
ACTIVE DIRECTORY – DNS – FSMO – GROUP POLICY

What Is Active Directory?

Active Directory consists of a series of components that constitute both its logical structure and its
physical structure. It provides a way for organizations to centrally store and manage their user objects,
computer objects, and group memberships, and to define security boundaries (forests and domains), in a
hierarchical database structure.

Purpose of Active Directory

Active Directory stores information about users, computers, and network resources
and makes the resources accessible to users and applications. It provides a
consistent way to name, describe, locate, access, manage, and secure information
about these resources.

Functions of Active Directory

Active Directory provides the following functions:

● Centralizes control of network resources
By centralizing control of resources such as servers, shared files, and printers, administrators can
ensure that only authorized users can access resources in Active Directory.
● Centralizes and decentralizes resource management
Administrators have centralized administration with the ability to delegate administration of
subsets of the network to a limited number of individuals, giving them greater granularity in
resource management.
● Stores objects securely in a logical structure
Active Directory stores all of the resources as objects in a secure, hierarchical logical structure.
● Optimizes network traffic
The physical structure of Active Directory enables you to use network bandwidth more efficiently.
For example, it ensures that, when users log on to the network, the authentication authority that is
nearest to the user authenticates them, reducing the amount of network traffic.

Sites within Active Directory

Sites are defined as groups of well-connected computers. When you establish sites, domain
controllers within a single site communicate frequently. This communication minimizes replication
latency within the site, that is, the time required for a change that is made on one domain
controller to be replicated to the other domain controllers. You create sites to optimize the use of
bandwidth between domain controllers that are in different locations.

Operations Master Roles

When a change is made to a domain, the change is replicated across all of the
domain controllers in the domain. Some changes, such as those made to the schema,
are replicated across all of the domains in the forest. This replication is called
multimaster replication.

During multimaster replication, a replication conflict can occur if originating updates
are performed concurrently on the same object attribute on two domain controllers.
Ordinary conflicts are resolved automatically (the later write wins), but for a few kinds of
change a conflict could leave the forest inconsistent, so Active Directory uses single master
replication for them: one domain controller is designated as the only domain controller on
which those directory changes can be made. This way, the changes cannot occur at different
places in the network at the same time. Active Directory uses single master replication for
important changes, such as the addition of a new domain or a change to the forest-wide schema.

Operations that use single-master replication are arranged together in specific roles in
a forest or domain. These roles are called operations master roles. For each
operations master role, only the domain controller that holds that role can make the
associated directory changes. The domain controller that is responsible for a particular
role is called an operations master for that role. Active Directory stores information
about which domain controller holds a specific role.

Forest-wide Roles
Forest-wide roles are unique to a forest. The forest-wide roles are:
● Schema master

Controls all updates to the schema. The schema contains the master list of object classes and attributes
that are used to create all Active Directory objects, such as users, computers, and printers.

● Domain naming master

Controls the addition or removal of domains in the forest. When you add a new domain to the forest,
only the domain controller that holds the domain naming master role can add the new domain.

There is only one schema master and one domain naming master in the entire forest.
Domain-wide Roles
Domain-wide roles are unique to each domain in a forest. The domain-wide roles are:
● Primary domain controller emulator (PDC)

Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Microsoft
Windows NT within a mixed-mode domain, that is, a domain that still has domain controllers
running Windows NT 4.0. The PDC emulator is the first domain controller that you create in a
new domain. The role stays important after the last NT 4.0 BDC is gone: password changes are
replicated to the PDC emulator preferentially and other domain controllers consult it before
rejecting a logon with a bad password, account lockouts are processed on it, it is the
authoritative time source for the domain, and the Group Policy editor connects to it by default
when editing GPOs.
● Relative identifier master (RID)

When a new security principal (a user, computer, or group) is created, the domain controller
assigns it a unique security identifier (SID). This SID consists of a domain SID, which is the
same for all security principals created in the domain, and a RID, which is unique for each
security principal created in the domain. The RID master allocates blocks of RIDs to each domain
controller in the domain. The domain controller then assigns a RID from its allocated block to
each security principal it creates. If the RID master stays unavailable, a domain controller that
exhausts its block can no longer create security principals.

● Infrastructure master

When objects are moved from one domain to another, the infrastructure master updates object
references in its domain that point to the object in the other domain. The object reference
contains the object's globally unique identifier (GUID), distinguished name, and SID. Active
Directory periodically updates the distinguished name and the SID on the object reference to
reflect changes made to the actual object, such as moves within and between domains and the
deletion of the object. In a multi-domain forest the infrastructure master should not be a
global catalog server unless every domain controller in the domain is a global catalog: a GC
already holds current copies of the referenced objects, so the role never detects a stale
reference and stops updating them.
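As an added example (not code from the original notes), the following PowerShell lists the five operations master role holders and checks the infrastructure master placement rule described above. It assumes the ActiveDirectory RSAT module and a domain-joined session with read access to the directory; the function names are this example's own.

```powershell
# Added example (not from the original notes): list the five operations master
# role holders and check the infrastructure master placement rule.
# Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $forest = Get-ADForest
    $dom    = Get-ADDomain -Identity $Domain

    [PSCustomObject]@{
        # Forest-wide roles: exactly one holder in the whole forest
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        # Domain-wide roles: one holder in each domain
        PDCEmulator          = $dom.PDCEmulator
        RIDMaster            = $dom.RIDMaster
        InfrastructureMaster = $dom.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    $im   = (Get-ADDomain -Identity $Domain).InfrastructureMaster
    $dcs  = Get-ADDomainController -Filter * -Server $Domain
    $imDc = $dcs | Where-Object HostName -eq $im
    if (-not $imDc) { return "Could not find $im among the domain controllers of $Domain" }

    # True when no DC in the domain lacks the GC
    $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })

    # The infrastructure master finds stale cross-domain references by comparing
    # its own copy against a global catalog. If it is itself a GC it never sees a
    # difference and stops updating them. When every DC is a GC there is no stale
    # copy anywhere, so placement does not matter.
    if ($imDc.IsGlobalCatalog -and -not $allGc) {
        "WARNING: $im is infrastructure master and a global catalog while other DCs in $Domain are not GCs; cross-domain references will not be updated."
    } else {
        "OK: infrastructure master placement for $Domain is fine."
    }
}

Get-FsmoRoleHolders | Format-List
Test-InfrastructureMasterPlacement
```

From a plain command prompt, `netdom query fsmo` prints the same five role holders (netdom comes from the Support Tools on Windows Server 2003 and is built in from Windows Server 2008 on).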

Global Catalog

The global catalog contains:

● The attributes that are most frequently used in queries, such as a user's first name, last name,
and logon name.
● The information that is necessary to determine the location of any object in the directory.
● The access permissions for each object and attribute that is stored in the global catalog. If you
search for an object that you do not have the appropriate permissions to view, the object will not
appear in the search results. Access permissions ensure that users can find only objects to which
they have been assigned access.

A global catalog server is a domain controller that, in addition to its full, writable
domain directory partition replica, also stores a partial, read-only replica of every other
domain directory partition in the forest. Taking a user object as an example, it would by
default have many different attributes, such as first name, last name, phone number, and many
more. The GC will by default store only the most common of those attributes that are used in
search operations (such as a user's first and last names, or logon name). The partial attribute
set it holds for that object is enough for a search to locate the full replica of the object
in Active Directory. This allows searches to be done against a local GC and reduces network
traffic over the WAN when locating objects elsewhere in the network.
Domain controllers always contain the full attribute list for objects belonging to their domain. If
the domain controller is also a GC, it will also contain a partial replica of objects from all other
domains in the forest.

Active Directory uses DNS as the name resolution service to identify domains and
domain host computers during processes such as logging on to the network. Domain controllers
register service (SRV) records in DNS for that purpose, and clients find a domain controller, the
PDC emulator, or a global catalog server by querying those records.
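As an added example (not from the original notes), the following PowerShell queries the SRV records that domain controllers register and that clients use to find a DC, the PDC emulator, a global catalog server, and the DCs of a particular site (the "nearest authentication authority" from the functions list above). It assumes Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 and later); contoso.com and Default-First-Site-Name are placeholder names.

```powershell
# Added example (not from the original notes): query the service (SRV) records
# that domain controllers register in DNS and that clients use to locate them.
# Resolve-DnsName comes with the DnsClient module (Windows 8 / Server 2012 and
# later). contoso.com and Default-First-Site-Name are placeholders.
function Get-AdLocatorRecords {
    param(
        [string]$Domain = $env:USERDNSDOMAIN,   # domain whose DCs we want
        [string]$Forest = $Domain,              # GC records are registered under the forest root
        [string]$Site   = $null                 # optional: site-specific DC records
    )

    $queries = [ordered]@{
        'Domain controllers (LDAP)' = "_ldap._tcp.dc._msdcs.$Domain"
        'Kerberos KDCs'             = "_kerberos._tcp.dc._msdcs.$Domain"
        'PDC emulator'              = "_ldap._tcp.pdc._msdcs.$Domain"
        'Global catalog servers'    = "_gc._tcp.$Forest"
    }
    if ($Site) {
        # Clients in a site prefer these DCs; this is how the nearest
        # authentication authority gets chosen.
        $queries['DCs in site'] = "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
    }

    foreach ($label in $queries.Keys) {
        $name = $queries[$label]
        try {
            $answers = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
                       Where-Object Type -eq 'SRV'
        } catch {
            $answers = @()
        }
        if (-not $answers) {
            # A missing record means clients cannot find this role through DNS at all
            [PSCustomObject]@{ Role = $label; Record = $name; Target = '(no SRV answer)'
                               Port = $null; Priority = $null; Weight = $null }
            continue
        }
        foreach ($rr in $answers) {
            [PSCustomObject]@{
                Role     = $label
                Record   = $name
                Target   = $rr.NameTarget
                Port     = $rr.Port
                Priority = $rr.Priority
                Weight   = $rr.Weight
            }
        }
    }
}

Get-AdLocatorRecords -Domain 'contoso.com' -Site 'Default-First-Site-Name' | Format-Table -AutoSize
```

On older systems the same lookup is `nslookup -type=SRV _ldap._tcp.dc._msdcs.contoso.com`. Because these records decide which server a client authenticates against, the DNS zone that holds them should only accept secure dynamic updates; a forged or stale record silently sends logons to the wrong host.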

Gpupdate.exe is a command-line tool that refreshes Group Policy on Windows XP and later (it
shipped with Windows XP and Windows Server 2003). It replaces the secedit /refreshpolicy command
used on Windows 2000. To use gpupdate, open a command prompt and type:

gpupdate /target:user       to refresh the user policies

gpupdate /target:computer   to refresh the machine (or computer) policies

As with secedit, these parameters only refresh the user or computer policies that have changed
since the last refresh. To force a reload of all group policies regardless of the last change, use:

gpupdate /force

Notice that the /force switch applies to both user and computer policies; there is no separation
of the two as there is with secedit. Settings that are only applied at logon or startup (Folder
Redirection and Software Installation, for example) still need a new logon or a reboot; gpupdate
/logoff and gpupdate /boot trigger those when such settings are pending.
Q10. What is the default setting for dial-up users?
Windows 2000 considers a slow link to be anything below 500 Kbps. When a user logs on to a domain
over a link slower than 500 Kbps, some policies are not applied.
Windows 2000 automatically detects the speed of the dial-up connection and decides which Group
Policy settings to apply.
Q11. Which policies get applied regardless of the speed of the dial-up connection?
Some policies are always applied regardless of the speed of the dial-up connection. These are:

Administrative Templates (registry-based settings)
Security Settings
EFS Recovery
IPSec

Q12. Which policies do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These defaults can be changed under the Computer and User nodes, Administrative Templates, System,
Group Policy: the "Group Policy slow link detection" setting changes the threshold, and each
extension's "... policy processing" setting has an "Allow processing across a slow network
connection" option. Administrative Templates and Security Settings cannot be turned off for slow
links.

If the user connects to the domain using "Logon Using Dial-up Connection" from the logon
screen, once the user is authenticated, the computer policies are applied first, followed by the
user policies.

If the user connects to the domain using "Network and Dial-up Connections", after they
logon, the policies are applied using the standard refresh cycle.
Q13. Which are the two types of default policies?
There are two default group policy objects that are created when a domain is created: the
Default Domain Policy and the Default Domain Controllers Policy.
Default Domain Policy - this GPO can be found under the Group Policy tab for the domain. It
is the first policy listed. The Default Domain Policy is unique in that certain policies can only be
applied at the domain level.
If you double-click this GPO and drill down to Computer Configuration, Windows Settings,
Security Settings, Account Policies, you will see three policies listed:

Password Policy
Account Lockout Policy
Kerberos Policy

For domain accounts, these three policies are only honored when set at the domain level. If you set
them anywhere else (site or OU), they are ignored for domain accounts. However, setting them at the
OU level does affect the local account database of the computers in that OU: log on to the domain
and you get the domain policy, log on locally and you get the OU policy. (Windows Server 2008 and
later add fine-grained password policies, which apply password and lockout settings to specific
users and groups independently of the GPO.)

If you drill down to Computer Configuration, Windows Settings, Security Settings, Local
Policies, Security Options, there are three policies that are affected by the Default Domain Policy:

Automatically log off users when logon time expires
Rename Administrator Account - when set at the domain level, it affects the domain
Administrator account only.
Rename Guest Account - when set at the domain level, it affects the domain Guest account
only.

The Default Domain Policy should be used only for the policies listed above. If you want to
create additional domain-level policies, create additional domain-level GPOs.
Do not delete the Default Domain Policy. You can disable it, but that is not recommended.
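As an added example (not from the original notes), the following PowerShell reads the effective domain-wide account policy, which only a GPO linked at the domain (by default the Default Domain Policy) can set for domain accounts, and flags weak values. The thresholds are this example's own baseline, not values from the notes; it assumes the ActiveDirectory RSAT module and a domain-joined session.

```powershell
# Added example (not from the original notes): read the effective domain-wide
# account policy and flag weak values. The thresholds are this example's own
# baseline. Assumes the ActiveDirectory RSAT module and a domain-joined session.
Import-Module ActiveDirectory

function Test-DomainAccountPolicy {
    param([string]$Domain = (Get-ADDomain).DNSRoot)

    # This reflects what the domain-linked GPO set; an OU-linked password policy
    # never shows up here for domain accounts.
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Domain
    $findings = New-Object System.Collections.Generic.List[string]

    if ($p.MinPasswordLength -lt 14) {
        $findings.Add("MinPasswordLength is $($p.MinPasswordLength); baseline expects at least 14")
    }
    if (-not $p.ComplexityEnabled) {
        $findings.Add("Password complexity is disabled")
    }
    if ($p.PasswordHistoryCount -lt 24) {
        $findings.Add("PasswordHistoryCount is $($p.PasswordHistoryCount); baseline expects at least 24")
    }
    if ($p.ReversibleEncryptionEnabled) {
        $findings.Add("Reversible encryption is enabled: passwords are recoverable from the directory")
    }
    if ($p.LockoutThreshold -eq 0) {
        $findings.Add("LockoutThreshold is 0: online password guessing is unlimited")
    } elseif ($p.LockoutThreshold -gt 10) {
        $findings.Add("LockoutThreshold is $($p.LockoutThreshold); baseline expects at most 10")
    }

    [PSCustomObject]@{
        Domain   = $Domain
        Policy   = $p | Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                                     ReversibleEncryptionEnabled, LockoutThreshold, LockoutDuration,
                                     LockoutObservationWindow, MaxPasswordAge, MinPasswordAge
        Findings = $findings
    }
}

$result = Test-DomainAccountPolicy
$result.Policy | Format-List
if ($result.Findings.Count -eq 0) { "No findings" } else { $result.Findings }
```

On Windows Server 2008 and later, `Get-ADFineGrainedPasswordPolicy -Filter *` lists the password settings objects that override these values for particular users and groups; an audit of the domain policy is incomplete without them.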

Default Domain Controllers Policy - this policy can be found by right-clicking the Domain
Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all domain
controllers in the domain regardless of where you put the domain controllers. That is, no
matter where you put your domain controllers in Active Directory (whatever OU you put them
in), they will still process this policy.
Use the Default Domain Controllers Policy to set local policies for your domain controllers,
e.g. Audit Policies, Event Log settings, who can log on locally, and so on.
Q14. How to restore Group Policy settings back to default?

The following command replaces both the Default Domain Policy and the Default Domain Controllers
Policy. You can specify Domain or DC instead of Both to restore only one or the other.

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to
reset the GPOs. It rebuilds the two GPOs in their out-of-the-box state: any settings added to them
since (audit policy, user rights assignments, hardened security options, changed account policy
values) are lost, so back them up first (with GPMC, or Backup-GPO from the GroupPolicy PowerShell
module) and re-apply what you still need afterwards.

If you've ever made changes to the default GPOs and would like to revert to the original
settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of the
schema. If the version it expects to be current is different from what is in Active Directory, it
will not restore the GPOs. You can work around this with the /ignoreschema switch, which restores
the GPOs according to the version dcgpofix thinks is current. The only time you are likely to see
this is if you install a service pack that extends the schema on one domain controller (dc1) but
have not yet installed it on a second domain controller (dc2). If you run dcgpofix from dc2, you
will receive the error, since the new schema version and the matching dcgpofix utility were
installed on dc1.
Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there
must be a way of determining how those GPOs are combined. GPOs are processed in the
following order:

1. Local GPO The local GPO on the computer is processed and all settings specified in that
GPO are applied.
2. Site GPOs GPOs linked to the site in which the computer resides are processed. Settings
made at this level override any conflicting settings made at the preceding level. If multiple
GPOs are linked to a site, the site administrator can control the order in which those GPOs are
processed.
3. Domain GPOs GPOs linked to the domain in which the computer resides are processed
and any settings are applied. Settings made at the domain level override conflicting settings
applied at the local or site level. Again, the administrator can control the processing order
when multiple GPOs are linked to the domain.
4. OU GPOs GPOs linked to any OUs that contain the user or computer object are processed.
Settings made at the OU level override conflicting settings applied at the domain, site, or local
level. An object's OU is usually nested inside other OUs. In this case, GPOs linked to the
highest-level OU in the Active Directory hierarchy are processed first, followed by the next
highest-level OU, and so on, so the GPO linked closest to the object wins a conflict. If multiple
GPOs are linked to a single


Q15. What are the two exceptions to control the inheritance of the group policy?

■ No Override (called Enforced in the Group Policy Management Console) When you link a GPO to a
container, you can configure the No Override option on that link, which prevents settings in the
GPO from being overridden by settings in GPOs linked to child containers. This provides a way to
force child containers to conform to a particular policy.
■ Block Inheritance You can configure the Block Inheritance option on a container to
prevent the container from inheriting GPO settings from its parent containers. However, if a
GPO link on a parent container has the No Override option set, the child container cannot block
that GPO.
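As an added example (not from the original notes) covering both the processing order above and the two inheritance exceptions, the following PowerShell lists the GPOs that reach an OU in the order Group Policy processes them, with the Enforced (No Override) flag on each link and a warning when the OU blocks inheritance. It assumes the GroupPolicy RSAT module; the OU distinguished name is a placeholder.

```powershell
# Added example (not from the original notes): list the GPOs that reach an OU in
# the order Group Policy processes them, and show the No Override (Enforced) and
# Block Inheritance flags. Assumes the GroupPolicy RSAT module; the OU
# distinguished name is a placeholder.
Import-Module GroupPolicy

function Get-GpoProcessingOrder {
    param([Parameter(Mandatory)][string]$TargetDN)

    $inh = Get-GPInheritance -Target $TargetDN

    # InheritedGpoLinks is sorted by precedence, first element winning conflicts.
    # Reversed, it is the processing order: domain links first, the OU's own last.
    $links = @($inh.InheritedGpoLinks)
    [array]::Reverse($links)

    $i = 0
    foreach ($l in $links) {
        $i++
        [PSCustomObject]@{
            ProcessingOrder = $i
            GpoName         = $l.DisplayName
            LinkedAt        = $l.Target
            Enforced        = $l.Enforced      # "No Override" in the Windows 2000 UI
            LinkEnabled     = $l.Enabled
            LinkOrder       = $l.Order         # position among links on the same container
        }
    }

    if ($inh.GpoInheritanceBlocked) {
        Write-Warning "Block Inheritance is set on $TargetDN; only Enforced links from parents still apply."
    }
}

Get-GpoProcessingOrder -TargetDN 'OU=Workstations,DC=contoso,DC=com' | Format-Table -AutoSize
```

Get-GPInheritance only walks the container's parent chain, so site-linked GPOs and the local GPO are not in the list; for the full resultant set run `gpresult /r` (or `gpresult /h report.html`) on the client itself. Looking for OUs with Block Inheritance is worth the effort, because such an OU escapes domain-level hardening unless the relevant links are Enforced.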

Q16. How to redirect new user and computer accounts?

By default, new user and computer accounts are created in the Users and Computers
containers, respectively. You cannot link a GPO to either of these built-in containers. Even
though the built-in containers inherit GPOs linked to the domain, you may have a situation that
requires user accounts and computer accounts to be stored in an OU to which you can link a
GPO. Windows Server 2003 includes two new tools that let you redirect the target location
for new user and computer accounts. You can use redirusr.exe to redirect user accounts and
redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new
user and computer accounts are created directly in the new target OU, where the appropriate
GPOs are linked. For example, you could create an OU named New Users, link an appropriate GPO
to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users
created would immediately be affected by the settings in the GPO. Administrators could then move
the new user accounts to a more appropriate location later. You can find both of these tools in
the %windir%\system32 folder on any computer running Windows Server 2003. You can learn
more about using these tools in Knowledge Base article 324949, "Redirecting the Users and
Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge Base
at http://support.microsoft.com.
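As an added example (not from the original notes), the following PowerShell creates the target OUs, runs redirusr.exe and redircomp.exe against them, verifies the change on the domain object, and then lists accounts still sitting in the old default containers. It assumes the ActiveDirectory RSAT module, Domain Admin rights on a domain controller of the target domain, and a domain functional level of Windows Server 2003 or higher; the OU names are placeholders.

```powershell
# Added example (not from the original notes): redirect the default Users and
# Computers containers to OUs that can carry GPO links, then verify. Assumes the
# ActiveDirectory RSAT module, Domain Admin rights on a DC of the target domain,
# and a domain functional level of Windows Server 2003 or higher. The OU names
# are placeholders.
Import-Module ActiveDirectory

# Read before the redirection, so UsersContainer/ComputersContainer below still
# hold the old default locations for the hygiene check at the end.
$domain = Get-ADDomain
$userOU = "OU=New Users,$($domain.DistinguishedName)"
$compOU = "OU=New Computers,$($domain.DistinguishedName)"

foreach ($ou in $userOU, $compOU) {
    # Create the target OU if it does not exist yet
    if (-not (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$ou'")) {
        $name = ($ou -split ',')[0] -replace '^OU='
        New-ADOrganizationalUnit -Name $name -Path $domain.DistinguishedName -ProtectedFromAccidentalDeletion $true
    }
}

# Both tools take the distinguished name of the new target container
& "$env:windir\system32\redirusr.exe"  $userOU
& "$env:windir\system32\redircomp.exe" $compOU

# Verify: the domain object records the well-known container locations
Get-ADDomain | Select-Object UsersContainer, ComputersContainer

# Hygiene check: objects still in the old default containers (created before the
# redirection, or by tools that pass an explicit path) receive domain-level GPOs
# only, so they miss any hardening linked to OUs. Built-in accounts such as
# Administrator, Guest and krbtgt are expected in CN=Users.
Get-ADComputer -Filter * -SearchBase $domain.ComputersContainer -SearchScope OneLevel |
    Select-Object Name, DistinguishedName
Get-ADUser -Filter * -SearchBase $domain.UsersContainer -SearchScope OneLevel |
    Select-Object Name, DistinguishedName
```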

Q17. What permissions should an administrator have to manage GPOs?

Creating or editing GPOs linked to sites requires Enterprise Admins membership (or permissions
delegated on the site).
Creating or editing GPOs linked to domains requires Domain Admins membership.
Editing GPOs linked to OUs requires edit permission on the GPO itself and, to link or unlink it,
the Manage Group Policy links permission on the OU; both can be delegated.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active
Directory. Support for Group Policy for key operating systems includes the following:
■ Windows 95/98/Me do not support Group Policy.
■ Windows NT 4.0 and earlier versions do not support Group Policy.
■ Windows 2000 Professional and Server support many of the Group Policy settings available
in Windows Server 2003, but not all. Unsupported settings are ignored.
■ Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully
support Group Policy.
