MCSE Self-Paced Training Kit (Exam 70-294): Planning ...


Index

A

Access-Based Enumeration, 11-30
access control
    for Active Directory objects. see Active Directory objects, access control
    defined, 9-47
    multiple domains affecting, 4-5
    transferring operations master roles with, 4-26
access control entries (ACEs), 6-3
access control lists. See ACLs (access control lists)
account expiration date, setting, 7-21
Accounting OUs, 17-23, 17-26
Account lockout policy, 4-4, 13-5
Account Operators group, 8-9
Account Operators, OUs, 17-34
Account Policies
    best practices, 13-11
    creating domains for, 4-3 to 4-4
    overview of, 13-5 to 13-6
accumulative counters, 14-9
ACEs (access control entries), 6-3
Acldiag.exe, 9-18
ACLs (access control lists)
    defined, 6-28
    defining OUs with, 6-3
    storing for Active Directory objects, 9-16
Active Directory, 1-3 to 1-46
    administrative tasks, 1-33 to 1-34
    backing up data in. see backup, Active Directory data
    change and configuration management, 1-27 to 1-28
    components, 1-9 to 1-10
    customizing MMCs. see MMCs (Microsoft Management Consoles)
    defined, 1-43
    directory services and, 1-4 to 1-5
    DNS service, 1-31
    exam highlights, 1-43
    features, 1-6 to 1-7
    global catalog, 1-17 to 1-19
    group policies, 1-28 to 1-31
    infrastructure design. see infrastructure, planning
    logical structures, 1-10 to 1-14
    object naming, 1-31 to 1-33
    objects, 1-8
    overview of, 1-4, 1-21
    performance monitoring. see performance monitoring
    physical structures, 1-14 to 1-16
    Questions and Answers, answers, 1-45 to 1-46
    Questions and Answers, questions, 1-19 to 1-20, 1-34 to 1-35
    replication, 1-21 to 1-25
    restoring. see restore, Active Directory data
    schema, 1-8 to 1-9
    summary, 1-20, 1-35
    trust relationships, 1-25 to 1-27
Active Directory Domains and Trusts console, 3-4 to 3-10
    domain functional levels, 3-4 to 3-7
    forest functional levels, 3-7 to 3-8
    overview of, 3-4
    UPN suffixes, 3-9 to 3-10
Active Directory installation, 2-18 to 2-37
    case scenario, 2-55 to 2-57, 2-64 to 2-65
    exam highlights, 2-61
    practice exercises, 2-33 to 2-35
    Questions and Answers, answers, 2-62 to 2-63
    Questions and Answers, questions, 2-36
    removing services from domain controller, 2-31 to 2-32
    summary, 2-36 to 2-37
    troubleshooting lab, 2-57 to 2-59
    using Active Directory Installation Wizard, 2-18 to 2-26
    using answer file, 2-26 to 2-27
    using Configure Your Server Wizard, 2-29 to 2-31
    using network or backup media, 2-27 to 2-29
    verifying, 2-38 to 2-43
Active Directory installation, preparation, 2-3 to 2-17, 2-44 to 2-55
    DNS configuration, 2-12 to 2-15
    DNS configuration method, 2-12
    domain name, 2-9 to 2-11
    domain structure, 2-3 to 2-8
    location of database and log files, 2-11
    location of shared system volume folder, 2-11 to 2-12
    practice exercise, 2-15
    prerequisites, 2-3
    Questions and Answers, answers, 2-62
    Questions and Answers, questions, 2-16
    summary, 2-16 to 2-17
Active Directory installation, troubleshooting
    with Dcdiag.exe, 2-47 to 2-49
    with Dcpromo log files, 2-49 to 2-50
    with Directory Service log, 2-45
    lab, 2-57 to 2-59
    with Netdiag.exe, 2-45 to 2-47
    with Ntdsutil.exe, 2-50 to 2-52
    overview of, 2-44
    practice exercise, 2-54
    Questions and Answers, answers, 2-64
    Questions and Answers, questions, 2-54 to 2-55
    scenarios, 2-52 to 2-53
    summary, 2-55
Active Directory installation, verifying, 2-38 to 2-43
    Directory Services Restore Mode boot option, 2-41 to 2-42
    DNS configuration, 2-39 to 2-40
    DNS integration with Active Directory, 2-40

70-294eBook.book Page 1 Tuesday, March 14, 2006 4:47 PM

Microsoft Press
Note
MCSE Self-Paced Training Kit (Exam 70-294): Planning, Implementing, and Maintaining a Microsoft® Windows Server™ 2003 Active Directory® Infrastructure (ISBN 0-7356-2286-8) by Jill Spealman, Kurt Hudson, Melissa Craft, and Content Master. Published by Microsoft Press. Copyright © 2006 by Microsoft Corporation.

    domain configuration, 2-38
    installation of shared system volume, 2-41
    practice exercise, 2-42 to 2-43
    Questions and Answers, answers, 2-63 to 2-64
    Questions and Answers, questions, 2-43
    summary, 2-43
Active Directory Installation Wizard, 2-18 to 2-26
    adding new domain controller, 2-20
    creating additional domains, 4-6 to 4-9
    creating first domain controller for new domain, 2-19 to 2-20
    creating multiple forests, 4-14 to 4-16
    creating multiple trees, 4-11 to 4-12
    installing Active Directory, 2-21 to 2-26
    overview of, 2-18 to 2-19
Active Directory–integrated forward lookup zone, 2-40
Active Directory objects
    case scenario, 9-43 to 9-45, 9-50 to 9-51
    exam highlights, 9-46 to 9-47
    troubleshooting lab, 9-42 to 9-43
Active Directory objects, access control, 9-15 to 9-35
    group membership affecting, 9-19 to 9-20
    overview of, 9-15 to 9-16
    ownership, overview of, 9-18 to 9-19
    ownership, transferring, 9-30
    permissions, administering special, 9-24 to 9-25
    permissions, assigning standard, 9-23 to 9-24
    permissions, best practices for assigning, 9-23
    permissions, changing inherited, 9-27
    permissions, defined, 9-15
    permissions, effective, 9-22 to 9-23
    permissions, inherited, 9-20 to 9-22
    permissions, overview of, 9-16 to 9-18
    permissions, removing security principals and related, 9-29 to 9-30
    permissions, removing special, 9-30
    permissions, setting inherited, 9-25 to 9-27
    practice exercises, 9-32 to 9-33
    Questions and Answers, answers, 9-48 to 9-49
    Questions and Answers, questions, 9-34
    selective authentication, 9-28 to 9-29
    summary, 9-35
Active Directory objects, delegating administrative control, 9-36 to 9-45
    overview of, 9-36 to 9-40
    Questions and Answers, answers, 9-49 to 9-50
    Questions and Answers, questions, 9-41
    removing delegated permissions, 9-40 to 9-41
    summary, 9-42
    verifying delegated permissions, 9-40
Active Directory objects, locating, 9-3 to 9-14
    common objects and their contents, 9-3 to 9-4
    practice exercises, 9-10 to 9-12
    Questions and Answers, answers, 9-48
    Questions and Answers, questions, 9-13
    summary, 9-13 to 9-14
    using Dsquery command, 9-6 to 9-7
    using Find option, 9-4 to 9-6
    using Netdom to list domain objects, 9-8
    using saved queries, 9-8 to 9-10
Active Directory quotas, 9-19, A-5
Active Directory Replication Monitor. See Replmon.exe (Active Directory Replication Monitor)
Active Directory Schema snap-in, 3-11
Active Directory security
    Account Policies, 13-5 to 13-6
    best practices, 13-11
    defined, 13-4
    Event Log, 13-6 to 13-7
    File System, 13-7
    IP Security Policies, 13-10
    Local Policies, 13-6
    overview of, 13-3 to 13-5
    Public Key Policies, 13-8 to 13-10
    Questions and Answers, answers, 13-86
    Questions and Answers, questions, 13-11 to 13-12
    Registry, 13-7
    Restricted Groups, 13-7
    review, 13-12
    Software Restriction Policies, 13-10
    summary, 13-12
    System Services, 13-7
    wireless network policies, 13-8
Active Directory Service Interfaces (ADSI), 3-13 to 3-14
Active Directory Sites and Services
    configuring sites with, 5-11 to 5-15
    creating RSoP queries from, 11-7
    opening Group Policy Object Editor from, 10-7
    overview of, 3-10
    saving RSoP queries created from, 11-15 to 11-16
Active Directory Step-by-Step Guides, 2-8
Active Directory tools, 3-3 to 3-17
    Active Directory Domains and Trusts console, 3-4 to 3-10
    Active Directory Schema snap-in, 3-11
    Active Directory Sites and Services console, 3-10
    Active Directory Users And Computers console, 3-10
    case scenario exercise, 3-55 to 3-56, 3-64 to 3-66
    exam highlights, 3-60 to 3-61
    overview of, 3-3
    practice exercises, 3-14 to 3-15
    Questions and Answers, answers, 3-62
    Questions and Answers, questions, 3-15 to 3-16
    summary, 3-16 to 3-17
    troubleshooting lab, 3-56 to 3-59
    Windows Support Tools, 3-11 to 3-14
Active Directory, troubleshooting, 14-36 to 14-52. See also diagnostic tools
    diagnosing errors, 16-34, 16-36
    with directory service log, 14-14 to 14-16, 14-37 to 14-40
    domain controller, 16-35, 16-37
    Domain Naming master, 16-35, 16-37


    further reading, 16-5
    operations master role failures, 16-33, 16-36
    overview of, 14-36 to 14-37, 16-33
    with Performance console, 14-41 to 14-42
    with Performance Logs and Alerts, 14-32 to 14-33
    Questions and Answers, answers, 14-50 to 14-51, 16-36 to 16-37
    Questions and Answers, questions, 14-42 to 14-43, 16-34 to 16-35
    replication delays, 16-34, 16-36
    RID master, 16-35, 16-37
    security failure, 16-34, 16-36
    summary, 14-43
    with System Monitor, 14-14 to 14-16
    troubleshooting lab, 14-46
Active Directory Users And Computers
    adding members to groups, 8-24
    creating groups in, 8-22 to 8-23
    creating RSoP queries from, 11-7
    opening Group Policy Object Editor from, 10-7
    overview of, 3-10
    saving RSoP queries created from, 11-15 to 11-16
    troubleshooting manual replication in, 5-69
Add or Remove Programs, 12-4, 12-7
Add/Remove Snap-In, MMCs, 3-23 to 3-27
administrative tasks, 1-33 to 1-34
administrative templates, 10-10 to 10-13, 11-17
administrative templates, GPO, 10-13 to 10-14
Administrator accounts, 7-5 to 7-6
Administrators group, 8-9, 8-29
Adminpak.msi, 3-23
Adprep.exe, 3-5
Adpromo command, 15-21
ADSI (Active Directory Service Interfaces), 3-13 to 3-14
advanced security settings. See special permissions
Advanced Simulation Options page, RSoP, 11-11 to 11-12
Advanced System Information-Policy tool, 11-23 to 11-24, 11-26 to 11-27
A (host) resource records, 2-13 to 2-15
alerts, creating, 14-28 to 14-30, 14-34
Allow permissions, 9-16
Anonymous Logon group, 8-13
answer files, creating, 2-26 to 2-27
answer files, parameters
    AdministratorPassword, B-1
    AllowAnonymousAccess, B-1
    AutoConfigDNS, B-2
    ChildName, B-2
    ConfirmGc, B-2
    CreateOrJoin, B-2 to B-3
    CriticalReplicationOnly, B-3
    DatabasePath, B-3
    DisableCancelForDnsInstall, B-3
    DNSOnNetwork, B-4
    DomainNetBiosName, B-4
    IsLastDCInDomain, B-4
    LogPath, B-4 to B-5
    NewDomain, B-5
    NewDomainDNSName, B-5
    ParentDomainDNSName, B-5
    Password, B-5
    RebootOnSuccess, B-6
    RemoveApplicationPartitions, B-6
    ReplicaDomainDNSName, B-6
    ReplicaOrMember, B-7
    ReplicaOrNewDomain, B-7
    ReplicationSourceDC, B-7
    ReplicationSourcePath, B-8
    SafeModeAdminPassword, B-8
    SetForestVersion, B-8
    SiteName, B-9
    Syskey, B-9
    SysVolPath, B-9
    TreeOrChild, B-9
    UserDomain, B-10
    UserName, B-10
antivirus software, 13-14
application directory partitions, 5-48 to 5-58
    adding/removing replica, 5-53 to 5-54
    creating or deleting, 5-53
    defined, 5-78
    defining, 5-4
    delegating creation of, 5-55 to 5-56
    displaying information, 5-54
    domain controller demotion and, 5-50 to 5-51
    forest and domain structure, 15-17
    managing, overview of, 5-52 to 5-53
    naming, 5-48 to 5-49
    overview of, 5-48
    Questions and Answers, answers, 5-82
    Questions and Answers, questions, 5-57
    replication and, 1-22, 5-49
    replication failure, 16-21
    security descriptor reference domain, 5-51 to 5-52
    setting reference domain, 5-56
    setting replication notification delays, 5-55
    summary, 5-58
    Windows Server 2003, A-4
application log, 13-45
applications
    assigning, 18-15
    installing, 18-17 to 18-18, 18-21
    publishing, 18-15
applications, deploying
    Gpresult command-line tool, 19-1, 19-5 to 19-11
    overview, 19-5
    Questions and Answers, answers, 19-11 to 19-13
    Questions and Answers, questions, 19-5 to 19-11
    Resultant Set of Policy (RSoP), 19-1 to 19-13
    user logon and, 18-27, 18-31
application (.zap) files, 12-6 to 12-7
Apply Group Policy permission, 10-39
archiving, security log, 13-52 to 13-53
assign, defined, 12-54
assigned applications
    overview of, 12-4


    published vs., 12-7 to 12-8
    software deployment best practices, 12-28
    software deployment process, 12-9
assignment
    applications, 18-15
    software, 18-24
    user rights, C-6
attributes
    hiding Active Directory, 9-41
    site link, 5-28 to 5-30
auditing, 13-4, 13-30
audit policies, 13-31 to 13-44
    auditing and, 13-30
    best practices, 13-39 to 13-40
    Directory Service objects, 13-35 to 13-37
    files, folders and printers, 13-37 to 13-39
    guidelines, 13-32
    Local Policies security settings, 13-6
    passwords, 7-8
    practice exercises, 13-40 to 13-43
    Questions and Answers, answers, 13-87 to 13-88
    Questions and Answers, questions, 13-43
    specifying event categories, 13-33 to 13-35
    summary, 13-44
    understanding, 13-31
Audit Policy extensions, 13-31
authentication
    Active Directory features, 1-7
    defined, 7-3, 7-53
    forests and, 4-46, 17-2
    further reading, 17-4
    overview, 17-14
    password management, 17-15 to 17-19
    Questions and Answers, answers, 17-18
    Questions and Answers, questions, 17-15 to 17-17
    role of sites in, 5-3
    traffic, 15-7, 15-28 to 15-31
    between two domains joined by external trust, 4-43, 4-44 to 4-45
    user, computer, and group strategies, 17-1 to 17-2
authoritative restore, 3-61, 16-28
authorization, 1-7
author mode, MMC in, 3-21 to 3-22
Autoenrollment settings, security certificates, 13-9
automatic installation, 12-9
automating user account creation, 7-16
availability, sites
    monitoring replication failure, 16-27
    monitoring replication monitoring, 16-24
    site management and, 16-14, 16-17 to 16-18, 16-20
available bandwidth, 15-7
    defined, 2-4, 5-3

