Planning, Implementing, and Maintaining a Microsoft Windows Active Directory Infrastructure
The objectives for exam 70-294 focus more on the theoretical aspects of Active Directory implementation in Windows Server 2003 than those of any other exam in the new track. The objectives are:
Planning and Implementing an Active Directory Infrastructure
- Plan a strategy for placing global catalog servers.
  - Evaluate network traffic considerations when placing global catalog servers.
  - Evaluate the need to enable universal group caching.
- Plan flexible operations master role placement.
  - Plan for business continuity of operations master roles.
  - Identify operations master role dependencies.
- Implement an Active Directory directory service forest and domain structure.
  - Create the forest root domain.
  - Create a child domain.
  - Create and configure Application Data Partitions.
  - Install and configure an Active Directory domain controller.
  - Set an Active Directory forest and domain functional level based on requirements.
  - Establish trust relationships. Types of trust relationships might include external trusts, shortcut trusts, and cross-forest trusts.
- Implement an Active Directory site topology.
  - Configure site links.
  - Configure preferred bridgehead servers.
- Plan an administrative delegation strategy.
  - Plan an organizational unit (OU) structure based on delegation requirements.
  - Plan a security group hierarchy based on delegation requirements.

Managing and Maintaining an Active Directory Infrastructure
- Manage an Active Directory forest and domain structure.
  - Manage trust relationships.
  - Manage schema modifications.
  - Add or remove a UPN suffix.
- Manage an Active Directory site.
  - Configure replication schedules.
  - Configure site link costs.
  - Configure site boundaries.
- Monitor Active Directory replication failures. Tools might include Replication Monitor, Event Viewer, and support tools.
  - Monitor Active Directory replication.
  - Monitor File Replication service (FRS) replication.
- Restore Active Directory directory services.
  - Perform an authoritative restore operation.
  - Perform a nonauthoritative restore operation.
- Troubleshoot Active Directory.
  - Diagnose and resolve issues related to Active Directory replication.
  - Diagnose and resolve issues related to operations master role failure.
  - Diagnose and resolve issues related to the Active Directory database.

Planning and Implementing User, Computer, and Group Strategies
- Plan a security group strategy.
  - Plan a user authentication strategy.
  - Plan a smart card authentication strategy.
  - Create a password policy for domain users.
- Plan an OU structure.
  - Analyze the administrative requirements for an OU.
  - Analyze the Group Policy requirements for an OU structure.
- Implement an OU structure.
  - Create an OU.
  - Delegate permissions for an OU to a user or to a security group.
  - Move objects within an OU hierarchy.

Planning and Implementing Group Policy
- Plan Group Policy strategy.
  - Plan a Group Policy strategy by using Resultant Set of Policy (RSoP) Planning mode.
  - Plan a strategy for configuring the user environment by using Group Policy.
  - Plan a strategy for configuring the computer environment by using Group Policy.
- Configure the user environment by using Group Policy.
  - Distribute software by using Group Policy.
  - Automatically enroll user certificates by using Group Policy.
  - Redirect folders by using Group Policy.
  - Configure user security settings by using Group Policy.
- Deploy a computer environment by using Group Policy.
  - Distribute software by using Group Policy.
  - Automatically enroll computer certificates by using Group Policy.
  - Configure computer security settings by using Group Policy.

Managing and Maintaining Group Policy
- Troubleshoot issues related to Group Policy application deployment. Tools might include RSoP and the gpresult command.
- Maintain installed software by using Group Policy.
  - Distribute updates to software distributed by Group Policy.
  - Configure automatic updates for network clients by using Group Policy.
- Troubleshoot the application of Group Policy security settings. Tools might include RSoP and the gpresult command.
The biggest difference in Active Directory between Windows Server 2003 and earlier versions is that Microsoft has tweaked it for greater speed and scalability. The forest trust was added to make transitive trust relationships simpler between the root domains of different forests.
Global Catalog Servers:
The Global Catalog can be thought of as a database, or master directory, of all Active Directory objects in all of the domains. The global catalog is used during the logon process and to locate resources and objects in different domains. Because Global Catalog Servers answer these queries, response time can be reduced by increasing the number of Global Catalog Servers so that each large office has at least one (letting computers search locally instead of crossing slow links). Be careful, though: too many GC servers in a network can cause excessive network traffic.
The Global Catalog is automatically created on the first domain controller created in a forest, and other domain controllers can be configured to act as GC servers as well. To provide fault tolerance, additional Global Catalog servers should be created and kept available.
FSMOs:
Special roles can be assigned to domain controllers so that they act as single master roles. A single master role is not permitted to be held at more than one location on the network at the same time.
The role can be Active Directory related (domain controllers) or purely service-oriented. Among those that are Active Directory related, there are five FSMO (Flexible Single Master Operations) roles:
1. PDC (Primary Domain Controller) emulator - used for backward compatibility
2. RID (Relative ID) Master - holds the pool of ID numbers to be used
3. Infrastructure Master - handles updates and name changes
4. Domain Naming Master - by default the first domain controller in a forest
5. Schema Master - oversees all schema operations
The domain controller holding one of these roles is known as the role master. Microsoft recommends that the PDC emulator and RID master be kept on the same domain controller, and that the Domain Naming Master be placed on a Global Catalog server.
The five operations master roles are responsible for keeping track of and originating replication of the data they own, and are divided into two categories: forestwide and domainwide.
Forestwide
Note: Both the Schema master and the Domain Naming master should be on the same domain controller.
- Schema master
  - Only one schema master in the forest (can have standbys)
  - Controls schema updates and modifications
  - Failure of the schema master can go unnoticed until a change is made to the schema
  - If the schema master role is seized permanently, the original server must not be brought back online without formatting it and reinstalling the operating system
- Domain naming master
  - Only one domain naming master in the forest (can have standbys)
  - The only server responsible for controlling the addition or removal of domains in the forest
  - Failure of the domain naming master can go unnoticed until a domain is added to or removed from the forest
  - If the current Domain Naming Master server becomes permanently unavailable, its role should be seized. If the domain naming master role is seized permanently, the original server must not be brought back online without formatting it and reinstalling the operating system
Domainwide
- Relative ID (RID) master
  - Each domain has one relative ID master
  - Responsible for management of relative IDs (object security)
  - A SID is generated for each domain object; it consists of the domain security ID (the same for all objects in the domain) and a unique relative ID
  - Responsible for initiating the move when moving objects between domains (MOVETREE is a utility used to move objects between domains)
  - Failure of the relative ID master can go unnoticed until an administrator attempts to create domain objects and the domain runs out of available relative identifiers
  - If the relative ID master role is seized permanently, the original server must not be brought back online without formatting it and reinstalling the operating system
- Primary Domain Controller (PDC) emulator
  - Each domain has only one PDC emulator
  - Provides support for client systems
  - Receives preferential replication of any password changes
  - If logon authentication fails at any domain controller, the request is forwarded to the PDC emulator
  - Acts as a Windows NT PDC, providing updates to any Windows NT BDCs during a migration to Active Directory
  - Failure of the PDC emulator can immediately affect network users
  - If the PDC emulator role is seized, the original server can be brought back online and returned to the PDC emulator role
- Infrastructure master
  - Each domain has only one infrastructure master
  - Updates group or user references when a group contains members from a different domain and the membership changes
  - If placed on a Global Catalog server, the infrastructure master cannot do its job properly, because out-of-date data will not be detected and therefore will not be replicated; because of this, the Infrastructure Master should not be located on a global catalog server
  - Failure of the infrastructure master can go unnoticed unless a number of changes have been made
  - If the infrastructure master role is seized, the original server can be returned to the infrastructure master role when brought back online
The Domain Naming master allows additions, removals, and some modifications of all domains in the forest. It also generates the unique SID for every domain in the forest. The Infrastructure master updates group-to-user references when changes occur. It is recommended that the Infrastructure master be placed on a domain controller that is not a global catalog server, to even the load and separate the burden of each role.
The PDC Emulator master is used for interoperability with older clients. The RID master and PDC Emulator roles should be placed on the same domain controller (if it is not overloaded) or, if it is, on separate operations master domain controllers (making sure that both have direct connection objects to the standby PDC emulator and RID master servers).
The RID (Relative ID) master issues IDs to domain controllers as needed (10,000 at a time). The Schema master controls all updates to the schema. The Schema master and Domain Naming master are forest-wide in nature, whereas the RID, Infrastructure, and PDC Emulator masters are domain-based (only one server in each domain holds each of these roles).
Active Directory Structure:
Active Directory is a database that stores information about objects in the network (such as users, computers, printers, and shared folders) in a central location. The Active Directory naming scheme follows the path forest, tree(s), domains. Active Directory depends on DNS (Domain Name System) in order to work; in the absence of DNS there is, effectively, no Active Directory. Active Directory is designed to be scalable and to interoperate with other name services.
Active Directory names are equivalent to DNS names and use the SRV records of DNS to store information about services, thereby creating "dynamic DNS." To refer to a host in a domain, you use a fully qualified domain name (FQDN). It is recommended that the registered DNS name your company already has, if it is connected to the Internet, be used as the Active Directory root domain.
A forest can consist of either a single domain or multiple domains (therefore, by definition, a single domain can also be a tree). A tree is a contiguous namespace, meaning the child has the parent as part of its name. Each tree has its own identity within the forest.
Domains are partitions: entities that can be combined into trees and forests but that operate with some autonomy. Domains contain objects and/or organizational units (OUs). An OU is a container for organizing objects within a domain into logical sub-groupings. A domain is an administrative as well as a security boundary, since administrative privileges do not extend past domain boundaries. The Active Directory root domain has to be unique within the DNS realm it works with.
Reasons for creating OUs (organizational units)
include: to control access to resources, to create group
policy objects, to delegate administration, and/or to
group common objects.
The simplest network is a network with one domain.
Reasons for creating additional domains include: to
isolate replication traffic, to retain existing NT domain
structures, to support decentralized administration, to
support international boundaries, and/or to support more
than one domain policy. Factors to consider when deciding
to create more than one domain include replication,
security, and overhead.
Objects are organized in a hierarchical structure rather than by physical location and can include:
- Users
- Groups
- Computers
- Shared resources
- Security information
Active Directory key concepts to focus on are:
- Objects: Object classes such as users, groups, computers, services, printers, security policies, etc. are collections of object attributes.
- Schema: A database structure made up of attribute definitions and object definitions known as schema objects or metadata (data about data). Adding new attributes can extend a schema; however, once a schema object is created it can be disabled but not deleted. Write access to the schema is restricted to the Administrators group.
Active Directory Schema Objects
- stored in Active Directory
- arranged in a logical hierarchy, the Directory Information Tree (DIT)
- includes a preconfigured database, the base DIT, that contains the information required to install and run the operating system and Active Directory
- one section of the base DIT holds the base schema
- schema objects are located in the Schema container
Active Directory Schema Container
- a special-purpose object class
- the topmost object of the schema directory partition (cn=schema,cn=configuration,dc=<forest root domain name>)
- contains all of the class and attribute definitions that are required to locate objects in Active Directory and to create new objects
Active Directory DIT and Partitions
- DIT = Directory Information Tree
- divided into directory partitions
- a directory partition is a tree of directory objects
- a directory partition forms a unit of replication in Active Directory
Site link bridges are used to connect sites together and to model the routing behavior of a network. Within a site, replication traffic is carried out via Remote Procedure Calls over IP, while between sites it is done through either RPC or SMTP.
The purpose of the Knowledge Consistency Checker (KCC) is to generate a replication topology for both intra-site and inter-site replication. Windows Server 2003 uses a different calculation from the one used with Windows 2000 in order to speed up intersite replication.
The REPADMIN command-line utility allows you to do such things as check the KCC status, see when the last partner replication took place, and disable compression on intersite replication.
A forest is a collection of Active Directory domains. All trees within a forest have different naming structures but share a common schema.
Trees are groupings of domains that share contiguous namespaces and a hierarchical naming structure.
- Single Domain: One domain that is the first and only tree's root domain as well as the forest's root. OUs are used to build out the structure of Active Directory and should be kept to a minimum.
- Tree with Multiple Domains: Used when implementing different security policies in remote offices, or to limit administrative control between different locations.
- Forest with Multiple Trees: Each tree has its own unique namespace, and all are part of the same Active Directory. Each tree is identified by the DNS name of its root domain. The trees share a common schema, configuration information, and Global Catalog.
Naming of objects in Active Directory is a critical issue.
- Each Active Directory object must be uniquely identified.
- Domain Name System (DNS) is required for Active Directory. NETLOGON.DNS is the file that holds the DNS entries for Active Directory. It resides beneath the System32\Config folder.
- Object names must follow an established naming convention.
The following are common name formats:
- LDAP Distinguished Name (DN). A DN exists for every object in Active Directory. The values cannot be duplicates; they must be unique.
- LDAP Relative Distinguished Name (RDN). RDNs need not be unique if they exist in separate OUs.
- User Principal Name (UPN). These are often referred to as "friendly names."
LDAP functionality is a key component of Active Directory, which employs similar naming standards. LDAP functionality makes Active Directory compatible with other naming strategies (such as BIND). LDAP is a derivative of X.500. LDAP uses four different name types: 1) Distinguished name, 2) Relative Distinguished name, 3) User Principal name, and 4) Canonical name.
The Distinguished name, in LDAP, is the full path, including containers, of the object. The Relative Distinguished name (RDN), in LDAP, is the portion of the name that is unique within its container. The User Principal name, in LDAP, is the user-friendly name. The Canonical name, in LDAP, is a top-down notation of the Distinguished name.
Real-time LDAP, also known as LDAPv3, is now supported, and digest authentication is now available for secure queries to a domain controller.
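As an added example (not from the original notes), the Python below works through the LDAP name formats just described: it splits a DN into its RDNs, derives the canonical (top-down) name, and checks the uniqueness rule that an RDN must be unique within its container but may repeat in another OU. The sample DNs are constructed and do not come from a real forest.

```python
import re

def split_dn(dn):
    """Split a distinguished name into its RDN strings, leaf first.
    A backslash escapes the next character, so 'CN=Smith\\, John' stays one RDN."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)  # keep the escape so the RDN remains valid LDAP
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip())
    return rdns

def rdn(dn):
    """Relative distinguished name: the leaf component of the DN."""
    return split_dn(dn)[0]

def parent_dn(dn):
    """DN of the container that holds the object (everything after the RDN)."""
    return ",".join(split_dn(dn)[1:])

def _unescape(value):
    # Drop LDAP backslash escapes to get the displayable attribute value.
    return re.sub(r"\\(.)", r"\1", value)

def canonical_name(dn):
    """Top-down notation of the DN: the DNS domain built from the dc= components,
    then the container path and the object name, separated by '/'."""
    parts = []
    for component in split_dn(dn):
        attr, value = component.split("=", 1)
        parts.append((attr.strip().lower(), _unescape(value.strip())))
    domain = ".".join(value for attr, value in parts if attr == "dc")
    path = [value for attr, value in reversed(parts) if attr != "dc"]
    return "/".join([domain] + path)

def rdn_collisions(dns):
    """Return the DNs whose RDN duplicates another object's RDN in the same
    container, which the directory does not allow. Matching is case-insensitive."""
    seen, duplicates = set(), []
    for dn in dns:
        key = (parent_dn(dn).lower(), rdn(dn).lower())
        if key in seen:
            duplicates.append(dn)
        seen.add(key)
    return duplicates

# Constructed sample directory (not a real forest).
SAMPLE_DNS = [
    "CN=Smith\\, John,OU=Sales,OU=Corp,DC=example,DC=com",
    "CN=Alice,OU=Sales,OU=Corp,DC=example,DC=com",
    "CN=Alice,OU=Dev,OU=Corp,DC=example,DC=com",    # same RDN in another OU: allowed
    "cn=alice,ou=sales,ou=corp,dc=example,dc=com",  # duplicate RDN within Sales: not allowed
]

if __name__ == "__main__":
    for dn in SAMPLE_DNS:
        print(f"{rdn(dn):20} -> {canonical_name(dn)}")
    print("collisions:", rdn_collisions(SAMPLE_DNS))
```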
Sites
- Groups of subnets and domain controllers connected through a reliable high-speed connection, used to partition Active Directory into logical groups
- A set of one or more IP subnetwork addresses
- Controls how replication is managed, logon traffic and DFS topology
Active Directory Sites
- Domain controllers get added to the Default-First-Site-Name object, which is created automatically
- Intersite replication occurs between two or more sites over manually created links based on a replication schedule
- To minimize network traffic, data is compressed to about 10-15% of its volume before intersite replication is transmitted
- Active Directory domains are defined by the network's logical structure
- Sites are based on the network's physical structure
- Sites can include:
  - All Active Directory domain controllers
  - Some of the Active Directory domain controllers
  - Domain controllers from different Active Directory domains
Site Links
Site links specify how Active Directory will connect sites within the network and inform Active Directory of favorable replication links. "Active Directory Sites and Services" is used to create sites and site links.
- When Active Directory is installed, a default site link (DEFAULTIPSITELINK) is created
- The transport used for transferring data between sites:
  - Remote Procedure Call (RPC) over TCP/IP [seen as IP] - required for File Replication Services
  - Simple Mail Transfer Protocol (SMTP) - used for schema partition, configuration partition and Global Catalog replication. Does not support replication between domain controllers in the same domain. SMTP is asynchronous, whereas RPC is synchronous.
- Cost value determines which site link to use when multiple paths are available
  - The lower the cost, the higher the priority
  - Based on bandwidth and priority
  - Default cost is 100
- Scheduling controls when replication occurs
  - Set through the link schedule
  - The "Replicate every" property determines how long a connection waits before checking for updates (15-10,080 minutes)
  - By default a link is always available
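As an added example, not part of the original notes, the Python below models how the cheapest route between two sites is chosen when site links are bridged: each site link joins its member sites at the link's cost, links chained into one route must have overlapping schedules, and the lowest total cost wins (a direct link with the default cost of 100 loses to a two-hop route costing 90). The topology, costs and schedules are constructed for illustration; `least_cost_route` and its `bridge_all` switch are this example's own names.

```python
import heapq

# Constructed sample topology (not a real network). Each site link is
# (name, cost, member sites, hours of the day in which its schedule allows replication).
ALL_DAY = frozenset(range(24))
SITE_LINKS = [
    ("DEFAULTIPSITELINK", 100, frozenset({"HQ", "Branch"}), ALL_DAY),                      # default cost
    ("HQ-Datacenter",      50, frozenset({"HQ", "Datacenter"}), ALL_DAY),
    ("Datacenter-Branch",  40, frozenset({"Datacenter", "Branch"}), frozenset(range(0, 6))),  # nights only
]

def least_cost_route(links, src, dst, bridge_all=True):
    """Return (total cost, [link names]) for the cheapest usable route from src
    to dst, or None when no route exists.

    With bridge_all=True (the 'bridge all site links' default) a route may chain
    several links, and the schedules of every link on the chain must overlap.
    With bridge_all=False only a direct site link between the two sites counts.
    Dijkstra-style search: link costs are positive, so the first time dst is
    popped from the heap its cost is the minimum."""
    heap = [(0, 0, src, [], ALL_DAY)]  # (cost, tie-breaker, site, links used, hours still available)
    counter = 1
    while heap:
        cost, _, site, path, hours = heapq.heappop(heap)
        if site == dst:
            return cost, path
        if not bridge_all and path:
            continue  # without bridging there are no transitive routes
        for name, link_cost, members, schedule in links:
            if site not in members or name in path:
                continue
            overlap = hours & schedule
            if not overlap:
                continue  # the schedules never coincide, so this link is unusable on this route
            for nxt in members:
                if nxt != site:
                    heapq.heappush(heap, (cost + link_cost, counter, nxt, path + [name], overlap))
                    counter += 1
    return None

if __name__ == "__main__":
    print("bridged:     ", least_cost_route(SITE_LINKS, "HQ", "Branch"))
    print("direct only: ", least_cost_route(SITE_LINKS, "HQ", "Branch", bridge_all=False))
```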
Active Directory Infrastructure:
LDAP is the main access protocol for Active Directory. LDAP is an Internet standard used to exchange information between applications and directories.
- Replication: automatic updates of Active Directory between servers. The Knowledge Consistency Checker (KCC) is responsible for generating replication information within a forest. The KCC runs on each domain controller automatically. REPLMON is used to show the replication topology and monitor its status. It can also be used to force replication or a KCC recalculation.
Replication
Replication to all domain controllers occurs every 15 minutes by default but can be forced through Active Directory Sites and Services: expand the domain controller under Sites\Default-First-Site-Name\Servers, select NTDS Settings, right-click it, and select Replicate Now.
Compression is used when replication is between sites. Multimaster replication is employed by Active Directory to keep all domain controllers as peers.
Active Directory Connector (ADC) is used for replication between Exchange and Active Directory.
Active Directory Replication
- Changes made to Active Directory need to be propagated to all domain controllers
- Uses a multiple-master replication model whereby all domain controllers are equal
Intrasite Replication
- Automatic replication between domain controllers in the same site
- Uses Remote Procedure Call (RPC) communication to control notification. RPC is used for replication traffic within a site, and the data it sends is uncompressed.
  - Replication latency is the delay between when a change is made on one domain controller and when it is replicated to the other domain controllers.
  - Replication convergence occurs after replication has taken place: all domain controllers are up to date and no new changes remain to be sent.
Event Viewer is the primary tool used for viewing log files. In addition to the three logs that have always existed (Application; System, which contains information about services and drivers that fail to start; and Security), there are now logs for Directory Services, File Replication Service, and DNS, if those services are in use.
Group Strategy:
It is highly recommended to put users into groups and give permissions to the groups. In Windows Server 2003, the following types of groups exist:
- Machine local
- Domain local
- Global
- Universal
- Builtin - these are Domain local groups that exist for compatibility with Windows NT. By default, the following groups are found on all Windows Server 2003 systems: Administrators, Backup Operators, Guests, Network Configuration Operators, Power Users, Print Operators, Remote Desktop Users, Replicator, and Users. These built-in users and groups cannot be deleted.
By default, the Everyone group is given Read permission when a file is shared. This differs from earlier operating systems, in which Everyone was assigned Full Control permission on all new shares.
Distribution groups are used for non-security-related purposes. Security groups are used to assign permissions to a grouping of users for accessing one or more objects.
Active Directory Structures:
When deciding whether to implement Active Directory in an existing or planned network, it is important to detail the possible impact of doing so.
Access patterns need to be taken into account during the analysis: Are all the resources centralized, or are they dispersed? When users need to access a resource, is it within their LAN 80% of the time, or only 20% (meaning they access the WAN 80% of the time)? What are the implications of the resources being centralized versus dispersed? What are the implications of the resource being within the LAN 80% of the time versus 20%?
The geographic scope, as well as the owner or organization responsible for the company, falls under company size analysis.
When doing user and resource distribution analysis, the main questions are: Where are the users? How are they serviced? How do they reach the resources (servers, printers, etc.)? Do they reach them via hubs, switches, routers, or bridges? Via modems or proxy servers?
Connectivity between sites must be factored in. What bandwidth is employed? Are there leased lines or dial-up connections (with or without multilink)?
Speeds employed on WANs differ by technology. The most common technologies are modems (analog, ISDN, DSL, and cable) and leased lines (T1, T3, E1, E3). An analog/traditional modem requires a single phone line for a connection and is limited in speed to approximately 57,600bps. ISDN (Integrated Services Digital Network) requires two phone lines and can reach a speed of approximately 128,000bps. DSL (Digital Subscriber Line) uses existing (copper) phone lines and is available only in certain areas: you must be within a short distance of a switching station, and speeds can reach 9Mbps. The closer you are to the central office, the faster the speed that is possible (and the different the type of DSL available - ADSL, HDSL, etc.). Cable modems work over the coaxial cable from the cable television company; the speed, though reduced as the number of users grows, is approximately 2Mbps. T1 is a dedicated line that operates across 24 channels at 1.544Mbps. T3 is a dedicated line of 672 channels able to run at speeds of 43Mbps. E1 is the European counterpart to T1; it uses 32 channels and can run at 2.048Mbps. E3 is the European counterpart to T3.
Connectivity can include hubs, switches, bridges, and routers. You must determine which topologies are employed (star versus mesh, etc.).
User Authentication:
Security groups are groups listed in DACLs (Discretionary Access Control Lists) for the purpose of setting permissions for access to resources and objects.
According to AccessingResources_Domains.asp in TechNet:
It is important to understand the following security group concepts before you begin the planning process:
- Security groups. User rights can be applied to groups in Active Directory while permissions can be assigned to security groups on member servers hosting a resource.
- Group nesting. The ability to nest security groups is dependent on group scopes and domain functionality.
- Group scope. Group scope helps determine the domain-wide and forest-wide access boundaries of security groups.
- Domain functionality. The domain functional level of the trusting and trusted domains can affect group functionality such as group nesting.
Once you have gained a thorough understanding of security group concepts, determine the resource needs of each department and geographical division to assist you with the planning effort.
Best practices for controlling access to shared resources across domains
By carefully using domain local, global, and universal groups, administrators can more effectively control access to resources located in other domains. Consider the following best practices:
- Organize domain users based on administrative needs, such as their locations or departments, and then create a global group, and add the appropriate user accounts as members.
- Create a domain local group, and add all global groups from the other domain that need the same access to a resource in your domain.
- Assign the required permissions on the shared resource to the domain local group.
Group Policy:
RSoP (Resultant Set of Policy) is a new tool included with Windows Server 2003 that shows how permissions and policies overlap. It factors in inheritance and other factors and shows the resulting policy that applies to the user or computer in an Active Directory tree. Gpresult is a command-line utility that can perform the same function as RSoP.
Windows Server 2003 includes GPUPDATE, a new utility that replaces the SECEDIT switches for group policy updates. SECEDIT still exists in 2003, but it is now used only for applying changes and reporting on them.
Group Policy
Group Policy is a component of Active Directory used to restrict users and enforce limitations. Operating systems prior to Windows 2000 must use system policies, created with the POLEDIT utility.
- Reduces Total Cost of Ownership (TCO)
- Implemented through Group Policy Objects (GPOs) and applied to User and Computer Configurations
- The three possible settings for a policy are Not Configured, Enabled, and Disabled
Group Policies can be used to assign and publish software. Assigning software causes the software to be installed regardless of whether it is used. Published software is available to the users/machines, but it is not installed automatically. Software can be assigned to a user or computer, but published only to users (not computers).
Disk quotas can be assigned via group policies to restrict how much space a user is allowed to have in specific folders.
Group policies are applied in the order Site, then Domain, and then Organizational Unit (OU).
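As an added example (not from the original notes), the Python below computes a resultant set of policy the way RSoP reasons about it: GPOs are applied Site, then Domain, then OU; for each setting the GPO applied last wins; and a Not Configured value leaves the inherited value untouched. It goes beyond the notes by also modelling the Block Inheritance and Enforced link options. The containers, GPO names and setting names are constructed, and `resultant_policy` is this example's own function.

```python
NOT_CONFIGURED = None  # the 'Not Configured' state: inherit whatever applies from above

def resultant_policy(chain):
    """Compute the resultant set of policy for one user or computer.

    chain is the object's container path in processing order (site, domain,
    then OUs from parent to child). Each entry is (container, block_inheritance,
    links); links is a list of (gpo_name, enforced, settings) in the order the
    links are applied within that container, so the last one applied wins.

    Returns (settings, winners): the effective value of each setting and the
    GPO that supplied it."""
    normal, enforced = [], []
    for container, block_inheritance, links in chain:
        if block_inheritance:
            normal = []  # Block Inheritance discards the non-enforced GPOs linked above this container
        for gpo, is_enforced, settings in links:
            (enforced if is_enforced else normal).append((container, gpo, settings))
    # Enforced GPOs are applied after everything else, and an enforced link on a
    # parent beats an enforced link on a child, so they are applied child-first.
    order = normal + list(reversed(enforced))
    result, winners = {}, {}
    for container, gpo, settings in order:
        for setting, value in settings.items():
            if value is NOT_CONFIGURED:
                continue  # leaves the value inherited so far in place
            result[setting] = value
            winners[setting] = f"{gpo} @ {container}"
    return result, winners

# Constructed sample: a user in OU=Sales, whose OU blocks inheritance while the
# domain enforces its security GPO.
SAMPLE_CHAIN = [
    ("Default-First-Site-Name", False, [
        ("Site Baseline", False, {"ScreenSaverTimeout": 900, "RemoveRunMenu": "Enabled"}),
    ]),
    ("example.com", False, [
        ("Domain Security", True, {"ScreenSaverTimeout": 600, "DisableRegistryTools": "Enabled"}),
    ]),
    ("OU=Sales", True, [
        ("Sales Desktop", False, {"ScreenSaverTimeout": 1800, "RemoveRunMenu": "Disabled",
                                  "DisableRegistryTools": NOT_CONFIGURED}),
    ]),
]

if __name__ == "__main__":
    settings, winners = resultant_policy(SAMPLE_CHAIN)
    for name in sorted(settings):
        print(f"{name:22} = {settings[name]!s:10} (from {winners[name]})")
```

The site GPO is dropped by the block on OU=Sales, the Sales GPO sets what it configures, and the enforced domain GPO still overrides the screen saver timeout.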
Creating and Modifying Group Policies
- Group policy settings are refreshed throughout the network, on average every 90 minutes
- Domain Controllers refresh on average every 5 minutes
- The refresh interval for Domain Controllers can be modified through Group Policy settings
- When deleting a GPO, any links are automatically dropped without warning
- Filtering GPOs allows Group Policies to be applied to individual users rather than all users and computers in an OU
GPO Tools
Gpotool.exe utility
- Used to check GPOs
- Used to view information about specific GPOs
- Checks GPO consistency
- Checks GPO replication
Gpresult.exe utility
- Used to determine if a problem is related to group policies
- Analyzes the group policies that are applied for the current user or computer
- The report displays which policy settings are applied for the user
Design Suggestions:
- Limit the number of users allowed to modify GPOs to a minimum
- Documentation
- Keep it as simple as possible