
Microsoft specifies global groups as the primary container for user and computer objects. They call for grouping users according to role, function, responsibility, or department into global groups. In a Windows 2000 mixed functional level domain, a global group can contain users and computers from the same domain in which it exists. When the functional level of the domain is raised to Windows 2000 native or Windows Server 2003, a GG can also contain other global groups from its local domain.
Unlike global and domain local groups, universal groups (UGs) are stored in the Global Catalog (GC). Adding or removing objects from a universal group triggers forest-wide replication. To minimize this, Microsoft recommends that other groups, and not individual user and computer accounts, be the primary members of a universal group. Universal security groups do not exist in a Windows 2000 mixed functional level domain. When the functional level of the domain is raised to Windows 2000 native or Windows Server 2003, universal security groups can contain domain users, computer accounts, and global groups from any trusted domain, as well as other universal groups.
An administrator can change an existing group’s scope. Universal groups can be converted to global or domain local groups, and global and domain local groups can be converted to universal groups. However, global groups cannot be converted directly to domain local groups (and vice versa). You cannot convert from one group scope to another if the current membership of the group that is being converted is not compatible with the membership allowed for the target scope.
Microsoft has a number of acronyms that describe how groups should be used in different scenarios, including:

AGDLP: Accounts (user and computer objects) are placed into Global groups, which are placed into Domain Local groups, which are added to access control lists (ACLs) and granted Permissions to a resource. This model is used in a single or multiple domain environment, when the Windows 2000 mixed domain functional level is in use.

AGGDLP: Accounts are placed into Global groups that can be placed into other Global groups and/or Domain Local groups, which are added to ACLs and granted Permissions to resources. This model can only be used in domains that have a Windows 2000 native or Windows Server 2003 functional level.

AGGUDLP (or AGUDLP): Accounts should be placed into Global groups that can be placed into other Global groups and/or Universal groups, and then into Domain Local groups, which are added to ACLs and granted Permissions to resources. This model can only be used in domains that have a Windows 2000 native or Windows Server 2003 functional level. In addition, it is primarily used in a multiple domain environment.
www.syngress.com
Creating User and Group Strategies • Chapter 3 231
256_70-294_03.qxd 9/5/03 1:07 PM Page 231
Exam Objectives Fast Track
Creating a Password Policy for Domain Users
- According to Microsoft, complex passwords consist of at least seven characters, including three of the following four character types: uppercase letters, lowercase letters, numeric digits, and non-alphanumeric characters such as & $ * and !.
- Password policies and account lockout policies are set at the domain level in Group Policy.
- If a subset of your user base requires a different set of account policies and other security settings, you should create a separate domain to meet their requirements.
- Be sure that you understand the implications of an account lockout policy before you enable one in a production environment.
Creating User Authentication Strategies
- Within a domain, Kerberos v5 is the default communication method between two machines that are running Windows 2000 or later.
- Pre-Windows 2000 computers use NTLM (or NTLMv2) authentication in an Active Directory domain.
- To provide authentication for Web applications, you can implement either SSL/TLS or Microsoft Digest.

Planning a Smart Card Authentication Strategy
- Microsoft Windows Server 2003 relies on its public key infrastructure (PKI) and Certificate Services to facilitate smart card authentication.
- Smart card certificates are based on the following three certificate templates: Enrollment Agent, Smartcard Logon, and Smartcard User.
- Several Group Policy settings are specific to smart card implementations; most other account policy settings will also affect smart card users.
Planning a Security Group Strategy
- There are two types of groups in a Windows Server 2003 domain: distribution and security.
- Only security groups can be used to assign permissions.
- There are three group scopes in a Windows Server 2003 domain: domain local, global, and universal.
- Additional group nesting and universal security groups are only available at the Windows 2000 native and Windows Server 2003 domain functional levels.
- Existing groups can have their scopes changed in Windows 2000 native and Windows Server 2003 functional level domains.
Exam Objectives Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are designed to both measure your understanding of the Exam Objectives presented in this chapter, and to assist you with real-life implementation of these concepts. You will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: How can I configure a smart card user to be able to temporarily log on to the network if the user has forgotten his or her card?
A: In the Properties of the user’s account within Active Directory Users and Computers, make the following changes on the Account tab:
1. Clear the check mark next to Smart card is required for interactive logon.
2. Place a check mark next to User must change password at next logon.
Finally, right-click the user object and select Reset Password. Inform the user of the new password, and that it will need to be changed at next logon.
Q: What are the advantages of implementing a “soft lockout” policy versus a “hard lockout”?
A: A hard lockout policy refers to an account that must be manually unlocked by an administrator. This setting provides the highest level of security but carries with it the risk that legitimate users will be unable to access network resources. In some circumstances, it can be used to effectively create a DoS attack against your own network. Hard lockouts place a greater burden on account administrators, because at least one must always be available for users to contact when they need their accounts unlocked. A soft lockout expires after a set amount of time and helps limit the effectiveness of password attacks against your network, while reducing the burden placed on administrators in a hard lockout environment.
Q: My organization is in the planning stages of a smart card rollout.What are the security
considerations involved in setting up a smart card enrollment station?
A: Since a smart card enrollment station allows you to create certificates on behalf of any
user within your Windows Server 2003 domain, you should secure these machines
heavily in terms of both physical location and software patches. Imagine the damage
that could be done if a malicious user were able to create a smart card logon certificate
for a member of the Domain Admins group and use it to log on to your network at
will.
Q: How can I convince my users that the company’s new smart card rollout is something
that is protecting them, rather than simply “yet another stupid rule to follow”?
A: One of the most critical components of any network security policy is securing “buy-in” from your users. A security mechanism that is not followed is not much more useful than one that doesn’t exist. Try to explain the value of smart card authentication from the end-user’s perspective. If you work in a sales organization, ask your sales force how they would feel if their client contacts, price quotes, and contracts fell into the hands of their main competitor. In a situation like this, providing a good answer to “What’s in it for me?” can mean the difference between a successful security structure and a failed one.
Q: All of my workstations run Windows 95. I know that these don’t support Kerberos for
authentication. How can I configure the domain to use the NTLM protocol instead of
the default of Kerberos protocol?
A: You do not need to perform any configuration to support NTLM authentication.
Windows Server 2003 supports not only basic NTLM but also NTLM version 2, by
default, for pre-Windows 2000 computers. In addition, NTLMv2 is more secure than
NTLM, and will be automatically used if the domain controller is able to ascertain that
the client supports it.
Q: I have a three-domain environment. All three of my domains have the same global groups. I’ve added the HR global group from two of the domains to an All_HR universal group. I’ve also added the All_HR universal group to domain local groups in these same two domains. Why can’t I add the All_HR universal group to any domain local groups in my third domain?
A: All three domains must be at a functional level that supports universal security groups. It is possible to have a forest environment in which some domains are at the appropriate level and others are not. In this case, it sounds like two domains are at the Windows 2000 native or Windows Server 2003 functional level, but the third is at the Windows 2000 mixed functional level. Raise all domains to at least the Windows 2000 native level and try again.
Q: I’m in a single domain environment. My domain functional level is Windows Server 2003. I’m trying to convert a group from a global scope to a domain local scope. The group only contains users, but the option button is grayed out. What’s wrong?
A: You cannot convert directly from a global group scope to a domain local group scope. You can only convert to and from a universal group scope. To accomplish this, you must first convert the global group to a universal group. Once this completes successfully, convert the universal group to the domain local group scope.
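The scope-conversion rules from the group-scope discussion earlier in the chapter and the two-step global-to-domain-local path in the answer above, modelled as an added example (not code from the book); the group, member and domain names are constructed, and the domain local membership rule is taken from Windows documentation rather than from this text:

```python
"""Group scope conversion checker: scopes change only via universal, and a
conversion is refused when current members are not allowed in the target
scope.  Added example with constructed groups; not code from the book.
The domain local membership rule (members from any trusted domain, nested
domain local groups only from the same domain) is from Windows
documentation rather than from the chapter text."""
from dataclasses import dataclass

NATIVE_LEVELS = ("native", "2003")   # Windows 2000 native, Windows Server 2003
MIXED = "mixed"                      # Windows 2000 mixed


@dataclass(frozen=True)
class Member:
    name: str
    kind: str      # "user", "computer", "global", "universal", "domainlocal"
    domain: str


@dataclass
class Group:
    name: str
    scope: str     # "global", "universal", "domainlocal"
    domain: str
    members: tuple


def member_allowed(scope: str, member: Member, group_domain: str, level: str) -> bool:
    """Is this member permitted in a group of the given scope at this level?"""
    same_domain = member.domain == group_domain
    if scope == "global":
        if member.kind in ("user", "computer"):
            return same_domain
        # Global-in-global nesting needs the native or Windows Server 2003 level.
        return member.kind == "global" and same_domain and level in NATIVE_LEVELS
    if scope == "universal":
        # Universal security groups do not exist at the mixed level.
        return level in NATIVE_LEVELS and member.kind in ("user", "computer", "global", "universal")
    if scope == "domainlocal":
        if member.kind in ("user", "computer", "global", "universal"):
            return True
        return member.kind == "domainlocal" and same_domain and level in NATIVE_LEVELS
    raise ValueError(f"unknown scope {scope!r}")


def conversion_path(src: str, dst: str) -> list:
    """Direct conversions in order; global <-> domain local must go via universal."""
    if src == dst:
        return []
    if "universal" in (src, dst):
        return [(src, dst)]
    return [(src, "universal"), ("universal", dst)]


def conversion_problems(group: Group, target: str, level: str) -> list:
    """Reasons the conversion would be refused; an empty list means it can proceed."""
    if level == MIXED:
        return ["scope changes require the Windows 2000 native or Windows Server 2003 functional level"]
    problems = []
    for src, dst in conversion_path(group.scope, target):
        for m in group.members:
            if not member_allowed(dst, m, group.domain, level):
                problems.append(f"step {src}->{dst}: {m.kind} {m.name} ({m.domain}) is not allowed in a {dst} group")
    return problems


if __name__ == "__main__":
    # Constructed example: a global group in corp.example that only holds users.
    hr = Group("HR", "global", "corp.example",
               (Member("alice", "user", "corp.example"), Member("bob", "user", "corp.example")))
    print(conversion_path("global", "domainlocal"))
    print(conversion_problems(hr, "domainlocal", "2003") or "OK")
    # A universal group holding a foreign global group and another universal group cannot become global.
    all_hr = Group("All_HR", "universal", "corp.example",
                   (Member("HR", "global", "emea.example"), Member("All_IT", "universal", "corp.example")))
    for problem in conversion_problems(all_hr, "global", "2003"):
        print(problem)
```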
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers, and explanations to the Self Test questions in this chapter as well as the other chapters in this book, see the Self Test Appendix.
Creating a Password Policy for Domain Users
1. What is a potential drawback of creating a password policy on your network that requires user passwords to be 25 characters long?
A. Users will be more likely to write down a password that is so difficult to remember.
B. User passwords should be at least 30 characters long to guard against brute-force password attacks.
C. There are no drawbacks; this solution creates network passwords that will be impossible for an unauthorized user to penetrate.
D. Windows Server 2003 will not allow a password of more than eight characters.
2. You have recently started a new position as a network administrator for a Windows Server 2003 network. Shortly before the previous administrator left the company, the syskey utility was used on one of your domain controllers to create a password that needs to be entered when the machine is booted. You reboot the domain controller, only to discover that the password the previous administrator documented is incorrect. You are unable to contact your predecessor to obtain the correct one. How can you return this DC to service as quickly as possible?
A. Reformat the system drive on the server and reinstall Windows Server 2003.
B. Boot the server into Directory Services Restore Mode and restore the DC from a point before the previous administrator ran the syskey utility.
C. Boot the server into Safe Mode and run syskey again to change the password.
D. Use ntdsutil to seize the PDC Emulator role and transfer it to another DC.
3. According to Microsoft, which of the following would be considered weak passwords
for a user account named jronick? (Choose all that apply.)
A. S#n$lUsN7
B. soprano
C. ronickrj
D. Oo!dIx2
E. new
4. You have implemented a password policy that requires your users to change their
passwords every 30 days and retains their last three passwords in memory.While sitting
in the lunch room, you hear someone advise his coworker that all she needs to do to
get around that rule is to change her password four times so that she can go back to
using the password that she is used to.What is the best way to modify your domain
password policy to avoid this potential security liability?
A. Increase the maximum password age from 30 days to 60 days.
B. Enforce password complexity requirements for your domain users’ passwords.
C. Increase the minimum password age to seven days.
D. Increase the minimum password length of your users’ passwords.
5. You are a new network administrator for a Windows Server 2003 domain. In making
user support calls, you have noticed that many users are relying on simplistic passwords
such as their children’s or pets’ names. Passwords on the network are set to never
expire, so some users have been using these weak passwords for years.You change the
default Group Policy to require strong passwords. Several weeks later, you notice that
the network users are still able to log on using their weak passwords.What is the most
likely reason why the weak passwords are still in effect?
A. You must force the users to change their passwords before the strong password settings will take effect.
B. The Group Policy settings have not replicated throughout the network yet.
C. Password policies need to be set at the organizational unit (OU) level, not the
domain level.
D. The users reverted back to their passwords the next time they were prompted to
change them.
Creating User Authentication Strategies
6. You have created an e-commerce Web application that allows your customers to purchase your company’s products via the Internet. Management is concerned that customers will not feel comfortable providing their credit card information over the Internet. What is the most important step to secure this application so that your customers will feel confident that they are transmitting their information securely and to the correct Web site?
A. Use IP restrictions so that only your customers’ specific IP addresses can connect to the e-commerce application.
B. Issue each of your customers a smart card that they can use to authenticate to your e-commerce Web site.
C. Place your company’s Web server behind a firewall to prevent unauthorized access to customer information.
D. Install a Secure Sockets Layer (SSL) certificate on your Web server.
7. Your network environment consists of Windows 2000 Professional, Windows XP Professional, and Windows NT 4.0 Workstation computers. You have just upgraded all domain controllers to Windows Server 2003. The domain and forest functional levels are both set to Windows Server 2003. The company does not use any Web applications or services. Which of the following authentication protocols will be used on the network? (Choose all that apply.)
A. Digest
B. NTLM
C. Kerberos
D. SSL
8. You’ve decided to implement Web-based authentication. You have a wide range of domains, domain controllers, and domain functional levels in your enterprise Windows Server 2003 forest. Because you are a homogeneous Windows environment, you decide to implement digest authentication. Which of the following requirements must you keep in mind when planning to implement digest authentication? (Choose all that apply.)
A. Digest authentication requires IE 5 or later on the clients.
B. There must be at least one Windows Server 2003 DC in the IIS server’s domain.
C. User passwords must be stored with reverse encryption.
D. There must be at least one Windows 2000 or later DC in the IIS server’s domain.
Planning a Smart Card Authentication Strategy
9. Your network configuration includes a Terminal Server designed to allow users at remote branches to access network applications. The Terminal Server often becomes overloaded with client requests, and you have received several complaints regarding response times during peak hours. You have recently issued smart cards for the users located at your corporate headquarters and would like to prevent those users from using their smart cards to access the Terminal Server. How can you accomplish this goal in the most efficient manner possible?
A. Enable auditing of logon/logoff events on your network to determine which smart card users are accessing the Terminal Server, and then speak to their supervisors individually.
B. Create a separate OU for your Terminal Server. Create a global group containing all smart card users, and restrict the logon hours of this group for the Terminal Server’s OU.
C. Enable the “Do not allow smart card device redirection” setting within Group Policy.
D. Create a global group containing all smart card users, and deny this group the “Log on locally” right to the computers on your network.
10. You have attached a smart card reader to your Windows XP Professional workstation’s
serial port.The reader is not detected when you plug it in and is not recognized when
you scan for new hardware within Device Manager.The smart card reader is listed on
the Microsoft Web site as a supported device, and you have verified that all cables are
connected properly.Why is your workstation refusing to recognize the smart card
reader?
A. The manufacturer-specific installation routine is not compatible with Windows
Server 2003.
B. The workstation needs to be rebooted before it will recognize the card reader.
C. Smart card readers are only supported on machines running Windows Server
2003.
D. You are not logged on as a member of the Domain Admins group.
11. You have recently deployed smart cards to your users for network authentication. You configured the Smartcard Logon certificates to expire every six months. One of your smart card users has left the company without returning her smart card. You have disabled this user’s logon account, but management is concerned that she will still be able to use the smart card to access network resources. How can you be sure that the information stored on the former employee’s smart card cannot be used to continue to access network resources?
A. Monitor the security logs to ensure that the former employee is not attempting to
access network resources.
B. Use the smart card enrollment station to delete the user’s Smartcard Logon certificate.
C. Deny the Autoenroll permission to the user’s account on the Smartcard Logon Certificate template.
D. Add the user’s certificate to the CRL on your company’s CA, and publish the CRL.
Planning a Security Group Strategy
12. One of your coworkers is trying to grasp the concept of distribution and security
group types. He asks you what the two primary benefits are for the security group
type.What do you tell him? (Choose two.)
A. You tell him that they can have permissions and user rights assigned to them.
B. You tell him that they can function for messaging just like a distribution group
type.
C. You tell him that they allow for quick and efficient delegation of administrative
responsibility in Active Directory.
D. You tell him that they can only be used for messaging and granting permissions
to Active Directory, file system, Registry, and printer objects.
13. Your boss has been looking over marketing material from Microsoft. She asks you
how you plan on using universal groups.You administer a single domain environment
that is about to be upgraded to Windows Server 2003.What do you tell her?
A. You tell her that because you will be using a Windows Server 2003 functional
level domain, you will be using only universal groups.
B. You tell her that because you will be using a Windows 2000 native functional
level domain, you will be using only universal groups.
C. You tell her that you will use universal groups to replace global groups, but will
still be using domain local groups for resource access.
D. You tell her that you will not be using universal groups.
14. Last night you finished configuring a complex set of groups for your new Windows
Server 2003 Active Directory environment.You spent this morning adding users to
their appropriate groups. Now that the Active Directory environment is configured,
you are trying to add the groups into ACLs in the file system. For some reason, they
aren’t showing up in the list of groups to select from.You can see all the default
groups that the operating system and Active Directory installed.Why can’t you see the
groups you created?

A. You don’t have permission.
B. You didn’t activate the groups in Active Directory.
C. You created distribution groups.
D. You created security groups.
15. Your company has a single domain environment that will be upgraded to Windows
Server 2003. One of the company’s existing Windows NT 4.0 BDCs must remain in
place because a custom application requires it.This application will not be migrated
until sometime next year.The company has many departments, each of which has
sub-departments and teams.The company would like to take advantage of Windows
Server 2003’s new group nesting capabilities.Which of the following group models is
appropriate for this company?
A. AGDLP
B. AGGDLP
C. AGGUDLP
D. AGUDLP
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this
chapter as well as the other chapters in this book, see the Self Test Appendix.
1. A
2. B
3. B, C, E
4. C
5. A
6. D
7. B, C
8. A, C, D
9. C
10. B
11. D
12. A, C
13. D
14. C
15. A
Working with Forests and Domains
Exam Objectives in this Chapter:
1.3.5 Set an Active Directory forest and domain functional level
based on requirements.
1.3 Implement an Active Directory directory service forest and
domain structure.
2.1 Manage an Active Directory forest and domain structure.
1.3.1 Create the forest root domain.
1.3.2 Create a child domain.
1.3.3 Create and configure Application Data Partitions.
Chapter 4
MCSA/MCSE 70-294
- Summary of Exam Objectives
- Exam Objectives Fast Track
- Exam Objectives Frequently Asked Questions
- Self Test
- Self Test Quick Answer Key
Introduction
A Microsoft Active Directory network has both a physical and a logical structure. Forests and domains define the logical structure of the network, with domains organized into domain trees in which subdomains (called child domains) can be created under parent domains in a branching structure. Domains are logical units that hold users, groups, computers, and organizational units (OUs) (which in turn can contain users, groups, computers, and other OUs). Forests are collections of domain trees that have trust relationships with one another, but each domain tree has its own separate namespace.
In this chapter, you will learn all about the functions of forests and domains in the Windows Server 2003 Active Directory infrastructure, and we will walk you through the steps of creating a forest and domain structure for a network. You’ll learn to install domain controllers (DCs), create the forest root domain and a child domain, find out how to name and rename domains, and how to set the functional level of a forest and domain.
The Domain Name System (DNS) is an integral part of a Windows Server 2003 network, as it is used for providing name resolution within the network. We will discuss the role of DNS in the Active Directory environment, and you’ll learn about the relationship of the DNS and Active Directory namespaces, how DNS zones are integrated into Active Directory, and how to configure DNS servers for use with Active Directory.
Understanding Forest and Domain Functionality
A Windows Server 2003 domain is a group of networked computers that share a common Active Directory database, and a common namespace. You can think of a domain as a limited boundary of network security and administrative control. A namespace is a hierarchical collection of service and object names, typically stored within DNS and Active Directory.
There are some similarities between the Active Directory namespace and the DNS namespace, both of which are required by Windows Server 2003. For example, the name of an Active Directory tree is derived from the DNS name of the tree root, which means that both namespaces share the same root. When you rename the root domain, all child domains in the tree must be renamed to match, so the change reaches every level of both namespace hierarchies. The Active Directory and DNS namespaces, by Microsoft definition, must have the same name. Exceptions do exist, however, such as during a domain rename procedure.
Active Directory is composed of a number of components, each associated with a different concept, or layer of functionality. You should understand each of these layers before making any changes to the network. The Active Directory itself is a distributed database, which means it can be spread across multiple computers within the forest. Among the major logical components are:
- Forests
- Trees
- Domains
- The domain namespace
Aspects of the physical structure include the following:
- Sites
- Servers
- Roles
- Links
Administrative boundaries, network and directory performance, security, resource management, and basic functionality are all dependent on the proper interaction of these elements.
Head of the Class…
How Can I Tell the Difference between the Active Directory Namespace and the DNS Namespace?
Among the differences in the two namespaces is the ability of DNS to split a domain name into two separate zones. In split-DNS, one zone typically provides name resolution for resources outside the firewall, while the other zone provides name resolution for the inside. Inside users can locate and use external resources. An Active Directory domain cannot be split in the same way and continue to fully interoperate.
Another difference is where the data is stored. Even given identical names, and even with Active Directory integrated DNS, the two namespaces occupy different partitions within the directory. This gives them different logical addresses, although replication of the two is accomplished in the same way. With non-Active Directory-integrated DNS, the namespaces do not reside in the same directory and do not need to reside on the same servers. Non-integrated DNS must also provide its own replication topology. In either case, the data is always discretely separated. DNS records and Active Directory objects work together, but never truly intermingle.
One of the most distinct differences is the real-time nature of dynamic DNS. When a server is shut down, dynamic DNS removes the resource records associated with that server from its database. Unless you created static records, as you might for an e-mail or web server, DNS retains no knowledge of the machine. Active Directory, by contrast, requires the stability of constant knowledge for all hosts. If a server were to be removed and re-added to Active Directory, the host would receive a new Security Identifier (SID) and be treated as a new and unique system. In Active Directory, hosts within the same domain are often subdivided into sites and OUs, while DNS hosts are only differentiated by record types.
These distinctions help clarify the forest and domain structure, the namespaces they define, and the interoperability between them.
Figure 4.1 shows the logical view of a Windows Server 2003 Active Directory. Note that the differentiation between forests and trees is most obvious in the namespace. By its nature, a tree is one or more domains with a contiguous namespace. Each tree consists of one or more domains, while each forest consists of one or more trees. Because a forest can be composed of discrete multiple trees, a forest’s namespace can be discontiguous. By discontiguous, we mean that the namespaces anchor to different forest-root DNS domains, such as cats.com and dogs.com. Both are top-level domains and are considered two trees in a forest when combined into a single directory as shown in Figure 4.1.
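The contiguous-namespace rule that separates trees from forests, applied to the domain names of Figure 4.1 as an added example (not code from the book); the `naming_gaps` check is an added consequence of the rule that a child domain’s DNS parent must itself be a domain in the forest:

```python
"""Derive a forest's tree structure from its domains' DNS names.  A domain
whose DNS parent (its name minus the leftmost label) is also in the forest
is a child domain; any other domain heads its own tree, and a forest with
more than one tree has a discontiguous namespace.  Added example using the
Figure 4.1 names; not code from the book."""


def normalize(name: str) -> str:
    return name.strip().rstrip(".").lower()


def dns_parent(name: str) -> str:
    """labs.dogs.com -> dogs.com; a single-label name has no parent."""
    labels = name.split(".")
    return ".".join(labels[1:]) if len(labels) > 1 else ""


def build_trees(domain_names) -> dict:
    """Return {tree_root: {domain: parent_domain, ...}} for the forest.
    A tree root maps to "" because it has no parent within the forest."""
    names = {normalize(n) for n in domain_names}
    parent = {}
    for n in names:
        p = dns_parent(n)
        parent[n] = p if p in names else ""
    trees = {}
    for n in names:
        root = n
        while parent[root]:
            root = parent[root]
        trees.setdefault(root, {})[n] = parent[n]
    return trees


def naming_gaps(domain_names) -> list:
    """Names that sit inside another tree's namespace without an immediate
    parent in the forest (e.g. yellow.labs.dogs.com when labs.dogs.com is
    missing).  Such a name cannot be a child domain and should be reviewed."""
    names = {normalize(n) for n in domain_names}
    gaps = []
    for n in sorted(names):
        if dns_parent(n) in names:
            continue
        ancestor = dns_parent(dns_parent(n))
        while ancestor:
            if ancestor in names:
                gaps.append((n, ancestor))
                break
            ancestor = dns_parent(ancestor)
    return gaps


def is_contiguous(domain_names) -> bool:
    """A forest with a single tree has a contiguous namespace."""
    return len(build_trees(domain_names)) == 1


if __name__ == "__main__":
    # Domain names taken from Figure 4.1.
    FIGURE_4_1 = ["Dogs.com", "Labs.dogs.com", "Yellow.labs.dogs.com",
                  "Black.labs.dogs.com", "Cats.com", "Calico.cats.com"]
    for root, members in sorted(build_trees(FIGURE_4_1).items()):
        print(f"tree {root}: {sorted(members)}")
    print("contiguous:", is_contiguous(FIGURE_4_1))
```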
Figure 4.1 The Forest Structure (figure not reproduced; its labels show one forest containing two trees: Dogs.com, marked as the root domain, with child domains Labs.dogs.com, Yellow.labs.dogs.com, and Black.labs.dogs.com, and Cats.com with its child domain Calico.cats.com)
The Role of the Forest
An Active Directory always begins with a forest root domain, which is automatically the first domain you install. This root domain becomes the foundation for additional directory components. As the cornerstone of your enterprise-computing environment, you should protect it well. Fault tolerance and good backups are not optional—they are essential. If an administrative error or hardware failure results in the unrecoverable loss of this root structure, the entire forest becomes inoperable. Certain forest objects and services are only present at the root (for example, the Enterprise Administrators and Schema Administrators groups, and the Schema Master and Domain Naming Master roles). These cannot be easily recreated, depending on the type of failure.
New Forestwide Features
Many of the new features offered by Windows Server 2003 are only available in a forest where you have raised the forest functional level to Windows Server 2003. For more information on functional levels and a breakdown of when these new features become available, see the section Forest and Domain Functional Levels later in the chapter.
Defunct Schema Objects
In Windows 2000 Active Directory, you could deactivate a schema class or attribute. Now,
once your forest has been raised to the Windows Server 2003 functional level, you cannot
only deactivate them, you can even rename and redefine them.This feature protects against
the possibility of one application irreversibly claiming another application’s schema. It
allows for the redefinition of classes and attributes without changing their unique identities.
These items are called reused. If the class or attribute is left deactivated, it is called defunct.

Where this becomes important is where, for example, you make an error in the definition of an attribute. In Windows 2000, the best you can do is deactivate the attribute with the incorrect syntax and create a new one with a different name. If you have an application that requires a certain attribute name, there’s little you can do but operate with the incorrect definition, get by without it altogether, or find a different application. Restoring the schema from a state backup is possible, but risky. Now, with the new functionality of Windows Server 2003, you can deactivate the incorrect attribute and safely create a new one that uses the same object identifier (OID) and Lightweight Directory Access Protocol (LDAP) display name as the old one, but with the correct syntax.
Another case is when an object identifier collision occurs. This is where a needed OID conflicts with an existing one, a situation usually created by mistyping a number. By deactivating the first OID, the second can be created. There are several situations in which classes and attributes cannot be deactivated, and it is an operation that should always be performed with great care and planning.
Domain Rename
This is a complex and sweeping modification to the namespace of a domain. DNS names and NetBIOS names of any child, parent, or forest-root domain can now be changed. As far as Windows Server 2003 Active Directory is concerned, the identity of a domain rests in its domain Globally Unique Identifier (GUID) and its domain SID. Creating new DNS or NetBIOS names will leave those attributes unchanged. The domain rename function is not able to promote a domain to the forest root role. Even if you rename the forest root domain, its role will remain unchanged.
www.syngress.com
The renaming process will temporarily interrupt the functionality of the domain and its interaction with the forest, until the DCs are rebooted. Client workstations will not function properly until they are each rebooted twice. Due to the complexity of the operation, the risks of such a sweeping change, and the unavoidable domain and workstation service interruptions, domain renaming should not be considered a routine operation.

Forest Restructuring
Existing domains can now be moved to other locations within the namespace. During this restructuring, you will manually break and reestablish the appropriate trust relationships among the domains. A requirement for namespace changes, or a need to decrease administrative overhead, typically drives forest restructuring. This reduction in overhead is accomplished by reducing replication traffic, reducing the amount of user and group administration required, and simplifying the administration of Group Policy. The smallest possible number of domains will provide the most efficient design. Minimizing the number of domains reduces administrative costs and increases the efficiency of your organization.
Reasons to restructure include:
• Decommissioning a domain that is no longer needed
• Changing the internal namespace
• Upgrading your network infrastructure to increase your bandwidth and replication capacity, which enables you to combine domains
Before you begin restructuring Windows Server 2003 domains within your forest, make sure that the forest is operating at the Windows Server 2003 functional level.
Universal Group Caching
Before Windows Server 2003, some sites had to make a decision to deploy a Global Catalog (GC) at each remote site regardless of the number of users at that location, because each DC contacts a GC server during a Windows 2000 native mode logon. The problem was that a GC generated a lot of replication traffic and required a lot of disk space, memory, and WAN bandwidth. The solution in Windows Server 2003 is Universal Group caching. Universal Group caching is a new feature of the Windows Server 2003 DC, which caches a user’s complete Universal Group membership. The cache is populated at first logon, and subsequent logons use the cache, which is refreshed periodically.
Some of the benefits of Universal Group caching include faster logon times. Authenticating DCs no longer have to consult a GC to get Universal Group membership information. In addition, you can save the cost of upgrading a server to handle the extra load for hosting the GC. Finally, network bandwidth is minimized because a DC no longer has to handle replication for all of the objects located in the forest.
Application Partitions
Another DC enhancement allows for the creation of application-specific Active Directory partitions, also known as naming contexts. Active Directory stores the information in a hierarchy that can be populated with any type of object except for security principals such as users, groups, and computers. This dynamic body of data can be configured with a replication strategy involving DCs across the entire forest, not just a single domain. With application partitions, you can define as many or as few replicas as you want. Site topologies and replication schedules are observed, and the application objects are not replicated to the GC. Conveniently, application partitions can leverage DNS for location and naming. Windows Server 2003 Web Edition cannot host application partitions because it does not support the DC role.
New & Noteworthy: Active Directory Application Partitions Can Exist on a Non-DC
Another new type of application partition is the Active Directory in Application Mode (ADAM) stand-alone product that allows Windows Server 2003 Web Edition and other member servers and workstations to participate in a form of application partitions without being DCs. It is maintained and replicated independent of the central Active Directory, although it interfaces with directory-enabled Kerberos and NTLM for authentication services. One advantage with this configuration is that schema changes made to support Web-based applications do not have to clutter up the core operating system’s (OS’s) schema. It gives you local control and naming flexibility in addition to the autonomous schema, and can be run on Windows XP or Windows Server 2003. ADAM is sometimes referred to as Active Directory “Light.”
ADAM runs as a non-OS service. This means that multiple instances can run concurrently on a single server, with each instance being independently configurable. It is an extended capability that allows you to deploy Active Directory as a lightweight directory service for the rapid and flexible implementation of directory-enabled applications.
ADAM can be particularly helpful in the following areas:
• Application-specific directories, where you can store “private” directory data relevant only to the application.
• Application developer activities, where ADAM uses the same programming model and administration as Active Directory. This enables the developer to work with a local instance on the developer workstation and then later move the application to Active Directory.
• Extranet Access Management (EAM) solutions, such as hosting user objects that are not Active Directory security principals. This allows you to use LDAP to authenticate non-Windows or external users.
(sidebar continued below)
Install from Backups
The Install from backups feature provides the capability to install a DC using backup media rather than populating the Active Directory through a lengthy replication period. This is especially useful for domains that cross site boundaries using limited WAN connectivity. To do this, back up your directory store using Windows Backup, restore the files at the remote site’s candidate DC, and run dcpromo using the source replication from files option. This also works for GC servers.

Active Directory Quotas
The new Active Directory quotas (not to be confused with disk quotas) are defined as the number of objects that can be owned by a given user in a given directory partition. Fortunately, Domain Admins and Enterprise Administrators are exempt from the quota, and they do not apply at all to the schema partition. Replicated operations do not count toward the quota; only the original operations do. Quota administration is performed through a set of command-line tools, including dsadd, dsmod, dsget, and dsquery. No graphical interface exists for quota administration.
Linked Value Replication
Linked value replication provides an answer to Windows 2000’s limit of 5000 direct group members. Instead of treating a large group as a single replication unit, linked value replication allows a single member to be added or removed from the group during replication, thereby reducing network traffic. Without it, for example, any changes to a 10,000-member distribution group will trigger a complete replication. With a group that large, this would be likely to occur many times in a typical day.
Improved Knowledge Consistency Checker
The Windows 2000 Knowledge Consistency Checker (KCC) would not operate properly within a forest containing more than 200 sites due to the complexity of the inter-site replication topology generator algorithms. The service had to be turned off in that case, and the replication topology had to be managed manually. The Windows Server 2003 KCC can automatically manage replication among up to 5000 sites due to new, more efficient algorithms. In addition, it uses greatly improved topology generation event logging to assist in troubleshooting.

(New & Noteworthy sidebar, continued)
• Migration scenarios, where an organization has an established X.500 directory that must be maintained to serve legacy applications.
Reduced NTDS.DIT Size

The Windows Server 2003 directory takes advantage of a new feature called Single Instance Store (SIS). This limits the duplication of redundant information. The new directory store is about 60 percent smaller than the one in Windows 2000.
Forest Trusts
In Windows NT 4.0, there were few options for the interoperability of business units; for example, either Calico.cats.com trusted Labs.dogs.com or they didn’t. There were no other real options. In addition, if trust existed at all, it tended to be complete. When Windows 2000 introduced the Active Directory, many more options became available so that partnerships and integrated project teams could form on the network just as they did in real life. The problem with that approach was that there always had to be a dominant partner at the root—the playing field could never be completely even.
The idyllic utopia of a single forest cannot handle certain situations. The root owner employs Administrators, Domain Admins, and Enterprise Admins, any of which can gain access to any resource in the forest with nothing more than a little persistence. Domains make good administrative boundaries, and domains and sites make good replication boundaries, but only a forest can provide a viable security boundary.
Understanding the politics of business, Microsoft stepped in with a solution called multiple-forest trusts in Windows Server 2003, which, when used, result in a configuration called federated forests. Without the forest trust, Kerberos authentication between forests would not work. Remember that having two forests means two Active Directory databases and two completely distinct sets of directory objects, such as user accounts. Accessing resources across the federated forest boundary requires a more complex trust path than the one between domains within a single forest. See Figure 4.2 for an example of a multiple-forest trust path.
NOTE
Note that “federated forest” is not a term you’ll find in the Windows Server 2003 Help files. However, this terminology has been used in TechNet articles on Windows Server 2003. For more information on the concept and implementation, see Planning and Implementing Federated Forests in Windows Server 2003: www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windowsserver2003/maintain/security/fedffin2.asp.
Figure 4.2 The Forest Trust Path [diagram: two forests joined by a Forest Trust. The Dogs.com forest has root domain Dogs.com, child domain Labs.dogs.com, and child domains Yellow.labs.dogs.com and Black.labs.dogs.com (hosting the file server Onyx). The Cats.com forest has root domain Cats.com and child domain Calico.cats.com (where the user Tabby logs on). Trust links are labeled Forest Trust, Tree-Root Trust (two of them), and Parent-Child Trust.]
Head of the Class: How Can I Share Resources between Two Active Directories?
Here’s how sharing resources between two Active Directories works. Say that Tabby, a user in the Windows 2000 Calico.cats.com domain, tries to access the public folder on a file server called Onyx in the Windows Server 2003 Black.labs.dogs.com domain as shown in Figure 4.2.
First, Tabby logs on to her workstation using Kerberos authentication and tries to access a public folder on Onyx. Her workstation naïvely contacts one of the Calico.cats.com DCs, which hosts the Kerberos KDC, requesting a service ticket for the service principal name (SPN) of Onyx.black.labs.dogs.com. Naturally, the DC’s database doesn’t contain that information, so it queries the Cats.com GC to see if any of the other domains in its forest contain such a machine. As it turns out, the GC isn’t so global, and Tabby gets an error.
This is because the Windows 2000 GC is limited to its own forest. Tabby wisely purrs and convinces her manager to upgrade their forest to Windows Server 2003. Being very catty, the Enterprise Administrators in Cats.com quickly take care of the
(sidebar continued below)
Routing Hints for Forest Trusts
Routing hints are a new feature of GCs. The problem with creating trusts between forests is that all traditional authentication channels stop at the forest boundary. DCs and traditional GCs are sometimes not enough. When these fail to produce an SPN describing the location of the service being requested, routing hints from the Windows Server 2003 GC help guide the workstation toward the correct forest within the Federated Forest boundary. The GC server does this by checking the forest trust’s trusted domain object (TDO) for trusted name suffixes that match the one found in the destination SPN. The routing hint always goes back to the originating device so that it can resume its search for the SPN location in the other forest. This new functionality has some limitations. If the TDO contains outdated or incorrect information, the hint might be incorrect since the GC does not actually check for the existence of the other forests.
(Head of the Class sidebar, continued)
prerequisites for the establishment of a forest trust with Dogs.com as soon as the upgrade is complete.
This time, instead of generating an error, Tabby’s newly upgraded GC checks its database for forest trusts. When it finds one, it looks at the forest trust trusted domain object to see if its listed name suffixes correspond with the target SPN. Sure enough, a match is found, and it generates a routing hint back to the Calico.cats.com DC, which in turn hints to Tabby’s workstation that it needs to go climb a different tree.
Undaunted, the workstation asks a forest-root DC at Cats.com for a referral to one of the DCs at the forest root of Dogs.com, based on the routing hint just received. This generates more electronic red tape. Now the Calico workstation has to make a request to the Dogs.com KDC for a service ticket to Onyx. Not the brightest bulb in the pack, the KDC has to ask its own GC server in the Dogs.com domain to see if it knows this file server. Being as global as needed this time, a match is found and the SPN goes back to the Dogs.com forest-root KDC, which sends it off to Tabby’s workstation back in the Calico child domain.
Success! Well, almost. Starting all over again, this time with a resolved SPN, the workstation negotiates with the KDC in Calico.cats.com for Tabby to access Onyx, and receives the appropriate server service ticket. Finally, sending the service ticket directly to Onyx through a trust path of one forest trust, two tree-root domain trusts, and one parent and child domain trust, the file server examines Tabby’s credentials and sends her an access token.
Windows Explorer opens and displays the filenames in the \\Onyx\public folder. Tabby, unaware of the complex chain of events set off by her request, accesses the files.
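The GC lookup, TDO name-suffix match, and referral chain described in the Routing Hints section and in the Head of the Class sidebar, as an added Python model that is not part of the book or of any Microsoft code. The TDO structure, the host lists, the trust links, and the stale suffix birds.com are all constructed for this example; the model counts trust hops without reproducing Kerberos ticket contents.

```python
"""Constructed model of forest-trust routing hints (added example, not
Microsoft or book code). A GC that cannot find an SPN in its own forest
consults the forest trust's trusted domain object (TDO) for trusted name
suffixes and returns a routing hint; it never checks that the other forest
really hosts the name, so a stale TDO entry yields a misleading hint."""
from collections import deque
from dataclasses import dataclass


@dataclass
class ForestTrustTDO:
    """The two TDO fields this model needs (assumed structure)."""
    trusted_forest: str      # forest root DNS name the trust points to
    name_suffixes: list      # trusted name suffixes routed to that forest


def spn_host(spn):
    """'cifs/onyx.black.labs.dogs.com' -> 'onyx.black.labs.dogs.com'."""
    return spn.split("/", 1)[-1].lower()


def suffix_matches(host, suffix):
    """True if host sits at or below the DNS suffix (e.g. '*.dogs.com')."""
    suffix = suffix.lstrip("*.").lower()
    return host == suffix or host.endswith("." + suffix)


def gc_lookup(spn, local_hosts, tdos):
    """GC answer: ('local', host) for a host in its own forest, ('hint',
    forest) from the longest matching TDO suffix, else ('error', None).
    A Windows 2000 GC behaves as if tdos were empty (no forest trusts)."""
    host = spn_host(spn)
    if host in local_hosts:
        return ("local", host)
    best = None
    for tdo in tdos:
        for suffix in tdo.name_suffixes:
            if suffix_matches(host, suffix) and (
                    best is None or len(suffix) > len(best[1])):
                best = (tdo.trusted_forest, suffix)
    return ("hint", best[0]) if best else ("error", None)


def trust_path(src, dst, trusts):
    """Shortest chain of transitive trusts (BFS over two-way trust links)."""
    adj = {}
    for a, b in trusts:
        adj.setdefault(a, []).append(b)
        adj.setdefault(b, []).append(a)
    prev, queue = {src: None}, deque([src])
    while queue:
        cur = queue.popleft()
        if cur == dst:
            break
        for nxt in adj.get(cur, []):
            if nxt not in prev:
                prev[nxt] = cur
                queue.append(nxt)
    if dst not in prev:
        return None
    path, node = [], dst
    while node is not None:
        path.append(node)
        node = prev[node]
    return path[::-1]


# Constructed data using the chapter's example names (not real hosts).
CATS_LOCAL_HOSTS = {"dc1.calico.cats.com", "tabby-ws.calico.cats.com"}
CATS_TDOS = [ForestTrustTDO("dogs.com", ["*.dogs.com"])]
# Stale TDO: birds.com is a constructed suffix that no forest hosts.
STALE_TDOS = [ForestTrustTDO("dogs.com", ["*.dogs.com", "*.birds.com"])]
FOREST_TRUSTS = [("calico.cats.com", "cats.com"), ("cats.com", "dogs.com"),
                 ("dogs.com", "labs.dogs.com"),
                 ("labs.dogs.com", "black.labs.dogs.com")]

if __name__ == "__main__":
    spn = "cifs/onyx.black.labs.dogs.com"
    print(gc_lookup(spn, CATS_LOCAL_HOSTS, CATS_TDOS))   # routing hint
    print(trust_path("calico.cats.com", "black.labs.dogs.com", FOREST_TRUSTS))
```

The stale-suffix case shows the limitation the text names: the GC still hands out a hint for birds.com because it matches the TDO, not because Dogs.com can serve it.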
Cross-Forest Authentication
Although some types of data access are supported, Windows Server 2003 does not support NetBIOS name resolution or Kerberos delegation across forests. NTLM authentication for down-level clients continues to be fully supported, however. A Universal Group in one forest might contain global groups from one or more additional forests across any available forest trusts.
Federated Forest, or cross-forest, authentication takes two forms. In the default forest-wide authentication, an “allow-all deny-some” approach is used. In other words, external users have the same level of access to local resources as the local users do. The other form of access control takes the security conscious approach of “deny-all allow-some.” This optional method is called selective authentication, and requires more administrative overhead by granting explicit control over the outside use of local resources. You must set a control access right called allowed to authenticate on an object for the users and groups that need access from another forest. If selective authentication is enabled, an Other Organization SID is associated with the user. This SID is then used to differentiate the external user from local users and determines if an attempt can be made to authenticate with the destination service.
For reliable authentication using Kerberos, system time must be accurate across every workstation and server. Servers are best synchronized with the same time source, while workstations synchronize time with the servers. In an upgraded Active Directory domain, this is usually not a problem. The Windows Server 2003 W32Time service provides time synchronization for all Windows XP and Windows 2003 OSs. Kerberos version 5 is particularly time sensitive and might falsely interpret logon requests as intrusion attempts if the time is off. In that case, user access will be denied. Earlier versions of Windows might need some assistance with the net time command in a logon script to stay current. In a federated forest, individual enterprises can choose to synchronize with different time sources. If these sources diverge, then although each forest is internally consistent, the forests might not agree with each other, resulting in a failure of all cross-forest authentications.
The Role of the Domain
The domain is the starting point of Active Directory. It is the most basic component that can functionally host the directory. Simply put, Active Directory uses the domain as a container of computers, users, groups, and other object containers. Objects within the domain share a common directory database partition, replication boundaries and characteristics, security policies, and security relationships with other domains.
Typically, administrative rights granted in one domain are only valid within that domain. This also applies to Group Policy Objects (GPOs), but not necessarily to trust relationships, which you will learn more about later in the book. Security policies such as the password policy, account lockout policy, and the Kerberos ticket policy are defined on a per-domain basis. The domain is also the primary boundary defining your DNS and NetBIOS namespaces. The DNS infrastructure is a requirement for an Active Directory domain, and should be defined before you create the domain.
There are several good reasons for a multiple domain model, although the best overall practice consists of an empty root domain with a single user domain. Do not install additional domains unless you have a specific reason for them. Some of the more common reasons include:

• Groups of users with different security policy requirements, such as strong authentication and strict access controls.
• Groups of users requiring additional autonomy, or administrative separation for security reasons.
• A requirement for decentralized administration due to political, budgetary, time zone, or policy pressures.
• A requirement for unique namespaces.
• Controlling excessive directory replication traffic by breaking the domain into smaller, more manageable pieces. This often occurs in an extremely large domain, or due to a combination of geographical separation and unreliable WAN links.
• Maintaining a pre-existing NT domain structure.
The primary Active Directory partitions, also called naming contexts, are replicated among all DCs within a domain. These three partitions are the schema partition, the configuration partition, and the domain partition.

• The schema partition contains the classSchema and the attributeSchema objects that make up the directory schema. These classes and attributes define all possible types of objects and object properties within the forest. Every DC in the entire forest has a replica of the same schema partition.
• The configuration partition, replicated identically on all DCs throughout the forest, contains Active Directory’s replication topology and other configuration data.
• The domain partition contains the local domain objects, such as computers, users, and groups, which all share the same security policies and security relationships with other domains. If multiple DCs exist within a domain, they contain a replica of the same domain partition. If multiple domains exist within a forest, each domain contains a unique domain partition.
Since each domain contains unique principals and resources, there must be some way for other domains to locate them. Active Directory contains objects that adhere to a naming convention called the DN, or distinguished name. The DN contains enough detail to locate a replica of the partition that holds the object in question. Unfortunately, most users and applications do not know the DN, or what partition might contain it. To fulfill that