MCSE 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure

Syngress knows what passing the exam means to you and to your career. And we know that you are often financing your own training and certification; therefore, you need a system that is comprehensive, affordable, and effective.

Boasting one-of-a-kind integration of text, DVD-quality instructor-led training, and Web-based exam simulation, the Syngress Study Guide & DVD Training System guarantees 100% coverage of exam objectives.

The Syngress Study Guide & DVD Training System includes:

Study Guide with 100% coverage of exam objectives: By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of the exam objectives.

Instructor-led DVD: This DVD provides almost two hours of virtual classroom instruction.

Web-based practice exams: Just visit us at www.syngress.com/certification to access a complete exam simulation.

Thank you for giving us the opportunity to serve your certification needs. And be sure to let us know if there’s anything else we can do to help you get the maximum value from your investment. We’re listening.

www.syngress.com/certification
256_70-294_FM.qxd 9/6/03 10:19 AM Page i
Michael Cross
Jeffery A. Martin
Todd A. Walls
Martin Grasdal, Technical Reviewer
Debra Littlejohn Shinder, Technical Editor
Dr. Thomas W. Shinder, Technical Editor

Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure
Syngress Publishing, Inc., the author(s), and any person or firm involved in the writing, editing, or production (collectively “Makers”) of this book (“the Work”) do not guarantee or warrant the results to be obtained from the Work.

There is no guarantee of any kind, expressed or implied, regarding the Work or its contents. The Work is sold AS IS and WITHOUT WARRANTY. You may have other legal rights, which vary from state to state.

In no event will Makers be liable to you for damages, including any loss of profits, lost savings, or other incidental or consequential damages arising out from the Work or its contents. Because some states do not allow the exclusion or limitation of liability for consequential or incidental damages, the above limitation may not apply to you.

You should always use reasonable care, including backup and other appropriate precautions, when working with computers, networks, data, and files.

Syngress Media®, Syngress®, “Career Advancement Through Skill Enhancement®,” “Ask the Author UPDATE®,” and “Hack Proofing®,” are registered trademarks of Syngress Publishing, Inc. “Mission Critical™,” and “The Only Way to Stop a Hacker is to Think Like One™” are trademarks of Syngress Publishing, Inc. Brands and product names mentioned in this book are trademarks or service marks of their respective companies.

KEY  SERIAL NUMBER
001  TH33SLUGGY
002  Q2T4J9T7VA
003  82LPD8R7FF
004  Z6TDAA3HVY
005  P33JEET8MS
006  3SHX6SN$RK
007  CH3W7E42AK
008  9EU6V4DER7
009  SUPACM4NFH
010  5BVF3MEV2Z

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370

Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study Guide & DVD Training System

Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of America. Except as permitted under the Copyright Act of 1976, no part of this publication may be reproduced or distributed in any form or by any means, or stored in a database or retrieval system, without the prior written permission of the publisher, with the exception that the program listings may be entered, stored, and executed in a computer system, but they may not be reproduced for publication.

Printed in the United States of America
1 2 3 4 5 6 7 8 9 0

ISBN: 1-931836-94-9
Technical Editors: Debra Littlejohn Shinder, Thomas W. Shinder
Technical Reviewer: Martin Grasdal
Acquisitions Editor: Jonathan Babcock
Cover Designer: Michael Kavish
Page Layout and Art by: Patricia Lupien
Copy Editor: Beth Roberts
Indexer: Rich Carlson
DVD Production: Michael Donovan
DVD Presenter: Laura E. Hunter
Acknowledgments

We would like to acknowledge the following people for their kindness and support in making this book possible.

Will Schmied, the President of Area 51 Partners, Inc. and moderator of www.mcseworld.com for sharing his considerable knowledge of Microsoft networking and certification.

Karen Cross, Meaghan Cunningham, Kim Wylie, Harry Kirchner, Kevin Votel, Kent Anderson, Frida Yara, Jon Mayes, John Mesjak, Peg O’Donnell, Sandra Patterson, Betty Redmond, Roy Remer, Ron Shapiro, Patricia Kelly, Andrea Tetrick, Jennifer Pascal, Doug Reil, David Dahl, Janis Carpenter, and Susan Fryer of Publishers Group West for sharing their incredible marketing experience and expertise.

The incredibly hard working team at Elsevier Science, including Jonathan Bunkell, AnnHelen Lindeholm, Duncan Enright, David Burton, Rosanna Ramacciotti, Robert Fairbrother, Miguel Sanchez, Klaus Beran, and Rosie Moss for making certain that our vision remains worldwide in scope.

David Buckland, Wendi Wong, Daniel Loh, Marie Chieng, Lucy Chong, Leslie Lim, Audrey Gan, and Joseph Chan of Transquest Publishers for the enthusiasm with which they receive our books.

Kwon Sung June at Acorn Publishing for his support.

Jackie Gross, Gayle Voycey, Alexia Penny, Anik Robitaille, Craig Siddall, Darlene Morrow, Iolanda Miller, Jane Mackay, and Marie Skelly at Jackie Gross & Associates for all their help and enthusiasm representing our product in Canada.

Lois Fraser, Connie McMenemy, Shannon Russell, and the rest of the great folks at Jaguar Book Group for their help with distribution of Syngress books in Canada.

David Scott, Annette Scott, Delta Sams, Geoff Ebbs, Hedley Partis, and Tricia Herbert of Woodslane for distributing our books throughout Australia, New Zealand, Papua New Guinea, Fiji, Tonga, Solomon Islands, and the Cook Islands.

