Moving all of the domains in the forest to the Windows 2000 native or Windows Server 2003 functional level greatly reduces the complexity. Just as we saw in the previous section, when a new benefits user joins the company, the only group his or her account needs to be made a member of is the Benefits global group in his or her regional domain. Again, this is because the Benefits global group is nested in the HR global group. The real power in a multiple domain environment, however, comes in the ability to use universal security groups. You no longer have to add each HR global group into the Global_HR_Resources domain local group. Instead, you can add all of the HR global groups into a universal group called ALL_HR. You then add this group into the Global_HR_Resources DLG. These group memberships are shown in Figure 11.10. When universal groups enter the design, we are using the AGGUDLP model (sometimes abbreviated AGUDLP), where U represents Universal group. This model means: Accounts should be placed into Global groups that can be placed into other Global groups and/or Universal groups, and then into Domain Local groups, which are added to ACLs and granted Permissions to resources.

446 Chapter 11 • Creating User and Group Strategies

Figure 11.9 AGDLP in a Multiple Domain Forest
[Figure: NorthAmerica.Syngress.com, Europe.Syngress.com and Asia.Syngress.com, each with an HR global group and a Benefits global group; a New User; the Global_HR_Resources domain local group, which is granted access to Files]

301_BD_W2k3_11.qxd 5/12/04 12:30 PM Page 446

While this might look like a similar amount of work when compared with Figure 11.9, the real power of this design becomes evident when you attempt to grant all HR users access to another resource, such as a printer in Asia. In this case, you simply need to create a new DLG and grant the print permission for the printer in the Asia domain to that group.
In Figure 11.11, the group is called HR_Print_Asia. You then simply add the All_HR universal group to the HR_Print_Asia domain local group. Imagine what the diagram would look like if you couldn’t use a universal group and how much more work would be involved. You would need to add each HR global group to the HR_Print_Asia domain local group. Now imagine that you have dozens of similar situations in your forest, and you’ll no doubt appreciate the simplicity and reduced management requirements that universal groups bring with them.

Figure 11.10 AGGUDLP in a Multiple Domain Forest
[Figure: as Figure 11.9, with the three HR global groups nested in the All_HR universal group, which is in turn a member of the Global_HR_Resources domain local group]

Figure 11.11 Using AGGUDLP to Grant Access to an Additional Resource
[Figure: as Figure 11.10, with the All_HR universal group also a member of the HR_Print_Asia domain local group, which is granted access to the Printer]

Working with Forests and Domains

In this chapter:
■ Understanding Forest and Domain Functionality
■ Creating the Forest and Domain Structure
■ Implementing DNS in the Active Directory Network Environment

Introduction

A Microsoft Active Directory network has both a physical and a logical structure. Forests and domains define the logical structure of the network, with domains organized into domain trees in which subdomains (called child domains) can be created under parent domains in a branching structure. Forests are collections of domain trees that have trust relationships with one another, but each domain tree has its own separate namespace.
In this chapter, you will learn all about the functions of forests and domains in the Windows Server 2003 Active Directory infrastructure, and we will walk you through the steps of creating a forest and domain structure for a network. You’ll learn to install domain controllers (DCs), create the forest root domain and a child domain, name and rename domains, and set the functional level of a forest and domain. The Domain Name System (DNS) is an integral part of a Windows Server 2003 network, as it is used for providing name resolution within the network. We will discuss the role of DNS in the Active Directory environment, and you’ll learn about the relationship of the DNS and Active Directory namespaces, how DNS zones are integrated into Active Directory, and how to configure DNS servers for use with Active Directory.

Chapter 12 449
301_BD_W2k3_12.qxd 5/12/04 12:38 PM Page 449

Understanding Forest and Domain Functionality

Active Directory is composed of a number of components, each associated with a different concept, or layer of functionality. You should understand each of these layers before making any changes to the network. The Active Directory itself is a distributed database, which means it can be spread across multiple computers within the forest. Among the major logical components are:
■ Forests
■ Trees
■ Domains
■ The domain namespace

Aspects of the physical structure include the following:
■ Sites
■ Servers
■ Roles
■ Links

Administrative boundaries, network and directory performance, security, resource management, and basic functionality are all dependent on the proper interaction of these elements. Note that the differentiation between forests and trees is most obvious in the namespace. By its nature, a tree is one or more domains with a contiguous namespace. Each tree consists of one or more domains, while each forest consists of one or more trees.
Because a forest can be composed of multiple discrete trees, a forest’s namespace can be discontiguous. By discontiguous, we mean that the namespaces anchor to different forest-root DNS domains, such as cats.com and dogs.com. Both are top-level domains and are considered two trees in a forest when combined into a single directory.

The Role of the Forest

An Active Directory always begins with a forest root domain, which is automatically the first domain you install. This root domain becomes the foundation for additional directory components. Certain forest objects and services are only present at the root (for example, the Enterprise Administrators and Schema Administrators groups, and the Schema Master and Domain Naming Master roles). These cannot be easily recreated, depending on the type of failure.

New Forestwide Features

Many of the new features offered by Windows Server 2003 are only available in a forest where you have raised the forest functional level to Windows Server 2003. For more information on functional levels and a breakdown of when these new features become available, see the section Forest and Domain Functional Levels later in the chapter.

Defunct Schema Objects

In Windows 2000 Active Directory, you could deactivate a schema class or attribute. Now, once your forest has been raised to the Windows Server 2003 functional level, you can not only deactivate them, you can even rename and redefine them. This feature protects against the possibility of one application irreversibly claiming another application’s schema. It allows for the redefinition of classes and attributes without changing their unique identities. These items are called reused. If the class or attribute is left deactivated, it is called defunct.

Domain Rename

This is a complex and sweeping modification to the namespace of a domain.
The DNS and NetBIOS names of any child, parent, or forest-root domain can now be changed. As far as Windows Server 2003 Active Directory is concerned, the identity of a domain rests in its domain Globally Unique Identifier (GUID) and its domain SID. Creating new DNS or NetBIOS names will leave those attributes unchanged. The domain rename function is not able to promote a domain to the forest root role. Even if you rename the forest root domain, its role will remain unchanged. The renaming process will temporarily interrupt the functionality of the domain and its interaction with the forest until the DCs are rebooted. Client workstations will not function properly until they are each rebooted twice. Due to the complexity of the operation, the risks of such a sweeping change, and the unavoidable domain and workstation service interruptions, domain renaming should not be considered a routine operation.

Forest Restructuring

Existing domains can now be moved to other locations within the namespace. During this restructuring, you will manually break and reestablish the appropriate trust relationships among the domains. A requirement for namespace changes, or a need to decrease administrative overhead, typically drives forest restructuring. This reduction in overhead is accomplished by reducing replication traffic, reducing the amount of user and group administration required, and simplifying the administration of Group Policy. The smallest possible number of domains will provide the most efficient design. Minimizing the number of domains reduces administrative costs and increases the efficiency of your organization.
Reasons to restructure include:
■ Decommissioning a domain that is no longer needed
■ Changing the internal namespace
■ Upgrading your network infrastructure to increase your bandwidth and replication capacity, which enables you to combine domains

Before you begin restructuring Windows Server 2003 domains within your forest, make sure that the forest is operating at the Windows Server 2003 functional level.

Universal Group Caching

Universal Group caching is a new feature of the Windows Server 2003 DC, which caches a user’s complete Universal Group membership. The cache is populated at first logon, and subsequent logons use the cache, which is refreshed periodically. The benefits of Universal Group caching include faster logon times, and authenticating DCs no longer have to consult a GC to get Universal Group membership information. In addition, you can save the cost of upgrading a server to handle the extra load of hosting the GC. Finally, network bandwidth is minimized because a DC no longer has to handle replication for all of the objects located in the forest.

Application Partitions

Another DC enhancement allows for the creation of application-specific Active Directory partitions, also known as naming contexts. Active Directory stores the information in a hierarchy that can be populated with any type of object except for security principals such as users, groups, and computers. This dynamic body of data can be configured with a replication strategy involving DCs across the entire forest, not just a single domain. With application partitions, you can define as many or as few replicas as you want. Site topologies and replication schedules are observed, and the application objects are not replicated to the GC.
Conveniently, application partitions can leverage DNS for location and naming. Windows Server 2003 Web Edition cannot host application partitions because it does not support the DC role.

Install from Backups

The Install from backups feature provides the capability to install a DC using backup media rather than populating the Active Directory through a lengthy replication period. This is especially useful for domains that cross site boundaries over limited WAN connectivity. To do this, back up your directory store using Windows Backup, restore the files at the remote site’s candidate DC, and run dcpromo using the source replication from files option. This also works for GC servers.

Active Directory Quotas

The new Active Directory quotas (not to be confused with disk quotas) are defined as the number of objects that can be owned by a given user in a given directory partition. Fortunately, Domain Admins and Enterprise Administrators are exempt from the quota, and quotas do not apply at all to the schema partition. Replicated operations do not count toward the quota; only the original operations do. Quota administration is performed through a set of command-line tools, including dsadd, dsmod, dsget, and dsquery. No graphical interface exists for quota administration.

Linked Value Replication

Linked value replication provides an answer to Windows 2000’s limit of 5000 direct group members. Instead of treating a large group as a single replication unit, linked value replication allows a single member to be added to or removed from the group during replication, thereby reducing network traffic. Without it, for example, any change to a 10,000-member distribution group would trigger a complete replication of the group. With a group that large, this would be likely to occur many times in a typical day.
Improved Knowledge Consistency Checker

The Windows 2000 Knowledge Consistency Checker (KCC) would not operate properly within a forest containing more than 200 sites due to the complexity of the inter-site replication topology generator algorithms. The service had to be turned off in that case, and the replication topology had to be managed manually. The Windows Server 2003 KCC can automatically manage replication among up to 5000 sites due to new, more efficient algorithms. In addition, it uses greatly improved topology generation event logging to assist in troubleshooting.

Reduced NTDS.DIT Size

The Windows Server 2003 directory takes advantage of a new feature called Single Instance Store (SIS). This limits the duplication of redundant information. The new directory store is about 60 percent smaller than the one in Windows 2000.

Forest Trusts

In Windows NT 4.0, there were few options for the interoperability of business units; for example, either Calico.cats.com trusted Labs.dogs.com or they didn’t. There were no other real options. In addition, if trust existed at all, it tended to be complete. When Windows 2000 introduced the Active Directory, many more options became available so that partnerships and integrated project teams could form on the network just as they did in real life. The problem with that approach was that there always had to be a dominant partner at the root: the playing field could never be completely even. Understanding the politics of business, Microsoft stepped in with a solution called multiple-forest trusts in Windows Server 2003, which, when used, result in a configuration called federated forests. Without the forest trust, Kerberos authentication between forests would not work. Remember that having two forests means two Active Directory databases and two completely distinct sets of directory objects, such as user accounts.
Accessing resources across the federated forest boundary requires a more complex trust path than the one between domains within a single forest.

Routing Hints for Forest Trusts

Routing hints are a new feature of GCs. The problem with creating trusts between forests is that all traditional authentication channels stop at the forest boundary. DCs and traditional GCs are sometimes not enough. When these fail to produce a Service Principal Name (SPN) describing the location of the service being requested, routing hints from the Windows Server 2003 GC help guide the workstation toward the correct forest within the Federated Forest boundary. The GC server does this by checking the forest trust’s Trusted Domain Object (TDO) for trusted name suffixes that match the one found in the destination SPN. The routing hint always goes back to the originating device so that it can resume its search for the SPN location in the other forest. This new functionality has some limitations. If the TDO contains outdated or incorrect information, the hint might be incorrect, since the GC does not actually check for the existence of the other forests.

Cross-Forest Authentication

Although some types of data access are supported, Windows Server 2003 does not support NetBIOS name resolution or Kerberos delegation across forests. NTLM authentication for down-level clients continues to be fully supported, however. A Universal Group in one forest might contain global groups from one or more additional forests across any available forest trusts. Federated Forest, or cross-forest, authentication takes two forms. In the default forest-wide authentication, an “allow-all deny-some” approach is used.
In other words, external users have the same level of access to local resources as the local users do. The other form of access control takes the security-conscious approach of “deny-all allow-some.” This optional method is called selective authentication, and requires more administrative overhead because it grants explicit control over the outside use of local resources. You must set a control access right called allowed to authenticate on an object for the users and groups that need access from another forest. If selective authentication is enabled, an Other Organization SID is associated with the user. This SID is then used to differentiate the external user from local users and determines whether an attempt can be made to authenticate with the destination service. For reliable authentication using Kerberos, system time must be accurate across every workstation and server. Servers are best synchronized with the same time source, while workstations synchronize time with the servers. In an upgraded Active Directory domain, this is usually not a problem.

New Domainwide Features

There are many new domainwide features in Windows Server 2003, the most significant of which we discuss next.

Domain Controller Rename

Not to be confused with domain renaming, domain controller rename is the ability to rename a DC without following the Windows 2000 procedure of demoting, renaming, and promoting again. In a large domain, this saves considerable time, especially over a slow WAN link, since the process of re-promoting the DC requires a replication of the Active Directory.

Universal Groups and Group Conversions

Universal Groups are able to contain members from any domain in any forest, and they replicate to the GC. They are particularly useful for administrative groups.
One of the best uses for groups with universal scope is to consolidate groups above the domain level. To do this, add domain user accounts to groups with global scope and nest these Global Groups within Universal Groups. Using this strategy, changes to the Global Groups do not directly affect the membership of groups with universal scope. Taking it one step further, a Universal Group in one forest can contain Global Groups from one or more additional forests across any available forest trusts. Here is an example. You have two domains in different forests with NetBIOS names of CATS and DOGS. Each domain contains a Global Group called Birdwatchers. To take advantage of this new capability, you add both of the Global Groups, CATS\Birdwatchers and DOGS\Birdwatchers, to a Universal Group you create called ALLBirdwatchers. The second step is to create an identical Universal Group in the other forest as well. The ALLBirdwatchers group can now be used to authenticate users anywhere in both enterprises. Any changes in the membership of the individual Birdwatchers groups will not cause replication of the ALLBirdwatchers group.

Table 12.1 Summary of Universal Group Capabilities by Domain Functional Level

Functional Level             | Universal Group Members                                                              | Universal Group Nesting
-----------------------------|--------------------------------------------------------------------------------------|------------------------------------------------------------------------------
Windows 2000 mixed           | None                                                                                 | None
Windows 2000 native          | User and computer accounts, Global Groups, and Universal Groups from any domain      | Universal Groups can be added to other groups and assigned permissions in any domain
Windows Server 2003 interim  | None                                                                                 | None
Windows Server 2003          | User and computer accounts, Global Groups, and Universal Groups from any domain      | Universal Groups can be added to other groups and assigned permissions in any domain

Security Group Nesting

Security Groups are used to grant access to resources. Using nesting, you can add a group to a group.
This reduces replication traffic by nesting groups to consolidate member accounts. A Security Group can also be used as an e-mail distribution list, but a Distribution Group cannot be used in a discretionary access control list (DACL), which means it cannot be used to grant access to resources. Sending e-mail to a Security Group sends the message to all members of the group.

Distribution Group Nesting

Distribution Groups are collections of users, computers, contacts, and other groups. They are typically used only for e-mail applications. Security Groups, on the other hand, are used to grant access to resources and as e-mail distribution lists. Using nesting, you can add a group to a group. Group nesting consolidates member accounts and reduces replication traffic. Windows NT did not support Distribution Groups within the OS, but they are supported in all versions of Active Directory. Distribution Groups cannot be listed in DACLs in any version of Windows, which means they cannot be used to define permissions on resources and objects, although they can be used in DACLs at the application layer. Microsoft Exchange is a common example. If you do not need a group for security purposes, create a Distribution Group instead.

Number of Domain Objects Supported

In Windows 2000, group membership was stored in Active Directory as a single multivalued attribute. When the membership list changed, the entire group had to be replicated to all DCs. So that the store could be updated in a single transaction during the replication process, group memberships were limited to 5000 members. In Windows Server 2003, Linked Value Replication removes this limitation and minimizes network traffic by setting the granularity of group replication to a single principal value, such as a user or group.
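The AGGUDLP nesting path from Chapter 11 (Figures 11.9 to 11.11) and the scope rules behind Table 12.1 and Security Group Nesting, as an added example that is not code from the book: a Python model that refuses nestings the functional level does not allow, expands nested membership down to user accounts, and checks resource access only through domain local groups. Domain and group names follow the figures; the home domains chosen for All_HR and Global_HR_Resources and the RULES table are my assumptions, written from the text rather than quoted from it.

```python
# Added example, not code from the book: a model of the AGGUDLP strategy (Chapter 11)
# and of the group-scope rules behind Table 12.1 and Security Group Nesting (Chapter 12).
# Names follow Figures 11.9 to 11.11; RULES is my summary of the rules, not quoted text.
MIXED, NATIVE = "Windows 2000 mixed", "Windows 2000 native"  # 2003 interim / 2003 act the same
RULES = {  # parent scope -> {nestable child scope: must the child be in the same domain?}
    MIXED: {"global": {},                        # accounts only; no universal groups at all
            "domain_local": {"global": False}},  # global groups from any domain
    NATIVE: {"global": {"global": True},
             "universal": {"global": False, "universal": False},
             "domain_local": {"global": False, "universal": False, "domain_local": True}},
}

class Group:
    def __init__(self, domain, scope):
        self.domain, self.scope, self.members = domain, scope, set()

class Forest:
    def __init__(self, level):
        self.level, self.groups, self.acls = level, {}, {}
    def add_group(self, name, domain, scope):
        if scope not in RULES[self.level]:
            raise ValueError(f"{scope} security groups are not available at {self.level}")
        self.groups[name] = Group(domain, scope)
    def add_member(self, group, member):
        """Enforce the nesting rules; member is a group name or a 'DOMAIN\\user' account."""
        parent, child = self.groups[group], self.groups.get(member)
        if child is None:
            if parent.scope == "global" and not member.startswith(parent.domain + "\\"):
                raise ValueError(f"{group} only takes accounts from {parent.domain}")
        else:
            allowed = RULES[self.level][parent.scope]
            if child.scope not in allowed:
                raise ValueError(f"cannot nest {child.scope} {member} in {parent.scope} {group}")
            if allowed[child.scope] and child.domain != parent.domain:
                raise ValueError(f"{member} must be in the same domain as {group}")
        parent.members.add(member)
    def grant(self, resource, group):
        """The DL and P steps: only domain local groups are placed on the ACL."""
        if self.groups[group].scope != "domain_local":
            raise ValueError("grant permissions to domain local groups only")
        self.acls.setdefault(resource, set()).add(group)
    def effective_members(self, group):
        """Expand nested groups transitively down to the user accounts."""
        users, seen, stack = set(), set(), [group]
        while stack:
            name = stack.pop()
            if name not in seen:
                seen.add(name)
                for m in self.groups[name].members:
                    stack.append(m) if m in self.groups else users.add(m)
        return users
    def can_access(self, resource, user):
        return any(user in self.effective_members(g) for g in self.acls.get(resource, ()))

def build_figure_11_11(level=NATIVE):
    """Figures 11.10/11.11: Benefits in HR (G in G), HR in All_HR (G in U), All_HR in DLGs (U in DL, P)."""
    f, domains = Forest(level), ("NorthAmerica", "Europe", "Asia")
    for d in domains:
        f.add_group(f"{d}\\HR", d, "global")
        f.add_group(f"{d}\\Benefits", d, "global")
        f.add_member(f"{d}\\HR", f"{d}\\Benefits")
    f.add_group("All_HR", "NorthAmerica", "universal")  # home domain is an assumption
    for d in domains:
        f.add_member("All_HR", f"{d}\\HR")
    for res, dlg, dom in (("Files", "Global_HR_Resources", "NorthAmerica"), ("Printer", "HR_Print_Asia", "Asia")):
        f.add_group(dlg, dom, "domain_local")  # Global_HR_Resources home domain assumed
        f.add_member(dlg, "All_HR")
        f.grant(res, dlg)
    return f
```

Adding one Europe account to Europe\Benefits is the only change needed for that user to reach both Files and the Asia printer, while the same build fails at mixed level on the first Global-in-Global nesting.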