
The Best Damn Windows Server 2003 Book Period- P36 pdf


zero in on problem routers, or slow connections on a route. An example of the command pathping destination address is shown in Figure 8.37. It is also possible to use pathping to trace the latency from a different source to the same destination. This provides a means for you to troubleshoot a connection on another machine, from a different client on the network. The command for specifying a different source address is pathping -i <IP address of source> destination address. It can also provide a means for you to monitor a specific set of links in the route, which may reduce the overall time to perform the trace. Pathping command line options are case sensitive.
Network Access Quarantine Control
Internet Authentication Service (IAS), combined with the Remote Authentication Dial-In User Service (RADIUS) protocol and RRAS, provides a new function called Network Access Quarantine Control (NAQC). The primary function of NAQC is not to provide additional security, but to help protect your network from improperly configured clients that access your network using Virtual Private Networking (VPN). A perfect example of using NAQC would be ensuring that a client has the correct version of virus scan software with the latest virus definitions, and also enabling the software if it is currently disabled, all before allowing the client to access any other network resources.
The basic components involve all the services previously listed: RRAS, with the MS Quarantine IPFilter and remote access policies such as MS Quarantine Session Timeout, and RADIUS with IAS. The client components of NAQC are a Connection Manager (CM) profile, which can be distributed with a CM policy from the RRAS servers, and a script using the client component RQC.exe. The remaining server components consist of the resources necessary to provide name resolution, script and file access, and the service component RQS.exe, which is installed on the RRAS server.
Generally, NAQC functions as follows. A client uses a CM profile that has the quarantine policy to connect to an RRAS server with quarantine capabilities, configured with the MS Quarantine IPFilter and MS Quarantine Session Timeout policies. The RRAS server forwards the RADIUS access request to the IAS server, which validates the user credentials and matches the quarantine policy. The IAS server provides a quarantine-restricted access acceptance via RADIUS that allows the client limited access to network resources such as obtaining an IP address, DNS access for name resolution, and the attributes that are part of the quarantine policies. Once the client has an IP address and policies, the client is restricted to accessing resources that match the quarantine filters, and only for the time allotted in the MS Quarantine Session Timeout policy.

Figure 8.37 Results of pathping

316 Chapter 8 • Monitoring and Troubleshooting Network Activity
The script is executed on the client by the CM profile, and is used to verify that the client configuration meets the requirements of the network policies. Once the verification is complete, the script executes rqc.exe with the necessary command line settings, which sends an unencrypted, unauthenticated notification to the rqs.exe service on the RRAS server. The rqs traffic is allowed to pass through the RRAS filters, since it is defined in the RRAS IPFilter settings with the MS Quarantine IPFilter attributes. Rqs then verifies the information and parameters passed from rqc, one of which is the script version passed on the rqc command line. If the client meets the requirements, RRAS gets a notification from rqs that the client is valid, and subsequently RRAS lifts the MS Quarantine IPFilter and MS Quarantine Session Timeout policy restrictions and allows the client normal access to the LAN. Once this process is complete, the rqc component writes a message to the System event log.
Unfortunately, because NAQC requires RRAS and the post-connect script in the CM profile, it cannot be used on the LAN for regular clients. You can, however, implement similar functionality in logon scripts and domain policies, since LAN clients are very likely to be using domain accounts to access the network.
DHCP Issues
DHCP is an easy way to manage IP addressing schemes for larger networks. Some of the items to consider when you implement and use DHCP include:

Lease time

Number of hosts in a scope

Network traffic

Scope options


Topology
When a machine acquires an IP address from a DHCP server, it acquires a lease. The request for the lease is a message called a DHCPREQUEST, which is broadcast by the DHCP client looking for DHCPOFFERs of a lease from a DHCP server. The lease duration for a DHCP address is specified in the scope set on the server and defaults to eight days. At 50 percent of the lease duration, the DHCP client sends a directed request to the DHCP server that issued the lease and requests a renewal of the lease. If no DHCPACK (acknowledgement) is received from the server, the DHCP client waits until 87.5 percent of the lease time and makes a final request to renew the IP address. If no DHCPACK is received at this point, the client waits until the lease has expired and starts the process over. If a DHCP client is unable to receive an IP address lease, it will use an alternate configuration if one is specified. If there is no alternate configuration, the client will use APIPA to start the TCP/IP services and assign itself an address from the APIPA pool (169.254.0.0/16).
To determine the appropriate lease time for your network, consider the following:

Number of hosts  If the number of hosts is close to the number of total IP addresses in your DHCP server’s scope, then the lease should be shorter, about three days. If there are a great deal more IP addresses than hosts, then a longer lease can be assigned.

Mobile users  If you have a small number of mobile users and the client machines do not frequently move from one network to another, then a longer lease duration is recommended; conversely, if you have more mobile users, then a shorter lease is preferred so that IP addresses are released sooner and return to the available pool of addresses.

Unlimited  It is possible to set the lease duration to unlimited, but this presents a challenge if you wish to change the DHCP settings, since this setting requires the client to initiate the DHCPREQUEST.
Because they are broadcast, DHCPREQUEST messages do not cross router boundaries unless the router is capable of forwarding DHCP broadcast messages in compliance with RFC 2131. You can also configure a DHCP Relay Agent to forward the requests to a DHCP server.
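The renewal timeline above (a renewal attempt at 50 percent of the lease, a final attempt at 87.5 percent, expiry, then the alternate configuration or APIPA) as an added worked example. This is not code from the book; the function names are hypothetical, the eight-day default and the 169.254.0.0/16 pool are the values stated in the text, and the sample inputs are constructed. The `is_apipa` check is the one a troubleshooter applies first to a host reporting no connectivity: a 169.254.x.x address means the client never obtained a lease.

```python
"""DHCP lease renewal schedule and APIPA fallback (added example, not the book's code)."""
from ipaddress import IPv4Network, ip_address
from typing import Optional

DEFAULT_LEASE_SECONDS = 8 * 24 * 3600            # eight-day scope default from the text
APIPA_POOL = IPv4Network("169.254.0.0/16")        # pool a client self-assigns from


def lease_schedule(lease_seconds: int = DEFAULT_LEASE_SECONDS) -> dict:
    """Seconds from lease start at which the client acts."""
    return {
        "renew": lease_seconds * 50 // 100,       # directed DHCPREQUEST to the issuing server
        "rebind": lease_seconds * 875 // 1000,    # final renewal attempt
        "expire": lease_seconds,                  # lease over: start the process again
    }


def client_phase(elapsed: int, lease_seconds: int = DEFAULT_LEASE_SECONDS) -> str:
    """Phase of the lease a client is in after `elapsed` seconds without a DHCPACK."""
    t = lease_schedule(lease_seconds)
    if elapsed < t["renew"]:
        return "bound"
    if elapsed < t["rebind"]:
        return "renewing"
    if elapsed < t["expire"]:
        return "rebinding"
    return "restart"


def fallback_address(alternate: Optional[str], apipa_candidate: str):
    """Address a client ends up with when no lease can be obtained: the alternate
    configuration if one is specified, otherwise an address from the APIPA pool."""
    if alternate is not None:
        return ip_address(alternate)
    addr = ip_address(apipa_candidate)
    if addr not in APIPA_POOL:
        raise ValueError(f"{addr} is outside the APIPA pool {APIPA_POOL}")
    return addr


def is_apipa(addr: str) -> bool:
    """True when a host's address came from APIPA, i.e. it never received a DHCP lease."""
    return ip_address(addr) in APIPA_POOL


if __name__ == "__main__":
    # Constructed sample: default eight-day lease, check the phase at day 4 and day 7.
    for day in (0, 4, 7, 8):
        print(f"day {day}: {client_phase(day * 24 * 3600)}")
    # Constructed sample address as reported by a client with no connectivity.
    print("169.254.10.20 is APIPA:", is_apipa("169.254.10.20"))
```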
Using DHCP can reduce IP address conflicts by removing the need for static IP addresses. It can also eliminate invalid subnet masks, since they are assigned by the DHCP server as well. Another advantage is the scope properties. By assigning scope properties, you can define default gateways, DNS servers, WINS servers, and the type of name resolution that is preferred. By managing name resolution settings, you can help eliminate broadcast traffic.
Monitoring IPSec Connections
The connections established using the IPSec protocol are end-to-end connections, and are sometimes difficult to troubleshoot. Often the problems are related to connectivity of the networks over which the IPSec connection is established. There are also many different policies that we can apply, which could have different effects depending on whether they are applied by the domain the machines are members of or exist on the local computer. The network traffic is also a challenge, since it is responsible for delivering the data between the destinations. In this section, we discuss the different methods to obtain useful information about IPSec connections and their settings.
IPSec Monitor Console
Information about IPSec traffic can be obtained using several different methods. One of the simplest methods is using the IPSec Monitor Console. IPSec Monitor gives you information about domain and computer policies that are applied to the machine you are monitoring. In addition, it gives you information about main mode and quick mode statistics and filters. Most often, we use IPSec Monitor on the machine we are troubleshooting; however, it is possible to connect to a remote computer and view IPSec policies and settings using the IPSec Monitor snap-in.
IPSec Security Monitor allows us to watch for developing trends of security and authentication failures. This will help you to identify policy conflicts for specific IPSec tunnels. You can also determine the volume of traffic, the policies and associations, and how they are distributed. You can also compare the ESP packets with the total packets to identify potential holes in the security of the transmitted data and correct the security policies on the affected machines.
Network Monitor

The Network Monitor software that is part of Windows Server 2003 includes all the necessary protocol parsers for the Internet Key Exchange (IKE) Internet Security Association and Key Management Protocol (ISAKMP), IP Authentication Header (AH), and IP Encapsulating Security Payload (ESP) protocols. The ESP parsers only function if null encryption is being used and the entire ESP packet is captured. Network Monitor cannot parse the encrypted portions of ESP traffic that is encapsulated by IPSec unless encryption is being performed by an IPSec hardware offload network adapter. In that case the packets are decrypted by the hardware and, as a result, the ESP packets are already decrypted when Network Monitor captures them. This allows the Network Monitor parsers to parse and interpret the data for the upper-layer protocols.
Netsh
IPSec packet event logging can be enabled using the netsh command line utility. The command is netsh ipsec dynamic set config ipsecdiagnostics Level, where Level is a whole value between 1 and 7. The option values are listed in Table 8.2. To see dropped packet events, you must set the logging level to 7. The change will be written to the registry and will not take effect until the next reboot, when the IPSec driver reads the registry on start up. The registry key that contains the logging level value is HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSec\EnableDiagnostics, and the value is a valid whole number in the DWORD registry setting between 1 and 7. All the events that are defined for the specified log level are written to the System event log once every hour or when the event buffer is full and must be written to the log.
Table 8.2 Log Level Options for IPSec Driver Using Netsh

Log level  Effective logging
1          Total number of incorrect Security Parameters Index (SPI) packets
2          Inbound only per-packet drop events
3          Combined effect of level 1 and 2 logging is enabled, as well as any unexpected plaintext packets (clear-text events) inbound or outbound
4          Outbound only per-packet drop events
5          Combined effect of level 1 and 4 logging is enabled
6          Combined effect of level 2 and 4 logging is enabled
7          All logging levels are enabled
The logging occurs at regular intervals based on the LogInterval setting in the registry, located in HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\IPSec\. You can set this value by using the registry, or by the preferred method of using netsh ipsec dynamic set config ipsecloginterval Interval, where Interval is the number of seconds between event log writes. The recommended value of the Interval parameter for troubleshooting is 60 seconds, which is also the minimum value. You can set the interval as high as 86400 seconds, which is equal to 1440 minutes or 24 hours. You can view information about IPSec policies using either the netsh ipsec static show command or the netsh ipsec dynamic show command.
Ipseccmd
The command line tool Ipseccmd is used to script the creation of IPSec policy, and to display active SAs and policy assignments. Ipseccmd is no longer supported on Windows Server 2003 and its functionality is replaced by netsh. All IPSec-specific functionality is present in the netsh utility. You can view information about IPSec policies using either the netsh ipsec static show command or the netsh ipsec dynamic show command.
Netdiag
Although Netdiag.exe can still be used to obtain information about networking, Windows Server 2003 no longer uses the netdiag /test:ipsec option; it has been removed and replaced with the netsh commands for IPSec. All IPSec-specific functionality is present in the netsh utility. You can view information about IPSec policies using either the netsh ipsec static show command or the netsh ipsec dynamic show command.
Event Viewer
To view Internet Key Exchange (IKE) events in the security log, you must enable success or failure auditing for the Audit logon events policy for your domain or workgroup, although these events are not exclusive to IPSec services. Enabling success or failure auditing will cause IPSec to record the success or failure of the negotiation, establishment, and termination of each main mode and quick mode connection as events.
You should be very cautious when enabling IKE events, especially if the server is exposed to the Internet or provides IPSec services to many clients. Hack attempts on the IKE protocol could cause the security log to fill very quickly. IKE events can also fill the security log for servers that use IPSec to secure traffic to many clients. To avoid this, you can disable auditing for IKE events in the security log by modifying the registry.

To view IPSec policy change events in the Security log, enable success or failure auditing on the Audit policy node Audit Policy Change policy for your domain or local computer.
Active Directory Infrastructure Overview
In this chapter:

Introducing Directory Services

Understanding How Active Directory Works

Using Active Directory Administrative Tools

Implementing Active Directory Security and Access Control

What’s New in Windows Server 2003 Active Directory?
Introduction
The Active Directory is the foundation of an enterprise-level Windows network, and Windows Server 2003 includes a number of improvements and enhancements to its directory services that will make a network administrator’s job easier. Windows Server 2003 administrators must understand the basics of how directory services work and the role they play in the network, and specifically how the directory services concept is implemented in Microsoft’s Active Directory.

In this chapter, we start with the basics by defining directory services and providing a brief background of the directory services standards and protocols. You’ll learn how the Active Directory works, and be introduced to the terminology and concepts required to understand the Active Directory infrastructure.

We discuss how the directory is structured into sites, forests, domains, domain trees, and organizational units (OUs), and you’ll learn about the components that make up the Active Directory, including both logical and physical components. These include the schema, the Global Catalog (GC), domain controllers (DCs), and the replication service. You’ll learn to use the Active Directory administrative tools, and we discuss directory security and access control. Finally, we provide an overview of what’s new for Active Directory in Windows Server 2003.
Chapter 9
This chapter lays the groundwork for the specific Active Directory-related administrative tasks that you will learn to perform throughout the rest of the book. Even if you’re very familiar with AD concepts, this chapter may still serve as a good refresher.
Introducing Directory Services
As anyone familiar with networking knows, a network can be comprised of a vast number of elements, including user accounts, file servers, volumes, fax servers, printers, applications, databases, and other shared resources. Because the number of objects making up a network increases as an organization grows, finding and managing these accounts and resources becomes harder as the network gets bigger. To make a monolithic enterprise network more manageable, directory services are used to store a collection of information about users and resources, so they are organized and accessible across the network.
A directory allows accounts and resources to be organized in a logical, hierarchical fashion so that information can be found easily. By searching the directory, users can find the resources they need, and administrators are able to control and configure accounts and resources easily and effectively. Keeping this information in a centralized location ensures that users and administrators don’t have to waste time looking at what’s available on each server; they only have to refer to the directory.
Any directory is a structured source of information, consisting of objects and their attributes. Those who have access to the directory can look up an object, and then view its attributes. If they have sufficient rights (as in the case of an administrator), the object can be modified. These attributes can be used to provide information that’s accessible to users, or to control security at a granular level.

Because a user can access account information from anywhere on the network, directory services allow a user to log on to multiple servers using a single logon. A single logon is an important feature of directory services, because without it, a user must log on to each server that provides needed resources. This is common on Windows NT networks, where the administrator must create a different account on each server the user needs to access. The user then needs to log on to each server individually. This is significantly different from the way Windows 2000/2003’s directory services work, where a user logs on to the network once and can use any of the resources to which he or she has been given access.
Sophisticated directory services give administrators the ability to organize information, control security, and manage users and resources anywhere on the network. Information resides in a central repository that’s replicated to different servers on the network. This allows the data to be accessed when needed and saves the administrator from having to visit each server to manage accounts. It lowers the amount of work needed to manage the network, while providing granular control over rights and permissions. The administrator only needs to modify a user account or other object once, and these security changes are replicated throughout the network.
Directory services have been used on different network operating systems for years, and have proven to be a useful and powerful technology. Following suit, Microsoft created its own implementation of directory services on Windows NT called NTDS, and then followed with Active Directory on newer versions of servers. NTDS used a flat namespace, which provided limited functionality in comparison with Active Directory’s hierarchical structure and feature set. Active Directory was first introduced in Windows 2000, and continues to provide directory services to the Windows Server 2003 family of servers. It can be installed on the Standard, Enterprise, and Datacenter Editions of Windows Server 2003, and provides a necessary foundation for any network using these servers.
NOTE
Installation of Active Directory on a Windows 2000 or Windows Server 2003 server makes that computer a DC. Windows Server 2003 Web Edition cannot function as a DC, and thus cannot have Active Directory installed.
Terminology and Concepts

Before delving too far into the specifics of Active Directory, it is important to discuss a number of concepts and terms needed to appreciate the features and functionality of a directory service. As with anything dealing with technology, certain words and phrases associated with Active Directory and Windows Server 2003 are useful in identifying and defining specific components of the network. Whether you’re new to Active Directory or experienced from using previous versions, the information provided here will help you to understand other topics that follow in this book.

In reading this section, it is important to realize that this is an overview of topics that we discuss later in greater detail. We define some of the terms used throughout this book, and look at concepts that we’ll build on in later sections.
Some of the terms and concepts we discuss in the following subsections include:

Directory data store

Directory partitions

Policy-based administration

DAP and LDAP

Naming schemes used in Active Directory
Directory Data Store
Active Directory isn’t just a service that provides access to directory services; it’s also a method of storing data about network elements. If you didn’t have a place where configurations and directory data are saved, you’d lose this information every time you shut down your server. The data store contains a vast amount of information, including data dealing with users, groups, computers, the resources they can access, and other components of the network. Because the Active Directory data store is a database of all directory information, it is also referred to as the directory.
When you install the directory on a Windows Server 2003 server, the Active Directory data source is placed on the server’s hard disk. The file used to store directory information is called NTDS.DIT, and is located in the NTDS folder in the systemroot (for example, C:\WINDOWS). Any changes made to the directory are saved to this file.

The presence of Active Directory’s data store on a Windows Server 2003 server has a major impact on that server’s role in the network. As shown in Figure 9.1, the directory is stored on DCs, which are servers with writable copies of the data store. A DC is used to manage domains, which are groups of computers, users, and other objects that share (or are included in) the same directory. Domains that use different Active Directory data sources can still communicate with one another, but (as we’ll see later in this chapter) secure relationships between them must be configured.
Each DC retains its own copy of the directory, containing information on the domain in which it is located. If one DC becomes unavailable, users and computers can still access the Active Directory data store on another DC in that domain. This allows users to continue logging on to the network even though the DC that’s normally used is unavailable. It also allows computers and applications that require directory information to continue functioning while one of these servers is down.
Because a domain can have more than one DC, changes made to the directory on one DC must be updated on the others. The process of copying these updates is called replication, and is used to synchronize information in the directory. Without replication, features in Active Directory would fail to function properly. For example, if you added a user on one DC, the new account would be added to the directory store on that server. This would allow the user to log on to that domain controller, but he or she still couldn’t log on to other DCs until these changes to the directory were replicated. When a change is made on one DC, the changes need to be replicated quickly so that each DC continues to have an accurate duplicate copy of Active Directory.
Because replication is so important to making the directory consistent across the network, the data source is organized in a way that makes replication more efficient. Not every piece of data is saved in the same location of the data source. As shown in Figure 9.2, information resides in different areas of the directory, called directory partitions. Because Active Directory is a logical, hierarchical structure, it has a treelike structure similar to that of the Windows Registry or folders on a hard disk.
Figure 9.1 Relationship Between Active Directory, Domain Controllers, Member Servers, and Clients

[Figure: three domain controllers, each holding a replicated copy of Active Directory, together with member servers and clients. Active Directory is installed on all domain controllers; member servers are Windows 2000 or 2003 servers that don’t have AD installed on them. Clients log on to the domain through domain controllers, which use AD to authenticate users and determine access to resources. Active Directory information is replicated between domain controllers, so all have a duplicate copy of AD; if a domain controller isn’t available, clients can log on to other DCs in the domain.]
Data is stored within subtrees of the directory, much like data on your hard disk is stored within folders that are nested within one another. Each contiguous subtree in the directory is a partition. Any data that changes within a directory partition is replicated as a single unit to other DCs.

In Active Directory, three partitions exist on any DC and must be replicated, as these contain data that the Microsoft network needs to function properly:

Domain partition

Configuration partition

Schema partition
Figure 9.2 Active Directory Is a Hierarchical Structure

[Figure: the Directory Root, beneath which sit the Forest Root Domain with its Directory Partition, the Configuration Partition, the Schema Directory Partition, and the Domain Trees.]