Winston Lim of Global Publishing for his help and support with distribution of Syngress books in the Philippines.

A special thanks to Deb and Tom Shinder for going the extra mile on our core four MCSE 2003 guides. Thank you both for all your work.

Another special thanks to Daniel Bendell from Assurance Technology Management for his 24x7 care and feeding of the Syngress network. Dan manages our network in a highly professional manner and under severe time constraints, but still keeps a good sense of humor.
Contributors

Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist / Computer Forensic Analyst with the Niagara Regional Police Service. He performs computer forensic examinations on computers involved in criminal investigations, and has consulted and assisted in cases dealing with computer-related/Internet crimes. In addition to designing and maintaining their Web site at www.nrps.com and Intranet, he has also provided support in the areas of programming, hardware, network administration, and other services. As part of an information technology team that provides support to a user base of over 800 civilian and uniform users, his theory is that when the users carry guns, you tend to be more motivated in solving their problems.

Michael also owns KnightWare (www.knightware.ca), which provides computer-related services like Web page design, and Bookworms (www.bookworms.ca), where you can purchase collectibles and other interesting items online. He has been a freelance writer for several years, and is published over three dozen times in numerous books and anthologies. He currently resides in St. Catharines, Ontario, Canada with his lovely wife Jennifer and his darling daughter Sara.

Eriq Oliver Neale is an Information Technology manager for a large manufacturing company headquartered in the southwest. His IT career spans 16 years and just about as many systems. He has contributed to a number of technical publications, including several MCSE exam preparation titles. His article on MIDI, still considered one of the seminal works on the topic, has been reprinted in hundreds of publications in multiple languages. Most recently, he has been focusing on electronic data privacy issues in mixed platform environments. When not working in and writing about information technology, Eriq spends time writing and recording music in his home studio for clients of his music publishing company. On clear nights, he can be found gazing at the moon or planets through his telescope, which he also uses for deep-space astrophotography.

Todd A. Walls (CISSP, MCSE) is a Senior Security Engineer for COACT, Inc., providing information security support to a government customer in Colorado Springs. Todd has over 19 years of IT experience spanning the range of micro, mini, and mainframe systems, running variants of UNIX, Windows, and proprietary operating systems. His security systems experience includes intrusion detection and prevention, firewalls, biometrics, smart cards, password cracking, vulnerability testing, and secure-computing designs and evaluations. He is currently enrolled in graduate computer science studies at Colorado Technical University with a concentration in computer systems security.

Vinod Kumar is an author, developer and technical reviewer specializing in Web and mobile technologies using Microsoft solutions. He has been awarded Microsoft’s Most Valuable Professional (MVP) in .NET. He currently works for Verizon. Vinod is a lead author for the forthcoming title Mobile Application Development with .NET and has co-authored several other books. He has written many technical articles for sites like ASPToday, C# Today, and CSharp-Corner. Vinod runs a community site named www.dotnetforce.com which provides content related to .NET. In his free time he likes to spend time with his family and friends.

Brian Frederick is a Lead Network Analyst for Aegon USA, one of the top 5 insurance companies in the United States. Brian started working with computers on the Apple II+. Brian attended the University of Northern Iowa and is married with two adorable children. He is also a technical instructor at a local community college teaching MCSE, MCSA, A+, and Network+ certification courses. Brian owes his success to his parents and brother for their support and backing during his Apple days and in college, and to his wife and children for their support and understanding when dad spends many hours in front of the computer.

M. Troy Hudson (MCSE NT/2000, MCP, MCP+I, Master CNE, CNE-IW, CNE-4, CNE-5, CNE-GW4, CNE-GW5, A+) is the computer services manager for Sodexho at Granite School District Food Services in Salt Lake City, UT. He currently manages around 90 sites using a lot of remote management tools, internetworking Microsoft Windows desktops with Novell networks and ZENworks for Desktops.

Troy has been a consultant, trainer, and writer since 1997 and has published items both on the Internet and with this publisher. He has authored student curricula and helped design training material and labs for students trying to pass the Microsoft MCSE exams. He holds a bachelor’s degree from the University of Phoenix in e-Business. Troy currently resides in Salt Lake City, UT with his wife Kim and eight children: “My family is the reason for taking on extra projects and I am grateful for their support! I love you Kim, Jett, Ryan, Rachael, James, McKay, Brayden, Becca and Hannah.”
Technical Editors

Debra Littlejohn Shinder (MCSE) is a technology consultant, trainer, and writer who has authored a number of books on networking, including Scene of the Cybercrime: Computer Forensics Handbook, published by Syngress Publishing (ISBN: 1-931836-65-5), and Computer Networking Essentials, published by Cisco Press. She is co-author, with her husband Dr. Thomas Shinder, of Troubleshooting Windows 2000 TCP/IP (ISBN: 1-928994-11-3), the best-selling Configuring ISA Server 2000 (ISBN: 1-928994-29-6), and ISA Server and Beyond (ISBN: 1-931836-66-3). Deb is also a technical editor and contributor to books on subjects such as the Windows 2000 MCSE exams, the CompTIA Security+ exam, and TruSecure’s ICSA certification. She edits the Brainbuzz A+ Hardware News and Sunbelt Software’s WinXP News and is regularly published in TechRepublic’s TechProGuild and Windowsecurity.com. Deb specializes in security issues and Microsoft products. She lives and works in the Dallas-Fort Worth area and can be contacted at [email protected] or via the website at www.shinder.net.