B

backup
    Active Directory installation and, 2-27 to 2-29
    domain controller installation and, A-4
backup, Active Directory data, 3-30 to 3-43
    case scenario exercise, 3-55 to 3-56, 3-64 to 3-66
    creating, 3-30 to 3-36
    deleting scheduled operations, 3-39 to 3-40
    exam highlights, 3-60 to 3-61
    practice exercises, 3-41 to 3-42
    preliminary tasks, 3-30
    Questions and Answers, answers, 3-63 to 3-64
    Questions and Answers, questions, 3-42
    scheduling operations, 3-36 to 3-39
    summary, 3-42 to 3-43
    troubleshooting lab, 3-56 to 3-59
backup domain controllers (BDCs), 15-13, 15-15
Backup Operators Group, 3-30, 8-9
Backup Or Restore Wizard
    backup with, 3-30 to 3-36
    deleting scheduled backups, 3-39 to 3-40
    scheduling backups, 3-37 to 3-39
bandwidth, available, 2-4, 5-3, 15-7
baseline establishment, 14-41 to 14-42
BDCs (backup domain controllers), 15-13, 15-15
Berkeley Internet Name Domain (BIND), 2-5
BIND (Berkeley Internet Name Domain), 2-5
biometric authentication, 7-9
Block Policy Inheritance
    Group Policy setting, 10-19
    specifying, 10-38
    using sparingly, 10-43
.bmp files, 13-53
bottlenecks, 14-41
bridgehead servers
    designating preferred, 5-31 to 5-33
    overview of, 5-8
    site management and, 16-15
    site topology and, 15-29 to 15-31
bridges, site link
    creating, 5-33 to 5-34
    overview of, 5-7 to 5-8
    site management and, 16-14 to 16-15
Builtin folder, for default groups, 8-8 to 8-10
built-in local accounts, 8-13 to 8-14
built-in user accounts, 7-4 to 7-6
business and technical analyses, AD infrastructure design, 1-37
business function, in OU structure, 6-4 to 6-5

C

CA (certification authority)
    Public Key Policies security settings, 13-9
    replication transport protocols and, 5-26
    user authentication and, 17-14
caching. See universal group membership caching
catalog services. See global catalogs
centralized administrative control design, 10-26 to 10-27
centralized GPO design, 10-25 to 10-26
certificate rules
    creating, 13-19 to 13-20


    designating file types, 13-23 to 13-24
    rule precedence, 13-16 to 13-17
    software restriction policies, 13-15 to 13-16
certificates
    autoenrolling, 18-28, 18-32
    managing, 18-15 to 18-16
    Public Key Policies security settings, 13-9
    user authentication and, 17-14
certificate trust lists (CTLs), 13-9
certification authority. See CA (certification authority)
change management, Active Directory, 1-27 to 1-28
child domains
    computer environment deployment, 18-25 to 18-26, 18-30 to 18-31
    creating, 4-6 to 4-9, 4-16
    determining domain name, 2-9 to 2-11
    forest and domain structures, 15-20
    GPOs and, 10-5
Chkgrps.vbs, 8-23
CIMOM (Common Information Management Object Model) database, 11-3
circular trace log file, 14-27
client configuration, Active Directory, 1-6
combination OU structure, 6-5 to 6-6
Command Line Arguments, 14-30
command-line tools
    Gpresult, 19-1, 19-5 to 19-11
    monitoring performance, 14-30 to 14-31
    NETDOM, 16-6
    Windows Server 2003, A-3 to A-4, A-5
Common Information Management Object Model (CIMOM) database, 11-3
Compatws.inf (Compatible template), 13-57 to 13-58
Computer Configuration node
    Administrative Templates node in, 10-10 to 10-13
    computer environment deployment in, 18-24
    defining, 10-55
    disabling unused GPO parts in, 10-43
    disabling unused Group Policy settings in, 10-36
    Group Policy planning in, 18-5 to 18-6
    overview of, 10-8
    Software Settings node in, 10-8
    Window Settings node in, 10-9 to 10-10
computer environment, deploying
    application access, 18-28 to 18-29, 18-33
    application installation, 18-27, 18-31
    autoenrolling certificates, 18-28, 18-32
    child domains, 18-25 to 18-26, 18-30 to 18-31
    Computer Configuration node, 18-24
    Folder redirection, 18-26 to 18-27, 18-31
    further reading, 18-3 to 18-4
    GPO implementation, 18-25 to 18-26, 18-30 to 18-31
    kiosks, 18-25, 18-30
    overview, 18-24
    password management, 18-26 to 18-27, 18-31
    Questions and Answers, answers, 18-30 to 18-33
    Questions and Answers, questions, 18-25 to 18-29
    restricted access desktop, 18-25, 18-27, 18-30, 18-32
    security, 18-26 to 18-27, 18-31
    software assignment, 18-24
    software installation, 18-25, 18-28, 18-30, 18-32
computers
    configuring Offline Files for, 11-41 to 11-44
    IntelliMirror settings, 1-28
    managing, 1-27
    RSoP options, 11-8 to 11-9, 11-11, 11-14
computer strategies
    further reading, 17-4
    OU implementation, 17-28 to 17-34
    OU planning, 17-3, 17-20 to 17-28
    overview, 17-1
    security groups, 17-2, 17-5 to 17-13
    skills and suggested practices, 17-2 to 17-3
    user authentication, 17-2, 17-14 to 17-19
configuration containers, 4-13
configuration management, 1-27 to 1-28
Configuration Options page, Configure Your Server Wizard, 2-29 to 2-31
configuration partitions
    defined, 5-4
    replication and, 1-21
    replication failure and, 16-21
Configure Your Server Wizard, 2-29 to 2-31
connection objects
    creating and configuring, 5-34 to 5-37
    defined, 5-5 to 5-6
console modes, 3-21
console options, MMCs, 3-21 to 3-22
console tree, of MMCs, 3-19 to 3-20
container objects
    containing other objects, 1-8
    defined, 9-4
    delegation of administration and, 9-36 to 9-40, 15-32
    OUs and, 17-20
    troubleshooting Group Policy settings, 11-56
Coordinated Universal Time (UTC), 5-6
counter logs
    creating, 14-21 to 14-26, 14-33 to 14-34
    logging options, 14-20
    logging requirements, 14-20 to 14-21
    overview of, 14-19
credentials, Run As program, 8-30
cross-reference object, 5-55 to 5-56
.csv files, 13-53
CTLs (certificate trust lists), 13-9
custom administrative templates, 10-14
custom MMCs
    creating, 3-23 to 3-25
    defining, 3-19
    modifying, 3-25 to 3-27
    practice exercises, 3-27 to 3-28
    for remote administration, 3-22 to 3-23


D

database, Active Directory installation, 2-11, 2-23
data stores, centralized, 1-6
Dcdiag.exe (Domain Controller Diagnostic tool)
    defined, 5-59
    monitoring replication and security with, 5-66 to 5-67
    overview of, 16-21, 16-33 to 16-36
    troubleshooting Active Directory installation, 2-47 to 2-49
dcpromo.exe
    creating additional domains, 4-6
    creating additional forests, 4-14
    creating additional trees, 4-11
    forest and domain structure, 15-21, 15-25
    removing Active Directory, 2-32
    site topology, 15-30 to 15-31
Dcpromo log files, 2-49 to 2-50
DCsecurity.inf (Default Security settings updated for domain controllers) template, 13-58
decentralized administrative control design, 10-27
decentralized GPO design, 10-25 to 10-26
dedicated forest root domain, 2-6
dedicated setting GPO, 10-24
default administrative templates, 10-13
default domain controllers policy, 10-4
default domain policy, 10-4
Default-First-Site-Name, 5-12 to 5-13
default groups
    built-in local, 8-13 to 8-14
    special identity, 8-12 to 8-13
DEFAULTIPSITELINK, 5-14, 5-25 to 5-28
default security levels
    overview of, 13-14 to 13-15
    setting, 13-17 to 13-18
Default Security settings updated for domain controllers (DCsecurity.inf) template, 13-58
default security (Setup security.inf) template, 13-61 to 13-62
delegation of administration, for OUs
    defined, 9-47
    hierarchy models for, 6-4 to 6-6
    overview of, 6-3 to 6-4
    types of responsibility, 6-6 to 6-7
delegation of control
    container objects, 15-32
    GPOs, 10-20, 10-32 to 10-35
    password management, 15-33 to 15-36
    planning, 15-32
    Questions and Answers, answers, 15-35 to 15-36
    Questions and Answers, questions, 15-33 to 15-34
    RSoP, 11-23 to 11-24
    Windows NT, 2-7, 15-32
Delegation of Control Wizard, 9-36 to 9-40, 17-28
deleting
    application directory partition replica, 5-53 to 5-54
    application directory partitions, 5-53
    delegated permissions, 9-40
    GPOs, 10-42
    groups, 8-22
    OUs, 6-16
    trusts, 4-64 to 4-65
Deny permissions, 9-16
design team, AD infrastructure design, 1-37
details pane, MMCs, 3-20, 17-28
details pane, RSoP query results, 11-16
DFS (Distributed File System), 12-15
Diagnostics subkey registry entries, 14-38 to 14-40
diagnostic test, DNS, 2-24
diagnostic tools
    DCDIAG, 16-21, 16-33 to 16-36
    directory service log subkey, 16-33
directory objects, A-3
directory partitions
    defined, 5-4
    replication and, 1-21
    types of directory partition replicas, 5-4
Directory Service, 13-35 to 13-36
directory service log
    best practices, 14-13 to 14-14
    defined, 14-2
    increasing logging level in, 14-38 to 14-40
    troubleshooting Active Directory installation, 2-45
    troubleshooting performance, 14-37 to 14-40
    troubleshooting replication, 5-69
    troubleshooting scenarios, 14-14 to 14-16
Directory Service Remote Procedure Call (DS-RPC), 5-26
directory services
    configuring for auditing, 13-35 to 13-37
    further reading, 17-4
    OU implementation, 17-3, 17-28 to 17-34
    OU planning, 17-3, 17-20 to 17-28
    overview of, 1-4, 17-1
    reasons for, 1-5
    restoring. see restore, directory services
    security groups, 17-2, 17-5 to 17-13
    user authentication, 17-2, 17-14 to 17-19
    Windows Server 2003, 1-5
Directory Services Restore Mode boot option, 2-41 to 2-42
directory tree, 5-4
disabling, unused Group Policy settings, 10-36
Disallowed default security level, 13-14 to 13-15, 13-26
display options, System Monitor, 14-9, 14-11 to 14-13
distinguished names (DNs), 1-32, 7-6
Distributed File System (DFS), 12-15
distribution groups, 8-4, 15-19
DNs (distinguished names), 1-32, 7-6
DNS (Domain Name Service)
    configuring diagnostic test for AD installation, 2-24
    configuring for AD, 2-12 to 2-15
    domain trees vs. forests, 2-8
    integrating with AD, 1-6, 1-31, 2-5
    for new domains, 4-9 to 4-10


    troubleshooting problems indicated by, 14-37
    verifying AD installation, 2-39
    verifying integration with AD, 2-40
DNS forwarder
    external trusts, 4-55 to 4-56
    forest trusts, 4-59 to 4-62
DNS Lookup Failure, 5-69
DNS names
    AD installation, 2-9 to 2-11
    for application directory partitions, 5-48 to 5-49
    creating child domains, 4-7
    creating multiple trees, 4-10
    creating shortcut trusts, 4-48
    forest and domain structure, 16-7
    online information, 2-9
    replication failure and, 16-25, 16-27
    for sites, 5-3
DNS servers, 5-43
Domain Admins group
    AD removed by, 2-31 to 2-32
    domain controllers renamed by, 4-19 to 4-21
    exempt from quotas, 9-19
    forest root domain and, 16-12
    security groups and, 17-7 to 17-8, 17-12
Domain Controller Diagnostic tool. See Dcdiag.exe (Domain Controller Diagnostic tool)
domain controllers
    backup, 15-15
    configuring AD installation, 2-19 to 2-22, 2-27 to 2-28
    creating in site, 5-18
    creating multiple domains and, 4-5
    defined, 15-3, 15-7
    demoting, 5-50 to 5-51
    deploying, 18-24 to 18-33
    determining location of, 5-17 to 5-18
    forest/domain structure and, 15-18 to 15-27
    functions of, 1-15 to 1-16
    as global catalog servers, 15-8 to 15-11. see also global catalog servers
    Group Policy, 18-1 to 18-3, 19-1 to 19-3
    infrastructure, 15-4
    installing, 5-12 to 5-13, A-4
    moving into site, 5-18
    operations master roles and, 15-12 to 15-16. see also operations master roles
    primary domain controller (PDC) emulators, 15-12 to 15-16
    removing, 2-51 to 2-52, 5-19
    removing AD services from, 2-31 to 2-32
    renaming, 4-19 to 4-22, 4-76, A-6
    replication and, 1-22, 16-21 to 16-27
    restoring directory services, 16-3, 16-28 to 16-32
    security groups, 17-5 to 17-6, 17-10
    seizing operations master role assignments, 4-34 to 4-36
    sites and, 15-28 to 15-31
    specifying event categories to be audited, 13-33
    troubleshooting, 2-47 to 2-49, 16-33 to 16-37
    user authentication, 17-2
    user environment, 18-15 to 18-23
    verifying AD installation on, 2-38
domain functional level
    in Active Directory Domains and Trusts, 3-4 to 3-7
    adding members to global group, 8-24
    defined, 1-11, 3-61
    four levels of, 15-16 to 15-17
domain GPOs
    applying Group Policy settings to, 10-16
    creating, 10-30 to 10-31
    linking, 10-40 to 10-41
    planning, 10-25
domain local group
    defining, 8-5, 8-39
    determining group membership, 8-6
    planning, 8-15 to 8-16
    security groups, 17-5 to 17-13
domain mode, 1-11
domain names. See DNS names
Domain Name Service. See DNS (Domain Name Service)
domain naming master role
    defined, 4-24, 4-26
    operations master role failures, 16-33
    placing for flexibility, 15-12 to 15-16
    seizing, 4-27
    transferring assignment, 4-32 to 4-33
    troubleshooting, 16-35, 16-37
    viewing assignment, 4-30
domain node, OU structure, 17-28
domain partitions, 1-22, 5-4
domains
    child. see child domains
    configuring AD installation, 2-21 to 2-22
    defined, 1-43, 15-3, 15-7
    delegating administration of, 9-36 to 9-40, 15-32 to 15-36
    domain local group. see domain local group
    global catalog servers, 15-8 to 15-10
    OU implementation, 17-28 to 17-34
    OU planning, 17-20 to 17-28
    overview of, 1-10 to 1-11
    planning, 1-39 to 1-40
    renaming, A-6
    renaming and restructuring, 4-18 to 4-19, 4-22, 4-75 to 4-76
    root. see Root domains
    specifying event categories to be audited, 13-33 to 13-34
    trees vs. forests, 2-8
    Windows Server 2003, A-4, A-6 to A-7
Domains and Trusts Console, 16-6 to 16-7, 16-10, 16-23, 16-26
domains, multiple, 4-3 to 4-10
    administrative requirements, 4-4
    case scenario, 4-71 to 4-72, 4-77 to 4-78
    cost issues of creating, 4-5 to 4-6


