MCSE Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure (Part 5)


Chapter 4: Working with Forests and Domains
(Syngress, www.syngress.com; source file 256_70-294_04.qxd, 9/4/03)

Table 4.6 Required Authorization Levels for Each Step of the Domain Rename Procedure

Step  Task                                                   Tool(s)
1     Back up all DCs                                        Backup, or third-party application
2     Set up the control station                             Copy, and Windows Server 2003 Support Tools setup
3     Generate the current forest description                rendom /list
4     Specify the new forest description                     rendom /showforest, and Notepad or other plain-text editor
5     Generate domain rename instructions                    rendom /upload
6     Push domain rename instructions to all DCs             dsquery, repadmin
      and verify DNS readiness
7     Verify readiness of DCs                                rendom /prepare
8     Execute domain rename instructions                     rendom /execute
9     Unfreeze the forest configuration                      rendom /end
10    Re-establish external trusts                           Active Directory Domains and Trusts, or netdom
11    Fix Distributed File System (DFS) topology             DFS (MMC snap-in), or dfsutil
12    Fix GPOs and links                                     gpfixup, and repadmin

The authorization levels the table distinguishes for each step are: Enterprise Administrator; Domain Administrator on the local domain; Domain Administrator on a different domain; Local Administrator on the control machine; and, for the backup step, Backup Operator.

Domain Rename Conditions and Effects

The domain rename procedure is complex, requires a great deal of care in planning and execution, and should always be tested in a lab environment before being performed on an operational forest. The time required for a complete domain rename operation varies; the level of effort is directly proportional to the number of domains, DCs, and member computers.

NOTE
There is a good reason for caution. Read this entire procedure before attempting any part of it, including the pre- and post-procedure steps. You might find limitations that preclude the procedure altogether on your network. Consult Microsoft documentation, read TechNet articles, and search for patches, hotfixes, and service packs that can affect domain renaming and forest restructuring. Every attempt is made in this chapter to address all pertinent topics and concerns, but issues and conflicts continue to be exposed over time. Search Microsoft.com for new "Q" articles detailing conditions that might have an effect on this procedure. Most importantly, consider hiring a consultant who has recently and successfully performed a domain rename operation.

Before undertaking a domain rename operation, you must fully understand the following conditions and effects. They are inherent in the process and must be dealt with or accommodated:

- Each DC requires individual attention. Some changes are not replicated throughout Active Directory. This does not mean that every DC requires a physical visit; headless (remote) management can greatly reduce the level of effort required, depending on the size and structure of the domain and the number of sites it contains.
- The entire forest will be out of service for a short period. Close coordination is required with remote sites, especially those in other time zones. During this time, DCs perform directory database updates and reboot. As with other portions of the procedure, the time involved is proportional to the number of DCs affected.
- Any DC that is unreachable or fails to complete the rename process must be removed from the forest before you can declare the procedure complete.
- Each client workstation requires individual attention. After all DCs have updated and rebooted, each client running Windows 2000 or Windows XP must be rebooted twice to fully adapt to the renamed domain. Windows NT workstations must be disjoined from the old domain name and rejoined to the new one, a manual process that requires a reboot of its own.
- The DNS host names of your DCs are not changed automatically by the domain rename process. To make them reflect the new domain name, you must perform the domain controller rename procedure
on each DC. Having the host name of a DC decoupled from its domain name does not affect forest service, but the discrepancy will be confusing until you change the names.
- The DNS suffix of client workstations and member servers is updated automatically by the domain rename process, but not all computers will match the DNS name of the domain immediately. As with most portions of this process, the time required is proportional to the number of hosts in the domain.

Domain Rename Preliminary Steps

The prerequisites for the domain rename operation are not trivial. The preparation phase ensures that they are in place. Complete all of the preliminary steps in this section before beginning the rename procedure; if these prerequisites are not met, the domain rename cannot succeed.

Setting Windows Server 2003 Forest Functionality

The first step in preparing for a domain rename is to ensure that all DCs are running some edition of Windows Server 2003. This is a prerequisite for raising the forest to the Windows Server 2003 functional level, which is itself a preparatory step: domain rename requires that level. See the section Raising the Functional Level of a Domain and Forest for additional information on functional levels.

Creating Shortcut Trust Relationships

Interaction between domains in your forest is based on the trusts established among them. The Active Directory Installation Wizard creates most of these trusts automatically during domain creation. Through the manual creation of shortcut trusts, you can preserve that interaction after the domains are renamed. This step is necessary only if the forest structure will change as a result of manipulating the namespace. If you are renaming a domain in place without changing its relationship to other domains in the forest, this step is not needed. Refer to the trust-creation procedures in the chapter Working with Trusts and Organizational Units.

Pre-Creating a Parent-Child Trust Relationship

While repositioning domains, the necessary shortcut trust relationships must be created between the domain you want to reposition and its new parent domain. These pre-created trust relationships substitute for the parent-child trust relationships that would otherwise be missing in the restructured forest. For example, suppose you want to restructure the Zoo.net forest shown in Figure 4.46 so that the Cat.fish.zoo.net domain becomes a child of the Zoo.net domain. You must create two one-way, transitive shortcut trust relationships between Cat.fish.zoo.net and Zoo.net before you can rename the child domain Cat.fish.zoo.net to the child domain Catfish.zoo.net. Together, these two shortcut trusts pre-create the two-way parent-child trust relationship required between parent and child after the rename. Figure 4.46 shows the before structure and Figure 4.47 the after structure, illustrating the shortcut trusts needed for the new structure.

Figure 4.46 Pre-Creating a Parent-Child Trust Relationship Before the Forest Restructure (root domain zoo.net; child domain fish.zoo.net; its child domains Cat.fish.zoo.net, Guppy.fish.zoo.net, and Angel.fish.zoo.net; two one-way shortcut trusts between Cat.fish.zoo.net and zoo.net)

Figure 4.47 Parent and Child Trust After the Forest Restructure (root domain zoo.net with child domains Catfish.zoo.net and fish.zoo.net; fish.zoo.net keeps its child domains Guppy.fish.zoo.net and Angel.fish.zoo.net; parent-child trust between zoo.net and Catfish.zoo.net)

Pre-Creating Multiple Parent-Child Trust Relationships

If you need to restructure a domain that is both a child domain and a parent domain, you must create shortcut trust relationships in two places. For example, suppose you want to restructure the Zoo.net forest shown in Figure 4.48 so that the Striped.angel.fish.zoo.net domain becomes a direct child of Fish.zoo.net, and the Angel.fish.zoo.net domain becomes a child of Catfish.net. This restructure operation calls for four shortcut trusts, which become the two parent-child trust relationships of the new forest. Figure 4.48 shows the before structure and Figure 4.49 the after structure, illustrating the needed shortcut trusts.

Figure 4.48 Pre-Creating Multiple Parent-Child Trust Relationships Before the Forest Restructure (root domain zoo.net; tree-root trust to Catfish.net; child domain fish.zoo.net; its child domain Angel.fish.zoo.net; its child domain Striped.Angel.fish.zoo.net)

Figure 4.49 Multiple Parent and Child Trusts After the Forest Restructure (root domain zoo.net; tree-root trust to Catfish.net; child domain Fish.zoo.net; renamed domains StripedAngel.fish.zoo.net, a child of Fish.zoo.net, and Striped.catfish.net, a child of Catfish.net, each joined to its parent by a parent-child trust)

Pre-Creating a Tree-Root Trust Relationship with the Forest Root Domain

When you restructure a domain to become a new tree root, you must pre-create two one-way, transitive trust relationships with the forest root domain. For example, suppose you have a three-level-deep tree and you want to shorten it by creating a new tree. This moves the lowest domain to become a new tree-root domain. Figure 4.50 shows the two one-way shortcut trusts you create, and Figure 4.51 shows the tree-root trust relationship after the restructuring: StripedAngel.fish.zoo.net becomes the tree-root domain Angelfish.net.

Figure 4.50 Pre-Creating a Tree-Root Trust Relationship Before the Forest Restructure (root domain Zoo.net; tree-root trust to Catfish.net; child domain Fish.zoo.net; its child domain StripedAngel.fish.zoo.net; shortcut trusts between StripedAngel.fish.zoo.net and Zoo.net)

Figure 4.51 Tree-Root Trust Relationship After the Forest Restructure (root domain Zoo.net; tree-root trusts to Catfish.net and to the new tree-root domain Angelfish.net; parent-child trust between Zoo.net and Fish.zoo.net)
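The rename run summarized in Table 4.6, together with the shortcut-trust pre-creation described above and the DNS zone and member-computer readiness checks covered in the following sections, as one added PowerShell example. This script is not from the book; it wraps the same command-line tools the chapter names (netdom, dnscmd, dsquery, repadmin, rendom, gpfixup), which must be installed on the control station along with PowerShell. The forest (zoo.net, with cat.fish.zoo.net renamed to catfish.zoo.net as in Figure 4.46), the DC, DNS server and workstation names, and the working directory are assumptions for illustration.

```powershell
# Added example (not from the book): a control-station wrapper for the domain
# rename steps in Table 4.6, using the rename from Figure 4.46. All names below
# are assumptions; netdom, dnscmd, dsquery, repadmin, rendom and gpfixup must be
# on the PATH. Run as a member of Enterprise Admins, after a full DC backup
# (step 1 of the table), and only after testing the whole run in a lab.

$ErrorActionPreference = 'Stop'
$ForestRoot = 'zoo.net'                # assumed forest root
$OldDns     = 'cat.fish.zoo.net'       # assumed domain being renamed
$NewDns     = 'catfish.zoo.net'        # assumed new DNS name
$DnsServer  = 'dc1.zoo.net'            # assumed DNS server hosting the zones
$OldDomainDc = 'dc1.cat.fish.zoo.net'  # assumed DC; DC host names do not change with the rename
$Work       = 'C:\Rendom'              # assumed working directory for Domainlist.xml / Dclist.xml

# Run an external tool and stop on a non-zero exit code, so a failed step
# never lets the script fall through to rendom /execute.
function Invoke-Step {
    param([string]$Description, [string]$Command, [string[]]$Arguments)
    Write-Host "==> $Description"
    & $Command @Arguments
    if ($LASTEXITCODE -ne 0) {
        throw "'$Command $($Arguments -join ' ')' failed with exit code $LASTEXITCODE"
    }
}

# Returns $true when a member computer will follow the rename: the two
# conditions from Exercises 4.18 and 4.19 (SyncDomainWithMembership is 1 and
# no Primary DNS Suffix policy value is present). Needs the Remote Registry
# service on the target.
function Test-MemberSuffixReady {
    param([string]$ComputerName)
    $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    try {
        $tcp  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Services\Tcpip\Parameters')
        $sync = $tcp.GetValue('SyncDomainWithMembership', 1)   # absent means default (1)
        $pol  = $hklm.OpenSubKey('SOFTWARE\Policies\Microsoft\System\DNSClient')
        $policySuffix = if ($pol) { $pol.GetValue('PrimaryDnsSuffix', $null) } else { $null }
        return ($sync -eq 1) -and [string]::IsNullOrEmpty($policySuffix)
    } finally {
        $hklm.Close()
    }
}

# Pre-create the two one-way shortcut trusts of Figure 4.46. Each netdom call
# makes the first domain trust the second, so running it in both directions
# yields the pair that stands in for the parent-child trust after the rename.
Invoke-Step "Shortcut trust: $OldDns trusts $ForestRoot" netdom @('trust', $OldDns, "/domain:$ForestRoot", '/add')
Invoke-Step "Shortcut trust: $ForestRoot trusts $OldDns" netdom @('trust', $ForestRoot, "/domain:$OldDns", '/add')
Invoke-Step 'Verify shortcut trust'                      netdom @('trust', $OldDns, "/domain:$ForestRoot", '/verify')

# Create the AD-integrated forward lookup zone for the new name and allow only
# secure dynamic updates (AllowUpdate 2), so only the DCs themselves can
# register the SRV records that the DC locator depends on.
Invoke-Step "Create zone $NewDns"      dnscmd @($DnsServer, '/ZoneAdd', $NewDns, '/DsPrimary')
Invoke-Step "Secure updates on $NewDns" dnscmd @($DnsServer, '/Config', $NewDns, '/AllowUpdate', '2')

# Spot-check a representative member computer (assumed name) before going on.
if (-not (Test-MemberSuffixReady -ComputerName 'ws01.cat.fish.zoo.net')) {
    throw 'Member computer will not follow the rename; fix its DNS suffix settings first'
}

# Steps 3-5: describe the current forest, rewrite the DNS name in the
# description, review it, and upload the rename instructions.
New-Item -ItemType Directory -Path $Work -Force | Out-Null
Set-Location $Work
Invoke-Step 'Generate current forest description' rendom @('/list')
(Get-Content .\Domainlist.xml) -replace "<DNSname>$OldDns</DNSname>", "<DNSname>$NewDns</DNSname>" |
    Set-Content .\Domainlist.xml
Invoke-Step 'Show edited forest description'     rendom @('/showforest')
Invoke-Step 'Upload rename instructions'         rendom @('/upload')

# Step 6: replicate the instructions from the domain naming master to every DC.
$namingMaster = (dsquery server -forest -hasfsmo name -o rdn) -replace '"', ''
Invoke-Step "Push instructions from $namingMaster" repadmin @('/syncall', '/d', '/e', '/P', '/q', $namingMaster)

# Steps 7-9: verify every DC, execute (every DC reboots), then unfreeze the forest.
Invoke-Step 'Verify DC readiness'                rendom @('/prepare')
Invoke-Step 'Execute rename (DCs will reboot)'   rendom @('/execute')
Read-Host 'Press Enter once every DC has rebooted and is reachable again' | Out-Null
Invoke-Step 'Unfreeze forest configuration'      rendom @('/end')

# Step 12: rewrite GPO links and SYSVOL paths that still carry the old name.
Invoke-Step 'Fix GPOs and links' gpfixup @("/olddns:$OldDns", "/newdns:$NewDns", "/dc:$OldDomainDc")
```

The script deliberately leaves out steps 10 and 11 of the table (external trusts and DFS), which depend on what the forest trusts and where its DFS roots are. The readiness check reads the same two registry locations the exercises have you inspect by hand, and the wrapper stops at the first failing tool so that a DC that did not prepare successfully is dealt with before rendom /execute is ever reached.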
Preparing DNS

Any time a client requires access to Active Directory, it invokes an internal mechanism called the DC locator to find DCs through DNS. The locator uses SRV records for this; if no SRV records are found in DNS, the access fails. To prevent this failure, before renaming an Active Directory domain you must ensure that the appropriate zones exist for the forest and for each domain under its new name. After you create the DNS zones for the new domain name, your DCs populate each zone through dynamic update; this is one of the reasons for the reboot after the rename script executes. Configure the zones to allow only secure dynamic updates, as a matter of good security practice: a zone that accepts unsecured updates lets any host on the network overwrite the SRV records that clients use to locate DCs. Repeat the zone creation for each domain you plan to rename.

Everything needed to support your existing Active Directory domain must be recreated to support the domain after renaming. Usually, this is accomplished by mirroring your current DNS infrastructure. For example, say you want to rename an existing domain called Labs.dog.com to Retrievers.dog.com. If the zone containing your current SRV resource records is called Labs.dog.com, you need to create a new DNS zone called Retrievers.dog.com.

To analyze and prepare DNS zones for domain rename, first compile a list of the DNS zones you need to create. Second, create the forward lookup zones using the DNS tool and configure them to allow dynamic updates. The section Configuring DNS Servers for Use with Active Directory gives more detailed information.

Head of the Class... What Happens to My Distributed File System When I Rename My Domain?

First, those of you who are not using DFS should think seriously about it. DFS allows you to redirect specific folders such as My Documents to a high-availability network location where each user's files can be backed up and protected. Folder Redirection is a Group Policy extension that lets you define a mapping between network servers or DFS roots and the local folders you want to redirect.

What happens to DFS when you rename a domain depends entirely on how you have it configured. Think about it: if you use a domain-based DFS path like \\domainName\DFSRoot, what happens to the path when domainName goes away? It goes dead, and everyone's documents disappear or become inaccessible. As far as the users know, all of their data is gone. Your telephone will start ringing early the next morning, guaranteed.

What does it depend on, and how can you keep your telephone from ringing? If your Folder Redirection policy specifies the NetBIOS name of the domain in your domain-based DFS path, and you keep the NetBIOS name of your domain the same instead of changing it along with the DNS name, then you're okay. What if you want to change your NetBIOS name along with your DNS name? You could push out a new Group Policy and move the files to another location. Temporarily, you could point your Folder Redirection to a stand-alone DFS path, or even to a simple server-based share. Do that a couple of days before the rename, just to be sure it works before you shake things up again; you'll be too busy renaming to worry about DFS at that point. Since \\hostName\DFSRoot stays rock solid through a domain rename, your documents should still be available the next morning. When things settle down, restore the user files to your domain-based DFS root and push out the old DFS policy again. That isn't without risk, but it keeps things working.

What about home directories and roaming profiles? Same thing. Look at the path names you specify in your policy to determine whether they'll break when you rename the domain, and fix those beforehand.

Configuring Member Computers for Host Name Changes

Because Active Directory is tightly integrated with DNS, member computers are designed to change their primary DNS suffix automatically when their domain membership changes. A domain rename is treated as a membership change, so the fully qualified DNS host name changes automatically to match. This is the default behavior; you can check for it by following the steps in Exercise 4.18. For example, if you rename an existing domain called Labs.dog.com to Retrievers.dog.com, the full DNS host name of each member computer also changes, from host.Labs.dog.com to host.Retrievers.dog.com, if the default behavior is in effect.

NOTE
Check whether this default behavior has been changed in your domain, because your rename will fail if you are not using the default setting.

The full DNS name, and therefore the primary DNS suffix, of a member computer changes when the domain is renamed only if both of the following conditions are true:

- The primary DNS suffix of the computer is configured to update when domain membership changes. See Exercise 4.18 for instructions on how to check this setting.
- No Group Policy that specifies a primary DNS suffix is applied to the member computer. See Exercise 4.19 for instructions on how to check this setting.

EXERCISE 4.18 USING THE CONTROL PANEL TO CHECK THE PRIMARY DNS SUFFIX CONFIGURATION

1. On a member computer, open the System Control Panel.
2. Click Computer Name | Change.
3. Click More, and verify whether Change primary DNS suffix when domain membership changes is selected (as shown in Figure 4.52). If it is, the computer will automatically adjust to the new primary DNS suffix.
4. Click OK until all dialog boxes are closed.

Figure 4.52 The System Control Panel, General Tab, More Button

Determining Whether Group Policy Controls the Primary DNS Suffix for the Computer

There are a few ways to determine whether Group Policy controls the primary DNS suffix for the computer. Log on to a representative member computer and do one of the following:

- Open a command prompt and type gpresult. Look in the output to see whether Primary DNS Suffix is listed under Applied Group Policy objects.
- Open Active Directory Users and Computers, right-click the computer object you want to check, and click All Tasks | Resultant Set of Policy (Logging).
- Perform the steps in Exercise 4.19. If a value is present in step 4, the primary DNS suffix Group Policy is applied to the computer.

EXERCISE 4.19 USING THE REGISTRY TO CHECK FOR PRIMARY DNS SUFFIX DOMAIN RENAME COMPUTER READINESS

1. Click Start | Run.
2. Type regedit and click OK.
3. Navigate to HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\System\DNSclient.
4. If the key contains a Primary DNS Suffix value (the value written by the Primary DNS Suffix Group Policy setting), the computer will not automatically adjust to the new primary DNS suffix.
5. Navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters.
6. Verify whether the REG_DWORD value SyncDomainWithMembership is 0x1. This value indicates that the primary DNS suffix changes when the domain membership changes. Any other value means that the computer will not automatically adjust to the new primary DNS suffix.

Because the replication effect of member computer names being updated is proportional to the number of computers in the renamed domain, large domains can generate a large amount of traffic. This replication "storm" is a problem only for the largest deployments. If you think the resulting replication traffic might pose a problem to your infrastructure, consult the section entitled Avoiding Replication
Effects of Domain Rename in Large Deployments later in this chapter.

Chapter 5: Working with Trusts and Organizational Units
(source file 256_70-294_05.qxd, 9/4/03; this part resumes at page 396)

... when authenticating users. To optimize access, the network administrator can create an explicit shortcut trust directly to the target domain (see Figure 5.5).

Figure 5.5 Shortcut Trust (two domains in one forest joined by a shortcut trust)

Shortcut trusts are used when user accounts in one domain need regular access to resources in another domain. They can be one-way or two-way. Create a one-way shortcut trust when users in one domain need access to resources in the other domain, but those in the second domain do not need access to resources in the first. Create a two-way shortcut trust when users in both domains need access to resources in the other. The shortcut trust effectively shortens the authentication path, especially when the domains belong to two separate trees in the forest.

Realm Trust

Realm trusts are explicit trusts created to join a Windows Server 2003 domain to a non-Windows Kerberos v5 realm. This gives you the flexibility to interoperate with security services based on other Kerberos v5 implementations, such as those on UNIX. A realm trust can be one-way or two-way, and transitive or non-transitive.

External Trust

An external trust is used when you need a trust between domains outside your forest. These trusts can be one-way or two-way, and they are always non-transitive: you have created an explicit trust between the two domains, and domains outside this trust are not affected. You can create an external trust to access resources in a domain in a different forest that is not already covered by a forest trust (see Figure 5.6).

EXAM WARNING
You will always need to create an external trust when connecting to a Windows NT 4.0 or earlier domain, because these domains cannot participate in Active Directory. These trusts are non-transitive, and from the Windows NT 4.0 side each direction is a separate one-way trust. If you have worked with Windows NT 4.0, you will remember that the only trusts allowed were non-transitive one-way trusts.

Figure 5.6 External Trust (three forests; a transitive two-way trust within a forest, external trusts between domains in different forests, and an external trust to a Windows NT 4.0 domain)

After the trust has been established between a domain in a forest and a domain outside the forest, security principals from the outside domain can access resources in the domain inside the forest. Security principals are the users, groups, computers, or services of the external domain; each is an account holder that is automatically assigned a security identifier (SID), which is used to control access to the resources of the domain. Active Directory in the domain inside the forest then creates foreign security principal objects representing each security principal from the trusted external domain that is given access. You can add these foreign security principals to domain local groups, which means that domain local groups can have members from the trusted external domain; you use these groups to control access to the resources of the domain. The foreign security principals are visible in Active Directory Users and Computers. Because Active Directory creates them automatically, you should not attempt to modify them.

Forest Trust

A forest trust can be created only between the root domains of two forests, and both forests must be at the Windows Server 2003 forest functional level. These trusts can be one-way or two-way. They are considered transitive because the child domains inside each forest can authenticate across the forest trust to access resources in the other forest.

EXAM WARNING
Although the trust relationship is considered transitive, this applies only to the domains within the two forests. The transitivity exists only between the two forests explicitly joined by a forest trust; it does not extend to a third forest unless you create another explicit trust (see Figure 5.4).

Forest trusts help manage the Active Directory infrastructure. They do this by simplifying the management of resources between two forests, reducing the number of external trusts required. Instead of multiple external trusts, a two-way forest trust between the two root domains allows full access between all the affected domains. Additionally, the administrator can take advantage of both the Kerberos and NTLM authentication protocols to transfer authorization data between forests. Forest trusts can provide complete two-way trusts with every domain within the two forests. This is useful if you have created multiple forests to secure data within a forest or to isolate directory replication within each forest.

Creating, Verifying, and Removing Trusts

Trust relationships are created and managed using the Active Directory Domains and Trusts utility in the Administrative Tools menu. To create or manage trusts, you must be a member of the Domain Admins group or the Enterprise Admins group in Active Directory, or have the appropriate authority delegated to you. Most administrators use the RunAs command to manage trusts rather than logging on interactively with an administrative account; this is generally accepted as a security best practice.

EXERCISE 5.01 CREATING A TRANSITIVE, ONE-WAY INCOMING REALM TRUST

1. Open Active Directory Domains and Trusts by clicking Start | Programs | Administrative Tools, and then selecting Active Directory Domains and Trusts.
2. In the console tree, right-click the domain node.
3. Select Properties in the context menu.
4. On the Trusts tab, click the New Trust button.
5. When the New Trust Wizard opens, click Next.
6. On the Trust Name page, enter the target realm's name and click Next.
7. On the Trust Type page, select Realm Trust and click Next (see Figure 5.7).

Figure 5.7 Trust Types

8. On the Transitivity of the Trust page, click Transitive, and then click Next (see Figure 5.8).

Figure 5.8 Transitivity of Trust

9. On the Direction of Trust page, click One-way: incoming, and then click Next (see Figure 5.9).

Figure 5.9 Direction of Trust

10. On the Summary page, review the information, and then click Finish.

The wizard also lets you create non-transitive trusts, two-way realm trusts, and one-way outgoing realm trusts. Alternatively, you can use the netdom command to create a realm trust.

Securing Trusts Using SID Filtering

One security concern with trusts is an elevation of privilege attack by a malicious user who holds administrative credentials in the trusted domain. Because such an administrator controls the accounts in that domain, he can add a spoofed SID, for example the SID of an administrative group in the trusting domain, to the SIDHistory attribute of an account under his control. When that account authenticates across the trust, the spoofed SID would be carried into its access token and grant it the corresponding access to the trusting domain's resources.

The security mechanism Windows Server 2003 uses to counter this attack is SID filtering. SID filtering verifies that an authentication request coming in from the trusted domain contains only SIDs belonging to the trusted domain; it does this by examining the SIDs carried in the SIDHistory attribute of the security principal.

NOTE
Security principal is a term used to describe any account that is automatically assigned a SID. Examples of security principals are users, groups, services, and computers. Part of each security principal's SID is the domain SID, which identifies the domain in which the account was created.

SID filtering uses the domain SID to verify each security principal. If a security principal includes a domain SID other than one from the trusted domain, the SID filtering process removes the SID in question. This protects the integrity of the trusting domain and prevents the malicious user from elevating his own privileges or those of other users.

There are some potential problems associated with SID filtering. A user whose SIDHistory contains SIDs from a domain that is not trusted can be denied access to resources in the trusting domain. This can be a problem when universal groups are used; universal groups should be verified to contain only users that belong to the trusted domain. SID filtering should be disabled only if there is a high level of trust for all administrators in the affected domains, there are strict requirements to verify all universal group memberships, and migrated users must have their SIDHistory preserved. To disable SID filtering, use the netdom command (netdom trust TrustingDomain /domain:TrustedDomain /quarantine:No); /quarantine:Yes re-enables it. Disabling it reintroduces the elevation of privilege exposure described above, so treat it as a temporary migration measure rather than a permanent configuration.

EXAM 70-294 OBJECTIVE 3.3.1, 3.4.3
Working with Organizational Units

An OU is a frequently misunderstood unit inside Active Directory. An OU is simply a container in Active Directory that can contain any of the following:

- Users
- Groups of users
- Printers
- Shared folders
- Computers
- Other OUs

OUs are boundaries for administration and policy, not security principals. Many people confuse an OU with a security group. The key to understanding the difference is understanding what each is designed to accomplish. A security group is used to control access to a resource: permissions on a file, folder, or printer are set on security groups to manage users as they try to access the object. Policies are set on OUs to control what users can see and do on their computers, such as changing their wallpaper, accessing the Control Panel, which applications they can use, or whether they can shut down the computer. Policies can control either users or
computers.

The means by which policies are applied is the Group Policy Object (GPO). GPOs can be applied to sites, domains, and OUs. The OU is the smallest scope to which a GPO can be applied. It is also the last unit to which a GPO is applied, because it is the closest to the security principal (the user account or computer account); this is what gives OU-level policy the final say over users and computers.

Creating OUs inside a domain allows for two different hierarchies: the structure of the domain and its child domains, and the structure of the OU and its child OUs. Together they give you flexibility in how to manage the organization. The concept of placing one OU inside another is called nesting. Although there is no limit on the number of nested OUs, Microsoft recommends that you not exceed 10 levels of nesting.

Understanding the Role of Container Objects

OUs are not security principals. Security principals are user accounts, group accounts, and computer accounts. OUs are containers used to organize Active Directory. The purpose of creating OUs is to give the administrator a container that can be used to implement security policies, run scripts, deploy applications, and delegate authority for granular administrative control.

TEST DAY TIP
Domain local groups and global groups are used to manage users and control access to resources. OUs are created to reflect the organizational structure, to manage security policies, and to delegate authority.

EXAM 70-294 OBJECTIVE 3.4, 3.4.1
Creating and Managing Organizational Units

OUs are created and managed in the Active Directory Users and Computers tool in the Administrative Tools. This tool allows you to add OUs to the domain. After adding an OU, you can delegate control, add members, and move the OU. All of these activities can be accomplished by right-clicking the OU you want to manage and selecting the appropriate action from the context menu. The context menu also gives you options to delete, rename, and open the properties of the OU.

Configuring & Implementing... Configuring and Implementing Organizational Units

Active Directory gives us the potential to create multiple structures to represent our organizations. The goal is to provide enough flexibility to accomplish our tasks in a fashion that makes the most sense. The physical layout of the network is modeled using sites, subnets, and site links; the logical layout of Active Directory uses OUs. Always note the differences between the physical and the logical layouts when designing the structure.

Often, administrators create the OU structure based on the departmental hierarchy. This is not always the best practice. You should create OUs for applying GPOs, for hiding Active Directory objects or part of the Active Directory tree from part of the organization, or for delegating authority. Remember, if you have not clearly defined the purpose of the OU, then you probably shouldn't create it. For each OU that you plan to create, you should be able to document its purpose, a list of the users who will have control over it, and how much control they will have and of what type.

The Properties window of an OU has three tabs:

- General
- Managed By
- Group Policy

The General tab allows you to enter a description of the OU, and its street, city, state/province, zip/postal code, and country/region information.

The Managed By tab allows you to change the user account that manages the OU. When a user account has been selected, the tab displays information about the account, such as office, address, and telephone numbers. This is read from the corresponding section of the information stored about that user account. The Managed By tab has three buttons: Change, View, and Clear. The Change button opens a user selection window so you can choose the account that will manage the OU. The View button opens the user's account Properties window, where you can make any necessary changes to the account. The Clear button removes the user account from the Managed By tab. Note that Managed By is informational only: listing an account there grants it no rights over the OU, and delegating control is a separate step. The Group Policy tab is discussed in the next section.

EXERCISE 5.02 CREATING AN ORGANIZATIONAL UNIT

1. Open Active Directory Users and Computers by clicking Start | Control Panel | Performance and Maintenance | Administrative Tools, and then double-clicking Active Directory Users and Computers.
2. In the console tree, right-click the domain node.
3. Select New in the context menu, and then select Organizational Unit.
4. In the New Organizational Unit window, type the name of the OU. Click OK to create the OU.
5. Right-click the new OU and select Properties from the menu.
6. On the General tab, enter a description to explain the purpose of the OU (see Figure 5.10).

Figure 5.10 OU Properties

7. Click the Managed By tab (see Figure 5.11). Click the Change button. Select a user account to manage the OU from the Users and Groups window.

Figure 5.11 Managed By Properties

8. Click the Group Policy tab (see Figure 5.12). Click the New button to create a new GPO.

Figure 5.12 Group Policy Properties

9. Rename the GPO by typing the new name.
10. Right-click the GPO, and select No Override from the menu. Notice the check mark by the GPO in the No Override column (see Figure 5.13).

Figure 5.13 No Override Option

11. Click the Edit button. In the GPO window, double-click User Configuration | Administrative Templates | Start Menu & Taskbar. Double-click Remove Favorites menu from Start Menu. In the window that opens, click Enabled to remove Favorites from the Start menu.
12. Click the Explain tab. This describes what the impact of your action will be.
13. Click OK to close the Remove Favorites menu from Start Menu window.
14. Close the GPO window.
15. Check the Block Inheritance option.
16. Right-click the GPO and select Disable from the menu.
17. Close all windows.

Applying Group Policy to OUs

One of the fundamental reasons for creating an OU is to apply a GPO to it. After creating the OU, you can create a new GPO or apply an existing one. The Group Policy tab of the OU Properties window is the most important tab of the OU properties; this is where you create, link, and edit the GPOs that affect the OU. The tab has the following buttons:

- New
- Add
- Edit
- Options
- Delete
- Properties

The New button creates a new GPO; when you click it, you supply the name for the new GPO. After the GPO is created, use the Edit button to edit its configuration settings. A GPO is divided into two sets of configuration settings, Computer Configuration and User Configuration, and each is further divided into three categories: Software Settings, Windows Settings, and Administrative Templates. These are the settings you use to control the OU (or any other container to which the GPO is linked).

The Add button creates a Group Policy Object link, which applies an existing GPO to the OU. You can navigate through the domain to locate the existing GPO and link it to the new OU.

The Options button offers two options: No Override and Disabled. Disabled is intuitive; it disables the link, so the GPO is no longer applied at this OU. The No Override option is set on a GPO linked at a parent container (such as a parent OU) to ensure that its settings are not overridden by a GPO linked at a child OU, even when the child has Block Inheritance set. These options can also be reached by right-clicking the GPO and selecting the option from the context
menu www.syngress.com 256_70-294_05.qxd 9/4/03 4:30 PM Page 407 Working with Trusts and Organizational Units • Chapter The Properties button opens the Properties window for the GPO.The Properties window has three tabs: General, Links, and Security.The General tab displays a Summary section and a Disable section.The Summary section displays GPO information such as the date created, date last modified, revision versions, domain name, and the unique name of the GPO.The Disable section allows you to disable either or both sets of configuration settings.You can disable the Computer Configurations Settings and/or the User Configuration Settings Disabling unused parts of the GPO increases performance.The Links tab displays all of the sites, domains, or OUs found that use the GPO It has a Find button to assist you in locating where the GPO has been applied.The Security tab sets the permissions for the GPO The permissions that are set via the Security tab control the level of access that a user or group of users has over the GPO.The levels of permissions are: I Full Control I Read I Write I Create Child Objects I Delete Child Objects I Apply Group Policy The last button is Delete, which is used to delete a GPO At the bottom of the Group Policy tab is the option to Block Inheritance Block Inheritance will block settings from the GPOs that would otherwise be inherited from a parent OU.This gives the child OU the ability to control which settings to accept from the parent OUs However, if the parent has set the No Override and the child sets Block Inheritance, the No Override setting takes precedence TEST DAY TIP The relationship between GPOs and OUs is one that makes for easy test questions Pay particular attention to the effects of the No Override setting and the Block Inheritance setting EXAM 70-294 Delegating Control of OUs Delegation of control over an OU is done to alleviate the tasks of the network administra3.4.2 tors from performing the routine functions of an OU 
Often, a manager or supervisor whose account is in the OU will have a better understanding of the daily tasks associated with the users and computers that belong to the OU, and is thus well positioned to take care of the OU Delegation is a simple process A wizard will walk you through the process The Delegation of Control Wizard is discussed later in the chapter OBJECTIVE www.syngress.com 407 256_70-294_05.qxd 408 9/4/03 4:30 PM Page 408 Chapter • Working with Trusts and Organizational Units After you have decided to whom you want to delegate control, decide on which tasks to delegate.You have the ability to delegate management control over users and groups as well as the Group Policy Links.You can pass control of different activities to different people in the organization Specifically, the levels of delegations are: I Create, delete, and manage user accounts I Reset passwords on user accounts I Read all user information I Create, delete, and manage groups I Modify the membership of a group I Manage Group Policy Links As you can see, delegation can reduce the amount of daily management tasks required by the network administrator TEST DAY TIP The administrative task of delegating control to others is one that is likely to be covered on the exam It is likely to be a straightforward scenario that will ask you to delegate control to another user or group of users Pay attention to the levels of control that can be delegated EXAM 70-294 OBJECTIVE Planning an OU Structure and Strategy for Your Organization 1.5 1.5.1 1.5.2 The OU structure can make your life easier—or it can the opposite If you spent time 3.3 planning the structure and the implementation, the chances improve that your life will 3.3.2 become easier and that you will be able to focus on the many facets of network administration without having to perform daily maintenance on the OUs and user issues such as resetting passwords.Your strategy should include the following: I What OUs to create I What policies 
need to be applied to cover the security requirements of the OU I Who needs to be in charge of the OU (so you can delegate control to that user) As with any structure, you will be faced with many decisions that need to be addressed; for example, whether a domain or OU is more appropriate for a given scenario.When making these decisions, remember to factor in the ease with which growth and changes can be accommodated www.syngress.com 256_70-294_05.qxd 9/4/03 4:30 PM Page 409 Working with Trusts and Organizational Units • Chapter Head of the Class… Domains or Organizational Units One of the challenges that you will face when planning your domain and OU structure is whether to create an OU or create a new domain when you need to split off part of the organization There are some basic guidelines to help you determine which is the appropriate choice for a given scenario You will want to create new domains when the organization is decentralized and uses administrators for each of the sets of users and resources Another reason to create multiple domains is when you need to create a GPO that will require different Password or Account Lockout Policies That’s because account policies can only be applied at the local or domain level, not at the OU level You should create OUs for everything else Specifically, create OUs to reflect the organization’s structure, especially if the organizational structure is likely to change Create OUs so you can delegate control over users, groups, and resources Domains are not easy to modify after they are created, so it is best to create OUs instead of domains, except when you have a specific reason to create separate domains that cannot be satisfied by the creation of OUs EXAM WARNING You might have a question where you will need to apply GPOs to containers that have different Password or Account Lockout Policies requirements Remember that Password and Account Lockout Policies can only be applied to domains Otherwise, you would create OUs for 
the different GPOs Delegation Requirements Delegation of control over an OU is frequently a necessity for many organizations.The delegation allows a local manager or IT staff member to control the OU.To delegate the control, you must be a member of the Enterprise Admins or Domain Admins global groups, or you must have been granted the privilege of delegating control From a security standpoint, when you delegate control, you should first determine the level of control that you want to grant Just because you delegate basic administrative control over the OU does not mean that you fully relinquish control of the OU TEST DAY TIP As you perform Exercise 5.03, pay attention to the levels of authority that you can delegate The exam might ask questions concerning the various levels of control that can be granted www.syngress.com 409 256_70-294_05.qxd 410 9/4/03 4:30 PM Page 410 Chapter • Working with Trusts and Organizational Units EXERCISE 5.03 DELEGATING AUTHORITY Click Start | Programs | Administrative Tools | Active Directory Users and Computers In the console tree, right-click the OU to be delegated Select Delegate Control in the context menu This invokes the Delegation of Control Wizard In the Delegation of Control Wizard, click Next to continue In the User or Groups window, click Add and then select the user who will receive the delegated control Click Add and then click OK Click Next to continue In the Tasks to Delegate window (see Figure 5.14), select the tasks that you want to delegate Click Next to continue Figure 5.14 Delegation Tasks In the Completing Delegation of Control window, review the information and click Finish Security Group Hierarchy One of the issues that will need to be evaluated as you deploy Active Directory is the answer to this question:What is the effective policy that will be applied to a specific user? Because it is www.syngress.com ... 
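As an added illustration of the Block Inheritance and No Override rules described under "Applying Group Policy to OUs", and of the "effective policy" question this last section raises, the following Python model (written here, not code from the book) works out which GPOs reach an object in a domain / OU / child OU chain and in what order. Container and GPO names are made up; it also assumes the standard Windows rule, not stated in this excerpt, that within one container the link at the top of the Group Policy tab is applied last and therefore wins (No Override is the setting later tools call Enforced).

```python
from dataclasses import dataclass, field

@dataclass
class GPOLink:
    name: str                  # GPO display name (constructed)
    no_override: bool = False  # "No Override" set on the link (Enforced in GPMC)
    disabled: bool = False     # link switched off with Options | Disable

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)  # order as shown in the Group Policy tab; top wins
    block_inheritance: bool = False

def effective_gpos(chain):
    """Return GPO names in the order they are applied; the last one applied wins.

    chain runs from the domain down to the container holding the object.
    Block Inheritance drops every normal link inherited so far; No Override
    links ignore the block and are applied after all normal links, with the
    parent's No Override links applied last so they beat the child's.
    """
    normal = []
    for container in chain:                     # domain first, object's OU last
        if container.block_inheritance:
            normal = []                         # inherited normal links are discarded
        for link in reversed(container.links):  # bottom of the tab first, top last
            if not link.disabled and not link.no_override:
                normal.append(link.name)
    enforced = []
    for container in reversed(chain):           # child first, so the parent's win
        for link in reversed(container.links):
            if not link.disabled and link.no_override:
                enforced.append(link.name)
    return normal + enforced

def sales_west_chain(block=True):
    """Constructed scenario: domain -> Sales OU (optionally blocking) -> Sales West OU."""
    domain = Container("corp.example (domain)", [          # hypothetical domain
        GPOLink("Corp Security", no_override=True),        # No Override at the domain
        GPOLink("Default Domain Policy"),
    ])
    sales = Container("Sales", [GPOLink("Sales Desktop")], block_inheritance=block)
    west = Container("Sales West", [GPOLink("West Start Menu")])
    return [domain, sales, west]

if __name__ == "__main__":
    for block in (True, False):
        print("Block Inheritance on Sales =", block, "->", effective_gpos(sales_west_chain(block)))
```

With the block on, "Default Domain Policy" never reaches Sales West, but "Corp Security" still does and is applied last, which is the precedence rule the text describes.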

Date posted: 13/08/2014, 15:20
