Document information
Pages: 85
Size: 1.08 MB

Contents
Chapter 3 • Managing and Maintaining an Active Directory Infrastructure (www.syngress.com; 272_70-296_03.qxd, 9/26/03)

Removing a Domain

In a number of situations you might need to remove an Active Directory domain: you might be restructuring your Active Directory environment, or reorganizing departments or locations within your company's business structure. The process of removing a domain is relatively straightforward; however, there are several considerations to keep in mind before you do so. First and most obvious, removing an Active Directory domain permanently destroys every user, group, and computer account stored in that domain. Additionally, if you are removing the last domain in a forest, removing the domain also deletes the entire forest. If you are certain that you are ready to remove a domain, remember the following points:

■ If the domain in question has any child domains, it cannot be deleted. You must delete all child domains first; if you attempt to delete a domain that still has a child domain, the procedure described in this section will fail.

■ In a multidomain environment, make certain that no domain controller in the domain being removed holds the Domain Naming Master or Schema Master role. These are forest-wide operations master roles (see "Understanding Operations Masters" later in this section) that exist on exactly one machine in each forest. If a controller in the domain holds one of them, you must use ntdsutil to transfer the role to a domain controller in another domain before continuing; otherwise the rest of your Windows Server 2003 forest is left without that role.

Follow this procedure on every domain controller in the domain you want to remove, demoting the additional domain controllers first and the final one last:

1. Click Start | Run, type dcpromo, and press Enter. Click Next on the opening screen of the Active Directory Installation Wizard.

2. On the Remove Active Directory screen shown in Figure 3.10, leave the check box clear on every domain controller except the final one. On the last domain controller only, place a check mark next to This server is the last domain controller in the domain; this is what actually removes the domain. Click Next to continue.

3. Follow the prompts until the wizard begins the removal process. The process takes several minutes, after which you'll be prompted to reboot.

Figure 3.9 Connecting to a Different Domain

Figure 3.10 Removing Active Directory

Deleting Extinct Domain Metadata

If one of your Windows Server 2003 domain controllers suffers a catastrophic failure and you are unable to remove it from the domain gracefully, use the following steps to delete the Active Directory metadata associated with that domain controller. Metadata here refers to the objects in Active Directory that describe each domain controller: its server object and NTDS Settings object in the Sites container, the replication connections that reference it, and its computer account. If a DC fails before you can demote it, this configuration information remains in the Active Directory database. Stale entries of this kind cause replication errors and troubleshooting headaches, because the surviving domain controllers keep trying to replicate with a partner that no longer exists, until they are removed. Only follow these steps for a domain controller that could not be cleanly decommissioned; never delete the metadata of a domain controller that is still functioning on your Windows Server 2003 network. Run the cleanup with an account that is a member of Domain Admins in that domain (or Enterprise Admins).

To delete the metadata associated with a failed Active Directory controller, use the ntdsutil command-line utility:

1. Click Start | Programs | Accessories | Command Prompt.

2. Type ntdsutil and press Enter. You'll see the following prompt:
   ntdsutil:

3. At the ntdsutil prompt, type metadata cleanup and press Enter. You'll see the following:
   metadata cleanup:

4. From this prompt, type connections and press Enter to go to the connection prompt (ntdsutil accepts any unambiguous abbreviation, so connection also works):
   server connections:

5. Type connect to server Server, where Server is the name of a functioning domain controller in the domain. Press Enter, then type quit to return to the metadata cleanup prompt:
   metadata cleanup:

6. At the metadata cleanup prompt, type select operation target and press Enter to go to the associated prompt:
   select operation target:

7. From select operation target, type list sites and press Enter. You'll see a list of available sites, each with a number next to it.

8. Type select site SiteNumber, where SiteNumber is the number next to the site that contained the failed controller.

9. Still at the select operation target prompt, type list domains in site, then select domain DomainNumber, using the number of the appropriate domain from the list of domains in the site you selected.

10. Type list servers in site, note the number of the server whose metadata you want to remove, then type select server ServerNumber and press Enter.

11. Once you have selected the site, domain, and server, type quit to return to the following prompt:
    metadata cleanup:

12. Type remove selected server and press Enter, and confirm the dialog box that appears to begin the metadata cleanup.

On the original release of Windows Server 2003, ntdsutil does not remove everything: after the cleanup, also delete the failed controller's computer account from the Domain Controllers OU, its File Replication Service member object, and its DNS records (the host A record, the CNAME in the _msdcs zone, and its SRV records), or other domain controllers and clients will keep trying to locate it.

Raising the Domain Functional Level

You probably recall that in Windows 2000 you could configure your Active Directory domains in either mixed mode or native mode. Mixed-mode operation provided backward compatibility for any remaining NT 4.0 BDCs still existing on your network.
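The two procedures above have preconditions that are easy to get wrong by hand: a domain cannot be removed while it has child domains or hosts a forest-wide role, and metadata must never be deleted for a controller that is merely unreachable for a while or that still holds an operations master role. The following PowerShell is an added example, not code from the book (which predates PowerShell). It assumes the RSAT ActiveDirectory module is installed and that at least one domain controller can answer it (Windows Server 2008 R2 or later, or a Windows Server 2003 DC with the Active Directory Management Gateway Service), and it uses the remove selected server <DN> form of ntdsutil that arrived with Windows Server 2003 Service Pack 1; on the original release, run the numbered select steps above interactively instead. The names corp.example.com, dc1 and DC2 are placeholders.

```powershell
# Added example (not from the book): pre-flight checks for domain removal and a guarded,
# non-interactive ntdsutil metadata cleanup.  Assumes the RSAT ActiveDirectory module and the
# "remove selected server <DN>" form of ntdsutil (Windows Server 2003 SP1 and later).
Import-Module ActiveDirectory

function Test-DomainRemovalPreconditions {
    # Returns the reasons the domain cannot be removed yet; an empty list means go ahead.
    param([Parameter(Mandatory)][string]$DomainDnsName)
    $domain  = Get-ADDomain -Identity $DomainDnsName
    $forest  = Get-ADForest -Identity $domain.Forest
    $domDcs  = @($domain.ReplicaDirectoryServers) + @($domain.ReadOnlyReplicaDirectoryServers)
    $reasons = @()
    if ($domain.ChildDomains.Count -gt 0) {
        $reasons += "child domains must be removed first: $($domain.ChildDomains -join ', ')"
    }
    # The two forest-wide roles must live on a DC outside the domain being removed.
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster') {
        if ($domDcs -contains $forest.$role) {
            $reasons += "$role is held by $($forest.$role); transfer it to a DC in another domain first"
        }
    }
    return $reasons
}

function Remove-FailedDcMetadata {
    # Deletes the server object (and its NTDS Settings) of a DC that died before it could be demoted.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$FailedDcName,   # short name of the dead DC, e.g. DC2
        [Parameter(Mandatory)][string]$LiveDc          # FQDN of a healthy DC in the same domain
    )
    # 1. A controller that still answers must be demoted with dcpromo, never cleaned up.
    if (Test-Connection -ComputerName $FailedDcName -Count 2 -Quiet) {
        throw "$FailedDcName still responds; demote it with dcpromo instead of deleting its metadata"
    }
    # 2. Any operations master role it held must be seized before its metadata goes
    #    (see "Responding to Operations Master Failures"); otherwise the role is orphaned.
    $forest  = Get-ADForest -Server $LiveDc
    $domain  = Get-ADDomain -Server $LiveDc
    $holders = @($forest.SchemaMaster, $forest.DomainNamingMaster,
                 $domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster)
    $stillHeld = @($holders | Where-Object { $_ -like "$FailedDcName.*" })
    if ($stillHeld.Count -gt 0) {
        throw "$FailedDcName still holds an operations master role; seize it first"
    }
    # 3. Locate the server object under the Sites container of the configuration partition.
    $configDn = (Get-ADRootDSE -Server $LiveDc).configurationNamingContext
    $server   = Get-ADObject -Server $LiveDc -SearchBase "CN=Sites,$configDn" `
                    -LDAPFilter "(&(objectClass=server)(cn=$FailedDcName))"
    if (-not $server) { throw "no server object named $FailedDcName under CN=Sites,$configDn" }
    # 4. The same menu path as the manual steps above, passed as arguments so nothing is typed by hand.
    if ($PSCmdlet.ShouldProcess($server.DistinguishedName, 'ntdsutil metadata cleanup')) {
        & ntdsutil.exe 'metadata cleanup' 'connections' "connect to server $LiveDc" 'quit' `
            "remove selected server $($server.DistinguishedName)" 'quit' 'quit'
        if ($LASTEXITCODE -ne 0) { throw "ntdsutil exited with code $LASTEXITCODE" }
    }
}

# Usage (placeholder names):
# Test-DomainRemovalPreconditions -DomainDnsName 'child.corp.example.com'
# Remove-FailedDcMetadata -FailedDcName 'DC2' -LiveDc 'dc1.corp.example.com' -WhatIf
```

Run Remove-FailedDcMetadata with -WhatIf first to see the distinguished name it has resolved; ntdsutil still shows its own confirmation dialog box before it deletes anything, and on the original release of Windows Server 2003 the manual clean-up of the computer account, FRS member object, and DNS records described above is still needed afterwards.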
Mixed-mode domains could contain Windows NT 4.0 BDCs but could not use advanced Windows 2000 features such as universal security groups, group nesting, and security ID (SID) history. Switching the domain to native mode made those functions available. Windows Server 2003 takes this concept of domain functionality a step further, offering four domain functional levels with differing feature sets, depending on your network environment. The four domain functional levels in the new release of Windows Server are as follows:

■ Windows 2000 mixed
■ Windows 2000 native
■ Windows Server 2003 interim
■ Windows Server 2003

The default domain functional level is still Windows 2000 mixed, to give you time to upgrade your domain controllers from Windows NT 4.0 and Windows 2000 to Windows Server 2003. Just as in the previous release, raising the functional level makes advanced domainwide Active Directory features available. And just as NT 4.0 controllers could not use the features of Windows 2000 native mode, Windows 2000 domain controllers cannot participate in the features provided by the Windows Server 2003 domain and forest functional levels. Table 3.2 lists the four levels of domain functionality available in Windows Server 2003 and the types of domain controllers each one supports.

Table 3.2 Domain Functional Levels within Windows Server 2003

Domain Functional Level         Domain Controllers Supported
Windows 2000 mixed (default)    Windows Server 2003 family, Windows 2000, Windows NT 4.0
Windows 2000 native             Windows Server 2003 family, Windows 2000
Windows Server 2003 interim     Windows Server 2003 family, Windows NT 4.0
Windows Server 2003             Windows Server 2003 family

TEST DAY TIP
The Windows Server 2003 interim domain functional level is a special level that is available only when you upgrade a Windows NT 4.0 PDC to become the first domain controller in a new Windows Server 2003 domain. It admits NT 4.0 BDCs but not Windows 2000 domain controllers.

When you raise the domain functional level of your Windows Server 2003 domain, new administrative and security features become available. As with setting Windows 2000 to mixed or native mode, raising the domain functional level is a one-way operation; it cannot be undone. Therefore, if you still have domain controllers running Windows NT 4.0, do not raise the domain functional level to Windows 2000 native, and if you have not finished migrating your Windows 2000 domain controllers to Windows Server 2003, leave the domain functional level below Windows Server 2003. Check every domain controller before you raise the level: the Raise Domain Functional Level dialog refuses to proceed while it can see Windows 2000 domain controllers in the domain, but it cannot see NT 4.0 BDCs (they have no server object in Active Directory Sites and Services), and those simply stop receiving updates from the PDC emulator once the domain is native.

To raise the functional level of your Windows Server 2003 domain, use the steps that follow:

1. Open Active Directory Domains and Trusts.

2. Right-click the domain that you want to manage and select Raise Domain Functional Level. On the screen shown in Figure 3.11, you'll see the current functional level of your domain as well as the following two options:
   ■ To raise the domain functional level to Windows 2000 native, select Windows 2000 native and then click Raise.
   ■ To raise it to Windows Server 2003, select Windows Server 2003 and then click Raise to complete the operation.
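Because the raise cannot be undone, the check worth scripting is the one the dialog cannot do: enumerate every domain controller account in the domain, including any NT 4.0 BDC, and compare its operating system against the target level from Table 3.2. The following PowerShell is an added example, not from the book. It assumes the RSAT ActiveDirectory module and a domain controller able to answer it; it finds BDCs through the SERVER_TRUST_ACCOUNT bit (0x2000) of userAccountControl, which every domain controller account of any vintage carries, rather than through Get-ADDomainController, which only lists Active Directory controllers. The domain name corp.example.com is a placeholder.

```powershell
# Added example (not from the book): list every domain controller account, NT 4.0 BDCs
# included, and refuse a one-way Raise Domain Functional Level while any of them is too old.
# Assumes the RSAT ActiveDirectory module; corp.example.com is a placeholder.
Import-Module ActiveDirectory

# Lowest domain controller OS each target level tolerates (Table 3.2).  operatingSystemVersion
# holds "4.0 ..." for NT 4.0, "5.0 (2195)" for Windows 2000 and "5.2 (3790)" for Server 2003.
$MinimumDcVersion = @{
    Windows2000Domain = [version]'5.0'   # Windows 2000 native: no NT 4.0 BDCs
    Windows2003Domain = [version]'5.2'   # Windows Server 2003: no Windows 2000 DCs either
}

function Get-DomainControllerAccounts {
    # userAccountControl bit 0x2000 (SERVER_TRUST_ACCOUNT) marks DC accounts of every vintage.
    param([Parameter(Mandatory)][string]$DomainDnsName)
    Get-ADComputer -Server $DomainDnsName -SearchScope Subtree `
        -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=8192)' `
        -Properties operatingSystem, operatingSystemVersion |
        Select-Object Name, DNSHostName, operatingSystem, operatingSystemVersion
}

function Get-DcsBlockingLevel {
    # Returns the DC accounts whose OS is too old (or unknown) for $TargetMode.
    param(
        [Parameter(Mandatory)][string]$DomainDnsName,
        [Parameter(Mandatory)][ValidateSet('Windows2000Domain', 'Windows2003Domain')][string]$TargetMode
    )
    $minimum = $MinimumDcVersion[$TargetMode]
    foreach ($dc in Get-DomainControllerAccounts -DomainDnsName $DomainDnsName) {
        $major = ($dc.operatingSystemVersion -split ' ')[0]     # "5.2 (3790)" -> "5.2"
        $ver   = $null
        if ([string]::IsNullOrEmpty($major) -or
            (-not [version]::TryParse($major, [ref]$ver)) -or
            ($ver -lt $minimum)) {
            $dc   # an unknown OS counts as blocking: find out what it is before raising
        }
    }
}

function Set-DomainLevelSafely {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$DomainDnsName,
        [Parameter(Mandatory)][ValidateSet('Windows2000Domain', 'Windows2003Domain')][string]$TargetMode
    )
    $blocking = @(Get-DcsBlockingLevel -DomainDnsName $DomainDnsName -TargetMode $TargetMode)
    if ($blocking.Count -gt 0) {
        $blocking | Format-Table -AutoSize | Out-String | Write-Warning
        throw "refusing to raise $DomainDnsName to ${TargetMode}: $($blocking.Count) domain controller(s) are too old"
    }
    $domain = Get-ADDomain -Identity $DomainDnsName
    # The change is written on the PDC emulator and cannot be reversed once it replicates.
    if ($PSCmdlet.ShouldProcess($DomainDnsName, "raise functional level from $($domain.DomainMode) to $TargetMode")) {
        Set-ADDomainMode -Identity $DomainDnsName -DomainMode $TargetMode `
            -Server $domain.PDCEmulator -Confirm:$false
    }
}

# Usage (placeholder domain):
# Get-DomainControllerAccounts -DomainDnsName 'corp.example.com' | Format-Table -AutoSize
# Set-DomainLevelSafely -DomainDnsName 'corp.example.com' -TargetMode Windows2003Domain -WhatIf
```

The Windows Server 2003 interim level is deliberately left out of the ValidateSet: it is chosen during the NT 4.0 PDC upgrade, not raised to afterwards, which matches the two options the Raise Domain Functional Level dialog offers.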
Figure 3.11 Raising the Domain Functional Level

Managing Organizational Units

OUs in Windows Server 2003 work exactly as they did in Windows 2000: they are Active Directory containers that you use to organize resources within a single domain. You can use OUs to organize users, groups, printers, computers, and other objects, as long as they belong to the same domain (an OU cannot contain objects located in another domain). OUs let you delegate administrative control over a specific group of users and resources without granting administrative access to the rest of the objects in the domain. Using OUs this way lets you build a distributed administrative model for your network while minimizing the number of domains you need.

Delegating administration tasks lets you assign a range of responsibilities to specific users and groups while you keep control over domain- and forestwide administrative functions on your network. For example, you can create an OU containing all user and computer accounts in the airplanes.com accounting department and then give a power user in that department the ability to reset passwords for accounting department users only. Another potential use is to let an administrative assistant edit telephone and fax information for the users he supports. If your administrative model is decentralized, delegating control lets users take more responsibility for their local network resources.

Delegation of authority also improves the security of your network by minimizing the number of accounts you must add to the powerful Domain Admins and Enterprise Admins groups: a delegate who can only reset passwords in one OU does far less damage if the account is compromised than a full domain administrator would. You can delegate a wide range of tasks within Windows Server 2003, including the following:

■ Create, delete, and manage user accounts
■ Reset user passwords
■ Create, delete, and manage groups
■ Read user account information
■ Modify group memberships
■ View and edit Group Policy information

Two habits keep delegation from eroding that benefit. Delegate to groups rather than to individual users, so that a change of staff is a group-membership change rather than an ACL change. And remember that the Delegation of Control Wizard only ever adds permissions; it cannot show or remove what earlier runs granted, so review the OU's Security tab (described in the next section) periodically and remove grants that are no longer needed.

In Exercise 3.02 we create a new OU within a Windows Server 2003 domain and then delegate the ability to manage user accounts to a user within the OU.

EXERCISE 3.02
CREATING AN ORGANIZATIONAL UNIT AND DELEGATING CONTROL TO A LOCAL ADMINISTRATOR

1. Open Active Directory Users and Computers.

2. Right-click the domain, then select New | Organizational Unit. Enter a descriptive name for the OU and click OK.

3. In the MMC console, right-click the OU that you just created. (Press F5 to refresh the console if you don't see the new OU listed.)

4. Click Delegate Control to start the Delegation of Control Wizard.

5. Click Next to bypass the introduction screen.

6. On the Users or Groups screen, click Add to specify the users or groups that should receive the administrative rights you are about to select for this OU. Click Next when you're ready to continue.

7. On the Tasks to Delegate screen, shown in Figure 3.12, you can either select one or more preconfigured tasks to delegate or create a custom task. In this example, we delegate the ability to create, delete, and manage user accounts. Make the appropriate selection and click Next to continue.

8. On the Summary screen, review the selections you've made and click Finish to complete the delegation process.
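What the wizard writes in Exercise 3.02 is a set of access control entries on the OU, the same entries you can add, inspect, or remove by hand from the Security tab described in the next section. The following PowerShell is an added example, not from the book, covering both: it grants the wizard's "Reset user passwords and force password change at next logon" task directly on the OU's ACL, lists the explicit delegations the OU has accumulated, and revokes everything granted to one group, which is the part the wizard cannot do. It assumes the RSAT ActiveDirectory module (whose AD: drive is what Get-Acl and Set-Acl operate on) and uses the well-known schema GUIDs of the user class, the Reset Password control-access right, and the pwdLastSet attribute; the OU and group names are placeholders.

```powershell
# Added example (not from the book): the wizard's "reset passwords" delegation written as ACEs
# on the OU, plus the review and removal the wizard does not offer.  Assumes the RSAT
# ActiveDirectory module; the OU and group names below are placeholders.
Import-Module ActiveDirectory

# Well-known schema GUIDs used in the ACEs below.
$UserClassGuid     = [guid]'bf967aba-0de6-11d0-a285-00aa003049e2'   # objectClass "user"
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'   # control-access right "Reset Password"
$PwdLastSetGuid    = [guid]'bf967a0a-0de6-11d0-a285-00aa003049e2'   # attribute pwdLastSet

function Grant-ResetPasswordOnOu {
    # Same grant as the wizard task "Reset user passwords and force password change at next
    # logon": the Reset Password right plus read/write of pwdLastSet, inherited by user objects only.
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$GroupSam)
    $sid     = (Get-ADGroup -Identity $GroupSam).SID
    $acl     = Get-Acl -Path "AD:\$OuDn"
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow
    $onUsers = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight, $allow,
        $ResetPasswordGuid, $onUsers, $UserClassGuid))
    $acl.AddAccessRule([System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid, ([System.DirectoryServices.ActiveDirectoryRights]::ReadProperty -bor
               [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty), $allow,
        $PwdLastSetGuid, $onUsers, $UserClassGuid))
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-OuDelegations {
    # Explicit (non-inherited) ACEs on the OU.  This is the list to review: every run of the
    # Delegation of Control Wizard adds entries here and none of them ever expire.
    param([Parameter(Mandatory)][string]$OuDn)
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { -not $_.IsInherited } |
        Select-Object IdentityReference, AccessControlType, ActiveDirectoryRights,
                      ObjectType, InheritedObjectType, InheritanceType
}

function Revoke-OuDelegation {
    # Removes every explicit ACE for one principal, which is what Remove on the Security tab does.
    param([Parameter(Mandatory)][string]$OuDn, [Parameter(Mandatory)][string]$GroupSam)
    $sid = (Get-ADGroup -Identity $GroupSam).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.Access |
        Where-Object { -not $_.IsInherited -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid.Value } |
        ForEach-Object { [void]$acl.RemoveAccessRuleSpecific($_) }
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

# Usage (placeholder names):
# Grant-ResetPasswordOnOu -OuDn 'OU=Accounting,DC=airplanes,DC=com' -GroupSam 'Accounting-Helpdesk'
# Get-OuDelegations      -OuDn 'OU=Accounting,DC=airplanes,DC=com' | Format-Table -AutoSize
# Revoke-OuDelegation    -OuDn 'OU=Accounting,DC=airplanes,DC=com' -GroupSam 'Accounting-Helpdesk'
```

Get-OuDelegations is the one to run on a schedule: ObjectType tells you which right or attribute each entry covers (an empty GUID means the whole object), and any entry whose IdentityReference you no longer recognize is a grant somebody once made with the wizard and forgot.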
Figure 3.12 Using the Delegation of Control Wizard

Assigning, Changing, or Removing Permissions on Active Directory Objects or Attributes

Your life as an administrator becomes much simpler when you assign permissions to groups or OUs rather than to individual objects. For example, if Andrew from the marketing department needs to manage the printers in his department, you can set the necessary permissions on each printer in the Marketing OU or on the Marketing OU itself. In the former case you must set Andrew's permissions by hand every time a printer is added to the Marketing OU. If you instead give Andrew rights at the OU level, any new printer object created in the Marketing OU inherits the same rights as the existing printers.

Along with the Delegation of Control Wizard discussed in the previous section, you can manually assign permissions to any object within the Active Directory database, including users, groups, printers, and OUs. You assign these permissions from Active Directory Users and Computers, as shown in the following steps:

1. Open Active Directory Users and Computers. Within the console window, click View | Advanced Features; without this setting, the Security property page of Active Directory objects is hidden.

2. Right-click the object to which you want to assign permissions (in this case, the Human Resources OU), click Properties, and select the Security tab. You'll see the screen shown in Figure 3.13.

3. Click Add to create a new entry in the object's access control list (ACL), or select an existing entry and click Remove to delete it. Select the user or group that you want to grant permissions to, then click OK.

4. Grant or deny any of the basic permissions listed in the bottom half of Figure 3.13, or click Advanced, select the user or group whose permissions you want to modify, and click Edit for the full list of assignable permissions. The advanced view is where you choose per-attribute and per-object-class entries and the scope they apply to (this object only, or child objects of a given class), which is what keeps a delegate from acquiring more than the task requires.

5. Click OK when you're done. Repeat Steps 3 and 4 for each additional user or group to which you want to assign permissions.

Figure 3.13 Assigning Permissions to Active Directory Objects

Managing Domain Controllers

Windows Server 2003 introduces a simplified way to rename a domain controller when your network's organizational or business needs change. This functionality is available only when the domain functional level is Windows Server 2003, and it is designed so that clients suffer no interruption in their ability to authenticate against the renamed domain controller or to locate resources hosted on it. When you rename a domain controller, its new name is updated in Active Directory and registered with the dynamically updatable DNS servers on your network.

The time this propagation takes depends on the specific configuration of your network; replication over a WAN link is significantly slower than over a LAN, for example. During replication latency some clients might not be able to reach the newly renamed domain controller, but this should not block authentication, since other domain controllers should be available.

Renaming a Domain Controller

To rename a domain controller on your Windows Server 2003 network, use the following steps:

1. Open a command prompt.

2. Type netdom computername CurrentComputerName /add:NewComputerName. This registers NewComputerName as an alternate name of the computer account and in DNS while the controller keeps answering to its current name.

3. Ensure that the computer account updates and DNS registrations have completed and replicated to the other domain controllers, then type netdom computername CurrentComputerName /makeprimary:NewComputerName.

4. Restart the computer.

5. From the command prompt, type netdom computername NewComputerName /remove:OldComputerName, where OldComputerName is the CurrentComputerName from Steps 2 and 3.

EXAM WARNING
Both NewComputerName and OldComputerName must be in FQDN format, such as controller2.airplanes.com rather than just controller2.

Understanding Operations Masters

Windows Server 2003, like its predecessor, uses multimaster replication to share directory data among all domain controllers in the domain, so all domain controllers within a domain are essentially peers; the concepts of the PDC and the BDC are gone. However, some domain and forest changes must be performed on a single machine to keep the Active Directory database consistent. As an administrator, you designate a single domain controller, called an operations master, to perform each of these changes. The number and description of operations masters in a Windows Server 2003 domain are identical to those under Windows 2000. Each Windows Server 2003 forest must contain exactly one of each of the following:

■ The schema master, which controls all updates and modifications to the Windows Server 2003 Active Directory schema

■ The domain naming master, which controls the addition and removal of domains within a Windows Server 2003 forest

Likewise, each Windows Server 2003 domain must contain exactly one of each of the following operations masters:

■ The relative ID (RID) master allocates a sequence of unique relative IDs to each domain controller so that objects (such as users, groups, and computers) are created with unique SIDs. The RID master also assists with the movement of these types of objects between domains.
■ The primary domain controller (PDC) emulator master provides logon services to any down-level Windows clients, mimicking the role of an NT 4.0 PDC. If any NT 4.0 BDCs remain on the network, the PDC emulator replicates directory information to them as well. It also receives every password change from the other domain controllers ahead of normal replication, and it is the domain controller on which Group Policy is edited by default.

■ The infrastructure master updates references to objects in other domains within the forest, such as the names of users from another domain that are members of a local group. Unless every domain controller in the domain is also a global catalog server, do not place this role on a global catalog: a global catalog already holds a copy of every object, so the infrastructure master running on it never notices an outdated cross-domain reference and stops updating them.

Responding to Operations Master Failures

If a Windows Server 2003 domain controller that holds an operations master role suffers a hardware or software failure, you have the option of forcibly seizing the role and assigning it to another domain controller. In most cases this is a drastic step that should not be taken when the cause of the failure is a simple network or hardware issue that can be resolved in a relatively short time. This section discusses the potential impact of seizing the various operations roles.

The following operations master roles should not be seized unless you are completely unable to return the original holder of the role to the Windows network:

■ Schema master
■ RID master
■ Domain naming master

A temporary loss of any of these three roles does not affect your users or the availability of your network under most circumstances. (If the schema master has failed, you cannot install a new application that needs to extend the schema, for example; if the RID master is down, domain controllers keep creating accounts from the pools of RIDs already allocated to them and fail only once those pools are exhausted.) A domain controller whose schema master, RID master, or domain naming master role has been seized must never be brought back online. It must be reformatted and reinstalled before it returns to the network, because it still believes it holds the role: a returning RID master hands out RID pools that overlap those issued by its successor, producing duplicate SIDs, and a returning schema or domain naming master accepts changes that conflict with those made through the new holder. If that happens you would be forced to restore the entire Active Directory structure from backup rather than simply rebuild a single server.

[...]
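The rename procedure above has one step that is pure judgement, "ensure that the computer account updates and DNS registrations are completed", and one rule, the FQDN requirement in the Exam Warning, that netdom enforces only by failing. The following PowerShell is an added example, not from the book: it checks that the alternate name from /add has appeared on the computer account (msDS-AdditionalDnsHostName and the HOST/ service principal name that netdom registers) and in DNS before it runs /makeprimary, polling a domain controller of your choice so that you can test against a DC in another site. It assumes the RSAT ActiveDirectory module, Resolve-DnsName (Windows 8 and Windows Server 2012 or later), and netdom.exe on the path; controller2.airplanes.com and dc2.airplanes.com are placeholders in the book's naming.

```powershell
# Added example (not from the book): the netdom rename sequence with the checks the text asks
# for between /add and /makeprimary, and the FQDN rule enforced up front.  Assumes the RSAT
# ActiveDirectory module, Resolve-DnsName and netdom.exe; host names are placeholders.
Import-Module ActiveDirectory

function Assert-Fqdn {
    param([Parameter(Mandatory)][string]$Name)
    if ($Name -notmatch '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$') { throw "'$Name' is not a fully qualified name" }
}

function Test-DcRenameReady {
    # After "netdom computername OLD /add:NEW": has NEW replicated into the computer account
    # (alternate name plus HOST/ SPN) as seen from $Server, and is it registered in DNS?
    # Pass a DC in another site as $Server to confirm replication over the slow link.
    param(
        [Parameter(Mandatory)][string]$CurrentFqdn,
        [Parameter(Mandatory)][string]$NewFqdn,
        [string]$Server = $CurrentFqdn
    )
    Assert-Fqdn $CurrentFqdn; Assert-Fqdn $NewFqdn
    $account = Get-ADComputer -Identity $CurrentFqdn.Split('.')[0] -Server $Server `
                   -Properties msDS-AdditionalDnsHostName, servicePrincipalName
    $altName = [bool]($account.'msDS-AdditionalDnsHostName' | Where-Object { $_ -ieq $NewFqdn })
    $hostSpn = [bool]($account.servicePrincipalName | Where-Object { $_ -ieq "HOST/$NewFqdn" })
    $dnsA    = [bool](Resolve-DnsName -Name $NewFqdn -Type A -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        AlternateNameInAD = $altName
        HostSpnInAD       = $hostSpn
        DnsARecord        = $dnsA
        Ready             = ($altName -and $hostSpn -and $dnsA)
    }
}

function Rename-DomainControllerSafely {
    # Steps 1 to 3 of the procedure.  The restart and the final /remove are left to the operator
    # because they run after the reboot, under the new name.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$CurrentFqdn,
        [Parameter(Mandatory)][string]$NewFqdn,
        [string]$CheckAgainst = $CurrentFqdn,   # DC to poll for the replicated account
        [int]$WaitMinutes = 30                  # replication over a WAN link can take this long
    )
    Assert-Fqdn $CurrentFqdn; Assert-Fqdn $NewFqdn
    if (-not $PSCmdlet.ShouldProcess($CurrentFqdn, "rename to $NewFqdn")) { return }
    & netdom.exe computername $CurrentFqdn /add:$NewFqdn
    if ($LASTEXITCODE -ne 0) { throw "netdom /add failed with exit code $LASTEXITCODE" }
    $deadline = (Get-Date).AddMinutes($WaitMinutes)
    do {
        $state = Test-DcRenameReady -CurrentFqdn $CurrentFqdn -NewFqdn $NewFqdn -Server $CheckAgainst
        if ($state.Ready) { break }
        Start-Sleep -Seconds 60
    } while ((Get-Date) -lt $deadline)
    if (-not $state.Ready) { throw "new name not yet replicated/registered: $($state | Out-String)" }
    & netdom.exe computername $CurrentFqdn /makeprimary:$NewFqdn
    if ($LASTEXITCODE -ne 0) { throw "netdom /makeprimary failed with exit code $LASTEXITCODE" }
    Write-Warning "Restart $CurrentFqdn now, then run: netdom computername $NewFqdn /remove:$CurrentFqdn"
}

# Usage (placeholder names):
# Rename-DomainControllerSafely -CurrentFqdn 'controller2.airplanes.com' -NewFqdn 'dc2.airplanes.com' `
#     -CheckAgainst 'controller1.airplanes.com' -WhatIf
```

If Test-DcRenameReady keeps reporting AlternateNameInAD as false from the remote DC while it is true locally, the problem is replication latency, not the rename; wait rather than forcing /makeprimary, since clients in that site would otherwise be handed a name they cannot yet resolve.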
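The decision this section describes, transfer when the holder is reachable and seize only when it is gone for good, is worth encoding so that nobody seizes a role out of habit. The following PowerShell is an added example, not from the book: it reads the current role holders, tries a graceful transfer whenever every current holder still answers, and otherwise seizes the roles after an explicit confirmation that names the dead controller and repeats the rule that it must be rebuilt before it returns. It assumes the RSAT ActiveDirectory module, whose Move-ADDirectoryServerOperationMasterRole performs a transfer by default and a seizure with -Force; dc1.corp.example.com is a placeholder.

```powershell
# Added example (not from the book): transfer an operations master role when the holder is
# reachable, seize it only when it is not, and report which happened.  Assumes the RSAT
# ActiveDirectory module; the DC names are placeholders.
Import-Module ActiveDirectory

function Get-OperationsMasters {
    # Current role holders as seen from $Server: forest roles from the forest object,
    # domain roles from the domain object.
    param([Parameter(Mandatory)][string]$Server)
    $forest = Get-ADForest -Server $Server
    $domain = Get-ADDomain -Server $Server
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-OperationsMasterRole {
    # Returns 'transferred' or 'seized'.  A seized schema, RID or domain naming master means the
    # old holder must be reformatted and reinstalled before it touches the network again.
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory)][string]$TargetDc,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster', 'DomainNamingMaster', 'RIDMaster', 'PDCEmulator', 'InfrastructureMaster')]
        [string[]]$Role
    )
    $holders   = Get-OperationsMasters -Server $TargetDc
    $current   = @($Role | ForEach-Object { $holders[$_] } | Sort-Object -Unique)
    $reachable = @($current | Where-Object { Test-Connection -ComputerName $_ -Count 2 -Quiet })
    if ($reachable.Count -eq $current.Count) {
        # Graceful path: the current holder signs the role over, so nothing is orphaned and it
        # may stay online afterwards.
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Confirm:$false
        return 'transferred'
    }
    $dead = @($current | Where-Object { $_ -notin $reachable })
    $msg  = "SEIZE $($Role -join ', ') from unreachable $($dead -join ', '); that DC must be reformatted before it returns"
    if ($PSCmdlet.ShouldProcess($TargetDc, $msg)) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole $Role -Force -Confirm:$false
        return 'seized'
    }
}

# Usage (placeholder names).  Verify with Get-OperationsMasters afterwards, then delete the dead
# controller's metadata with ntdsutil as described under "Deleting Extinct Domain Metadata".
# Move-OperationsMasterRole -TargetDc 'dc1.corp.example.com' -Role SchemaMaster, DomainNamingMaster -WhatIf
# Get-OperationsMasters -Server 'dc1.corp.example.com'
```

A ping is only a first filter: a controller that answers ICMP but whose directory service is stopped will make the transfer fail, and that failure is the right outcome, because it means the operator has to look at the machine before choosing to seize.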