
The Best Damn Windows Server 2003 Book Period- P58 docx



Document information

Pages: 10
Size: 329.08 KB

Content

to that DC, and transfer a copy of the Active Directory database, making a new DC. If this fails, you have a great opportunity to determine why. Use the hints just mentioned and verify that all is in place. We requested a Retry more than once before noticing that we had misspelled administrator—sometimes, it’s the simplest answer. Review the Summary and click Next.

12. After the transfer is complete, which should take several minutes, you will see the Complete dialog box—a sign that all went well. Again, note the location of the DC in the Default-First-Site-Name site, and click Finish.

13. The last step is to restart the machine. Click Restart Now. This obviously reboots the server, which then comes back online as a DC in your existing domain.

Upgrading Domain Controllers to Windows Server 2003

If you administer an existing domain and are looking to upgrade to Windows Server 2003, your best bet is to upgrade the DCs one by one until they are all at the same level. Server 2003 can coexist with Server 2000 and NT, as long as you are aware of the caveats associated with such an environment. Even if you plan to upgrade all of the DCs, you must still temporarily run the network as a mixed environment.

Upgrading your existing domain can be done in one of two ways: in-place upgrade or migration. An in-place upgrade means that you take your existing DC and install Windows Server 2003 right over the top of it. Your existing domain structure with all of its user, group, and computer accounts will be migrated into the new Windows Server 2003 Active Directory. The advantages are clear:

■ It’s simple and quick.
■ You don’t need a new computer.
■ No new SIDs or trusts have to be created, which keeps all your existing member servers and resource domains happy.
■ Everyone gets to keep his or her password.
■ Migrating from Windows 2000 to Windows Server 2003 in this manner works well.

Why would you upgrade any other way?
Experts suggest that you avoid the in-place upgrade in the following situations:

■ If you are trying to get an NT 4 PDC to become an Active Directory DC in an existing Active Directory domain, you can’t do it this way. Upgrading an NT 4 PDC will always create a new Active Directory domain.
■ Upgrading an NT 4 DC allows you to create a new Active Directory domain name, but you are forced to keep the NetBIOS name.
■ You cannot merge your NT 4 domain into your Active Directory domain.
■ All accounts are upgraded and there is no way to roll this back. We suggest that you take one of your BDCs in NT or one of your Active Directory DCs in 2000 and move it offline in case there are any problems. You can then bring the DC back online, and your original domain will still exist.
■ All the extra “stuff,” such as unused groups and users, in the NT SAM is there in your new Active Directory domain.

536 Chapter 15 • Working with Domain Controllers 301_BD_w2k3_15.qxd 5/12/04 1:24 PM Page 536

A migration is accomplished by creating a new pristine Active Directory on a new server. Then, you use a migration tool to copy the domain information from your old domain to your new one. Here are some of the advantages of this method:

■ Migration is gradual. You can migrate one department at a time.
■ Accounts are copied rather than moved, so you can return to the old domain if necessary.
■ You avoid the complexity of taking existing database bugs and moving them into your new Active Directory.
■ You can re-evaluate your existing domain structure and consolidate or expand your domains, as you deem necessary.

There are also disadvantages to migration:

■ You need new computers to install your new domain.
■ Generally, users have to create new passwords.
■ A migration tool might have to be purchased. Microsoft has a free migration tool, Active Directory Migration Tool (ADMT), but it is designed for the small to medium domains. You can purchase other tools for enterprise-level migrations.
At around $10 per user, this can get expensive.
■ You cannot use the same NetBIOS name that exists in your old domain.
■ Migration is more work. You might have to go to every member server and re-do all of the groups (some migration tools provide ways to avoid this by using Security ID histories (SIDHistory)).

Whether to upgrade or to migrate is an important decision. You must understand the differences and know the pros and cons involved. Either choice will produce issues to consider and plan for.

Placing Domain Controllers within Sites

Sites were discussed earlier in this book, in Chapter 12, “Working with Active Directory Sites.” Remember that you don’t need more than the default site unless you have a network with subnets that are connected by slower WAN links. If you have multiple sites, you need to put your DCs in the right places; otherwise, you will “span the WAN”; in other words, your DCs will replicate continuously over your WAN, eating up the bandwidth needed by your users. Here is a brief review of what you need to manage your sites. The tool of choice is the Active Directory Sites and Services console.

■ Create a site name
■ Create subnets to match your actual IP subnets
■ Move the servers listed in ADSS to their respective assigned sites

First, you define the site itself. We suggest at least renaming the Default-First-Site-Name to something befitting your company location, such as CorpHQ. Next, you need to define subnets. Your physical and logical IP subnets should already exist, but you need to define them in the site tool, by specifying the subnet address and assigning it to your site. To place your DC in a site, open the Servers folder and move the DC into the appropriate site. Remember that all servers within a site will automatically determine the replication process, but you must configure the replication between sites.
Backing Up Domain Controllers

Every Windows server has a system state that includes the Registry of that server (among other things). On a DC, the system state also includes Active Directory. Since replication of Active Directory occurs automatically, you only need to back up the system state of one of your DCs to back up Active Directory. However, your other DCs might run other applications or have files that only exist on that machine, so be sure that those are included in your routine backup. If you have multiple sites, consider backing up the system state of one DC per site to facilitate easier access to the Active Directory backup data should you need to restore it.

To back up the system state of any computer, you must be connected locally. In other words, the computer that you are logged on to, and are running the backup application from, is the only system state you can back up. If you are using a tape drive and you want to back up the Active Directory, you will have to connect the tape drive to a DC directly. The local computer rule applies to a restore as well: you must be directly connected to the computer on which you want to restore the system state. Backup media options have been increased from the limited Windows 2000 Backup to include removable media (CD, DVD) or a shared resource.

Restoring Domain Controllers

To restore a DC from backup, you must determine which part needs to be restored. The first question to ask is, does the Active Directory need to be restored authoritatively or non-authoritatively?

■ Non-authoritative restore means that you just restore the Active Directory to whatever point it was at when you backed it up, and then let the new changes from the other DCs automatically replicate to this DC to bring it up to the most current state.
■ Authoritative restore means that the Active Directory that you restore is the master, and even though the data on it is “old” compared to the other DCs, its data is to be taken as the authority or final word on the Active Directory.

Use the non-authoritative restore when you have lost the DC but the data on the other DCs is accurate; in other words, there is nothing the “downed” DC knows that no other DC knows. Authoritative restore is used when the “downed” server does know something the other DCs don’t.

For example, suppose you delete the user account Hannah on Monday. On Friday, you learn that Hannah was not supposed to be deleted. You can’t just create a new user called Hannah because the new account takes on a new SID, and all the permissions, rights, and privileges that were associated with the first Hannah are lost. You must restore the original account, which by now is removed from all the DCs. Fortunately, you can perform an authoritative restore from Sunday night’s backup to get Hannah’s account back. This forces all the other DCs to re-accept Hannah’s original account.

That is a simplified version of what the backup and restore capabilities can do. When you restore authoritatively, you can restore the entire Active Directory or select different levels of the domain hierarchy, even down to the single object restore, as was needed in the previous scenario. As long as you know the exact FQDN for the object to be restored, you can recover it.

The steps to restore Active Directory start with a good recent backup. Remember that your restore is only as good as your backup. Spend the time, effort, and money to ensure that you have good valid backups. With the backup in hand, you are ready. On which DC should you run the restore?
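As an added example (not from the book), a PowerShell script that takes the system state backup the restore procedure above depends on. It runs locally on a DC, because a system state can only be backed up from the machine itself, and uses ntbackup.exe, the Windows Server 2003 backup tool; the D:\Backups destination and the job and file naming are assumptions.

```powershell
# Added example, not from the book. Back up the local DC's system state with
# ntbackup (Windows Server 2003). Run it on each DC you have chosen to back up,
# for example one per site, since a system state can only be backed up locally.
# Assumed: the destination folder and the job/file naming below.
param([string]$Destination = 'D:\Backups')

# Only a domain controller carries Active Directory in its system state.
# Win32_ComputerSystem.DomainRole: 4 = backup DC, 5 = primary DC.
$role = (Get-WmiObject -Class Win32_ComputerSystem).DomainRole
if ($role -lt 4) {
    throw "$env:COMPUTERNAME is not a domain controller (DomainRole=$role)"
}

if (-not (Test-Path $Destination)) {
    New-Item -ItemType Directory -Path $Destination | Out-Null
}
$stamp = Get-Date -Format 'yyyyMMdd-HHmm'
$file  = Join-Path $Destination ("{0}-systemstate-{1}.bkf" -f $env:COMPUTERNAME, $stamp)

# ntbackup switches: 'systemstate' selects the Registry, SYSVOL and the AD
# database and logs; /J names the job; /F writes to a file instead of tape;
# /V:yes verifies the data after writing (a restore is only as good as its
# backup); /L:s keeps a summary log; /M normal is a full, not incremental, set.
$ntbArgs = @('backup', 'systemstate',
             '/J', ('"System state {0}"' -f $env:COMPUTERNAME),
             '/F', ('"{0}"' -f $file),
             '/V:yes', '/L:s', '/M', 'normal')
$proc = Start-Process -FilePath 'ntbackup.exe' -ArgumentList $ntbArgs -Wait -PassThru

# Rather than trusting the exit code alone, confirm the .bkf was really written.
if ((Test-Path $file) -and ((Get-Item $file).Length -gt 0)) {
    "System state backup written: {0} ({1:N0} bytes)" -f $file, (Get-Item $file).Length
} else {
    throw "ntbackup (exit code $($proc.ExitCode)) did not produce $file"
}
```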
See Chapter 19, “Ensuring Active Directory Availability,” for more information about backing up and restoring the Active Directory. Also remember that you can now use a backup from a DC running Windows Server 2003 to create additional DCs.

Managing Operations Masters

Flexible Single Master Operations (FSMO, pronounced fizz-moe) are certain roles assigned to DCs that need only exist on one DC and not all DCs. They are also called operations masters. These operations are critical in managing such objects as the schema and determining uniqueness among a forest, tree, and domain. Earlier in the chapter we declared all Windows Server 2003 DCs equal—that was not entirely accurate. FSMOs make some DCs more important than others, at least in regard to certain domain tasks, and it is your job to know which DCs perform these roles and what to do if a role needs to be switched to another DC. You must also know how to seize a role should you lose one. Those various roles, as well as how to seize and transfer roles, were discussed in detail in Chapter 12.

Chapter 16

Working with Global Catalog Servers and Schema

In this chapter:
■ Working with the Global Catalog and GC Servers
■ Working with the Active Directory Schema

Introduction

In previous chapters, we’ve discussed forests, domains, trusts, sites, and organizational units. In this chapter, we’re going to take a closer look at the Global Catalog and Global Catalog servers. We’ll also look at the Active Directory schema. Understanding the structure of AD is important in order to be an efficient Windows Server 2003 administrator.
Active Directory uses the Global Catalog (GC), which is a copy of all the Active Directory objects in the forest, to let users search for directory information across all the domains in the forest. The GC is also used to resolve user principal names (UPNs) when the domain controller (DC) that is authenticating logon isn’t aware of the account (because that account resides in a different domain). When the DC can’t find the user’s account in its own domain database, it then looks in the GC. The GC also stores information about membership in Universal Groups. Because the GC performs all these functions for the multidomain network, it is important for administrators to understand how it works and how to create, manage, and place the GC servers that hold the GC.

In this chapter, we look at this special type of domain controller: the Global Catalog Server. You’ll learn about the role the GC plays in the network, and how to customize the GC using the Schema Microsoft Management Console (MMC) snap-in. We show you how to create and manage GC servers, and we’ll explain how GC replication works. You’ll learn about the factors to consider when placing GC servers within sites. Next, we address the Active Directory schema itself. You’ll learn about schema components: classes and attributes, and the naming of schema objects. We show you how to install and use the Schema management console, and you’ll learn how to extend the schema and how to deactivate schema objects.

Working with the Global Catalog and GC Servers

The GC is a vital part of Active Directory functionality. Given the size of enterprise-level organizations, on many networks, there will be multiple domains and at times, multiple forests. The GC helps in keeping a list of every object without holding all the details of those objects; this optimizes network traffic while still providing maximum accessibility.
Whenever a user is searching for an object in the directory, the GC server is used in the querying process for multiple reasons. The GC server holds partial replicas of all the domains in a forest, other than its own (for which it holds a full replica). Thus, the GC server stores the following:

■ Copies of all the objects in the domain in which it resides
■ Partial copies of objects from other domains in the forest

The key point is that the GC is designed to have the details that are most commonly used for searching for information. This allows for efficient response from a GC server. There is no need to try to find one item out of millions of attributes, because the GC has the important search-related items only. This makes for quick turnaround on queries.

Functions of the GC

The GC serves various purposes, which we discuss later in the chapter. GC servers are important for the UPN functionality of Active Directory. Universal Groups are also a responsibility of the GC server.

The scope of Directory Services has changed from the days of Windows NT 4.0 Directory Services. With Active Directory, a user record holds more than just a username for an individual. The person’s telephone number, e-mail address, office location, and so forth can be stored in Active Directory. With this type of information available, users will search the directory on a regular basis. This is especially true when Microsoft Exchange is in the environment. Whether a person is looking for details on another user, looking for a printer, or simply trying to locate another resource, the GC will be involved in the final resolution of the object. As mentioned previously, the GC server holds a copy of every object in its own domain and a partial copy of objects in other domains in the forest. Therefore, users can search outside their own domains as well as within, something that could not be done with the old Windows NT Directory Services model.
UPN Authentication

The UPN is meant to make logon and e-mail usage easier, since the two (your user account and your e-mail address) are the same. An example of a UPN is Brian@syngress.com. The GC provides assistance when a user from a domain logs on and the DC doesn’t know about the account. When the DC doesn’t know the account, it generally means that the account exists in another domain. The GC will help in finding the user’s account in Active Directory. The GC server will help resolve the user account so the authenticating DC can finalize logon for the user.

Directory Information Search

With Active Directory, users have the ability to search for objects such as other users or printers. To help a user who is searching the database for an object, the GC answers requests for the entire forest. Since the complete copy of every object available is listed in the GC, searches can be completed quickly and with little use of network bandwidth. When you search the entire directory, the request is directed to the default GC port 3268. The GC server is also known to other computers on the network because of SRV records in DNS. That is how a node on the network can query for a GC server. There are SRV records specifically for GC services. These records are created when you create the domain. The DNS entry for a GC server uses the mnemonic Gc and the record type SRV.

When users search for information in Active Directory, their queries can cross WAN links, depending on the network layout. Each organization is different. Figure 16.1 shows an example layout with GC servers in the corporate office in Chicago and a branch office in Seattle. The other two sites do not have GC servers. When queries are initiated at the Chicago branch office, the queries use the corporate office GC server. With a high-speed fiber connection, bandwidth isn’t an issue.
The branch office in New York has a slow link but fewer than 10 users. These users will use the GC in Chicago as well. Even though the pipe between these locations is only 56K, the small number of users doesn’t warrant having a GC server in New York. The Seattle office has a T1, which is decent connectivity, but there are over 100 users in this location. Considering that, searches will be more efficient with a GC server locally. We will look at sites later in the chapter, but Figure 16.1 will help you get a basic understanding of how the query process works.

Figure 16.1 Example GC Search Query [figure: Corporate Headquarters in Chicago with a Global Catalog Server; Chicago Branch Office, 25 users, fiber connection; New York Branch Office, <10 users, 56 K Frame; Seattle Branch Office, 100 users, T1, with its own Global Catalog Server]

Universal Group Membership Information

When setting up your network, you will have certain features available based on the Forest Functional Level and Domain Functional Level. Universal Groups is one of these features that will or will not be available depending on your functional level. If your Domain Functional Level is set to at least Windows 2000 Native or later, you will have Universal Groups available on your network. Universal Groups can have members belonging to various domains in the forest. Without a GC server, Universal Groups could not exist. That is because Universal Group membership is stored in the GC only. This means that every DC will not have a copy of Universal Group membership; only the DCs serving as GC servers have this information. When users log on, their Universal Group membership is checked. The GC provides this information to the authenticating DC.
Universal Group membership information is stored in all GC servers, so you need to consider the design of your GC server layout when adding to or changing the GC server configuration. The number of users at a location will help determine when you need a GC server. A large number of queries of the GC information over slow links isn’t recommended; placing a GC at each site is a better design. With sites with a small number of users, you can get away with not having a GC server at each site. We discuss this in more detail later in the section Placing GC Servers within Sites.

Customizing the GC Using the Schema MMC Snap-In

There might be occasions when you need to make a modification to the GC. You might want to include more attributes than were originally set up. You have to be careful, though, and consider the replication of data. The more attributes there are for the GC servers to replicate, the more network traffic is generated.

To modify the GC, use the Schema snap-in within the MMC. Before you can run the console, you must install it. You complete the installation by registering a .dll. To install the Active Directory Schema snap-in, open a command prompt and type Regsvr32 schmmgmt.dll. You should then see a message that the dll was registered (“DllRegisterServer in schmmgmt.dll succeeded”). Now you can run the Active Directory Schema snap-in as shown in Figure 16.2.

Figure 16.2 Active Directory Schema Snap-In

Now that the .dll is registered, you can create a custom MMC. If you click Start and select Run, you can start a blank console by typing MMC in the Run window and clicking OK. You have to add the snap-in to the blank MMC. The following procedure walks you through the steps of registering and running the Active Directory Schema snap-in. Remember that you must be a Schema Admin member to make changes to the schema.
If you are not, you will be able to run the Schema Admin snap-in and view properties of classes and attributes, but you won’t be able to make changes.

Setting Up the Active Directory Schema MMC Snap-in

You need to be logged on as an Enterprise Administrator in Active Directory.

1. Log on to your server with an Enterprise Administrator account.
2. Open a command prompt by clicking Start, and then select Run.
3. In the Run box, type cmd and press Enter.
4. At the command prompt, type regsvr32 schmmgmt.dll.
5. You should see a dialog box confirming the registration if the dll registered successfully.
6. Click OK in the dialog box confirming that the registration succeeded.
7. Now, click Start, type mmc /a, and press Enter.
8. In the MMC window, click on File and select Add/Remove Snap-in.
9. In the Add/Remove Snap-in window, click Add.
10. Find the Active Directory Schema snap-in listed in the Add Standalone Snap-in window.
11. Select the snap-in and then click Add.
12. Now, click Close in the Add Stand Alone Snap-in dialog box.
13. Click OK in the Add/Remove Snap-in dialog box.
14. You should now have a console that you can use for modifying the schema or GC. You can save this as a .msc file to easily click on it next time versus adding a custom snap-in.

Creating and Managing GC Servers

When you initially install Active Directory, the first DC created is also the first GC server. As your network changes, you might require additional GC servers to help manage network traffic. To specify whether a server is a GC server, use the Active Directory Sites and Services console. Open the Active Directory Sites and Services console, expand Sites, and then expand the site with the DC you want to be a GC server. Next, expand Servers and find the Domain Controller object. In the details pane you should see NTDS Settings. If you right-click NTDS Settings and select Properties, you will have the option to enable or disable the GC on the DC you select, as Figure 16.3 shows.
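An added example (not from the book) that checks, from an administrator's workstation, the three things this section and the Directory Information Search section describe: which DCs in each site are GC servers, whether the _gc._tcp SRV records for the forest resolve, and whether each GC answers on port 3268. It uses the .NET System.DirectoryServices.ActiveDirectory classes and nslookup; the forest it is run in and the 3-second connect timeout are assumptions.

```powershell
# Added example, not from the book. Report GC placement per site, confirm the
# GC SRV records in DNS, and probe the GC LDAP port on every advertised GC.
# Assumed: run on a domain-joined Windows machine with the .NET Framework.
Add-Type -AssemblyName System.DirectoryServices

# TCP connect with a timeout, so a dead GC does not hang the report.
function Test-GcPort {
    param([string]$HostName, [int]$Port = 3268, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($HostName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$gcNames = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })

# 1. Site-by-site view. A site that has DCs but no GC sends every UPN logon
#    and forest-wide search across the WAN (the New York case in the text).
"Forest: {0}" -f $forest.Name
foreach ($site in $forest.Sites) {
    $servers = @($site.Servers | ForEach-Object { $_.Name })
    $gcsHere = @($servers | Where-Object { $gcNames -contains $_ })
    "{0,-25} DCs: {1,-3} GCs: {2}" -f $site.Name, $servers.Count, ($gcsHere -join ', ')
    if ($servers.Count -gt 0 -and $gcsHere.Count -eq 0) {
        "    WARNING: site has domain controllers but no Global Catalog server"
    }
}

# 2. DNS: clients find GCs through the _gc._tcp SRV records of the forest root.
"`nSRV records for _gc._tcp.{0}:" -f $forest.Name
nslookup -type=SRV ("_gc._tcp." + $forest.Name) 2>&1

# 3. Each advertised GC must actually answer on 3268 (GC over LDAP).
"`nGC port check:"
foreach ($gc in $gcNames) {
    "{0}: port 3268 {1}" -f $gc, $(if (Test-GcPort -HostName $gc) { 'open' } else { 'CLOSED' })
}
```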

Posted: 04/07/2014, 23:21