Thomas W. Shinder M.D. (MVP, MCSE) is a computing industry veteran who has worked as a trainer, writer, and a consultant for Fortune 500 companies including FINA Oil, Lucent Technologies, and Sealand Container Corporation. Tom was a Series Editor of the Syngress/Osborne Series of Windows 2000 Certification Study Guides and is author of the best-selling books Configuring ISA Server 2000: Building Firewalls with Windows 2000 (Syngress Publishing, ISBN: 1-928994-29-6) and Dr. Tom Shinder’s ISA Server and Beyond (ISBN: 1-931836-66-3). Tom is the editor of the Brainbuzz.com Win2k News newsletter and is a regular contributor to TechProGuild. He is also content editor, contributor and moderator for the World’s leading site on ISA Server 2000, www.isaserver.org. Microsoft recognized Tom’s leadership in the ISA Server community and awarded him their Most Valued Professional (MVP) award in December of 2001.
Technical Editor and Contributor

Jeffery A. Martin (MCSE, MCDBA, MCT, MCP+I, MCNE, CNI, CCNP, CCI, CCA, CTT, A+, Network+, I-Net+, Project+, Linux+, CIW, ADPM) has been working with computers and computer networks for over 15 years. Jeffery spends most of his time managing several companies that he owns and consulting for large multinational media companies. He also enjoys working as a technical instructor and training others in the use of technology.

Martin Grasdal (MCSE+I, MCSE/W2K MCT, CISSP, CTT+, A+) is an independent consultant with over 10 years’ experience in the computer industry. Martin has a wide range of networking and IT managerial experience. He has been an MCT since 1995 and an MCSE since 1996. His training and networking experience covers a number of products, including NetWare, Lotus Notes, Windows NT, Windows 2000, Windows 2003, Exchange Server, IIS, and ISA Server. As a manager, he served as Director of Web Sites and CTO for BrainBuzz.com, where he was also responsible for all study guide and technical content on the CramSession.com Web site. Martin currently works actively as a consultant, author, and editor. His recent consulting experience includes contract work for Microsoft as a technical contributor to the MCP program on projects related to server technologies. Martin lives in Edmonton, Alberta, Canada with his wife Cathy and their two sons. Martin’s past authoring and editing work with Syngress has included the following titles: Configuring and Troubleshooting Windows XP Professional (ISBN: 1-928994-80-6), Configuring ISA Server 2000: Building Firewalls for Windows 2000 (ISBN: 1-928994-29-6), and Dr. Tom Shinder’s ISA Server & Beyond: Real World Security Solutions for Microsoft Enterprise Networks (ISBN: 1-931836-66-3).
DVD Presenter

Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+, Network+, iNet+, CNE-4, CNE-5) is a Senior IT Specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for various business units and schools within the University. Her specialties include Microsoft Windows NT and 2000 design and implementation, troubleshooting and security topics. As an “MCSE Early Achiever” on Windows 2000, Laura was one of the first in the country to renew her Microsoft credentials under the Windows 2000 certification structure. Laura’s previous experience includes a position as the Director of Computer Services for the Salvation Army and as the LAN administrator for a medical supply firm. She also operates as an independent consultant for small businesses in the Philadelphia metropolitan area and is a regular contributor to the TechTarget family of Web sites.

Laura has previously contributed to Syngress Publishing’s Configuring Symantec Antivirus, Corporate Edition (ISBN: 1-931836-81-7). She has also contributed to several other exam guides in the Syngress Windows Server 2003 MCSE/MCSA DVD Guide and Training System series as a DVD presenter, contributing author, and technical reviewer.

Laura holds a bachelor’s degree from the University of Pennsylvania and is a member of the Network of Women in Computer Technology, the Information Systems Security Association, and InfraGard, a cooperative undertaking between the U.S. Government and other participants dedicated to increasing the security of United States critical infrastructures.
MCSE 70-294 Exam Objectives Map and Table of Contents

All of Microsoft’s published objectives for the MCSE 70-294 Exam are covered in this book. To help you easily find the sections that directly support particular objectives, we’ve listed all of the exam objectives below, and mapped them to the chapter number in which they are covered. We’ve also assigned numbers to each objective, which we use in the subsequent Table of Contents and again throughout the book to identify objective coverage. In some chapters, we’ve made the judgment that it is probably easier for the student to cover objectives in a slightly different sequence than the order of the published Microsoft objectives. By reading this study guide and following the corresponding objective list, you can be sure that you have studied 100% of Microsoft’s MCSE 70-294 Exam objectives.

Exam Objective Map

Each line gives the objective number, the objective, and the chapter number in which it is covered.