  creating, 4-6 to 4-9
  DNS structure for new, 4-9 to 4-10
  exam highlights, 4-73
  optimizing replication using, 4-4 to 4-5
  overview of, 4-3
  practice exercise, 4-16
  Questions and Answers, answers, 4-75
  Questions and Answers, questions, 4-16 to 4-17
  retaining Windows NT domains using, 4-5
  security requirements, 4-3 to 4-4
  summary, 4-17
  troubleshooting lab, 4-69 to 4-71
domain structure
  domain hierarchy, 2-7
  forest root domain, 2-6
  number of domains, 2-6 to 2-7
  physical environment, 2-3 to 2-5
domain structure, implementing
  application directory partitions, 15-17
  external trusts, 15-27
  logons, 15-24
  multimaster replication, 15-17
  overview, 15-2, 15-4, 15-17 to 15-19
  Questions and Answers, answers, 15-20 to 15-27
  Questions and Answers, questions, 15-18 to 15-20
  shortcut trusts, 15-27
  Sites and Services console, 15-25
  trust relationships, 15-17, 15-24, 15-27
domain structure, managing
  further reading, 16-4
  global catalog, 16-6
  logons, 16-7
  overview, 16-6 to 16-7
  Questions and Answers, answers, 16-11 to 16-13
  Questions and Answers, questions, 16-8 to 16-10
  schema extension, 16-6, 16-9, 16-12
  Schema snap-in, 16-6
  skills and suggested practices, 16-1 to 16-4
  trust relationships, 16-6, 16-8 to 16-9, 16-11
  UPN names, 16-7
domain user account
  creating, 7-13 to 7-16
  defined, 7-4
  modifying properties, 7-16 to 7-18
  naming conventions, 7-6 to 7-7
  overview of, 7-4 to 7-5
domain-wide authentication, 4-43
Drag-and-drop functionality, 6-18 to 6-19, A-3
Dsacls.exe, 9-18
dsadd quota command, 9-19
Dsastat.exe, 5-64 to 5-66
dsmod quota command, 9-19
Dsmove command, 6-20 to 6-21
Dsquery command, 9-4, 9-6 to 9-7
dsquery quota command, 9-19
DS-RPC (Directory Service Remote Procedure Call), 5-26

E

editing
  analysis database, 13-74
  GPOs, 10-33 to 10-34, 10-42
effective permissions, 9-22 to 9-23
EFS (Encrypting File System)
  controlling and disabling, 13-10
  network connectivity and, 11-38
  Public Key Policies, 13-9
  redirecting My Documents to home folders and, 11-31
e-mail systems, 7-7
Encrypting File System. See EFS (Encrypting File System)
encryption
  LDAP traffic, 1-7
  network connectivity, 11-38
  not supported within roaming user profiles, 7-32
  Offline Files, 11-43
  redirecting My Documents to home folders and, 11-31
Enrollment Agent certificate, 7-9
Enterprise Admins group
  delegation of application directory partitions, 5-55 to 5-56
  exempt from quotas, 9-19
  forest/domain structure, 16-6
  removing AD, 2-31 to 2-32
Enterprise Trusts, security certificates, 13-9
event ID 2089, 3-31
Event Log settings
  best practices, 13-11
  configuring security log size, 13-51
  overview of, 13-6 to 13-7
events
  filtering security log, 13-49 to 13-50
  finding in security log, 13-47 to 13-48
  viewing in security log, 13-46 to 13-47
events, audit policy
  categories in Audit Policy extensions, 13-31
  configuring objects for auditing, 13-35 to 13-39
  defined, 13-30
  guidelines, 13-32
  specifying event categories to be audited, 13-33 to 13-35
Event Viewer
  archiving security log, 13-52 to 13-53
  clearing security log, 13-51 to 13-52
  filtering events in security log, 13-49 to 13-50
  finding events in security log, 13-47 to 13-48
  logs viewed in, 14-2
  overview, 16-21 to 16-22
  Questions and Answers, answers, 16-26 to 16-27
  Questions and Answers, questions, 16-23 to 16-24
  replication monitoring, 16-21, 16-23, 16-24, 16-26
  troubleshooting Group Policy with, 11-52 to 11-53
  viewing folder redirection errors, 11-34
  viewing logs in, 13-45
Everyone group, 8-13
.evt files, 13-53

exceptions, GPO processing, 10-18 to 10-19, 10-37 to 10-39
expiration date, account, 7-21
Explain tab, Properties dialog box, 10-10
explicit trusts. See also external trusts
exporting security templates, 13-76
Extended tab, Group Policy Object Editor, 10-10
extensibility, Active Directory, 1-6
extensions
  adding or removing to snap-in on existing MMC, 3-26 to 3-27
  characteristics of, 3-20 to 3-21
extension snap-ins. See extensions
external namespaces, 2-10
external trusts, 4-44 to 4-45
  AD supported trust relationships, 1-27
  creating, 4-55 to 4-59
  defined, 4-40
  deleting, 4-65
  forest and domain implementation, 15-20, 15-23, 15-24, 15-27
  forest and domain management, 16-8 to 16-9, 16-11
  when to create, 4-44

F

Feature Controls, online resources, 10-14
File Replication Service. See FRS (File Replication Service)
file replication service logs, 14-3, 14-48
File Replication Service Utility (Ntfresutil), 16-33
files
  audit policy guidelines, 13-32
  configuring for auditing, 13-37 to 13-39
  types, 13-23 to 13-24
File System security settings, 13-7
filters/filtering
  administrative template views, 10-12
  events in security log, 13-49 to 13-50
  GPO scope with security groups, 10-3, 10-20, 10-39 to 10-40
  GPO scope with WMI queries, 10-20
  security group policies, 10-43
Filter tab, Security Properties dialog box, 13-49 to 13-50
Find option
  Active Directory objects, 9-4 to 9-6
  security log events, 13-47 to 13-48
firewalls
  configuring for Active Directory replication, 14-36
  designating preferred bridgehead servers with, 5-31 to 5-33
flexible single master operations (FSMO), 4-23. See also operations master roles
folder redirection
  advantages of, 11-30
  best practices, 11-46 to 11-47
  case scenario exercise, 11-60 to 11-61, 11-70 to 11-71
  computer environment and, 18-26 to 18-27, 18-31
  Group Policy and, 18-1, 18-6
  My Documents to home folders, 11-30 to 11-31
  overview of, 11-29 to 11-30
  troubleshooting Group Policy settings, 11-57 to 11-58
  troubleshooting lab, 11-61 to 11-65, 11-72
  user environment and, 18-18, 18-22
  in Windows Server 2003, A-6
folder redirection, and Offline Files, 11-39 to 11-46
  computer and servers configuration, 11-41 to 11-44
  overview of, 11-39
  setup, 11-40
  sharepoint configuration, 11-40 to 11-41
  synchronization, 11-44 to 11-46
  working offline, 11-39 to 11-40
Folder Redirection node, 11-29 to 11-30
folder redirection, setting up, 11-32 to 11-39
  according to security group membership, 11-35 to 11-36
  My Pictures Preferences options, 11-35, 11-37
  overview of, 11-32
  Policy Removal options, 11-34 to 11-35, 11-37
  selecting Target tab, 11-32
  Settings tab options, 11-33 to 11-34, 11-37
  Target Folder Location list options, 11-33, 11-36
folders
  audit policy guidelines, 13-32
  configuring for auditing, 13-37 to 13-39
  managing with Group Policy. see Group Policy, managing special folders with
  user profiles, 7-28 to 7-29
forced removal, of applications deployed with Group Policy, 12-38 to 12-40
forest functional level
  in Active Directory Domains and Trusts, 3-7 to 3-8
  defined, 1-14, 3-61
  trust relationships, 15-23, 15-27
  Windows versions, 15-17, 15-27
forests
  cross-forest support, A-6
  defined, 1-44, 15-3, 15-7
  delegation across, 10-35
  delegation of administration, 15-33 to 15-36
  domain trees vs., 2-8
  global catalog servers, 15-8 to 15-10
  Group Policy and, 19-1 to 19-3
  installing, 16-1 to 16-4
  interactive logon tasks across, 10-16
  logical structures, 1-13 to 1-14
  operations master role placement, 15-4, 15-13 to 15-16
  operations master roles, 4-24
  OU structure and, 17-22 to 17-23, 17-25 to 17-26
  planning, 1-38 to 1-39
  planning operations master roles for, 4-29 to 4-30
  restructuring domains within, 4-18 to 4-19
  root domain, 2-6
  schema objects, 15-18

  security groups, 17-5 to 17-13
  site topology, 15-28 to 15-31
  user authentication, 17-2
  Windows Server 2003, A-4, A-6 to A-7
forests, multiple
  case scenario, 4-71 to 4-72, 4-77 to 4-78
  creating, 4-14 to 4-16
  exam highlights, 4-73
  implications of creating, 4-13 to 4-14
  overview of, 4-12
  Questions and Answers, answers, 4-75
  Questions and Answers, questions, 4-16 to 4-17
  reasons to create, 4-13
  summary, 4-17
forest trusts
  accessing resources across forests joined by, 4-46
  Active Directory supported trust relationships, 1-27
  creating, 4-59 to 4-62
  defined, 4-40
  multiple forests and, 4-13
  one-way, 4-46
  overview of, 4-41
  requirements, 4-47
  two-way, 4-46
FRS (File Replication Service)
  Adprep.exe tool and, 3-5
  configuring firewalls to allow replication, 14-36
  defining, 14-2 to 14-3
  monitoring, 14-8 to 14-9
  monitoring with Ntfrsutl utility, 14-3, 16-33
  replication monitoring, 16-21 to 16-22
FSMO (flexible single master operations), 4-23. See also operations master roles
Full Control permission
  administrative control design, 10-27 to 10-28
  delegating of OUs, 6-6 to 6-7
  redirecting My Documents to home folders, 11-34
  required for creating or modifying logs, 14-20

G

global catalogs, 1-17 to 1-19
  creating or removing, 5-44 to 5-45
  database, 15-7, 16-6, 16-12
  defined, 5-41
  functions of, 1-17 to 1-18
  overview of, 1-17
  queries, 1-18 to 1-19
  replication and, 1-22
global catalog servers
  creating or removing global catalogs, 5-44 to 5-45
  defined, 5-41, 5-78
  domain controllers acting as, 5-4 to 5-5
  domain controllers and, 15-3, 15-7
  domain structure and, 15-20, 15-23 to 15-24, 15-27
  further reading, 15-5
  overview, 1-17, 15-3 to 15-4, 15-7
  placing operations master roles, 15-12 to 15-16
  Questions and Answers, answers, 5-81 to 5-82, 15-10 to 15-11
  Questions and Answers, questions, 15-8 to 15-9
  replication monitoring, 16-21
  site topology, 15-29 to 15-31
  trust relationships, 15-7
global catalog servers, configuring, 5-41 to 5-47
  creating or removing, 5-44 to 5-45
  determining location of, 5-42 to 5-44
  enabling universal group membership caching, 5-45 to 5-46
  overview of, 5-41
  Questions and Answers, questions, 5-46 to 5-47
  summary, 5-47
  universal group membership caching, 5-42
global groups
  defining, 8-5, 8-39
  determining group membership, 8-6
  planning, 8-15 to 8-16
  security groups and, 17-5 to 17-13
globally unique identifiers (GUIDs), 1-32 to 1-33
GPMC (Group Policy Management Console), 11-4
GPO console, creating for software deployment, 12-15
GPOs (Group Policy Objects)
  administrative control of, 10-26 to 10-28
  application deployment, 19-5 to 19-14
  computer environment deployment, 18-24 to 18-33
  OU structure and, 17-20, 17-25 to 17-26
  overview of, 10-4 to 10-7
  planning, 10-23 to 10-26
  removing from redirected folders, 11-38 to 11-39
  RSoP queries and, 11-18
  software deployment, 12-15 to 12-20
  user environment configuration, 18-15 to 18-23
  Windows versions supporting, 10-5
GPOs (Group Policy Objects), implementing, 10-30 to 10-54
  best practices, 10-43
  case scenario exercise, 10-48 to 10-51, 10-58 to 10-59
  configuring Group Policy settings, 10-35 to 10-36
  creating, 10-30 to 10-31
  creating MMCs for, 10-31 to 10-32
  delegating control, 10-32 to 10-35
  deleting, 10-42
  disabling unused settings, 10-36
  editing, 10-42
  exam highlights, 10-54 to 10-55
  filtering GPO scope with security groups, 10-39 to 10-40
  GPOs. see GPOs (Group Policy Objects), implementing
  indicating processing exceptions, 10-37 to 10-39
  linking, 10-40 to 10-41
  modifying, 10-41
  overview of, 10-30

