Types of Trusts

Two trusts, tree-root and parent-and-child, are created by default when running the Active Directory Installation Wizard. The other four trusts—shortcut, external, realm, and forest—can be created as needed with the New Trust Wizard or the Netdom.exe command-line tool. When creating those four trusts, you have the option of creating two one-way relationships, simulating bidirectional capabilities. As with any use of passwords, it is a security best practice to use long, random, and complex passwords in the establishment of trusts. The best option is to use the New Trust Wizard to create both sides simultaneously, in which case the wizard generates a strong password for you. Naturally, you must have the appropriate administrative credentials in both domains for this to work.

Restructuring the Forest and Renaming Domains

In Windows Server 2003, you can rename domains in an Active Directory forest after the forest structure is in place. This was not true in the Windows 2000 Server family. You build your Active Directory forest structure one domain at a time, and the resulting relationships are the result of the order in which you create them and the DNS names you assign. Renaming domains allows you to change the forest structure. For example, you can raise a child domain to be a new tree-root domain, or lower a top-level domain to child status in another tree. In each case, you rename an existing domain to create a different forest structure.

In cases where restructuring is not your goal, you can rename domains without affecting the trust relationships between domains. For example, you do not create a different domain-tree structure if you rename a root domain, although the names of all child domains below it are also changed. This is a complex and sweeping modification to the namespace of one or more domains.
During the domain rename procedure, you can change DNS and NetBIOS names, but the true identity of a domain lies in its domain GUID and its domain SID. Creating new DNS or NetBIOS names will leave those attributes unchanged.

Domain Rename Limitations

Windows NT had no supported method for domain renaming, other than a complete rebuild of the new domain. The best option that Windows 2000 offers is only the first half of the solution—you still have to create a new domain from scratch. Microsoft released a support tool called the Active Directory Object Manager that can migrate users, computers, and groups into the new empty domain structure. Windows Server 2003 now supports the full solution. However, even with the new restructuring capability, certain types of structural changes are not supported, and many forests cannot be renamed due to limitations of the procedure. These limitations include the presence of Exchange 2000. Other problematic issues arise, such as the failure of enterprise certificates with certain types of embedded pointers, and network saturation due to the replication of sweeping changes to the directory.

Domain Rename Limitations in a Windows 2000 Forest

Windows Server 2003's forest restructuring capabilities provide solutions to some of the problems that the Windows 2000 Server family did not address. In a Windows 2000 forest, renaming domains is not directly possible after the forest structure is in place. The only way to accomplish it is to move or recreate the domain contents. These constraints make domain name changes or forest restructuring prohibitive in Windows 2000.

486 Chapter 12 • Working with Forests and Domains 301_BD_W2k3_12.qxd 5/12/04 12:38 PM Page 486

■ You cannot change the DNS name or the NetBIOS name of a domain. You can, however, achieve similar results by moving its contents into a new domain using the Active Directory Object Manager (MoveTree) in the Windows 2000 Support Tools.
■ Using the Active Directory Object Manager method, you cannot move a domain within a forest in a single operation.
■ Using the Active Directory Object Manager method, you cannot split a domain into two domains in a single operation.
■ Using the Active Directory Object Manager method, you cannot merge two domains into a single domain in a single operation.

Domain Rename Limitations in a Windows Server 2003 Forest

Windows Server 2003 Standard, Enterprise, and Datacenter Editions provide tools that you can use to safely rename domains. Since domain renaming is at the core of forest restructuring, you can leverage this capability with very powerful results. When considering restructuring an existing Windows Server 2003 forest, be sure to consider the limitations of domain renaming. Adding, removing, merging, and splitting domains are operations outside the scope of the domain rename process.

■ You cannot change which domain is the forest root domain, although you can still give it a new DNS or NetBIOS name.
■ You cannot remove or add domains to the forest. The number of domains before and after the restructuring must remain the same (you can, of course, add new domains after the name change).
■ You cannot move a domain name from one domain to another in a single operation.

The resulting forest, no matter how sweeping the DNS and NetBIOS changes are, must result in a well-formed forest. A well-formed forest has the following characteristics:

■ All domains within the forest must form one or more DNS trees.
■ The forest-root domain must be the root of one of these trees.
■ A domain directory partition must not have an application directory partition as a parent.
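As an added example (not code from the book), the following PowerShell function checks a proposed rename plan against the restrictions just listed before anyone touches the forest: the same set of domains before and after (keyed by GUID, since the GUID and not the name is a domain's identity), the forest root still present, no DNS name assigned to two domains, the forest root still heading its own tree, and no domain whose parent name is an application directory partition. The domain names, GUID strings, and partition names in the sample run are constructed.

```powershell
# Added example (not from the book): sanity-check a domain rename plan against
# the Windows Server 2003 restrictions listed above before touching the forest.
# Domains are keyed by GUID because the GUID, not the DNS name, is the identity.
function Test-RenamePlan {
    param(
        [Parameter(Mandatory=$true)] [hashtable] $Before,        # GUID -> current DNS name
        [Parameter(Mandatory=$true)] [hashtable] $After,         # GUID -> proposed DNS name
        [Parameter(Mandatory=$true)] [string]    $ForestRootGuid,
        [string[]] $ApplicationPartitions = @()                  # application directory partition names
    )
    $problems = @()

    # The set of domains may not change: no adds, removes, merges or splits.
    $removed = @($Before.Keys | Where-Object { -not $After.ContainsKey($_) })
    $added   = @($After.Keys  | Where-Object { -not $Before.ContainsKey($_) })
    if ($removed.Count) { $problems += "Domains dropped by the plan: $($removed -join ', ')" }
    if ($added.Count)   { $problems += "Domains added by the plan: $($added -join ', ')" }
    if (-not $After.ContainsKey($ForestRootGuid)) {
        $problems += "Forest root GUID $ForestRootGuid is not in the plan; the root domain cannot be replaced"
        return $problems
    }

    # A name cannot be moved from one domain to another in one operation, so no duplicates.
    $names = @($After.Values | ForEach-Object { $_.ToLower() })
    foreach ($group in ($names | Group-Object | Where-Object { $_.Count -gt 1 })) {
        $problems += "DNS name '$($group.Name)' is assigned to $($group.Count) domains"
    }

    # Well-formed forest: each domain is a tree root or a child of another forest domain,
    # the forest root heads one of the trees, and no domain hangs off an application partition.
    foreach ($guid in $After.Keys) {
        $name   = $After[$guid].ToLower()
        $parent = if ($name.Contains('.')) { $name.Substring($name.IndexOf('.') + 1) } else { '' }
        if ($ApplicationPartitions -contains $parent) {
            $problems += "'$name' would have application partition '$parent' as its parent"
        }
        if ($guid -eq $ForestRootGuid -and ($names -contains $parent)) {
            $problems += "Forest root '$name' would become a child of '$parent'; it must remain a tree root"
        }
    }
    return $problems
}

# Constructed sample: promote child domain eu.fish.example to its own tree as fish-eu.example.
$before = @{ 'GUID-ROOT' = 'fish.example'; 'GUID-EU' = 'eu.fish.example'; 'GUID-US' = 'us.fish.example' }
$good   = @{ 'GUID-ROOT' = 'fish.example'; 'GUID-EU' = 'fish-eu.example'; 'GUID-US' = 'us.fish.example' }
# A bad plan: drops the US domain and demotes the forest root under the new EU tree.
$bad    = @{ 'GUID-ROOT' = 'corp.fish-eu.example'; 'GUID-EU' = 'fish-eu.example' }

foreach ($plan in @($good, $bad)) {
    $issues = @(Test-RenamePlan -Before $before -After $plan -ForestRootGuid 'GUID-ROOT')
    if ($issues.Count -eq 0) { Write-Host "Plan passes the structural checks" }
    else { $issues | ForEach-Object { Write-Warning $_ } }
}
```

The first plan passes; the second is rejected twice, once for the dropped domain and once because the forest root would no longer be a tree root. The function only reasons about names and GUIDs, so it cannot detect the dependency problems (Exchange 2000, forest functional level, DFS root versions) listed in the next section; those still need to be verified on the live forest.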
Domain Rename Dependencies

Other conditions that must be eliminated, or prerequisites that must be met, before you can attempt the domain rename procedure include the following:

■ Domain rename is not supported in a domain where Exchange 2000 is installed.
■ All of your DCs must be running Windows Server 2003, and the Active Directory forest functional level must be raised to Windows Server 2003.
■ The domain rename procedure requires Enterprise Administrator privileges.
■ The control station for the domain rename operation must not be a DC. You must use a member server to perform the operation.
■ All domain-based DFS root servers must be running Windows 2000 with Service Pack 3 or higher.

Domain Rename Conditions and Effects

The domain rename procedure is complex, requires a great deal of care in planning and execution, and should always be tested in a lab environment before performing it on an operational forest. The time required to go through a complete domain rename operation varies; the level of effort required is directly proportional to the number of domains, DCs, and member computers. Before undertaking a domain rename operation, you must fully understand the following conditions and effects. They are inherent in the process and must be dealt with or accommodated.

■ Each DC requires individual attention. Some changes are not replicated throughout the Active Directory. This does not mean that every DC requires a physical visit. Headless management can greatly reduce the level of effort required, depending on the size and structure of the domain and the number of sites it contains.
■ The entire forest will be out of service for a short period. Close coordination is required with remote sites, especially those in other time zones. During this time, DCs will perform directory database updates and reboot.
  As with other portions of the procedure, the time involved is proportional to the number of DCs affected.
■ Any DC that is unreachable or fails to complete the rename process must be eliminated from the forest for you to declare the procedure complete.
■ Each client workstation requires individual attention. After all DCs have updated and rebooted, each client running Windows 2000 or Windows XP must be rebooted two times to fully adapt to the renamed domain. Windows NT workstations must disjoin from the old domain name and rejoin the new domain name, a manual process that requires a reboot of its own.
■ The DNS host names of your DCs are not changed automatically by the domain rename process. To make them reflect the new domain name, you must perform the domain controller rename procedure on each DC. Having the host name of a DC decoupled from its domain name does not affect forest service, but the discrepancy will be confusing until you change the names.
■ The DNS suffix of client workstations and member servers will automatically update through the domain renaming process, but not all computers will match the DNS name of the domain immediately. As with most portions of this process, the period of time required is proportional to the number of hosts in the domain.

Rename a Windows Server 2003 Domain Controller

As you know, renaming a DC is different than renaming a domain. Follow these steps to rename your Windows Server 2003 DC.

1. Log in as a domain administrator and open a command prompt.
2. Execute the rename command:
   Netdom Computername OldComputerNetBIOSname /add:NewComputerFQDN
3.
   Verify the secondary name with the following command:
   Netdom Computername OldComputerNetBIOSname /enumerate
   The command will report old and new DNS names. Allow some time for the computer account to be replicated throughout the domain, and the DNS resource records to be distributed to the authoritative DNS servers.
4. Select the new computer name as the primary one:
   Netdom Computername OldComputerNetBIOSname /makeprimary:NewComputerFQDN
   The /enumerate option should have displayed both computer names. Type the new name exactly as shown by the command in step 3. Now that you have changed the primary name, the /enumerate command will not work again until you reboot.
5. Reboot and log on as a domain admin.
6. Check the names again:
   Netdom Computername NewComputerNetBIOSname /enumerate
7. Delete the old computer name:
   Netdom Computername NewComputerNetBIOSname /remove:OldComputerFQDN
   Type the old name exactly as shown by the /enumerate command in step 6.
8. Confirm the functionality of the new name. Using the DNS administrator, expand the DNS server icon. Click the forward lookup zone and check for an (A) record for the new computer name. Verify that it points to the correct IP address. There should not be a host record for the old name. If you find one, delete it.

Implementing DNS in the Active Directory Network Environment

Whatever implementation of DNS you use with your Active Directory, it must support DNS SRV records. Using the Windows implementation of DNS gives you additional features that make it easier to use. For example, when you install a new domain, the DNS zones are automatically created and configured for you, significantly reducing the time you must spend manually configuring each DNS server.
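Returning to the eight-step domain controller rename above: the following PowerShell script is an added example (not code from the book or from Microsoft) that runs those steps in two phases, split by the reboot in step 5, and performs the checks the steps call for instead of relying on the operator to read netdom's output. It assumes netdom.exe from the Windows Server 2003 Support Tools is on the PATH and that it runs as a domain administrator on the DC being renamed. Parsing the /enumerate output as one FQDN per line is an assumption about netdom's output format, and dc4, dc4.fish.example, dc04 and dc04.fish.example are constructed sample names.

```powershell
# Added example, not from the book: the DC rename steps above as a two-phase script.
# Phase 'AddName' covers steps 2-4; reboot (step 5); then phase 'Finish' covers steps 6-8.
# Assumes netdom.exe (Support Tools) on the PATH; sample names below are constructed.
param(
    [ValidateSet('AddName', 'Finish')] [string] $Phase = 'AddName',
    [string] $OldNetBiosName = 'dc4',
    [string] $OldFqdn        = 'dc4.fish.example',
    [string] $NewNetBiosName = 'dc04',
    [string] $NewFqdn        = 'dc04.fish.example',
    [int]    $ReplicationWaitMinutes = 15
)

function Invoke-Netdom {
    param([string[]] $Arguments)
    # Run "netdom computername ..." and stop on a non-zero exit code so no step is silently skipped.
    $output = & netdom.exe computername @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "netdom computername $($Arguments -join ' ') failed:`n$($output -join "`n")"
    }
    return $output
}

function Get-ComputerNames {
    param([string] $Computer)
    # Steps 3 and 6: the names netdom knows for the computer (assumed format: one FQDN per line).
    $lines = Invoke-Netdom @($Computer, '/enumerate')
    return @($lines | ForEach-Object { "$_".Trim() } | Where-Object { $_ -match '^[\w-]+(\.[\w-]+)+$' })
}

function Test-NameResolves {
    param([string] $Name)
    # True if DNS currently returns an address for the name, false otherwise.
    try { [void][System.Net.Dns]::GetHostAddresses($Name); return $true } catch { return $false }
}

switch ($Phase) {
    'AddName' {
        # Step 2: register the new name as an alternate (secondary) computer name.
        [void](Invoke-Netdom @($OldNetBiosName, "/add:$NewFqdn"))

        # Step 3: confirm netdom lists the new name before going further.
        $names = Get-ComputerNames $OldNetBiosName
        if (-not ($names -contains $NewFqdn)) { throw "netdom did not list $NewFqdn after /add" }

        # Wait for the computer account and DNS records to replicate; give up after the timeout.
        $deadline = (Get-Date).AddMinutes($ReplicationWaitMinutes)
        while (-not (Test-NameResolves $NewFqdn)) {
            if ((Get-Date) -gt $deadline) { throw "$NewFqdn still does not resolve after $ReplicationWaitMinutes minutes" }
            Start-Sleep -Seconds 30
        }

        # Step 4: promote the new name to primary, spelled exactly as /enumerate reported it.
        $exact = $names | Where-Object { $_ -ieq $NewFqdn } | Select-Object -First 1
        [void](Invoke-Netdom @($OldNetBiosName, "/makeprimary:$exact"))
        Write-Host "Primary name set to $exact. Reboot (step 5), then rerun this script with -Phase Finish."
    }
    'Finish' {
        # Step 6: after the reboot the computer answers to its new NetBIOS name.
        $names = Get-ComputerNames $NewNetBiosName
        $staleName = $names | Where-Object { $_ -ieq $OldFqdn } | Select-Object -First 1
        if (-not $staleName) { throw "Old name $OldFqdn is not listed; check the /enumerate output before removing anything" }

        # Step 7: remove the old name, again spelled exactly as netdom reported it.
        [void](Invoke-Netdom @($NewNetBiosName, "/remove:$staleName"))

        # Step 8: the new name must resolve to one of this host's addresses; the old name must not resolve at all.
        $localAddrs = [System.Net.Dns]::GetHostAddresses([System.Net.Dns]::GetHostName()) | ForEach-Object { $_.ToString() }
        $newAddrs   = [System.Net.Dns]::GetHostAddresses($NewFqdn) | ForEach-Object { $_.ToString() }
        $overlap    = @($newAddrs | Where-Object { $localAddrs -contains $_ })
        if ($overlap.Count -eq 0) { throw "$NewFqdn resolves to $($newAddrs -join ', '), none of which is a local address" }
        if (Test-NameResolves $OldFqdn) {
            Write-Warning "A host record for $OldFqdn still exists; delete it in the DNS console (step 8)."
        } else {
            Write-Host "Rename complete: $NewFqdn -> $($overlap -join ', '); no record left for $OldFqdn"
        }
    }
}
```

The script deliberately refuses to continue when /enumerate does not show the expected name, which is the failure the manual steps guard against by telling you to type the name exactly as reported. The final check only confirms resolution, so a lingering record for the old name is reported rather than deleted, leaving that decision to the administrator as the text does.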
If you do have problems, the Windows Server 2003 DNS service has configuration enhancements that simplify the debugging and logging of incorrect DNS configurations. This helps you solve problems faster by suggesting troubleshooting steps for you to take. Another way in which Active Directory helps you configure DNS is through Group Policy for DNS clients. This greatly simplifies the implementation of DNS changes.

Windows 2000, Windows XP, and Windows Server 2003 are similar in their user interfaces for DNS, but Windows NT is significantly different. Table 12.6 shows a comparison of the administrative tools used in NT versus more recent versions.

Table 12.6 Comparison of Administrative Tools in Windows NT vs. Windows Server 2003

DNS Task: Installing the DNS server service
  Windows NT 4.0 uses: Network control panel
  Windows 2000, XP, and Server 2003 use: Windows Components wizard

DNS Task: Starting the DNS Manager
  Windows NT 4.0 uses: Start | Administrative Tools | DNS Manager
  Windows 2000, XP, and Server 2003 use: Start | Administrative Tools | DNS

DNS Task: Starting, stopping, or restarting the DNS service
  Windows NT 4.0 uses: Services control panel
  Windows 2000, XP, and Server 2003 use: Start | Administrative Tools | DNS, then right-click Computername | All Tasks and select Start, Stop, Pause, Resume, or Restart

DNS Task: Adding a remote server to DNS Manager
  Windows NT 4.0 uses: Server menu in DNS Manager
  Windows 2000, XP, and Server 2003 use: In the DNS tool, right-click DNS | Connect to DNS Server…, The following computer: type Computername, click OK

DNS and Active Directory Namespaces

In Windows Server 2003, Active Directory supports multiple discontiguous interforest namespaces through the implementation of GCs, and multiple discontiguous extraforest namespaces through the use of routing hints. This means that multiple namespaces can coexist within the same Active Directory. You should, however, be aware that name collisions are possible using cross-forest trusts if namespaces overlap within the federated forest.
DNS Zones and Active Directory Integration

Standard DNS zones are stored in text files in the %systemroot%\System32\Dns folder. After DNS is integrated into the directory, each zone exists as a dnsZone container object identified by the name of the zone. DNS and Active Directory can use identical names for different namespaces. For this reason, it is important to understand that they are not the same namespace. DNS contains zones and records, while Active Directory contains domains and domain objects.

Windows Server 2003 brings in a new feature that blurs the line between DNS and Active Directory, called application partitions. With this release of Windows, DNS zones and records can be contained within the Active Directory itself, and are subject to the same replication and authentication parameters. Some advantages of this include a reduction in the number of objects stored in the GC, and a finely tuned replication domain. Regular Active Directory integrated DNS zones are replicated in their entirety to the domain partition of every DC, whether it needs them or not, and to the GC. By contrast, application partition-integrated DNS zones only replicate to DNS servers, reducing replication traffic and unused replicas. There are two automatically configured application partitions. One has a forestwide scope and resides on DCs running DNS in the forest root. The other application partition has a more limited domain scope, and resides on DCs running DNS in each domain.

Some of the benefits to be gained by integrating DNS with Active Directory include:

■ An upgrade from the standard DNS single-master update model to the multi-master model. Updates can take place at any DNS server, not just the one that is authoritative for each zone. The multi-master model eliminates the single point of failure for dynamic updates.
■ Access control lists (ACLs) on directory-integrated zones, allowing you to specify who can delete, modify, or even read records within the zone.
■ Secure updates, which protect the integrity of your DNS zones by protecting against DNS poisoning and other malicious attacks.
■ The automatic replication and synchronization of DNS zones whenever you install a new DC.
■ A common replication topology for DNS zones and Active Directory domains. Non-integrated DNS requires the design, implementation, testing, and administration of two different replication topologies.
■ Added replication efficiency, since Active Directory replication is faster and more efficient than standard DNS replication.

Configuring DNS Servers for Use with Active Directory

It is a good practice to add additional DNS servers to eliminate concerns over a single point of failure. Traditionally, you would install a standard secondary DNS server. With Active Directory integration, all you need to do is convert your standard primary DNS server to an Active Directory integrated primary DNS server. Once that is done, simply configure additional DCs to take on the DNS role for redundancy.

There are a few things to be acquainted with when you integrate your DNS into the directory. For one thing, there are no more secondary DNS servers. Once integrated into Active Directory, all DNS servers are primary. Zone transfers no longer take place; instead, Active Directory replication is used to distribute changes as they occur. With legacy DNS systems, standard DNS zones are administered using a text editor. DNS zones stored in Active Directory are administered using the DNS console or the dnscmd command-line tool only—no more text editing.
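Two of the benefits listed above, secure updates and ACLs on directory-integrated zones, only protect a zone if they are actually turned on and reviewed. The following PowerShell script is an added example (not code from the book or from Microsoft) that checks an Active Directory-integrated zone's dynamic update setting with dnscmd, switches it to secure updates only when it is not, and lists the zone's DACL with dsacls for review; it applies the "Configure secure dynamic updates" and "control who has the ability to control DNS zones through the DACL" guidelines from the Securing Your DNS Deployment section later in this chapter. It assumes dnscmd.exe and dsacls.exe from the Support Tools are on the PATH. The dnscmd /ZoneInfo and /Config ZoneName /AllowUpdate 2 options (2 = secure updates only) and the dsacls tool exist but are not shown on this page; the "update = N" and "DS integrated = N" lines the script parses from /ZoneInfo output are an assumption about its format, and DC4.fish.example / fish.example are constructed sample names.

```powershell
# Added example, not from the book: verify and enforce secure dynamic updates on an
# AD-integrated zone and list who holds rights on its dnsZone object.
# Assumes dnscmd.exe and dsacls.exe (Support Tools) on the PATH; names are constructed.

function Invoke-Tool {
    param([string] $Exe, [string[]] $Arguments)
    # Run a Support Tools command and fail loudly on a non-zero exit code.
    $output = & $Exe @Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "$Exe $($Arguments -join ' ') failed:`n$($output -join "`n")" }
    return @($output | ForEach-Object { "$_" })
}

function Get-ZoneSetting {
    param([string[]] $ZoneInfo, [string] $Key)
    # Pull "<key> = <value>" out of dnscmd /ZoneInfo output (assumed format); $null if absent.
    $pattern = '^\s*' + [regex]::Escape($Key) + '\s*=\s*(\S+)'
    foreach ($line in $ZoneInfo) { if ($line -match $pattern) { return $Matches[1] } }
    return $null
}

function Test-ZoneHardening {
    param([string] $Server, [string] $Zone)
    # Returns whether the zone is directory-integrated and whether it accepts secure updates only.
    $info = Invoke-Tool 'dnscmd.exe' @($Server, '/ZoneInfo', $Zone)
    return @{
        Zone          = $Zone
        DsIntegrated  = (Get-ZoneSetting $info 'DS integrated') -eq '1'
        SecureUpdates = (Get-ZoneSetting $info 'update') -eq '2'
    }
}

function Set-SecureDynamicUpdate {
    param([string] $Server, [string] $Zone)
    $state = Test-ZoneHardening -Server $Server -Zone $Zone
    if (-not $state.DsIntegrated) {
        throw "$Zone is not Active Directory-integrated; secure updates require an integrated zone"
    }
    if ($state.SecureUpdates) { return "$Zone already accepts secure dynamic updates only" }
    # AllowUpdate 2: only computers that authenticate to Active Directory can register records.
    [void](Invoke-Tool 'dnscmd.exe' @($Server, '/Config', $Zone, '/AllowUpdate', '2'))
    # Re-read the setting rather than trusting the tool's "completed successfully" line.
    $after = Test-ZoneHardening -Server $Server -Zone $Zone
    if (-not $after.SecureUpdates) { throw "dnscmd reported success but $Zone still allows nonsecure updates" }
    return "$Zone switched to secure dynamic updates only"
}

function Get-ZoneDacl {
    param([string] $Zone, [string] $DomainDn, [switch] $DomainDnsZonesPartition)
    # The dnsZone object for an integrated zone lives under CN=MicrosoftDNS, either in the
    # domain partition (CN=System) or in the DomainDnsZones application directory partition.
    $container = if ($DomainDnsZonesPartition) { "DC=DomainDnsZones,$DomainDn" } else { "CN=System,$DomainDn" }
    $dn = "DC=$Zone,CN=MicrosoftDNS,$container"
    # dsacls prints the object's DACL; the caller decides which entries are unexpected.
    return Invoke-Tool 'dsacls.exe' @($dn)
}

# Constructed sample run against the DNS server on DC4.
$server = 'DC4.fish.example'
Set-SecureDynamicUpdate -Server $server -Zone 'fish.example'
# Show only entries that grant modification rights; anything beyond DnsAdmins and the
# DCs' own accounts deserves a second look.
Get-ZoneDacl -Zone 'fish.example' -DomainDn 'DC=fish,DC=example' -DomainDnsZonesPartition |
    Where-Object { $_ -match 'FULL CONTROL|WRITE' }
```

The re-read after /Config is the part worth keeping even if the rest is discarded: a zone that is still accepting nonsecure updates is exactly the case in which an unauthenticated host could register or overwrite records, so the setting should be verified from the server's own state rather than from the command's exit message. Run the DACL listing on a schedule and diff it against the previous run to notice rights being added to the zone.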
The following sections take you through the Windows Server 2003 versions of common DNS administrative procedures related to Active Directory and application partition integration. By default, the DNS Server service will attempt to discover and build the standard DNS application directory partitions in Active Directory. Depending on how DNS was originally implemented, these default partitions might already exist. If necessary, you can manually create them as shown in the following steps. Some DNS procedures require the Windows Support Tools' dnscmd utility, which you can install by double-clicking suptools.msi in the \Support\Tools folder on the Windows Server 2003 CD.

Integrating an Existing Primary DNS Server with Active Directory

To integrate an existing primary DNS server with Active Directory, follow these steps:

1. On the current DNS server, click Start | Programs | Administrative Tools | DNS to start the DNS Administrator console.
2. Expand the server name.
3. Right-click your primary DNS zone, click Properties, click the General tab, and note the Type value. This will be Primary zone, Secondary zone, or Stub zone.
4. Click Change.
5. In the Change Zone Type box, click the check box for Store the zone in Active Directory.
6. Click Yes to verify, and then click OK.
7. In the Domain properties, the type should now read Active Directory-Integrated. You can add as many additional DNS servers as you want.

To force replication to occur immediately instead of waiting for the regular replication cycle, follow these steps:

1. Click Start | Administrative Tools | Active Directory Sites and Services.
2. Expand the sites. If no additional sites are configured, you will use the one called Default-First-Site-Name.
3. Expand the following folders: your site, Servers, your computer, NTDS Settings. One or more DC objects are listed in the right pane. Right-click each entry to see its "friendly" name.
   Right-click an entry, and select Replicate Now to begin replication immediately. The time it takes to update the target controller depends on network performance and the amount of data replicated.

Creating the Default DNS Application Directory Partitions

To create the default DNS application directory partitions, follow these steps:

1. Log on to your DNS server as an Enterprise Administrator.
2. To open DNS, click Start | Administrative Tools, and double-click DNS.
3. In the console tree, expand and right-click the DNS server and select Create Default Application Directory Partitions. Follow the instructions to create the DNS application directory partitions. The options are:
   ■ Would you like to create a single partition that stores DNS zone data and replicates that data to all DNS servers in the Active Directory domain DnsDomainName? Yes or No. This option creates one DNS application directory partition for each domain in the forest. DNS zones stored in this partition are replicated to all Active Directory-integrated DNS servers in the domain. Depending on your domain structure and the context of the command, you might get this question multiple times for different domains.
   ■ Would you like to create a single partition that stores DNS zone data and replicates that data to all DNS servers in the Active Directory forest DnsForestName? Yes or No. This option creates one DNS partition named for your forest. It enlists all the DNS servers running on the DCs in the forest, and replicates the DNS data to all of those DNS servers. DNS zones stored in this application directory partition are replicated to all Active Directory-integrated DNS servers in the forest.

Using dnscmd to Administer Application Directory Partitions

There are some differences between standard DNS and the Active Directory-integrated version of DNS.
For example, when you uninstall a DNS server hosting Active Directory-integrated zones, these zones will either be saved or deleted. Since the zone data is stored on other DNS servers, it will not be deleted unless the DNS server that you uninstall is the last one hosting that zone. Windows gives you a warning if this is the case. Only Enterprise Admins can create a DNS application directory partition. Most other DNS tasks can be handled by the DnsAdmins or Domain Admins group.

1. Log on to your DNS server with the credentials needed for the given task.
2. Open a command prompt. Click Start | All Programs | Accessories | Command Prompt, or click Start | Run and type cmd.
3. Use the following dnscmd.exe options. See the example following for assistance:
   ■ Type the following command as an Enterprise Administrator to create a DNS application directory partition:
     dnscmd ServerName /CreateDirectoryPartition FQDN
   ■ Type the following command as a member of the DnsAdmins or Domain Admins group to enlist a DNS server in a DNS application directory partition:
     dnscmd ServerName /EnlistDirectoryPartition FQDN
   ■ Type the following command as a member of the DnsAdmins or Domain Admins group to unenlist a DNS server from a DNS application directory partition:
     dnscmd ServerName /UnenlistDirectoryPartition FQDN

In this case, ServerName specifies the DNS host name or IP address of the DNS server, and FQDN specifies the name of the target DNS application directory partition. Here is an example. Note the "." at the end of the FQDN:

D:\SupportTools>dnscmd DC4.Fish.com /CreateDirectoryPartition Fish.com.
DNS Server DC4.Fish.com created directory partition: Fish.com.
Command completed successfully.

Securing Your DNS Deployment

DNS is full of information. It helps users find services, and services find resources.
Unfortunately, it sometimes provides malicious users with that same wealth of information about your network. To help keep this from happening, use the following guidelines as a minimum approach to your DNS security architecture.

■ Use a split DNS design with internal DNS servers protected by your firewall and external DNS servers on the outside. Your internal namespace can be a child domain of your external namespace, or be completely different.
■ Use your internal DNS servers to host your internal namespace and your external DNS servers to host your external namespace. The external servers should not be able to forward name lookups from the Internet to your internal network, but internal servers can forward queries to the outside.
■ Use a packet-filtering firewall to lock down DNS port 53 so that only external DNS servers under your control can communicate with your internal DNS servers.
■ Configure secure dynamic updates. With this setting, only computers joined to the Active Directory can authenticate with DNS and hence register their service locator records. Computers that are unable to authenticate cannot make changes to DNS data.
■ Carefully monitor and control who has the ability to control DNS zones through the DACL in Active Directory.

Working with Trusts and Organizational Units

In this chapter:
  Working with Active Directory Trusts
  Working with Organizational Units
  Planning an OU Structure and Strategy for your Organization

Introduction

Trust relationships define the ways in which users can access network resources across domains and forests. Without a trust between the domain to which a user belongs and the domain in which a resource resides, the user won't be able to access that file, folder, printer, or other resource.
Hence, it is important for network administrators to understand how the built-in (implicit) trusts in the Active Directory network function, and how to create explicit trusts to provide access (or faster access) between domains.

Organizational units (OUs) are container objects within the directory structure that can be used, as the name implies, to organize resources, including (but not limited to) users, groups, and computers. Group policies can be applied to OUs, and administration of an OU can be delegated, making it easy to perform tasks that need to apply to only select objects.

This chapter addresses these two important components of Active Directory: trust relationships and OUs. You'll learn about the different types of trusts that exist in the Active Directory environment, both implicit and explicit, and you'll learn to create shortcut, external, realm, and cross-forest trusts. You'll also learn to verify and remove trusts, and how to secure trusts using SID filtering. Next, we discuss the creation and management of OUs, and you learn to apply group policy to OUs and how to delegate control of an OU. We show you how to plan an OU structure and strategy for your organization, considering delegation requirements and the security group hierarchy.

Chapter 13 495 301_BD_W2k3_13.qxd 5/12/04 12:42 PM Page 495