1  Planning and Implementing an Active Directory Infrastructure  [Chapter 1]
1.1  Plan a strategy for placing global catalog servers.  [Chapter 8]
1.1.1  Evaluate network traffic considerations when placing global catalog servers.  [Chapter 8]
1.1.2  Evaluate the need to enable universal group caching.  [Chapter 8]
1.2  Plan flexible operations master role placement.  [Chapter 7]
1.2.1  Plan for business continuity of operations master roles.  [Chapter 7]
1.2.2  Identify operations master role dependencies.  [Chapter 7]
1.3  Implement an Active Directory directory service forest and domain structure.  [Chapter 4]
1.3.1  Create the forest root domain.  [Chapter 4]
1.3.2  Create a child domain.  [Chapter 4]
1.3.3  Create and configure Application Data Partitions.  [Chapter 4]
1.3.4  Install and configure an Active Directory domain controller.  [Chapter 7]
1.3.5  Set an Active Directory forest and domain functional level based on requirements.  [Chapter 4]
1.3.6  Establish trust relationships. Types of trust relationships might include external trusts, shortcut trusts, and cross-forest trusts.  [Chapter 5]
1.4  Implement an Active Directory site topology.  [Chapter 6]
1.4.1  Configure site links.  [Chapter 6]
1.4.2  Configure preferred bridgehead servers.  [Chapter 6]
1.5  Plan an administrative delegation strategy.  [Chapter 5]
1.5.1  Plan an organizational unit (OU) structure based on delegation requirements.  [Chapter 5]
1.5.2  Plan a security group hierarchy based on delegation requirements.  [Chapter 5]

2  Managing and Maintaining an Active Directory Infrastructure  [All chapters]
2.1  Manage an Active Directory forest and domain structure.  [Chapter 4]
2.1.1  Manage trust relationships.  [Chapter 5]
2.1.2  Manage schema modifications.  [Chapter 8]
2.1.3  Add or remove a UPN suffix.  [Chapter 8]
2.2  Manage an Active Directory site.  [Chapter 6]
2.2.1  Configure replication schedules.  [Chapter 6]
2.2.2  Configure site link costs.  [Chapter 6]
2.2.3  Configure site boundaries.  [Chapter 6]
2.3  Monitor Active Directory replication failures. Tools might include Replication Monitor, Event Viewer, and support tools.  [Chapter 6]
2.3.1  Monitor Active Directory replication.  [Chapter 6]
2.3.2  Monitor File Replication service (FRS) replication.  [Chapter 6]
2.4  Restore Active Directory directory services.  [Chapter 11]
2.4.1  Perform an authoritative restore operation.  [Chapter 11]
2.4.2  Perform a nonauthoritative restore operation.  [Chapter 11]
2.5  Troubleshoot Active Directory.  [All chapters]
2.5.1  Diagnose and resolve issues related to Active Directory replication.  [Chapter 6]
2.5.2  Diagnose and resolve issues related to operations master role failure.  [Chapter 7]
2.5.3  Diagnose and resolve issues related to the Active Directory database.  [Chapter 11]

3  Planning and Implementing User, Computer, and Group Strategies  [Chapter 2]
3.1  Plan a security group strategy.  [Chapter 3]
3.2  Plan a user authentication strategy.  [Chapter 3]
3.2.1  Plan a smart card authentication strategy.  [Chapter 3]
3.2.2  Create a password policy for domain users.  [Chapter 3]
3.3  Plan an OU structure.  [Chapter 5]
3.3.1  Analyze the administrative requirements for an OU.  [Chapter 5]
3.3.2  Analyze the Group Policy requirements for an OU structure.  [Chapter 5]
3.4  Implement an OU structure.  [Chapter 5]
3.4.1  Create an OU.  [Chapter 5]
3.4.2  Delegate permissions for an OU to a user or to a security group.  [Chapter 5]
3.4.3  Move objects within an OU hierarchy.  [Chapter 5]

4  Planning and Implementing Group Policy  [Chapter 9]
4.1  Plan Group Policy strategy.  [Chapter 9]
4.1.1  Plan a Group Policy strategy by using Resultant Set of Policy (RSoP) Planning mode.  [Chapter 9]
4.1.2  Plan a strategy for configuring the user environment by using Group Policy.  [Chapter 9]
4.1.3  Plan a strategy for configuring the computer environment by using Group Policy.  [Chapter 9]
4.2  Configure the user environment by using Group Policy.  [Chapter 9]
4.2.1  Distribute software by using Group Policy.  [Chapter 10]
4.2.2  Automatically enroll user certificates by using Group Policy.  [Chapter 9]
4.2.3  Redirect folders by using Group Policy.  [Chapter 9]
4.2.4  Configure user security settings by using Group Policy.  [Chapter 9]
4.3  Deploy a computer environment by using Group Policy.
4.3.1  Distribute software by using Group Policy.  [Chapter 10]
4.3.2  Automatically enroll computer certificates by using Group Policy.  [Chapter 9]
4.3.3  Configure computer security settings by using Group Policy.  [Chapter 9]

5  Managing and Maintaining Group Policy  [Chapter 9]
5.1  Troubleshoot issues related to Group Policy application deployment. Tools might include RSoP and the gpresult command.  [Chapter 9]
5.2  Maintain installed software by using Group Policy.  [Chapter 10]
5.2.1  Distribute updates to software distributed by Group Policy.  [Chapter 10]
5.2.2  Configure automatic updates for network clients by using Group Policy.  [Chapter 10]
5.3  Troubleshoot the application of Group Policy security settings. Tools might include RSoP and the gpresult command.  [Chapter 9]
Contents