  practice exercises, 10-44 to 10-46
  Questions and Answers, answers, 10-57 to 10-58
  Questions and Answers, questions, 10-46 to 10-48
  refreshing, 10-42 to 10-43
  removing link, 10-41 to 10-42
  summary, 10-48
  troubleshooting lab, 10-51 to 10-54
GPOs (Group Policy Objects), planning
  Computer Configuration node, 18-5 to 18-6
  further reading, 18-2, 18-3
  group policies, 18-9 to 18-10
  kiosk systems, 18-9, 18-13
  local v. group policies, 18-9, 18-13
  OU relocation issues, 18-6, 18-11
  overview, 18-1, 18-5 to 18-6
  password management, 18-8, 18-10, 18-12 to 18-14
  resource access, 18-7, 18-11
  security settings, 18-9 to 18-14
  software distribution, 18-7 to 18-8, 18-11 to 18-12
  user configuration, 18-5 to 18-6
Gpotool utility, 11-23
Gpresult command-line tool
  application deployment, 19-1 to 19-13
  exercise creating RSoP query, 11-26
  generating RSoP queries with, 11-20 to 11-23
  security settings, 19-24 to 19-30
  troubleshooting Group Policy with, 11-52
Gpupdate
  refreshing GPOs with, 10-43
  specifying event categories to be audited, 13-35
  troubleshooting Group Policy with, 11-52, 19-24
grandchild domains, 2-9 to 2-11
Group Policy, 1-28 to 1-31, 10-3 to 10-22
  administrative templates, 10-10 to 10-14
  applying, 10-16 to 10-19
  Computer and User Configuration nodes, 10-8
  computer environment deployment, 18-24 to 18-33
  costs of creating multiple domains, 4-5
  defining, 10-55
  delegating control of GPOs, 10-20
  filtering GPO scope, 10-20
  functions of, 18-1
  further reading, 18-3 to 18-4, 19-3 to 19-4
  GPOs, 10-4 to 10-7
  hierarchical order in, 1-29 to 1-30
  OUs, 6-7, 17-20 to 17-21, 17-25
  overview of, 1-28 to 1-29, 10-3
  Questions and Answers, answers, 10-56
  Questions and Answers, questions, 10-21
  RSoP and, 1-30, 10-20
  security administration. see security administration
  settings options, A-5
  skills and suggested practices, 18-1 to 18-2, 19-1 to 19-3
  software deployment. see software deployment
  software maintenance. see software maintenance
  Software Settings node, 10-8
  startup and logon and, 10-15 to 10-16
  summary, 10-21 to 10-22
  user environment configuration. see user environment
  user profiles, 7-31
  Windows Settings node, 10-9 to 10-10
Group Policy, administering
  case scenario exercise, 11-60 to 11-61
  exam highlights, 11-65 to 11-66
  managing special folders. see special folders, managing with Group Policy
  with RSoP Wizard. see Resultant Set of Policy Wizard
  troubleshooting lab, 11-61 to 11-65
Group Policy Management Console (GPMC), 11-4
Group Policy, managing special folders with, 11-29 to 11-50
Group Policy Object Editor
  configuring Group Policy settings, 10-35 to 10-36
  Extended tab, 10-10
  Group Policy settings on, 10-23
  overview of, 10-5 to 10-7
  security settings, 19-24 to 19-30
  troubleshooting scenarios, 11-55
Group Policy Objects. See GPOs (Group Policy Objects)
Group Policy, planning strategies, 10-23 to 10-29
  administrative control of GPOs, 10-26 to 10-28
  GPOs, 10-23 to 10-26
  overview of, 10-23
  Questions and Answers, answers, 10-57
  Questions and Answers, questions, 10-28 to 10-29
  settings, 10-23
  summary, 10-29
Group Policy, troubleshooting, 11-51 to 11-60
  case scenario exercise, 11-60 to 11-61, 11-70 to 11-71
  with Event Viewer, 11-52 to 11-53
  exam highlights, 11-65 to 11-66
  with Gpupdate, 11-52
  lab, 11-61 to 11-65, 11-72
  with log files, 11-53 to 11-54
  overview of, 11-51 to 11-52
  Questions and Answers, answers, 11-69
  Questions and Answers, questions, 11-59 to 11-60
  with Resultant Set of Policy Wizard and Gpresult, 11-52
  scenarios, 11-55 to 11-58
  summary, 11-60
groups, 8-3 to 8-21
  access control and, 9-19 to 9-20
  built-in local, 8-13 to 8-14
  case scenario exercise, 8-34 to 8-36, 8-42 to 8-43
  default groups in Builtin folder, 8-8 to 8-10
  default groups in Users folder, 8-10 to 8-11
  exam highlights, 8-38 to 8-39
  group objects, 17-1
  Group Policy and, 10-3
  group scope, overview of, 8-4 to 8-6

  local, 8-7 to 8-8
  membership rules, 8-6
  nesting, 8-7
  overview of, 8-3 to 8-4
  planning, 8-15 to 8-16
  practice exercises, 8-17 to 8-20
  Questions and Answers, answers, 8-40 to 8-41
  Questions and Answers, questions, 8-20 to 8-21
  Restricted Groups security settings, 13-7
  special identity, 8-12 to 8-13
  summary, 8-21
  troubleshooting lab, 8-36 to 8-37
  types of, 8-4
groups, administering, 8-22 to 8-33
  adding members to groups, 8-24 to 8-25
  case scenario exercise, 8-34 to 8-36, 8-42 to 8-43
  changing group scope, 8-25 to 8-26
  creating groups, 8-22
  deleting groups, 8-22
  determining membership of, 8-23
  exam highlights, 8-38 to 8-39
  practice exercises, 8-26
  Questions and Answers, answers, 8-42
  Questions and Answers, questions, 8-27, 8-33
  summary, 8-27 to 8-28, 8-33 to 8-34
  troubleshooting lab, 8-36 to 8-37
  using Run As program, 8-29 to 8-33
  why you should not run your computer as Administrator, 8-29
group scope
  changing, 8-25 to 8-26
  determining membership of group, 8-6
  group nesting using membership rules of, 8-7
  not applying to special identity groups, 8-12
  overview of, 8-4 to 8-6
Groups OU, 17-32
groups, strategies for
  further reading, 17-4
  OU implementation, 17-28 to 17-34
  OU planning, 17-3, 17-20 to 17-28
  overview, 17-1
  security groups, 17-2, 17-5 to 17-13
  skills and suggested practices, 17-2 to 17-3
  user authentication, 17-2, 17-14 to 17-19
Guest accounts, 7-6
GUIDs (globally unique identifiers), 1-32 to 1-33

H

hardware failure, 16-30, 16-32
hash rules
  creating, 13-18 to 13-19
  designating file types, 13-23 to 13-24
  rule precedence, 13-16 to 13-17
  software restriction policies, 13-15 to 13-16
Help, Administrative Templates, 10-10
Help and Support Center window
  deploying smart cards, 7-19
  viewing RSoP queries in, 11-23
hidden objects
  creating OUs for, 6-11 to 6-12
  defining OUs for, 6-7
Hierarchical Storage Manager (HSM), 3-33
hierarchy
  DNS name, 2-9
  domain, 2-8
  OU models for delegation of administration, 6-4
Hisecdc.inf template, 13-60
Hisecws.inf template, 13-59
home folders
  creating on server, 7-40 to 7-41
  overview, 7-39 to 7-40
  practice exercise, 7-41 to 7-42
  Questions and Answers, answers, 7-55 to 7-56
  Questions and Answers, questions, 7-42 to 7-43
  redirecting My Documents to, 11-30 to 11-31, 11-34
  summary, 7-43
host (A) resource records, 2-13 to 2-15
HSM (Hierarchical Storage Manager), 3-33

I

IIS (Internet Information Services), 7-5
Import Template dialog box, 13-71
InetOrgPerson class, A-4
Inetres.adm template, 10-14
.inf file, 13-56
infrastructure, managing
  directory services, 16-28 to 16-32
  forest and domain structure, 16-6 to 16-13
  further reading, 16-4 to 16-5
  overview, 16-1
  replication, 16-21 to 16-27
  sites, 16-14 to 16-20
  skills and suggested practices, 16-1 to 16-4
  troubleshooting Active Directory, 16-33 to 16-37
infrastructure master role
  failure, 16-33
  overview of, 4-25 to 4-26
  placing for flexibility, 15-12 to 15-16
  planning operations master locations, 4-28 to 4-29
  seizing, 4-28
  transferring assignment, 4-31 to 4-32
  viewing assignment, 4-30
infrastructure, planning, 1-36
  business and technical analyses, 1-37
  delegation strategies, 15-32 to 15-36
  design team, 1-37
  domain controllers, 15-4
  domains, 1-39 to 1-40
  forests, 1-38 to 1-39, 15-17 to 15-28
  further reading, 15-5 to 15-7

  global catalog servers, 15-7 to 15-11
  operations master roles, 15-12 to 15-16
  OUs, 1-40
  overview of, 1-36, 15-3
  Questions and Answers, answers, 1-46
  Questions and Answers, questions, 1-41 to 1-42
  site topology, 1-40 to 1-41, 15-28 to 15-31
  skills and suggested practices, 15-3 to 15-5
  summary, 1-42
  testing environment, 1-38
inheritance
  of delegated control, 10-35
  group policies, 10-17 to 10-18
inherited permissions
  affect on access control, 9-20 to 9-22
  changing, 9-27
  setting, 9-25 to 9-27
IntelliMirror
  group policies and, 18-1
  management technology, 1-28
  software management, 12-3
internal namespaces, 2-10
International Organization for Standardization (ISO), 2-11
Internet DNS names, 2-10
Internet Explorer, Windows Server 2003 settings, 13-13
Internet standard characters, 2-10
Internet zone rules
  creating, 13-20 to 13-21
  designating file types, 13-23 to 13-24
  rule precedence, 13-16 to 13-17
  software restriction policies, 13-15 to 13-16
interoperability, Active Directory, 1-7
Inter-Site Messaging-Simple Mail Transport Protocol (ISM-SMTP), 5-26
intersite replication
  intrasite vs., 5-5 to 5-6
  overview of, 1-24 to 1-25
  process, 5-9
  replication transport protocols and, 5-26
  site links for, 5-6
intersite replication, configuring, 5-23 to 5-24
  creating connection objects, 5-34 to 5-37
  creating site link bridges, 5-33 to 5-34
  creating site links, 5-25 to 5-28
  designating preferred bridgehead server, 5-31 to 5-33
  overview of, 5-25
  practice exercises, 5-37 to 5-39
  Questions and Answers, answers, 5-80 to 5-81
  Questions and Answers, questions, 5-39 to 5-40
  site link attributes, 5-28 to 5-30
  summary, 5-40
Inter-Site Transports container, 5-12 to 5-13, 5-26
intrasite replication
  intersite vs., 5-5 to 5-6
  overview of, 1-22 to 1-24
  replication transport protocols and, 5-26
IP Security Policies, 13-10
IP subnets. See subnets
isMemberOfPartialAttributeSet value, 5-5
ISM-SMTP (Inter-Site Messaging-Simple Mail Transport Protocol), 5-26
ISO (International Organization for Standardization), 2-11
IUSR_computername account, 7-5
IWAM_computername account, 7-5

K

KCC (knowledge consistency checker)
  application directory partition replication and, 5-49
  connection objects, creating and configuring, 5-34 to 5-37
  intrasite replication and, 1-22 to 1-24, 5-5
  site management, 16-14 to 16-15
  site topology, 15-29, 15-31
KDC (Kerberos Key Distribution Center), 13-5
Kerberos policy, 4-4, 13-5
Kerberos v.5 protocol, 4-39 to 4-40
keyboard symbols, in strong passwords, 7-8
kiosks
  computer environment deployment, 18-25, 18-30
  group policies and, 18-9, 18-13
knowledge consistency checker. See KCC (knowledge consistency checker)

L

LANs (local area networks)
  global catalog servers, 15-8, 15-10
  site management, 16-14
LDAP (Lightweight Directory Access Protocol)
  Active Directory and, 1-7
  costs of creating multiple trees, 4-10
  object naming and, 1-31
  Windows Server 2003 security, A-4
leaf objects, 9-4
licenses, software, 12-14
Licensing Site object, 5-12
Lightweight Directory Access Protocol. See LDAP (Lightweight Directory Access Protocol)
links
  GPO, 10-40 to 10-43
  traffic optimization, 4-4 to 4-5
local area networks (LANs)
  global catalog servers, 15-8, 15-10
  site management, 16-14
local GPOs
  applying Group Policy settings to, 10-16
  opening MMC for, 10-6 to 10-7
  overview of, 10-4
  troubleshooting, 11-56
local groups
  built-in, 8-13 to 8-14
  domain, 8-15 to 8-16, 8-39

  Group Policy strategy and, 18-5 to 18-10, 18-13
  overview of, 8-7 to 8-8
  security, 17-5 to 17-13
Local Policies, 13-6
local security database, 7-4
local user accounts
  defined, 7-3
  naming conventions, 7-6
  overview of, 7-4
local user profiles, 7-29 to 7-30
location
  Active Directory database and log files, 2-11
  Active Directory objects. see Active Directory objects, locating
  domain controllers, 5-17 to 5-18
  global catalog servers, 5-42 to 5-43
  operations masters, 4-28 to 4-30
  OU structure based on, 6-4
  shared system volume folder, 2-11 to 2-12
  special folders, 11-31
  users and computers, 11-6
Lodctr command, 14-31
log file overhead, 14-32
log files
  Active Directory configuration and, 2-23
  Active Directory installation and, 2-11
  troubleshooting Group Policy with, 11-53 to 11-54
Log Files tab, System Monitor, 14-23 to 14-24
logging level, directory services, 14-38 to 14-40
Logging mode, RSoP
  exercise in creating RSoP query, 11-25 to 11-26
  overview of, 11-5
  reusing saved queries generated in, 11-20
logical structures, Active Directory, 1-10 to 1-14
  domains, 1-10 to 1-11
  forests, 1-13 to 1-14
  OUs (organizational units), 1-11 to 1-12
  overview of, 1-10
  trees, 1-12 to 1-13
Logman command, 14-30
logoff scripts, 10-9
logon
  avoiding cross-domain GPO assignments, 10-43
  domain account naming conventions, 7-7
  domain implementation and, 15-18 to 15-19, 15-24
  domain management and, 16-7, 16-10, 16-13
  global catalog servers, 15-8 to 15-11
  Group Policy affecting, 10-15 to 10-16
  infrastructure planning and, 15-3
  multiple forests and, 4-14
  OU planning and, 17-23
  roaming user profiles and, 7-31
  site management, 16-16 to 16-17, 16-19
  site topology, 15-29, 15-31
  synchronizing Offline Files at, 11-45
  user computers allowed, 7-20 to 7-21
  user hours allowed, 7-19 to 7-20
  User Rights, C-5 to C-6
logon scripts, 10-9, 18-17, 18-21
logs. See also security logs
  creating counter logs, 14-21 to 14-26
  creating trace logs, 14-26 to 14-28
  defining counter logs, 14-19
  defining trace logs, 14-19 to 14-20
  directory service log, 14-12 to 14-16, 14-37 to 14-40
  file replication service logs, 14-3
  in Performance Logs and Alerts, 14-19 to 14-21
  system log, 13-45
  Windows Server 2003, 13-45
Loopback setting
  overview of, 10-19
  RSoP Planning mode option, 11-6
  specifying, 10-38 to 10-39
  using only when necessary, 10-43

