MCSA/MCSE Exam 70-296 Study Guide, part 2 (Syngress, www.syngress.com)

85 200 0

Đang tải... (xem toàn văn)

Tài liệu hạn chế xem trước, để xem đầy đủ mời bạn chọn Tải xuống

THÔNG TIN TÀI LIỆU

Nội dung

Implementing DNS in a Windows Server 2003 Network (Chapter 1)

The previous scenario is a very general yet very easy way to secure your DNS servers. It is also a good baseline for adding security to your name resolution strategy. In the sections to come, we discuss some of the concepts and features that Microsoft has put forth relating specifically to DNS and DNS security within Windows Server 2003. In the next section, we discuss the three levels of security that Microsoft has defined for DNS.

Levels of DNS Security

DNS security, like many other forms of security, is a relative term. For some, simply implementing a firewall and placing their DNS server behind it is sufficient security. For others, only the latest and greatest, top level of security will satisfy their needs. To assist you with your DNS security configuration for Windows Server 2003, Microsoft has broken security into three separate levels for comparison purposes:

- Low level
- Medium level
- High level

As you apply different security features to your Windows Server 2003 DNS namespace, you systematically move from a lower level of security to a higher level. To make a real-world analogy, you can compare it to the security clearances in place in the U.S. Government. Classification of documents and material within the U.S. Government falls into one of five categories:

- Unclassified
- Sensitive but unclassified (SBU)
- Confidential
- Secret
- Top secret

As you go from unclassified to top secret, the criticality of information security becomes more and more severe. Obviously, knowing what the U.S.S. Nimitz will be serving for lunch is (probably) much less of a security risk than knowing what types of ammunition are stored on the ship. Microsoft's definition of security levels for DNS follows much the same pattern. Things such as DNS access to the Internet, dynamic updates, zone transfer limitation, and root hint configuration take on different aspects as you increase in security level from low to high. Let's begin by running through the implementation and configuration settings for a DNS server with a low level of security.

Low-Level Security

Low-level security, as defined by Microsoft, is basically using the default configuration settings when DNS for Windows Server 2003 is installed. Typically, you do not want to run a DNS server under this configuration, because it is so wide open. The characteristics of a DNS server set for low-level security are as follows:

- Full exposure to the Internet. Your DNS namespace is completely exposed to the Internet, meaning that Internet users can perform DNS lookups on any PC within your infrastructure. Typically, port 53 is open bidirectionally on your firewall.
- Zone transfer. Your DNS servers can transfer zone information to any server that asks for it.
- DNS root hints. Your DNS servers are configured with root hints that point to the root servers on the Internet.
- DNS listener configuration. Your DNS servers listen on any and all IP addresses configured for the server. For example, if a server is homed on two subnets, it listens for requests on either subnet.
- Dynamic update. Dynamic update is allowed on your DNS server. This means that any host is allowed to update its resource records at will, without authentication.

Medium-Level Security

Typically, a medium-level configuration is what you will see and implement in most environments. The medium-level characteristics offer a higher level of protection than low-level security without becoming so restrictive that the server is difficult to operate. The characteristics of a DNS server set for medium-level security are as follows:

- Limited exposure to the Internet. Only certain DNS traffic is allowed to and from your DNS server. Typically, port 53 traffic is allowed only to and from certain external DNS servers, which sit on the outside of your firewall. DNS lookups for external names are forwarded to these external DNS servers.
- Zone transfer. Your DNS servers can only transfer zone information to servers that have NS records in their zones.
- DNS root hints. Internet DNS root hints are present only on the DNS servers outside your firewall.
- DNS listener configuration. Your DNS servers listen only on specified IP addresses.
- Dynamic update. Dynamic update is disabled on your DNS servers.

High-Level Security

The high-level configuration characteristics are very similar to those of the medium-level configuration. However, one key difference is that a high-level configuration contains a domain controller as well as a DNS server, and the DNS zone information is stored within Active Directory. The other key differences between the medium-level and high-level configurations are as follows:

- No exposure to the Internet. Your DNS server does not communicate with the outside world under any circumstances.
- DNS root hints. Root hints on your internal servers point exclusively to internal DNS servers that host root information for your internal namespace.
- Dynamic update. Dynamic update is allowed, but only when your zone is configured for secure dynamic updates. (We cover dynamic updates and secure dynamic updates in the "Using Secure Updates" section.)
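There is no single switch that selects a level; you arrive at one by setting each of the characteristics above individually. The following batch script is an added example, not taken from the book, of doing that with the dnscmd.exe command-line tool on a Windows Server 2003 DNS server: it takes a default (low-level) installation to the medium-level characteristics listed above and also turns on the "Secure cache against pollution" option that the threat section later in this chapter discusses. The zone name corp.example, the listener address 10.0.1.5, and the external forwarder address 198.51.100.53 are placeholders to be replaced with your own values.

```batch
@echo off
rem Added example (not from the study guide): harden a default Windows
rem Server 2003 DNS server to the book's "medium level" using dnscmd.exe.
rem Placeholders, assumed for illustration: zone corp.example,
rem listener address 10.0.1.5, external forwarder 198.51.100.53.

set ZONE=corp.example
set LISTEN=10.0.1.5
set FORWARDER=198.51.100.53

rem 1. Listener configuration: answer only on the internal interface
rem    instead of every address the server owns (the low-level default).
dnscmd /ResetListenAddresses %LISTEN%

rem 2. Limited Internet exposure: resolve external names only through the
rem    DNS server outside the firewall. /Slave makes this a forwarder-only
rem    server, so it never falls back to the Internet root hints, and the
rem    firewall can restrict outbound port 53 to %FORWARDER% alone.
dnscmd /ResetForwarders %FORWARDER% /Slave

rem 3. Zone transfer: allow transfers only to the servers named in the
rem    zone's NS records (the low-level default allows any requester).
dnscmd /ZoneResetSecondaries %ZONE% /SecureNs

rem 4. Dynamic update: 0 = disabled (medium level). For the high level on
rem    an Active Directory integrated zone use 2 = secure only; 1 accepts
rem    unsecured updates from any host and should be avoided.
dnscmd /Config %ZONE% /AllowUpdate 0

rem 5. Secure cache against pollution: discard records in a response that
rem    do not belong to the queried domain. On by default in Windows
rem    Server 2003; set explicitly so the script is idempotent.
dnscmd /Config /SecureResponses 1

rem 6. Recursion. Disabling it blocks the recursive-query DoS described
rem    later, BUT it also disables forwarders (step 2), so it belongs only
rem    on an authoritative server that clients never use as a resolver.
rem    Left commented out for that reason.
rem dnscmd /Config /NoRecursion 1

rem Verify the resulting server and zone settings.
dnscmd /Info
dnscmd /ZoneInfo %ZONE%
```

Run the script on the DNS server as a member of DnsAdmins or Domain Admins; dnscmd also accepts a server name as its first argument if you prefer to run it remotely. The settings correspond one-to-one to the Interfaces, Forwarders, Zone Transfers, and General (Dynamic updates) tabs in the DNS console, so the result can be checked in the GUI as well as with the two verification commands at the end.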
There is no management console in Windows Server 2003 to select whether your DNS server will function at a low, medium, or high level of security. These are simply guidelines that you can use in developing your DNS infrastructure. You should compare your DNS configuration to the three levels to determine whether the security of your DNS server meets the security needs of your organization.

One constant in computer networks is that no matter what type of security you implement, your environment will never be completely secure. There will always be someone out there who wants to see if he or she can penetrate the safeguards you have put in place. Knowing what threats exist and being diligent in keeping your network secure from known and recently discovered threats is your best bet for maintaining a secure environment. Let's take the next few pages to discuss threats to a DNS server and what you can do to mitigate them.

Understanding and Mitigating DNS Threats

"Those who cannot remember the past are condemned to repeat it." That famous quote has been repeated many times throughout history by many influential people. It also applies well to network security. If you are not aware of security threats that already exist (such as DNS spoofing, DoS attacks, or DNS footprinting) and do not protect yourself against them, you are setting yourself up to be a victim of them. Understanding the known DNS security threats, how they are carried out, and how to protect yourself against them will pay dividends in the end, even if you can't see how right now. In this section, we discuss some of the more common DNS attacks as well as some tips on how to protect against them.

DNS Spoofing

DNS spoofing occurs when a DNS server uses information from a host that has no authority to pass along that information. DNS spoofing is a form of cache poisoning, in which intentionally incorrect data is added to the cache of a DNS server. Spoofing attacks can cause users to be directed to an incorrect Internet site, or cause e-mail servers to route mail to mail servers other than those for which it was originally intended.

DNS query packets carry a 16-bit ID that the requester uses to match a response to its original query. Although later revisions have worked around this issue, earlier DNS implementations sent out sequential ID numbers: you could run a query that generated an ID number, and the next query from that DNS server would carry an ID that was the previous one plus one. This made it easy for a would-be attacker to determine the next ID in the series and forge a response that the server would accept as the answer to its own outstanding query. Due to the nature of a DNS spoofing attack, it can carry on for a long time without being noticed. You can use tools such as DNS Expert (www.menandmice.com/2000/2100_dns_expert.html) to check for DNS spoofing and other DNS vulnerabilities. If you don't want to purchase software, you can easily test your DNS server yourself: send it several queries that force it to query another server, capture the IDs of the outbound queries, and determine whether the next ID can be guessed. If you can successfully predict the next query ID, your server is vulnerable to DNS spoofing attacks, particularly DNS cache poisoning.

Cache poisoning occurs when a DNS server is sent an incorrect mapping with a high Time To Live (TTL). When a "poisoned" DNS server is queried for the address of a host, it returns the invalid IP information, misinforming the requestor. The good news is that Microsoft has implemented functionality, enabled by default, to protect your DNS servers from cache pollution. Within the properties of the DNS server, you can select (or clear) Secure cache against pollution to prevent a would-be attacker from polluting the cache of your DNS server with false resource records (see Figure 1.26). With this option on, the server ignores resource records in a response that belong to names outside the domain it queried for, which is the usual way extra, attacker-supplied records are smuggled into a cache. Basically, you would never want to clear this option. We've made a point of showing you this detail because in Windows 2000 DNS servers the option was not enabled by default.

Figure 1.26 Securing a Server Against Cache Pollution

Denial of Service

A DoS attack occurs when an attacker attempts to "deny" the availability of domain name resolution by overloading a DNS server with multiple recursive queries. A recursive query occurs when a DNS server acts as a proxy for DNS clients that have requested resource record information outside the zones it hosts. When a recursive query arrives, the server issues additional queries to external DNS servers on behalf of the client and returns the result to the client once it has obtained it. As the attacker floods the DNS server with more and more queries, the server's CPU eventually becomes saturated, and the DNS Server service stops answering, denying service to legitimate clients.

In Windows Server 2003, you can configure your DNS server to disable recursion. Unlike cache pollution protection, recursion is not disabled for the DNS Server service by default. You can disable DNS recursion on the Advanced tab of the DNS server's Properties dialog box (see Figure 1.27). Bear in mind that a server with recursion disabled also cannot use forwarders, so this setting belongs on servers that only host zones and are not used as resolvers by your clients.

Figure 1.27 Disabling DNS Recursion

DNS Footprinting

Unlike a DoS attack, DNS footprinting is a passive attack. DNS footprinting occurs when an attacker obtains DNS zone information from your DNS server in order to gather naming and IP information for resources within your network. Typically, host names reveal the function of a particular resource. For instance, exchange.boston.us.na.widgets.home can easily be interpreted as the Microsoft Exchange e-mail server for the Boston office of Widgets Inc. In a footprinting attack, the attacker begins to diagram, or footprint, the network based on the IP addresses and DNS names of the resources. Typically, footprinting gathers information that will be used in further attacks on your network, such as a DNS spoofing attack. The best way to prevent your network from being a victim of DNS footprinting is to keep your internal namespace separated from the Internet and secured behind a firewall, and to restrict zone transfers as described under medium-level security. If you must provide access to your internal namespace to external users, or if you have untrusted users (vendors, partners, customers, and so on) who will be physically connecting to your internal network, consider using a naming convention that does not give an obvious description of a server. For example, instead of exchange.boston.us.na.widgets.home, use ex001.boston.us.na.widgets.home.

Using Secure Updates

Since you are a Windows 2000 MCSE, you should certainly be familiar with the concept of dynamic DNS updates. Dynamic DNS updates allow a computer on your network to register and update its DNS resource records whenever a change occurs, such as a change of computer name. Dynamic DNS updates were intended to reduce the administrative work of updating DNS databases each time a machine was brought online, moved, or renamed. In Windows Server 2003, Microsoft has taken the concept a step further. When a DNS zone is integrated with Active Directory, it has the added advantage of supporting secure dynamic updates. When a zone is configured to use secure dynamic updates, only computers that have authenticated to the Active Directory domain can perform dynamic updates. In Windows Server 2003, dynamic DNS updates are disabled by default when standard zones are used; however, when a zone is Active Directory integrated, secure dynamic DNS updates are turned on by default. If you want to allow clients to use nonsecure DNS updates on a Windows Server 2003 DNS server (using either standard or Active Directory integrated zones), you need to turn this option on manually (see Figure 1.28).

Figure 1.28 Properties for Unsecured Dynamic DNS Updates

Configuring & Implementing: Managing a DNS Access Control List

To further enhance security for a Windows Server 2003 DNS server with Active Directory integrated zones, you can adjust the security settings in the zone's discretionary access control list (DACL). The DACL can be accessed through the DNS Management console on the Security tab of the zone properties. DACL properties for a DNS zone are similar to DHCP and file-sharing security properties, with which you should already be familiar. You can use the DACL to grant Full Control, Read, Write, Create All Child Objects, Delete Child Objects, or special permissions to users and/or groups. The default setting for Authenticated Users is Create All Child Objects, which is the minimum permission required for a client to register its records using secure dynamic update. For more information on adjusting DACL security settings, visit www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/proddocs/datacenter/sag_DNS_pro_ModifySecurityZone.asp

EXAM WARNING
Remember that dynamic updates can only be configured as Secure Only for Active Directory integrated zones.

New & Noteworthy: Using Unsecured Dynamic DNS Updates with Active Directory Integrated Zones

Be mindful of turning on unsecured dynamic DNS updates on Windows Server 2003 servers that are configured with Active Directory integrated zones. When a client attempts to update its resource records using dynamic update, it first attempts the update using the unsecured method. Only if the unsecured update is refused does the client go on to try the secure dynamic update method, so allowing unsecured updates means that every client will use them. Older clients such as Windows 95 and Windows NT, as well as third-party clients such as Macintosh OS or Linux, do not support secure dynamic update; for those clients, Windows Server 2003 DHCP offers proxy dynamic registration for secure dynamic updates, as Windows 2000 did for proxy registration of unsecured dynamic DNS registration. Therefore, there really is no overwhelming reason why unsecured dynamic DNS updates should be used.

The DNS Security Extensions Protocol

The last topic we discuss in this chapter is support for the DNS Security Extensions (DNSSEC) protocol. DNSSEC is a set of extensions to DNS that adds the ability to authenticate resource records and was designed to protect the Internet from certain attacks. DNSSEC uses public key cryptography with digital signatures to give the requestor of resource information a way to authenticate the source of the data. DNSSEC offers assurance that a query response can be traced back to a trusted source, either directly or through a hierarchy of signatures that can extend all the way up to the parent zone. In DNSSEC, a DNS zone has its own public and private key pair: the private key signs the zone's records, and the public key lets resolvers verify those signatures. DNSSEC, as defined in RFC 2535, adds two resource record types that are used for authentication:

- The KEY record stores the public key for a host or zone.
- The SIG record stores the digital signature associated with each set of records.

When the resource records in a zone are signed using the zone's private key, DNSSEC-aware resolvers that hold the secured zone's public key can verify whether resource information received from the zone is authentic. If a resolver receives an unsigned record set when it expects a signed one, it can identify that there is a problem and will not accept the information.

A typical DNSSEC-enabled query occurs as follows:

1. The resolver queries the root servers, using the root servers' well-known public key, to find the DNS server authoritative for the zone in question as well as the public key for that zone.
2. The resolver sends a DNS query to the authoritative server for the zone whose public key it obtained in Step 1.
3. The DNS server receives the query and responds to the resolver with the requested records as well as the corresponding SIG record.
4. The resolver receives the resource records and the SIG record and verifies the records using the public key obtained in Step 1. If the signature verifies, the resolver accepts the resource record information; if it does not, the resolver discards it.

NOTE
Public key encryption, key pairs, and digital signatures are covered in depth in Chapter 4, "Implementing PKI in a Windows Server 2003 Network."

You might be asking what happens if a DNS server has no record matching a particular query. For this purpose, a third record type has been added to DNS as part of DNSSEC: the NXT (next) record. When a DNS server responds to a query for which it has no matching record, it sends a NXT record. The NXT record contains the name of the next DNS entity that exists in the zone, together with a list of the record types (NS, SOA, MX, and so on) present at the current name. The purpose of the NXT record is not only to inform the requestor that a particular resource record does not exist, but also to keep a signed "does not exist" answer from being reused against a different name in a replay attack. In a replay attack, a third party sitting between two parties replays to one of them information that it previously captured from the other.

So what does the NXT record do to prevent a replay attack? As we mentioned, the NXT record contains the name of the next record that exists within the zone. Let's say that the following records exist in the phoenix.us.na.widgets.home domain:

- alpha.phoenix.us.na.widgets.home
- beta.phoenix.us.na.widgets.home
- delta.phoenix.us.na.widgets.home
- omega.phoenix.us.na.widgets.home
- zeta.phoenix.us.na.widgets.home

Frank, a very unhappy mail clerk at Widgets Inc., is familiar with the concept of a DNS replay attack. Frank makes a request to a DNSSEC-enabled DNS server for the resource record of kappa.phoenix.us.na.widgets.home. Since this host does not exist in the zone, Frank is sent the NXT record for delta.phoenix.us.na.widgets.home, the existing name just before where kappa would sort. This NXT record names the next existing name in the zone, omega.phoenix.us.na.widgets.home. Frank decides that he wants to cause a little havoc within the Phoenix office, so he performs a replay attack on his coworker Karen. Karen sends a query to the same DNS server for the IP address of alpha.phoenix.us.na.widgets.home. Before the DNS server can respond, Frank sends his stored NXT record to Karen. Since the NXT record was signed with the zone's key, Karen's computer verifies the signature as authentic. However, when Karen's computer examines the NXT record, it sees that the record covers only the span from delta to omega, and since alpha does not fall between delta and omega, Karen's computer determines that the record proves nothing about alpha and discards it.

To learn more about DNSSEC, visit www.dns.net/dnsrd/rfc/rfc2535.html, the original RFC on DNSSEC. You might also want to check out www.dnssec.net, a great portal for Web sites relating to DNSSEC. Note that RFC 2535 has since been replaced by RFCs 4033 through 4035, which rename these records DNSKEY, RRSIG, and NSEC; the exam material uses the RFC 2535 names.

Using DNSSEC

As far as Windows Server 2003 support for DNSSEC goes, we have some good news and some bad news. First, the bad news: it does not support all the features listed in RFC 2535. The good news is that it does provide the "basic support" for DNSSEC described in RFC 2535. Basic support, as described in the RFC, means that a DNS server must be able to store and retrieve SIG, KEY, and NXT resource records. Any secondary or caching server for a secure zone must have at least these basic compliance features.

EXAM WARNING
Expect at least two questions on the exam relating to DNSSEC. Remember the new record types (SIG, KEY, and NXT) and the functions they perform. Also remember that a Windows Server 2003 DNS server can only function as a secondary DNSSEC server.

Server Support

Because Windows Server 2003 meets only the basic support functionality for DNSSEC, it can only be configured to operate as a secondary DNSSEC-enabled DNS server. This means that a Windows Server 2003 DNS server cannot sign zones or resource records, nor validate SIG resource records. When a Windows Server 2003 DNS server receives a zone transfer from a DNSSEC-enabled primary that contains these records, it writes them to zone storage alongside the standard DNS resource records. When it receives a request for a DNSSEC resource record, it does not verify the digital signatures; it simply returns the records it stored from the primary server and uses them for future queries.

Planning and Implementing an Active Directory Infrastructure (Chapter 2, Self Test, continued)

9. You are designing an Active Directory network. There will be two forests in the final design. Forest A will trust Forest B in the final configuration. You will have several member servers that will run Windows NT 4.0 and several that will run Windows 2000 Server. Which forest functional level should you select?
   A. None; you cannot configure this forest
   B. Windows 2000
   C. Windows Server 2003 interim
   D. Windows Server 2003

10. You have an Active Directory network with three domains. One domain is at the domain functional level of Windows 2000 native, a second is at Windows Server 2003 interim, and the third is at Windows Server 2003. What is the highest level you can have for the forest functional level?
   A. Windows 2000
   B. Windows Server 2003 interim
   C. Windows Server 2003
   D. None; this forest cannot be configured

11. You are upgrading a Windows NT 4.0 domain and a Windows 2000 Active Directory forest with two domains to Windows Server 2003. In your final forest configuration, you will have domain controllers running either Windows 2000 Server or Windows Server 2003. Which domain functional level is the highest you can reach?
   A. Windows 2000 mixed
   B. Windows 2000 native
   C. Windows Server 2003 interim
   D. Windows Server 2003

12. You have a network with four locations: NY, PHX, LA, and SEA. You have three domains that contain both users and network resources. You install a new printer in the SEA location. The printer is in the root domain, which has most of its other resources in the NY location. Several users in a child domain at the SEA location complain that it takes a long time to access the printer. What steps can you take to speed up access to the printer?
   A. Create a shortcut trust to the root domain from the child domain
   B. Add a global catalog server to the NY location
   C. Add a global catalog server to the SEA location
   D. Enable universal group membership caching at SEA

13. You have a network with five locations. You have configured four sites, one of which combines the offices at two locations and is named COMBO. There is one global catalog server at each site and domain controllers at all five locations. At COMBO's Office A, users periodically complain that they cannot log on; at COMBO's Office B, there have been no problems. In what two ways can you fix this problem? (Select two answers.)
   A. Install another domain controller at COMBO's Office A
   B. Enable a global catalog server at COMBO's Office A
   C. Enable a global catalog server at COMBO's Office B
   D. Enable universal group membership caching for the entire COMBO site

14. You have two forests. Each forest is used across your five office locations. You have users who access resources in both forests, and you have explicit external trust relationships between certain domains to allow that access. These users often complain that they cannot query for resources in one forest in the same window in which they browse the other forest. What can you do to fix this problem?
   A. Add a global catalog server
   B. Enable universal group membership caching
   C. Create a new trust
   D. Nothing

15. You are designing a Windows Server 2003 forest. You will have a single domain in the forest. You will have three sites with over 400 users each. You will not be using UPN names. How many global catalog servers should you plan for?
   A  B  C  D

Self Test Quick Answer Key

For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.

1. B     9. D
2. B    10. A
3. C    11. B
4. D    12. C
5. D    13. B, D
6. A    14. D
7. B    15. B
8. D

Chapter 3
MCSA/MCSE 70-296
Managing and Maintaining an Active Directory Infrastructure

Exam Objectives in this Chapter:
7.1 Manage an Active Directory forest and domain structure
  7.1.1 Manage trust relationships
  7.1.2 Manage schema modifications
  7.1.3 Add or remove a UPN suffix
7.2 Restore Active Directory directory services
  7.2.1 Perform an authoritative restore operation
  7.2.2 Perform a nonauthoritative restore operation

Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key

Introduction

To pass the 70-296 exam, you not only need to know how to plan and configure an Active Directory structure; you also have to know how to manage it once it is in place. Unfortunately, Active Directory is not something that can be implemented and then walked away from. In your role as a networking professional, you will experience times when you must make minor changes to your structure as well as major ones. There might come a time when you add or remove domains from your Active Directory structure. Events such as company mergers, branch closures, and other business-oriented events can trigger a need to reconfigure your structure to accommodate change. In these situations, you might need to add or remove trusts between domains, add OUs, or perform other administrative tasks that can have a huge impact on your structure. In this chapter, you will learn how to manage your Active Directory structure, including the tools at your disposal for these management tasks.

Along with these changes to your Active Directory structure, there might come a time when you realize that a change you made was incorrect. Unfortunately, there is no Undo command in the Active Directory tools. However, as with Windows 2000, the Active Directory restore tools are your best friends when these types of problems occur. In this chapter, you will learn the Active Directory restore types and how to properly restore Active Directory. Let's begin with a discussion of the different ways that you can manage your Active Directory structure.

Choosing a Management Method

Microsoft has provided a number of tools to help you manage Active Directory. You can administer your Active Directory installation using Windows graphical user interface (GUI) tools, various command-line utilities, and more advanced scripting functions. Each method has certain advantages, so as we perform the many exercises in this chapter we'll discuss both GUI and command-line procedures to accomplish each task. You'll notice that we focus primarily on the GUI, since this will likely be your tool of choice in your day-to-day operations (not to mention on the 70-296 exam!).
Managing and Maintaining an Active Directory Infrastructure • Chapter 3

Using a Graphical User Interface

The most common means of administering your Active Directory infrastructure is through the built-in GUI utilities that are added during the Active Directory installation process (dcpromo.exe). The Microsoft Management Console (MMC) centralizes the graphical tools that you will use to administer your Active Directory installation, as well as most other Windows Server 2003 components, into a single management console that can be run from an administrative workstation or from the server itself. As in Windows 2000, the MMC provides a common interface and presentation for Microsoft utilities as well as an increasing number of third-party management tools. You'll use a number of snap-ins to the MMC to manage your Windows Server 2003 Active Directory implementation.

The greatest advantage of using the GUI utilities to administer your network is simplicity: Microsoft has distilled the most common tasks into an easy-to-follow wizard format, in which you are prompted for information at each step. Trust relationships, a major component of this chapter, are managed using the Active Directory Domains and Trusts tool. This console is located in the Administrative Tools folder on your domain controller, or you can load the administrative tools onto your local workstation. Administration of Active Directory objects such as users, groups, and OUs can be accomplished with the Active Directory Users and Computers tool, and tasks associated with the physical layout of your Active Directory infrastructure can be completed using the Active Directory Sites and Services tool. In addition to the built-in utilities discussed here, there are any number of free and commercial GUI tools available from the Microsoft Web site and from third-party vendors. Figures 3.1 through 3.3 illustrate each of the built-in tools we've just mentioned; we discuss these extensively throughout this chapter and the rest of the book.

[Figure 3.1: Active Directory Domains and Trusts]
[Figure 3.2: Active Directory Sites and Services]
[Figure 3.3: Active Directory Users and Computers]

Using the Command Line

For more granular control of administrative functions, you should consider using Microsoft's array of utilities that you can run from the command-line interface (CLI) to manage your Windows Server 2003 environment. You can choose from preinstalled utilities included in the Windows operating system as well as additional tools that you can install from the ~\Support\Tools folder of the server source media. Command-line utilities can help streamline the administrative process in cases where you find yourself issuing the same command or making the same configuration change on a regular basis. As we discuss in the "Using Scripting" section that follows, CLI utilities can be integrated into batch files, logon scripts, and other automated scripting functions to speed the administrative process. Some command-line utilities also have no equivalent within the GUI environment, such as the CSVDE utility, which lets you import information from a comma-separated values (.CSV) text file directly into the Active Directory database. If you have large amounts of information to enter into Active Directory, the command-line utilities discussed here can make your administrative tasks far more efficient.

Defining Commands

In Table 3.1, we've included a partial list of the command-line utilities available to Windows Server 2003 administrators. You can find a complete listing on the Microsoft Developer Network site at http://msdn.microsoft.com. You can see the syntax and optional parameters of most of these commands by typing utility /? at the Windows command prompt; for example, the ntdsutil /?
command lists all possible parameters for the ntdsutil utility.

Table 3.1 Windows Server 2003 Command-Line Utilities

Utility    Description
CSVDE      Allows information to be imported to and exported from Active Directory using a CSV format.
DSADD      Creates users, groups, computers, contacts, and OUs within the Active Directory database.
DSMOD      Modifies the attributes of an existing object within Active Directory. DSMOD can modify users, groups, computers, servers, contacts, and OUs.
DSRM       Deletes objects from Active Directory.
DSMOVE     Working from a single domain controller, DSMOVE either renames an object without moving it or moves it from its current location in the directory to a new location within the Active Directory tree. (To move objects between domains, you'll need to use the Movetree command-line tool.)
DSQUERY    Allows you to find a list of objects in Active Directory using specified criteria. You can use this utility to search for computers, contacts, subnets, groups, OUs, sites, servers, and user objects.
DSGET      Displays specific attributes of object types within Active Directory. You can view attributes of any of the following object types: computers, contacts, subnets, groups, OUs, servers, sites, and users.
LDIFDE     Creates, modifies, and deletes directory objects. You can also use LDIFDE to extend the Active Directory schema, export user and group information to other applications or services, and populate Active Directory with data from other directory services.
NETDOM     Installed from the ~\Support\Tools directory on the Windows Server 2003 CD, this tool is used primarily for creating, verifying, and removing trust relationships on a Windows network. You'll see this tool mentioned several times in the "Managing Trusts" section of this chapter.
NTDSUTIL   This is the "Swiss Army knife" of Active Directory management tools. Among other things, ntdsutil can perform database maintenance of Active Directory, manage the single-master operations (FSMO) roles, and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.

Using Scripting

You can extend the usefulness of Windows Server 2003 command-line utilities even further by including them in various scripting utilities. The applications that you can use to apply scripting to your network administration tools are virtually endless, but two of the more readily available are Windows Script Host (WSH) and the Active Directory Service Interfaces (ADSI). ADSI provides an interface for most common scripting languages to query for and manipulate directory service objects, allowing you to automate such tasks as creating users and resetting passwords. Just like individual command-line utilities, scripting allows you to increase the efficiency of your administrative tasks even further by automating processes that would otherwise be tedious and time-consuming. For example, a university administrator might create a batch file to automatically create new user accounts for each semester's batch of incoming students, which would prove much more efficient than manually entering each object's information into the MMC GUI. The flexibility of the command-line utilities allows you to integrate them into any number of scripting applications, including VBScript, Perl, and Windows logon scripts. These scripts can be launched manually, scheduled to run at regular intervals, or integrated into a Web or intranet application to be run on demand; for example, by a user needing to reset her password. Although an in-depth discussion of Windows scripting is beyond the scope of this book, you can find a wide variety of information and reference material on the MSDN site at http://msdn.microsoft.com.
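The university scenario just described, scripted with the dsadd and dsquery tools from Table 3.1. This is an added example and not code from the book; it assumes the airplanes.com domain from this chapter, a hypothetical target OU and group DN, a constructed three-row roster in place of the registrar's export, and a workstation with PowerShell 2.0 or later plus the Windows Server 2003 Administration Tools Pack (dsadd.exe, dsquery.exe). It validates each record before it touches the directory, generates a one-time password from the CSPRNG, and skips accounts that already exist.

```powershell
# Added example, not from the book: bulk-create one semester's student accounts.
# Assumptions: domain airplanes.com (from the chapter); the OU and group DNs
# are hypothetical; dsadd.exe/dsquery.exe from the Admin Tools Pack are in PATH.
# Run under an account delegated "Create user objects" on the OU, not Domain Admins.

$TargetOU  = "OU=Fall2003,OU=Students,DC=airplanes,DC=com"   # hypothetical OU
$GroupDN   = "CN=Students,OU=Groups,DC=airplanes,DC=com"     # hypothetical group
$UpnSuffix = "airplanes.com"
$DryRun    = $true   # set to $false on a test domain to create the accounts for real

# Constructed sample roster; in practice this is the registrar's CSV export.
$Roster = @"
StudentId,First,Last
s10001,Amelia,Earhart
s10002,Bessie,Coleman
s10003,Wiley,Post
"@ | ConvertFrom-Csv

function New-InitialPassword {
    # One-time password from the CSPRNG (not Get-Random); the user must change
    # it at first logon. Loop until it satisfies the default complexity policy.
    $alphabet = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*"
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    do {
        $bytes = New-Object byte[] 14
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    } until ($pw -cmatch "[A-Z]" -and $pw -cmatch "[a-z]" -and $pw -match "[0-9]")
    return $pw
}

function Test-StudentRecord($Student) {
    # Reject input that could alter the DN or the command line instead of trying
    # to escape it: sAMAccountName is at most 20 characters, and the RDN-special
    # characters , + " \ < > ; = # are not accepted in names.
    if ($Student.StudentId -notmatch '^[A-Za-z0-9]{1,20}$') { return $false }
    if (($Student.First + $Student.Last) -match '[,+"\\<>;=#]') { return $false }
    return $true
}

function Test-AccountExists($SamId) {
    # dsquery prints the matching sAMAccountName (or nothing) under the OU.
    $out = & dsquery.exe user $TargetOU -samid $SamId -o samid 2>$null
    return (($out | Out-String) -match [regex]::Escape($SamId))
}

function Add-StudentAccount($Student) {
    $samId = $Student.StudentId
    $dn    = "CN=$($Student.First) $($Student.Last) ($samId),$TargetOU"
    $pw    = New-InitialPassword
    $dsaddArgs = @("user", $dn,
        "-samid", $samId, "-upn", "$samId@$UpnSuffix",
        "-fn", $Student.First, "-ln", $Student.Last,
        "-display", "$($Student.First) $($Student.Last)",
        "-pwd", $pw, "-mustchpwd", "yes", "-disabled", "no",
        "-memberof", $GroupDN)
    if ($DryRun) {
        # Never echo the password, even in a dry run.
        $shown = $dsaddArgs -replace [regex]::Escape($pw), "<password>"
        Write-Host ("dsadd " + ($shown -join " "))
        return $null
    }
    # Caveat: -pwd places the password on the command line, where process-creation
    # auditing can record it. That is why it is a one-time, must-change value.
    & dsadd.exe @dsaddArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "dsadd failed for $samId (exit code $LASTEXITCODE)" }
    return New-Object PSObject -Property @{ SamId = $samId; InitialPassword = $pw }
}

$handoff = @()
foreach ($s in $Roster) {
    if (-not (Test-StudentRecord $s)) { Write-Warning "skipping malformed record: $($s.StudentId)"; continue }
    if (-not $DryRun -and (Test-AccountExists $s.StudentId)) { Write-Host "exists, skipping: $($s.StudentId)"; continue }
    $result = Add-StudentAccount $s
    if ($result) { $handoff += $result }
}
# $handoff holds the one-time passwords. Deliver them to the registrar out of
# band and then clear the variable; do not write them to a log file or a share.
Write-Host "$($handoff.Count) account(s) created"
```

With $DryRun left at $true the script only prints the dsadd command lines (password redacted), which is the form to review before running it against a test domain. The same validation applies if you swap dsadd for a CSVDE import file: CSVDE cannot set passwords, so accounts it creates arrive disabled and still need a dsmod user -pwd -disabled no pass afterwards.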
Managing Forests and Domains (Exam 70-296 objectives 7.1, 7.1.1, 7.1.2, 7.1.3)

As an MCSE, you'll be expected to have the skills necessary to manage forests and domains within your Active Directory infrastructure. You'll need to be familiar with performing such familiar tasks as creating new forests, domains, and child domains, as well as with the new functionality offered by Windows Server 2003. In this section we cover the tasks associated with managing Active Directory at the domain and forest levels.

Managing Domains (Exam 70-296 objective 7.1)

Active Directory domains are the cornerstone of a well-formed Active Directory implementation; they provide the most common framework for managing your Active Directory environment. You'll perform some of the tasks described in this section only when your network environment changes; for example, creating a new domain tree or a child domain after creating a new department or merging with another company. Other tasks, including creating and managing organizational units, managing domain controllers, and assigning and managing permissions on Active Directory objects, will be a part of your daily life. The following pages detail the steps necessary to perform a wide array of domain management functions. Knowing how to perform these tasks will help you not only on the 70-296 exam but also in the real world of network administration.

Remember from your Windows 2000 studies that Active Directory domains are used to organize objects within Windows Server 2003, whereas Active Directory sites map to the physical layout of your network infrastructure. You can have a single domain that includes multiple sites, or you can have a single site that contains many domains. Domains allow you to manage your Active Directory environment in the way that best meets your needs without locking you into matching your administrative layout to your company's physical structure. Windows Server 2003 domains can contain any combination of Active Directory objects, including servers, OUs, users, groups, and other resources. Windows Server 2003 computers can function as standalone servers that house shared resources as well as domain controllers that handle user authentication and authorization functions.

Creating a New Child Domain

Active Directory is designed to remain flexible enough to meet the changing and growing needs of a company's organizational structure. For example, let's say that you administer the airplanes.com Active Directory domain. As the company has grown, the board of directors has decided to subdivide the production team into two halves, fixed-wing.airplanes.com and biplanes.airplanes.com, both of which will ultimately report to the main airplanes.com management office. As the IT manager, you decide to create a child domain for each production subdivision. This will allow you to subdivide network resources between the two new divisions as well as delegate IT management functions for each child domain while still maintaining overall administrative authority on the airplanes.com network. Your new domain structure will resemble the one shown in Figure 3.4. Exercise 3.01 goes through the steps needed to create a new child domain.

[Figure 3.4: Parent and Child Domains. The parent domain airplanes.com has two child domains, fixed-wing.airplanes.com and biplanes.airplanes.com.]

TEST DAY TIP
When you create a child domain, a two-way transitive trust is automatically created between the parent and child domains. Remember the transitive property from your high school mathematics class: if A equals B and B equals C, A must therefore equal C. It works the same way in a trust relationship: if Domain A trusts Domain B and Domain B trusts Domain C, Domain A automatically trusts Domain C. (This is
different from the Windows NT 4.0 trust environment, in which you would have needed to manually create another trust between Domain A and Domain C.)

EXERCISE 3.01
Creating a Child Domain

1. From a Windows Server 2003 machine, click Start | Run, then type dcpromo to launch the Active Directory Installation Wizard.
2. If the Operating System Compatibility page appears, read the information presented and click Next.
3. On the Domain Controller Type screen, shown in Figure 3.5, select Domain controller for a new domain. Click Next to continue.

[Figure 3.5: Creating a Domain Controller]

4. On the Create New Domain page, select Child domain in an existing domain tree, and then click Next.
5. The next screen, shown in Figure 3.6, prompts you for the username, password, and domain of the user account with the necessary rights to create a child domain. Enter the appropriate information and click Next.

[Figure 3.6: Creating a Child Domain]

EXAM WARNING
In order to create a child domain in a Windows Server 2003 network, you must be a member of the Enterprise Admins group. The Enterprise Admins group exists only in the forest root domain; by default, members of this group have administrative authority over every domain within a Windows Server 2003 forest. Treat membership in it as the most sensitive privilege in the forest and remove accounts from it once the promotion is done.

6. On the Child Domain Installation screen, verify the name of the parent domain and enter the new child domain name, in this case fixed-wing.airplanes.com. Click Next to continue.
7. The NetBIOS Domain Name page, shown in Figure 3.7, will suggest a default NetBIOS name that down-level clients will use to connect to this domain. Accept the suggested default or type in a NetBIOS domain name of your choosing, then click Next.
8. On the Database and Log Folders screen, shown in Figure 3.8, enter the location in which you want to install the database and log folders, or click Browse to navigate to the location using Windows
Explorer. Click Next when you're ready to continue.

[Figure 3.7: Specifying the NetBIOS Domain Name]
[Figure 3.8: Database and Log Folder Locations]

9. From the Shared System Volume page, type or browse to the location where you want to install the SYSVOL folder and then click Next.
10. The DNS Registration Diagnostics screen will prompt you to verify that the computer's DNS configuration settings are accurate. Click Next to move to the next step.
11. From the Permissions screen, select one of the following options:
   • Select Permissions compatible with pre-Windows 2000 server operating systems if your network still contains Windows NT 4.0 domain controllers. Be aware that this choice adds Everyone and Anonymous Logon to the Pre-Windows 2000 Compatible Access group, which lets unauthenticated clients read user and group attributes from the domain; choose it only for as long as those down-level systems remain.
   • Choose Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems if your domain controllers are running exclusively Windows 2000 or later.
12. The Directory Services Restore Mode Administrator Password screen will prompt you to enter the password that you want to use if you ever need to start the computer in Directory Services Restore Mode. Click Next when you've entered and confirmed the password.
13. Review the Summary page. If you are satisfied with your selections, click Next to begin the Active Directory installation. The installation will take several minutes and will require you to reboot the machine when it has finished. This server will be the first domain controller in the new child domain.

EXAM WARNING
Windows Server 2003 Web Edition cannot run Active Directory. It can participate on a Windows network as a member server only. Your Windows Server 2003 domain controller must be running Standard Edition, Enterprise Edition, or Datacenter Edition.

Managing a Different Domain

If you have administrative rights to multiple Windows Server
2003 domains, you can manage all of them from a single desktop. For example, if you are the administrator for the airplanes.com domain, you can perform administrative functions for the fixed-wing.airplanes.com domain to cover for someone who is on vacation or on sick leave. You can also use the steps described in this section to manage any Windows 2000 domains that still exist within your Active Directory forest.

To manage a different domain in Active Directory Users and Computers, for example, right-click the current domain name and click Connect to Domain. You'll see the dialog box shown in Figure 3.9, where you can specify a new domain name and optionally set it as the default domain for the current console. You can use this functionality to create customized management consoles that will allow you to quickly access all the Windows Server 2003 domains that you administer.

[Figure 3.9: Connect to Domain]
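The unattended equivalent of Exercise 3.01, as an added example that is not from the book: it writes a [DCInstall] answer file and hands it to dcpromo to make the local server the first domain controller of fixed-wing.airplanes.com. The key names are the ones documented for the [DCInstall] section of the Windows Server 2003 unattended-setup reference (ref.chm in Deploy.cab on the product CD); confirm them against that reference before use. The file path, the folder locations, and the credential account name are assumptions for illustration. The script also does what step 10 of the wizard does (checks that the parent domain's DC locator record resolves), restricts the answer file to Administrators because it carries both the promotion credentials and the Directory Services Restore Mode password in clear text, and sets AllowAnonymousAccess=No, which is the "Windows 2000 or later" permissions choice from step 11.

```powershell
# Added example, not from the book: unattended child-domain promotion.
# Assumptions: parent domain airplanes.com (from the chapter); file path,
# folder locations and account name are hypothetical. Run on the server to be
# promoted, in an elevated PowerShell session.

$AnswerFile   = "C:\dcpromo-child.txt"   # hypothetical; local disk, removed after use
$ParentDomain = "airplanes.com"
$ChildName    = "fixed-wing"
$NetbiosName  = "FIXED-WING"

# Preflight for wizard step 10: the parent's DC locator SRV record must resolve
# from this server, or the promotion fails late and leaves a half-configured DC.
$srvName = "_ldap._tcp.dc._msdcs.$ParentDomain"
$srv = & nslookup.exe -type=SRV $srvName 2>$null | Out-String
if ($srv -notmatch [regex]::Escape($srvName)) {
    throw "No SRV records found for $srvName; fix the DNS client settings first"
}

# Step 5: the account must be in Enterprise Admins (forest root). Prompt rather
# than hard-code, but both secrets still land in the answer file in clear text,
# which is why its ACL is tightened below and the file is deleted afterwards.
$cred = Get-Credential "AIRPLANES\Administrator"      # hypothetical account
$net  = $cred.GetNetworkCredential()
$dsrm = Read-Host "Directory Services Restore Mode password (step 12)"

$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Child
ParentDomainDNSName=$ParentDomain
ChildName=$ChildName
DomainNetbiosName=$NetbiosName
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
AutoConfigDNS=Yes
AllowAnonymousAccess=No
SafeModeAdminPassword=$dsrm
UserName=$($net.UserName)
UserDomain=$ParentDomain
Password=$($net.Password)
RebootOnSuccess=Yes
"@
# AllowAnonymousAccess=No is the "Windows 2000 or later" option of step 11. Yes
# would add Everyone and Anonymous Logon to Pre-Windows 2000 Compatible Access,
# letting unauthenticated clients read user and group attributes.

Set-Content -Path $AnswerFile -Value $answer -Encoding ASCII

# Stop inheritance and leave only the local Administrators group on the file.
$acl = Get-Acl -Path $AnswerFile
$acl.SetAccessRuleProtection($true, $false)
foreach ($existing in @($acl.Access)) { [void]$acl.RemoveAccessRule($existing) }
$adminRule = New-Object System.Security.AccessControl.FileSystemAccessRule("BUILTIN\Administrators", "FullControl", "Allow")
$acl.AddAccessRule($adminRule)
Set-Acl -Path $AnswerFile -AclObject $acl

# Wizard steps 3 through 13 in one command; the server reboots on success.
# After the reboot, remove the file:  Remove-Item $AnswerFile -Force
& dcpromo.exe /answer:$AnswerFile
```

Because the server restarts as soon as dcpromo succeeds, the cleanup cannot run from the same script; make deleting the answer file the first thing you do after logging back on, and then take the promotion account out of Enterprise Admins if it was added only for this task.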

Posted: 13/08/2014, 15:20
