Affects Security and Distribution Groups Differently
Distribution groups are not affected by mode because distribution group membership is not enumerated at logon. If a process needs to know the composition of the group, it has to ask an Active Directory server, which, by definition, is a Windows 2000 domain controller. Whether a domain is native or mixed mode does affect the behavior of security groups. When a user logs on to a domain account, the user's security group membership is resolved on the domain controller that handles the logon. Thus, if a Windows NT 4.0 domain controller handles the logon, then it must be able to enumerate the members of the security groups to which the user belongs. Therefore, the behavior of security groups in a Windows 2000 domain running in mixed mode must match the behavior of security groups in Windows NT 4.0.

Mode Governs Nesting Options
Updates to the Active Directory store must be made in a single transaction. Because group memberships are stored in a single multi-valued attribute, a change to the membership requires that the whole attribute, that is, the whole membership list, be updated in a single transaction. Microsoft has tested and supports group memberships of up to 5,000 members. One consequence of this is that you should not create groups with more than 5,000 members. Windows 2000 lets you get around this limitation by nesting groups to increase the effective number of members. Nesting also lessens the amount of network traffic caused by replication of group membership changes. Available nesting options depend on whether the domain is in native mode or mixed mode. The following list describes what can be contained in a group that exists in a native-mode domain:
• Groups with universal scope can contain user accounts, computer accounts, other universal groups, and global groups from any trusted domain.
• Groups with global scope can contain user accounts from the same domain and other global groups from the same domain.

• Groups with domain local scope can contain user accounts, universal groups, and global groups from any trusted domain. They can also contain other domain local groups from within the same domain.
Security groups in a mixed-mode domain can contain only the following:
• Local groups can contain global groups and user accounts from trusted domains. (It is not recommended to put users directly into local groups; instead, put user accounts into global groups, put global groups into local groups, and then assign permissions to the local groups.)
• Global groups can contain only user accounts.

Changing to Native Mode Impacts Groups
When a Windows NT primary domain controller (PDC) is upgraded to Windows 2000 Active Directory, Windows NT local groups become Windows 2000 local groups and Windows NT global groups become Windows 2000 global groups. When a domain is converted to native mode, local groups become domain local groups. When a user is authenticated, an access token is created for the user containing his or her primary SID, together with the SIDs of any groups he or she belongs to. At the time the domain is switched to native mode, the SIDs of any domain local groups of which the user is a member are now added to the user's access token, because domain local groups have domain-wide scope. (Typically, put users into global groups, not into domain local groups, then put the global groups into domain local groups, and then assign access permissions to resources to the domain local groups.)

Windows 2000 Built-in, Predefined, and Special Groups
Windows 2000 provides three sets of default groups: Built-in, Predefined, and Special groups. These default groups are summarized in "Appendix A: Built-in, Predefined, and Special Groups".
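The scope and nesting rules above, together with the printer example under Using Domain Local Groups, as an added Python model. This is illustration code written for this page, not code from the white paper or from Windows: the domain names, group names and accounts are constructed, machine local groups are treated like domain local groups for nesting, and the "DACL" is simply the set of group names a resource allows.

```python
"""Windows 2000 group scopes, mode-dependent nesting rules and the
Accounts -> Global -> Domain Local -> Permissions pattern, as a small model.
Added illustration: a simplified model, not Microsoft's implementation."""
from dataclasses import dataclass, field

LOCAL, DOMAIN_LOCAL, GLOBAL, UNIVERSAL = "local", "domain local", "global", "universal"
MIXED, NATIVE = "mixed", "native"


@dataclass(frozen=True)
class Principal:
    """A user or computer account (constructed names, no real SIDs)."""
    name: str
    domain: str


@dataclass(eq=False)            # eq=False: groups are compared by identity
class Group:
    name: str
    domain: str
    scope: str
    members: list = field(default_factory=list)   # Principals and Groups


class NestingError(ValueError):
    pass


def check_nesting(container: Group, member, mode: str) -> None:
    """Raise NestingError unless 'member' may be added to 'container' under
    the nesting rules the white paper gives for the domain's mode."""
    is_account = isinstance(member, Principal)
    same_domain = member.domain == container.domain
    if mode == MIXED:
        if container.scope in (DOMAIN_LOCAL, UNIVERSAL):
            raise NestingError(f"{container.scope} groups exist only in native mode")
        if container.scope == LOCAL:          # global groups and accounts, any trusted domain
            ok = is_account or member.scope == GLOBAL
        else:                                  # GLOBAL: accounts from its own domain only
            ok = is_account and same_domain
    else:
        if container.scope == UNIVERSAL:
            ok = is_account or member.scope in (UNIVERSAL, GLOBAL)
        elif container.scope == GLOBAL:
            ok = same_domain and (is_account or member.scope == GLOBAL)
        else:                                  # DOMAIN_LOCAL (machine local treated alike)
            ok = (is_account or member.scope in (UNIVERSAL, GLOBAL)
                  or (member.scope == DOMAIN_LOCAL and same_domain))
    if not ok:
        what = "account" if is_account else f"{member.scope} group"
        raise NestingError(f"cannot nest {what} {member.name}@{member.domain} "
                           f"in {container.scope} group {container.name}")


def add_member(container: Group, member, mode: str) -> None:
    check_nesting(container, member, mode)
    container.members.append(member)


def token_groups(user: Principal, groups: list) -> set:
    """Names of every group whose SID would land in the user's access token:
    the transitive closure of membership over the nested groups."""
    found, frontier = set(), {user}
    while frontier:
        newly = {g for g in groups
                 if g.name not in found and any(m in frontier for m in g.members)}
        found |= {g.name for g in newly}
        frontier = newly
    return found


def has_access(user: Principal, groups: list, dacl: set) -> bool:
    """The resource's DACL names the groups it allows; access is granted when
    any group in the user's token is listed."""
    return bool(token_groups(user, groups) & dacl)


def demo() -> dict:
    """AGDLP for the printer example: accounts go in a global group, the global
    group in a domain local group, and only the domain local group is on the DACL."""
    alice = Principal("alice", "corp.example")
    bob = Principal("bob", "sales.example")        # a user in a second, trusted domain
    accounts = Group("PrinterUsers", "corp.example", GLOBAL)            # Accounts group
    resource = Group("HQ-Printer-Print", "corp.example", DOMAIN_LOCAL)  # Resource group
    add_member(accounts, alice, NATIVE)
    add_member(resource, accounts, NATIVE)
    dacl = {resource.name}
    groups = [accounts, resource]
    out = {"alice": has_access(alice, groups, dacl), "bob": has_access(bob, groups, dacl)}
    # Granting bob later: a global group only takes members from its own domain,
    # so bob gets a global group in sales.example, nested in the same resource group.
    try:
        add_member(accounts, bob, NATIVE)
    except NestingError:
        sales = Group("SalesPrinterUsers", "sales.example", GLOBAL)
        add_member(sales, bob, NATIVE)
        add_member(resource, sales, NATIVE)
        groups.append(sales)
    out["bob_after"] = has_access(bob, groups, dacl)
    return out
```

Running demo() shows the point of the pattern: the printer's DACL is never touched after it is created, and the only work of granting a user in another domain is nesting that domain's global group into the existing domain local group. check_nesting also rejects the two mistakes the text warns about, creating domain local or universal groups in a mixed-mode domain and putting a domain local group inside a universal one.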

Groups on Standalone Servers and Windows 2000 Professional
Universal groups, group nesting, and the distinction between security and distribution groups are available only on Active Directory domain controllers and Windows 2000 member servers. Group accounts on Windows 2000 Server stand-alone servers and on Windows 2000 Professional function as in Windows NT 4.0:
• The only groups you can create locally on a stand-alone server or Professional workstation are local groups.
• A local group created on a stand-alone server or Professional workstation can be assigned permissions only on that computer.
However, if you join a Windows 2000 Professional computer to a Windows 2000 domain, the workstation can display global groups and universal groups both from that domain and from all domains in the forest. You can assign permissions for the local computer to these groups or place them in the local computer groups.

User Authentication
User authentication confirms the identity of any user trying to log on to a domain or access network resources. Windows 2000 authentication enables single sign-on to all network resources. A user can log on to the domain once, using a single password or smart card, and can then access resources on any computer in the domain. For users, single sign-on provides quick and efficient access to resources. For administrators, single sign-on reduces the amount of support required for users because the administrator needs to manage only one account per user. Windows 2000 user authentication, including single sign-on, is implemented as a single, two-part process: interactive logon and network authentication. Successful user authentication depends on both parts of this process. The first two subsections briefly describe these two aspects of authentication. The third subsection describes authenticating external users:
• Interactive logon
• Network authentication
• Using certificates to authenticate external users
For detailed technical descriptions of Windows 2000 user authentication, see the Windows 2000 Resource Kit "Authentication" chapter listed in "For More Information."

Interactive Logon
Interactive logon (the first part of the single sign-on process) confirms the user's identity to the user's Active Directory domain account or local computer.

When a user walks up to the computer to start work, the user logs on, that is, presents credentials (domain or local) to the computer to gain access to its resources (monitor, keyboard, mouse, local disk, network access, and so on). This process differs depending on the type of user account:
• Domain account. With a domain account, a user logs on to the network (with a password or smart card) using single sign-on credentials stored in Active Directory. After logging on with a domain account, an authorized user can access resources in the domain and any trusting domains. Network authentication (described next) is transparent to users using a domain account.
  • If a password is used to log on to a Windows 2000 computer using a domain account in a Windows 2000 domain, Windows 2000 uses Kerberos version 5 (V5) for authentication. If a smart card is used instead of a password, Windows 2000 uses Kerberos V5 authentication with certificates.
  • If the authenticating domain controller is a Windows NT 4.0 domain controller or if the user's computer is a Windows NT 4.0 computer, then the authentication used is Windows NT LAN Manager (NTLM). (See the next section for more about Kerberos and NTLM.)
• Local account. With a local computer account, a user logs on to a local computer using credentials stored in that computer's Security Accounts Manager (SAM), which is the Windows 2000 local security account database. Any Windows 2000 computer that is not a domain controller can store local user accounts, but those accounts can be used for access only to that local computer.

Network Authentication
Network authentication (the second part of the single sign-on process) confirms the user's identity to any network service the user attempts to access. When using the domain account, the user's credentials are used for a single sign-on. Users using a local computer account, however, must provide credentials (such as a user name and password) each time they access a network resource. For network authentication, Windows 2000 uses one of the following industry-standard types of authentication:

• Kerberos V5 authentication. Kerberos V5, the default method of network authentication for services for computers running Windows 2000 server or client software, is the primary security protocol for authentication within Windows 2000 domains. Kerberos V5 authentication is used with either a password or a smart card for interactive logon. In Windows 2000, Kerberos replaces NTLM (see the next subsection) as the primary security protocol for access to resources within or across Windows 2000 Server domains. Based on Internet standard security, Kerberos provides fast, single logon to Windows 2000 Server-based resources, as well as to other environments that support this protocol. Except for entering a password or smart card credentials, the Kerberos authentication process is invisible to the user. The Kerberos V5 authentication mechanism issues tickets for accessing network services. A ticket, issued by a domain controller, is a set of identification data for authenticating a security principal. Tickets contain encrypted data (including an encrypted password) that confirms the user's identity to the requested service. The Kerberos V5 protocol verifies both the identity of users and of network services. This dual verification, called mutual authentication, takes place between a client and server: the server verifies the client's identity, and the client verifies the server's identity. For a detailed technical description of Windows 2000 and Kerberos (and for some information about NTLM), see the link to the "Windows 2000 Kerberos Authentication" white paper listed in "For More Information."
• Windows NT LAN Manager (NTLM) authentication. NTLM authentication also provides network authentication within Windows 2000 domains. If any computer involved in a transaction does not support Kerberos V5, the system uses the NTLM protocol. NTLM is used as the authentication protocol for transactions between two computers in a domain, where one or both computers is running Windows NT 4.0 or earlier.

(Recall that by default, Windows 2000 is installed in a mixed-mode network configuration, that is, a configuration that uses any combination of Windows NT 4.0 and Windows 2000, as well as Windows NT Workstation 4.0.) NTLM is used when either the client or server uses an earlier version of Windows. That is, computers with Windows 3.x, Windows 95/98, and Windows NT Workstation 4.0 use the NTLM protocol for authentication in Windows 2000 domains. NTLM is also the authentication protocol for computers not participating in a domain, such as standalone servers and workgroups.
• Secure Sockets Layer/Transport Layer Security (SSL/TLS) authentication. SSL/TLS provides authentication when a user attempts to access a secure Web server. SSL/TLS consists of four operations:
  • Handshake and cipher suite negotiations. Client and server contact each other and choose a common cipher suite. The suite includes a method for exchanging the shared secret key, a method for encrypting data, and a Message Authentication Code (MAC) specifying how application data will be hashed and signed to prove integrity.
  • Key exchange. After choosing a cipher suite, the client and server exchange a key, or the precursors with which to create a key, that they will use for data encrypting (again, depending on the negotiated cipher suite's requirements).
  • User identity authentication. The server always authenticates its identity to the client. However, whether the client needs to authenticate with the server depends on the application. The exact authentication method (primarily, which digital certificate format will be used) depends on the negotiated cipher suite.
  • Application data exchange. The client application and the server application communicate with each other. All data is encrypted using the negotiated bulk encryption method.
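The Kerberos V5 ticket flow and mutual authentication described under Network Authentication above, as an added Python model. This is illustration code written for this page, not code from the white paper or from Windows: the KDC, the "cifs/fs1" service, the user alice and all passwords are constructed, and seal()/unseal() are a toy SHA-256/HMAC construction standing in for the real Kerberos encryption types, not a cipher to reuse.

```python
"""The Kerberos V5 exchanges described above as a small model: AS exchange at
logon (TGT), TGS exchange for a service ticket, AP exchange where the client
proves itself and the server proves itself back (mutual authentication).
Added illustration with constructed principals, not Microsoft's code; seal()
and unseal() are a toy SHA-256/HMAC construction, not a real cipher."""
import hashlib, hmac, json, os, time


def kdf(password: str) -> bytes:
    """Long-term key derived from a principal's password (toy derivation)."""
    return hashlib.sha256(password.encode()).digest()


def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))


def seal(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption: nonce || (json XOR keystream) || HMAC tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))


class KDC:
    """Domain controller: holds every principal's key; TGTs are sealed under 'krbtgt'."""
    def __init__(self, passwords: dict, lifetime: int = 600):
        self.keys = {p: kdf(pw) for p, pw in passwords.items()}
        self.lifetime = lifetime

    def as_exchange(self, client: str):
        """AS-REQ/AS-REP: a TGT, plus its session key sealed under the client's own key."""
        skey = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"],
                   {"client": client, "key": skey, "exp": time.time() + self.lifetime})
        return tgt, seal(self.keys[client], {"key": skey})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """TGS-REQ/TGS-REP: check TGT and authenticator, issue a service ticket."""
        t = unseal(self.keys["krbtgt"], tgt)
        if t["exp"] < time.time():
            raise ValueError("TGT expired")
        tkey = bytes.fromhex(t["key"])
        if unseal(tkey, authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        svc = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"client": t["client"], "key": svc, "exp": time.time() + self.lifetime})
        return ticket, seal(tkey, {"key": svc, "service": service})


class Service:
    def __init__(self, name: str, password: str):
        self.name, self.key = name, kdf(password)

    def ap_request(self, ticket: bytes, authenticator: bytes) -> bytes:
        """AP-REQ: open the ticket with our own key, check the authenticator.
        AP-REP: echo the client's timestamp under the session key, which only a
        server that could read the ticket can do (server half of mutual auth)."""
        t = unseal(self.key, ticket)
        if t["exp"] < time.time():
            raise ValueError("service ticket expired")
        skey = bytes.fromhex(t["key"])
        a = unseal(skey, authenticator)
        if a["client"] != t["client"] or abs(time.time() - a["ts"]) > 300:
            raise ValueError("bad authenticator: wrong client, replay or clock skew")
        return seal(skey, {"ts": a["ts"]})


class Client:
    def __init__(self, name: str, password: str, kdc: KDC):
        self.name, self.key, self.kdc = name, kdf(password), kdc

    def logon(self) -> None:
        """Interactive logon: one AS exchange; the TGT is reused afterwards (single sign-on)."""
        self.tgt, rep = self.kdc.as_exchange(self.name)
        self.tkey = bytes.fromhex(unseal(self.key, rep)["key"])  # wrong password: ValueError

    def connect(self, service: Service) -> bool:
        """Network authentication to one service, verifying the AP-REP (client half)."""
        auth = seal(self.tkey, {"client": self.name, "ts": time.time()})
        ticket, rep = self.kdc.tgs_exchange(self.tgt, auth, service.name)
        skey = bytes.fromhex(unseal(self.tkey, rep)["key"])
        ts = time.time()
        ap_rep = service.ap_request(ticket, seal(skey, {"client": self.name, "ts": ts}))
        if unseal(skey, ap_rep)["ts"] != ts:
            raise ValueError("server failed mutual authentication")
        return True


def demo() -> dict:
    """Constructed domain: a KDC, the file service cifs/fs1 and user alice."""
    kdc = KDC({"krbtgt": "kdc-secret", "alice": "alice-pw", "cifs/fs1": "fs1-pw"})
    alice = Client("alice", "alice-pw", kdc)
    alice.logon()
    out = {"mutual_auth": alice.connect(Service("cifs/fs1", "fs1-pw"))}
    attempts = {"rogue_server_rejected": lambda: alice.connect(Service("cifs/fs1", "guess")),
                "wrong_password_rejected": lambda: Client("alice", "bad-pw", kdc).logon()}
    for label, attempt in attempts.items():
        try:
            attempt()
            out[label] = False
        except ValueError:
            out[label] = True
    return out
```

Two things the model makes visible that the prose only states: the client's password never leaves the client (it only ever decrypts the AS reply, so a wrong password fails locally), and the server never sees the password either; it authenticates the client by opening a ticket only the KDC could have sealed under the service's key, and proves itself by echoing the authenticator's timestamp under the session key inside that ticket.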

Using Certificates to Authenticate External Users
Organizations must often support authentication of external users, individuals who do not have an account in Active Directory. Examples of when you may want to provide external users with secure access to specific data within the enterprise include corporate partners who need extranet access, a department that needs access to another department's intranet pages, or part of the public to whom you may want to provide selective access. Active Directory supports external user authentication. To authenticate external users, you must do the following:
• Use a certificate. The external user must have a certificate. A certificate is a file used for authentication and secure exchange of data on nonsecured networks, such as the Internet. A certificate securely binds a public key to the entity (here, the individual) that holds the corresponding private key. Certificates are digitally signed by the issuing certification authority (CA) and can be managed for a user, a computer, or a service. The external user's certificate must be issued by a CA that is listed in the certificate trust list for (or trusted by) the Active Directory site, domain, or organizational unit in which you have created the user account.
• Create a user account. You must establish a user account (for use by one or more external users).
• Map the certificate to the account. You must create a name mapping between the external user certificate and the Active Directory account you have created for authenticated access. Any external user whose client program presents a mapped certificate can then access the permitted locations published on the appropriate Web site for your organization. The authentication process is transparent to the external user.

User Authorization
Besides confirming the identity of anyone attempting to access the network (user authentication, described in the preceding section), a good security system also protects specific resources, such as payroll data, from access by inappropriate users. Active Directory secures resources from unauthorized access.

From the standpoint of the user, controlling access to resources, or objects, on the network is called user authorization. From the standpoint of the object being protected, it is called object-based access control. Once a user account has received authentication and can potentially access an object, the type of access granted is determined by either the user rights that are assigned to the group (or user) or the access control permissions that are attached to the object. This section covers these topics in the following subsections:
• User rights: Assigned to groups
• Access control permissions: Attached to objects

User Rights: Assigned to Groups
As an administrator, you can assign specific user rights to group accounts or to individual user accounts. Although user rights can apply to individual user accounts, to simplify the task of account administration, user rights are best administered on a group account basis. It is easier to assign the set of user rights once to the group, rather than repeatedly assigning the same set of user rights to each individual user account. To remove rights from a user, you remove the user from the group. You can think of them as user or group rights, rather than as simply user rights, because typically you assign rights to a group rather than to an individual user. User rights are different from permissions (described next) because user rights apply to user accounts, whereas permissions are attached to objects. There are two types of user rights:
• Privileges. For example, the right to perform a backup.
• Logon rights. For example, the right to log on locally.
Note: Strictly speaking, logon rights, which refer to the local computer, do not belong in a discussion of Active Directory. They are included here briefly for clarity, because they are one type of user right. The other type of user right (privileges) can override permissions assigned to Active Directory objects and is thus integral to this discussion.
Certain privileges can override permissions set on an object. For example, a user logged on to a domain account as a member of the Backup Operators group has the right to perform backup operations for all domain servers. This requires the ability to read all files on those servers, even files on which their owners have set permissions that explicitly deny access to all users, including members of the Backup Operators group. A user right, in this case the right to back up files and directories, takes precedence over all file and directory permissions.

For a complete list of user rights (both privileges and logon rights), see "Appendix B: User Rights."

Access Control Permissions: Attached to Objects
Access control is the process of assigning permissions to access Active Directory objects. For Active Directory objects, in addition to controlling access to a specific object, you can also control access to a specific attribute of that object. For example, you can grant a user access to a subset of information, such as employees' names and phone numbers, but not grant access to the employees' home addresses. You can assign permissions for objects to the following:
• Groups, users, and special identities in the domain
• Groups and users in that domain and any trusted domains
• Local groups and users on the computer where the object resides
Understanding access control permissions requires understanding the following interrelated concepts:
• Security descriptors
• Object ownership
• Object auditing
• Object permissions and inheritance
Each of these topics is covered in the next subsections.

Security Descriptors
Windows 2000 implements access control by allowing administrators or owners of objects to assign security descriptors to objects stored in Active Directory (or to other types of objects). A security descriptor is a set of information attached to an object (such as a file, printer, or service) that specifies the permissions granted to different groups (or users), as well as the security events to be audited. For example, for the file temp.dat, you might grant Read, Write, and Delete permissions to the Administrators group, but assign only Read and Write permissions to the Operators group.

Each security descriptor for an object in Windows 2000 contains four security components:
• Owner. By default, the owner is the creator of the object, except for objects created by an administrator, in which case "Administrators" is the owner.
• Group (for POSIX). The Group component is for POSIX compliance and is associated with the "primary group" set in individual user objects in User Manager. (POSIX is based on the UNIX operating system, but it can be implemented by other operating systems.)
• Discretionary Access Control List (DACL). As explained in the Introduction, the DACL (often referred to as ACL) is a list of specific groups, user accounts, and computers that are allowed or denied access to an object. To change a DACL, a permission called WRITE_DAC is required.
• System Access Control List (SACL). As explained in the Introduction, the SACL specifies which events are to be audited for which user or group. Examples of events you can audit are file access, logon attempts, and system shutdowns. To read or change the SACL, the SeSecurityPrivilege is required.
Each assignment of permissions to a group (or user) is known as a permission entry or access control entry (ACE). An ACE is an entry in an access control list (DACL or SACL). The entry contains a SID and a set of access rights. A process (running on behalf of a user) with the user's access token that has a matching security ID is either allowed access rights, denied rights, or allowed rights with auditing. The entire set of permission entries in a security descriptor is known as a permission set. Thus, for the file temp.dat in the example above, the permission set includes two permission entries: one for the Administrators group and one for the Operators group.
Permissions can be applied to any object in Active Directory or on a local computer. Because the Active Directory security model associates a DACL and SACL with each of its containers, objects, and object attributes, administrators can protect their network from intentional hostile acts by attackers and inadvertent mistakes by users, but it is important to understand that, for simplicity of administration, the majority of permissions should be applied to groups, rather than to individual users.

Object Ownership
Every Active Directory object has an owner. Windows 2000 assigns an owner to an object when the object is created. By default, the owner is the creator of the object. The owner controls how permissions are set for that object and to whom permissions are granted; that is, the object's owner implicitly has the WRITE_DAC permission. Administrators create and own most objects in Active Directory and on network servers (when installing programs on the server). Users create and own data files in their home directories, and some data files on network servers. Users may also own objects that they have been allowed to create by way of delegation of administration; for example, users may own computer objects that they join to the domain. Object ownership can be transferred in the following ways:
• The current owner can grant the Take Ownership permission to other users, allowing those users to take ownership at any time.
• An administrator can take ownership of any object under his or her administrative control by using the Take Ownership privilege that administrators possess on computers they control. For example, if an employee leaves the company, the administrator can take control of the employee's files.

Object Auditing
Windows 2000 lets you audit users' attempts to access specific objects in Active Directory. You can then view these security-related events in the security log with the Event Viewer.

Object Permissions and Inheritance
Object permissions, also called access rights, define the type of access granted to a group (or user) for an object or object property. The permissions you can attach to an object vary with the type of object. The following permissions, however, are common to all types of objects:
• Read permissions

• Modify permissions
• Change owner
• Delete
Two types of permissions exist:
• Explicit permissions. Explicit permissions are attached directly to an object, either when the object is created or by user action. For example, if you create a folder called Programs, the permissions attached to this folder are explicit permissions.
• Inherited permissions. Inherited permissions are propagated to an object from a parent object. By default, objects within a container inherit the permissions from that container when the objects are created. Inherited permissions ensure consistency of permissions among all objects within a given container, which eases the task of managing permissions. For example, after you create the Programs folder, all subfolders and files subsequently created within the Programs folder automatically inherit the permissions from that folder. Thus, the Programs folder has explicit permissions, while all subfolders and files within it have inherited permissions.
For Active Directory objects, two types of granularity exist:
• Object-type permissions. Object-type permissions define the types of objects (for example, an Active Directory object or a printer object) that a user or group is allowed to create or delete.
• Per-property permissions. In addition, to provide more precise access control, Windows 2000 also supports per-property permissions. You can control not only who can see an Active Directory object, but also who has, for example, Read or Write access to specific object properties. Permissions for a single property are the finest level of granularity you can set.
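The security descriptor, DACL walk, SACL, ownership, inheritance and privilege override described in the subsections above, as one added Python model of the access check. This is illustration code written for this page, not Microsoft's AccessCheck code: the SIDs are constructed, READ and WRITE stand in for an object type's specific read/write bits (the standard-rights values are the real Windows ones), and the temp.dat and Programs example follows the text.

```python
"""A Windows 2000 security descriptor and the access check it drives, as a
small model: owner, POSIX group, DACL of allow/deny ACEs walked in order,
SACL of audit ACEs, inheritance from a parent container, the owner's implicit
WRITE_DAC, and a privilege (SeBackupPrivilege) that overrides the DACL.
Added illustration with constructed SIDs; not Microsoft's AccessCheck code."""
from dataclasses import dataclass, field

# Access-mask bits (the standard-rights values are the real Windows ones;
# READ and WRITE stand in for an object's specific read/write bits)
READ, WRITE = 0x1, 0x2
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER = 0x10000, 0x20000, 0x40000, 0x80000


@dataclass(frozen=True)
class ACE:
    kind: str                # "allow", "deny", "audit_success" or "audit_failure"
    sid: str
    mask: int
    inherit: bool = False    # propagate to objects created inside this container
    inherited: bool = False  # this copy came from a parent (INHERITED_ACE)


@dataclass
class SecurityDescriptor:
    owner: str
    group: str                                   # POSIX-compatibility primary group
    dacl: list = field(default_factory=list)     # ordered; denies conventionally first
    sacl: list = field(default_factory=list)


@dataclass(frozen=True)
class Token:
    sids: frozenset                              # user SID plus group SIDs
    privileges: frozenset = frozenset()


def access_check(sd: SecurityDescriptor, token: Token, desired: int) -> bool:
    """Grant when every desired bit is satisfied. Privileges and ownership are
    honoured first; then the DACL is walked in order, and a deny ACE that
    matches the token and covers any still-outstanding bit refuses access."""
    remaining = desired
    if sd.owner in token.sids:                   # owner can always read/rewrite the DACL
        remaining &= ~(READ_CONTROL | WRITE_DAC)
    if "SeBackupPrivilege" in token.privileges:  # backup right beats explicit denies
        remaining &= ~(READ | READ_CONTROL)
    if "SeTakeOwnershipPrivilege" in token.privileges:
        remaining &= ~WRITE_OWNER
    for ace in sd.dacl:
        if remaining == 0:
            break
        if ace.sid not in token.sids:
            continue
        if ace.kind == "deny" and ace.mask & remaining:
            return False
        if ace.kind == "allow":
            remaining &= ~ace.mask
    return remaining == 0


def audit_hits(sd: SecurityDescriptor, token: Token, desired: int, granted: bool) -> list:
    """SIDs of SACL entries that fire for this attempt (success or failure audit)."""
    kind = "audit_success" if granted else "audit_failure"
    return [a.sid for a in sd.sacl
            if a.kind == kind and a.sid in token.sids and a.mask & desired]


def inherit(parent: SecurityDescriptor, creator: str) -> SecurityDescriptor:
    """Descriptor for a new object created inside 'parent': the creator becomes
    owner, inheritable ACEs are copied down and flagged as inherited."""
    def down(a: ACE) -> ACE:
        return ACE(a.kind, a.sid, a.mask, inherit=True, inherited=True)
    return SecurityDescriptor(creator, parent.group,
                              [down(a) for a in parent.dacl if a.inherit],
                              [down(a) for a in parent.sacl if a.inherit])


def demo() -> dict:
    # Constructed SIDs: Administrators, an Operators group, user bob, Backup Operators
    admins, operators = "S-1-5-32-544", "S-1-5-21-1-1-1-1105"
    bob, backup_ops = "S-1-5-21-1-1-1-1201", "S-1-5-32-551"
    programs = SecurityDescriptor(owner=admins, group=admins, dacl=[
        ACE("deny", bob, WRITE, inherit=True),                      # explicit deny first
        ACE("allow", admins, READ | WRITE | DELETE, inherit=True),
        ACE("allow", operators, READ | WRITE, inherit=True)],
        sacl=[ACE("audit_failure", operators, WRITE, inherit=True)])
    temp_dat = inherit(programs, creator=operators)   # temp.dat created by an Operator
    operator = Token(frozenset({operators}))
    bob_tok = Token(frozenset({bob, operators}))      # an Operator, but explicitly denied WRITE
    backup = Token(frozenset({backup_ops}), frozenset({"SeBackupPrivilege"}))
    bob_write = access_check(temp_dat, bob_tok, WRITE)
    return {
        "operator_read_write": access_check(temp_dat, operator, READ | WRITE),
        "operator_delete": access_check(temp_dat, operator, DELETE),
        "owner_write_dac": access_check(temp_dat, operator, WRITE_DAC),
        "bob_read": access_check(temp_dat, bob_tok, READ),
        "bob_write": bob_write,
        "bob_write_audited": audit_hits(temp_dat, bob_tok, WRITE, bob_write),
        "backup_reads_despite_dacl": access_check(temp_dat, backup, READ),
        "all_inherited": all(a.inherited for a in temp_dat.dacl + temp_dat.sacl),
    }
```

Two behaviours worth noticing in demo(): bob is denied WRITE even though a group he belongs to is allowed it, because the deny ACE is met first and the walk stops at the first deny covering an outstanding bit, which is why ACE ordering matters; and the Backup Operators token reads the file although no ACE names it, because the privilege is honoured before the DACL is consulted, which is the override the User Rights subsection describes.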

Object Managers, Object Types, and Tools
Each type of object is controlled by an object manager and is managed using a specific tool. For example, to change the permissions on an Active Directory object, you use the Active Directory Users and Computers tool. The following table shows each type of object, its object manager, and its management tool:

Object Manager       Object Type                Management Tool
Active Directory     Active Directory objects   Active Directory Users and Computers
NTFS                 Files and folders          Windows Explorer
Server service       Shares                     Windows Explorer
Print spooler        Printers                   Start menu, then select Settings, then Printers
Service controllers  Services                   Security Templates, Security Configuration and Analysis
The registry         Registry keys              regedt32 command

A non-Active Directory object can also be represented by an Active Directory object by publishing it in the Active Directory. For example, you can publish a print queue in Active Directory and give only a certain group of users permission to find the queue in the directory. However, the DACL on the print queue object in Active Directory controls only who can read/write the print queue object in the directory; it does not imply anything about access to the actual print queue resource on the print server. (For more about object publishing, see the link to "Active Directory Architecture" in "For More Information".)

Summary
Active Directory works with the Windows 2000 security subsystem to ensure that only authenticated users and computers can log on to the network and that each network resource is available only to authorized users or groups. The Windows 2000 operating system automatically assigns SIDs to Active Directory security principals (user and computer accounts as well as groups) when they are created. Objects with SIDs can log on to the network and can be given or denied access to domain resources.

Active Directory groups can contain users, computers, contacts, and other groups. Windows 2000 has two group types. You use security groups to manage user, group, and computer access to shared resources and to filter Group Policy settings. You use distribution groups to create e-mail distribution lists. Both security and distribution groups can have either local, domain local, global, or universal scope. Each kind of scope differs in mode, membership, and permissions. You can make use of this flexibility to build a group structure that fits the size and organizational requirements of your business. Before you create groups, you must first determine the number of domains you will have on your network and which of those domains are native-mode and which (if any) are mixed-mode.
Windows 2000 user authentication is implemented as a two-part process: interactive logon, which confirms the user's identity to the domain or to the local computer, and network authentication, which confirms the user's identity to a network service when the user attempts to access it. Windows 2000 interactive logon provides the user access to multiple applications and services with a single sign-on, and its network authentication supports multiple authentication protocols. After a user account is authenticated, the type of access granted to the user to specific network objects is determined by user rights, which are assigned to group (or user) accounts, and access control permissions, which are attached to objects. Together, user authentication and user authorization provide a strong, easy to administer security system for your network.

For More Information
For the latest information on Windows 2000 Server and Active Directory, check out the web site at http://www.microsoft.com/windows2000/technologies/directory/ad/default.asp. In addition, you can look at the following links for more information:
Active Directory Architecture white paper: Active Directory structure, including objects, organizational units, domains, trees, forests, trusts, and sites.
Windows 2000 Group Policy white paper: Details of Windows 2000 group policy.
Microsoft Security Advisor Website: Security information.
Secure Networking Using Windows 2000 Distributed Security Services white paper: Integration of Active Directory and Windows 2000 distributed security.

Windows 2000 Kerberos Authentication white paper: Information about Kerberos (and some about NTLM).
See also the "Authentication," "Access Control," and "User Rights" chapters in the Windows 2000 Resource Kit. The Windows 2000 Resource Kit is scheduled to be published by Microsoft Press in the first half of the year 2000. The Resource Kit is also located on the Windows 2000 Server and Advanced Server CDs as part of Support Tools.

Appendix A: Built-in, Predefined, and Special Groups
Windows 2000 provides the following types of default groups:

Built-in groups
  Name: Account Operators, Administrators, Backup Operators, Guests, Print Operators, Replicator, Server Operators, Users
  Scope: Domain local
  Located in: Active Directory Users & Computers tool's Builtin folder
  Purpose: You use built-in groups to assign default sets of permissions to users who you want to have all or partial administrative control in that domain. For example, Backup Operators can back up and restore files and folders.

Predefined groups
  Name: Cert Publishers, Domain Admins, Domain Computers, Domain Controllers, Domain Guests, Domain Users, Enterprise Admins, Group Policy Admins, Schema Admins
  Scope: Global
  Located in: Active Directory Users & Computers tool's Users folder
  Purpose: You use predefined groups to collect users in this domain into Global groups, and then you place the Global group into Domain local groups in this and other domains. For example, because all users are automatically added to the Domain Users group, you can either assign permissions to a printer to the Domain Users group or you can put the Domain Users group into a Domain local group that has permissions for the printer. For example.

or computer) during Access Check. Network users (users currently accessing a given network resource. Service (service accounts used by the service controller to start services under specific accounts become a member of this group). a user becomes a member of this group when the user does a network logon to a machine).printer. depending on circumstances.) Windows 2000 uses special identities to represent different users at different times. this wildcard SID lets users and computers have access to their own objects. Although you do not see special identities when administering groups and cannot place special identities into groups. and lets members of a group have permissions to the group). group. Principal Self (special identity that is replaced by the SID of the security principal object (user. you can assign rights and permissions to resources to special identities. n/a (Not viewable when you administer groups. . a user becomes a member of this group when the user does an interactive logon to a machine). Interactive users (users currently accessing a resource on the local computer. Special identity groups: Everyone (all current network users). Authenticated users (users who authenticate to one of the trusted domains).

see the "User Rights" chapter in the Windows 2000 Resource Kit. For a detailed description of each of the privileges and logon rights listed below.Creator/Owner (special identity that is replaced by the Owner SID in the object's security descriptor. this wildcard SID lets the owner of the object automatically have specific access to the object.) Top of page Appendix B: User Rights User rights are privileges and logon rights. You manage both types with the User Rights policy. The following list shows the privileges that can be assigned to a user or group: • • • • • • • • • • • • • • Act as Part of the Operating System Add Workstations to a Domain Back Up Files and Directories Bypass Traverse Checking Change the System Time Create a Token Object Create Permanent Shared Objects Create a Pagefile Debug Programs Enable Trusted for Delegation on User and Computer Accounts Force Shutdown from a Remote System Generate Security Audits Increase Quotas Increase Scheduling Priority .

and these processes require a complete set of user rights.• • • • • • • • • • • Load and Unload Device Drivers Lock Pages in Memory Manage Auditing and Security Log Modify Firmware Environment Values Profile a Single Process Profile System Performance Replace a Process-Level Token Restore Files and Directories Shut Down the System Take Ownership of Files or Other Objects Unlock a Laptop The following list shows the logon rights that can be assigned to a user or group: • • • • • • • • Access This Computer from Network Log On Locally Log On as a Batch Job Log On as a Service Deny Access to This Computer from the Network Deny Logon as a Batch Job Deny Logon as a Service Deny Local Logon The special user account LocalSystem has almost all privileges and logon rights assigned to it. 02/00 . because all processes that are running as part of the operating system are associated with this account.

Top of page 1 Some special purpose user accounts used by specific system services also exist (such as IUSR_Servername. in this case. 4 The Windows 2000 operating system's global catalog is a database kept on one or more domain controllers. the security identifier (SID) of the user is added to the DACL and. 2 When a computer accesses the network. which is a built-in account for anonymous access to IIS). and domain controller security accounts are stored in Active Directory . In Windows NT 4. but these special user accounts are not under consideration in this paper. Note that putting individual users onto DACLs is not recommended.0. both local and domain security principals are stored by SAM in the registry. this means that system services running on the computer in the LocalSystem context are accessing the network resources. workstation security accounts are stored by SAM in the local computer registry. In Windows 2000. The global catalog plays major roles in logging on users (in a native-mode domain only) and in querying. no foreign security principal object is created. 5 SAM is a protected subsystem of Windows NT and Windows 2000 that maintains the security accounts management database and provides an API for accessing the database. 3 If you place an external group (or user) directly into a Discretionary Access Control Lists (DACLs).
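The access check that Appendix A describes, with nested group membership, the Creator/Owner and Principal Self wildcard SIDs, and an explicit deny on a DACL, as an added model that is not part of the white paper. The special identity SIDs and the 512/513 RIDs are the real well-known values; the domain SID, the three users, the domain local group and the print queue DACL are constructed for the example.

```python
from collections import namedtuple
# Well-known SIDs of the special identities in Appendix A (real values) and
# simplified access-mask bits for this example.
EVERYONE, AUTHENTICATED_USERS = "S-1-1-0", "S-1-5-11"
CREATOR_OWNER, PRINCIPAL_SELF = "S-1-3-0", "S-1-5-10"
READ, WRITE = 0x1, 0x2
# Constructed domain: RIDs 512/513 are the real Domain Admins/Domain Users RIDs;
# the users and the domain local group are made up for this example.
DOM = "S-1-5-21-1000-2000-3000"
ALICE, BOB, CAROL = DOM + "-1105", DOM + "-1106", DOM + "-1107"
DOMAIN_ADMINS, DOMAIN_USERS, PRINT_USERS_DL = DOM + "-512", DOM + "-513", DOM + "-1201"
# group SID -> member SIDs; the global Domain Users group is nested in the domain
# local group that carries the permission, as the paper recommends.
MEMBERS = {DOMAIN_USERS: {ALICE, BOB, CAROL}, DOMAIN_ADMINS: {CAROL},
           PRINT_USERS_DL: {DOMAIN_USERS}}

Ace = namedtuple("Ace", "allow trustee rights")  # allow: True=allowed, False=denied
SecurityDescriptor = namedtuple("SecurityDescriptor", "owner dacl")  # dacl None = no DACL
# Print queue object owned by Carol, ACEs in canonical order (explicit deny first).
# Bob's per-user deny only exercises the deny path; granting goes through the group.
PRINT_QUEUE = SecurityDescriptor(CAROL, [Ace(False, BOB, READ), Ace(True, PRINT_USERS_DL, READ),
                                         Ace(True, CREATOR_OWNER, READ | WRITE)])

def token_sids(principal):
    """The principal, Everyone, Authenticated Users and every group reached through nesting."""
    sids, todo = {principal, EVERYONE, AUTHENTICATED_USERS}, [principal]
    while todo:
        sid = todo.pop()
        for group, members in MEMBERS.items():
            if sid in members and group not in sids:
                sids.add(group)
                todo.append(group)
    return sids

def access_check(sd, principal, desired, object_sid=None):
    """Walk the DACL in order. Creator/Owner is replaced by the object's owner SID, Principal
    Self by the SID of the security principal object being accessed (object_sid)."""
    if sd.dacl is None:
        return True  # an object with no DACL is unprotected
    token, remaining = token_sids(principal), desired
    for ace in sd.dacl:
        trustee = {CREATOR_OWNER: sd.owner, PRINCIPAL_SELF: object_sid}.get(ace.trustee, ace.trustee)
        if trustee not in token:
            continue
        if not ace.allow and ace.rights & remaining:
            return False  # a matching deny ends the check
        if ace.allow:
            remaining &= ~ace.rights
            if remaining == 0:
                return True
    return False  # a requested right was never granted
```

Alice reads the queue only because Domain Users is nested in the domain local group, Carol writes it only because Creator/Owner resolves to her SID, and Bob is stopped by the deny ACE before any allow is considered.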