  Directory Data Store …… 5
  Policy-Based Administration …… 9
  Directory Access Protocol …… 10
  Naming Scheme …… 11
  Installing Active Directory to Create a Domain Controller …… 15
1 Understanding How Active Directory Works …… 19
  Directory Structure Overview …… 19
    Sites …… 20
    Domains …… 21
    Domain Trees …… 22
    Forests …… 24
    Organizational Units …… 25
  Active Directory Components …… 26
    Logical vs. Physical Components …… 27
    Domain Controllers …… 28
    Schema …… 31
    Global Catalog …… 31
    Replication Service …… 32
1 Using Active Directory Administrative Tools …… 34
  Graphical Administrative Tools/MMCs …… 35
    Active Directory Users and Computers …… 38
    Active Directory Domains and Trusts …… 40
    Active Directory Sites and Services …… 44
  Command-Line Tools …… 45
    Cacls …… 46
    Cmdkey …… 47
    Csvde …… 47
    Dcgpofix …… 49
    Dsadd …… 49
    Dsget …… 49
    Dsmod …… 50
    Dsmove …… 50
    Ldifde …… 51
    Ntdsutil …… 53
    Whoami …… 54
1 Implementing Active Directory Security and Access Control …… 55
  Access Control in Active Directory …… 55
    Role-Based Access Control …… 60
    Authorization Manager …… 60
  Active Directory Authentication …… 61
  Standards and Protocols …… 62
    Kerberos …… 62
    X.509 Certificates …… 63
    LDAP/SSL …… 63
    PKI …… 64
1 What’s New in Windows Server 2003 Active Directory? …… 65
  New Features Available on All Windows Server 2003 Computers …… 68
  New Features Available Only with Windows Server 2003 Domain/Forest Functionality …… 69
    Domain Controller Renaming Tool …… 70
    Domain Rename Utility …… 70
    Forest Trusts …… 70
    Dynamically Linked Auxiliary Classes …… 70
    Disabling Classes …… 70
    Replication …… 70
Summary of Exam Objectives …… 72
Exam Objectives Fast Track …… 73
Exam Objectives Frequently Asked Questions …… 75
Self Test …… 76
Self Test Quick Answer Key …… 81
Chapter 2 Working with User, Group, and Computer Accounts …… 83
Introduction …… 84
3 Understanding Active Directory Security Principal Accounts …… 84
  Security Principals and Security Identifiers …… 85
    Tools to View and Manage Security Identifiers …… 90
  Naming Conventions and Limitations …… 92
3 Working with Active Directory User Accounts …… 99
  Built-In Domain User Accounts …… 101
    Administrator …… 102
    Guest …… 103
    HelpAssistant …… 104
    SUPPORT_388945a0 …… 104
    InetOrgPerson …… 104
  Creating User Accounts …… 105
    Creating Accounts Using Active Directory Users and Computers …… 105
    Creating Accounts Using the DSADD Command …… 110
  Managing User Accounts …… 113
    Personal Information Tabs …… 115
    Account Settings …… 118
    Terminal Services Tabs …… 122
    Security-Related Tabs …… 126
3 Working with Active Directory Group Accounts …… 131
  Group Types …… 131
    Security Groups …… 132
    Distribution Groups …… 132
  Group Scopes in Active Directory …… 133
    Universal …… 134
    Global …… 134
    Domain Local …… 135
  Built-In Group Accounts …… 135
    Default Groups in Builtin Container …… 136
    Default Groups in Users Container …… 138
  Creating Group Accounts …… 140
    Creating Groups Using Active Directory Users and Computers …… 141
    Creating Groups Using the DSADD Command …… 142
  Managing Group Accounts …… 143
3 Working with Active Directory Computer Accounts …… 150
  Creating Computer Accounts …… 150
    Creating Computer Accounts by Adding a Computer to a Domain …… 151
    Creating Computer Accounts Using Active Directory Users and Computers …… 152
    Creating Computer Accounts Using the DSADD Command …… 155
  Managing Computer Accounts …… 156
3 Managing Multiple Accounts …… 162
  Implementing User Principal Name Suffixes …… 162
  Moving Account Objects in Active Directory …… 164
    Moving Objects with Active Directory Users and Computers …… 164
    Moving Objects with the DSMOVE Command …… 165
    Moving Objects with the MOVETREE Command …… 166
  Troubleshooting Problems with Accounts …… 168
Summary of Exam Objectives …… 170
Exam Objectives Fast Track …… 171
Exam Objectives Frequently Asked Questions …… 173
Self Test …… 174
Self Test Quick Answer Key …… 179

Chapter 3 Creating User and Group Strategies …… 181
Introduction …… 182
Creating a Password Policy for Domain Users …… 182
  Creating an Extensive Defense Model …… 183
    Strong Passwords …… 184
    System Key Utility …… 185
  Defining a Password Policy …… 187
    Applying a Password Policy …… 187
    Modifying a Password Policy …… 190
    Applying an Account Lockout Policy …… 190
Creating User Authentication Strategies …… 192
  Need for Authentication …… 193
  Single Sign-On …… 194
    Interactive Logon …… 194
    Network Authentication …… 195
  Authentication Types …… 195
    Kerberos …… 195
    Passport Authentication …… 200
  Educating Users …… 202
Planning a Smart Card Authentication Strategy …… 203
  When to Use Smart Cards …… 205
  Implementing Smart Cards …… 206
    PKI and Certificate Authorities …… 206
    Setting Security Permissions …… 208
    Enrollment Stations …… 209
    Enabling Certificate Templates …… 209
    Requesting an Enrollment Agent Certificate …… 211
  Enrolling Users …… 211
    Installing a Smart Card Reader …… 212
    Issuing Smart Card Certificates …… 213
    Assigning Smart Cards …… 214
    Logon Procedures …… 215
    Revoking Smart Cards …… 215
  Planning for Smart Card Support …… 216
Planning a Security Group Strategy …… 217
  Understanding Group Types and Scopes …… 218
    Security and Distribution Groups …… 218
    Local, Domain Local, Global, and Universal Groups …… 219
  Security Group Best Practices …… 224
    Designing a Group Strategy for a Single Domain Forest …… 225
    Designing a Group Strategy for a Multiple Domain Forest …… 226
Summary of Exam Objectives …… 230
Exam Objectives Fast Track …… 232
Exam Objectives Frequently Asked Questions …… 233
Self Test …… 235
Self Test Quick Answer Key …… 241