M

maintenance OU, 17-23, 17-26
management OU, 17-30, 17-32 to 17-33
mandatory user profiles
  assigning to user account, 7-36
  configuring, 7-36
  creating, 7-33
  defining, 7-35
  overview of, 7-30
  storage location for, 7-34
masks, subnet, 5-15 to 5-16
Member Of tab, Properties dialog box, 8-25
Member servers, 2-31, 17-5
members, group
  adding, 8-24 to 8-25
  rules, 8-6
Merge mode, Loopback setting, 10-19
merging forests, 4-13
metadata, 1-8, 2-51
Microsoft Windows 2000. See Windows 2000
Microsoft Windows Installer. See Windows Installer packages
Microsoft Windows NT. See Windows NT
Microsoft Windows Server 2003. See Windows Server 2003
Microsoft Windows versions. See Windows versions
MMCs (Microsoft Management Consoles), 3-18 to 3-29
  console options, 3-21 to 3-22
  console tree in detail pane, 3-19 to 3-20
  creating custom, 3-23 to 3-25
  creating for GPOs, 10-31 to 10-32
  creating RSoP query from Resultant Set of Policy Wizard, 11-7 to 11-8
  custom, 3-19
  defining, 3-18
  modifying custom, 3-25 to 3-27
  opening for local GPO, 10-6 to 10-7

  practice exercises, 3-27 to 3-28
  preconfigured, 3-18 to 3-19
  Questions and Answers, answers, 3-62 to 3-63
  Questions and Answers, questions, 3-28 to 3-29
  remote administration using, 3-22 to 3-23
  snap-ins, 3-20 to 3-21
  summary, 3-29
  troubleshooting lab, 3-56 to 3-59
mobsync command, 11-44
Mode Selection page, Resultant Set of Policy Wizard, 11-8, 11-11
monitoring. See performance monitoring
monitoring overhead, 14-14
.msi (Windows Installer) files, 12-5
.mst (Transform) files, 12-6
multihomed computer, 5-13
multimaster replication, 15-17
multiple forests. See forests, multiple
multiple setting GPO, 10-24
My Documents, folder redirection, 11-30 to 11-31, 11-34, 11-47
My Pictures Preferences, folder redirection, 11-35, 11-37 to 11-38, 11-47

N

naming context, 1-21, 5-4
naming conventions
  Administrator account, 7-5 to 7-6
  application directory partitions, 5-48 to 5-49
  domain controllers, 4-19 to 4-21
  domains, 4-18 to 4-19
  domain user accounts, 7-6 to 7-7, 7-14 to 7-15
  folder redirection, 11-47
  GPOs, 10-43
  OUs, 6-15
  site links, 5-26 to 5-27
  Windows Installer packages, 12-21 to 12-22
Native Windows Installer package (.msi) files, 12-5
nested groups, 8-7, 15-18 to 15-19
nested OUs
  defined, 6-28
  in domain structure, 1-11
  overview of, 6-8
  planning, 17-20
NetBIOS, 2-22 to 2-23
Netdiag (Network Connectivity Tester), 2-45 to 2-47
Netdom command
  Computername command, 4-20 to 4-21
  listing domain objects, 9-8
  managing domain structure, 16-6
  managing trusts, 4-65 to 4-67
  renaming domain controllers, 4-19 to 4-21
Net Group command, 8-10
Net Localgroup command, 8-10
Netlogon.dns file, 2-39 to 2-40
Network Configuration Operators group, 8-9
network connectivity
  encrypted folders and, 11-38
  RSoP Planning mode option, 11-6
  troubleshooting, 2-45 to 2-47
Network Connectivity Tester (Netdiag), 2-45 to 2-47
network installation, Active Directory, 2-27 to 2-28
Network node, Administrative Templates, 10-11
New Trust Wizard
  administering trust relationships, 4-62 to 4-65
  configuring forest trusts, 4-59 to 4-62
  creating external trusts, 4-56
  creating realm trusts, 4-53 to 4-55
  creating shortcut trusts, 4-47 to 4-53
Nltest tool, 4-67
nonauthoritative restore, 3-61, 16-28
nonlocal GPOs, 10-4 to 10-5
No Override
  applying Group Policy settings to, 10-18
  specifying, 10-38
  using sparingly, 10-43
Normal backup type, 3-33
nslookup, verifying DNS resource records, 2-14
Ntds.dit, 2-11, 16-33
NTDS Metadata Cleanup option, 2-51
NTDS Settings object
  defined, 5-12
  overview of, 2-51
  removing domain controller from site using, 5-19
Ntdsutil
  delegation of application directory partitions, 5-55 to 5-56
  demoting domain controllers, 5-50 to 5-51
  displaying directory partition information, 5-54 to 5-55
  domain structure, 15-21, 15-25
  managing application directory partitions, 5-52 to 5-53
  operations master role failures, 16-33
  seizing operations master roles, 4-35 to 4-36
  site topology, 15-29 to 15-31
  troubleshooting Active Directory installation, 2-50 to 2-52
Ntfresutil (File Replication Service Utility), 16-33
NTLM (NT LAN Manager) protocol, 4-39 to 4-40
Ntuser.dat file, 7-29, 7-36 to 7-37
Ntuser.man file, 7-36 to 7-37

O

object links, GPOs, 10-34
objects
  Active Directory, 1-8
  creating OUs to hide, 6-11 to 6-12
  defining OUs to hide, 6-7
  delegating control for OU, 6-6 to 6-7
  OU structure based on types of, 6-5
objects, naming, 1-31 to 1-33

  distinguished names (DNs), 1-32
  globally unique identifiers (GUIDs), 1-32 to 1-33
  LDAP and, 1-31
  relative distinguished names (RDNs), 1-32
  user principal names (UPNs), 1-33
Offline Files, folder redirection
  best practices, 11-47
  computer and servers configuration, 11-41 to 11-44
  overview of, 11-39
  setup, 11-40
  sharepoint configuration, 11-40 to 11-41
  synchronization, 11-44 to 11-46
  troubleshooting Group Policy settings, 11-58
  working offline, 11-39 to 11-40
one-way forest trusts, 4-46
one-way shortcut trusts, 4-42 to 4-43, 4-48 to 4-51
online resources
  Access-Based Enumeration, 11-30
  Active Directory development, 2-8
  Active Directory, hiding attributes, 9-41
  Active Directory schema, modifying, 3-11
  Active Directory Service Interfaces, 3-14
  ADPREP, 3-5
  applications, uninstalling, 12-18
  DFS configuration, 12-15
  DNS configuration, 2-12
  DNS name resolution, 2-9
  EFS, disabling, 13-10
  Feature Controls, 10-14
  FRS configuration, 14-37
  Group Policy Management Console, 11-4
  Internet Explorer settings in Windows Server 2003, 13-13
  Nltest tool, 4-67
  parsing tool, 14-20
  replication, forcing, 5-6
  RSoP, 11-4
  Security Configuration Wizard, 13-4
  SMS (Systems Management Server), 12-11
  user account creation, 7-16
  Windows Firewall, 7-13, 9-4, 10-14
  Windows Support Tools, 2-47
  Windows Time Service, 13-5
  WMI, 11-4
  WSUS, 10-14
  .zap files, 12-7
operations master roles, 4-23 to 4-38
  defined, 4-73, 15-7
  domain-wide, 4-24 to 4-26
  exam highlights, 4-73
  failures, 16-33, 16-36
  forest-wide, 4-24
  overview of, 4-23
  planning locations for, 4-28 to 4-30
  practice exercise, 4-36 to 4-37
  Questions and Answers, answers, 4-76 to 4-77
  Questions and Answers, questions, 4-37 to 4-38
  seizing, 4-26 to 4-28, 4-34 to 4-36
  summary, 4-38
  transferring, 4-26, 4-31 to 4-34
  viewing current assignments, 4-30 to 4-31
operations master roles, planning
  domain naming master role, 15-12 to 15-16
  further reading, 15-10
  overview, 15-4, 15-12
  Questions and Answers, answers, 15-15 to 15-16
  Questions and Answers, questions, 15-13 to 15-14
organizational units. See OUs (organizational units)
Other Organization SID, 4-43
OU GPOs
  applying Group Policy settings to, 10-16
  creating, 10-30 to 10-31
  linking, 10-40 to 10-41
  planning, 10-25 to 10-26
OUs (organizational units), 6-3 to 6-14
  administering group policies with, 6-7
  application deployment, 19-5 to 19-13
  case scenario, 6-23 to 6-25, 6-30 to 6-31
  computer environment deployment, 18-24 to 18-33
  container objects, 17-20
  creating, 6-10 to 6-14
  defined, 1-44, 6-28
  delegation of administration, 6-3 to 6-7, 9-36 to 9-40, 15-32 to 15-36
  deleting, 16-30, 16-32
  directory services restoration, 16-3
  exam highlights, 6-27 to 6-28
  forests and, 17-3
  further reading, 17-4
  GPOs and, 17-20
  Group Policy security settings, 19-24 to 19-30
  Group Policy strategy, 18-5 to 18-14
  hiding objects within, 6-7, 6-11 to 6-12
  logical structures, 1-11 to 1-12
  maintaining, 17-23, 17-26
  nested, 17-20
  overview of, 6-3
  password management, 17-21
  planning, 1-40
  planning GPOs and, 18-1 to 18-4
  Questions and Answers, answers, 6-29 to 6-30
  Questions and Answers, questions, 6-8 to 6-9, 6-14
  securing systems through, 13-57
  security settings and, 19-24 to 19-30
  specifying event categories to be audited, 13-33 to 13-34
  structure, creating, 6-10 to 6-14
  structure, designing, 6-8
  summary, 6-9
  troubleshooting lab, 6-25 to 6-26
  user authentication, 17-15, 17-17 to 17-19
  user, computer, and group strategies, 17-1
  user environment configuration, 18-15 to 18-23
OUs (organizational units), administering, 6-15 to 6-31

case scenario, 6-23 to 6-25, 6-30 to 6-31deleting, 6-16exam highlights, 6-27 to 6-28moving, 6-15 to 6-16moving objects between, 6-18practice exercises, 6-21 to 6-22Questions and Answers, answers, 6-30Questions and Answers, questions, 6-22 to 6-23renaming, 6-15setting properties, 6-16 to 6-18summary, 6-23troubleshooting lab, 6-25 to 6-26using drag and drop, 6-18 to 6-19using Dsmove command-line tool, 6-20 to 6-21using Move option, 6-19

OUs (organizational units), structure
  Accounting OU, 17-23, 17-26
  Account Operators, 17-31, 17-34
  details pane, 17-28
  Exec OU, 17-29, 17-32
  Groups OU, 17-29, 17-32
  Management OU, 17-30, 17-32 to 17-33
  Operations OU, 17-31, 17-33
  overview, 17-28
  planning with Group Policy, 17-20 to 17-21
  Questions and Answers, answers, 17-32 to 17-34
  Questions and Answers, questions, 17-29 to 17-31
  Sales OU, 17-30, 17-32 to 17-33
  Service OU, 17-24, 17-27
  tree structures, 17-20, 17-29
  Users And Computers console, 17-29
  Users OU, 17-29, 17-32
Override Group Policy, 10-43
ownership, object
  overview, 9-18 to 9-19
  transferring, 9-30

P
PAC (proxy autoconfiguration) file, 4-10
parameters, Gpresult command, 11-20
parent-child trusts, 1-26, 4-40
parsing tools, 14-20
Password policy, 4-4
passwords
  Account Policies security settings, 13-5
  Active Directory installation and, 2-25
  Administrator account, 7-6
  computer environment deployment, 18-26 to 18-27, 18-31
  delegation of administration and, 15-33 to 15-36
  domain user accounts and, 7-15 to 7-16
  Group Policy strategy and, 18-10, 18-12, 18-13 to 18-14
  OU structure and, 17-21, 17-24, 17-27
  realm trusts and, 4-55
  security groups, 17-6
  shortcut trusts and, 4-50 to 4-51
  smart cards vs., 7-9
  user accounts and, 7-7 to 7-8
  user authentication, 17-14, 17-15 to 17-19
Patch (.msp) files, 12-6
path rules
  creating, 13-21 to 13-23
  designating file types, 13-23 to 13-24
  precedence, 13-16 to 13-17
  software restriction policies, 13-15 to 13-16

PC/SC (Personal Computer/Smart Card) compliant smart card readers, 7-10

PDC emulators
  failure, 16-33
  placing, 15-12 to 15-16
  planning, 4-28 to 4-29
  role of, 4-25 to 4-26
  seizing, 4-28
  transferring assignment, 4-31 to 4-32
  viewing assignment, 4-30
PDC (primary domain controller), 2-7
Perfmon command, 14-31
Performance console, troubleshooting Active Directory performance, 14-41 to 14-42
performance counters
  accumulative, 14-9
  FileReplicaSet, 14-8
  overview of, 14-4 to 14-9
  ratio, 14-9
  selecting for monitoring, 14-9 to 14-11
  statistic, 14-9
  troubleshooting, 14-14 to 14-16
Performance Logs and Alerts, 14-19 to 14-35
  best practices for monitoring performance, 14-31 to 14-32
  counter and trace logging requirements, 14-20 to 14-21
  creating alerts, 14-28 to 14-30
  creating counter logs, 14-21 to 14-26
  creating trace logs, 14-26 to 14-28
  defining counter logs, 14-19
  defining trace logs, 14-19 to 14-20
  logging options, 14-20
  practice exercises, 14-33 to 14-34
  Questions and Answers, answers, 14-49
  Questions and Answers, questions, 14-35
  troubleshooting, 14-32 to 14-33
Performance Monitor, 16-23, 16-26
performance monitoring, 14-1 to 14-35
  case scenarios, 14-44 to 14-45, 14-51 to 14-52
  from command-line, 14-30 to 14-31
  with directory service log, 14-12 to 14-16
  exam highlights, 14-48
  file replication service logs, 14-3
  with Performance Logs and Alerts. see Performance Logs and Alerts


  Questions and Answers, answers, 14-49 to 14-50
  Questions and Answers, questions, 14-17, 14-35
  summaries, 14-17 to 14-18, 14-35
  with System Monitor. see System Monitor
performance monitoring, troubleshooting, 14-36 to 14-52
  with directory service log, 14-14 to 14-16, 14-37 to 14-40
  overview of, 14-36 to 14-37
  with Performance console, 14-41 to 14-42
  Questions and Answers, answers, 14-50 to 14-51
  Questions and Answers, questions, 14-42 to 14-43
  summary, 14-43
  with System Monitor, 14-14 to 14-16
  troubleshooting lab, 14-46
performance objects, 14-4 to 14-8
permissions
  Active Directory installation and, 2-25
  Active Directory objects. see Active Directory objects, access control
  Administrator accounts, 7-5 to 7-6
  Allow permissions, 9-16
  defined, 9-15, 9-47
  delegated, 9-39 to 9-40
  Full Control permission, 6-6 to 6-7, 10-27 to 10-28, 11-34, 14-20
  GPOs, 10-5, 10-32
  GPO scopes, 10-40
  groups, 8-3
  inherited permissions, 9-20 to 9-22, 9-25 to 9-27
  resource, 4-43
  RSoP queries, 11-23 to 11-24
  special permissions. see special permissions
  standard permissions. see standard permissions
  user, computer, and group strategies, 17-1

