

2) Windows 2k - IIS 5 and Windows 2k3 - IIS 6


3) Windows 2k - IE 5 and Windows 2k3 - IE 6
4) Terminal services are enhanced in win2k3
5) Windows 2k doesn't have a 64-bit version
6) DNS stub zones were introduced in win2k3.
7) Shadow copying was introduced.
8) Schema version has changed from ver.13 to ver.30.
9) In Win 2000 server we can apply 620 group policies but in 2003 we can apply nearly 720.
10) In 2000 we cannot rename a domain whereas in 2003 we can rename a domain.
11) 2000 supports 8 processors and 64 GB RAM (in 2000 Advanced Server) whereas 2003 supports up to 64
processors and a max of 512 GB RAM.
12) 2000 supports IIS 5.0 and 2003 supports IIS 6.0
13) 2000 doesn't support .NET whereas 2003 supports Microsoft .NET 2.0
14) 2000 has Server and Advanced Server editions whereas 2003 has Standard, Enterprise, Datacenter and Web
Server editions.
15) 2000 doesn't have any 64-bit server operating system whereas 2003 has 64-bit server operating systems
(Windows Server 2003 x64 Standard and Enterprise Edition)
16) 2000 has the basic concept of DFS (Distributed File System) with defined roots whereas 2003 has enhanced
DFS support with multiple roots.
17) In 2000 we can create 1 million users and in 2003 we can create 1 billion users.
18) In 2003 we have the concept of the Volume Shadow Copy Service, which is used to create hard disk snapshots
used in disaster recovery; 2000 doesn't have this service.

Volume shadow copies, a new Windows Server 2003 feature, are used to create copies of files at a specific
point in time, or set time interval. Shadow copies can only be created on NTFS volumes to create automatic
backups of files or data per volume. When enabled, the Shadow copies feature protects you from accidentally
losing important files in a network share. Remember that when users delete files from over the network, those
files are permanently deleted. Because shadow copies enable users to view previous versions of files, the
feature allows them to restore a backup of deleted files.

19) In 2000 we don't have end user policy management, whereas in 2003 we have end user policy
management, which is done in GPMC (Group Policy Management Console).
20) In 2000 we have cross-domain trust relationships and in 2003 we have cross-forest trust relationships.
21) 2000 supports 4-node clustering and 2003 supports 8-node clustering.
22) 2003 has a service called Windows SharePoint Services (it is an integrated portfolio of collaboration and
communication services designed to connect people, information, processes, and systems both within and
beyond the organizational firewall).
23) 2003 has telnet sessions available.
24) 2000 supports IPv4 whereas 2003 supports IPv4 and IPv6.
25) In Windows 2003 server there are 5 AD partitions, whereas in 2k there are 3.

The added partitions are: 1) Global catalog 2) Application

Schema partition

Only one schema partition exists per forest. The schema partition is stored on all domain controllers in a
forest. The schema partition contains definitions of all objects and attributes that you can create in the
directory, and the rules for creating and manipulating them. Schema information is replicated to all domain
controllers in the attribute definitions.

Configuration partition

There is only one configuration partition per forest. Stored on all domain controllers in a forest, the
configuration partition contains information about the forest-wide active directory structure including what
domains and sites exist, which domain controllers exist in each forest, and which services are available.
Configuration information is replicated to all domain controllers in a forest.

Domain partition

Many domain partitions can exist per forest. Domain partitions are stored on each domain controller in a given
domain. A domain partition contains information about users, groups, computers and organizational units.
The domain partition is replicated to all domain controllers of that domain. All objects in every domain
partition in a forest are stored in the global catalog with only a subset of their attribute values.

Application partition

Application partitions store information about applications in Active Directory. Each application determines
how it stores, categorizes, and uses application-specific information. To prevent unnecessary replication to
specific application partitions, you can designate which domain controllers in a forest host specific application
partitions. Unlike a domain partition, an application partition cannot store security principal objects, such as
user accounts. In addition, the data in an application partition is not stored in the global catalog.

26) In 2k there are only two modes of domain operation, whereas in Win2k3 there are 4 modes of domain
operation [Native mode, Mixed mode, Interim mode and Windows 2003 mode].
27) In 2k3 there is a stub zone but in 2k there is not.
28) Cross trust & shortcut trust are available only in 2k3.
29) There was a group replication problem in 2k but it is removed from 2k3.
30) In 2k you have to create the trust between parent & child but in 2k3 the trust between parent & child is
created automatically.

Global Catalog

The Global Catalog server is the domain controller that stores a full copy of all objects in its host domain. It
also stores a partial copy of all objects in all other domains within the forest. The partial copy holds the list of
objects most frequently searched for. The first domain controller that is created in the first domain in a forest
is by default the Global Catalog server. If a domain only has one domain controller, that particular domain
controller and the GC server are the same server. If you add an additional domain controller to the domain,
you can configure that domain controller as the GC server. You can also assign additional domain controllers
to serve as GC servers for a domain. This is usually done to improve response time for user logon requests and
search requests.

In order for Global Catalog servers to store a full copy of all objects in its host domain, and a partial copy of all
objects in all other domains within the forest, GC replication has to occur between those domain controllers
that are configured as GC servers. GC replication does not occur between domain controllers that are not GC
servers.

The functions of the GC server are discussed in the following section. The functions performed by the GC
server can be summarized as follows:

• GC servers are crucial for Active Directory's UPN functionality when the domain controller handling the
authentication request is unable to authenticate the user account because the user account actually exists
in another domain. The authenticating domain controller would have no knowledge of the particular user
account. The GC server in this case assists in locating the user account so that the authenticating domain
controller can proceed with the logon request for the user.
• The GC server deals with search requests for the entire forest. It can find all Active Directory data
irrespective of the domain in which the data is held.
• The GC also makes it possible for users to …
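The partition layout described above (schema, configuration, domain and application partitions) and the global catalog's full and partial replicas can be modelled directly, which makes the replication rules easy to check. The following is an added example and not part of these notes; the forest layout, server names and the `DomainDnsZones` application partition it uses are constructed for the example.

```python
"""Model which Active Directory partitions each domain controller holds.

Added example; not from the original notes. The forest layout below
(domains, DC names, GC placement and the DomainDnsZones application
partition) is constructed for the example.
"""
from dataclasses import dataclass, field
from itertools import combinations


@dataclass
class DomainController:
    name: str
    domain: str                       # DNS name of the DC's own domain
    is_gc: bool = False               # designated global catalog server?
    app_partitions: set = field(default_factory=set)  # app partitions this DC is designated to host


@dataclass
class Forest:
    root_domain: str
    domains: list                     # DNS names of every domain in the forest
    dcs: list


def dn_for_domain(dns_name):
    """corp.example.com -> DC=corp,DC=example,DC=com"""
    return ",".join(f"DC={label}" for label in dns_name.split("."))


def partitions_hosted(forest, dc):
    """Return {partition_dn: 'full' | 'partial'} for one domain controller.

    'full' is a writable replica; 'partial' is the read-only, subset-of-attributes
    copy of another domain's objects that only a global catalog server keeps.
    """
    root = dn_for_domain(forest.root_domain)
    hosted = {
        f"CN=Schema,CN=Configuration,{root}": "full",  # one per forest, on every DC
        f"CN=Configuration,{root}": "full",            # one per forest, on every DC
        dn_for_domain(dc.domain): "full",              # the DC's own domain partition
    }
    if dc.is_gc:                                       # GC: partial replica of every other domain
        for domain in forest.domains:
            if domain != dc.domain:
                hosted[dn_for_domain(domain)] = "partial"
    for app in dc.app_partitions:                      # only designated hosts; never in the GC
        hosted[app] = "full"
    return hosted


def dcs_answering_search(forest, object_domain, attribute_in_gc_subset=True):
    """Which DCs can answer a query for an object in object_domain?

    Returns (full_replica_dcs, partial_replica_dcs). A GC's partial replica only
    helps when the attribute asked for is part of the GC attribute subset.
    """
    full = [dc.name for dc in forest.dcs if dc.domain == object_domain]
    partial = [dc.name for dc in forest.dcs
               if attribute_in_gc_subset and dc.is_gc and dc.domain != object_domain]
    return full, partial


def gc_replication_pairs(forest):
    """GC replication only happens between DCs that are GC servers."""
    gcs = [dc.name for dc in forest.dcs if dc.is_gc]
    return {frozenset(pair) for pair in combinations(gcs, 2)}


# Constructed sample forest: two domains, one GC in each.
FOREST = Forest(
    root_domain="example.com",
    domains=["example.com", "corp.example.com"],
    dcs=[
        DomainController("DC1", "example.com", is_gc=True),
        DomainController("DC2", "example.com",
                         app_partitions={"DC=DomainDnsZones,DC=example,DC=com"}),
        DomainController("DC3", "corp.example.com", is_gc=True),
        DomainController("DC4", "corp.example.com"),
    ],
)

if __name__ == "__main__":
    for dc in FOREST.dcs:
        print(dc.name, partitions_hosted(FOREST, dc))
    print(dcs_answering_search(FOREST, "corp.example.com"))
    print(gc_replication_pairs(FOREST))
```

Running it shows that a search for a `corp.example.com` object can be answered in full only by that domain's own DCs, that the GC in the root domain can answer it only for attributes in the GC subset, and that the application partition on DC2 never appears on any GC.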

Active Directory objects

Domain, Organizational Unit, User, Computer, Contact, Group, Shared Folder and Shared Printer

Active Directory structure

Domains, organizational units (OUs), domain trees and forests are considered logical structures. Sites and
domain controllers are considered physical structures.

• Domains are the main logical structure in Active Directory because they contain Active Directory
objects. Network objects such as users, printers, shared resources, and more, are all stored in
domains. Domains are also security boundaries. Access to objects in the domain is controlled by access
control lists (ACLs). You can use the domain functional level to enable additional Active Directory
features. You do this by raising the domain functional level of the domain controllers within the
domain. In Windows 2000, the domain mode concept was used and not the domain functional level.
The domain functional levels that can be specified are Windows 2000 Mixed, Windows 2000 Native,
Windows Server 2003 Interim and Windows Server 2003.
• Organizational Units (OUs): An OU is a container that enables you to organize objects such as users,
computers and even other OUs in a domain to form a logical administrative group. An OU is the
smallest Active Directory component to which you can delegate administrative authority. A domain can
have its own unique OU hierarchy.
• Domain Trees: When you group multiple domains into a hierarchical structure by adding child domains
to a parent domain, you are basically forming a domain tree. Domains are regarded as being part of the
same domain tree when they have a contiguous DNS namespace. A two-way transitive trust relationship
is automatically created between the parent domain and child domains when you create the child
domain.
• Forests: A forest is the grouping of multiple domain trees into a hierarchical structure. Domain trees in
a forest have a common schema, configuration, and global catalog. Domains within the forest are
linked by two-way transitive trust. Through the forest functional level, you can enable additional forest-
wide Active Directory features. The forest functional levels that can be set are Windows 2000, Windows
Server 2003 Interim, and Windows Server 2003.
• Sites: In Active Directory, sites are formed through the grouping of multiple subnets. Sites are typically
defined as locations in which network access is highly reliable, fast and not very expensive.
• Domain Controllers: A domain controller is a server that stores a writable copy of Active Directory.
They maintain the Active Directory data store. Certain master roles can be assigned to domain
controllers within a domain and forest. Domain controllers that are assigned special master roles are
called Operations Masters. These domain controllers host a master copy of particular data in Active
Directory. They also copy data to the remainder of the domain controllers. There are five master roles
that can be defined for domain controllers. Two types of master roles, the Schema Master and the
Domain Naming Master, are assigned to one domain controller in a forest. The other three master roles,
the RID Master, the PDC Emulator and the Infrastructure Master, are applied to a domain controller in
every domain.
  - The Schema Master is a forest-wide master role applied to a domain controller that manages all
  changes in the Active Directory schema.
  - The Domain Naming Master is a forest-wide master role applied to a domain controller that
  manages changes to the forest, such as adding and removing a domain. The domain controller
  serving this role also manages changes to the domain namespace.
  - The Relative ID (RID) Master is a domain-wide master role applied to a domain controller that
  creates unique ID numbers for domain controllers and manages the allocation of these
  numbers.
  - The PDC Emulator is a domain-wide master role applied to a domain controller that operates like
  a Windows NT primary domain controller. This role is typically necessary when there are
  computers in your environment running pre-Windows 2000 and XP operating systems.
  - The Infrastructure Master is a domain-wide master role applied to a domain controller that
  manages changes made to group memberships.
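The role placement rules just listed (two forest-wide and three domain-wide operations master roles, each held by exactly one domain controller in its scope) are something a practitioner checks against a DC inventory. The following is an added example, not part of these notes. One check goes beyond the page: Microsoft documents that in a multi-domain forest the Infrastructure Master should not sit on a global catalog server unless every DC in its domain is a GC, because a GC never holds stale cross-domain references for it to update. The two inventories are constructed.

```python
"""Check operations master (FSMO) role placement against an inventory.

Added example; not from the original notes. Rules from the text above: one
Schema Master and one Domain Naming Master per forest; one RID Master, PDC
Emulator and Infrastructure Master per domain. One check goes beyond the
page (a documented Microsoft caveat): in a multi-domain forest the
Infrastructure Master should not be on a global catalog server unless every
DC in its domain is a GC. Both inventories below are constructed.
"""
FOREST_ROLES = ("SchemaMaster", "DomainNamingMaster")
DOMAIN_ROLES = ("RIDMaster", "PDCEmulator", "InfrastructureMaster")


def role_holders(dcs):
    """Map each role name to the DCs claiming it."""
    holders = {}
    for dc in dcs:
        for role in dc["roles"]:
            holders.setdefault(role, []).append(dc["name"])
    return holders


def validate_fsmo(domains, dcs):
    """Return a list of problems; an empty list means placement is consistent."""
    problems = []
    held = role_holders(dcs)
    # forest-wide roles: exactly one holder anywhere in the forest
    for role in FOREST_ROLES:
        holders = held.get(role, [])
        if len(holders) != 1:
            problems.append(f"{role}: expected exactly one holder in the forest, found {holders}")
    for domain in domains:
        members = [dc for dc in dcs if dc["domain"] == domain]
        # domain-wide roles: exactly one holder in each domain
        for role in DOMAIN_ROLES:
            holders = [dc["name"] for dc in members if role in dc["roles"]]
            if len(holders) != 1:
                problems.append(f"{role} in {domain}: expected exactly one holder, found {holders}")
        # beyond the page: an Infrastructure Master on a GC never sees stale cross-domain references
        if len(domains) > 1 and members and not all(dc["is_gc"] for dc in members):
            for dc in members:
                if "InfrastructureMaster" in dc["roles"] and dc["is_gc"]:
                    problems.append(f"InfrastructureMaster in {domain} is on GC {dc['name']} "
                                    "but not every DC in the domain is a GC")
    return problems


def _dc(name, domain, is_gc, *roles):
    """Build one inventory record (constructed data, not a directory query)."""
    return {"name": name, "domain": domain, "is_gc": is_gc, "roles": set(roles)}


DOMAINS = ["example.com", "corp.example.com"]

GOOD_INVENTORY = [
    _dc("DC1", "example.com", True, "SchemaMaster", "DomainNamingMaster", "RIDMaster", "PDCEmulator"),
    _dc("DC2", "example.com", False, "InfrastructureMaster"),
    _dc("DC3", "corp.example.com", True, "RIDMaster", "PDCEmulator"),
    _dc("DC4", "corp.example.com", False, "InfrastructureMaster"),
]

BAD_INVENTORY = [   # a second Schema Master, and the corp Infrastructure Master on a GC
    _dc("DC1", "example.com", True, "SchemaMaster", "DomainNamingMaster", "RIDMaster", "PDCEmulator"),
    _dc("DC2", "example.com", False, "InfrastructureMaster"),
    _dc("DC3", "corp.example.com", True, "SchemaMaster", "RIDMaster", "PDCEmulator", "InfrastructureMaster"),
    _dc("DC4", "corp.example.com", False),
]

if __name__ == "__main__":
    print(validate_fsmo(DOMAINS, GOOD_INVENTORY))
    for problem in validate_fsmo(DOMAINS, BAD_INVENTORY):
        print("-", problem)
```

The inventory records are plain dictionaries so the same check can be fed from whatever tool you use to list role holders; the point of the example is the rule set, not the data source.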

Active Directory schema

The Active Directory schema defines what types of objects can be stored in Active Directory. It also defines
what the attributes of these objects are. The schema is defined by the following two types of objects:

• Schema class objects, also known as schema classes: Define the objects that can be created and stored
in Active Directory. The schema attributes store information on the schema class object when you
create a new class. A schema class is therefore merely a set of schema attribute objects.
• Schema attribute objects, also known as schema attributes: Schema attributes provide information on
object classes. The attributes of an object are also called the object's properties.

Although Active Directory includes a large number of object classes, you can create additional object classes if
necessary. These additions are known as schema extensions. Extensions can only be performed on the
domain controller acting as the Schema Master.
The object classes that can be used on access control lists (ACLs) to protect security objects are User,
Computer, and Group. These object classes are called security principals. A security principal has a Security
Identifier (SID), which is a unique number. A security principal's SID consists of the security principal's domain
and a Relative ID (RID). The RID is a unique suffix.

A few other concepts associated with the Active Directory schema are:

• Derivations: Set a way for forming new object classes using existing object classes.
• Schema Rules: The Active Directory directory service implements a set of rules into the Active Directory
schema that control the manner in which classes and attributes are utilized, and what values classes
and attributes can include. Schema rules are organized into Structure Rules, Syntax Rules, and
Content Rules.
• Structure Rules: The structure rule in Active Directory is that an object class can have only specific
classes directly on top of it. These specific classes are called Possible Superiors. Structure rules prevent
you from placing an object class in an inappropriate container.
• Syntax Rules: These rules define the types of values and ranges allowed for attributes.
• Content Rules dictate what attributes can be associated with a particular class.

Global Catalog

The global catalog is a central information store on the objects in a forest and domain, and is used to improve
performance when searching for objects in Active Directory. The first domain controller installed in a domain is
designated as the global catalog server by default. The global catalog server stores a full replica of all objects in
its host domain, and a partial replica of objects for the remainder of the domains in the forest. The partial
replica contains those objects which are frequently searched for. It is generally recommended to configure a
global catalog server for each site in a domain. You can use the Active Directory Sites and Services console to
set up additional global catalog servers.

Group Policy

Active Directory enables centralized management of user and computer configuration through Group Policy.
Through group policies, you can deploy applications and configure scripts to execute at startup, shutdown,
logon, or logoff. You can also implement password security, control certain desktop settings, and redirect
folders. When you create new group policies in Active Directory, the policy is stored as a Group Policy Object
(GPO). In Active Directory, you can apply a GPO to a domain, site or Organizational Unit.

Object naming

Each object in the Active Directory data store must have a unique name. Active Directory supports a number
of object naming schemes for naming objects:

• Distinguished Name (DN): Each object has a DN. The DN uniquely identifies a particular object and
uniquely identifies where the object is stored. The components that make up the DN of an object are:
  - CN - common name
  - OU - organizational unit
  - DC - domain component
• A canonical name is merely a different manner of depicting the object's DN in a method that is simpler
to interpret.
• Relative Distinguished Name (RDN): The RDN identifies a particular object within a parent container or
OU.
• Globally Unique Identifier (GUID): A GUID is a unique hexadecimal number that is assigned to an object
at the time that the object is created. The GUID of an object never changes.
• User Principal Name (UPN): The UPN is made up of the user account name of the user, and a domain
name that identifies the domain that contains the user account.
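The DN, RDN and canonical name forms above are mechanical transformations of one another, and anything that parses directory paths (audit scripts, log parsers, ACL reports) has to get the escaping right: a comma inside a value such as `CN=Smith\, John` is not a component separator. The following parser is an added example, not part of these notes, and the sample DN is constructed.

```python
"""Parse Active Directory distinguished names into the naming forms above.

Added example; not from the original notes. It splits a DN on the commas that
are not backslash-escaped (the LDAP string form, RFC 4514, escapes commas
inside a value as '\\,'), and derives the RDN, the parent container, the
domain's DNS name and the canonical name. The sample DN is constructed.
"""
import re


def _raw_components(dn):
    """Split on unescaped commas; escape sequences are kept as written."""
    comps, buf, i = [], [], 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):  # keep the escape pair together
            buf.append(dn[i:i + 2])
            i += 2
            continue
        if ch == ",":
            comps.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    comps.append("".join(buf))
    return comps


def _unescape(value):
    """Turn '\\,' back into ',' (and likewise for any other escaped character)."""
    return re.sub(r"\\(.)", r"\1", value)


def split_dn(dn):
    """Return [(type, value), ...] leaf first, e.g. [('CN', 'Smith, John'), ('OU', 'Sales'), ...]."""
    pairs = []
    for comp in _raw_components(dn):
        attr_type, _, value = comp.partition("=")
        pairs.append((attr_type.strip().upper(), _unescape(value)))
    return pairs


def rdn(dn):
    """The leaf component: identifies the object within its parent container."""
    return _raw_components(dn)[0].strip()


def parent_dn(dn):
    """The container the object is stored in."""
    return ",".join(_raw_components(dn)[1:])


def domain_dns_name(dn):
    """DC= components, root-most last, joined as a DNS name."""
    return ".".join(value for attr_type, value in split_dn(dn) if attr_type == "DC")


def canonical_name(dn):
    """The canonical form: domain.tld/container/.../leaf, in top-down order."""
    path = [value for attr_type, value in reversed(split_dn(dn)) if attr_type != "DC"]
    return "/".join([domain_dns_name(dn)] + path)


# Constructed sample: a user whose common name contains an escaped comma.
SAMPLE_DN = "CN=Smith\\, John,OU=Sales,OU=Users,DC=corp,DC=example,DC=com"

if __name__ == "__main__":
    print(split_dn(SAMPLE_DN))
    print(rdn(SAMPLE_DN))
    print(parent_dn(SAMPLE_DN))
    print(canonical_name(SAMPLE_DN))
```

Note that the canonical name reverses the order of the DN: the DN is written leaf first, the canonical name domain first.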

Active Directory replication

In Active Directory, replication ensures that any changes made to a domain controller within a domain are
replicated to all the other domain controllers in the domain. Active Directory util(izes multimaster replication
to replicate changes in the Active Directory data store to the domain controllers. With multimaster replication,
domains are considered peers to one another.

With Windows Server 2003, the Knowledge Consistency Checker (KCC) is used to create a replication topology
of the forest, to ensure that the changes are replicated efficiently to the domain controllers. A replication
topology reflects the physical connections utilized by domain controllers to replicate the Active Directory
directory to domain controllers in a site, or in different sites. Intra-site replication occurs when the Active
Directory directory is replicated within a site. When replication occurs between sites, it is known as inter-site
replication. Since the bandwidth between sites is typically slow, information on site links is utilized to
identify the most favourable link that should be used for moving replication data between sites in Active
Directory.
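The "most favourable link" selection between sites is a shortest-path problem over site links and their costs, and the intra-site versus inter-site distinction falls out of whether two domain controllers share a site. The following is an added example, not part of these notes; the sites, site links and costs are constructed, and the path search uses Dijkstra's algorithm rather than anything specific to the KCC.

```python
"""Pick the replication path between sites from site-link costs.

Added example; not from the original notes. A replication between two DCs in
one site is intra-site; between sites it follows the chain of site links
with the lowest total cost, found here with Dijkstra's algorithm. Sites,
links and costs below are constructed for the example.
"""
import heapq


def cheapest_site_path(site_links, src, dst):
    """site_links: [(site_a, site_b, cost)]. Returns (total_cost, [sites]) or (None, [])."""
    graph = {}
    for a, b, cost in site_links:            # site links are bidirectional
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    best = {src: 0}
    prev = {}
    heap = [(0, src)]
    while heap:
        cost, site = heapq.heappop(heap)
        if site == dst:                      # first pop of dst is the cheapest route
            path = [dst]
            while path[-1] != src:
                path.append(prev[path[-1]])
            return cost, path[::-1]
        if cost > best.get(site, float("inf")):
            continue                         # stale heap entry
        for nxt, weight in graph.get(site, []):
            new_cost = cost + weight
            if new_cost < best.get(nxt, float("inf")):
                best[nxt] = new_cost
                prev[nxt] = site
                heapq.heappush(heap, (new_cost, nxt))
    return None, []


def plan_replication(dc_sites, site_links, dc_a, dc_b):
    """Classify replication between two DCs and give the site chain it will use."""
    site_a, site_b = dc_sites[dc_a], dc_sites[dc_b]
    if site_a == site_b:
        return {"kind": "intra-site", "cost": 0, "path": [site_a]}
    cost, path = cheapest_site_path(site_links, site_a, site_b)
    if cost is None:
        return {"kind": "unreachable", "cost": None, "path": []}
    return {"kind": "inter-site", "cost": cost, "path": path}


# Constructed topology: a hub site and three spokes; one site has no link at all.
SITE_LINKS = [
    ("HQ", "Branch1", 100),
    ("HQ", "Branch2", 100),
    ("Branch1", "Branch2", 500),   # direct but expensive: a slow WAN circuit
    ("Branch2", "Remote", 200),
]
DC_SITES = {"DC1": "HQ", "DC2": "HQ", "DC3": "Branch1",
            "DC4": "Branch2", "DC5": "Remote", "DC6": "Island"}

if __name__ == "__main__":
    for pair in (("DC1", "DC2"), ("DC3", "DC4"), ("DC3", "DC5"), ("DC1", "DC6")):
        print(pair, plan_replication(DC_SITES, SITE_LINKS, *pair))
```

The Branch1 to Branch2 case is the one worth noticing: the direct link exists but costs 500, so replication is routed through HQ at a total cost of 200. A site with no site link at all (Island) is reported as unreachable, which is the condition that shows up in practice as a DC that never converges.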

Trust relationships

In Active Directory, when two domains trust each other or a trust relationship exists between the domains, the
users and computers in one domain can access resources residing in the other domain. The trust relationships
supported in Windows Server 2003 are summarized below:

• Parent/Child trust: A parent/child trust relationship exists between two domains in Active Directory
that have a common contiguous DNS namespace, and which belong to the same forest. This trust
relationship is established when a child domain is created in a domain tree.
• Tree Root trust: A tree root trust relationship can be configured between root domains in the same
forest. The root domains do not have a common DNS namespace. This trust relationship is established
when a new tree root domain is added to a forest.
• Shortcut trust: This trust relationship can be configured between two domains in different domain trees
but within the same forest. Shortcut trust is typically utilized to improve user logon times.
• External trust: External trust relationships are created between an Active Directory domain and a
Windows NT4 domain.
• Realm trust: A realm trust relationship exists between an Active Directory domain and a non-Windows
Kerberos realm.
• Forest trust: Forest trust can be created between two Active Directory forests.
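Whether users in one domain can reach resources in another depends on the direction and transitivity of the trusts between them, as defined for the trust types above and in the trust characteristics described later in these notes. The following is an added example, not part of these notes, that evaluates a trust chain: a direct trust of any kind grants access, while a chain through intermediate domains works only over transitive trusts, which is why an external trust to an NT 4 domain stops at the domain that created it. The forest, partner domain and trusts are constructed.

```python
"""Evaluate whether a trust path lets users of one domain reach another.

Added example; not from the original notes. Trusts are modelled with the
direction (trusting -> trusted), two-way flag and transitivity described in
the trust sections of these notes. A direct trust of any kind grants access;
a chain through other domains works only over transitive trusts. The forest
and partner domain below are constructed.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str      # domain that honours authentications from `trusted`
    trusted: str
    kind: str          # parent/child, tree root, shortcut, external, realm, forest
    transitive: bool
    two_way: bool


def directed_edges(trusts):
    """Expand trusts into (trusting, trusted, transitive) edges; two-way trusts give both."""
    edges = []
    for t in trusts:
        edges.append((t.trusting, t.trusted, t.transitive))
        if t.two_way:
            edges.append((t.trusted, t.trusting, t.transitive))
    return edges


def trust_path(trusts, user_domain, resource_domain):
    """Chain of domains from the resource domain to the user's domain, or None."""
    if user_domain == resource_domain:
        return [resource_domain]
    edges = directed_edges(trusts)
    # a direct trust works whether or not it is transitive
    for trusting, trusted, _ in edges:
        if trusting == resource_domain and trusted == user_domain:
            return [resource_domain, user_domain]
    # longer chains may only pass over transitive trusts (breadth-first search)
    prev = {resource_domain: None}
    queue = deque([resource_domain])
    while queue:
        current = queue.popleft()
        for trusting, trusted, transitive in edges:
            if trusting != current or not transitive or trusted in prev:
                continue
            prev[trusted] = current
            if trusted == user_domain:
                path = [trusted]
                while prev[path[-1]] is not None:
                    path.append(prev[path[-1]])
                return path[::-1]
            queue.append(trusted)
    return None


# Constructed forest: one tree example.com/corp/sales, a second tree fabrikam.net,
# a shortcut trust between sales and fabrikam, and a one-way nontransitive
# external trust from example.com to an NT 4 domain partner.local.
TRUSTS = [
    Trust("example.com", "corp.example.com", "parent/child", True, True),
    Trust("corp.example.com", "sales.corp.example.com", "parent/child", True, True),
    Trust("example.com", "fabrikam.net", "tree root", True, True),
    Trust("sales.corp.example.com", "fabrikam.net", "shortcut", True, True),
    Trust("example.com", "partner.local", "external", False, False),
]

if __name__ == "__main__":
    print(trust_path(TRUSTS, "sales.corp.example.com", "example.com"))
    print(trust_path(TRUSTS, "partner.local", "example.com"))
    print(trust_path(TRUSTS, "partner.local", "corp.example.com"))   # None: external trust is nontransitive
    print(trust_path([t for t in TRUSTS if t.kind != "shortcut"], "fabrikam.net", "sales.corp.example.com"))
```

Removing the shortcut trust from the list shows what it buys: the fabrikam.net to sales path grows from a single hop to a four-domain chain through the tree roots, which is the logon latency the shortcut trust is meant to remove.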

Domain and forest functional levels

Domain and forest functional levels provide the means by which you can enable additional domain-wide and
forest-wide Active Directory features, remove outdated backward compatibility within your environment, and
improve Active Directory performance and security. In Windows 2000, the terminology used to refer to domain
functional levels was domain modes. Forests in Windows 2000 have one mode and domains can have the
domain mode set as either mixed mode or native mode. With Windows Server 2003 Active Directory came the
introduction of the Windows Server 2003 interim functional level and Windows Server 2003 functional level for
both domains and forests. The four domain functional levels that can be set for domain controllers are
Windows 2000 mixed, Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. The
default domain functional level is Windows 2000 mixed. The three forest functional levels are Windows 2000,
Windows Server 2003 interim, and Windows Server 2003. The default forest functional level is Windows 2000.

When the Windows Server 2003 functional level is enabled in your environment, additional Active Directory
domain-wide and forest-wide features are automatically enabled. Windows Server 2003 functional level is
enabled in your environment when all domain controllers are running Windows Server 2003. The Active
Directory Domains And Trusts console is used to raise the functional levels of domains and forests in Active
Directory.

Domain functional levels

When raising the domain functional level from Windows 2000 mixed to Windows 2000 native or the Windows Server
2003 functional level, domain controllers are regarded as peers to each other. What this essentially means is
that the domain master concept no longer exists. It also means that pre-Windows 2000 replication no longer
exists. If you are considering raising the domain functional level within your environment to Windows Server
2003, you should remember that after the domain functional level is raised, you cannot add any Windows
2000 server to the particular domain.
Windows 2000 mixed domain functional level

Any newly installed domain controller operates in Windows 2000 mixed domain functional level for the domain
by default. This makes the Windows 2000 mixed domain functional level the default functional level for all
Windows Server 2003 domains. Windows 2000 mixed domain functional level enables the Windows Server
2003 domain controller to operate together with Windows NT 4, Windows 2000, and Windows Server 2003
domain controllers. The only Windows NT domain controllers supported are Windows NT backup domain
controllers (BDCs). Windows NT primary domain controllers do not exist in Active Directory. In Active
Directory, domain controllers act as peers to one another. Windows 2000 mixed domain functional level is
usually used to migrate domain controllers from Windows NT to Windows 2000 domain controllers.

You can raise Windows 2000 mixed domain functional level to

• Windows 2000 native domain functional level
• Windows Server 2003 domain functional level

The Active Directory domain features that are available in Windows 2000 mixed domain functional level are
listed below:

• Local and Global groups
• Distribution Groups
• Distribution Group nesting
• Global Catalog support
• Up to 40,000 domain objects are supported

The Active Directory domain features that are not supported in Windows 2000 mixed domain functional level
are listed below:

• Renaming domain controllers
• Universal Groups
• Security group nesting
• SID History
• Update logon timestamp
• Group conversion between Security Groups and Distribution Groups
• Users/Computers container redirection
• Constrained delegation
• User password support on the InetOrgPerson object

Windows 2000 native domain functional level

The Windows 2000 native domain functional level enables Windows Server 2003 domain controllers to operate
with Windows 2000 domain controllers and Windows Server 2003 domain controllers. This domain functional
level is typically used to support domain controller upgrades from Windows 2000 to Windows Server 2003.
Windows NT 4.0 backup domain controllers are not supported in the Windows 2000 native domain functional
level. Windows 2000 native cannot be lowered again to the Windows 2000 mixed domain functional level.

You can raise the Windows 2000 native domain functional level to

• Windows Server 2003 domain functional level.

The Active Directory domain features that are available in Windows 2000 native domain functional level are
listed below:

• Local and Global groups
• Distribution Groups
• Distribution group nesting
• Security group nesting
• Universal Groups
• Group conversion between Security Groups and Distribution Groups
• Global Catalog support
• SID History
• Up to 1,000,000 domain objects are supported

The Active Directory domain features that are not supported in Windows 2000 native domain functional level
are listed below:

• Renaming domain controllers
• Update logon timestamp
• Users/Computers container redirection
• Constrained delegation
• User password support on the InetOrgPerson object

Windows Server 2003 interim domain functional level

Windows Server 2003 interim domain functional level enables domain controllers running Windows Server 2003
to function in a domain containing both Windows NT 4.0 domain controllers and Windows Server 2003 domain
controllers. Domain controllers running Windows 2000 are not supported in this domain functional level. You
can only set this domain functional level when upgrading from Windows NT to Windows Server 2003. In fact,
the Windows Server 2003 interim domain functional level can only be raised to Windows Server 2003 domain
functional level. Windows Server 2003 interim domain functional level is also typically used when you are not
going to immediately upgrade your Windows NT 4.0 backup domain controllers to Windows Server 2003, and
when your existing Windows NT domain has groups consisting of over 5,000 members.

The Active Directory domain features that are available in Windows Server 2003 interim domain functional
level are listed below:

• Local and Global groups
• Distribution groups
• Distribution group nesting
• Global Catalog support
• Up to 40,000 domain objects are supported

The Active Directory domain features that are not supported in Windows Server 2003 interim domain
functional level are listed below:

• Renaming domain controllers
• Universal Groups
• Security group nesting
• SID History
• Update logon timestamp
• Group conversion between Security Groups and Distribution Groups
• Users/Computers container redirection
• Constrained delegation
• User password support on the InetOrgPerson object

Windows Server 2003 domain functional level

Windows Server 2003 domain functional level is the highest level that can be specified for a domain. All
domain controllers in the domain are running Windows Server 2003. This basically means that Windows NT 4
and Windows 2000 domain controllers are not supported in these domains. Once the domain level is set as
Windows Server 2003 domain functional level, it cannot be lowered to any of the previous domain functional
levels.

All Active Directory domain features are available in Windows Server 2003 domain functional level:

• Local and Global groups
• Distribution Groups
• Distribution group nesting
• Security group nesting
• Universal Groups
• Group conversion between Security Groups and Distribution Groups
• Global Catalog support
• SID History
• Up to 1,000,000 domain objects are supported
• Renaming domain controllers
• Update logon timestamp
• Users/Computers container redirection
• Constrained delegation
• User password support on the InetOrgPerson object

How to view the domain functional level

1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want to verify, and select Raise Domain
Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. You can view the existing domain functional level for the domain in Current domain functional level.

How to raise the domain functional level

Before you can raise the domain functional level to Windows Server 2003 domain functional level, each domain
controller in the domain has to be running Windows Server 2003.

To raise the domain functional level for a domain,

1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want to raise, and select Raise Domain
Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. Use the Select An Available Domain Functional Level list to choose the domain functional level for the
domain.
5. Click Raise.
6. Click OK.

Forest functional levels

While Windows 2000 has only one forest functional level, Windows Server 2003 has three forest functional
levels. Through the forest functional levels, you can enable forest-wide Active Directory features in your Active
Directory environment. The forest functional levels are actually very much like the domain functional levels.

Windows 2000 forest functional level

This is the default forest functional level, which means that all newly created Windows Server 2003 forests
have this level when initially created. The Windows 2000 forest functional level supports Windows NT 4,
Windows 2000 and Windows Server 2003 domain controllers.

The Active Directory forest features that are available in Windows 2000 forest functional level are listed below:

• Universal Group caching
• Application directory partitions
• Global Catalog replication enhancements
• Installations from backups
• The Active Directory quota feature
• SIS for system access control lists (SACL)

The Active Directory forest features that are not supported in Windows 2000 forest functional level are listed
below:

• Domain renaming
• Forest Trust
• Defunct schema objects
• Linked value replication
• Dynamic auxiliary classes
• Improved Knowledge Consistency Checker (KCC) replication algorithms
• Application groups
• InetOrgPerson objectClass
• NTDS.DIT size reduction

Windows Server 2003 interim forest functional level

Domain controllers in a domain running Windows NT 4 and Windows Server 2003 are supported in the
Windows Server 2003 interim forest functional level. This level is used when upgrading from Windows NT 4
to Windows Server 2003. The functional level is also configured when you are not planning to immediately
upgrade your existing Windows NT 4 backup domain controllers, or your existing Windows NT 4.0 domain has
groups consisting of over 5,000 members. No Windows 2000 domain controllers can exist if the Windows
Server 2003 interim forest functional level is set for the forest. The Windows Server 2003 interim forest
functional level can only be raised to the Windows Server 2003 forest functional level.

The Active Directory forest-wide features that are available in Windows Server 2003 interim forest functional
level are listed below:

• Universal Group caching
• Application directory partitions
• Global Catalog replication enhancements
• Installations from backups
• The Active Directory quota feature
• SIS for system access control lists (SACL)
• Improved Knowledge Consistency Checker (KCC) replication algorithms
• Linked value replication

The Active Directory forest features that are not supported in Windows Server 2003 interim forest functional
level are listed below:

• Domain renaming
• Forest Trust
• Defunct schema objects
• Dynamic auxiliary classes
• Application groups
• InetOrgPerson objectClass
• NTDS.DIT size reduction

Windows Server 2003 forest functional level

All domain controllers in the forest have to be running Windows Server 2003 in order for the forest functional
level to be raised to the Windows Server 2003 forest functional level. What this means is that no domain
controllers in the Active Directory forest can be running Windows NT 4 and Windows 2000. In the Windows
Server 2003 forest functional level, all forest-wide Active Directory features are available, including the
following:

• Domain renaming
• Forest Trust
• Defunct schema objects
• Dynamic auxiliary classes
• Application groups
• Universal Group caching
• Application directory partitions
• Global Catalog replication enhancements
• Installations from backups
• The Active Directory quota feature
• SIS for system access control lists (SACL)
• Improved Knowledge Consistency Checker (KCC) replication algorithms
• Linked value replication
• InetOrgPerson objectClass
• NTDS.DIT size reduction
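The functional level descriptions above amount to two rules per level: which way a level can be raised (never lowered) and which domain controller operating systems each level tolerates. Before clicking Raise in the console, a practitioner wants to know which DCs would block the change. The following pre-check is an added example, not part of these notes; the raise paths and supported operating systems are taken from the text above (the interim levels are only entered while upgrading from Windows NT 4, so they are not listed as raise targets from a Windows 2000 level), and the DC inventories are constructed.

```python
"""Pre-check a domain or forest functional level raise against DC inventory.

Added example; not from the original notes. The raise paths and the DC
operating systems each level supports are taken from the functional level
descriptions above (levels can only be raised, and the interim levels are
entered only while upgrading from Windows NT 4, so they are not raise targets
from a Windows 2000 level). DC inventories are constructed.
"""
DOMAIN_RAISE_PATHS = {          # current level -> permitted targets, lowest first
    "Windows 2000 mixed": ["Windows 2000 native", "Windows Server 2003"],
    "Windows 2000 native": ["Windows Server 2003"],
    "Windows Server 2003 interim": ["Windows Server 2003"],
    "Windows Server 2003": [],
}
DOMAIN_DC_OS = {                # which DC operating systems each level supports
    "Windows 2000 mixed": {"Windows NT 4.0", "Windows 2000", "Windows Server 2003"},
    "Windows 2000 native": {"Windows 2000", "Windows Server 2003"},
    "Windows Server 2003 interim": {"Windows NT 4.0", "Windows Server 2003"},
    "Windows Server 2003": {"Windows Server 2003"},
}
FOREST_RAISE_PATHS = {
    "Windows 2000": ["Windows Server 2003"],
    "Windows Server 2003 interim": ["Windows Server 2003"],
    "Windows Server 2003": [],
}
FOREST_DC_OS = {
    "Windows 2000": {"Windows NT 4.0", "Windows 2000", "Windows Server 2003"},
    "Windows Server 2003 interim": {"Windows NT 4.0", "Windows Server 2003"},
    "Windows Server 2003": {"Windows Server 2003"},
}


def _tables(scope):
    if scope == "domain":
        return DOMAIN_RAISE_PATHS, DOMAIN_DC_OS
    if scope == "forest":
        return FOREST_RAISE_PATHS, FOREST_DC_OS
    raise ValueError(f"unknown scope {scope!r}")


def raise_check(scope, current_level, target_level, dc_os):
    """dc_os: {dc_name: operating_system} for every DC in the domain (or forest).

    Returns (ok, reasons); reasons lists what blocks the raise.
    """
    paths, allowed_os = _tables(scope)
    reasons = []
    if target_level not in paths.get(current_level, []):
        reasons.append(f"no raise path from '{current_level}' to '{target_level}'")
    blocking = sorted(dc for dc, os_name in dc_os.items()
                      if os_name not in allowed_os.get(target_level, set()))
    if blocking:
        reasons.append(f"domain controllers not supported at '{target_level}': {blocking}")
    return (not reasons, reasons)


def highest_reachable_level(scope, current_level, dc_os):
    """Highest level the listed DCs permit; the current level if nothing can be raised."""
    paths, _ = _tables(scope)
    best = current_level
    for level in paths.get(current_level, []):
        if raise_check(scope, current_level, level, dc_os)[0]:
            best = level
    return best


# Constructed inventories.
DCS_WITH_2000 = {"DC1": "Windows Server 2003", "DC2": "Windows 2000"}
DCS_WITH_NT4_BDC = {"DC1": "Windows Server 2003", "BDC1": "Windows NT 4.0"}
DCS_ALL_2003 = {"DC1": "Windows Server 2003", "DC3": "Windows Server 2003"}

if __name__ == "__main__":
    print(raise_check("domain", "Windows 2000 mixed", "Windows Server 2003", DCS_WITH_2000))
    print(highest_reachable_level("domain", "Windows 2000 mixed", DCS_WITH_2000))
    print(highest_reachable_level("domain", "Windows 2000 mixed", DCS_WITH_NT4_BDC))
    print(raise_check("forest", "Windows 2000", "Windows Server 2003", DCS_ALL_2003))
```

The forest check takes every DC in the forest, not just one domain, which is the page's condition for the Windows Server 2003 forest functional level. Because the raise is irreversible, the same function also rejects any attempt to move to a lower level.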

Understanding trust relationships

In the Windows NT domain model, domains had to be bound together through trust relationships, simply
because the SAM databases used in those domains could not be joined. What this meant was that where a
domain trusted another Windows NT domain, the members of the domain could access network resources
located in the other domain. Defining trust relationships between domains eliminates the need for an
Administrator to configure user accounts in multiple domains.

In a trust relationship, the two domains are referred to as the trusting domain and the trusted domain. The
trusted domain is the domain where the trust relationship is created. The trusting domain is the other domain
specified in the trust, that is, the one wherein network resources can be accessed. The trusting domain in
this case recognizes the logon authentications of the trusted domain. The logon trust relationship is supported
by the NT LanMan Challenge Response. This allows pass-through authentication of users from the trusted
domain. One of the shortfalls of Windows NT trust relationships is that trusts between domains were one-way
and nontransitive. This meant that the defined trust relationship ended with the two domains between which
the particular trust was created. The rights implicit in the trust relationship also flowed only in one single
direction. Because of this, defining and managing trust relationships in the Windows NT domain structure was
a cumbersome and labour intensive task. The Windows NT domain worked well in small enterprises where one
domain typically existed in the enterprise. In those larger enterprises that have multiple domains,
Administrators have to define trust relationships between the domains in order for a user in one domain to
access resources in another domain.

In Windows 2000 and Windows 2003, Active Directory is built on the concept of trust relationships between
domains. Although the actual concept of trust relationships is not new in Windows Server 2003, there are new
trust capabilities and trust types available for Windows Server 2003 Active Directory domains.

In Windows Server 2003, authentication of users or applications occurs through one of the following trust
protocols:

- NT LAN Manager (NTLM) protocol: This protocol is used when one of the computers in the trust
  relationship does not support the Kerberos version 5 protocol.
- Kerberos version 5 protocol: This is the default trust protocol used when the computers in the trust
  relationship are running Windows Server 2003.

The characteristics of Windows Server 2003 trusts are outlined below:

- Trusts can be nontransitive or transitive:
  - Transitive trusts: With transitive trusts, the trust extends to each domain that a trusted domain
    itself trusts. What this means is that where Domain1 trusts Domain2, and Domain2 trusts Domain3,
    Domain1 also trusts Domain3.
  - Nontransitive trusts: The defined trust relationship ends with the two domains between which the
    particular trust is created.
- Trusts can be one-way or two-way trusts:
  - One-way trusts: Based on the direction of the trust, a one-way trust can further be classified as
    either an incoming trust or an outgoing trust. A one-way trust can be transitive or nontransitive:
    - Incoming trust: With an incoming trust, the trust is created in the trusted domain, and users in
      the trusted domain are able to access network resources in the trusting domain (the other domain).
      Users in the other domain cannot, however, access network resources in the trusted domain.
    - Outgoing trust: In this case, users in the other domain are able to access network resources in
      the initiating domain. Users in the initiating domain are not able to access any resources in the
      other domain.
  - Two-way trusts: A two-way trust relationship means that where Domain1 trusts Domain2, Domain2 also
    trusts Domain1. The trust works in both directions, and users in each domain are able to access
    network resources in either of the two domains. A two-way, transitive trust relationship is the trust
    that exists between parent domains and child domains in a domain tree. In a two-way transitive trust,
    where Domain1 trusts Domain2 and Domain2 trusts Domain3, Domain1 trusts Domain3 and Domain3 trusts
    Domain1. A two-way, transitive trust is the default trust relationship between domains in a tree. It
    is automatically created and exists between the top-level domains in a forest.
- Trusts can be implicit or explicit trusts:
  - Implicit: Automatically created trust relationships are called implicit trusts. An example of an
    implicit trust is the two-way, transitive trust relationship that Active Directory creates between a
    parent domain and its child domains.
  - Explicit: Manually created trust relationships are referred to as explicit trusts.

Types of trust relationships

The types of trust relationships that can be created and configured for Active Directory domains are discussed
in this section. As an Administrator of Windows Server 2003 Active Directory domains, it is important to
understand the different types of trust that are supported in Windows Server 2003, and to know which trust
relationship to create for the different network resource access requirements that exist within your
organization.

- Tree-root trust: A tree-root trust is automatically (implicitly) created when a new tree root domain is
  added to a forest. The trust relationship exists between two root domains within the same forest. For
  instance, if you have an existing forest root domain, and you add a new tree root domain to the same
  forest, a tree-root trust is formed between the new tree root domain and the existing forest root domain.
  Tree-root trust is transitive and two-way.
- Parent-child trust: A parent-child trust is implicitly established when a new child domain is added to a
  domain tree. Parent-child trust is a two-way, transitive trust relationship. Active Directory
  automatically creates a trust relationship between the new child domain and the domain directly above
  it in the domain namespace hierarchy. What this means is that the trust relationship exists between
  those domains that have a common contiguous DNS namespace and are part of the same forest.
  Parent-child trust enables authentication requests from child domains to be passed through the parent
  domain for authentication. In addition, when a new domain is added to the tree, trust relationships are
  created with each domain in the tree. This means that network resources in the individual domains of
  the tree can be accessed by all other domains in the tree.
- Shortcut trust: A shortcut trust is explicitly created by an Administrator, and can be defined as either a
  one-way transitive trust or a two-way transitive trust. A shortcut trust is usually created when you want
  to speed up, or enhance, authentication performance between two domains in different trees but within
  the same forest. A one-way shortcut trust should be created when users in Domain1 need to access
  Active Directory objects in Domain2 but users in Domain2 do not need to access objects in Domain1.
  A two-way shortcut trust should be created when users in each domain need to access objects in the
  other domain.
- Realm trust: A realm trust is explicitly created by an Administrator, and can be defined as either a
  transitive trust or a nontransitive trust, and can also be either a one-way trust or a two-way trust. Realm
  trust enables you to create a trust relationship between a Windows Server 2003 Active Directory
  domain and a non-Windows Kerberos version 5 realm. Realm trust therefore facilitates interoperability
  between a Windows Server 2003 domain and a realm used in Kerberos version 5 implementations.
- External trust: An external trust is explicitly defined by an Administrator to enable trust between
  domains that are located in different forests, and to create trust between an Active Directory domain
  and a down-level Windows NT 4 domain. External trust is always nontransitive but can be either a one-way
  trust or a two-way trust. External trust is usually only created in Windows Server 2003 Active
  Directory environments when users need to access network resources in a domain that resides in a
  different forest, and a forest trust cannot be created between the two forests. When an external trust is
  created between an Active Directory domain and a down-level Windows NT 4 domain, it is a one-way,
  nontransitive trust relationship.
- Forest trust: A forest trust is explicitly created by an Administrator to enable trust between two Active
  Directory forests. Forest trust is transitive in nature, and can be either one-way or two-way. Forest
  trust is only available in Windows Server 2003. Before you can create a forest trust between two forests,
  each domain in the particular forests, and each forest, has to be raised to, and running at, the Windows
  Server 2003 functional level. Because a forest trust is created between the two root domains of two forests,
  it effectively creates two-way trusts with each domain within the two forests. This basically means that
  users would be able to access Active Directory objects in all domains encompassed by the particular
  forest trust relationship.
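The transitivity and direction rules described in the two sections above (one-way versus two-way, transitive versus nontransitive, and how parent-child, tree-root and external trusts combine) can be checked mechanically. The following Python model is an added example, not part of the original article: it encodes each trust as a directed edge and answers "can a user from domain X be authenticated to resources in domain Y?" by allowing a single hop over any trust but multi-hop paths only over transitive trusts. The forest layout and domain names (corp.example, sales.corp.example, eu.example, partner.example) are constructed for the example.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    """One direction of a trust: `trusting` accepts logons of users from `trusted`."""
    trusting: str
    trusted: str
    transitive: bool


def two_way(a: str, b: str, transitive: bool = True) -> list:
    """A two-way trust is simply a trust in each direction."""
    return [Trust(a, b, transitive), Trust(b, a, transitive)]


def can_access(user_domain: str, resource_domain: str, trusts: list) -> bool:
    """True if a user from user_domain can be authenticated to resources in resource_domain.

    A direct trust of either kind is enough for one hop. Longer paths (Domain1 trusts Domain2,
    Domain2 trusts Domain3) only work when every trust on the path is transitive.
    """
    if user_domain == resource_domain:
        return True
    outgoing = {}
    for t in trusts:
        outgoing.setdefault(t.trusting, []).append(t)
    # one hop: a direct trust, transitive or not
    if any(t.trusted == user_domain for t in outgoing.get(resource_domain, [])):
        return True
    # several hops: breadth-first search that only follows transitive trusts
    queue, seen = deque([resource_domain]), {resource_domain}
    while queue:
        current = queue.popleft()
        for t in outgoing.get(current, []):
            if not t.transitive:
                continue
            if t.trusted == user_domain:
                return True
            if t.trusted not in seen:
                seen.add(t.trusted)
                queue.append(t.trusted)
    return False


# Constructed sample forest (domain names are placeholders, not from any real deployment):
#   corp.example        forest root
#   sales.corp.example  child domain       -> parent-child trust, two-way transitive
#   eu.example          second tree root   -> tree-root trust, two-way transitive
#   partner.example     separate forest    -> external trust, one-way nontransitive:
#                                             corp.example trusts partner.example
SAMPLE_TRUSTS = (
    two_way("corp.example", "sales.corp.example")
    + two_way("corp.example", "eu.example")
    + [Trust(trusting="corp.example", trusted="partner.example", transitive=False)]
)


def access_matrix(trusts: list) -> dict:
    """For every ordered pair of domains, whether users of the first can reach resources of the second."""
    domains = sorted({d for t in trusts for d in (t.trusting, t.trusted)})
    return {(u, r): can_access(u, r, trusts) for u in domains for r in domains if u != r}


if __name__ == "__main__":
    for (user_dom, res_dom), ok in sorted(access_matrix(SAMPLE_TRUSTS).items()):
        print(f"{user_dom:20} -> {res_dom:20} {'allowed' if ok else 'denied'}")
```

Running it shows the behaviour the text describes: a sales.corp.example user reaches eu.example through the two transitive trusts via the forest root, partner.example users reach corp.example over the external trust but not sales.corp.example (nontransitive), and nobody from the forest reaches partner.example (one-way).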

Backing up Active Directory

To ensure the availability of mission-critical resources and network objects, and business continuity, you
need to perform backups of Active Directory if it is running in your environment. This is because Active
Directory normally hosts mission-critical data and resources. Backups are typically performed for a number of
reasons, including the following:

- Recovering from data loss: Having a readily accessible backup of Active Directory ensures that you
  can recover any important Active Directory objects which were deleted in error. Backups also prove
  invaluable when unauthorized users intentionally delete or modify data. The backup enables you
  to restore data to its previous state of integrity. Because certain hardware failures such as corrupted
  hard disk drives can cause considerable loss of data, backing up your data ensures that the
  business can continue to perform its mission-critical functions when such an event does occur.
- Archiving: It is recommended to regularly back up mission-critical data so that any previous version of
  information can be accessed, if necessary, at some time in the future.

Because Active Directory is dependent on the Registry, you need to back up files within the system directory.
These files are called system state data. System state data basically contains the main configuration
information in Windows 2000 and Windows Server 2003. What information is actually included in system state
data is determined by the operating system (OS) configuration. System state typically includes the following
important data, files and components:

- The Windows Registry
- The contents of the SYSVOL directory
- Files which are protected by the Windows File Protection system
- Boot and system files: Ntdetect.com, Ntldr and Bootsect.dat
- The COM+ Class Registration database
- The Active Directory database (Ntds.dit), including all log files and checkpoint files
- Cluster service files
- Certificate service files
- The Internet Information Server (IIS) metabase

You can use one of the methods listed below to back up Active Directory:

- Back up the system state data only
- Back up Active Directory as part of a full system backup
- Back up Active Directory as part of a partial system backup

In Windows 2000 Active Directory, you could only perform one of the following restore methods:

- Authoritative restore
- Non-authoritative restore

When it comes to restoring Active Directory in Windows Server 2003, you can use one of the following restore
methods:

- Normal restore: In Windows 2000, this was the Non-authoritative restore method. A Normal restore
  functions pretty much the same as a Non-authoritative restore. With a Normal restore, the Backup
  utility is run on the computer while it is in Directory Services Restore Mode. After the domain controller is
  rebooted, normal replication occurs with its replication partners.

  A Normal restore is typically performed when the following conditions exist:

  - A domain has multiple domain controllers, and only one domain controller is operational. You
    can use a Normal restore to restore all other domain controllers in the domain.
  - A domain has a single domain controller, and that domain controller has to be restored. You
    can alternatively choose to perform a Primary restore of Active Directory.
- Authoritative restore: An Authoritative restore of Active Directory has to be performed in cases where
  a Normal restore would not be able to return Active Directory to the correct state. For instance, if an
  organizational unit was deleted in error, a Normal restore would only result in the particular OU being
  deleted once again after replication. This is because the replication partners hold a higher
  version number for the particular OU. An Authoritative restore follows a similar process to that of a
  Normal restore, the difference being that after the system state data is restored, you define certain Active
  Directory objects as being authoritative. When Active Directory objects are defined as authoritative, the
  particular objects receive the higher version numbers. This results in these objects being replicated to the
  other domain controllers' copies of the Active Directory database.
- Primary restore: The Primary restore method is used when each domain controller within a domain that
  hosts multiple domain controllers needs to be restored. What this means is that the entire domain
  has to be reconstructed from the Active Directory backup. This method can also be used to restore
  Active Directory for a domain that only has one domain controller. The Primary restore method is
  selected in the Windows Server 2003 Backup utility by simply enabling the Primary restore method
  checkbox. This removes the complexities previously associated with performing this type of restore in
  Windows 2000. The Primary restore process is also very similar to that performed for a Normal restore
  of Active Directory.
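The version-number argument behind the Normal versus Authoritative restore choice is easy to see in a small simulation. The following Python model is an added example, not from the original article: two domain controllers each hold a copy of one OU with a per-object version number, replication always keeps the highest-version copy (a simplification of Active Directory's per-attribute conflict resolution), and a deletion is a tombstone with a higher version. The OU name and the fixed version increment are constructed values; ntdsutil's real increment depends on the age of the backup.

```python
import copy
from dataclasses import dataclass, replace

# ntdsutil raises the version of authoritatively restored objects by a large amount (by default 100,000
# per day since the backup was taken); the fixed value here is a simplification of that.
AUTHORITATIVE_INCREMENT = 100_000


@dataclass(frozen=True)
class ObjectState:
    version: int
    deleted: bool = False  # a deleted object lives on as a tombstone with a higher version


def replicate(dcs: dict) -> dict:
    """Simplified replication: every DC ends up with the highest-version copy of each object."""
    names = set()
    for db in dcs.values():
        names.update(db.keys())
    for name in names:
        best = max((db[name] for db in dcs.values() if name in db), key=lambda s: s.version)
        for db in dcs.values():
            db[name] = best
    return dcs


def normal_restore(db: dict, backup: dict) -> None:
    """Non-authoritative restore: the backup is put back unchanged, so partners' newer state wins."""
    db.clear()
    db.update(copy.deepcopy(backup))


def authoritative_restore(db: dict, backup: dict, authoritative: list) -> None:
    """Restore, then mark the chosen objects authoritative by giving them a higher version number."""
    normal_restore(db, backup)
    for name in authoritative:
        db[name] = replace(db[name], version=db[name].version + AUTHORITATIVE_INCREMENT)


OU = "OU=Finance,DC=corp,DC=example"  # constructed sample OU


def deleted_ou_scenario(authoritative: bool) -> bool:
    """Back up DC1, delete the OU on DC2, restore DC1 one way or the other, replicate.

    Returns True when the OU still exists on DC2 after replication (the restore "stuck")."""
    dc1 = {OU: ObjectState(version=3)}
    dc2 = {OU: ObjectState(version=3)}
    backup = copy.deepcopy(dc1)                      # system state backup taken on DC1
    dc2[OU] = ObjectState(version=4, deleted=True)   # accidental deletion on DC2 ...
    dcs = replicate({"DC1": dc1, "DC2": dc2})        # ... which replicates to DC1
    if authoritative:
        authoritative_restore(dcs["DC1"], backup, [OU])
    else:
        normal_restore(dcs["DC1"], backup)
    replicate(dcs)
    return not dcs["DC2"][OU].deleted


if __name__ == "__main__":
    print("Normal restore brings the OU back:       ", deleted_ou_scenario(authoritative=False))
    print("Authoritative restore brings the OU back:", deleted_ou_scenario(authoritative=True))
```

With the Normal restore, DC1 briefly holds the OU at version 3, but DC2's tombstone at version 4 wins the next replication cycle and the OU disappears again; with the Authoritative restore the restored OU carries version 100,003 and is replicated outward to DC2 instead.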

Groups

A group can be defined as a collection of accounts that are grouped together so that Administrators can assign
permissions and rights to the group as a single entity. This removes the need for an Administrator to
individually assign permissions and rights to each account. Therefore, while a user account is associated with
an individual, or one entity, a group account (or simply a group) is created to simplify the administration of
multiple user accounts (users). When you grant permissions to a group, all accounts that are part of that
particular group are granted the permissions. Permissions control which actions users can perform on a
network resource. Rights, on the other hand, relate to system tasks.

Windows Server 2003 provides user accounts and group accounts (of which users can be a member). User
accounts are designed for individuals. Group accounts are designed to make the administration of multiple
users easier.

The following entities can be added to groups:

- User accounts
- Computer accounts
- Contacts
- Other groups' members
- Other groups

The administrative tasks typically performed on groups are summarized below:

- Assign permissions to groups to access shared resources. Each group member is then able to access
  the shared resources.
- Assign rights to groups so that they can perform certain system tasks such as backing up or restoring
  files.
- Use groups to distribute bulk e-mail to their members.

You have to specify a group type and a group scope when you create a new group. Group types and group
scopes are discussed throughout the remainder of this Article.

Group types

You can create two types of groups in Active Directory. Each group type is used for a different purpose.
Security groups are the group type created for security purposes, while distribution groups are the
group type created for purposes other than security. Security groups are typically created for
assigning permissions, while distribution groups are usually created for distributing bulk e-mail to users. As
you can see, the main difference between the two group types is the manner in which each is used.
Active Directory does, however, allow you to convert a security group to a distribution group, and to convert a
distribution group to a security group, if the domain functional level is raised to Windows 2000 Native or above.

- Security groups: A security group is a collection of users who have the same permissions to resources,
  and the same rights to perform certain system tasks. These are the groups to which you assign
  permissions so that their members can access resources. Security groups therefore remove the need for
  an Administrator to individually assign permissions to users. Users that need to perform certain tasks
  can be grouped in a security group, and the group then assigned the necessary permissions to perform these
  tasks. Each user that is a member of the group has the same permissions. In addition to this,
  any e-mail sent to a security group is received by each member of that particular group. When a
  security group is first created, it receives a SID. It is this SID that enables permissions to be assigned to
  security groups: the SID can be included in the DACL of a resource. An access token is created when a
  user logs on to the system. The access token contains the SID of the user, and the SIDs of the groups
  of which the user is a member. This access token is referenced when the user attempts to access a
  resource: the access token is compared with the DACL of the resource to determine which permissions
  the user should receive for the resource.
- Distribution groups: Distribution groups are created to share information with a group of users
  through e-mail messages. Thus, a distribution group is not created for security purposes. A
  distribution group does not obtain a SID when it is created. Distribution groups enable the same message
  to be sent to all group members simultaneously; messages do not need to be sent individually to each user.
  Applications such as Microsoft Exchange that work with Active Directory can use distribution groups to
  send bulk e-mail to groups of users.
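The SID, access token and DACL mechanics just described can be modelled end to end. The following Python example is added here and is not code from the original article: security groups receive a SID on creation, distribution groups do not, the access token collects the user's SID plus the SIDs of every security group that contains the user (directly or through nesting), and the access check compares that token with the resource's DACL, with explicit denies taking precedence as they do in a canonically ordered Windows DACL. The domain SID, group names and users are constructed sample data.

```python
from dataclasses import dataclass, field
from enum import Flag, auto
from itertools import count
from typing import Optional


class Access(Flag):
    READ = auto()
    WRITE = auto()
    EXECUTE = auto()


_rid = count(1000)
DOMAIN_SID = "S-1-5-21-1111-2222-3333"  # constructed sample domain SID


def new_sid() -> str:
    """Hand out the next relative identifier under the sample domain SID."""
    return f"{DOMAIN_SID}-{next(_rid)}"


@dataclass
class Group:
    name: str
    security: bool                                 # security groups get a SID, distribution groups do not
    members: list = field(default_factory=list)    # user SIDs (str) or other Group objects
    sid: Optional[str] = None

    def __post_init__(self):
        if self.security and self.sid is None:
            self.sid = new_sid()


@dataclass(frozen=True)
class Ace:
    allow: bool
    sid: str
    rights: Access


def token_sids(user_sid: str, groups: list) -> set:
    """Access token SIDs: the user's SID plus the SID of every security group that contains the user,
    directly or through nested groups. Distribution groups contribute nothing because they have no SID."""
    sids = {user_sid}
    changed = True
    while changed:                      # iterate until nesting is fully resolved
        changed = False
        for g in groups:
            if not g.security or g.sid in sids:
                continue
            member_sids = {m if isinstance(m, str) else m.sid for m in g.members}
            if sids & member_sids:
                sids.add(g.sid)
                changed = True
    return sids


def effective_access(token: set, dacl: list) -> Access:
    """Compare the token with the DACL. With a canonically ordered DACL explicit denies are evaluated
    before allows, so the net result is everything allowed minus everything denied."""
    allowed = denied = Access(0)
    for ace in dacl:
        if ace.sid in token:
            if ace.allow:
                allowed |= ace.rights
            else:
                denied |= ace.rights
    return allowed & ~denied


def build_sample():
    """Constructed sample: two users, global groups nested into a domain local group, one distribution group."""
    alice, bob = new_sid(), new_sid()
    finance_users = Group("Finance Users", security=True, members=[alice, bob])             # global
    finance_interns = Group("Finance Interns", security=True, members=[bob])                # global
    share_readers = Group("Finance Share Readers", security=True, members=[finance_users])  # domain local
    newsletter = Group("Finance Newsletter", security=False, members=[alice, bob])          # distribution
    groups = [finance_users, finance_interns, share_readers, newsletter]
    dacl = [
        Ace(allow=False, sid=finance_interns.sid, rights=Access.WRITE),               # explicit deny first
        Ace(allow=True, sid=share_readers.sid, rights=Access.READ | Access.EXECUTE),
        Ace(allow=True, sid=finance_users.sid, rights=Access.WRITE),
    ]
    return {"alice": alice, "bob": bob}, groups, dacl, newsletter


def demo() -> dict:
    """Effective access of each sample user to the resource protected by the sample DACL."""
    users, groups, dacl, _ = build_sample()
    return {name: effective_access(token_sids(sid, groups), dacl) for name, sid in users.items()}


if __name__ == "__main__":
    for user, rights in demo().items():
        print(f"{user}: {rights}")
```

Alice gets read, write and execute through the nested groups; Bob is in the same groups but also in Finance Interns, whose deny ACE removes write. The distribution group never appears in any token, which is why it cannot be used to grant or deny access.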

Group scopes

The different group scopes make it possible for groups to be used differently to assign permissions for
accessing resources. The scope of a group defines the place in the network where the group will be used or is
valid. This is the degree to which the group will be able to reach across a domain, domain tree, or forest. The
group scope also determines what users can be included as group members.

In Active Directory, there are three different group scopes.

- Global groups: Global groups are containers for user accounts and computer accounts in the domain,
  and are used to assign permissions to objects that reside in any domain in a tree or forest. You can
  include a global group in the access control list (ACL) of objects in any domain in the tree/forest. A
  global group can, however, only have members from the domain in which it is created. What this means
  is that a global group cannot include user accounts, computer accounts, or global groups from other
  domains.

  The domain functional level set for the domain determines which members can be included in the
  global group.

  - Windows 2000 Mixed: Only user accounts and computer accounts from the domain in which
    the group was created can be added as group members.
  - Windows 2000 Native / Windows Server 2003: User accounts, computer accounts, and other
    global groups from the domain in which the group was created can be added as group members.
- Domain local groups: Domain local groups can have user accounts, computer accounts, global groups,
  and universal groups from any domain as group members. However, you can only use domain local
  groups for assigning permissions to local resources, or to resources that reside in the domain in which
  the domain local group was created. This means that you can only include domain local groups in the
  ACL of objects that are located in the local domain.

  The domain functional level set for the domain determines which members can be included in the
  domain local group.

  - Windows 2000 Mixed: User accounts, computer accounts, and global groups from any domain
    can be added as group members.
  - Windows 2000 Native / Windows Server 2003: User accounts, computer accounts, global
    groups, and universal groups from any domain can be added as group members. You can also
    add other domain local groups from the same domain as group members.
- Universal groups: Universal groups can have user accounts, computer accounts, global groups, and
  other universal groups from any domain in the tree or forest as members. This basically means that
  you can add members from any domain in the forest to a universal group. You can use universal
  groups to assign permissions to access resources that are located in any domain in the forest.
  Universal groups are only available when the domain functional level for the domain is Windows 2000
  Native or Windows Server 2003. Universal groups are not available when domains are functioning at
  the Windows 2000 Mixed domain functional level. You can convert a universal group to a global group
  or to a domain local group if the particular universal group has no other universal group as a group
  member. When adding members to universal groups, it is recommended to add global groups as
  members rather than individual users.

When groups contain other groups as members, group nesting occurs. Group nesting occurs when you add
groups to other groups. Group nesting assists in reducing the number of instances that you need to assign
permissions, and in reducing replication traffic. As mentioned previously, the domain functional level set for
the domain determines what group nesting can be implemented, as summarized below:

- Windows 2000 Mixed:
  - Global groups: User accounts and computer accounts in the same domain.
  - Domain local groups: User accounts, computer accounts, and global groups from any domain.
- Windows 2000 Native or Windows Server 2003:
  - Global groups: User accounts, computer accounts, and other global groups in the same domain.
  - Domain local groups: User accounts, computer accounts, global groups and universal groups
    from any domain; and other domain local groups in the same domain.
  - Universal groups: User accounts, computer accounts, global groups, and universal groups
    from any domain.

The scope of a group can be changed as well. You can use the Active Directory Users And Computers (ADUC)
console to view and modify the scope of an existing group. The dsget and dsmod command-line tools can also
be used. The rules that govern this capability are summarized below:

- You can convert domain local groups and global groups to universal groups.
- You can convert universal groups to domain local groups or to global groups.
- You cannot convert domain local groups to global groups.
- You cannot convert global groups to domain local groups.
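The membership rules per scope and functional level listed above, together with the scope conversion rules, are the kind of thing that is easy to get wrong by hand. The following Python example is added here and is not the article's own code: `can_be_member` encodes the nesting table for Windows 2000 Mixed and Native / Windows Server 2003 levels exactly as the article states it, and `can_convert` encodes the conversion rules. It goes slightly beyond the text in one place, which is flagged in the comments: the "no universal group members" restriction applies to the universal-to-global conversion, the matching restriction for domain local to universal is "no domain local group members", and universal to domain local has no member restriction. Principal names and domains are constructed sample values.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Scope(Enum):
    GLOBAL = "global"
    DOMAIN_LOCAL = "domain local"
    UNIVERSAL = "universal"


class Level(Enum):
    MIXED = "Windows 2000 mixed"
    NATIVE = "Windows 2000 native / Windows Server 2003"


@dataclass(frozen=True)
class Principal:
    name: str
    kind: str                      # "user", "computer" or "group"
    domain: str
    scope: Optional[Scope] = None  # only meaningful for groups


def can_be_member(member: Principal, group_scope: Scope, group_domain: str, level: Level) -> bool:
    """Membership rules per group scope and domain functional level."""
    same_domain = member.domain == group_domain
    if member.kind in ("user", "computer"):
        if group_scope is Scope.GLOBAL:
            return same_domain                       # global: accounts from its own domain only
        if group_scope is Scope.UNIVERSAL:
            return level is Level.NATIVE             # universal groups do not exist in mixed mode
        return True                                  # domain local: accounts from any domain
    if member.kind != "group":
        raise ValueError(f"unknown principal kind {member.kind!r}")
    if group_scope is Scope.GLOBAL:
        # nesting global groups needs native mode, and only from the same domain
        return level is Level.NATIVE and member.scope is Scope.GLOBAL and same_domain
    if group_scope is Scope.DOMAIN_LOCAL:
        if member.scope is Scope.GLOBAL:
            return True                              # global groups from any domain, at any level
        if level is Level.MIXED:
            return False                             # nothing else can be nested in mixed mode
        if member.scope is Scope.UNIVERSAL:
            return True                              # universal groups from any domain
        return same_domain                           # other domain local groups: same domain only
    # universal group: global and universal groups from any domain, native mode only
    return level is Level.NATIVE and member.scope in (Scope.GLOBAL, Scope.UNIVERSAL)


def can_convert(current: Scope, target: Scope, members=()) -> bool:
    """Scope conversion rules (the domain must be at Windows 2000 native or higher).

    `members` are the group's direct members; only group members affect the outcome."""
    member_scopes = {m.scope for m in members if m.kind == "group"}
    if current is Scope.GLOBAL and target is Scope.UNIVERSAL:
        # Assumption beyond the article: this also fails when the group is itself nested inside
        # another global group; that condition is not modelled here.
        return True
    if current is Scope.DOMAIN_LOCAL and target is Scope.UNIVERSAL:
        return Scope.DOMAIN_LOCAL not in member_scopes   # must not contain other domain local groups
    if current is Scope.UNIVERSAL and target is Scope.DOMAIN_LOCAL:
        return True
    if current is Scope.UNIVERSAL and target is Scope.GLOBAL:
        return Scope.UNIVERSAL not in member_scopes      # must not contain other universal groups
    return False  # global <-> domain local never converts directly


if __name__ == "__main__":
    corp = "corp.example"   # constructed sample domain
    candidates = [
        Principal("user (same domain)", "user", corp),
        Principal("user (other domain)", "user", "eu.example"),
        Principal("global group", "group", corp, Scope.GLOBAL),
        Principal("universal group", "group", corp, Scope.UNIVERSAL),
        Principal("domain local group", "group", corp, Scope.DOMAIN_LOCAL),
    ]
    for level in Level:
        for scope in Scope:
            ok = [c.name for c in candidates if can_be_member(c, scope, corp, level)]
            print(f"{level.value:42} {scope.value:13}: {', '.join(ok) or '(not available)'}")
```

The printed table reproduces the nesting summary from the text; in mixed mode the universal row prints "(not available)" because no principal at all may be added.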

If you are using Windows Server 2003 Active Directory, Windows Server 2003 creates a few default security
groups that are used to assign administrative permissions to users. The default security groups are created in
the Users folder in Active Directory Users And Computers (ADUC).

- The default domain local groups that are created are listed below:
  - Cert Publishers: Members of this group are able to publish certificates to Active Directory.
  - DnsAdmins: Group members have administrative access to the DNS server service.
  - HelpServicesGroup: Group members are able to assign rights to support applications.
  - RAS and IAS Servers: Servers assigned to this default group can access a user's remote access
    properties.
  - TelnetClients: Group members have administrative access to Telnet Server.
- The default global groups that are created are listed below:
  - Domain Admins: Members of the Domain Admins group have permissions to perform
    administrative functions on computers in the domain.
  - Domain Users: Group members are user accounts that are created in the domain.
  - Domain Computers: Group members are computer accounts that are created in the domain.
    This includes all workstations and servers that are part of the domain.
  - Domain Controllers: Group members are domain controllers of the domain.
  - Domain Guests: Group members are guest accounts in the domain.
  - Group Policy Creator: Group members are able to change the domain's group policy.
  - DnsUpdateProxy: Group members are DNS clients. Members are able to perform dynamic
    updates for clients such as DHCP servers.
- The default universal groups that are created are listed below:
  - Enterprise Admins: Members of this group are able to perform administrative functions for the
    whole network.
  - Schema Admins: Members of this group can perform administrative tasks on the schema.

When formulating a strategy for setting up domain local groups and global groups, follow the guidelines listed
below:

- Add users that perform the same function in the organization to a global group.
- Create domain local groups for a resource (or set of resources) that needs to be shared by multiple users.
- Add any global groups that have to access the resource(s) to the appropriate domain local group.
- Assign the domain local group the proper permissions to the resource.

In addition to the above mentioned group scopes, another group called a local group, can be created. A local
group is basically used on the local computer to assign permissions to resources that are located on the
computer on which the particular local group is created. Local groups are created in the local security
database and are not present in Active Directory. This means that you cannot create local groups on domain
controllers.

The tools and utilities which you can use to assist in troubleshooting Group Policy are listed below:

- Resultant Set Of Policy (RSOP) Wizard
- Gpresult.exe
- Gpupdate.exe
- WinPolicies
- GPOTool
- Event Viewer
- Log files

Troubleshooting Group Policy inheritance

To successfully troubleshoot policy inheritance issues, you need to thoroughly understand how policy
inheritance affects the application of Group Policy settings within GPOs. You also need to understand how
enabling the Block Policy Inheritance option and the No Override option affects policy inheritance. Inheritance
signifies that the Group Policy settings which affect user configuration and computer configuration are the
resultant set of policies inherited from parent containers. Policies are usually passed down from a parent
container to its child containers. When a policy setting for a parent OU is set to Enabled or Disabled, and the
child OU does not have the same policy setting configured, the child OU inherits the policy setting of its parent
OU. The exception is that a Group Policy setting defined for a child OU overrides the same setting which it
inherited from its parent OU.

Group Policy settings are processed in the order specified below:

1. Local GPO: Because the local GPO is applied first, policies defined on the local computer have the
   least priority.
2. Site GPOs: Site GPOs are GPOs which are linked to sites. The order of the different site GPOs is
   determined and defined by the Administrator.
3. Domain GPOs: Domain GPOs are applied next. GPOs linked to a domain have precedence over site
   GPOs and local GPOs.
4. OU GPOs: GPOs linked to the OU highest in the Active Directory hierarchy are applied before those of
   any other OU. GPOs linked to the OU closest to the user or computer are applied last, and therefore
   take precedence.

Block Policy Inheritance can be explicitly specified for a site, domain or OU; it is not applied to GPOs or
GPO links. When enabled for a site, domain or OU, it prevents any Group Policy settings from passing down
from higher up in the tree to the particular site, domain or OU for which it is enabled. The only exception is
that any GPO links which have the No Override setting enabled are not blocked, but are applied. When the
No Override setting is enabled for a GPO which is linked to a site, domain or OU, no Group Policy setting
contained in the particular GPO is overridden by other GPOs. Because of the hierarchical manner in which
GPOs are applied, when more than one GPO has the No Override setting enabled, the GPO highest in the tree
has precedence.
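The processing order and the interplay of Block Policy Inheritance and No Override described above can be worked through with a small resultant-set-of-policy calculator. The following Python example is added here and is not code from the article or from any Microsoft tool: containers are given in processing order (site, domain, then OUs from the top of the tree down), each with its links in the Administrator's link order; a container with Block Policy Inheritance discards everything inherited from above except No Override links; ordinary GPOs are applied in order so the closest wins, and No Override GPOs are applied afterwards with the highest in the tree winning. The local GPO is assumed to be applied first and not subject to blocking. GPO names and settings are constructed sample values.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Gpo:
    name: str
    settings: dict


@dataclass(frozen=True)
class Link:
    gpo: Gpo
    no_override: bool = False    # "No Override" on the link (called Enforced in later versions)


@dataclass
class Container:
    name: str                                    # a site, the domain, or an OU
    links: list = field(default_factory=list)    # in the link order defined by the Administrator
    block_inheritance: bool = False


def processing_order(containers: list) -> list:
    """Return [(gpo, no_override)] in application order for `containers`, which must be given as
    site, domain, then OUs from the top of the tree down to the OU nearest the user or computer.
    Block Policy Inheritance on a container discards everything linked higher up except No Override links."""
    order = []
    for c in containers:
        if c.block_inheritance:
            order = [(gpo, enforced) for gpo, enforced in order if enforced]
        order.extend((link.gpo, link.no_override) for link in c.links)
    return order


def resultant_settings(local_gpo, containers: list) -> dict:
    """Resultant set of policy for one user or computer. The local GPO is applied first (lowest priority;
    assumed not to be affected by Block Policy Inheritance). Among ordinary GPOs the one applied last,
    closest to the object, wins; a No Override GPO beats every ordinary GPO, and among No Override
    GPOs the one highest in the tree wins."""
    result = dict(local_gpo.settings) if local_gpo else {}
    order = processing_order(containers)
    for gpo, enforced in order:
        if not enforced:
            result.update(gpo.settings)              # later (closer) ordinary GPO overrides earlier
    for gpo, enforced in reversed(order):
        if enforced:
            result.update(gpo.settings)              # highest No Override GPO is applied last, so it wins
    return result


# Constructed sample (GPO names and settings are placeholders):
SITE_GPO = Gpo("Site Defaults", {"screen_lock_minutes": 15})
DOMAIN_GPO = Gpo("Domain Password Policy", {"password_min_length": 12})
STAFF_GPO = Gpo("Staff Desktop", {"screen_lock_minutes": 5, "password_min_length": 8})
LABS_GPO = Gpo("Lab Machines", {"allow_removable_media": True})
LOCAL_GPO = Gpo("Local", {"screen_lock_minutes": 30, "allow_removable_media": False})

SITE = Container("HQ site", [Link(SITE_GPO)])
DOMAIN = Container("corp.example", [Link(DOMAIN_GPO, no_override=True)])
STAFF_OU = Container("OU=Staff", [Link(STAFF_GPO)])
LABS_OU = Container("OU=Labs,OU=Staff", [Link(LABS_GPO)], block_inheritance=True)


def staff_user() -> dict:
    """A user directly in OU=Staff: site, domain and Staff GPOs all apply."""
    return resultant_settings(LOCAL_GPO, [SITE, DOMAIN, STAFF_OU])


def labs_user() -> dict:
    """A user in OU=Labs, which blocks inheritance: only the No Override domain GPO gets through."""
    return resultant_settings(LOCAL_GPO, [SITE, DOMAIN, STAFF_OU, LABS_OU])


if __name__ == "__main__":
    print("Staff user:", staff_user())
    print("Labs user: ", labs_user())
```

For the Staff user the OU GPO overrides the site's screen-lock value, but its weaker password length loses to the domain GPO because that link has No Override. For the Labs user the block removes the site and Staff GPOs entirely, the domain GPO still arrives because No Override is not blocked, and the screen-lock value falls back to the local GPO, which is never blocked.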
A few techniques for troubleshooting Group Policy inheritance are listed below:

- GPOs can only be linked to sites, domains and OUs, and are then applied to users and computers.
- Remember that while child OUs by default inherit the Group Policy settings of their parent OUs, child
  domains do not inherit Group Policy settings from parent domains.
- A factor to consider when troubleshooting policy inheritance is that when both the Block Inheritance
  option and the No Override option are enabled, the No Override option has precedence.
- Remember that Block Inheritance applies to the entire site, domain, or OU, and can therefore
  prevent Group Policy settings from being applied. If you have a situation where a particular GPO is not
  being applied, verify that the GPO is not being blocked.
- Verify that the user or computer belongs to a security group that has the Allow

Forest design considerations

A few factors that you should consider when planning the design of the forest are discussed in the
following section:

- Business independence: Most large organizations consist of many smaller businesses or companies that
  have been acquired through business mergers. With these organizations, there is usually a need for some
  form of business independence within the organization. To cater for this need, there may be a requirement
  that certain businesses be separated from others. This separation is usually achieved by the
  implementation of separate forests.
- Schema requirements: Smaller companies within a larger organization might each need to store
  different data in the Active Directory data store. In cases where the objects that need to be stored in the
  Active Directory schema differ, you might need to create different forests to service this requirement.
- Legal requirements: Legal factors also sometimes lead to the formation of forests. This typically occurs
  with organizations such as financial institutions where certain data has to be completely separated from
  other data.
- Cost: With the deployment of multiple forests comes the need for additional hardware and increased
  administrative costs. Shared infrastructures are usually the most cost-effective solution. However, this
  solution might not meet the requirements of the organization.
- Namespace planning: It is extremely important to plan and manage namespaces if you plan to create
  multiple forests with more than one domain tree. Remember that for each forest, you have to define one
  DNS namespace. For each domain tree that you create, you have to define another namespace.
- Forest ownership: Each forest that you plan to create has to have a designated owner, or a group of
  owners. The forest owner is responsible for the operation of the forest. This includes the following:
  - Forest root domain
  - Sites and subnets, including site group policies
  - The schema
  - The replication process
  - Security policies for the domain
  - Domain controller group policies
  - Specifying the appropriate owners or administrators for each Organizational Unit (OU)
  - Specifying forest service admins and domain service admins
- Testing strategy: You should implement a testing strategy and testing environment in which to test
  your forest design. The testing environment should ideally be an Active Directory environment separate
  from the production environment, but should mirror the production environment.

Domain design considerations


The factors that typically affect the domain design are summarized below:

- Geographic considerations: Where an organization spans many geographical regions, you might consider
  implementing a geographic domain design to control replication over the different regions within the
  enterprise. Domain controllers would then only replicate data within their local domain.
- WAN link costs: The cost of implementing and maintaining unreliable WAN links can be high, as is the
  case in some countries.
- Separate security policies: There may be cases where different businesses within the same
  organization can indeed share a forest, but the nature of their business might lead to each business
  needing to have its own domains. This is normally necessary when each business needs to implement
  its own domain security policies.
- Domain naming: Each domain has to have a NetBIOS name and a DNS name. Each domain name has to
  be unique. When assigning NetBIOS names, try to use names that you would not need to change, and use
  Internet standard characters. NetBIOS names should be 15 characters or fewer in length. When you
  assign DNS names, try to keep the prefix of the DNS name and the NetBIOS name the same.

Domain controllers


A domain controller  m 


 
 m
mm
mm   to which it belongs. It is also
responsible for managing that directory.

¢ The domain controller is responsible for m 


  
     m
 m
mm 

 m   m   
 m m     The default replication setting is that domain
controllers in a site replicate changes made to its replica of Active Directory to all domain controllers
within the domain each 15 minutes. You can control the amount of replication traffic that is generated
within your Active Directory environment by specifying how often replication should occur.
¢ Domain controllers also  

 mm m


    They locate Active Directory
objects, authenticate access to these objects, validate user logon attempts, and authenticate user
passwords. User account changes such as an account being disabled is immediately replicated by the
particular domain controller to all domain controllers within the domain.
- When a user attempts to log on to the system, a request to authenticate the user is sent to each domain controller within the domain. The user is authenticated via Kerberos after a domain controller is located and a secure connection is established. Authentication is based on the user providing a username and password that correspond to those in the Active Directory database. The session information, or access token, of the account is stored in memory. This includes rights and group membership details. When the user attempts to access network resources, the access token and the permissions of the resource are compared to ascertain what access is permitted to the network resource.
- Multiple domain controllers provide fault tolerance in your Active Directory environment. In the Windows NT domain model, no changes could be made to the domain database when the primary domain controller was unavailable. With Active Directory, because domain controllers function as peers to one another, changes can be made to the Active Directory database from any domain controller in the domain. When a domain controller is unavailable, the remaining domain controllers continue to provide access to network resources.
- Domain controllers also enforce the security policies of the domain. This in turn facilitates centralized management and security.

Organizational Units (OUs)

An organizational unit (OU) is a container that is used to logically organize and group Active Directory objects
within domains. OUs are not part of the DNS namespace. They are used to organize Active Directory objects
into logical administrative groups. OUs therefore serve as containers in which you can create and manage
Active Directory objects. OUs are considered the smallest unit to which an Administrator can assign
permissions to resources within Active Directory.

An OU enables you to apply security policies, deploy applications, delegate administrative control for Active
Directory objects, and to run scripts. An important thing to understand is that OUs are not security principals.
The user accounts, group accounts, and computer accounts within the OUs are security principals.

 
FSMO Role Failures

The following section looks at what actually happens when each FSMO role fails:

- A Schema Master failure is basically only evident when an Administrator attempts to change the Active Directory schema. What this means is that a Schema Master failure is invisible to your standard network users. You should only seize this role to the domain controller designated as the standby schema master if the existing Schema Master can in fact never be recovered.
- As is the case with a Schema Master failure, a Domain Naming Master failure is only evident if an Administrator is attempting to add a domain to the forest, or remove a domain from the forest. A Domain Naming Master failure can generally not be perceived by your standard network users. You should only seize this role to the domain controller designated as its standby when the existing Domain Naming Master will never be operational again.
- A RID Master failure is only evident to Administrators if they are attempting to add new Active Directory objects in the particular domain where the RID Master failed. When this happens, the RID Master is unable to allocate relative IDs to the domain controllers on which the new Active Directory objects are being created. A RID Master failure cannot be detected by your conventional network users. You should also generally only seize this OM role when the existing domain controller assigned the RID Master role will never recover from the failure.
- An Infrastructure Master failure is also not visible to your standard network users. The failure only impacts Administrators that are attempting to move user accounts, or rename them. Consider moving the role to the designated standby domain controller if the existing domain controller assigned the Infrastructure Master role is to be unavailable for a reasonably extended period of time, and the changes that need to be made are pertinent.
- Unlike the OM role failures previously described, which are not evident to your standard network users, a PDC Emulator failure does impact network users. It is important to immediately seize this role to its designated standby domain controller if the domain contains any Windows NT backup domain controllers. You can always return this role to its previous domain controller when it is recovered and online again.

DHCP Lease Process

The DHCP lease process consists of four messages sent between the DHCP server and the DHCP client:

- DHCPDISCOVER message: This message is sent by a client when it boots up on the network to request an IP address lease from a DHCP server. The message is broadcast over the network, requesting a DHCP server to respond to it.
- DHCPOFFER message: This message is a response to a DHCPDISCOVER message, and is sent by one or more DHCP servers.
- DHCPREQUEST message: The client sends the first DHCP server that responded to its request a DHCP Request message. The message indicates that the client is requesting the particular IP address for lease.
- DHCPACK message: The DHCP Acknowledge message is sent by the DHCP server to the DHCP client, and is the step in which the DHCP server assigns the IP address lease to the DHCP client.

The DHCP Relay Agent makes it possible for DHCP broadcast messages to be sent across routers that do not support forwarding of these types of messages.

DHCP Scopes and Superscopes

A scope can be defined as a set of IP addresses which the DHCP server can allocate or assign to DHCP clients. A scope contains specific configuration information for clients that have IP addresses within the particular scope. Scope information for each DHCP server is specific to that DHCP server only, and is not shared between DHCP servers. Scopes for DHCP servers are configured by administrators.

A superscope is a grouping of scopes under one administrative entity that enables clients to obtain IP addresses, and renew IP addresses, from any scope that is part of the superscope.

Superscopes are typically created under the following circumstances:

- The existing scope's supply of IP addresses is being depleted.
- You want to use two DHCP servers on the same subnet. This is usually for providing redundancy.
- You need to move clients from one range of IP addresses to a different range of IP addresses.
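The four-message exchange and the superscope behaviour described above, as an added Python simulation (not code from the original notes and not the Windows DHCP service): a server holding two constructed scopes on one subnet, grouped as a superscope, hands out leases in DISCOVER, OFFER, REQUEST, ACK order, never issues the same address twice, falls through to the second scope once the first is depleted, and answers a request for an address it did not offer with a DHCPNAK (a real DHCP message type that the notes do not list). The class names, MAC addresses and 192.0.2.0/24 ranges are assumptions.

```python
"""Constructed simulation of the DHCP lease exchange (DISCOVER, OFFER, REQUEST, ACK)
against a server whose scopes are grouped into one superscope.
Added example: class names, MACs and address ranges are assumptions, not Windows internals."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address
from typing import Optional


@dataclass
class Scope:
    """A range of addresses the server may lease, plus the options handed to clients in it."""
    name: str
    start: IPv4Address
    end: IPv4Address
    options: dict
    leases: dict = field(default_factory=dict)   # IPv4Address -> client MAC

    def free_address(self) -> Optional[IPv4Address]:
        ip = self.start
        while ip <= self.end:
            if ip not in self.leases:
                return ip
            ip += 1
        return None


class DhcpServer:
    """A superscope: any member scope may satisfy a client on the shared subnet."""

    def __init__(self, scopes):
        self.scopes = list(scopes)
        self.offers = {}    # MAC -> (scope, ip) for OFFERs not yet REQUESTed

    def handle_discover(self, mac):
        """DHCPDISCOVER -> DHCPOFFER, or None when every scope is depleted."""
        for scope in self.scopes:         # first scope with a free address wins
            ip = scope.free_address()
            if ip is not None:
                self.offers[mac] = (scope, ip)
                return {"type": "DHCPOFFER", "yiaddr": str(ip), **scope.options}
        return None

    def handle_request(self, mac, requested_ip):
        """DHCPREQUEST -> DHCPACK if the request matches the outstanding offer, else DHCPNAK."""
        pending = self.offers.pop(mac, None)
        if pending is None or str(pending[1]) != requested_ip:
            return {"type": "DHCPNAK"}
        scope, ip = pending
        if ip in scope.leases:            # offered twice before anyone requested: never double-lease
            return {"type": "DHCPNAK"}
        scope.leases[ip] = mac
        return {"type": "DHCPACK", "yiaddr": str(ip), **scope.options}


def lease_address(server, mac):
    """Client side of the exchange; returns the acknowledged address or None."""
    offer = server.handle_discover(mac)                 # broadcast DHCPDISCOVER
    if offer is None:
        return None
    ack = server.handle_request(mac, offer["yiaddr"])   # DHCPREQUEST for the offered address
    return ack["yiaddr"] if ack["type"] == "DHCPACK" else None


def build_demo_server():
    """Two constructed two-address scopes on one subnet, joined into a superscope."""
    opts = {"router": "192.0.2.1", "dns_suffix": "example.test"}
    return DhcpServer([
        Scope("Scope-A", IPv4Address("192.0.2.10"), IPv4Address("192.0.2.11"), opts),
        Scope("Scope-B", IPv4Address("192.0.2.20"), IPv4Address("192.0.2.21"), opts),
    ])


if __name__ == "__main__":
    srv = build_demo_server()
    for i in range(5):   # the fifth client finds both scopes depleted
        print(f"client {i}: {lease_address(srv, f'00:11:22:33:44:{i:02x}')}")
```

The fifth client receives no offer because both scopes are exhausted, which is exactly the situation the first superscope bullet describes; adding a third scope to the superscope would let it succeed.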

Advantages of DHCP

The advantages of DHCP are summarized below:

- DHCP is included with Windows Server 2003: implementing DHCP requires no additional costs.
- Centralized, simpler management of IP addressing: you can manage IP addressing from a central location.
- DHCP also provides for the simple deployment of other configuration options, such as the default gateway and DNS suffix.
- Because the system assigns IP addresses, there are fewer incorrect IP address configurations. This is mainly because IP configuration information is entered at one location, and the server distributes this information to clients.
- Duplicate IP addresses are prevented.
- IP addresses are also preserved. DHCP servers only allocate IP addresses to clients when they request them.
- The DHCP service of Windows Server 2003 can assign IP addresses to both individual hosts and multicast groups. Multicast groups are used when communication occurs with server clusters.
- The Windows Server 2003 DHCP service supports clustering. This enables you to set up highly available DHCP servers.
- In Windows Server 2003, DHCP integrates with Dynamic DNS (DDNS). This facilitates dynamic IP address management, because the DHCP server registers the client computer's Address (A) and pointer (PTR) records in the DNS database when the client obtains an IP address.
- You can monitor the pool of available IP addresses, and also be notified when the IP address pool reaches a certain threshold.
- By authorizing DHCP servers in Active Directory, you can restrict your DHCP servers to only those that are authorized. Active Directory also allows you to specify those clients to which the DHCP server can allocate addresses.
- Dynamic IP addressing through DHCP easily scales from small to large networking environments.

 
 
Disadvantages of DHCP

The disadvantages of DHCP are summarized below:

- The DHCP server can be a single point of failure in networking environments that only have one DHCP server.
- If your network has multiple segments, you have to perform one of the following additional configurations:
   - Place a DHCP server on each segment.
   - Place a DHCP relay agent on each segment.
   - Configure routers to forward Bootstrap Protocol (BOOTP) broadcasts.
- All incorrectly defined configuration information will automatically be propagated to your DHCP clients.
- There are a few DHCP client implementations that do not function correctly with a Windows Server 2003 DHCP server.




DNS (Domain Name System)

DNS is the name resolution service used by Windows 2000 and Windows Server 2003. It is defined in RFC 1034 and RFC 1035, and provides a hierarchically distributed and scalable database; provides name registration, name resolution and service location for Windows 2000 and Windows Server 2003 clients; and locates domain controllers for logon. A DNS server is a computer running the DNS Server service that provides domain name services. The DNS server manages the DNS database that is located on it. The information in the DNS database of a DNS server pertains to a portion of the DNS domain tree structure or namespace.

(Domain Name System (DNS) is an Internet Engineering Task Force (IETF) standard name service that allows your computer to register and resolve domain names. DNS makes it possible to assign domain names to organizations independently of the routing of the numerical IP address. In other words, DNS is a system that translates domain names into IP addresses. This is necessary because computers only make use of IP addresses, yet we use human-readable names since they are easier to remember than IP addresses. Without DNS resolution, the Internet would be a very inconvenient place. DNS resolution is therefore a very important task.)

A zone is the contiguous portion of the DNS domain name space over which a DNS server has authority, or is authoritative. A zone is a portion of a namespace; it is not a domain. A domain is a branch of the DNS namespace. A DNS zone can contain one or more contiguous domains. A DNS server can be authoritative for multiple DNS zones. Zone files store resource records for the zones over which a DNS server has authority.

In DNS, a standard primary DNS server is the authoritative DNS server for a DNS zone. There are a number of zone types used in Windows Server 2003 DNS. They are listed below:

- Primary zone: This is the only zone type that can be edited or updated, because the data in the zone is the original source of the data for all domains in the zone. Updates made to the primary zone are made by the DNS server that is authoritative for the specific primary zone. You can also back up data from a primary zone to a secondary zone.
- Secondary zone: A secondary zone is a read-only copy of the zone that was copied from the master server during zone transfer.
- Active Directory-integrated zone: An Active Directory-integrated zone is a zone that stores its zone data in Active Directory. DNS zone files are not needed. This type of zone is an authoritative primary zone. Zone data of an Active Directory-integrated zone is replicated during the Active Directory replication process. Active Directory-integrated zones also enjoy the security features of Active Directory.
- Stub zone: A stub zone is a new Windows Server 2003 feature. Stub zones only contain those resource records necessary to identify the authoritative DNS servers for the master zone:
   - Start Of Authority (SOA) resource record for the zone.
   - Name Server (NS) resource record for the zone.
   - Host (A) resource records that identify the authoritative servers for the specific zone.

Primary Zones Compared with Active Directory-Integrated Zones

Both primary zones and secondary zones are standard DNS zones that use zone files. The main difference between primary zones and secondary zones is that primary zones can be updated. Secondary zones contain read-only copies of zone data.

An Active Directory-integrated zone can be defined as an improved version of a primary DNS zone because it
can use multi-master replication and the security features of Active Directory. The zone data of Active
Directory-integrated zones are stored in Active Directory. Active Directory-integrated zones are authoritative
primary zones.

A few advantages that Active Directory-integrated zone implementations have over standard primary zone
implementations are:

¢ Active Directory replication is faster, which means that the time needed to transfer zone data between
zones is far less.
¢ The Active Directory replication topology is used for Active Directory replication, and for Active
Directory-integrated zone replication. There is no longer a need for DNS replication when DNS and
Active Directory are integrated.
¢ Active Directory-integrated zones can enjoy the security features of Active Directory.
¢ The need to manage your Active Directory domains and DNS namespaces as separate entities is
eliminated. This in turn reduces administrative overhead.
Zone Transfers

The mechanisms by which zone data is replicated between DNS servers are listed below:

- Full zone transfer: When you configure a secondary DNS server for a zone and start the secondary DNS server, it requests a full copy of the zone from the primary DNS server. A full transfer is performed of all the zone information. Full zone transfers tend to be resource intensive. This disadvantage of full transfers has led to the development of incremental zone transfers.
- Incremental zone transfer: With an incremental zone transfer, only those resource records that have changed in a zone are transferred to the secondary DNS servers. During zone transfer, the DNS databases on the primary DNS server and the secondary DNS server are compared to determine whether there are differences in the DNS data. If the DNS data of the primary and secondary DNS servers is the same, zone transfer does not take place. If the DNS data of the two servers is different, transfer of the delta resource records starts. This occurs when the serial number of the primary DNS server's database is higher than the secondary DNS server's serial number. For incremental zone transfer to occur, the primary DNS server has to record incremental changes to its DNS database. Incremental zone transfers require less bandwidth than full zone transfers.
- Active Directory zone replication: These zone transfers occur when Active Directory-integrated zones are replicated to the domain controllers in a domain. Replication occurs through Active Directory replication.
- DNS Notify is a mechanism that enables a primary DNS server to inform secondary DNS servers when its database has been updated. DNS Notify informs the secondary DNS servers when they need to initiate a zone transfer so that the updates of the primary DNS server can be replicated to them. When a secondary DNS server receives the notification from the primary DNS server, it can start an incremental zone transfer or a full zone transfer to pull zone changes from the primary DNS server.
- When DNS and Active Directory are integrated, the Active Directory-integrated zones are replicated and stored on any new domain controllers automatically. Synchronization takes place automatically when new domain controllers are deployed.
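The serial-number rule for incremental transfers and the Notify trigger, as an added Python model (not code from the original notes and not the Windows DNS Server service): a primary keeps a change journal keyed by SOA serial; on Notify, a secondary compares serials and pulls nothing, an incremental delta, or a full copy when the journal no longer reaches back to the serial it holds. The zone name, records and serial values are constructed.

```python
"""Constructed model of DNS Notify plus full (AXFR-style) and incremental (IXFR-style)
zone transfer driven by the SOA serial. Added example; record layout and journal are
assumptions, not the Windows DNS Server implementation."""
from dataclasses import dataclass, field


@dataclass
class PrimaryZone:
    name: str
    serial: int
    records: dict                                 # name -> A record data (constructed)
    journal: list = field(default_factory=list)   # (serial, name, rdata or None) per change
    secondaries: list = field(default_factory=list)

    def update(self, name, rdata):
        """Every change bumps the serial and is journaled so it can be replayed later."""
        self.serial += 1
        if rdata is None:
            self.records.pop(name, None)          # None means "delete this record"
        else:
            self.records[name] = rdata
        self.journal.append((self.serial, name, rdata))
        self.notify()

    def notify(self):
        """DNS Notify: tell each secondary the serial moved; the secondary decides whether to pull."""
        for sec in self.secondaries:
            sec.on_notify(self)

    def transfer(self, since_serial):
        """Answer a secondary holding `since_serial`: ("none"|"ixfr"|"axfr", serial, payload).
        Falls back to a full copy when the journal does not reach back far enough."""
        if since_serial >= self.serial:
            return "none", self.serial, []
        oldest_known = self.journal[0][0] - 1 if self.journal else self.serial
        if since_serial < oldest_known:
            return "axfr", self.serial, dict(self.records)
        return "ixfr", self.serial, [c for c in self.journal if c[0] > since_serial]


@dataclass
class SecondaryZone:
    serial: int = 0                                  # 0: never received the zone
    records: dict = field(default_factory=dict)
    transfers: list = field(default_factory=list)    # log of what each Notify caused

    def on_notify(self, primary):
        # A higher serial on the primary is the only thing that triggers a transfer.
        mode, serial, payload = primary.transfer(self.serial)
        if mode == "axfr":
            self.records = dict(payload)
        elif mode == "ixfr":
            for _, name, rdata in payload:         # replay the delta in order
                if rdata is None:
                    self.records.pop(name, None)
                else:
                    self.records[name] = rdata
        if mode != "none":
            self.serial = serial
        self.transfers.append(mode)


def demo():
    """Walk through first contact, two changes, and a Notify with nothing new."""
    primary = PrimaryZone("example.test", serial=2024010101,
                          records={"www": "192.0.2.10", "mail": "192.0.2.25"})
    sec = SecondaryZone()
    primary.secondaries.append(sec)
    primary.notify()                      # serial 0 on the secondary -> full transfer
    primary.update("ftp", "192.0.2.30")   # one added record -> incremental
    primary.update("mail", None)          # one deleted record -> incremental
    primary.notify()                      # serials equal -> no transfer at all
    return primary, sec


if __name__ == "__main__":
    p, s = demo()
    print(s.transfers, s.serial == p.serial, s.records)
```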

Choosing Between Primary Zones and Active Directory-Integrated Zones

When deciding on whether to implement primary DNS zones or Active Directory-integrated DNS zones,
remember to include the DNS design requirements of your environment. Primary zones and secondary zones
are standard DNS zones that use zone files. An Active Directory-integrated zone stores its zone data in Active
Directory, and can therefore use multi-master replication and the security features of Active Directory.

If you are going to be implementing Active Directory-integrated zones, you can choose between the following
zone replication scope options:

- To all DNS servers in the Active Directory forest: Zone data is replicated to all DNS servers running on domain controllers in the Active Directory forest.
- To all DNS servers in the Active Directory domain: Zone data is replicated to all DNS servers running on domain controllers in the Active Directory domain.
- To all domain controllers in the Active Directory domain: Zone data is replicated to all domain controllers in the Active Directory domain.
- To all domain controllers specified in the scope of this directory partition: Zone data is replicated based on the replication scope of the particular application directory partition.

Start of Authority (SOA) Resource Record

This is the first record in the DNS database file. The SOA record includes zone property information, such as the primary DNS server for the zone, and version information.

The fields located within the SOA record are listed below:

- Source host; the host for which the DNS database file is maintained.
- Contact e-mail; the e-mail address of the individual who is responsible for the database file.
- Serial number; the version number of the database.
- Refresh time; the time that a secondary DNS server waits before checking whether database updates have been made that have to be replicated via zone transfer.
- Retry time; the time for which a secondary DNS server waits before attempting a failed zone transfer again.
- Expire time; the time for which a secondary DNS server will continue to attempt to download zone information. Old zone information is discarded when this limit is reached.
- Time to Live (TTL); the time that the particular DNS server can cache resource records from the DNS database file.

Name Server (NS) Resource Record

The Name Server (NS) resource record provides a list of the authoritative DNS servers for a domain, as well as the authoritative DNS servers for any delegated subdomains. Each zone must have one or more NS resource records at the zone root. The NS resource record indicates the primary and secondary DNS servers for the zone defined in the SOA resource record. This in turn enables other DNS servers to look up names in the domain.

Host (A) Resource Record

The host (A) resource record contains the IP address of a specific host, and maps the FQDN to this 32-bit IPv4 address. Host (A) resource records associate the domain names of computers (FQDNs), or host names, with their IP addresses. Because a host (A) resource record statically associates a host name with a specific IP address, you can manually add these records to zones if you have machines that have statically assigned IP addresses.

The methods which are used to add host (A) resource records to zones are:

- Manually add these records, using the DNS management console.
- Use the Dnscmd tool at the command line to add host (A) resource records.
- TCP/IP client computers running Windows 2000, Windows XP or Windows Server 2003 use the DHCP Client service to both register their names and update their host (A) resource records.

Alias (CNAME) Resource Record

Alias (CNAME) resource records tie an alias name to its associated domain name. Alias (CNAME) resource records are referred to as canonical names. By using canonical names, you can hide network information from the clients who connect to your network. Alias (CNAME) resource records should be used when you have to rename a host that is defined in a host (A) resource record in the same zone.

Mail Exchanger (MX) Resource Record

The mail exchanger (MX) resource record provides routing for messages to mail servers and backup servers. The MX resource record provides information on which mail servers process e-mail for the particular domain name. E-mail applications therefore mostly utilize MX resource records.

A mail exchanger (MX) resource record has the following parameters:

¢ Priority
¢ Mail server

The mail exchanger (MX) resource record enables your DNS server to work with e-mail addresses where no
specific mail server is defined. A DNS domain can have multiple MX records. MX resource records can
therefore also be used to provide failover to different mail servers when the primary server specified is
unavailable. In this case, a server preference value is added to indicate the priority of a server in the list. Lower
server preference values specify higher preference.

 
Pointer (PTR) Resource Record

The pointer (PTR) resource record points to a different resource record, and is used for reverse lookups to point to A resource records. Reverse lookups resolve IP addresses to host names or FQDNs.

You can add PTR resource records to zones through the following methods:

- Manually add these records, using the DNS management console.
- Use the Dnscmd tool at the command line to add PTR resource records.

Service (SRV) Resource Record

Service (SRV) resource records are typically used by Active Directory to locate domain controllers, LDAP servers, and global catalog servers. The SRV records define the location of specific services in a domain. They associate the location of a service, such as a domain controller or global catalog server, with details on how the particular service can be contacted.

The fields of the service (SRV) resource record are explained below:

- Service name
- The protocol used
- The domain name associated with the SRV record
- The port number for the particular service
- The Time to Live value
- The class
- The priority and weight
- The target, specifying the FQDN of the particular host supporting the service
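The record types described in this section, as an added Python example (not code from the original notes): it parses a constructed zone-file excerpt, maps the SOA fields onto the names listed earlier, orders MX hosts by preference (lowest value first, as the MX section states), orders SRV targets by priority and then weight, follows a CNAME to its A record for a forward lookup, and builds the in-addr.arpa owner name a PTR record would carry for a reverse lookup. The example.test zone and every address in it are invented.

```python
"""Parse a constructed zone-file excerpt into SOA/NS/A/CNAME/MX/SRV records and apply the
selection rules from the text. Added example; the zone content is invented."""
import ipaddress
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# Constructed zone excerpt for an invented domain; not a real zone.
ZONE_TEXT = """\
$ORIGIN example.test.
@          3600 IN SOA   ns1.example.test. hostmaster.example.test. 2024010105 900 600 86400 3600
@          3600 IN NS    ns1.example.test.
@          3600 IN NS    ns2.example.test.
ns1        3600 IN A     192.0.2.53
ns2        3600 IN A     192.0.2.54
www        3600 IN A     192.0.2.10
web        3600 IN CNAME www.example.test.
@          3600 IN MX    20 mx2.example.test.
@          3600 IN MX    10 mx1.example.test.
_ldap._tcp  600 IN SRV   0 100 389 dc1.example.test.
_ldap._tcp  600 IN SRV   0 50  389 dc2.example.test.
_ldap._tcp  600 IN SRV   10 100 389 dc3.example.test.
"""


def parse_zone(text):
    """Tokenise each record line; $ORIGIN is appended to relative owner names and replaces '@'."""
    origin, records = "", []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(";"):
            continue
        if parts[0] == "$ORIGIN":
            origin = parts[1]
            continue
        owner, ttl, _cls, rtype, *rdata = parts
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = f"{owner}.{origin}"
        records.append(Record(owner, int(ttl), rtype, rdata))
    return records


def soa_fields(records):
    """Map the SOA rdata onto the field names the text lists, in the same order."""
    soa = next(r for r in records if r.rtype == "SOA")
    keys = ["source_host", "contact_email", "serial", "refresh", "retry", "expire", "minimum_ttl"]
    return dict(zip(keys, [soa.rdata[0], soa.rdata[1], *map(int, soa.rdata[2:])]))


def mail_servers_in_order(records, domain):
    """MX hosts sorted so the lowest preference value (highest priority) comes first."""
    mx = [r for r in records if r.rtype == "MX" and r.name == domain]
    return [r.rdata[1] for r in sorted(mx, key=lambda r: int(r.rdata[0]))]


def srv_targets(records, service):
    """SRV (target, port) pairs ordered by priority (lowest first), then weight (highest first)."""
    srv = [r for r in records if r.rtype == "SRV" and r.name == service]
    ordered = sorted(srv, key=lambda r: (int(r.rdata[0]), -int(r.rdata[1])))
    return [(r.rdata[3], int(r.rdata[2])) for r in ordered]


def resolve_name(records, name):
    """Forward lookup: follow CNAME aliases until an A record is found; None if absent or looping."""
    seen = set()
    while name not in seen:
        seen.add(name)
        for r in records:
            if r.name == name and r.rtype == "A":
                return r.rdata[0]
            if r.name == name and r.rtype == "CNAME":
                name = r.rdata[0]
                break
        else:
            return None
    return None


def ptr_owner_name(ip):
    """Owner name a reverse-lookup zone uses for this IPv4 address (octets reversed, in-addr.arpa)."""
    return ipaddress.ip_address(ip).reverse_pointer
```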

DNS Zone Database Files

If you are not using Active Directory-integrated zones, the zone database files that are used for zone data are:

- Domain Name file: When new A type resource records are added to the domain, they are stored in this file. When a zone is created, the Domain Name file contains the following:
   - An SOA resource record for the domain.
   - An NS resource record that indicates the name of the DNS server that was created.
- Reverse Lookup file: This database file contains information on a reverse lookup zone.
- Cache file: This file contains a listing of the names and addresses of root name servers that are needed for resolving names which are external to the authoritative domains.
- Boot file: This file controls the startup behavior of the DNS server. The boot file supports the commands listed below:
   - Directory command; defines the location of the other files specified in the Boot file.
   - Primary command; defines the domain for which this particular DNS server has authority.
   - Secondary command; specifies a domain as being a secondary domain.
   - Cache command; defines the list of root hints used for contacting DNS servers for the root domain.

The naming differences between the NetBIOS naming system and the DNS namespace are noted below:

- A NetBIOS name cannot be greater than 16 characters.
- With DNS, up to 255 characters can be used for names.
- The NetBIOS naming system is a flat naming system.
- The namespace used by DNS is a hierarchical space, or hierarchical system. The DNS naming system is called the domain namespace. If you decide to use a private domain namespace, and there is no interaction with the Internet, it does not have to be unique.

Three query types exist for querying a DNS server for name resolution:

- Iterative queries
- Recursive queries
- Inverse queries

Recursive Queries

When a client sends a recursive query to a DNS server, the DNS server has to return one of the following responses:

- The resource record containing the IP address that is associated with the host name that was requested.
- An error message stating that the host name or domain does not exist. When the DNS server does not find the queried name in its zone information, it starts querying other DNS servers. The error is only returned to the client when it cannot obtain the required information from any of the other DNS servers.

You can use the DNS console to disable recursive queries for a specific DNS server. In this case, the DNS
server will only be able to use iterative queries.

Iterative Queries

When a client sends an iterative query to a DNS server, the DNS server returns the best answer which it can to
the client.

The response can be either of the following:

- The requested resolved name.
- A referral to a different DNS server that could provide the information which the client requested.

Referrals are just pointers to a DNS server that has authority for a lower portion of the DNS namespace.

Inverse Queries

In an inverse query, the DNS resolver sends a request to a DNS server to resolve the host name associated with
a known IP address. Only a thorough search of all domains would provide the correct answer. DNS resolvers
are programs that use DNS queries to request information from the DNS servers. In Windows Server 2003, the
DNS Client service performs the function of the DNS resolver. A DNS resolver can communicate and issue
name queries to remote DNS servers, or to the DNS server running locally.

The different query response types which can be returned from the DNS server are:

- Authoritative answer: This is a positive response which is returned to a client. The authority bit set in the DNS message indicates that the reply was received from a DNS server that has direct authority for the name queried in the message.
- Positive answer: This response type returns the queried resource record that corresponds to the name and record type queried in the original query.
- Referral answer: A referral response is returned if the DNS server does not support recursion. A referral contains additional resource records for resolving the request.
- Negative answer: A negative answer is returned to the client when either of the following events occurs:
   - The name queried does not exist in the DNS namespace. This information is obtained from an authoritative server.
   - The authoritative server indicated that the name queried does exist in the DNS namespace. However, there are no resource records of this type present for the requested name.
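Recursive resolution, iterative queries, referrals and negative answers, as an added Python model (not code from the original notes): a three-server hierarchy (a root server, a server for the invented test. top-level domain, and the authoritative server for example.test.) is constructed in a dictionary. One function answers a single iterative question from a server's own data or with a referral; another performs the recursion a DNS server does on a client's behalf by following referrals until an authoritative or negative answer arrives; a recursion-disabled front door returns the referral instead, which is what the text says happens when recursion is turned off in the DNS console. All names, addresses and server identifiers are assumptions.

```python
"""Constructed model of recursive resolution built from iterative queries and referrals.
Added example; the hierarchy below is invented, not real DNS data."""

# Each constructed server holds only its own zone's A records plus delegations
# (NS referrals) for child zones it does not hold.
SERVERS = {
    "root": {"a": {}, "delegations": {"test.": "tld"}},
    "tld":  {"a": {}, "delegations": {"example.test.": "auth"}},
    "auth": {"a": {"www.example.test.": "192.0.2.10"}, "delegations": {}},
}


def iterative_query(server_id, qname):
    """One non-recursive question to one server. The server answers from its own data,
    refers the asker to the server for a delegated child zone, or answers negatively."""
    srv = SERVERS[server_id]
    if qname in srv["a"]:
        return {"type": "authoritative", "address": srv["a"][qname]}
    # Referral: the delegated child zone whose suffix matches the question most closely.
    best = None
    for child, target in srv["delegations"].items():
        if qname == child or qname.endswith("." + child):
            if best is None or len(child) > len(best[0]):
                best = (child, target)
    if best is not None:
        return {"type": "referral", "server": best[1]}
    return {"type": "negative"}   # nothing held and nothing delegated for this name


def recursive_resolve(qname, max_hops=8):
    """What a recursive DNS server does on the client's behalf: issue iterative queries,
    follow each referral, and stop at an authoritative or negative answer.
    Returns (address or None, trail of (server, reply type)). This toy always starts at the root."""
    trail, server = [], "root"
    for _ in range(max_hops):
        reply = iterative_query(server, qname)
        trail.append((server, reply["type"]))
        if reply["type"] == "referral":
            server = reply["server"]
            continue
        return reply.get("address"), trail
    return None, trail            # hop limit reached (a referral loop): unresolved


def serve_client(server_id, qname, recursion_enabled=True):
    """Front door of the server a client is configured to use. With recursion disabled
    the client receives the referral itself instead of a final answer."""
    if recursion_enabled:
        address, _ = recursive_resolve(qname)
        return {"type": "authoritative" if address else "negative", "address": address}
    return iterative_query(server_id, qname)


if __name__ == "__main__":
    print(recursive_resolve("www.example.test."))
    print(recursive_resolve("nope.example.test."))
    print(serve_client("tld", "www.example.test.", recursion_enabled=False))
```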

Forward and Reverse Lookups

These types of lookups or queries are defined below:

- Forward lookups: Forward lookups are also called forward queries. Forward lookups are used to resolve host names to IP addresses in the DNS domain. Forward queries contain the following:
   - SOA resource record.
   - NS resource record.
   - Any other record that ties the IP address to the FQDN (excludes the PTR resource record).

   When forward queries are issued, they are dealt with as follows:

   - A resolver requests the IP address for a host name.
   - The forward lookup is sent to the DNS server.
   - The DNS server searches for an A type resource record that is associated with the host name in the request.
   - If the DNS server finds a matching A type resource record, the IP address is returned to the client.
   - If the DNS server does not find a match, it proceeds to query the other DNS servers.
- Reverse lookups: Reverse lookups are also known as reverse queries. The process that occurs when reverse lookups are sent is illustrated below:
   - A resolver requests the domain name for a specific IP address.
   - The reverse lookup zone is used to resolve the query. A reverse lookup zone contains PTR resource records. These records are used for reverse lookups to point to A resource records.

RAID 0

RAID 0 (striped disks) distributes data across multiple disks in a way that gives improved speed at any given instant. If one disk fails, however, all of the data on the array will be lost, as there is neither parity nor mirroring. In this regard, RAID 0 is somewhat of a misnomer, in that RAID 0 is non-redundant. A RAID 0 array requires a minimum of two drives. A RAID 0 configuration can be applied to a single drive provided that the RAID controller is hardware and not software (i.e. OS-based arrays) and allows for such a configuration. This allows a single drive to be added to a controller already containing another RAID configuration when the user does not wish to add the additional drive to the existing array. In this case, the controller would be set up as RAID only (as opposed to SCSI in a non-RAID configuration), which requires that each individual drive be part of some sort of RAID array.

RAID 1

RAID 1 mirrors the contents of the disks, making a form of 1:1 ratio realtime mirroring. The contents of each
disk in the array are identical to that of every other disk in the array. A RAID 1 array requires a minimum of
two drives.

RAID 3, RAID 4
RAID 3 or 4 (striped disks with dedicated parity) combines three or more disks in a way that protects data
against loss of any one disk. Fault tolerance is achieved by adding an extra disk to the array, which is
dedicated to storing parity information; the overall capacity of the array is reduced by one disk. A RAID 3 or 4
array requires a minimum of three drives: two to hold striped data, and a third for parity. With the minimum
three drives needed for RAID 3, the storage efficiency is 66 percent. With six drives, the storage efficiency is 87
percent.
RAID 5
Striped set with distributed parity or interleave parity requiring 3 or more disks. Distributed parity requires all
drives but one to be present to operate; drive failure requires replacement, but the array is not destroyed by a
single drive failure. Upon drive failure, any subsequent reads can be calculated from the distributed parity
such that the drive failure is masked from the end user. The array will have data loss in the event of a second
drive failure and is vulnerable until the data that was on the failed drive is rebuilt onto a replacement drive. A
single drive failure in the set will result in reduced performance of the entire set until the failed drive has been
replaced and rebuilt.
RAID 6
RAID 6 (striped disks with dual parity) combines four or more disks in a way that protects data against loss of
any two disks. For example, if the goal is to create 10x1TB of usable space in a RAID 6 configuration, we need
two additional disks for the parity data.
RAID 10
RAID 1+0 (or 10) is a mirrored data set (RAID 1) which is then striped (RAID 0), hence the "1+0" name. A RAID 1+0 array requires a minimum of four drives: two mirrored drives to hold half of the striped data, plus another two mirrored for the other half of the data. In Linux, MD RAID 10 is a non-nested RAID type like RAID 1 that only requires a minimum of two drives and may give read performance on the level of RAID 0.
RAID 01
RAID 0+1 (or 01) is a striped data set (RAID 0) which is then mirrored (RAID 1). A RAID 0+1 array requires a
minimum of four drives: two to hold the striped data, plus another two to mirror the first pair.

 
Disk System Classification (FRDS, FTDS and DTDS)

- Failure-resistant disk systems (FRDS) (meets a minimum of criteria 1 - 6):

1. Protection against data loss and loss of access to data due to disk drive failure
2. Reconstruction of failed drive content to a replacement drive
3. Protection against data loss due to a "write hole"
4. Protection against data loss due to host and host I/O bus failure
5. Protection against data loss due to replaceable unit failure
6. Replaceable unit monitoring and failure indication

- Failure-tolerant disk systems (FTDS) (meets a minimum of criteria 7 - 15 ):

7. Disk automatic swap and hot swap


8. Protection against data loss due to cache failure
9. Protection against data loss due to external power failure
10. Protection against data loss due to a temperature out of operating range
11. Replaceable unit and environmental failure warning
12. Protection against loss of access to data due to device channel failure
13. Protection against loss of access to data due to controller module failure
14. Protection against loss of access to data due to cache failure
15. Protection against loss of access to data due to power supply failure

- Disaster-tolerant disk systems (DTDS) (meets a minimum of criteria 16 - 21):

16. Protection against loss of access to data due to host and host I/O bus failure
17. Protection against loss of access to data due to external power failure
18. Protection against loss of access to data due to component replacement
19. Protection against loss of data and loss of access to data due to multiple disk failure
20. Protection against loss of access to data due to zone failure
21. Long-distance protection against loss of data due to zone failure
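Criterion 3 above, protection against the "write hole", is easiest to appreciate with a small model of single-parity striping. The following Python is an added example and is not part of the original document: it keeps one stripe of a RAID 5 style array as byte strings on a handful of constructed "disks", rebuilds a lost member from XOR parity, and then shows what happens when power is lost between the data write and the parity write. The chunk contents and chunk size are constructed for readability; nothing here talks to real disks.

```python
"""Single-parity (RAID 5 style) striping with XOR parity, and the write hole.

Added example, not code from the original document. Models one stripe of a
parity RAID on constructed byte-string "disks": rebuilds a lost chunk from the
survivors, then shows that a crash between the data write and the parity
write leaves the stripe inconsistent, so a later drive loss is "rebuilt" into
silently wrong data.
"""
from typing import List, Optional


def xor_bytes(*blocks: bytes) -> bytes:
    """XOR an arbitrary number of equal-length byte strings."""
    out = bytearray(len(blocks[0]))
    for b in blocks:
        assert len(b) == len(out), "all chunks in a stripe must be the same size"
        for i, x in enumerate(b):
            out[i] ^= x
    return bytes(out)


def build_stripe(data_chunks: List[bytes]) -> List[bytes]:
    """Stripe as stored on disk: the data chunks followed by one parity chunk.

    Parity is the XOR of all data chunks, so any single missing chunk equals
    the XOR of everything else in the stripe.
    """
    return list(data_chunks) + [xor_bytes(*data_chunks)]


def rebuild(stripe: List[Optional[bytes]]) -> List[bytes]:
    """Reconstruct the one missing (None) chunk of a stripe, data or parity."""
    missing = [i for i, c in enumerate(stripe) if c is None]
    if len(missing) != 1:
        raise ValueError(f"single parity recovers exactly one chunk, {len(missing)} missing")
    survivors = [c for c in stripe if c is not None]
    repaired = list(stripe)
    repaired[missing[0]] = xor_bytes(*survivors)
    return repaired  # type: ignore[return-value]


def is_consistent(stripe: List[bytes]) -> bool:
    """A healthy stripe XORs to all zeros (data ^ parity == 0)."""
    return xor_bytes(*stripe) == bytes(len(stripe[0]))


def update_chunk(stripe: List[bytes], idx: int, new_data: bytes,
                 crash_before_parity: bool = False) -> List[bytes]:
    """Overwrite data chunk `idx` the way a read-modify-write does.

    New parity = old parity ^ old data ^ new data. A controller issues the data
    write and the parity write as two separate I/Os; if power is lost between
    them (crash_before_parity=True) only the data lands and parity goes stale.
    That gap is the write hole.
    """
    parity_idx = len(stripe) - 1
    if idx == parity_idx:
        raise ValueError("update data chunks only; parity is derived")
    updated = list(stripe)
    new_parity = xor_bytes(stripe[parity_idx], stripe[idx], new_data)
    updated[idx] = new_data                 # first I/O: data lands on disk
    if not crash_before_parity:
        updated[parity_idx] = new_parity    # second I/O: parity lands on disk
    return updated


def demo_write_hole() -> dict:
    """A clean rebuild, then a rebuild poisoned by a write hole."""
    data = [b"chunk-A!", b"chunk-B!", b"chunk-C!"]   # constructed sample chunks
    stripe = build_stripe(data)

    # 1. Disk 1 dies; the survivors rebuild it exactly.
    lost = list(stripe)
    lost[1] = None
    clean_rebuild = rebuild(lost)[1]

    # 2. Chunk 0 is rewritten, but the crash hits before parity is updated.
    torn = update_chunk(stripe, 0, b"chunk-A2", crash_before_parity=True)

    # 3. Now disk 1 dies. Nobody touched disk 1, yet its rebuild is wrong,
    #    because parity no longer matches the data actually on disk 0.
    lost_after_torn = list(torn)
    lost_after_torn[1] = None
    poisoned_rebuild = rebuild(lost_after_torn)[1]

    return {
        "clean_rebuild_ok": clean_rebuild == data[1],
        "torn_stripe_consistent": is_consistent(torn),
        "poisoned_rebuild_ok": poisoned_rebuild == data[1],
        "poisoned_rebuild": poisoned_rebuild,
    }


if __name__ == "__main__":
    for k, v in demo_write_hole().items():
        print(f"{k}: {v!r}")
```

The poisoned rebuild is the instructive part: the stripe passes no read error, the rebuilt chunk is plausible-looking bytes, and the corruption lands on a disk that never failed. That is why the classification criteria treat write-hole protection (battery-backed or non-volatile write cache, journaling, or a periodic parity scrub that calls `is_consistent` on every stripe) as a distinct requirement from merely surviving a drive failure.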

Nested (hybrid) RAID

As there is no basic RAID level numbered larger than 9, nested RAIDs are usually unambiguously described by
concatenating the numbers indicating the RAID levels, sometimes with a "+" in between. The digits are read from
the bottom of the nesting upwards. For example, RAID 10 (or RAID 1+0) consists of several level 1 arrays of
physical drives, each of which is one of the "drives" of a level 0 array striped over the level 1 arrays. It is not
called RAID 01, which would invite confusion with RAID 1 and with the different RAID 0+1 layout. When the top
array is a RAID 0 (such as in RAID 10 and RAID 50) most vendors omit the "+", though RAID 5+0 is clearer.

- RAID 0+1: striped sets in a mirrored set (minimum four disks; even number of disks) provides fault
tolerance and improved performance but increases complexity. The key difference from RAID 1+0 is
that RAID 0+1 creates a second striped set to mirror a primary striped set. The array continues to
operate with one or more drives failed in the same mirror set, but if drives fail on both sides of the
mirror the data on the RAID system is lost.

- RAID 1+0: mirrored sets in a striped set (minimum two disks but more commonly four disks to take
advantage of speed benefits; even number of disks) provides fault tolerance and improved performance
but increases complexity. The key difference from RAID 0+1 is that RAID 1+0 creates a striped set from
a series of mirrored drives. In a failed disk situation, RAID 1+0 performs better because all the
remaining disks continue to be used. The array can sustain multiple drive losses so long as no mirror
loses all its drives.

- RAID 5+1: mirror striped set with distributed parity (some manufacturers label this as RAID 53).
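The difference in failure behaviour between RAID 0+1 and RAID 1+0 described above, and the bottom-up reading of nested level names, can both be checked mechanically. The Python below is an added example and is not part of the original document: it represents a nested layout as a tree of "stripe", "mirror" and "parity" nodes over constructed drive labels, then enumerates every two-drive failure combination to count how many each layout survives. It goes a little beyond the text by also covering parity groups (RAID 5, RAID 6 and RAID 5+0 built the same way); the drive names and the layouts are constructed for the example.

```python
"""Nested RAID layouts as trees, evaluated against drive-failure sets.

Added example, not code from the original document. A leaf is a constructed
drive label; an inner node is (kind, tolerance, children) where kind is
"stripe" (RAID 0: every child must be up), "mirror" (RAID 1: any child
suffices) or "parity" (RAID 5 with tolerance 1, RAID 6 with tolerance 2).
Reading a nested level name left to right builds the tree bottom-up: RAID 10
is a stripe of mirrors, RAID 01 a mirror of stripes, RAID 50 a stripe of
RAID 5 groups.
"""
from itertools import combinations
from typing import FrozenSet, List, Tuple, Union

Node = Union[str, Tuple[str, int, List["Node"]]]


def stripe(children: List[Node]) -> Node:
    """RAID 0: data is spread over every child, so all of them must be up."""
    return ("stripe", 0, list(children))


def mirror(children: List[Node]) -> Node:
    """RAID 1: every child holds a full copy, so any one of them suffices."""
    return ("mirror", 0, list(children))


def parity(children: List[Node], tolerance: int = 1) -> Node:
    """RAID 5 (tolerance=1) or RAID 6 (tolerance=2): at most `tolerance` children lost."""
    return ("parity", tolerance, list(children))


def available(node: Node, failed: FrozenSet[str]) -> bool:
    """Is the data on `node` still readable with the drives in `failed` gone?"""
    if isinstance(node, str):
        return node not in failed
    kind, tolerance, children = node
    child_up = [available(c, failed) for c in children]
    if kind == "stripe":
        return all(child_up)
    if kind == "mirror":
        return any(child_up)
    if kind == "parity":
        return child_up.count(False) <= tolerance
    raise ValueError(f"unknown node kind {kind!r}")


def drives(node: Node) -> List[str]:
    """All drive labels under a node, in layout order."""
    if isinstance(node, str):
        return [node]
    return [d for child in node[2] for d in drives(child)]


def survivable_failure_sets(node: Node, n_failed: int) -> Tuple[List[Tuple[str, ...]], int]:
    """Every n_failed-drive combination the array survives, plus how many were tried."""
    combos = list(combinations(drives(node), n_failed))
    survived = [c for c in combos if available(node, frozenset(c))]
    return survived, len(combos)


def min_fatal_failures(node: Node) -> int:
    """Smallest number of simultaneous drive losses that can take the array down."""
    total = len(drives(node))
    for n in range(1, total + 1):
        survived, tried = survivable_failure_sets(node, n)
        if len(survived) < tried:
            return n
    return total


def raid10(n_pairs: int) -> Node:
    """RAID 1+0: a stripe across n_pairs two-way mirrors (drive labels constructed)."""
    return stripe([mirror([f"d{2 * i}", f"d{2 * i + 1}"]) for i in range(n_pairs)])


def raid01(n_per_side: int) -> Node:
    """RAID 0+1: two stripes of n_per_side drives, mirrored against each other."""
    left = stripe([f"d{i}" for i in range(n_per_side)])
    right = stripe([f"d{i + n_per_side}" for i in range(n_per_side)])
    return mirror([left, right])


def raid50(n_sets: int, set_size: int) -> Node:
    """RAID 5+0: a stripe across n_sets single-parity groups of set_size drives."""
    return stripe([parity([f"d{s * set_size + i}" for i in range(set_size)])
                   for s in range(n_sets)])


if __name__ == "__main__":
    layouts = [("RAID 10 (4 drives)", raid10(2)), ("RAID 01 (4 drives)", raid01(2)),
               ("RAID 10 (6 drives)", raid10(3)), ("RAID 01 (6 drives)", raid01(3)),
               ("RAID 50 (2 x 3)", raid50(2, 3)),
               ("RAID 6 (6 drives)", parity([f"d{i}" for i in range(6)], tolerance=2))]
    for name, layout in layouts:
        ok, tried = survivable_failure_sets(layout, 2)
        print(f"{name}: survives {len(ok)} of {tried} two-drive failures; "
              f"smallest fatal loss = {min_fatal_failures(layout)} drives")
```

With four drives both layouts die to some two-drive loss, but RAID 1+0 survives four of the six possible pairs while RAID 0+1 survives only two, and the gap widens with more drives (twelve of fifteen versus six of fifteen at six drives). The tree walk is the same reasoning a capacity planner or an incident responder applies by hand when deciding which drive bays may be pulled at once.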

Distributed File System (DFS)

The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the
network. Instead of having to think of a specific machine name for each set of files, the user will only have to
remember one name; which will be the 'key' to a list of shares found on multiple servers on the network. Think
of it as the home of all file shares with links that point to one or more servers that actually host those shares.
DFS has the capability of routing a client to the closest available file server by using Active Directory site
metrics. It can also be installed on a cluster for even better performance and reliability. Medium to large sized
organizations are most likely to benefit from the use of DFS - for smaller companies it is simply not worth
setting up since an ordinary file server would be just fine.

DFS terminology

It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.

Dfs Root. You can think of this as a share that is visible on the network, and in this share you can have
additional files and folders.


Dfs Link. A link is another share somewhere on the network that goes under the root. When a user opens this
link they will be redirected to a shared folder.

Dfs Target (or Replica). This can be referred to as either a root or a link. If you have two identical shares,
normally stored on different servers, you can group them together as Dfs Targets under the same link.