Chapter 4 Working with Forests and Domains …… 243
Introduction …… 244
Understanding Forest and Domain Functionality …… 244
  The Role of the Forest …… 246
    New Forestwide Features …… 247
  The Role of the Domain …… 254
    New Domainwide Features …… 256
  Domain Trees …… 259
  Forest and Domain Functional Levels …… 259
    Domain Functionality …… 260
    Forest Functionality …… 265
1.3.5 Raising the Functional Level of a Domain and Forest …… 270
    Domain Functional Level …… 270
    Forest Functional Level …… 272
    Optimizing Your Strategy for Raising Functional Levels …… 273
1.3/2.1 Creating the Forest and Domain Structure …… 275
  Deciding When to Create a New DC …… 275
  Installing Domain Controllers …… 276
1.3.1   Creating a Forest Root Domain …… 278
    Creating a New Domain Tree in an Existing Forest …… 285
1.3.2   Creating a New Child Domain in an Existing Domain …… 288
    Creating a New DC in an Existing Domain …… 293
    Assigning and Transferring Master Roles …… 300
1.3.3   Using Application Directory Partitions …… 313
  Establishing Trust Relationships …… 315
    Direction and Transitivity …… 315
    Types of Trusts …… 317
  Restructuring the Forest and Renaming Domains …… 318
    Domain Rename Limitations …… 318
      Domain Rename Limitations in a Windows 2000 Forest …… 319
      Domain Rename Limitations in a Windows Server 2003 Forest …… 319
    Domain Rename Dependencies …… 320
    Domain Rename Conditions and Effects …… 322
    Domain Rename Preliminary Steps …… 323
    Performing the Rename Procedure …… 334
    Steps to Take After the Domain Rename Procedure …… 354
Implementing DNS in the Active Directory Network Environment …… 365
  DNS and Active Directory Namespaces …… 367
  DNS Zones and Active Directory Integration …… 367
  Configuring DNS Servers for Use with Active Directory …… 370
Contents xxi
Integrating an Existing Primary DNS Server with Active Directory ……… 370
Creating the Default DNS Application Directory Partitions ……… 371
Using dnscmd to Administer Application Directory Partitions ……… 372
Securing Your DNS Deployment ……… 373
Summary of Exam Objectives ……… 374
Exam Objectives Frequently Asked Questions ……… 376
Exam Objectives Fast Track ……… 377
Self Test ……… 379
Self Test Quick Answer Key ……… 387
Chapter 5 Working with Trusts and Organizational Units 389
Introduction ……… 390
1.3.6/2.1.1 Working with Active Directory Trusts ……… 390
Types of Trust Relationships ……… 394
Default Trusts ……… 395
Shortcut Trust ……… 395
Realm Trust ……… 396
External Trust ……… 396
Forest Trust ……… 397
Creating, Verifying, and Removing Trusts ……… 398
Securing Trusts Using SID Filtering ……… 400
3.3.1/3.4.3 Working with Organizational Units ……… 401
Understanding the Role of Container Objects ……… 402
3.4/3.4.1 Creating and Managing Organizational Units ……… 402
Applying Group Policy to OUs ……… 406
3.4.2 Delegating Control of OUs ……… 407
1.5/1.5.1/3.3/3.3.2 Planning an OU Structure and Strategy for Your Organization ……… 408
Delegation Requirements ……… 409
Security Group Hierarchy ……… 410
Summary of Exam Objectives ……… 412
Exam Objectives Fast Track ……… 413
Exam Objectives Frequently Asked Questions ……… 414
Self Test ……… 416
Self Test Quick Answer Key ……… 423
Chapter 6 Working with Active Directory Sites 425
Introduction ……… 426
Understanding the Role of Sites ……… 426
Replication ……… 427
Authentication ……… 427
Interactive Logon Authentication ……… 428
Network Authentication ……… 429
Distribution of Services Information ……… 429
Relationship of Sites to Other Active Directory Components ……… 431
Relationship of Sites and Domains ……… 431
Physical vs. Logical Structure of the Network ……… 433
The Relationship of Sites and Subnets ……… 433
1.4/2.2/2.2.3 Creating Sites and Site Links ……… 434
Site Planning ……… 434
Criteria for Establishing Separate Sites ……… 435
Creating a Site ……… 436
Renaming a Site ……… 438
Creating Subnets ……… 441
Associating Subnets with Sites ……… 444
1.4.1/2.2.2 Creating Site Links ……… 446
1.4.1/2.2.2 Configuring Site Link Cost ……… 449
2.2/2.2.1/2.5.1 Understanding Site Replication ……… 452
Purpose of Replication ……… 452
Types of Replication ……… 453
Intrasite Replication ……… 453
Intersite Replication ……… 454
1.4 Planning, Creating, and Managing the Replication Topology ……… 455
Planning Replication Topology ……… 455
Creating a Replication Topology ……… 456
Managing Replication Topology ……… 456
Configuring Replication between Sites ……… 457
Configuring Replication Frequency ……… 457
Configuring Site Link Availability ……… 458
Configuring Site Link Bridges ……… 458
1.4.2 Configuring Bridgehead Servers ……… 459
2.3 Troubleshooting Replication Failure ……… 459
Troubleshooting Replication ……… 460
2.3.1 Using Replication Monitor ……… 461
Using Event Viewer ……… 461