Personal Computer/Smart Card (PC/SC) compliant smart card readers, 7-10

personal identification number (PIN), 7-8 to 7-9
physical structures, Active Directory, 1-14 to 1-16
  domain controllers, 1-15
  installing Active Directory and, 2-3 to 2-5
  overview of, 1-14
  sites, 1-14 to 1-15
PIN (personal identification number), 7-8 to 7-9
PKI (public key infrastructure), 7-9, 13-8 to 13-10
Planning mode, RSoP, 11-5 to 11-6, 11-10 to 11-15
policy-based administration, 1-6
Policy Removal options, folder redirection, 11-34 to 11-35, 11-37 to 11-39, 11-47
ports, configuring firewalls for Active Directory replication, 14-36
Power Users group, 8-29
preferred bridgehead servers
  defined, 5-78
  designating, 5-31 to 5-33
  overview of, 5-8
  replacing failed, 5-32
  site management and, 16-15
primary domain controller (PDC), 2-7
primary domain controller (PDC) emulators. See PDC emulators
primary restore, restoration methods, 16-28
printers, auditing
  configuring, 13-37 to 13-39
  guidelines, 13-32
properties
  domain user accounts, 7-16 to 7-18
  OUs, 6-16 to 6-18
  roaming user profiles, 7-32
  smart card authentication, 7-18 to 7-19
  System Monitor, 14-9
protocols
  replication transport, 5-26 to 5-28
  trust, 4-39 to 4-40
proxy autoconfiguration (PAC) file, 4-10
proxy client exclusion lists, 4-10
public key infrastructure (PKI), 7-9, 13-8 to 13-10
Public Key Policies, 13-8 to 13-10
publishing application
  assigned vs., 12-7 to 12-8
  defined, 12-54
  overview of, 12-5
  software deployment best practices, 12-28
  software deployment process, 12-8 to 12-9
  user environment configuration and, 18-15
pull model, for software deployment, 12-10
push model, for software deployment, 12-10

Q
queries
  global catalogs, 1-18 to 1-19
  multiple forests and, 4-14
query traffic, 15-28 to 15-31
quotas, Active Directory, 9-19, A-5

R
ratio counters, 14-9
RDNs (relative distinguished names), 1-32, 7-6
realm trusts
  Active Directory supported trust relationships, 1-27
  creating, 4-53 to 4-55
  defined, 4-40
  when to create, 4-44
redeploying applications, 12-35
refreshing GPOs, 10-42 to 10-43
registered domain names, 2-10
Registry
  Diagnostics subkey, 14-38 to 14-40
  path rules, 13-22 to 13-23
  security settings, 13-7
  troubleshooting Group Policy with log files and, 11-53 to 11-54
Registry Editor, 11-53 to 11-54
relative distinguished names (RDNs), 1-32, 7-6


relative identifier (RID) masters. See RID (relative identifier) masters

Relog command, 14-31
remote administration
  using MMCs, 3-22 to 3-23
  viewing security log, 13-47
Remote Desktop for Administration, 11-42
remote installation services, IntelliMirror, 1-28
Rendom.exe, 4-18 to 4-19
Repacked application (.msi) files, 12-6
Repadmin.exe (Replication Diagnostics Tool)
  checking status of domain controller updates, 4-34 to 4-35
  replication failure and, 16-23, 16-24, 16-26
  troubleshooting access denied from, 5-69
  using, 5-62 to 5-64
Replace mode, Loopback setting, 10-19
replicas, 5-4
replication
  Active Directory features, 1-6 to 1-7
  application directory partition, 5-49
  availability, 15-28, 16-20
  configuring site link attributes, 5-28 to 5-30
  creating domains to optimize traffic, 4-4 to 4-5
  creating multiple domains to optimize, 4-4 to 4-5
  defined, 16-21
  of domain user account information, 7-5
  frequency, 15-28 to 15-31, 16-14 to 16-20
  how universal groups affect, 8-6
  intersite, 1-24 to 1-25
  intrasite, 1-22 to 1-24
  multiple forests and, 4-13
  overview of, 1-21
  processes for, 16-21 to 16-22
  renaming domain controllers and, 4-19 to 4-20
  role of sites in, 5-3
  security settings and, 19-24 to 19-30
  shared system volume, 2-12
  what information is replicated, 1-21 to 1-22
  Windows Server 2003, A-7

Replication Diagnostics Tool. See Repadmin.exe (Replication Diagnostics Tool)

replication, managing, 5-4 to 5-10
  bridgehead servers, 5-8
  case scenario, 5-74 to 5-76, 5-83 to 5-84
  configuring application directory partitions. see application directory partitions
  configuring global catalog servers. see global catalog servers
  exam highlights, 5-77 to 5-78
  how information is replicated, 5-5 to 5-6
  information replicated, 5-4 to 5-5
  intersite replication configuration. see intersite replication, configuring
  intersite replication process, 5-9
  overview of, 5-4
  Questions and Answers, answers, 5-79 to 5-80
  Questions and Answers, questions, 5-9 to 5-10
  site links, 5-5 to 5-8
  sites, overview of, 5-3
  summary, 5-10
  triggers, 5-5
replication monitoring
  application directory partitions, 16-21
  configuration partition, 16-21
  domain controllers, 16-6
  FRS (File Replication Service), 16-21 to 16-22
  further reading, 16-4
  overview, 16-21 to 16-22
  Questions and Answers, answers, 16-26 to 16-27
  Questions and Answers, questions, 16-23 to 16-24
  schema partitions, 16-21
  skills and suggested practices, 16-3

replication traffic, 15-7, 15-28 to 15-31
replication transport protocols, 5-26 to 5-28, 5-35
replication, troubleshooting, 5-59 to 5-73
  lab, 5-73 to 5-74
  overview of, 5-59
  practice exercises, 5-70 to 5-71
  Questions and Answers, answers, 5-83
  Questions and Answers, questions, 5-71 to 5-72
  scenarios, 5-67 to 5-69
  summary, 5-72 to 5-73
  troubleshooting delays, 16-34, 16-36
  using Dcdiag in Windows Server 2003, 5-66 to 5-67
  using Dsastat, 5-64 to 5-66
  using Repadmin (Replication Diagnostics Tool), 5-62 to 5-64
  using Replmon (Active Directory Replication Monitor), 5-60 to 5-61
Replicator group, 8-10
Replmon.exe (Active Directory Replication Monitor)
  overview, 16-21 to 16-22
  troubleshooting global catalog servers, 16-23 to 16-24, 16-26 to 16-27
  using, 5-60 to 5-61
  viewing Group Policy Object Status, 10-4
resource access, audit policy guidelines, 13-32
restore, Active Directory data, 3-44 to 3-55
  authoritative restore, impact of, 3-52 to 3-53
  authoritative restore, overview of, 3-44 to 3-45
  authoritative restore, performing, 3-50 to 3-52
  case scenario exercise, 3-55 to 3-56, 3-64 to 3-66
  exam highlights, 3-60 to 3-61
  nonauthoritative restore, advanced settings, 3-49 to 3-50
  nonauthoritative restore, overview of, 3-44
  nonauthoritative restore, performing, 3-46 to 3-48
  overview of, 3-44
  practice exercise, 3-53
  preliminary tasks, 3-46


  Questions and Answers, answers, 3-64
  Questions and Answers, questions, 3-53 to 3-54
  summary, 3-54 to 3-55
  troubleshooting lab, 3-56 to 3-59
restore, directory services
  domain controller failure, 16-29, 16-31
  domain controller installation, 16-3
  further reading, 16-5
  hardware failure, 16-30, 16-32
  methods for, 16-28
  OU deletion, 16-30, 16-32
  overview, 16-28
  Questions and Answers, answers, 16-31 to 16-32
  Questions and Answers, questions, 16-29 to 16-30
  schema corruption, 16-29, 16-31
  Users And Computers console, 16-29, 16-31
Restricted Groups, 13-7, 13-11
Resultant Set of Policy. See RSoP (Resultant Set of Policy)
Resultant Set of Policy Wizard, 11-5 to 11-20
  creating RSoP queries, 11-7 to 11-15
  Group Policy strategy, 18-5
  Logging mode, 11-5
  Planning mode, 11-5 to 11-6
  policy implementation, 1-30
  reusing RSoP queries generated with, 11-20
  saving RSoP queries and query data, 11-15 to 11-16
  troubleshooting Group Policy with, 11-52
  viewing RSoP queries, 11-16 to 11-20
RID (relative identifier) master role
  overview of, 4-24, 4-26
  planning operations master locations, 4-27 to 4-28
  seizing, 4-27 to 4-28
  transferring assignment, 4-31 to 4-32
  viewing assignment, 4-30
RID (relative identifier) masters
  failures, 16-33, 16-35
  planning placement, 15-12 to 15-16
  troubleshooting Active Directory and, 16-37
roaming user profiles
  creating, 7-31 to 7-32
  mandatory user profiles as read-only, 7-30
  overview of, 7-30
root domains
  delegation of administration, 15-32 to 15-36
  determining domain name, 2-9 to 2-11
  Domain Admins, 16-6
  forest and domain structure, 15-20 to 15-27
  forests and, 2-6
  Group Policy and, 19-1 to 19-3
  operations master roles and, 15-13 to 15-16

Rootsec.inf (system root security template), 13-60
Rootsec.inf template, 13-60
RSoP (Resultant Set of Policy)
  application deployment, 19-1 to 19-13
  case scenario exercise, 11-60 to 11-61, 11-70 to 11-71
  delegating control of, 11-24 to 11-25
  generating queries with Advanced System Information-Policy, 11-23 to 11-24
  generating queries with Gpresult command-line, 11-20 to 11-23
  generating queries with Wizard. see Resultant Set of Policy Wizard
  Group Policy and, 18-5
  overview of, 10-20
  practice exercises, 11-25 to 11-26
  Questions and Answers, answers, 11-67
  Questions and Answers, questions, 11-27
  remote access to, 11-4
  security settings, 19-24 to 19-30
  summary, 11-27 to 11-28
  understanding, 11-3 to 11-4
  Windows Server 2003, A-5
Runas command, 8-31 to 8-32
Run As program
  defined, 8-39
  starting program as Administrator using, 8-32 to 8-33
  using Runas command, 8-31 to 8-32
  working with, 8-29 to 8-31

S
sampling parameters, System Monitor, 14-9, 14-11
SAM (Security Accounts Manager), 2-7, 7-6
saved queries, A-3
  overview of, 9-14
  reusing saved RSoP, 11-20
  RSoP, 11-15 to 11-16
  working with, 9-8 to 9-10
scalability, Active Directory, 1-6
Scheduled Synchronization Wizard, 11-47
schedules
  Active Directory backups, 3-36 to 3-40
  connection object, 5-35 to 5-36
  site link availability, 5-6
  site link replication, 5-29 to 5-30
  synchronization, 11-47
Schedule tab, Schedule Job dialog box, 3-37 to 3-39
Schedule tab, System Monitor, 14-24 to 14-25
schema
  Active Directory objects, 1-8 to 1-9
  corruption, 16-29, 16-31
  extensions, 16-12
  multiple forests and, 4-13
Schema Admins
  domain structure and, 16-6
  schema corruption, 16-29, 16-31
  schema extensions, 16-12
schema attribute objects, 1-9
schema class objects, 1-9
Schema Console, 16-19
schema master role
  defined, 4-24, 4-26
  failure, 16-33


  forest and domain structure, 15-20, 15-24, 15-27
  placing, 15-13 to 15-16
  seizing, 4-27
  transferring assignment, 4-33 to 4-34
  viewing assignment, 4-30 to 4-31
schema objects, 1-8 to 1-9, 15-18, A-7
schema partitions, 1-21, 5-4, 16-21
Schema snap-in, 16-6, 16-12
scope, group. See group scope
Scripts extension, Windows Settings node, 10-9
SCW (Security Configuration Wizard), 13-4
SDCheck utility, 9-20
SDPs (software distribution points), 12-4, 12-15, 12-54
Search capabilities, Windows Server 2003, A-3
second-level OUs, 6-4
Securedc.inf template, 13-61
Securews.inf template, 13-60 to 13-61
security
  computer environment deployment, 18-26 to 18-27, 18-31
  costs of creating multiple domains, 4-5
  creating domains to meet requirements of, 4-3 to 4-4
  creating multiple domains for, 4-3 to 4-4
  creating multiple forests, 4-13
  Group Policy settings, 18-9, 18-12
  Group Policy standard policy, 18-10, 18-13 to 18-14
  integration with Active Directory, 1-7
  LDAP and, A-4
  password, 7-8
  Software Restriction Policies, A-6
  troubleshooting failures, 16-34, 16-36
  user environment configuration, 18-18, 18-20, 18-22 to 18-23
Security Accounts Manager (SAM), 2-7, 7-6
security administration, 13-1 to 13-92
  Active Directory security. see Active Directory security
  audit policies. see audit policies
  case scenario, 13-80 to 13-81, 13-91 to 13-92
  exam highlights, 13-85
  Security Configuration and Analysis. see Security Configuration and Analysis
  security logs. see security logs
  software deployment. see software deployment
  software restriction policies. see software restriction policies
  templates. see templates
  troubleshooting lab, 13-82 to 13-84
  troubleshooting security settings, 19-2 to 19-4, 19-24 to 19-30
security analysis log file, viewing, 13-73 to 13-74
Security Configuration and Analysis, 13-69 to 13-80
  accessing, 13-70
  analyzing system security, 13-71 to 13-72
  best practices, 13-76
  configuring system security, 13-75 to 13-76
  defined, 13-4
  editing database, 13-74
  exporting security templates, 13-76
  importing additional security templates into database, 13-74 to 13-75
  practice exercise, 13-78 to 13-79
  Questions and Answers, answers, 13-90
  Questions and Answers, questions, 13-79 to 13-80
  resolving security discrepancies, 13-74
  setting database, 13-70 to 13-71
  summary, 13-80
  troubleshooting, 13-77 to 13-78
  understanding, 13-69
  viewing security analysis log file, 13-73 to 13-74
  viewing security analysis results, 13-72 to 13-73

