Active Directory consists of a series of components that constitute both its logical structure and its
physical structure. It provides a way for organizations to centrally manage and store their user objects,
computer objects, group membership, and define security boundaries in a logical database structure.
Active Directory stores information about users, computers, and network resources
and makes the resources accessible to users and applications. It provides a
consistent way to name, describe, locate, access, manage, and secure information
about these resources.
The physical structure of Active Directory enables you to use network bandwidth
more efficiently. For example, it ensures that, when users log on to the network,
the authentication authority nearest to the user authenticates them,
reducing the amount of network traffic.
Sites are defined as groups of well-connected computers. When you establish sites, domain
controllers within a single site communicate frequently. This communication minimizes the
latency within the site; that is, the time required for a change that is made on one domain
controller to be replicated to other domain controllers. You create sites to optimize the use of
bandwidth between domain controllers that are in different locations.
Operations Master Roles
When a change is made to a domain, the change is replicated across all of the
domain controllers in the domain. Some changes, such as those made to the schema,
are replicated across all of the domains in the forest. This replication is called
multimaster replication.
Operations that use single-master replication are arranged together in specific roles in
a forest or domain. These roles are called operations master roles. For each
operations master role, only the domain controller that holds that role can make the
associated directory changes. The domain controller that is responsible for a particular
role is called an operations master for that role. Active Directory stores information
about which domain controller holds a specific role.
Forest-wide Roles
Forest-wide roles are unique to a forest. The forest-wide roles are:
● Schema master
Controls all updates to the schema. The schema contains the master list of object classes and attributes
that are used to create all Active Directory objects, such as users, computers, and printers.
● Domain naming master
Controls the addition or removal of domains in the forest. When you add a new domain to the forest,
only the domain controller that holds the domain naming master role can add the new domain.
There is only one schema master and one domain naming master in the entire forest.
Domain-wide Roles
Domain-wide roles are unique to each domain in a forest. The domain-wide roles are:
● Primary domain controller emulator (PDC)
● RID master
When a new object is created, the domain controller creates a new security
principal that represents the object and assigns the object a unique security
identifier (SID). This SID consists of a domain SID, which is the same for all
security principals created in the domain, and a RID, which is unique for each
security principal created in the domain. The RID master allocates blocks of RIDs
to each domain controller in the domain. The domain controller then assigns a
RID to objects that are created from its allocated block of RIDs.
● Infrastructure master
When objects are moved from one domain to another, the infrastructure master
updates object references in its domain that point to the object in the other
domain. The object reference contains the object’s globally unique identifier
(GUID), distinguished name, and a SID. Active Directory periodically updates the
distinguished name and the SID on the object reference to reflect changes made
to the actual object, such as moves within and between domains and the deletion
of the object.
catalog. If you search for an object that you do not have the appropriate
permissions to view, the object will not appear in the search results. Access
permissions ensure that users can find only objects to which they have been
assigned access.
A global catalog server is a domain controller that, in addition to its full, writable
domain directory partition replica, also stores a partial, read-only replica of all other
domain directory partitions in the forest. Taking a user object as an example, it would
by default have many different attributes such as first name, last name, phone
number, and many more. The GC will by default only store the most common of those
attributes that would be used in search operations (such as a user’s first and last
names, or login name, for example). The partial set of attributes that it holds for an object
is enough for a search to locate the full replica of the object in Active Directory. This allows
searches to be done against a local GC and reduces the WAN traffic that would otherwise be
needed to locate objects elsewhere in the network.
Domain Controllers always contain the full attribute list for objects belonging to their domain. If the
Domain Controller is also a GC, it will also contain a partial replica of objects from all other domains
in the forest.
Active Directory uses DNS as the name resolution service to identify domains and
domain host computers during processes such as logging on to the network.
Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows
XP computer. It has replaced the secedit command. To use gpupdate, open a command
prompt and type:
As with secedit, these parameters will only refresh any user or computer policies that have changed
since the last refresh. To force a reload of all group policies regardless of the last change, use:
gpupdate /force
Notice the /force switch applies to both user and computer policies. There is no separation of
the two like there is with secedit.
Q10. What is the Default Setting for Dial-up users?
Win2000 considers a slow dial-up link as anything less than 500 kbps. When a user logs into a
domain on a link under 500 kbps, some policies are not applied.
Windows 2000 will automatically detect the speed of the dial-up connection and make a
decision about applying Group Policies.
Q11. Which are the policies which get applied regardless of the speed of the dial-up
connection?
Some policies are always applied regardless of the speed of the dial-up connection. These
are:
Administrative Templates
Security Settings
EFS Recovery
IPSec
Q12. Which are the policies which do not get applied over slow links?
IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance
These settings can be changed under Computer and User Nodes, Administrative Templates,
System, Group Policy.
If the user connects to the domain using "Logon Using Dial-up Connection" from the logon
screen, once the user is authenticated, the computer policies are applied first, followed by the
user policies.
If the user connects to the domain using "Network and Dial-up Connections", after they
logon, the policies are applied using the standard refresh cycle.
Q13. Which are the two types of default policies?
There are two default group policy objects that are created when a domain is created. The
Default Domain policy and the Default Domain Controllers policy.
Default Domain Policy - this GPO can be found under the group policy tab for that domain. It
is the first policy listed. The default domain policy is unique in that certain policies can only be
applied at the domain level.
If you double click this GPO and drill down to Computer Configuration, Windows Settings,
Security Settings, Account Policies, you will see three policies listed:
Password Policy
Account Lockout Policy
Kerberos Policy
These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or
OU), they are ignored. However, setting these 3 policies at the OU level will have the effect of setting
these policies for users who log on locally to their PCs. Log in to the domain and you get the domain
policy; log in locally and you get the OU policy.
If you drill down to Computer Configuration, Windows Settings, Security Settings, Local
Policies, Security Options, there are 3 policies that are affected by Default Domain Policy:
The Default Domain Policy should be used only for the policies listed above. If you want to
create additional domain level policies, you should create additional domain level GPOs.
Do not delete the Default Domain Policy. You can disable it, but it is not recommended.
Default Domain Controllers Policy - This policy can be found by right-clicking the Domain
Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain
Controllers in the domain regardless of where you put the domain controllers. That is, no
matter where you put your domain controllers in Active Directory (whatever OU you put them
in), they will still process this policy.
Use the Default Domain Controllers Policy to set local policies for your domain controllers,
e.g. Audit Policies, Event Log settings, who can log on locally, and so on.
Q14. How to restore Group Policy settings back to default?
The following command would replace both the Default Domain Security Policy and Default
Domain Controller Security Policy. You can specify Domain or DC instead of Both to only
restore one or the other.
If you've ever made changes to the default GPOs and would like to revert back to the original
settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the
schema. If the version it expects to be current is different from what is in Active Directory, it
will not restore the GPOs. You can work around this by using the /ignoreschema switch, which
restores the GPO according to the version dcgpofix thinks is current. The only time you might
experience this issue is if you install a service pack on a domain controller (dc1) that extends the
schema, but have not installed it yet on a second domain controller (dc2). If you try to run
dcgpofix from dc2, you will receive the error since a new version of the schema and the
dcgpofix utility was installed on dc1.
Resolving GPOs from Multiple Sources
Because GPOs can come from different sources to apply to a single user or computer, there
must be a way of determining how those GPOs are combined. GPOs are processed in the
following order:
1. Local GPO: The local GPO on the computer is processed and all settings specified in that
GPO are applied.
2. Site GPOs: GPOs linked to the site in which the computer resides are processed. Settings
made at this level override any conflicting settings made at the preceding level. If multiple
GPOs are linked to a site, the site administrator can control the order in which those GPOs are
processed.
3. Domain GPOs: GPOs linked to the domain in which the computer resides are processed
and any settings are applied. Settings made at the domain level override conflicting settings
applied at the local or site level. Again, the administrator can control the processing order
when multiple GPOs are linked to the domain.
4. OU GPOs: GPOs linked to any OUs that contain the user or computer object are processed.
Settings made at the OU level override conflicting settings applied at the domain, local, or site
level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the
highest level OU in the Active Directory hierarchy are processed first, followed by the next
highest level OU, and so on. If multiple GPOs are linked to a single
Q15. What are the two exceptions to control the inheritance of the group policy?
■ No Override: When you link a GPO to a container, you can configure a No Override option
that prevents settings in the GPO from being overridden by settings in GPOs linked to child
containers. This provides a way to force child containers to conform to a particular policy.
■ Block Inheritance: You can configure the Block Inheritance option on a container to
prevent the container from inheriting GPO settings from its parent containers. However, if a
parent container has the No Override option set, the child container cannot block inheritance
from this parent.
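The precedence rules from Q14's processing order and Q15 (Local, Site, Domain, OU order; link order within a container; No Override and Block Inheritance) modelled as an added Python example, not code from the original document. The site, domain, OU and GPO names are constructed, and the model assumes the local GPO is never blocked because it is not a link inherited from a parent container.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str                        # GPO display name
    enforced: bool = False          # "No Override" in Windows 2000 terms
    settings: dict = field(default_factory=dict)
@dataclass
class Container:                    # a site, domain or OU
    links: list                     # link order: index 0 = highest precedence
    block_inheritance: bool = False

def application_order(local, chain):
    """GPOs in the order the client applies them; the last applied wins.
    `chain` runs from the site down to the OU holding the object (LSDOU).
    Block Inheritance drops non-enforced links above the blocking container;
    enforced links survive, applied after everything else, highest in tree last."""
    cutoff = 0                      # index of the lowest blocking container
    for i, c in enumerate(chain):
        if c.block_inheritance:
            cutoff = i
    ordered = [local]               # local GPO is not a link, so never blocked
    enforced_per_container = []
    for i, c in enumerate(chain):
        enforced = []
        for link in reversed(c.links):      # link order 1 is applied last
            if link.enforced:
                enforced.append(link)
            elif i >= cutoff:
                ordered.append(link)
        enforced_per_container.append(enforced)
    for enforced in reversed(enforced_per_container):   # OU first, site last
        ordered.extend(enforced)
    return ordered

def effective_settings(local, chain):
    result = {}                     # later-applied GPOs override earlier ones
    for link in application_order(local, chain):
        result.update(link.settings)
    return result

# Constructed sample: Finance blocks inheritance, yet the domain's enforced
# Baseline link still reaches it and beats the OU's conflicting setting.
LOCAL = Link("Local GPO", settings={"screensaver": "none", "proxy": "direct"})
CHAIN = [
    Container([Link("Site Printers", settings={"printer": "hq-1"})]),  # site
    Container([Link("Baseline", True, {"proxy": "proxy.corp"}),        # domain
               Link("Domain Wallpaper", settings={"screensaver": "corp"})]),
    Container([Link("Finance Lockdown", settings={"proxy": "none",    # OU
                    "screensaver": "finance"})], block_inheritance=True),
]
```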
By default, new user and computer accounts are created in the Users and Computers
containers, respectively. You cannot link a GPO to either of these built-in containers. Even
though the built-in containers inherit GPOs linked to the domain, you may have a situation that
requires user accounts and computer accounts to be stored in an OU to which you can link a
GPO. Windows Server 2003 includes two new tools that let you redirect the target location
for new user and computer accounts. You can use redirusr.exe to redirect user accounts and
redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new
user and computer accounts are created directly in the new target OU, where the appropriate
GPOs are linked. For example, you could create an OU named New Users, link an appropriate
GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any
new users created would immediately be affected by the settings in the GPO. Administrators
could then move the new user accounts to a more appropriate location later. You can find both
of these tools in the %windir%\system32 folder on any computer running Windows Server 2003.
You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the
Users and Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge
Base at http://support.microsoft.com.
■ Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully
support Group Policy.