Using Support Tools ……… 462
2.3.2 Monitoring File Replication Service Replication ……… 463
Summary of Exam Objectives ……… 465
Exam Objectives Fast Track ……… 465
Exam Objectives Frequently Asked Questions ……… 467
Self Test ……… 468
Self Test Quick Answer Key ……… 474
Chapter 7 Working with Domain Controllers 475
Introduction ……… 476
1.3.4 Planning and Deploying Domain Controllers ……… 476
Understanding Server Roles ……… 476
Function of Domain Controllers ……… 480
Determining the Number of Domain Controllers ……… 481
Using the Active Directory Installation Wizard ……… 484
Creating Additional Domain Controllers ……… 494
Upgrading Domain Controllers ……… 500
Placing Domain Controllers within Sites ……… 502
Backing Up Domain Controllers ……… 503
Restoring Domain Controllers ……… 504
1.2/2.5.2 Managing Operations Masters ……… 505
Understanding the Operation Masters Roles ……… 505
Forestwide Roles ……… 506
Domainwide Roles ……… 507
1.2.1 Transferring and Seizing Operations Master Roles ……… 509
Transferring FSMOs ……… 510
Transferring the Schema FSMO ……… 510
Transferring Domain Naming FSMO ……… 514
Transferring RID, PDC, or Infrastructure FSMOs ……… 516
1.2.1 Responding to OM Failures ……… 516
Seizing the PDC Emulator or Infrastructure FSMO ……… 516
Seizing the RID Master, Domain Naming Master, and Schema Master FSMOs ……… 517
Summary of Exam Objectives ……… 523
Exam Objectives Fast Track ……… 524
Exam Objectives Frequently Asked Questions ……… 526
Self Test ……… 528
Self Test Quick Answer Key ……… 537
Chapter 8 Working with Global Catalog Servers and Schema 539
Introduction ……… 540
Working with the Global Catalog and GC Servers ……… 540
Functions of the GC ……… 541
2.1.3 UPN Authentication ……… 541
Directory Information Search ……… 542
Universal Group Membership Information ……… 543
Customizing the GC Using the Schema MMC Snap-In ……… 543
Creating and Managing GC Servers ……… 545
Understanding GC Replication ……… 547
Universal Group Membership ……… 547
Attributes in GC ……… 547
1.1 Placing GC Servers within Sites ……… 548
1.1.1 Bandwidth and Network Traffic Considerations ……… 549
1.1.2 Universal Group Caching ……… 550
Troubleshooting GC Issues ……… 552
2.1.2 Working with the Active Directory Schema ……… 551
Understanding Schema Components ……… 553
Classes ……… 554
Attributes ……… 555
Naming of Schema Objects ……… 559
Working with the Schema MMC Snap-In ……… 560
Modifying and Extending the Schema ……… 561
Deactivating Schema Classes and Attributes ……… 562
Troubleshooting Schema Issues ……… 563
Summary of Exam Objectives ……… 564
Exam Objectives Fast Track ……… 565
Exam Objectives Frequently Asked Questions ……… 566
Self Test ……… 567
Self Test Quick Answer Key ……… 573
Chapter 9 Working with Group Policy in an Active Directory Environment 575
Introduction ……… 576
4/4.2.1 Understanding Group Policy ……… 576
4.3.1 Terminology and Concepts ……… 577
Local and Non-Local Policies ……… 577
User and Computer Policies ……… 577
Group Policy Objects ……… 580
Scope and Application Order of Policies ……… 580
Group Policy Integration in Active Directory ……… 583
Group Policy Propagation and Replication ……… 583
4/4.1/4.2.1/4.3.1 Planning a Group Policy Strategy ……… 584
Using RSoP Planning Mode ……… 584
Opening RSoP in Planning Mode ……… 584
Reviewing RSoP Results ……… 587
Strategy for Configuring the User Environment ……… 588
Strategy for Configuring the Computer Environment ……… 590
4/4.2.1/4.3.1 Implementing Group Policy ……… 596
The Group Policy Object Editor MMC ……… 595
Creating, Configuring, and Managing GPOs ……… 595
Creating and Configuring GPOs ……… 596
Naming GPOs ……… 597
Managing GPOs ……… 598
Configuring Application of Group Policy ……… 600
General ……… 600
Links ……… 601
Security ……… 601
WMI Filter ……… 602
Delegating Administrative Control ……… 604
Verifying Group Policy ……… 604
4/4.2.1/4.2.2/4.2.3/4.3.1/4.3.2 Performing Group Policy Administrative Tasks ……… 608
Automatically Enrolling User and Computer Certificates ……… 608
Computer Configuration ……… 612
User Configuration ……… 613
Using Software Restriction Policies ……… 616
Setting Up Software Restriction Policies ……… 616
Software Policy Rules ……… 617
Precedence of Policies ……… 617
Best Practices ……… 618
4/4.2.1/4.3.1/5 Applying Group Policy Best Practices ……… 619
4/4.2.1/4.3.1/5.1/5.3 Troubleshooting Group Policy ……… 621
4.1.1 Using RSoP ……… 622
Using gpresult.exe ……… 623
Summary of Exam Objectives ……… 628
Fast Track ……… 629
Exam Objectives Frequently Asked Questions ……… 631
Self Test ……… 633
Self Test Quick Answer Key ……… 639
4.2.1/4.3.1 Chapter 10 Deploying Software via Group Policy 641
Introduction ……… 642
Understanding Group Policy Software Installation Terminology and Concepts ……… 642
Group Policy Software Installation Concepts ……… 644
Assigning Applications ……… 644
Publishing Applications ……… 646