Security Configuration Wizard (SCW), 13-4
security descriptor reference domain, 5-51 to 5-52, 5-56
security groups
  Domain Admins, 17-7 to 17-8
  filtering GPO scope with, 10-20, 10-39 to 10-40
  forest and domain structure and, 15-18 to 15-19
  forests, 17-5 to 17-13
  further reading, 17-4
  local groups, 17-5
  overview of, 8-4, 17-5
  Questions and Answers, answers, 17-10 to 17-13
  Questions and Answers, questions, 17-6 to 17-9
  redirecting special folders according to, 11-35 to 11-36
  RSoP Planning mode options, 11-6
  troubleshooting Group Policy settings, 11-56
  universal groups, 15-18 to 15-19
  user, computer, and group strategies, 17-1 to 17-2
security identifiers. See SIDs (security identifiers)
security logs, 13-45 to 13-55
  archiving, 13-52 to 13-53
  clearing, 13-51 to 13-52
  configuring, 13-50 to 13-51
  configuring size of, 13-40, 13-50 to 13-51
  defined, 13-4, 13-45
  enabling, 14-2
  filtering events in, 13-49 to 13-50
  finding events in, 13-47 to 13-48
  practice exercise, 13-53 to 13-54
  Questions and Answers, answers, 13-88 to 13-89
  Questions and Answers, questions, 13-54 to 13-55
  summary, 13-55
  understanding, 13-45
  viewing, 13-46 to 13-47
security options, in Local Policies, 13-6
security principals, 17-14
  Active Directory quotas for, 9-19
  defined, 9-15
  how group membership affects access control, 9-19 to 9-20
  removing existing, 9-29 to 9-30
Security Properties dialog box, 13-7
security settings, Group Policy
  further reading, 19-4
  overview of, 13-8, 19-24


  Questions and Answers, answers, 19-28 to 19-30
  Questions and Answers, questions, 19-25 to 19-27
  replication, 19-24
  skills and suggested practices, 19-2 to 19-3
Security Settings node, Windows Settings node, 10-9
security templates, 13-56 to 13-68
  accessing Security Templates console, 13-62 to 13-63
  best practices, 13-65 to 13-66
  Compatible (Compatws.inf), 13-57 to 13-58
  customizing predefined, 13-62 to 13-64
  default, 13-61 to 13-62
  Default Security settings updated for domain controllers (DCsecurity.inf), 13-58
  defining new, 13-64
  highly secure (Hisecws.inf and Hisecdc.inf), 13-58 to 13-60
  importing into database, 13-74 to 13-75
  importing to GPO, 13-64 to 13-65
  overview of, 13-56
  practice exercises, 13-66
  predefined, 13-56 to 13-57
  Questions and Answers, answers, 13-89 to 13-90
  Questions and Answers, questions, 13-66 to 13-67
  secure (Securedc.inf and Securews.inf), 13-60 to 13-61
  summary, 13-67 to 13-68
  system root security (Rootsec.inf), 13-60
Security Templates console, 13-62 to 13-63, 13-64
seized operations master roles, 4-26 to 4-28, 4-34 to 4-36
selective authentication
  defined, 4-43, 4-74, 9-47
  between forests joined by forest trusts, 4-46
  overview of, 9-28
  setting, 9-29
  between two domains joined by external trust, 4-45
sequential trace log file, 14-28
Server Operators group, 8-10
servers
  configuring Offline Files for, 11-41 to 11-44
  stand-alone server, 2-31

Servers container, 5-12
Service OUs, 17-27
service (SRV) resource record, 2-13 to 2-15, 2-39
Settings tab, folder redirection, 11-33 to 11-34, 11-37
Setup security.inf template, 13-61 to 13-62
Shared location settings, 18-17, 18-21
shared system volume
  configuring Active Directory installation, 2-23 to 2-24
  determining location for folder, 2-11 to 2-12
  verifying Active Directory installation, 2-41
shared system volume (sysvol)
  Adprep.exe tool and, 3-5
  operations master role failures, 16-33
  replication monitoring, 16-21
sharepoint, 11-29, 11-40 to 11-41
shortcut trusts
  accessing resources across domains joined by, 4-43
  Active Directory supported trust relationships, 1-27
  creating, 4-47 to 4-53
  in implementation of domain structure, 15-19 to 15-20, 15-24, 15-27
  in management of domain structure, 16-8 to 16-9, 16-11
  one-way, 4-42 to 4-43
  requirements, 4-44
  two-way, 4-43
  when to create, 4-42
shutdown scripts, 10-9
SIDs (security identifiers)
  defined, 9-15
  deleting groups and, 8-23
  forest and domain structure and, 15-18 to 15-19
  user authentication and, 17-14

Simple Mail Transfer Protocol. See SMTP (Simple Mail Transfer Protocol)

single setting GPO, 10-24
single sign-on authentication, 7-3
Site and Services Console, replication failure, 16-23, 16-26
site GPOs
  applying Group Policy settings to, 10-16
  creating, 10-30 to 10-31
  linking, 10-40 to 10-41
  planning, 10-25
site license servers, 5-19 to 5-20
site link bridges
  overview, 16-14 to 16-15
  replication and, 16-23
  site management and, 16-16
site link objects, 15-28, 15-31
site links
  adding site to existing, 5-28
  assigning to sites, 5-14
  attributes, 5-28 to 5-30
  availability, 16-14
  bridges, 5-7 to 5-8, 5-33 to 5-34
  configuring, 16-16 to 16-20
  creating, 5-25 to 5-28
  intersite replication using, 5-6 to 5-8
  managing, 16-14 to 16-20
  renaming, 5-26 to 5-27
  transitivity, 5-7
site management
  availability, 16-14, 16-17 to 16-18, 16-20
  cost of links, 16-14 to 16-20
  forest installation, 16-2 to 16-4
  further reading, 16-4
  IP subnets, 16-15
  logons, 16-16 to 16-17, 16-19
  overview, 16-14 to 16-15
  Questions and Answers, answers, 16-19 to 16-20
  Questions and Answers, questions, 16-16 to 16-18
  replication frequency, 16-14 to 16-20
  site links, 16-14 to 16-20
sites
  defined, 1-44, 5-3
  functions of, 1-14 to 1-15


  RSoP Planning mode options, 11-6
  specifying event categories to be audited, 13-33 to 13-34
Sites and Services console
  forest and domain structure, 15-25
  replication monitoring, 16-21
  site topology, 15-28 to 15-31
sites, configuring, 5-11 to 5-24
  Active Directory Sites and Services console, 5-11 to 5-12
  adding site to existing site link, 5-28
  application directory partitions. see application directory partitions
  case scenario, 5-74 to 5-76, 5-83 to 5-84
  creating, 5-12 to 5-15
  creating, moving, and removing domain controller objects, 5-17 to 5-19
  creating subnets, 5-15 to 5-16
  designating site license server, 5-19 to 5-20
  exam highlights, 5-77 to 5-78
  global catalog servers, 5-41 to 5-47
  intersite replication. see intersite replication, configuring
  overview of, 5-11
  practice exercises, 5-21 to 5-22
  Questions and Answers, answers, 5-79
  Questions and Answers, questions, 5-23
  replication and, 5-4 to 5-10
  summary, 5-23 to 5-24
  troubleshooting lab, 5-73 to 5-74
Sites container, 5-11 to 5-12
site topology
  overview, 15-28
  planning, 1-40 to 1-41
  Questions and Answers, answers, 15-31 to 15-36
  Questions and Answers, questions, 15-29 to 15-30
  subnets, 16-15
slow-network connection, RSoP Planning mode, 11-6
smart card authentication
  defined, 7-53
  deployment, 7-10
  implementing, 7-9
  multiple forests and, 4-14
  overview of, 7-8 to 7-9
  setting hours for, 7-19 to 7-20
  setting up user for, 7-18 to 7-19
  user environment configuration, 18-20, 18-23
  user strategies, 17-14 to 17-18
SMS (Systems Management Server), 12-10, 12-29
SMTP (Simple Mail Transfer Protocol)
  creating domains to optimize traffic and, 4-5
  intersite replication using, 5-26
  site management and, 16-14

snap-ins
  console tree, 3-20
  creating, 3-23 to 3-25
  custom, 3-19
  defined, 3-18
  modifying, 3-25 to 3-27
  overview of, 3-20 to 3-21
  preconfigured, 3-18
  for remote administration, 3-22 to 3-23
software
  assignment, 18-24
  distribution, 18-7 to 18-8, 18-11 to 18-12
  installation, 18-25, 18-30
  installation restrictions, 18-28, 18-32
  IntelliMirror and, 1-28
  Windows Server 2003 installation options, A-6
software deployment, 12-13 to 12-34
  Add or Remove Programs, 12-7
  application deployment, 19-1 to 19-3, 19-5 to 19-13
  approaches to, 12-7 to 12-8
  best practices, 12-28 to 12-29
  case scenario, 12-58 to 12-60
  defined, 12-3
  defined default settings in dialog box, 12-16
  exam highlights, 12-53 to 12-54
  GPO and GPO console, creating, 12-15
  GPO properties, specifying, 12-16 to 12-20
  IntelliMirror, 12-3
  overview of, 12-3 to 12-4
  package deployment method, selecting, 12-20 to 12-21
  planning and preparation, 12-13 to 12-14
  practice exercise, 12-29 to 12-33
  processes, 12-8 to 12-9
  pull model, 12-10
  Questions and Answers, answers, 12-55 to 12-58
  Questions and Answers, questions, 12-11, 12-29 to 12-34
  SDP, setup, 12-15
  Software Installation extension, 12-4 to 12-7
  summary, 12-12, 12-34, 12-52
  tasks for, 12-13
  troubleshooting lab, 12-60
  Windows Installer packages, 12-9 to 12-11
software deployment, troubleshooting, 12-42 to 12-50
  application management debugging, 12-46
  case scenarios, 12-48 to 12-50
  defined, 12-42
  Questions and Answers, answers, 12-57 to 12-58
  Questions and Answers, questions, 12-47 to 12-48
  scenarios, 12-42 to 12-46
  summary, 12-48
  troubleshooting lab, 12-50 to 12-51
  using advanced diagnostic information, 12-42 to 12-43
software distribution points (SDPs), 12-4, 12-15, 12-54
Software Installation extension, 12-4 to 12-7
  application (.zap) files, 12-6 to 12-7
  assigning applications, 12-4
  defined, 12-4, 12-54
  publishing applications, 12-5
  in Software Settings node, 10-8
  Windows Installer service, 12-5 to 12-7
Software Installation Properties dialog box, 12-16 to 12-20
  Advanced tab, 12-16, 12-18
  Categories tab, 12-16, 12-19 to 12-20
  File Extensions tab, 12-16, 12-19
  General tab, 12-16 to 12-18

software licenses, 12-14


software maintenance, 12-35 to 12-41
  defined, 12-35
  further reading, 19-3
  overview, 19-14
  overview of, 19-2 to 19-3, 19-14 to 19-23
  Questions and Answers, answers, 19-20 to 19-23
  Questions and Answers, questions, 12-40 to 12-41, 19-14 to 19-19
  redeploying applications, 12-35
  removing applications, 12-38 to 12-40
  skills and suggested practices, 19-2
  summary, 12-41
  upgrading applications, 12-35 to 12-38
software restriction policies, 13-13 to 13-29
  best practices, 13-26
  creating certificate rule, 13-19 to 13-20
  creating hash rule, 13-18 to 13-19
  creating Internet zone rule, 13-20 to 13-21
  creating path rule, 13-21 to 13-23
  default security levels, 13-14 to 13-15
  designating file types, 13-23 to 13-24
  how they work, 13-15 to 13-17
  overview of, 13-10
  preventing from applying to local administrators, 13-24 to 13-25
  Questions and Answers, answers, 13-86 to 13-87
  Questions and Answers, questions, 13-28
  rule precedence, 13-16 to 13-17
  security area, A-6
  setting default security level, 13-17 to 13-18
  setting trusted publisher options, 13-25
  summary, 13-28 to 13-29
  troubleshooting, 13-27
  understanding, 13-13 to 13-14

Software Settings detail pane, RSoP query results, 11-16 to 11-17

Software Settings node, 10-8
Source tab, System Monitor, 14-24
special folders, managing Group Policy, 11-29 to 11-50
special folders, managing with Group Policy
  default locations for, 11-31
  folder redirection. see folder redirection
  overview of, 11-29
  policy removal, 11-38 to 11-39
  practice exercises, 11-47 to 11-48
  Questions and Answers, answers, 11-68
  Questions and Answers, questions, 11-48 to 11-49
  summary, 11-49 to 11-50
special identity groups, 8-12 to 8-13
special permissions
  administering, 9-24 to 9-25
  overview of, 9-17 to 9-18
  removing, 9-30
  setting inheritance for, 9-26 to 9-27
SRV (service) resource records, 2-13 to 2-15, 2-39
stand-alone server, 2-31
stand-alone snap-ins. See snap-ins
standard permissions
  assigning, 9-23 to 9-24
  overview, 9-16 to 9-17
  setting inheritance for, 9-26 to 9-27
  special permissions, 9-17 to 9-18
startup
  avoiding cross-domain GPO assignments, 10-43
  Group Policy affecting, 10-15 to 10-16
  System Services security settings configuring, 13-7

startup scripts, 10-9, 18-17, 18-21
static IP addresses, 2-13, 2-15 to 2-16
statistic counters, 14-9
storage, Active Directory installation requirements, 2-11
storage location, mandatory user profile template, 7-34
strong passwords, 7-7 to 7-8, 7-53
subnet masks, 5-15 to 5-16
subnets, 15-28 to 15-31
  associating with sites, 5-16
  creating, 5-15
  defined, 5-3
  site management and, 16-2 to 16-3
  site topology and, 15-28 to 15-31, 16-15
Subnets container, 5-12
Summary of Selections page, Resultant Set of Policy Wizard, 11-10, 11-14 to 11-15
support tools, replication monitoring, 16-21 to 16-27
support URL, Windows Installer packages, 12-22
synchronization
  Offline Files and folders, 11-44 to 11-46
  troubleshooting Group Policy settings, 11-58
Synchronization Manager, 11-40
system log, 13-45
System Monitor
  best practices, 14-13 to 14-14
  defined, 14-48
  display options, 14-9
  monitoring Active Directory performance, 14-9 to 14-13
  overview of, 14-3
  performance counters, 14-8 to 14-9
  performance objects, 14-4 to 14-8
  practice exercise, 14-16 to 14-17
  Questions and Answers, answers, 14-49
  Questions and Answers, questions, 14-17
  sampling parameters, 14-9
  summary, 14-17 to 14-18
  troubleshooting, 14-14 to 14-16
System node, Administrative Templates node, 10-11
System Policy, 10-43
system root security template (Rootsec.inf), 13-60
System Services security settings, 13-7
Systems Management Server (SMS), 12-10, 12-29
system state data, 3-30 to 3-31
sysvol (shared system volume)
  Adprep.exe tool and, 3-5
  operations master role failures, 16-33
  replication monitoring, 16-21


