
Virtual Private Networks (VPN) allow users working at home, on the road or at a
branch office to connect securely to a remote corporate server across the public
Internet. A VPN server (or host) is a computer that accepts VPN connections from
VPN clients; it can be an NT/W2K server or a W2K/XP Pro workstation. A VPN client
is a computer that initiates a VPN connection to a VPN server or host. A VPN
client can be an individual computer running MS Windows NT 4.0, Windows 2000 or
9x, or any non-Microsoft Point-to-Point Tunneling Protocol (PPTP) client or Layer
Two Tunneling Protocol (L2TP) over IPSec client.

Basic VPN Requirements

• User Permission. Enable a user to access the VPN. To do this, open AD
Users and Computers, select the user who needs access to the VPN, open the
Dial-in tab and check Allow access under Remote Access Permission (Dial-in or VPN).
• IP Configuration. The VPN server should have a static IP address and a
range of IP addresses to assign to VPN clients. The VPN server must also be
configured with the DNS and WINS server addresses it assigns to the VPN client
during the connection.
• Data Encryption. Data carried on the public network should be rendered
unreadable to unauthorized parties on that network.
• Protocol Support. TCP/IP is the common protocol on the public network.
Inside the tunnel the VPN can also carry IP, Internetwork Packet Exchange (IPX),
NetBEUI and so on.
• Firewall Ports. When you place a PPTP VPN server behind your firewall, be sure
to pass IP protocol 47 (GRE) and TCP port 1723 to it.
• Interface(s) for VPN server. If your network doesn't have a router, or the
VPN server is also the gateway, the computer must have at least two interfaces,
one connecting to the Internet and another connecting to the LAN. If it is behind
a router, one NIC is enough.
• One interface for VPN client. The interface can be a dial-up modem or a
dedicated connection to the Internet.


Q: Can I set up my VPN client as a router to direct all local computers' traffic
into the VPN?

A: No, you need to set up a site-to-site VPN.

Can't ping by computer name when using VPN

If you have a name resolution issue when using VPN, check the PPTP filtering on the
server. If UDP ports 137 and 138 or TCP port 139 are blocked, NetBIOS packets
can't pass through the network. These ports must be allowed on the VPN server's
own packet filters and on any firewall or router between the VPN server and the
internal hosts for unicast (point-to-point) traffic. Firewalls between the client
and the VPN server only see the tunnel itself (TCP 1723 and GRE), because the
NetBIOS traffic travels inside it, so do not open the NetBIOS ports towards the
Internet.

Configure RRAS tracing

When you need to monitor the activities of the RRAS and Dial-Up Networking
components, use the tracing functionality to configure those components to log
tracing information to a file. You can enable RRAS and Dial-Up Networking tracing
either by configuring the registry or by using netsh.

How to add DNS and WINS to your Cisco VPN server

If your VPN client cannot find servers or cannot ping by computer name, you may
need to add DNS and WINS addresses to your VPN server. For example, on a Cisco PIX
firewall, add "vpdn group 1 client configuration dns dnsservername" and
"vpdn group 1 client configuration wins winsservername", replacing the server
names with your own addresses.

How to assign a static IP to a VPN client

If you have a Windows 2003 server as the VPN server, you can assign a static IP
on the Dial-in tab of the user's properties. If you use another Windows OS as the
VPN server, you can create a DHCP reservation instead.

How to connect to a Windows domain using Windows VPN at startup

If your W2K/XP Pro computer is a member of a domain, you will have the option
"Log on using dial-up connection" on the logon screen after creating a VPN or
dial-up connection. In the Log On to Windows dialog box, the user selects the Log
on using dial-up connection check box. After clicking OK, the user is prompted to
choose a network connection.

How to configure VPN Packet Filters

When you set up RRAS as a VPN server, a set of default Input and Output Filters is
created on the external adapter. If you aren't running your server in a highly
secure environment, you can place the server outside the firewall and restrict
incoming traffic on that adapter to PPTP packets only. To display and modify these
filters, go to Routing and Remote Access>IP Routing>General, and then add or edit
the packet filters of the dedicated Local Area Connection. On NT 4.0, enable PPTP
filtering from Control Panel: select the Network applet, Protocols, TCP/IP
Protocol, the WAN adapter, Advanced, and then select the Enable PPTP Filtering
check box, as Screen 1 shows. When you enable PPTP filtering, the server refuses
all non-PPTP traffic on that adapter.

How do I set up a modem to dial into a remote computer

You need to install your modem from the Control Panel if you haven't already,
and you need to set up the Dial-Up Networking server on the remote computer.
(This is included with Win98, NT4 and W2K/XP. On Win95 it is in the Plus! pack,
but you need to get an update to version 1.3 or later from Microsoft's site.) You
can enable the dial-up server from the 'Connections' menu of the Dial-Up
Networking window. If it isn't there, or if you've updated Dial-Up Networking as
mentioned above, install it using the Windows Setup section of 'Add/Remove
Programs' in the Control Panel.

How many inbound dial-in connections are supported

Windows 2000 Server supports 256 inbound dial-in connections; Windows 2000 Pro
supports 1.

How to create an incoming networking connection

You can configure an incoming connection to accept the following connection types:
dial-up (modem, ISDN, X.25), VPN (PPTP, L2TP), or direct (serial, infrared,
DirectParallel). On a computer running Windows 2000 Professional or XP Pro, an
incoming connection can accept up to three incoming calls, at most one of each of
these types. Note: on a computer running Windows 2000/2003 Server, the number of
inbound calls is limited only by the computer and its hardware configuration.

To create the connection, open Network Connections>New Connection
Wizard>Set up an advanced connection>Accept incoming connections, then follow
the instructions.

How to establish a VPN connection automatically

1. Run rasdial.exe as a service by using instsrv.exe.
2. Add rasdial.exe to the Startup group.
3. Create an IPSec VPN if you have a static IP address.

How to manage IP assignment on RRAS

Open RRAS, right-click the RRAS server>Properties>IP. You have two options:
DHCP or a static address pool.

How to schedule a VPN connection and disconnection

Use the rasdial command from the Task Scheduler: one scheduled task runs rasdial
to connect, and another runs rasdial with the /disconnect switch to hang up.

How to set up a VPN server on Windows 2003 Server

You have two options for a VPN server on Windows 2003. 1) Create an incoming
network connection if you have a small network or you want to set up a PC-to-PC
VPN; 2) if you expect large numbers of incoming connections on a server that
operates as part of a distributed network or as a domain controller, use RRAS to
create a VPN server.

How to set up VPN on W2K server with one NIC

Symptoms: When attempting to create a VPN server on W2K with one NIC, you may
receive "You have chosen the last available connection as the Internet connection.
A VPN server requires that one connection be used as the private network
connection" if you select the NIC.

1. Highlight No internet connection instead of the NIC or LAN connection.
2. Alternatively, try the "Manually configured server" option.

How to use PPTP through a Cisco PIX

To use PPTP through a PIX, you must have a one-to-one (static) mapping from the
external IP to an internal IP, and the mapping must pass IP protocol 47 (GRE)
packets and TCP port 1723. GRE carries no port numbers, so a port-based
translation cannot forward it on its own.

How to configure W2K server as VPN server

To set up a Windows 2000 server for VPN, open the Routing and Remote Access console
in the Administrative Tools folder, right-click the server and then click Configure
and Enable Routing and Remote Access>Virtual private network [VPN] server. Click
Next if TCP/IP is the only protocol you will use. Select the connection that faces
the Internet as the Internet Connection. You have two options for assigning IPs to
VPN clients. The default is Automatically. It is recommended to configure the server
to assign client addresses from a static address pool rather than from a DHCP
server. If you configure RAS to assign client addresses from a static address
pool, clients inherit the DNS and WINS settings from the RAS server. If your RAS
server can browse the network, clients should also be able to browse the network
with the same settings. If you prefer DHCP, verify that DHCP scope option 44
(WINS/NetBIOS name server) points to the WINS server and scope option 6 shows
the address of your DNS server. When you don't define these options, you almost
guarantee problems with client browsing. Finally, you can select whether to use
RADIUS or

NOTE: If VPN traffic travels through a router or firewall, configure the router or
firewall to pass PPTP (TCP port 1723 and IP protocol 47 [GRE, Generic Routing
Encapsulation]) or L2TP over IPSec (UDP port 500 for IKE and IP protocol 50
[ESP, Encapsulating Security Payload]) traffic to and from the VPN server.

How to configure Win 2000/XP Pro as VPN host

Prior to Windows 2000/XP Pro, you had to add PPTP to NT 4.0 Server to establish
VPN connections. With Windows 2000/XP Pro, you can run the workstation itself as a
VPN host. However, Windows 2000/XP Pro accepts only one VPN connection at a time
and requires Internet Protocol (IP).

Before you start the VPN configuration, you should have a device (modem, T1,
Frame Relay, ADSL, or cable modem) connecting to the Internet. Also make sure
you have correct TCP/IP settings on the W2K/XP machine.

To set up Win XP Pro (in our case) as a VPN host, go to the Properties of My
Network Places>Create a New Connection>Set up an Advanced
Connection>Accept Incoming Connections. On the Devices for Incoming
Connections dialog box, do not select any device; just click Next, check
Allow virtual private connections, and then click Next. On the Allowed Users dialog
box, select or add all users for whom you want to enable access. The accounts have
to exist on both computers involved in establishing the VPN connection. On the
Networking Software page of the New Connection Wizard, File and Printer Sharing for
Microsoft Networks, Internet Protocol (TCP/IP) and Client for Microsoft Networks
should be listed as networking components. By default, Allow callers to access my
local area network and Assign TCP/IP addresses automatically using DHCP are
checked. If you want to keep the default settings, click Next to continue. Now
the Incoming Connection icon should show in the Incoming section under the
Properties of My Network Places and is ready to use.

How to configure W2K/XP as a VPN client

To connect to a VPN server, you need a dial-up modem or a dedicated
connection to the Internet. To set up an XP client to access the VPN host, go to the
Properties of My Network Places>Create a New Connection>Connect to the
network at my workplace>Virtual Private Network connection. Type a name (the
wizard asks for a company name); it is shown as the connection name in the VPN
section. Select Do not dial the initial connection and then type the VPN host's IP
address or name. You have two options for this connection: create it for anyone
who uses this computer or for yourself only.

How to configure a multihomed VPN server

If the VPN server has two network cards, one for the LAN and one for the WAN,
leave the gateway on the LAN adapter blank. In the gateway field of the WAN
network interface, enter the TCP/IP address that your ISP defines; the gateway
address usually points to a router at your ISP. It is recommended that you manually
enter the TCP/IP address, DNS and WINS for the LAN NIC instead of using DHCP.

Incoming Connection or RRAS

You can create an incoming connection on a computer acting as a remote access
server if it is running Windows 2000 or XP Pro, or if it is a stand-alone computer
running Windows 2000/2003 Server. For large numbers of incoming connections on
a computer running Windows 2000/2003 Server as a router, as a domain
controller, or as a member of a domain, use Routing and Remote Access to
create a remote access server.

Logon script with VPN

To run a logon script while establishing a VPN, you have two options. 1) Create
a batch file that runs rasdial.exe and then maps the network drives. 2) Use the
Microsoft Connection Manager Administration Kit (CMAK).

Manage VPN connections

To manage VPN logon times, permissions, idle disconnect after a certain number of
minutes, maximum session length and other constraints, use Remote Access Policies
under RRAS.

Security on Windows VPN Server

A Windows 2000 VPN server is installed with a default set of Input and Output
filters on the external adapter. These filters allow PPTP, L2TP and IPSec
connectivity only and block all other traffic. The filters can be modified: go to
RRAS>IP Routing>General, right-click the external adapter and select Properties.
Every filter you add on the external adapter widens the attack surface of the
server, so keep additions to the minimum the VPN actually needs.

Which ports need to be opened for running VPN

A: PPTP uses TCP port 1723 plus IP protocol 47 (GRE). L2TP uses UDP port 1701.
IPSec uses UDP port 500 (IKE) plus IP protocols 50 (ESP) and 51 (AH). Note: 47 is a
protocol number, not a TCP port; the protocol name is GRE. The same applies to 50
and 51. This makes a big difference when configuring your firewall or router. Also
note that when L2TP runs over IPSec, the UDP 1701 packets are carried inside ESP,
so a firewall in front of the server only needs to pass UDP 500 and protocol 50
(and 51 if AH is used); UDP 1701 only needs opening for unencrypted L2TP.

What statements are required to allow a VPN inbound past my Cisco PIX?

The following example is a simple PPTP access list:

access-list 110 permit tcp any host x.x.x.x eq 1723

access-list 110 permit gre any host x.x.x.x

Note: 1. x.x.x.x is the outside IP address, and the access list has to be bound
to the outside interface with an access-group statement before it takes effect.
2. If you use PIX 6.3.1, you will also need to enable fixup protocol pptp 1723.
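The Firewall Ports bullet, the NOTE about routers and firewalls, the ports question and the PIX access list above all turn on one point: GRE, ESP and AH are IP protocol numbers, not ports. The following is an added example, not Cisco or Microsoft code and not from the original page: a toy packet filter that parses the two PIX-style access-list statements shown above and checks which VPN packets they admit. 203.0.113.10 stands in for x.x.x.x, the client address is made up, and the PIX's own matching logic (first match wins, implicit deny at the end) is modelled rather than reproduced.

```python
"""Added example (not Cisco or Microsoft code): a toy model of the firewall rules
this page describes.  It parses PIX-style access-list lines and checks which VPN
packets they admit.  203.0.113.10 stands in for x.x.x.x; the client address is
constructed."""
import re
from dataclasses import dataclass
from typing import List, Optional

# IP protocol numbers.  47, 50 and 51 are protocols, not ports.
PROTO_NUM = {"tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51, "icmp": 1}

@dataclass(frozen=True)
class Packet:
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None      # only meaningful for TCP/UDP

@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    proto: int
    src: str                         # "any" or a host address
    dst: str
    dport: Optional[int]

ACL_RE = re.compile(
    r"access-list\s+\S+\s+(permit|deny)\s+(\w+)\s+"
    r"(any|host\s+\S+)\s+(any|host\s+\S+)(?:\s+eq\s+(\d+))?\s*$"
)

def parse_acl(lines: List[str]) -> List[Rule]:
    rules = []
    for line in lines:
        m = ACL_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsable ACL line: {line!r}")
        action, proto, src, dst, port = m.groups()
        rules.append(Rule(action, PROTO_NUM[proto.lower()],
                          src.split()[-1], dst.split()[-1],
                          int(port) if port else None))
    return rules

def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "any" or pattern == addr

def allowed(rules: List[Rule], pkt: Packet) -> bool:
    """First matching rule wins; anything unmatched hits the implicit deny, as on a PIX."""
    for r in rules:
        if r.proto != pkt.proto:
            continue
        if not (_addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        return r.action == "permit"
    return False

OUTSIDE = "203.0.113.10"        # stands in for x.x.x.x
CLIENT = "198.51.100.7"         # constructed remote client

# The two statements from the page.
PPTP_ACL = parse_acl([
    f"access-list 110 permit tcp any host {OUTSIDE} eq 1723",
    f"access-list 110 permit gre any host {OUTSIDE}",
])
# What an L2TP/IPSec server behind the same PIX would need instead.
L2TP_ACL = parse_acl([
    f"access-list 110 permit udp any host {OUTSIDE} eq 500",
    f"access-list 110 permit esp any host {OUTSIDE}",
    f"access-list 110 permit ah any host {OUTSIDE}",
])
# The classic mistake: opening TCP "port 47" instead of passing IP protocol 47.
WRONG_ACL = parse_acl([
    f"access-list 110 permit tcp any host {OUTSIDE} eq 1723",
    f"access-list 110 permit tcp any host {OUTSIDE} eq 47",
])

def pptp_works(rules: List[Rule]) -> bool:
    """PPTP needs both the TCP/1723 control connection and the GRE data packets."""
    control = Packet(PROTO_NUM["tcp"], CLIENT, OUTSIDE, 1723)
    data = Packet(PROTO_NUM["gre"], CLIENT, OUTSIDE)
    return allowed(rules, control) and allowed(rules, data)

def l2tp_ipsec_works(rules: List[Rule]) -> bool:
    """IKE on UDP/500 plus ESP; the L2TP UDP/1701 packets travel inside ESP."""
    ike = Packet(PROTO_NUM["udp"], CLIENT, OUTSIDE, 500)
    esp = Packet(PROTO_NUM["esp"], CLIENT, OUTSIDE)
    return allowed(rules, ike) and allowed(rules, esp)

if __name__ == "__main__":
    print("PPTP through the page's ACL:    ", pptp_works(PPTP_ACL))        # True
    print("PPTP through the 'port 47' ACL: ", pptp_works(WRONG_ACL))       # False
    print("L2TP/IPSec through the L2TP ACL:", l2tp_ipsec_works(L2TP_ACL))  # True
```

With the "port 47" ACL the TCP 1723 control connection succeeds and the tunnel then hangs, which is exactly the symptom seen in practice when an administrator reads "47" as a port; the L2TP/IPSec variant passes the IKE and ESP packets but, correctly, nothing on UDP 1701.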

Why doesn't my W2K/XP have the "log on using dial-up connection" option on
the logon screen

1. You must first create a VPN or dial-up connection.
2. Your administrator may have disabled this option.
3. If the computer is not a member of a domain, the Log on using dial-up
connection check box does not appear.

What is Tunneling?

Tunneling is a mechanism for transferring data between two networks across an
intermediate network such as the Internet. Each packet is encapsulated inside
another packet and carried through the tunnel, so the intermediate network sees
only the outer headers. Tunneling by itself does not encrypt anything: with PPTP
the payload is encrypted by MPPE, and with L2TP the encryption is provided by
IPSec. Point-to-Point Tunneling Protocol (PPTP) and L2TP are the tunneling
protocols used by Windows VPN.
More Differences

NAS: Almost any machine that can connect to the LAN (or is interconnected to the
LAN through a WAN) can use the NFS, CIFS or HTTP protocol to connect to a NAS and
share files.
SAN: Only server-class devices with SCSI Fibre Channel can connect to the SAN. The
Fibre Channel of the SAN has a distance limit of around 10 km at best.

NAS: A NAS identifies data by file name and byte offsets, transfers file data or
file metadata (the file's owner, permissions, creation date, etc.), and handles
security, user authentication and file locking.
SAN: A SAN addresses data by disk block number and transfers raw disk blocks.

NAS: A NAS allows greater sharing of information, especially between disparate
operating systems such as Unix and NT.
SAN: File sharing is operating system dependent and does not exist in many
operating systems.

NAS: The file system is managed by the NAS head unit.
SAN: The file system is managed by the servers.

NAS: Backups and mirrors (utilizing features like NetApp's Snapshots) are done on
files, not blocks, for a saving in bandwidth and time. A Snapshot can be tiny
compared to its source volume.
SAN: Backups and mirrors require a block-by-block copy, even if blocks are empty.
A mirror machine must be equal to or greater in capacity than the source volume.

The Wires
--NAS uses TCP/IP networks: Ethernet, FDDI, ATM (perhaps TCP/IP over Fibre Channel)
--SAN uses Fibre Channel

The Protocols
--NAS uses NFS, CIFS or HTTP over TCP/IP
--SAN uses encapsulated SCSI
The Five FSMO Roles

There are just five operations where the usual multiple-master model breaks down,
and the Active Directory task must only be carried out on one Domain Controller.
The FSMO roles:

1. PDC Emulator - Most famous for backwards compatibility with NT 4.0 BDCs.
However, the PDC emulator has two other jobs that matter even in Windows 2003
native domains: it is the authoritative time source for the W32Time service in
the domain, and it is the DC on which group policies are edited by default. I
admit that it is confusing that these two jobs have little to do with PDCs and
BDCs.
2. RID Master - Every security principal must have a unique security identifier
(SID), made up of the domain SID plus a relative identifier (RID). The RID master
hands each domain controller its own pool of RIDs, so that DCs creating objects
such as users or computers never issue the same SID twice. For example, DC one is
given one block of RIDs and DC two is given the next block.
3. Infrastructure Master - Responsible for updating references to objects in
other domains, for example when a group contains members from another domain and
those members are renamed or moved. Universal group membership is the most
important example. To me, it seems as though the operating system is paranoid
that, a) you are a member of a Universal Group in another domain and b) that
group has been assigned Deny permissions. So if the Infrastructure master could
not check your Universal Groups there could be a security
4. Domain Naming Master - Ensures that each child domain has a unique name. How
often do child domains get added to the forest? Not very often, I suggest, so the
fact that this is a FSMO does not impact normal domain activity. My point is that
it's worth the price to confine joining and leaving the forest to one machine,
and save the tiny risk of getting duplicate names or orphaned domains.
5. Schema Master - Operations that involve extending object properties, e.g.
Exchange 2003 forestprep, which adds mailbox properties to users. Rather like the
Domain Naming Master, changing the schema is a rare event. However, if you have a
team of Schema Administrators all experimenting with object properties, you would
not want a mistake that crippled your forest. So it's a case of Microsoft knowing
best: the Schema Master should be a Single Master Operation and thus a FSMO.
ISA Server supports many more functions than its predecessor. The following options are
available with this new product:

• Firewall – the Firewall client is an extension to ISA Server that features an enhanced set of
functions allowing it to compete with other similar products available on the IT market. With the
Firewall client, ISA Server can authenticate users against Active Directory on Windows 2000 (or
the SAM database on NT), which is used to apply security rules at user or group level. This
feature is not supported by the majority of third-party products, which use either separate user
databases or IP addresses. Firewall functions are enhanced to support so-called stateful packet
inspection, i.e. a solution for improved security where data packets passing through the firewall
are intercepted and analyzed at either the protocol or the connection level.
• Policy-based administration – ISA Server lets administrators manage using predefined
policy rules. Policies can include a consistent set of rules regarding users, groups of users,
protocols etc. A specific policy may apply to a single array or globally, to the whole enterprise.
For businesses that use networks with Active Directory, multi-tiered enterprise policies match
the need for a comprehensive IT system and make it easier to manage the entire enterprise and
its infrastructure.
• Virtual Private Network Support – ISA Server provides an easy way to create VPN-based
networks. The wizards supplied with ISA Server help to configure VPN tunneling and may
activate the RRAS service if it is not already initialized.
• Dynamic IP filtering – depending on the security policy used, an enterprise can dynamically
open firewall ports for authorized Internet users on a session-by-session basis. This considerably
simplifies the administrator's duties where applications negotiate changing ports while they
communicate with each other.
• IDS (Intrusion Detection System) – Microsoft has equipped ISA Server with an Intrusion
Detection System. This module was licensed from Internet Security Systems, the leading
developer of such solutions. Thus ISA offers out-of-the-box detection of several types of
attack including WinNuke, Ping of Death, Land, UDP bombs, POP buffer overflow and port
scans. Once an attack has been detected and identified, ISA may either block the attack or
notify administrators about the event.
• Web Cache – ISA Server provides fast Web caching performance. Administrators can
automatically refresh frequently requested web pages on a reverse and scheduled caching basis.
• Reports – the major point of contrast between ISA and its predecessor, Proxy Server 2.0, is
that ISA offers numerous report-generating possibilities. By scheduling report generation, for
example on users' actions or security-related events, managing ISA Server-based networks
becomes a simple task.
• Gatekeeper H.323 – this component allows ISA Server to manage IP telephony calls or H.323-
based VoIP applications (for example Microsoft NetMeeting 3.0). A DNS SRV record must be
registered for the gatekeeper to be enabled.
• Client Deployment – with the SecureNAT (Network Address Translation) feature, ISA Server
gives clients and servers transparent and secure access to the Internet with no need to
configure extra software on client machines. SecureNAT allows monitoring of all traffic in ISA

Therefore, instead of being a simple product improvement, Microsoft Internet Security and
Acceleration Server fills a gap in the range of this type of product available from the Redmond
colossus and is trying to jump aggressively into the mass market sector associated with Web
security and fast Web access.

Full Backup
Definition: A complete backup of everything you want to back up.
Benefits: Restoration is fast, since you only need one set of backup data.
Drawbacks: The backup process is slow. High storage requirements.

Differential Backup
Definition: The backup software looks at which files have changed since you last
did a full backup, then creates copies of all the files that are different from
the ones in the full backup. If you do a differential backup more than once, it
will copy all the files, or parts of files, that have changed since the last full
backup, even if you already have identical copies of those files in a previous
differential backup. To restore all the data, you only need the last full backup
and the last differential backup.
Benefits: Faster to create than a full backup. Restoration is faster than using
incremental backups. Not as much storage needed as for a full backup.
Drawbacks: Restoration is slower than using a full backup. Creating a differential
backup is slower than creating an incremental backup.

Incremental Backup
Definition: The backup software creates copies of all the files, or parts of
files, that have changed since the previous backup of any type (full, differential
or incremental). For example, if you did a full backup on Sunday, an incremental
backup made on Monday would only contain files changed since Sunday, and an
incremental backup on Tuesday would only contain files changed since Monday, and
so on.
Benefits: This method is the fastest when creating a backup. The least storage
space is needed.
Drawbacks: Restoring from incremental backups is the slowest because it may
require several sets of data to fully restore all the data. For example, if you
had a full backup and six incremental backups, restoring the data would require
you to process the full backup and all six incremental backups.
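The trade-off between the three strategies is easiest to see when the restore chain is actually computed. The following is an added example, not from the page or any backup product: it builds a constructed week of backups (a full on Sunday, then either differentials or incrementals), works out which sets a restore needs on a given day, and totals the storage used. The sizes are invented figures in MB chosen so that the comparison is visible; the helper also handles the mixed case where an incremental is taken after a differential.

```python
"""Added example (not from the page or any backup product): which backup sets a
restore needs, and how much storage each strategy consumes, for a constructed
weekly schedule.  Sizes are invented figures in MB."""
from dataclasses import dataclass
from typing import List

@dataclass(frozen=True)
class Backup:
    day: int       # 0 = Sunday ... 6 = Saturday
    kind: str      # "full", "differential" or "incremental"
    size_mb: int   # constructed size, used only to compare storage use

def restore_chain(history: List[Backup], restore_day: int) -> List[Backup]:
    """Backup sets needed, oldest first, to restore the state as of restore_day.

    A differential covers everything since the last full, so it supersedes any
    earlier differentials and incrementals; an incremental covers only what
    changed since the previous backup of any kind, so every incremental after
    the last superseding set has to be applied, in order.
    """
    available = sorted((b for b in history if b.day <= restore_day),
                       key=lambda b: b.day)
    fulls = [b for b in available if b.kind == "full"]
    if not fulls:
        raise ValueError("no full backup exists on or before the requested day")
    base = fulls[-1]
    chain = [base]
    later = [b for b in available if b.day > base.day]
    diffs = [b for b in later if b.kind == "differential"]
    if diffs:
        base = diffs[-1]          # the newest differential replaces everything before it
        chain.append(base)
    chain.extend(b for b in later if b.kind == "incremental" and b.day > base.day)
    return chain

def storage_used_mb(history: List[Backup]) -> int:
    return sum(b.size_mb for b in history)

def weekly_schedule(kind: str) -> List[Backup]:
    """Constructed week: a 10 GB full on Sunday, then one backup of `kind` each day.

    Roughly 400 MB of data changes per day, so a differential grows by 400 MB
    each day while an incremental stays at 400 MB.
    """
    sets = [Backup(0, "full", 10_000)]
    for day in range(1, 7):
        size = 400 * day if kind == "differential" else 400
        sets.append(Backup(day, kind, size))
    return sets

if __name__ == "__main__":
    for kind in ("differential", "incremental"):
        week = weekly_schedule(kind)
        chain = restore_chain(week, 6)
        print(f"{kind:12s}: restore on Saturday needs {len(chain)} set(s), "
              f"{storage_used_mb(week)} MB stored for the week")
```

On the constructed week a Saturday restore needs two sets with differentials and seven with incrementals, while the incremental week stores about a third less data; which of those matters more depends on whether you optimise for restore time or for backup window and media, which is the point the table above makes.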

Page File

On current Microsoft Windows operating systems, a pagefile is the name given to a
portion of the hard disk reserved to augment Random Access Memory (RAM). The
pagefile is the backing store for virtual memory: when physical RAM is short, the
memory manager writes less recently used pages to the pagefile and reads them back
when they are needed again. Access to the pagefile is far slower than access to
RAM, so a pagefile lets the system run more than fits in RAM rather than making
anything faster. All else being equal, the less RAM a system has, the more the
pagefile is used. With enough RAM the pagefile may hardly be touched, although
Windows still creates one by default. Because it holds copies of memory pages, a
pagefile can contain data such as passwords or keys that an application never
wrote to disk itself; this matters for forensics and when deciding what to encrypt
or wipe.

RAM is fast storage that holds the programs, processes and files currently in use.
Retrieving data from RAM is far faster than retrieving it from standard
platter-style hard disks. As a computer system boots, it loads many routines into
RAM so that the system can perform well. As the user opens programs, more RAM is
consumed. Firewalls, antivirus programs and other software that runs in the
background also consume RAM.

An Introduction to Groups
A group can be defined as a collection of accounts that are grouped together so that
Administrators can assign permissions and rights to the group as a single entity. This removes
the need for an Administrator to individually assign permissions and rights to each account.
Therefore, while a user account is associated with an individual, or one entity, a group account,
or group, is created to simplify the administration of multiple user accounts (users). When you
grant permissions to a group, all accounts that are part of that particular group are granted the
permissions. Permissions control which actions users can perform on a network resource.
Rights, on the other hand, relate to system tasks.

Windows Server 2003 provides user accounts and group accounts (of which users can be
members). User accounts are designed for individuals. Group accounts are designed to make the
administration of multiple users easier.

The following entities can be added to groups:

• User accounts
• Computer accounts
• Contacts
• Other groups (whose members then inherit the group's permissions)

The administrative tasks typically performed on groups are summarized below:

• Assign permissions to groups to access shared resources. Each group member
would then be able to access the shared resource.
• Assign rights to groups so that they can perform certain system tasks such as backing up
or restoring files.
• Groups are also used to distribute bulk e-mail to their members.

You have to specify a group type and a group scope when you create a new group. Group types
and group scopes are discussed throughout the remainder of this Article.
Group Types
You can create two types of groups in Active Directory. Each group type is used for a different
purpose. Security groups are the group type created for security purposes, while
distribution groups are the group type created for purposes other than security. Security
groups are typically created for assigning permissions, while distribution groups are usually
created for distributing bulk e-mail to users. As you can see, the main difference between the two
group types is the manner in which each is used. Active Directory does however allow you
to convert a security group to a distribution group, and to convert a distribution group to a
security group, if the domain functional level is raised to Windows 2000 Native or above.

• Security groups: A security group is a collection of users who have the same permissions
to resources and the same rights to perform certain system tasks. These are the groups to
which you assign permissions so that their members can access resources. Security groups
therefore remove the need for an Administrator to individually assign permissions to
users. Users that need to perform certain tasks can be grouped in a security group, which is
then assigned the necessary permissions to perform these tasks. Each user that is a
member of the group has the same permissions. In addition to this, any e-mail
sent to a security group is received by each member of that particular group. When a
security group is first created, it receives a SID. It is this SID that enables permissions to
be assigned to security groups: the SID can be included in the DACL of a resource. An
access token is created when a user logs on to the system. The access token contains the
SID of the user and the SIDs of the groups of which the user is a member, including groups
reached through nesting. This access token is referenced when the user attempts to access a
resource: the SIDs in the access token are compared with the entries in the DACL of the
resource to determine which permissions the user receives for the resource, and a matching
Deny entry overrides a matching Allow entry.
• Distribution groups: Distribution groups are created to share information with a group of
users through e-mail messages. Thus, a distribution group is not created for security
purposes. A distribution group does not obtain a SID when it is created, so it cannot be
placed in a DACL and does not appear in an access token. Distribution groups
enable the same message to be sent simultaneously to all group members; messages do
not need to be individually sent to each user. Applications such as Microsoft Exchange
that work with Active Directory can use distribution groups to send bulk e-mail to groups
of users.
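The access-token check described under Security groups, and the reason a distribution group cannot be granted permissions, are easiest to see in code. The following is an added example, not Microsoft code and not from the original article: a simplified model in which the token is built from the user's SID plus the SIDs of every security group that contains the user, directly or through nesting, and is then compared with a constructed DACL. All SIDs, group names and ACEs are invented; the real Windows access check walks the ACL in order, but the rule modelled here (a Deny entry that matches a SID in the token overrides any Allow) is the one that matters when reasoning about group-based permissions.

```python
"""Added example (not Microsoft code): a simplified model of how the SIDs in an
access token are compared with a resource's DACL.  SIDs, names and ACEs are
constructed."""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Union

DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID

@dataclass
class Group:
    name: str
    kind: str                                  # "security" or "distribution"
    sid: Optional[str]                         # distribution groups have no SID
    members: Set[str] = field(default_factory=set)   # SIDs of users or nested groups

@dataclass(frozen=True)
class Ace:
    kind: str          # "allow" or "deny"
    sid: str
    rights: frozenset

def ace(kind: str, principal: Union[Group, str], rights) -> Ace:
    """Build an ACE; refuses a distribution group because it has no SID to put in a DACL."""
    sid = principal.sid if isinstance(principal, Group) else principal
    if sid is None:
        raise ValueError(f"{principal.name} is a distribution group and cannot be granted permissions")
    return Ace(kind, sid, frozenset(rights))

def access_token(user_sid: str, groups: List[Group]) -> Set[str]:
    """User SID plus the SIDs of every security group that contains the user,
    directly or through nesting.  Distribution groups contribute nothing."""
    sids = {user_sid}
    grew = True
    while grew:                       # follow nesting until no new group appears
        grew = False
        for g in groups:
            if g.kind != "security" or g.sid in sids:
                continue
            if sids & g.members:
                sids.add(g.sid)
                grew = True
    return sids

def effective_rights(token: Set[str], dacl: List[Ace]) -> Set[str]:
    """Rights from Allow ACEs whose SID is in the token, minus rights from matching Deny ACEs."""
    allowed, denied = set(), set()
    for a in dacl:
        if a.sid in token:
            (allowed if a.kind == "allow" else denied).update(a.rights)
    return allowed - denied

# Constructed directory: alice is in Finance and Contractors; Finance is nested in All-Staff;
# Newsletter is a distribution group that also lists alice.
ALICE = f"{DOMAIN}-1105"
FINANCE = Group("Finance", "security", f"{DOMAIN}-1201", {ALICE})
CONTRACTORS = Group("Contractors", "security", f"{DOMAIN}-1202", {ALICE})
ALL_STAFF = Group("All-Staff", "security", f"{DOMAIN}-1203", {FINANCE.sid})
NEWSLETTER = Group("Newsletter", "distribution", None, {ALICE})
GROUPS = [FINANCE, CONTRACTORS, ALL_STAFF, NEWSLETTER]

# DACL on a constructed share: staff may read, Finance may also write, contractors may never write.
SHARE_DACL = [
    ace("deny", CONTRACTORS, {"write"}),
    ace("allow", ALL_STAFF, {"read"}),
    ace("allow", FINANCE, {"read", "write"}),
]

def alice_rights() -> Set[str]:
    return effective_rights(access_token(ALICE, GROUPS), SHARE_DACL)

if __name__ == "__main__":
    print(sorted(access_token(ALICE, GROUPS)))
    print(sorted(alice_rights()))   # ['read']
```

Alice ends up with read only: the Finance Allow grants write, but the Contractors Deny takes it away, and the nested All-Staff membership shows up in her token even though she was never added to that group directly. Trying to build an ACE for the Newsletter group raises, which is the code-level form of "a distribution group has no SID".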

Group Scopes
The different group scopes make it possible for groups to be used differently to assign
permissions for accessing resources. The scope of a group defines the place in the network where
the group will be used or is valid. This is the degree to which the group will be able to reach
across a domain, domain tree, or forest. The group scope also determines what users can be
included as group members.

In Active Directory, there are three different group scopes.

• Global groups: Global groups are containers for user accounts and computer accounts in
the domain, and are used to assign permissions to objects that reside in any domain in a
tree or forest. You can include a global group in the access control list (ACL) of objects
in any domain in the tree/forest. A global group can however only have members from
the domain in which it is created. What this means is that a global group cannot include
user accounts, computer accounts, or global groups from other domains.

The domain functional level set for the domain determines which members can be
included in the global group.

o Windows 2000 Mixed: Only user accounts and computer accounts from the
domain in which the group was created, can be added as group members.
o Windows 2000 Native / Windows Server 2003: User accounts, computer
accounts, and other global groups from the domain in which the group was
created, can be added as group members
• Domain Local groups: Domain local groups can have user accounts, computer accounts,
global groups, and universal groups from any domain as group members. However, you
can only use domain local groups for assigning permissions to local resources, or to
resources that reside in the domain in which the domain local group was created. This
means that you can only include domain local groups in the ACL of objects that are
located in the local domain.

The domain functional level set for the domain determines which members can be
included in the domain local group.

o Windows 2000 Mixed: User accounts, computer accounts, and global groups from
any domain can be added as group members.
o Windows 2000 Native / Windows Server 2003: User accounts, computer
accounts, global groups, and universal groups from any domain can be added as
group members. You can also add other domain local groups from the same
domain as group members.
• Universal groups: Universal groups can have user accounts, computer accounts, global
groups, and other universal groups from any domain in the tree or forest as members.
This basically means that you can add members from any domain in the forest to a
universal group. You can use universal groups to assign permissions to access resources
that are located in any domain in the forest. Universal groups are only available when the
domain functional level for the domain is Windows 2000 Native or Windows Server
2003; they are not available in the Windows 2000 Mixed domain functional level. You
can convert a universal group to a domain local group at any time, or to a global group if
the universal group has no other universal group as a member. When adding members to
universal groups, it is recommended to add global groups as members rather than
individual users, because universal group membership is replicated to every global catalog
in the forest.

When groups contain other groups as members, group nesting occurs. Group nesting occurs
when you add groups to other groups. Group nesting assists in reducing the number of instances
that you need to assign permissions, and in reducing replication traffic. As mentioned previously,
the domain functional level set for the domain determines what group nesting can be
implemented, as summarized below:

• Windows 2000 Mixed:
o Global groups: User accounts and computer accounts in the same domain.
o Domain local groups: User accounts, computer accounts, and global groups from
any domain.
• Windows 2000 Native or Windows Server 2003:
o Global groups: User accounts, computer accounts, and other global groups in the
same domain.
o Domain local groups: User accounts, computer accounts, global groups and
universal groups from any domain; and other domain local groups in the same domain.
o Universal groups: User accounts, computer accounts, global groups, and
universal groups from any domain.

The scope of a group can be changed as well. You can use the Active Directory Users And
Computers (ADUC) console to view and modify the scope of an existing group. The dsget and
dsmod command-line tools can also be used. The rules that govern this capability are summarized
below:

• You can convert domain local groups and global groups to universal groups
• You can convert universal groups to domain local groups or to global groups.
• You cannot convert domain local groups to global groups.
• You cannot convert global groups to domain local groups.
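
The nesting and conversion rules above can be encoded as a small checker. The following
Python is an added example, not part of the original notes or of any Microsoft tool; the scope
names and the two functional levels are taken from the text, and the function names are the
example's own.

```python
# Added example (not from the original notes): encodes the group nesting and
# scope conversion rules stated in the text so a proposed group design can be
# sanity-checked before it is built.
from enum import Enum


class Level(Enum):
    MIXED = "Windows 2000 Mixed"
    NATIVE = "Windows 2000 Native / Windows Server 2003"


# Principal and group scopes as named in the notes.
USER, COMPUTER, GLOBAL, DOMAIN_LOCAL, UNIVERSAL = (
    "user", "computer", "global", "domain local", "universal")


def can_nest(level, group_scope, member_type, same_domain):
    """True if a principal of member_type may be added to a group of
    group_scope at the given functional level. same_domain says whether the
    member comes from the same domain as the group."""
    if group_scope == GLOBAL:
        if member_type in (USER, COMPUTER):
            return same_domain
        # Global groups nest other global groups only in native mode.
        return member_type == GLOBAL and same_domain and level is Level.NATIVE
    if group_scope == DOMAIN_LOCAL:
        if member_type in (USER, COMPUTER, GLOBAL):
            return True                  # from any domain, at both levels
        if level is Level.MIXED:
            return False                 # no universal or nested domain local groups
        if member_type == UNIVERSAL:
            return True
        return member_type == DOMAIN_LOCAL and same_domain
    if group_scope == UNIVERSAL:
        if level is Level.MIXED:
            return False                 # universal groups do not exist in mixed mode
        return member_type in (USER, COMPUTER, GLOBAL, UNIVERSAL)
    raise ValueError(f"unknown group scope {group_scope!r}")


def can_convert(from_scope, to_scope, has_universal_member=False):
    """Scope conversion rules from the notes. A universal group cannot be
    converted while another universal group is still one of its members."""
    if from_scope == to_scope:
        return False
    if to_scope == UNIVERSAL:
        return from_scope in (GLOBAL, DOMAIN_LOCAL)
    if from_scope == UNIVERSAL:
        return not has_universal_member and to_scope in (GLOBAL, DOMAIN_LOCAL)
    return False    # global <-> domain local is never a direct conversion


if __name__ == "__main__":
    print(can_nest(Level.MIXED, GLOBAL, GLOBAL, True))    # False
    print(can_convert(UNIVERSAL, GLOBAL, has_universal_member=True))  # False
```

A domain local group nested in another domain local group, or a global group nested in a global group, fails the check at Windows 2000 Mixed and passes at Windows 2000 Native, which is exactly the difference the two lists above describe.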

If you are using Windows Server 2003 Active Directory, Windows Server 2003 creates a few
default security groups that are used to assign administrative permissions to users. The default
security groups are created in the Users folder in Active Directory Users And Computers.

• The default domain local groups that are created are listed below:
o Cert Publishers: Members of this group are able to publish certificates to Active
Directory.
o DnsAdmins: Group members have administrative access to the DNS server.
o HelpServicesGroup: Group members are able to assign rights to support
o RAS and IAS Servers: Servers assigned to this default group can access a user's
remote access properties.
o TelnetClients: Group members have administrative access to Telnet Server.
• The default global groups that are created are listed below:
o Domain Admins: Members of the Domain Admins group have permissions to
perform administrative functions on computers in the domain.
o Domain Users: Group members are user accounts that are created in the domain.
o Domain Computers: Group members are computer accounts that are created in the
domain. This includes all workstations and servers that are part of the domain.
o Domain Controllers: Group members are domain controllers of the domain.
o Domain Guests: Group members are guest accounts in the domain.
o Group Policy Creator: Group members are able to change the domain's group
policy.
o DnsUpdateProxy: Group members are DNS clients. Members are able to perform
dynamic updates for clients such as DHCP servers.
• The default universal groups that are created are listed below:
o Enterprise Admins: Members of this group are able to perform administrative
functions for the whole network.
o Schema Admins: Members of this group can perform administrative tasks on the
schema.

When formulating a strategy for setting up domain local groups and global groups, follow the
guidelines listed below:

• You should add users that perform the same function in the organization to a global
group.
• Domain local groups should be created for a resource(s) that needs to be shared by
multiple users.
• You should then add any global groups that have to access a resource(s) to the
appropriate domain local group.
• The domain local group should be assigned the proper permissions to the resource.

In addition to the above mentioned group scopes, another group called a local group, can be
created. A local group is basically used on the local computer to assign permissions to resources
that are located on the computer on which the particular local group is created. Local groups are
created in the local security database and are not present in Active Directory. This means that
you cannot create local groups on domain controllers.

How to Find a User's OU

So here's the solution:
1.) Go to Active Directory Users and Computers.
2.) Go to the menu "View" and enable "Advanced Features".
3.) Now find your user and check his/her properties. You'll see that there will be an
additional tab called "Object", which shows the canonical name. Hence the tree to
the OU will be displayed.

Global Catalog Server

The global catalog is a distributed data repository that is stored on global catalog servers and
kept consistent via multimaster replication. It is composed of a partial representation of every
object in the multidomain Active Directory forest, and it can be searched. The global catalog
makes searches faster because they do not need to involve referrals to different domain
controllers. In addition, the global catalog allows finding an object without needing to know the
object's domain name. This is possible because a global catalog server holds not only a full,
writable replica of its own domain directory partition, but also a partial, read-only replica of all
the other domain directory partitions in the forest. Therefore, because it is composed of only the
attributes most used during searching, all objects in every domain in any forest, small or big, can
be found and represented in the database of one global catalog server.

To maintain the ability to conduct a full, fast, and effective search, the global catalog is
constantly updated by the Active Directory replication system. The attributes that are replicated
to the catalog are known as the partial attribute set (PAS). In a Windows 2000 Server
environment, a change to the PAS causes a full synchronization of the global catalog, even if the
change is minor. This was improved in the Windows Server 2003 environment, where only the
attributes that changed are updated.

How Does It Work?

As an example, if a user decides to search for all printers within the forest, a global catalog
server will process the request submitted by the user by searching through the global catalog, and
then output the results. Without the global catalog server, the user would have had to search
separately in every forest.

When a user runs a certain query (for example, an interactive domain logon), the domain
controller authenticates the user by first validating the user's identity and then all groups that
the user is a member of. This is because the global catalog holds the memberships of all
groups, which means that access to a global catalog server is necessary for accessing all
forests and is thus a requirement for Active Directory authentication. Therefore, it is best to
have at least one global catalog server in each Active Directory site, so that the
authenticating domain controller does not need to transmit queries over a WAN connection to
source information and process tasks.

Ports Commonly Used by Global Catalog Servers

Service Name    UDP    TCP
LDAP                   3268 (global catalog)
LDAP                   3269 (global catalog SSL)
LDAP            389    389
LDAP                   636 (SSL)
RPC/REPL               135 (endpoint mapper)
Kerberos        88     88 (global catalog)
DNS             53     53
SMB over IP     445    445

Active Directory Replication

As mentioned in an earlier section, the Active Directory database is replicated
between domain controllers. The units of data replicated between controllers are
called "naming contexts" (also known as directory partitions). Once a domain
controller has been established, only the changes are replicated. Active Directory
uses a multimaster model, which means changes can be made on any controller and
are then sent to all other controllers. The replication path in Active Directory forms
a ring, which adds reliability to the replication.

How Replication is Tracked

• USN - Each object has an Update Sequence Number (USN), and if
the object is modified, the USN is incremented. This number is
different on each domain controller.
• Stamps - Each object has a stamp with the version number,
timestamp, and the GUID of the domain controller where the
change was made.

Domain controllers each contain a "replica", which is a copy of the domain
directory. The "directory update type" indicates how the data is replicated. The
two types are:

• Origination update - A change made by an administrator at the
local domain controller.
• Replicated update - A change made to the replica because of a
replication from a replication partner.

Replication Sequence

• Latency - The time required for all updates to be completed
throughout all domain controllers on the network domain or forest.
• Convergence - The state at which all domain controllers have the
same replica contents of the Active Directory database.
• Loose consistency - The state at which changes to the
database are not yet replicated throughout all controllers
(not converged).

1. A change is made to the Active Directory database on a domain
controller. The attribute of the object and the new USN are written
to the database. The entire object is NOT replicated. This is called
an atomic operation because both changes are done, or neither
change is done. This is an origination update. There are four types:
o Add - An object is added to the database.
o Delete - An object is deleted from the database.
o Modify - An object in the database has its attributes modified.
o Modify DN - An object is renamed or moved to another container.
2. The controller the change was made on (after five minutes of
stability) notifies its replication partners that a change was made.
It sends a change notification to these partners, but only notifies
one partner every 30 seconds so it is not overwhelmed with
update requests. Each controller, in turn, when it is updated,
sends a change notice to its respective replication partners.
3. The replication partners each send an update request with a USN
to the domain controller that the change was made on. The USN
identifies the current state of the domain controller making the
change. Each change has a unique USN. This way the domain
controller that has the change knows the state of the domain
controller requesting the changes, and only the changes are
required to be sent. The time on each controller, therefore, does
not need to be synchronized exactly, although timestamps are
used to break ties regarding changes.
4. Changes are made through replication partners until all partners
are replicated. At some point, replication partners will attempt to
replicate to partners that are already updated. This is where
propagation dampening is used.

If no changes have been performed in six hours, replication procedures are performed to be sure
no information has been missed.

Information sent during an update includes:

• Updated object
• The GUID and USN of the domain server with the originating update.
• A local USN of the update on the updated object.

Replication Path

The path that replicated Active Directory data travels through an
enterprise is called the replication topology. Connection objects are used to define the
replication paths between domain controllers. Active Directory, by default, sets up a two way
ring replication path. The data can travel in both directions around the ring which provides
redundancy and reliability. Two types of replication occur in the path:

• Direct replication - When replication is done from a primary source of data.
• Transitive replication - When replication is done from a secondhand or
replicated source of data.

The Knowledge Consistency Checker (KCC) (running on all domain controllers) generates the
replication topology by specifying what domain controllers will replicate to which other domain
controllers in the site. The KCC maintains a list of connections, called a replication topology, to
other domain controllers in the site. The KCC ensures that changes to any object are replicated to
all site domain controllers and updates go through no more than three connections. Also an
administrator can configure connection objects.

The KCC uses information provided by the administrator about sites and subnets to
automatically build the Active Directory replication topology.

Propagation Dampening

• Propagation dampening is used to prevent unnecessary replication by
preventing updates from being sent to servers that are already updated.
Each domain controller keeps a list of other known domain controllers and
the last USN received from each controller. Two up-to-date vector numbers
support this:
o Replica GUID
o Update Sequence Number (USN) - Mentioned earlier, it is incremented
any time an origination or replicated update is received. The USN
stored is from the originating server. It is stored as metadata with:
 An attribute indicating "added" or "changed" for the object being
changed.
 The GUID (above).
 A local USN for the object attribute changed.
 The changed data.

The up-to-date vector numbers are incremented when replication
occurs with the originating server. Each domain controller has its own
different USN (they may not start at the same number). The highest
USN from each domain controller that is stored in other domain
controllers is called the high watermark for that domain controller.
• Propagation delay describes the amount of time required for a change to
be replicated to domain controllers throughout the domain.
• Ring Topology - The Active Directory replication process uses a ring
topology where the replication partners form a ring. This adds reliability to
the process and also helps decrease propagation delay.

The information sent in an update request includes the high watermark entry for the originating
server for the last change received. If the high watermark received from the server that sent the
update request is the same as the high watermark for the originating server on the server receiving
the request, the receiving server will not send the replicated information.

The usnChanged attribute is the highest USN number for any object.
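
As an added example (not part of the original notes), the Python below models the USNs,
up-to-date vectors and high watermarks described in the Replication Sequence and Propagation
Dampening sections with three domain controllers in a ring. The class and method names and the
constructed distinguished name are the example's own; the two filters in changes_since are the
high watermark check and propagation dampening.

```python
# Added example (not from the original notes): a small in-memory model of
# USNs, up-to-date vectors and high watermarks, showing why a partner that
# has already received an originating change by another path is not sent it
# again (propagation dampening).
from dataclasses import dataclass


@dataclass
class Change:
    obj: str
    attr: str
    value: str
    origin_dc: str     # GUID of the DC where the originating update was made
    origin_usn: int    # that DC's USN for the change
    local_usn: int     # USN assigned by the DC holding this copy


class DomainController:
    def __init__(self, guid, start_usn):
        self.guid = guid
        self.usn = start_usn        # every DC runs its own USN counter
        self.changes = []           # stored changes, each with a local USN
        self.utd_vector = {}        # origin DC -> highest originating USN seen
        self.high_watermark = {}    # partner -> highest local USN pulled from it

    def _next_usn(self):
        self.usn += 1
        return self.usn

    def originate(self, obj, attr, value):
        """Origination update: the attribute value and new USN are written together."""
        usn = self._next_usn()
        change = Change(obj, attr, value, self.guid, usn, usn)
        self.changes.append(change)
        self.utd_vector[self.guid] = usn
        return change

    def changes_since(self, watermark, requester_utd):
        """What this DC sends in reply to an update request.

        The watermark drops changes the requester already pulled from us;
        the requester's up-to-date vector drops changes it already received
        via another partner (propagation dampening)."""
        out = []
        for ch in self.changes:
            if ch.local_usn <= watermark:
                continue
            if requester_utd.get(ch.origin_dc, 0) >= ch.origin_usn:
                continue
            out.append(ch)
        return out

    def pull_from(self, source):
        """Replicated update: ask source for everything newer than our watermark for it."""
        watermark = self.high_watermark.get(source.guid, 0)
        incoming = source.changes_since(watermark, self.utd_vector)
        for ch in incoming:
            # The change keeps its originating GUID/USN but gets a new local USN here.
            self.changes.append(Change(ch.obj, ch.attr, ch.value,
                                       ch.origin_dc, ch.origin_usn, self._next_usn()))
            self.utd_vector[ch.origin_dc] = max(self.utd_vector.get(ch.origin_dc, 0),
                                                ch.origin_usn)
        self.high_watermark[source.guid] = source.usn
        return len(incoming)


def ring_demo():
    """Three DCs in a ring; DC-A originates one change. Returns how many
    changes each pull transferred and the final USN of each DC. The third and
    fourth pulls move nothing because the change already arrived by another path."""
    a = DomainController("DC-A", start_usn=1000)
    b = DomainController("DC-B", start_usn=5000)
    c = DomainController("DC-C", start_usn=200)
    # Constructed object DN, not a real directory.
    a.originate("CN=jdoe,OU=Sales,DC=example,DC=com", "telephoneNumber", "555-0100")
    transferred = [b.pull_from(a), c.pull_from(b), c.pull_from(a), a.pull_from(c)]
    return transferred, (a.usn, b.usn, c.usn)


if __name__ == "__main__":
    print(ring_demo())  # ([1, 1, 0, 0], (1001, 5001, 201))
```

The final USNs differ on every controller (1001, 5001, 201) even though all three hold the same change, which is why the stored metadata keeps the originating USN separately from the local one.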

Replication Partitions

Types of Active Directory data storage categories which are called partitions:

• Schema partition - Defines rules for object creation and modification for all
objects in the forest. Replicated to all domain controllers in the forest, it is known
as an enterprise partition.
• Configuration partition - Information about the forest directory structure is
defined including trees, domains, domain trust relationships, and sites (TCP/IP
subnet group). Replicated to all domain controllers in the forest, it is known
as an enterprise partition.
• Domain partition - Has complete information about all domain objects
(Objects that are part of the domain including OUs, groups, users and others).
Replicated only to domain controllers in the same domain.
o Partial domain directory partition - Has a list of all objects in the
directory with a partial list of attributes for each object.

These partitions are all replicated between domain controllers by Active directory. Different
partitions may be replicated between different replication partners.

Replication Conflict

Replication conflict occurs when changes are made to the same object and attribute before the
changes can be replicated throughout all domain controller's copies of the database. Additional
data (metadata) stored for each object attribute includes (not related to USN):

• Time stamp of the last change.

• Attribute version number - For each object's attributes, this value is the
same on all domain controllers.

When an Active Directory database update is received on a domain controller, one of the
following happens:
• If the update attribute version number is higher than the current version
number on the controller, the new value of the attribute is stored and the
version number is updated.
• If the update attribute version number and stored attribute version number
are the same, timestamps are used to resolve the conflict.
• If the both version numbers and both timestamps are the same, the update
from the controller with the highest GUID is used.
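
The three-step rule above, as an added Python example that is not part of the original notes;
the DC GUIDs and timestamps are constructed values, and the function names are the example's
own.

```python
# Added example (not from the original notes): the version / timestamp / GUID
# conflict resolution rule applied to an attribute that was changed on two
# DCs before the first change could replicate.
import uuid
from dataclasses import dataclass


@dataclass(frozen=True)
class AttrValue:
    value: str
    version: int            # attribute version number (same on all DCs once converged)
    timestamp: float        # time of last change, from the originating DC's clock
    origin_guid: uuid.UUID  # GUID of the DC where the change was made


def resolve(current, incoming):
    """Return the value a DC keeps when an update for the same attribute arrives."""
    if incoming.version != current.version:
        # Higher version wins; a lower version is a stale update and is dropped.
        return incoming if incoming.version > current.version else current
    if incoming.timestamp != current.timestamp:
        # Same version: the later timestamp wins.
        return incoming if incoming.timestamp > current.timestamp else current
    # Same version and timestamp: the update from the DC with the highest GUID wins.
    return incoming if incoming.origin_guid > current.origin_guid else current


# Constructed GUIDs for two DCs (not real values).
DC_A = uuid.UUID("11111111-1111-1111-1111-111111111111")
DC_B = uuid.UUID("22222222-2222-2222-2222-222222222222")


def conflict_demo():
    """Two admins edit the same 'description' attribute on DC-A and DC-B before
    replication. Whatever order the updates arrive in, both DCs converge."""
    from_a = AttrValue("Sales", version=2, timestamp=1700000200.0, origin_guid=DC_A)
    from_b = AttrValue("Marketing", version=2, timestamp=1700000205.0, origin_guid=DC_B)
    on_dc_a = resolve(from_a, from_b)   # DC-A holds its own change, then receives B's
    on_dc_b = resolve(from_b, from_a)   # DC-B holds its own change, then receives A's
    return on_dc_a.value, on_dc_b.value


def tie_demo():
    """Same version and identical timestamp: the higher GUID (DC-B here) wins."""
    from_a = AttrValue("Sales", 2, 1700000200.0, DC_A)
    from_b = AttrValue("Marketing", 2, 1700000200.0, DC_B)
    return resolve(from_a, from_b).value, resolve(from_b, from_a).value


if __name__ == "__main__":
    print(conflict_demo())  # ('Marketing', 'Marketing')
    print(tie_demo())       # ('Marketing', 'Marketing')
```

The point of the demo is order independence: because every DC applies the same three comparisons, it does not matter which partner's update arrives first, and no DC needs a tightly synchronized clock for the first two steps to agree.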

File Replication Service

In Windows 2000, the SYSVOL share is used to authenticate users. The SYSVOL share
includes group policy information which is replicated to all local domain controllers. File
Replication Service (FRS) is used to replicate the SYSVOL share. The "Active Directory Users
and Computers" tool is used to change the file replication service schedule.

Intrasite Replication

Replication that happens between controllers inside one site. All of the subnets inside the site
should be connected by high speed network wires. Replication between two sites may need to be
sent over a slower WAN link or leased line. Intrasite replication data is sent uncompressed.

Site replication is done using Remote Procedure Call (RPC). If a change is made, replication
occurs within five minutes, and replication is done every six hours if no changes were made.
Domain controllers that receive updates replicate that information to other domain controllers on
their route list. All changes are therefore completed within a site within 15 minutes since there
can only be three hops.

The topology used here is the ring topology talked about earlier, and this replication
is automatically set up by Active Directory, but may be modified by an administrator.

DNS Replication

The DNS IP address and computer name is stored in Active Directory for Active Directory
integrated DNS zones and replicated to all local domain controllers. DNS information is not
replicated to domain controllers outside the domain.

Intersite Replication

Intersite replication is replication between sites and must be set up by an administrator.

Replication Management

The administrative tool "Active Directory Sites and Services" is used to manage Active
Directory replication. Replication data is compressed before being sent to minimize bandwidth
use. There are two protocols used to replicate AD:
• Normally Remote Procedure Call (RPC) is used to replicate data, and it is
always used for intrasite replication since it is required to support the FRS.
RPC depends on IP (Internet Protocol) for transport.
• Simple Mail Transfer Protocol (SMTP) may be used for replication
between sites.

SMTP can't replicate the domain partition, however. Therefore the remote site would need to be
in another domain to be able to effectively use SMTP for carrying replication data.

Bridgehead server - A domain controller that is used to send replication information to one or
more other sites.

Flexible Single Master Operations (FSMO) (discussed in an earlier section) can be transferred
manually to various domain controllers. Roles and tools used to transfer are:

• Schema Master - Use "Active Directory Domains and Trusts". Makes

changes to the database schema. Applications may remotely connect to the
schema master.
• Domain Naming Master - Use the MMC "Active Directory Schema Snap-in".
Adds or removes domains to or from the forest.
• Primary Domain Controller (PDC) Emulator - Use the "Active Directory
Users and Computers" administrative tool. When Active Directory is in mixed
mode, the computer Active Directory is on acts as a Windows NT PDC. Mixed
mode occurs when Active Directory interfaces with NT 4.0 BDCs or ones
without Windows 2000 Directory Service client software. In mixed mode,
computers without Windows 2000 client software must contact the PDC
emulator to change user account information.
• Relative ID Master (RID Master) - Use the "Active Directory Users and
Computers" administrative tool. All objects have a Security Identifier (SID)
and a domain SID. The RID assigns relative IDs to each domain controller.
• Infrastructure Master - Use the "Active Directory Users and Computers"
administrative tool. Updates group membership information when users from
other domains are moved or renamed.

Any master role can be transferred by using the command line program, ntdsutil.exe. When a
server performing a master role fails and goes offline, you can perform "seizing master
operations" to have another server perform that role. Only the ntdsutil.exe program can perform
this function. Commands include:

• connections - A connections prompt appears:
o connect to server "FQDN of server to connect to"
o quit
• seize "name of role to transfer". Role names are:
o RID master
o schema master
o domain naming master
o infrastructure master
Example: "seize RID master"

Replication Associated Performance Monitor Counters

• DRA Inbound Bytes Not Compressed - Replicated uncompressed bytes
that are probably from a Directory Services Agent (another controller sending
data) in the same site.
• DRA Inbound Bytes Compressed (Before Compression) - Replicated
bytes received (as though in uncompressed form).
• DRA Inbound Bytes Not Compressed (After Compression) - Replicated
bytes received (as in compressed form).
• DRA Inbound Bytes Total - The sum of DRA Inbound Bytes Not
Compressed plus DRA Inbound Bytes Not Compressed (After Compression).
• DRA Outbound Bytes Not Compressed - Replicated uncompressed bytes
that are being sent to another domain controller in the same site.

Schema Cache

A schema cache which is a copy of the schema in memory can be used to speed up schema
queries but should be used sparingly due to the high memory requirements. If the
schemaUpdateNow attribute is added to the RootDSE a schema cache update is done
immediately. Normally the schema cache is stored in memory when the system boots and
updated every five minutes.

Replication provides access to users and services at any time from any computer in the
domain and in the forest. Replication of information occurs by category, and these categories are
called Directory Partitions. There are four types of Directory Partitions:

1. Schema Partition
2. Configuration Partition
3. Domain Partition
4. Application Directory partition

Schema Partition
Only one schema partition exists per forest. The schema partition is stored on all domain
controllers in a forest. The schema partition contains descriptions of all objects and attributes that
you can create in the directory, and the rules for creating and manipulating them. Schema
information is replicated to all domain controllers in the attribute definitions.

Configuration Partition
There is only one configuration partition per forest. This partition contains information about the
AD structure/topology, the names and numbers of domain controllers in each forest, and the domain and
site structure. Configuration information is replicated to all domain controllers in a forest.

Application Partition
Application partitions store information about applications in Active Directory. Unlike domain
partitions, an application partition cannot store security principal objects, such as user accounts.
In addition, the data in an application partition is not stored in the global catalog.

As an example of an application partition, if you use a Domain Name System (DNS) that is
integrated with Active Directory you have two application partitions for DNS zones,
ForestDNSZones and DomainDNSZones:

• ForestDNSZones is part of a forest. All domain controllers and DNS servers in
a forest receive a replica of this partition. This forest-wide application partition
stores the forest zone data.
• DomainDNSZones is unique for each domain. All domain controllers that are
DNS servers in that domain receive a replica of this partition. The application
partition stores the domain DNS zone in DomainDNSZones.

Share vs. NTFS

Share permissions are the permissions you set for a folder when you share that folder. The share
permissions determine the type of access others have to the shared folder across the network.
There are three types of share permissions: Full Control, Change, and Read.

NTFS permissions determine the action users can take for a folder or file both across the network
and locally. Unlike share permissions, NTFS permissions offer several other permissions besides
Full Control, Change, and Read that can be set for groups or individually. The most restrictive
permission applies when share and NTFS permissions conflict.
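
An added Python example (not from the original notes) that makes the "most restrictive wins"
rule concrete: each layer is a set of rights, allow entries within a layer accumulate across the
groups a user belongs to, and the network-effective result is the intersection of the two layers.
The right names and the mapping of the NTFS basic permissions onto them are the example's own
approximation.

```python
# Added example (not from the original notes): effective access to a shared
# folder is the intersection of share permissions and NTFS permissions over the
# network, and NTFS alone when the folder is opened locally.
READ, EXECUTE, WRITE, DELETE, CHANGE_PERMS, TAKE_OWNERSHIP = (
    "read", "execute", "write", "delete", "change permissions", "take ownership")
ALL_RIGHTS = {READ, EXECUTE, WRITE, DELETE, CHANGE_PERMS, TAKE_OWNERSHIP}

# The three share permission levels named in the notes, as sets of rights.
SHARE = {
    "Read": {READ, EXECUTE},
    "Change": {READ, EXECUTE, WRITE, DELETE},
    "Full Control": set(ALL_RIGHTS),
}

# The basic NTFS permissions, approximated onto the same right names.
NTFS = {
    "Read": {READ},
    "Read & Execute": {READ, EXECUTE},
    "List Folder Contents": {READ, EXECUTE},
    "Write": {WRITE},
    "Modify": {READ, EXECUTE, WRITE, DELETE},
    "Full Control": set(ALL_RIGHTS),
}


def effective_rights(share_perms, ntfs_perms, over_network=True):
    """Rights a user ends up with on a folder.

    share_perms / ntfs_perms list every allow entry that applies to the user,
    directly or through group membership. Allow entries accumulate within a
    layer (union); across layers the more restrictive set applies (intersection).
    A locally logged-on user is governed by NTFS permissions only."""
    ntfs = set().union(*(NTFS[p] for p in ntfs_perms))
    if not over_network:
        return ntfs
    share = set().union(*(SHARE[p] for p in share_perms))
    return share & ntfs


def audit_line(share_perms, ntfs_perms):
    """One-line summary for a permissions review of a share."""
    remote = sorted(effective_rights(share_perms, ntfs_perms))
    local = sorted(effective_rights(share_perms, ntfs_perms, over_network=False))
    return f"network={remote} local={local}"


if __name__ == "__main__":
    # Wide-open share, tight NTFS: only read gets through the network.
    print(audit_line(["Full Control"], ["Read"]))
    # Read-only share, Full Control NTFS: the share caps remote access,
    # but a local logon still has everything.
    print(audit_line(["Read"], ["Full Control"]))
```

The second case is the one worth remembering in a review: a Read share permission looks safe from the network, yet anyone who can log on to the file server interactively is limited only by NTFS.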

Describe the concept of Subnetting.

Subnetting is the process of breaking a network into smaller units. These units are called
subnets. Here a subnet could be several machines in a single LAN. Networks using IP can create
sub-networks of logical addresses. With every IP address, some of the bits in the machine portion
can be used to identify a specific subnet. The IP address then contains three parts: the network
number, the subnet number, and the machine number.
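
As an added example (not from the original notes), the Python below uses the standard-library
ipaddress module to carve a network into subnets and to separate the three parts named above,
network number, subnet number and machine number; the function names and sample addresses are
the example's own.

```python
# Added example (not from the original notes): subnetting with the standard
# library, including extraction of the network / subnet / machine fields.
import ipaddress


def subnet_plan(network, new_prefix):
    """Carve network (e.g. '192.168.0.0/22') into equal /new_prefix subnets."""
    net = ipaddress.ip_network(network, strict=True)
    return [str(s) for s in net.subnets(new_prefix=new_prefix)]


def usable_hosts(subnet):
    """Addresses left for machines after the network and broadcast addresses."""
    return ipaddress.ip_network(subnet).num_addresses - 2


def split_fields(address, network_prefix, subnet_prefix):
    """Return (network number, subnet number, machine number) for an IPv4
    address whose original network is /network_prefix and which has been
    subnetted at /subnet_prefix by borrowing bits from the machine part."""
    if not network_prefix < subnet_prefix < 32:
        raise ValueError("need network_prefix < subnet_prefix < 32")
    raw = int(ipaddress.IPv4Address(address))
    network = raw >> (32 - network_prefix)
    subnet = (raw >> (32 - subnet_prefix)) & ((1 << (subnet_prefix - network_prefix)) - 1)
    machine = raw & ((1 << (32 - subnet_prefix)) - 1)
    return network, subnet, machine


def same_subnet(addr1, addr2, prefix):
    """True when two hosts share a subnet and can reach each other without a router."""
    return (ipaddress.ip_network(f"{addr1}/{prefix}", strict=False)
            == ipaddress.ip_network(f"{addr2}/{prefix}", strict=False))


if __name__ == "__main__":
    # Constructed sample: a /22 split into four /24 subnets.
    print(subnet_plan("192.168.0.0/22", 24))
    print(usable_hosts("192.168.1.0/24"))              # 254
    # 172.16.37.10 on a /16 network subnetted at /24: network 172.16,
    # subnet 37, machine 10.
    print(split_fields("172.16.37.10", 16, 24))        # (44048, 37, 10)
    print(same_subnet("10.0.1.5", "10.0.2.5", 24))     # False
```

For an Active Directory site design this is the calculation behind the subnet objects in Active Directory Sites and Services: clients are assigned to a site by matching their address against the subnets defined there, so the prefixes entered must reflect the actual subnetting in use.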