Document Invocation ……… 646
Application Categories ……… 647
Group Policy Software Deployment vs. SMS Software Deployment ……… 648
Group Policy Software Installation Components ……… 648
Windows Installer Packages (.msi) ……… 649
Transforms (.mst) ……… 650
Patches and Updates (.msp) ……… 651
Application Assignment Scripts (.aas) ……… 652
Deploying Software to Users ……… 652
Deploying Software to Computers ……… 653
5.2 Using Group Policy Software Installation to Deploy Applications ……… 654
Preparing for Group Policy Software Installation ……… 654
Creating Windows Installer Packages ……… 654
Using .zap Setup Files ……… 656
Creating Distribution Points ……… 659
Working with the GPO Editor ……… 660
Opening or Creating a GPO for Software Deployment ……… 659
Assigning and Publishing Applications ……… 662
Configuring Software Installation Properties ……… 664
The General Tab ……… 665
The Advanced Tab ……… 665
The File Extensions Tab ……… 666
The Categories Tab ……… 666
5.2.1 Upgrading Applications ……… 667
5.2.2 Automatically Configuring Required Updates ……… 668
Removing Managed Applications ……… 669
Managing Application Properties ……… 670
Categorizing Applications ……… 673
Adding and Removing Modifications for Application Packages ……… 673
Troubleshooting Software Deployment ……… 675
Verbose Logging ……… 677
Software Installation Diagnostics Tool ……… 678
Summary of Exam Objectives ……… 679
Exam Objectives Fast Track ……… 679
Exam Objectives Frequently Asked Questions ……… 681
Self Test ……… 682
Self Test Quick Answer Key ……… 688
Chapter 11 Ensuring Active Directory Availability 689
Introduction ……… 690
Understanding Active Directory Availability Issues ……… 690
The Active Directory Database ……… 690
Data Modification to the Active Directory Database ……… 692
The Tombstone and Garbage Collection Processes ……… 694
RAID-1 ……… 700
RAID-5 ……… 701
Performing Active Directory Maintenance Tasks ……… 701
Defragmenting the Database ……… 702
Understanding Active Directory Database Fragmentation ……… 702
The Offline Defragmentation Process ……… 703
Moving the Database or Log Files ……… 707
2.5.3 Monitoring the Database ……… 711
Using Event Viewer to Monitor Active Directory ……… 711
Using the Performance Console to Monitor Active Directory ……… 713
Backing Up and Restoring Active Directory ……… 720
Backing Up Active Directory ……… 720
Using the Windows Server 2003 Backup Utility ……… 721
Backing Up at the Command Line ……… 733
2.4/2.4.1/2.4.2 Restoring Active Directory ……… 733
Directory Services Restore Mode ……… 733
Normal Restore ……… 734
Authoritative Restore ……… 741
Primary Restore ……… 743
2.5.3 Troubleshooting Active Directory Availability ……… 745
Setting Logging Levels for Additional Detail ……… 745
Using Ntdsutil Command Options ……… 747
Using the Integrity Command ……… 747
Using the recover Command ……… 750
Using the Semantic Database Analysis Command ……… 752
Using the esentutl Command ……… 756
Changing the Directory Services Restore Mode Password ……… 758
Summary of Exam Objectives ……… 759
Exam Objectives Fast Track ……… 760
Exam Objectives Frequently Asked Questions ……… 762
Self Test ……… 764
Self Test Quick Answer Key ……… 769
Appendix Self Test Questions, Answers, and Explanations 771
Chapter 1: Active Directory Infrastructure Overview ……… 772
Chapter 2: Working with User, Group, and Computer Accounts ……… 781
Chapter 3: Creating User and Group Strategies ……… 789
Chapter 4: Working with Forests and Domains ……… 797
Chapter 5: Working with Trusts and Organizational Units ……… 809
Chapter 6: Working with Active Directory Sites ……… 819
Chapter 7: Working with Domain Controllers ……… 826
Chapter 8: Working with Global Catalog Servers and Schema ……… 840
Chapter 9: Working with Group Policy in an Active Directory Environment ……… 847
Chapter 10: Deploying Software via Group Policy ……… 855
Chapter 11: Ensuring Active Directory Availability ……… 864
Index 873
This book’s primary goal is to help you prepare to take and pass Microsoft’s exam number 70-294, Planning, Implementing and Maintaining a Microsoft Windows Server 2003 Active Directory Infrastructure. At the time of this writing, the exam is expected to be released in its beta version in June 2003. Our secondary purpose in writing this book is to provide exam candidates with knowledge and skills that go beyond the minimum requirements for passing the exam, and help to prepare them to work in the real world of Microsoft computer networking in an Active Directory domain environment.

What is Exam 70-294?

Exam 70-294 is one of the four core requirements for the Microsoft Certified Systems Engineer (MCSE) certification. Microsoft’s stated target audience consists of IT professionals with at least one year of work experience on a medium or large company network. This means a multi-site network with