T
TAPI application directory partition, 5-51
Tapicfg command-line tool, 5-51
Target Folder Location list, folder redirection, 11-33, 11-36
Target tab, folder redirection, 11-32
task-based administrative control design, 10-28
templates
  creating mandatory user profile, 7-33
  customizing predefined, 13-62 to 13-64
  defining location for mandatory user profile, 7-34
  security. see security templates
temporary user profiles, 7-30
Terminal Services, built-in account for, 7-5
testing environment, AD infrastructure design, 1-38
tombstone lifetime, extending, 3-10
top-level OUs, 6-4
trace logs
  creating, 14-26 to 14-28
  logging options, 14-20
  logging requirements, 14-20 to 14-21
  overview of, 14-19 to 14-20
Tracerpt command, 14-31
transferred operations master roles, 4-26, 4-31 to 4-34
Transform (.mst) files, 12-6
transitivity, site link, 5-7, 5-33 to 5-34
tree root domains, 4-10
tree-root trust, 1-26, 4-40
trees
  creating multiple, 4-9 to 4-12, 4-16 to 4-17
  logical structures, 1-12 to 1-13
  structures, 15-32 to 15-36, 17-20, 17-29
triggers
  Active Directory object events, 13-36
  files, folders and printers events, 13-37 to 13-38
  printer events, 13-39
  replication, 5-5

troubleshooting
  Active Directory. see Active Directory, troubleshooting
  Active Directory installation. see Active Directory installation, troubleshooting
  Group Policy. see Group Policy, troubleshooting
  performance monitoring. see performance monitoring, troubleshooting
  replication. see replication, troubleshooting
  software deployment. see software deployment, troubleshooting
trusted publisher options, 13-25
Trusted Root Certification Authorities, 13-9
trust links, 4-6
trust path, 4-42
trust relationships, 4-39 to 4-69
  Active Directory supported, 1-26 to 1-27
  administering, 4-62 to 4-65
  case scenario, 4-71 to 4-72, 4-77 to 4-78
  characteristics of trusts, 1-25 to 1-26
  creating and administering using command line, 4-65 to 4-67
  defined, 4-74, 15-7
  in domain structure implementation, 15-17, 15-19, 15-24, 15-27
  in domain structure management, 16-6, 16-8 to 16-9, 16-11
  exam highlights, 4-73
  external trust, creating, 4-55 to 4-59
  external trust, when to create, 4-44 to 4-45
  forest trust, creating, 4-59 to 4-62
  forest trust, overview of, 4-41
  forest trust, when to create, 4-45 to 4-47
  overview of, 1-25, 4-39
  practice exercise, 4-67 to 4-68
  protocols, 4-39 to 4-40
  Questions and Answers, answers, 4-77
  Questions and Answers, questions, 4-68 to 4-69
  realm trust, creating, 4-53 to 4-55
  realm trust, when to create, 4-44
  removing trusts, 4-64 to 4-65
  shortcut trust, creating, 4-47 to 4-53
  shortcut trust, when to create, 4-42 to 4-44
  site topology and, 15-29 to 15-31
  summary, 4-69
  types of, 4-40
  verifying, 4-62 to 4-64
TSInternetUser account, 7-5
two-way forest trusts, 4-46
two-way shortcut trusts, 4-43, 4-48 to 4-51
.txt files, 13-53
Typeperf command, 14-31

U
UNC path, 12-20
universal group membership caching
  defined, 5-78
  enabling, 5-45 to 5-46
  global catalog servers, 15-9, 15-11
  overview of, 5-42
  Windows Server 2003, A-4
universal groups
  defined, 8-39
  defining, 8-5 to 8-6
  determining group membership, 8-6
  distribution groups, 15-19
  overview of, 17-5 to 17-13
  planning, 8-16
  security groups, 8-5 to 8-6, 15-18 to 15-19
Unlodctr command, 14-31
Unrestricted default security level, 13-14
Unsecapp.exe, 11-4
updates
  administrative template, 10-14
  checking status of domain controller, 4-34 to 4-35
upgrades
  applications, 12-35 to 12-38
  of applications deployed with Group Policy, 12-35 to 12-38
  from Windows NT, 2-7
UPN suffix
  adding/removing, 3-9 to 3-10
  defined, 3-61
  overview of, 3-9
UPNs (user principal names)
  domain management and, 16-7, 16-10
  in object naming, 1-33
  site management and, 16-13
user accounts, 7-3 to 7-12
  built-in user accounts, 7-5 to 7-6
  case scenario, 7-49, 7-57
  domain user account naming conventions, 7-6 to 7-7
  domain user accounts, 7-4 to 7-5
  exam highlights, 7-52 to 7-53
  home folders. See home folders
  local user accounts, 7-4
  overview of, 7-3
  password requirements and guidelines, 7-7 to 7-8
  Questions and Answers, answers, 7-54
  Questions and Answers, questions, 7-11
  summary, 7-11 to 7-12
  troubleshooting lab, 7-50 to 7-51
  types of, 7-3 to 7-4
  user profiles. See user profiles
  using smart cards, 7-8 to 7-10
user accounts, creating, 7-13 to 7-26
  domain user accounts, 7-13 to 7-16
  modifying domain user account properties, 7-16 to 7-18
  practice exercises, 7-21 to 7-25
  Questions and Answers, answers, 7-54 to 7-55
  Questions and Answers, questions, 7-25
  setting account expiration date, 7-21
  setting computers from which users can log on, 7-20 to 7-21
  setting logon hours, 7-19 to 7-20
  setting up smart cards, 7-18
  summary, 7-26
user accounts, maintaining, 7-44 to 7-57
  deleting, 7-44 to 7-45
  disabling/enabling, 7-44 to 7-45
  practice exercise, 7-46 to 7-48
  Questions and Answers, answers, 7-56
  Questions and Answers, questions, 7-48
  resetting passwords, 7-46
  reusing, 7-44 to 7-45
  review, 7-48
  unlocking, 7-45
User Configuration node
  Administrative Templates node, 10-10 to 10-13
  defining, 10-55
  disabling unused GPO parts, 10-43
  disabling unused Group Policy settings, 10-36
  GPO, 10-8
  Group Policy strategy, 18-5 to 18-6
  Software Settings node, 10-8
  user environments, 18-15
  Window Settings node, 10-9 to 10-10
user data, IntelliMirror and, 1-28
user environment, 18-11 to 18-23
  application installation, 18-17 to 18-18, 18-21
  applications, assigning and publishing, 18-15
  certificate management, 18-15 to 18-16
  data access both on and off network, 18-19, 18-22 to 18-23
  Folder redirection, 18-16, 18-18, 18-22
  further reading, 18-3
  logon scripts, 18-17, 18-21
  overview, 18-15 to 18-16
  public user restrictions, 18-18 to 18-19, 18-22
  Questions and Answers, answers, 18-21 to 18-23
  Questions and Answers, questions, 18-17 to 18-20
  security breaches, 18-20, 18-23
  security settings, 18-18, 18-22
  shared location settings, 18-17, 18-21
  smart cards, 18-20, 18-23
  startup scripts, 18-17, 18-21
  User Configuration node, 18-15
Userenv.log, 11-53 to 11-54
user mode
  of preconfigured MMCs, 3-18
  saving MMC in, 3-22
user names
  creating shortcut trusts, 4-51
  domain user account creation, 7-14
User objects, 15-20 to 15-21, 15-25, 18-24
user principal names. See UPNs (user principal names)
user profiles
  best practices, 7-39
  contents of, 7-28 to 7-29
  defining, 7-27 to 7-43
  Group Policy settings affecting, 7-31
  local user profiles, 7-29 to 7-30
  mandatory, 7-30, 7-33 to 7-37
  practice exercises, 7-37 to 7-38
  Questions and Answers, answers, 7-55 to 7-56
  Questions and Answers, questions, 7-42 to 7-43
  roaming user profiles, 7-30
  roaming user profiles creation, 7-31 to 7-32
  settings saved in, 7-27 to 7-28
  summary, 7-43
  temporary user profiles, 7-30
  User Configuration node, 18-15
user rights
  assigning, C-6
  Local Policies security settings, 13-6
  logon rights, C-5 to C-6
  privileges, C-1 to C-5
Users And Computers console
  application deployment, 19-1 to 19-3, 19-5 to 19-13
  directory services, restoring, 16-29, 16-31
  OU implementation, 17-29
  OU planning, 17-28
User Security Groups page, Resultant Set of Policy Wizard, 11-13
User Selection page, Resultant Set of Policy Wizard, 11-9
user settings, IntelliMirror, 1-28
Users folder, 8-10 to 8-11
Users group
  assigning yourself to, 8-29
  defined, 8-10
user strategies
  further reading, 17-4
  OU implementation, 17-3, 17-28 to 17-34
  OU planning, 17-3, 17-20 to 17-28
  overview, 17-1
  security groups, 17-2, 17-5 to 17-13
  skills and suggested practices, 17-2 to 17-3
  user authentication, 17-2, 17-14 to 17-19
UTC (Coordinated Universal Time), 5-6

V
verbose logging, enabling, 11-53 to 11-54
verification
  delegated permissions, 9-40
  domain names, 2-10
  trusts, 4-62 to 4-64
viewing. See also Event Viewer
  filtering administrative template, 10-12
  operations master role assignments, 4-30 to 4-31
  RSoP queries, 11-16 to 11-20
  security analysis results, 13-72 to 13-73
  security log, 13-46 to 13-47
  setting System Monitor display options, 14-11 to 14-13
  site license server, 5-19
  System Monitor display options, 14-9

W
WANs (wide area networks)
  global catalog servers, 15-3, 15-7 to 15-8, 15-10 to 15-11
  site management, 16-14
  site topology, 15-29, 15-31
Whoami utility, 9-15
wide area networks. See WANs (wide area networks)
Windows 2000
  domain functional levels, 15-16 to 15-17
  forest and domain structure, implementing, 15-22, 15-26 to 15-27
  forest and domain structure, managing, 16-8 to 16-11
  forest functional levels, 15-17
Windows 2000 mixed
  deleting external trusts, 4-65
  domain functional level, 3-4 to 3-7
  forest functional level, 3-7 to 3-8
Windows 2000 native, 3-4 to 3-7
Windows 2000 Server, 11-33
Windows Components, Administrative Templates node, 10-11
Windows Firewall
  affecting results of Dsquery command, 9-4
  configuring for RSoP, 11-4, 11-8, 11-22
  creating user accounts and, 7-13
  online resources, 10-14
Windows Installer packages, 12-21 to 12-28
  .msi files, 12-5
  adding to GPO, 12-20 to 12-21
  advanced deployment, 12-25
  best practices, 12-28 to 12-29
  categories, 12-25 to 12-26
  customizing, 19-14
  defined, 12-54
  deployment, 12-23 to 12-24
  installation user interface options, 12-25
  modifications, 12-26 to 12-27
  overview of, 12-9 to 12-11, 12-21 to 12-22
  renaming default package, 12-22
  security, 12-27 to 12-28
  support URL, 12-22
Windows Installer service, 12-5 to 12-6, 12-9 to 12-11
Windows Management Instrumentation. See WMI (Windows Management Instrumentation)
Windows NT
  consolidating domains when upgrading from, 2-7
  creating multiple domains in, 4-5
  deleting external trusts, 4-65
  trusts in, 4-39
Windows NT 4
  delegation of administration, 15-32
  domain structure, 15-21 to 15-23, 15-26 to 15-27
Windows Server 2003
  Active Directory features, A-3 to A-7
  adding preconfigured MMCs, 3-19
  application directory partitions, A-4
  backing up system state data, 3-30 to 3-31
  backup media, A-4
  change features, A-5 to A-7
  command-line tools, A-3 to A-4, A-5
  configuration features, A-5 to A-7
  cross-forest support, A-6
  delegation of administration, 15-33
  deleting external trusts, 4-65
  directory objects, A-3
  directory services, 1-5
  domain controllers, A-6
  domain functionality, A-4
  domain functional level, 3-5 to 3-7, 15-16 to 15-17
  domain names, A-6
  domain-wide features, A-6 to A-7
  drag-and-drop functionality, A-3
  dynamic auxiliary classes, A-7
  extending tombstone lifetime in, 3-10
  Folder redirection, A-5
  folder redirection in, 11-33
  forest and domain structure, implementing, 15-4, 15-21 to 15-23, 15-26 to 15-27
  forest and domain structure, managing, 16-8 to 16-11
  forest functional level, 3-8
  forest functional levels, 15-17, A-4
  forest restructuring, A-7
  forest-wide features, A-6 to A-7
  Global Catalog replication, A-7
  global catalog servers, 15-8 to 15-10
  Group Policy and, A-5
  InetOrgPerson class, A-4
  integrating into existing domains, 3-5
  LDAP and, A-4
  operations master role placement, 15-13
  operations master roles and, 4-23
  OU implementation, 17-29
  OU planning, 17-23 to 17-24
  quotas, A-5
  replication enhancements, A-7
  RSoP and, A-5
  saved queries, A-3
  schema objects, A-7
  search capabilities, A-3
  security groups, 17-8
  site topology, 15-29
  software installation options, A-6
  software restriction policies, A-6
  trusts in, 4-39
  universal group membership caching, A-4
  user resource access control, A-7
  warning message about moving objects, 6-18
  Windows Firewall affecting creation of user accounts, 7-13
Windows Server 2003 interim
  domain functional level, 3-5 to 3-7
  forest functional level, 3-7 to 3-8
Windows Server Update Services (WSUS), 10-14
Windows Settings node, 10-9 to 10-10
Windows Settings, RSoP query results, 11-17
Windows Support Tools
  Active Directory administration, 3-11 to 3-14
  installing, 2-46
  Netdom command, 4-67
  online resource, 2-47
  Repadmin.exe, 5-63
  Replmon.exe, 5-61
Windows versions
  supporting Group Policy Objects, 10-5
  supporting redirected folders, 11-33
Winnt command, 15-21, 15-25
Wireless Network Policy Wizard, 13-8
WMI Filters For Computers page, Resultant Set of Policy Wizard, 11-14
WMI Filters For Users page, Resultant Set of Policy Wizard, 11-14
WMI (Windows Management Instrumentation)
  filtering GPO scope with, 10-20
  resources for, 11-4
  RSoP Planning mode options, 11-6
workgroups, applying Group Policy settings to, 10-18
WSUS (Windows Server Update Services), 10-14
Wuau.adm template, 10-14
