
possible for a user to have several layers of GPOs applied, it is very possible to have conflicting
policies. This section discusses how to evaluate which policy will ultimately apply.
The first concept that needs to be covered is the order in which policies are applied.
The first rule to remember is that a policy always overrides a profile setting. This becomes a
factor as users might be moved from one OU where they use roaming profiles that allow
the user a lot of liberty to configure their own settings. As these users are moved to another
OU where the users’ privileges are more controlled, they might notice that the user profile
settings are overwritten by the OU policies.
The next concept is the order of the application of policies. Group policy is applied in
this order:
1. Local computer policy
2. Site policy
3. Domain policy
4. OU policies, starting with the parent OU and working inward toward the security
object through the child OUs
As an administrator, you still have further control over the application of policies.
Windows Server 2003 Active Directory has two settings that help you with this control: No
Override and Block Inheritance. The No Override setting is set to prevent a child OU
policy setting from overwriting the policy setting of the parent. It does not apply if the
policy setting is not set in the parent GPO.
The Block Inheritance setting allows you to control the inheritance of a policy setting
in the parent by blocking it from being applied to the child. Even though you can set
Block Inheritance, if the No Override option is set, No Override will be the setting
that takes effect.
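The precedence rules above (local, site, domain, parent OU, child OU; last writer wins; Block Inheritance discards links above a container; No Override cannot be blocked or overwritten) can be worked through mechanically. The following Python model is an added example written for this edition, not code from the book or from Microsoft; the container names, GPO names and settings are constructed, and the assumption that the local GPO is processed first and is not affected by Block Inheritance is the editor's, not the chapter's.

```python
from dataclasses import dataclass, field


@dataclass
class Gpo:
    """A Group Policy Object linked to a container (constructed for this example)."""
    name: str
    settings: dict               # setting name -> value
    no_override: bool = False    # "No Override" (called "Enforced" in later tools)


@dataclass
class Container:
    """A site, domain, or OU with its linked GPOs, in link order."""
    name: str
    gpos: list = field(default_factory=list)
    block_inheritance: bool = False   # only meaningful for domains and OUs


def effective_policy(local_gpo, chain):
    """Resolve the settings a user or computer ends up with.

    chain lists containers in application order: site, domain, parent OU, ...,
    the OU holding the target object.  Rules modelled (from the chapter):
      * later containers win over earlier ones (last writer wins);
      * Block Inheritance on a container discards GPOs linked above it;
      * a No Override GPO cannot be blocked, and its settings cannot be
        overwritten by any GPO applied after it.
    Returns (settings, source); source records which link set each value.
    """
    settings, source, locked = {}, {}, set()

    def apply(gpo, where):
        for key, value in gpo.settings.items():
            if key in locked:           # fixed by a No Override link higher up
                continue
            settings[key] = value
            source[key] = f"{where}:{gpo.name}"
            if gpo.no_override:
                locked.add(key)

    # Assumption (not stated in the chapter): the local GPO is processed first
    # and is not subject to Block Inheritance, which only affects links above.
    if local_gpo is not None:
        apply(local_gpo, "local")
    for idx, container in enumerate(chain):
        blocked = any(c.block_inheritance for c in chain[idx + 1:])
        for gpo in container.gpos:
            if blocked and not gpo.no_override:
                continue
            apply(gpo, container.name)
    return settings, source


# Constructed scenario 1: plain nesting Corp > Marketing > Sales, nothing blocked.
def scenario_sales():
    corp = Container("Corp", [Gpo("NoRegedit", {"disable_regedit": True})])
    marketing = Container("Marketing", [Gpo("NoNetEdit", {"disable_net_conn_edit": True})])
    sales = Container("Sales", [Gpo("Saver", {"screensaver": "3D Pipes"})])
    # Sibling OUs (Technical, PR) are not ancestors of Sales, so they never apply.
    return effective_policy(None, [corp, marketing, sales])


# Constructed scenario 2: Tech blocks inheritance from Corp, but Corp's Network
# GPO is set to No Override, so its Registry restriction still wins.
def scenario_tech():
    corp = Container("Corp", [
        Gpo("Desktop", {"wallpaper": "corporate logo"}),
        Gpo("Network", {"disable_regedit": True}, no_override=True),
    ])
    tech = Container("Tech", [
        Gpo("TechLocal", {"wallpaper": "user choice", "disable_regedit": False}),
    ], block_inheritance=True)
    return effective_policy(None, [corp, tech])


if __name__ == "__main__":
    for name, fn in (("Sales", scenario_sales), ("Tech", scenario_tech)):
        settings, source = fn()
        print(name)
        for key in sorted(settings):
            print(f"  {key} = {settings[key]!r}  (from {source[key]})")
```

Drawing the OU tree, as the tip below suggests, amounts to writing down the `chain` argument; the model then shows why the Tech OU keeps the Registry restriction despite Block Inheritance, which is exactly the No Override-beats-Block-Inheritance rule stated in the text.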
TEST DAY TIP
You might encounter questions on the exam that require you to evaluate a number
of different GPOs applied at site, domain, and OU level and determine the effective
policy for a particular user, computer, or OU. It is helpful, in these situations, when
there are multiple nested OUs, to draw a diagram of the OU structure to help you
see the relationships between parent and child containers.
www.syngress.com
Working with Trusts and Organizational Units • Chapter 5 411
256_70-294_05.qxd 9/4/03 4:30 PM Page 411
Summary of Exam Objectives
In this chapter, we covered several of the Microsoft exam objectives. The first of these
objectives is to establish trust relationships. Trust relationships are the relationships established
between domains, trees, and forests so users in one domain can access the resources
in another domain. This could be accomplished by creating new user accounts for the
people who need to access the resources, but doing so would add to the administrative
overhead of the domain. Microsoft developed a better solution: trust relationships.
Trusts come in many flavors to meet the needs of the situation where users in one
domain need access to the resources in another domain. First, there are the default trusts
created between parent and child domains. These trusts are automatically created to simplify
usage of resources in a tree. The network administrator can create additional types of trusts
such as external, shortcut, realm, and forest trusts. External trusts link two external domains.
Shortcut trusts simplify the authentication paths needed to authenticate users. Realm trusts
are created to connect a non-Windows network to a Windows Server 2003 domain. Forest
trusts link forests together in the enterprise.
As you create these additional trust types, you can determine whether the trust will
work in one direction only, or if it can work in both directions. When the trust works in
both directions, it is called a two-way or bidirectional trust, and users in both domains have
access to resources in both domains.
Another issue is whether the trust is transitive. A transitive trust “passes” through one
trusted domain to another. A transitive trust implies a trust relationship when more than
two domains are involved. If Domain A trusts Domain B, and Domain B trusts Domain C,
then Domain A trusts Domain C. This is sometimes not the effect you want when creating
trusts. The administrator has control over the transitive nature of the trust. As a further
protection, SID filtering helps prevent elevation of privilege attacks that could
potentially be launched by rogue users who have administrative access in the trusted
domain.
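The direction and transitivity rules summarized above decide whether a user in one domain can reach resources in another. The following Python model is an added example for this edition, not code from the book; the domain names, trust kinds and the sample forest layout are constructed. It generalizes the "A trusts B, B trusts C" case to any chain: a direct trust of any kind works, a multi-hop path works only if every hop is transitive, and (a rule the chapter does not spell out but which holds for Windows Server 2003 forest trusts) a path may use at most one forest trust, since a forest trust does not extend to a third forest.

```python
from collections import deque
from dataclasses import dataclass

# Trust kinds named in the chapter.  External trusts are never transitive; a
# forest trust is transitive between the two forests it joins but does not
# extend to a third forest reached through another forest trust.
TRANSITIVE = {"parent-child", "tree-root", "shortcut", "forest"}
NON_TRANSITIVE = {"external"}


@dataclass(frozen=True)
class Trust:
    trusting: str            # domain that holds the resources
    trusted: str             # domain whose users are accepted
    kind: str
    two_way: bool = True


def build_graph(trusts):
    """Map each trusting domain to the (trusted domain, kind) edges it holds."""
    graph = {}
    for t in trusts:
        graph.setdefault(t.trusting, []).append((t.trusted, t.kind))
        if t.two_way:
            graph.setdefault(t.trusted, []).append((t.trusting, t.kind))
    return graph


def _unwind(parents, state):
    path = []
    while state is not None:
        path.append(state[0])
        state = parents[state]
    return path[::-1]


def trust_path(graph, resource_domain, user_domain):
    """Return the chain of domains through which resource_domain trusts
    user_domain, or None when no usable path exists (breadth-first search,
    so the shortest usable chain is returned)."""
    if resource_domain == user_domain:
        return [resource_domain]
    start = (resource_domain, 0)          # (domain, forest trusts used so far)
    parents = {start: None}
    queue = deque([start])
    while queue:
        domain, forest_hops = queue.popleft()
        for nxt, kind in graph.get(domain, []):
            if nxt == user_domain and domain == resource_domain:
                return [resource_domain, nxt]     # a direct trust of any kind works
            if kind in NON_TRANSITIVE:
                continue                          # external: cannot be chained
            hops = forest_hops + (1 if kind == "forest" else 0)
            if hops > 1:
                continue                          # would chain two forest trusts
            state = (nxt, hops)
            if state in parents:
                continue
            parents[state] = (domain, forest_hops)
            if nxt == user_domain:
                return _unwind(parents, state)
            queue.append(state)
    return None


def constructed_trusts():
    """Sample layout (made up): one forest with a grandchild domain, a forest
    trust to a second forest, a further forest trust from that second forest,
    and a one-way external trust to a partner domain."""
    return build_graph([
        Trust("mycompany.com", "hr.mycompany.com", "parent-child"),
        Trust("hr.mycompany.com", "denver.hr.mycompany.com", "parent-child"),
        Trust("mycompany.com", "yourcompany.com", "forest"),
        Trust("yourcompany.com", "eu.yourcompany.com", "parent-child"),
        Trust("yourcompany.com", "other.example", "forest"),
        Trust("mycompany.com", "partner.local", "external", two_way=False),
    ])


if __name__ == "__main__":
    g = constructed_trusts()
    for res, usr in [("mycompany.com", "denver.hr.mycompany.com"),
                     ("hr.mycompany.com", "partner.local"),
                     ("mycompany.com", "other.example")]:
        print(f"{res} trusts {usr}: {trust_path(g, res, usr)}")
```

The `trust_path` result is also a useful audit view: every domain it lists is one whose administrators are implicitly relied upon for the resource domain's access decisions, which is why the chapter pairs transitivity with SID filtering.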
The second part of this chapter covered working with organizational units (OUs). An
OU is a container used to organize the resources and users of the domain. OUs can contain
computers, users, groups of users, printers, shared directories, and other OUs. As the corporate
infrastructure shifts, it is easy to move objects inside the Active Directory structure
from one OU to another.
One of the major reasons for creating an OU is to apply policy settings that affect the
Windows environment, security, and applications to the members of the OU. This is accomplished
using Group Policy Objects (GPOs). Another major reason for creating OUs is to be
able to delegate control to a local manager or supervisor. This empowers local supervisors
with the ability to manage the users and computers within their realm of control.
Trusts and OUs are both important components of a Windows Server 2003 network,
and thus it is important to understand both, not only to master the objectives of Exam
70-294, but to perform the duties of a network administrator.
Exam Objectives Fast Track
Working with Active Directory Trusts
- Trusts allow users in one domain to access resources in another domain without
having to create additional accounts in the domain with the resources.
- Whenever a child domain is created, two-way transitive trusts are automatically
created between the parent and the child.
- Realm trusts are created to join a Windows Server 2003 domain to a non-Windows
Kerberos realm.
- Forest trusts are created between the root domains of two forests to allow users in
one forest to access resources in the other forest.
- SID filtering is a security device that uses the domain SID to verify each security
principal.
Working with Organizational Units
- OUs are Active Directory containers that can have users, groups, printers, shared
folders, computers, and other OUs as members.
- OUs are created to help organize objects in the Active Directory; they are not
security principals.
- The smallest scope to which a GPO can be assigned is an OU.
- Control of the OU can be delegated to other users to simplify the task of
administration.
Planning an OU Structure and Strategy for Your Organization
- Create separate domains when you need decentralization of administrative
functions and for GPOs that use different Password and Account Lockout
Policies.
- You must delegate control over an OU for others to be able to manage the OU.
- GPOs are applied first to the local computer, then to the site, then to the domain,
then to parent OUs, and finally to child OUs.
- You can control application of GPOs to child domains by using Block
Inheritance or by setting No Override.
Exam Objectives Frequently Asked Questions
The following Frequently Asked Questions, answered by the authors of this book, are
designed to both measure your understanding of the Exam Objectives presented in
this chapter, and to assist you with real-life implementation of these concepts. You
will also gain access to thousands of other FAQs at ITFAQnet.com.
Q: What are the differences between external, realm, and shortcut trusts?
A: An external trust is created to establish a relationship with a domain outside your tree
or forest. A realm trust is created to establish a relationship with a non-Microsoft network
using Kerberos authentication. A shortcut trust is used to optimize the authentication
process.
Q: What type of trust is needed to have users in a non-Windows Kerberos realm use
resources in a Windows 2003 domain?
A: A realm trust will allow users in the non-Windows Kerberos realm to have access to the
resources in a Windows 2003 domain.
Q: What type of trust needs to be created between the root domain and a domain that is
several layers deep inside the same tree?
A: None. Transitive two-way trusts are automatically created between the layers of the tree
structure.
Q: What is the difference between implied, implicit, and explicit trusts?
A: An implicit trust is one that is automatically created by the system. An example is the
trusts created between parent and child domains. An explicit trust is one that is manually
created. An example is a forest trust between two trees. An implied trust is one that
is implied because of the transitive nature of trusts. An example is the trust between
two child domains that are in different trees, and a tree-root trust was created between
the roots of the trees.
Q: What exactly does SID filtering accomplish?
A: SID filtering is used to secure a trust relationship where the possibility exists that
someone in the trusted domain might try to elevate his or her own or someone else’s
privileges.
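The SID filtering answer above, and the Fast Track point that filtering "uses the domain SID to verify each security principal", describe a check that is easy to picture in code. The following Python model is an added example for this edition, not code from the book or from Windows; it is a simplified version of the real mechanism (Windows also keeps a short list of well-known exceptions and applies extra rules to low RIDs, which are not modelled here), and every SID value shown is constructed.

```python
import re

# Domain-scoped SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>; everything before the
# RID is the domain SID that SID filtering compares against the trusted domain.
_DOMAIN_SID = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")


def domain_of(sid):
    """Return (domain SID, RID) for a domain-scoped SID, else (None, None)."""
    m = _DOMAIN_SID.match(sid)
    return (m.group(1), int(m.group(2))) if m else (None, None)


def filter_sids(incoming_sids, trusted_domain_sid):
    """Simplified SID filtering on a trust.

    Keep SIDs that belong to the trusted domain, and SIDs that are not
    domain-scoped at all (well-known SIDs such as Authenticated Users).  Drop
    every SID that names some other domain: that is where a SIDHistory entry
    pointing at a privileged group in the trusting domain would otherwise ride
    in.  Returns (kept, dropped).
    """
    kept, dropped = [], []
    for sid in incoming_sids:
        domain, _rid = domain_of(sid)
        if domain is None or domain == trusted_domain_sid:
            kept.append(sid)
        else:
            dropped.append(sid)
    return kept, dropped


# Constructed sample values; both domain SIDs are made up.
PARTNER_DOMAIN_SID = "S-1-5-21-1111-2222-3333"   # the trusted (partner) domain
OUR_DOMAIN_SID = "S-1-5-21-9999-8888-7777"       # the trusting (resource) domain


def sample_authorization_data():
    """What a partner user's ticket might carry across the trust (constructed)."""
    return [
        PARTNER_DOMAIN_SID + "-1105",   # the partner user's own SID
        PARTNER_DOMAIN_SID + "-1200",   # a universal group in the partner domain
        "S-1-5-11",                     # Authenticated Users (well-known, kept)
        OUR_DOMAIN_SID + "-512",        # SIDHistory entry claiming OUR Domain Admins RID
    ]


def demo():
    return filter_sids(sample_authorization_data(), PARTNER_DOMAIN_SID)


if __name__ == "__main__":
    kept, dropped = demo()
    print("kept:   ", kept)
    print("dropped:", dropped)
```

The dropped list is the one worth logging in a real deployment: a foreign SID that names the trusting domain's own privileged RIDs is the signature of the elevation attempt the chapter warns about, and the filter's job is simply to make sure it never reaches an access check.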
Q: What is the difference between an OU, site, and domain?
A: All three are containers to which a GPO can be assigned. The domain is the basic
building block of the organization. It can contain the other container types, site and
OUs. The site is a container that will represent the physical layout of the organization.
An OU is a logical container that can be used to implement security policies, run
scripts, deploy applications, and delegate authority for granular administrative control.
Q: What is the difference between an OU and a security principal?
A: A security principal is a user, group, computer, or service that holds an account and can
be given access to resources. An OU is a container that is used to organize objects in
the Active Directory. OUs are also boundary units that are used to apply the security
settings from a GPO.
Q: How and why is control of an OU delegated?
A: Control over an OU is delegated to put the responsibility for the OU in the appropriate
hands. Control is often delegated to the manager or supervisor responsible for
the users and computers in the OU. You delegate control by right-clicking on the OU
in Active Directory Users and Computers and selecting Delegate Control from
the menu. This launches the Delegation of Control wizard. You can also set the user
account that has management responsibilities from the Managed By tab in the OU’s
properties.
Q: How are GPOs applied?
A: GPOs applied to user configuration are applied as part of the logon process, whereas
GPOs applied to computer configuration are applied as part of the boot process. First,
any GPOs linked to the local computer are applied, followed by the site, then the
domain, and finally the OUs. GPOs linked to the parent OU are applied first followed
by the GPOs linked to the child. If a conflict exists in the settings of the various GPOs,
the one applied last takes precedence.
Self Test
A Quick Answer Key follows the Self Test questions. For complete questions, answers,
and explanations to the Self Test questions in this chapter as well as the other
chapters in this book, see the Self Test Appendix.
Working with Active Directory Trusts
1. You are administering two domains, mycompany.com and denver.hr.mycompany.com.
Users in denver.hr.mycompany.com need to access resources in mycompany.com. You
want to optimize the trust relationships. What type of trust should you create to
allow this?
A. Cross-domain trust
B. Shortcut trust
C. External trust
D. None
2. Your company, mycompany.com, is merging with the yourcompany.com company.
The details of the merger are not yet complete. You need to gain access to the
resources in the yourcompany.com company before the merger is completed. What
type of trust relationship should you create?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree Root trust
3. Your boss just informed you that your company will be participating in a joint venture
with a partner company. He is very concerned about the fact that a trust relationship
needs to be established with the partner company. He fears that an administrator
in the other company might be able to masquerade as one of your administrators and
grant himself privileges to resources. You assure him that your network and its
resources can be protected from an elevated privilege attack. Along with the other
security precautions that you will take, what will you tell your boss that will help him
rest easy about the upcoming scenario?
A. The permissions set on the Security Accounts Manager (SAM) database will prevent
the other administrators from being able to make changes.
B. The SIDHistory attribute tracks all access from other domains. Their activities can
be tracked in the System Monitor.
C. The SIDHistory attribute from the partner’s domain attaches the domain SID for
identification. If an account from the other domain tries to elevate its own or
another user’s privilege, the SID filtering removes the SID in question.
D. SID filtering tracks the domain of every user who accesses resources. The
SIDHistory records this information and reports the attempts to the Security log
in Event Viewer.
4. You recently completed a merger with yourcompany.com. Corporate decisions have
been made to keep the integrity of both of the original companies; however, management
has decided to centralize the IT departments. You are now responsible for
ensuring that users in both companies have access to the resources in the other company.
What type of trust should you create to solve the requirements?
A. Forest trust
B. Shortcut trust
C. External trust
D. Tree Root trust
5. You recently created a trust relationship with a partner company for collaboration on
a joint project. This partner company has many such joint projects and has many trust
relationships with other companies. You created a share containing all the files needed
for the joint project. You worked with the partner company’s administrator and added
your project members to one of his existing universal groups that contains all of the
members in his domain who need access to the project files. You added them to the
permissions on the folder and the permissions on the share. You granted the universal
group Read access to the share permission and Read & Execute access to the folder
via NTFS permissions. SID Filtering has been enabled. The users in the universal
group are now complaining that they cannot gain access to the project’s files. What do
you need to do to fix the problem?
A. You need to upgrade the level of permissions on the folder to Modify so that the
universal group can have access.
B. You need to upgrade the level of permissions to Change on the share so that the
universal group can have access.
C. You need to break the trust relationship and recreate it; it has a corrupted file.
D. You need to have the domain administrator from the partner domain verify that
only members from his domain are in the universal group.
Working with Organizational Units
6. The development team of your company has started a new research project. They want
to ensure that only the members of their project team are allowed to see the new directories
that they create. You created a new OU that contains the user accounts of the
development team, the computers they will be using, a shared folder where they are
going to place their research documents, and several printers that are to be isolated from
the rest of the company. They are concerned about who will have access to the new
directories. How will you protect the directories from unauthorized access?
A. Create a GPO that will limit access to the directories. Apply the GPO to the new
OU.
B. Create a GPO that will limit access to the directories. Apply the GPO to the
domain.
C. Create a security group that contains the members of the research group. Remove
the Everyone group from the ACL. Add the new group to the ACL and grant it
the appropriate permissions.
D. Do nothing. Since the directories and files are part of an OU, no one outside the
OU can access them.
7. You created three OUs for your domain: one called Corp, and two child OUs called
Sales and Tech. You create two GPOs, one called Desktop the other called Network. The
Desktop GPO specifies the desktop settings for all users. The Network GPO specifies
the network and Registry policies. The Registry policy prohibits users from being
able to edit the Registry. You first apply the Desktop GPO to the Corp OU and then
apply the Network GPO to the Corp OU. You want the members of the Tech OU to
be able to modify Registry settings. What should you do?
A. Nothing; because the GPOs were not applied to the Tech OU, they will not affect
the users.
B. Nothing; because you applied the Desktop GPO first, the Desktop GPO will not
take effect.
C. You should set No Override on the Tech OU so that its settings are not overridden.
D. You should set Block Inheritance on the Tech OU so that the settings from the
parent OU are not applied to the child OU.
8. Your Active Directory domain has one site and five OUs. Marketing and Technical are
child OUs to the Corp OU. The Marketing OU is a parent to the Sales and PR OUs.
You are using GPOs to configure environment and security policies on the network.
The following restrictions are in place:
- Corp OU: Disable Registry editing tools for all users
- Marketing OU: Disable modification of network connections for all users
- Technical OU: Corporate logo as desktop wallpaper for all users
- Sales OU: 3D Pipes screensaver for all users
- PR OU: High Contrast #1 color scheme for all users
Which restriction or restrictions will be in place for users in the Sales OU? (Choose
all that apply.)
A. Disable Registry editing tools for all users.
B. Disable modification of network connections for all users.
C. Corporate logo as desktop wallpaper for all users.
D. 3D Pipes screensaver for all users.
E. High Contrast #1 color scheme for all users.
9. You have an OU called Support. You have a GPO called RegEdit. The only setting in
the RegEdit GPO is that the use of the Registry editing tools has been disabled in
the User Configuration node. For performance reasons, the decision has been made to
limit the numbers of GPOs that are processed at logon. The decision has been made
to remove the requirement to disable the use of the Registry editing tools. What
should your course of action be to implement the new decisions?
A. Remove the RegEdit GPO from the Support OU.
B. Create a new GPO that enables the use of the Registry editing tools. Apply the
new GPO to the Support OU.
C. Edit the Registry on the computers used by the Support OU that will allow for
use of the Registry editing tools.
D. Configure a local GPO to allow the use of the Registry editing tools. Set the No
Override option to this policy.
10. You created three OUs for your domain: one called Corp, and two child OUs called
Sales and Tech. You create two GPOs, one called Desktop and the other called Network.
The Desktop GPO specifies the desktop settings for all users. The Network GPO
specifies the network and Registry policies. The Desktop policy prohibits users from
being able to change their wallpaper. You first apply the Desktop GPO to the Corp
OU, and then apply the Network GPO to the Corp OU. You delegated control of the
OU to the senior member of the Tech group. Later, the Tech OU manager modifies
the Desktop GPO to allow his users to change their wallpaper. What should you do
to ensure that their changes will not take effect?
A. Nothing, since the GPOs were not applied to the Tech OU, they will not affect
the users.
B. You should set No Override on the Tech OU so that its settings are not overridden.
C. You should set No Override on the Corp OU so that its settings are not overridden.
D. You should set Block Inheritance on the Tech OU so that the settings from the
parent OU are not applied to the child OU.
11. Your network consists of a single domain and five OUs. The parent OU is named Corp.
Corp has two child OUs, First Floor and Second Floor. The First Floor OU has one child
OU, Sales. The Second Floor OU has one child OU, Administration. All of the company’s
DCs are members of the Corp OU. The First Floor and Second Floor OUs contain the
resources that belong to their respective floors. The Sales OU has nonadministrative
computers, users, and groups. The Administration OU has the administration computers,
users, and groups. You need to design a domainwide security policy that will accomplish
the following goals:
- All users need to have the same password and lockout policy.
- Audit policies are required for only the DCs.
- The nonadministrative computers do not need the same level of security applied
to them as is required for the administrative computers.
- The number of group policies to be processed at logon needs to be minimized.
You take the following actions:
- Create a single GPO.
- Import a security template for the DCs.
- Link the GPO to the domain.
Which of the desired results are achieved by your actions?
A. All users have the same password and lockout policy.
B. Audit policies implemented only on the DCs.
C. The nonadministrative computers have the same level of security applied to them
as is required for the administrative computers.
D. The number of group policies to be processed at logon is minimized.
Planning an OU Structure and Strategy for Your Organization
12. Your Active Directory domain consists of one site. You have three OUs. The Corp OU
is a parent OU to the Sales OU and Training OU. You have specified restrictions in various
group policies and included them in GPOs. On the Corp OU, there is a linked
GPO, which prevents users from using Registry editing tools. The Sales OU has a linked
GPO that specifies a company logo as the desktop for all users. The Training OU has a
linked GPO that disables users from modifying network connections. All other group
policy settings are set to defaults. What restrictions (if any) will users in the Sales OU be
under when they log on to the network? (Choose all that apply.)
A. They cannot edit the Registry.
B. They have the company logo as their desktops.
C. They cannot modify network connections.
D. They will have no restrictions.
13. You have been tasked to ensure that network security policies are in place, and standards
are implemented for users’ configurations. The network is a single Active Directory
domain network. There are five OUs: Corp, Sales, Marketing, Development, and
Technical. The Corp OU is a parent OU to all other OUs. You are given the following
list of objectives to meet:
- All users must be prohibited from editing their Registries.
- All users must have a password of at least eight characters.
- Users in the Sales and Marketing OUs must not be able to store more than
50MB of data on any server.
- Users in the Development OU must change their passwords every 30 days.
- All policy settings should only affect their intended targets.
Which of the following solutions will accomplish all of your objectives?
A. Create a GPO called Policy, with settings prohibiting users from using Regedit,
and requiring passwords of at least eight characters. Link Policy to the Corp OU.
Create a GPO called Data, with disk quotas set at 50MB. Link Data to the Sales
OU and to the Marketing OU. Create a GPO called Password, making users
change their passwords every 30 days. Link Password to the Development OU.
B. Create a GPO called Policy, with settings prohibiting users from using Regedit,
and requiring passwords of at least eight characters. Link Policy to the domain.
Create a GPO called Data, with disk quotas set at 50MB. Link Data to the Corp
OU. Create a GPO called Password, making users change their passwords every
30 days. Link Password to the Development OU.
C. Create a GPO called Policy, with settings prohibiting users from using Regedit,
and requiring passwords of at least eight characters. Link Policy to the Corp OU.
Create a GPO called Data, with disk quotas set at 50MB. Link Data to the Corp
OU. Create a GPO called Password, making users change their passwords every
30 days. Link Password to the Corp OU.
D. Create a GPO called Policy. In Policy, define settings prohibiting users from using
Regedit, requiring passwords of at least eight characters, setting disk quotas at
50MB, and a maximum password age of 30 days. Link Policy to the Corp OU.
14. Your Active Directory domain has two OUs. The Corp OU is a parent OU to the
Technical OU. You have implemented a GPO linked to the Corp OU. You do not
want those settings affecting the users in the Technical OU. How can you accomplish
this with minimal effort?
A. On the GPO linked to the Technical OU, select Block Policy inheritance.
B. On the GPO linked to the Corp OU, select Block Policy inheritance.
C. On the GPO linked to the Technical OU, negate any options set in the Corp OU
by choosing Disabled for those options.
D. On the GPO linked to the Technical OU, select No Override.
15. John Smith is a junior network administrator for your company. His user account is
JSmith. You want him to take charge of linking all network group policies to the
appropriate OUs. Because of his experience level, you do not want him to have additional
controls over the OUs. What is the easiest way to accomplish this?
A. Use the Delegation of Control Wizard. Select JSmith, and check Create, delete,
and manage groups.
B. Use the Delegation of Control Wizard. Select JSmith, and check Manage Group
Policy links.
C. Use the Delegation of Control Wizard. Select JSmith, and check Create and
Modify Group Policy.
D. Use the Delegation of Control Wizard. Select JSmith, and check Apply Group
Policy.
Self Test Quick Answer Key
For complete questions, answers, and explanations to the Self Test questions in this
chapter as well as the other chapters in this book, see the Self Test Appendix.
1. D
2. C
3. C
4. A
5. D
6. C
7. D
8. A, B, D
9. A
10. C
11. A, D
12. A, B
13. A
14. A
15. B
Chapter 6
Working with Active Directory Sites
MCSA/MCSE 70-294
Exam Objectives in this Chapter:
1.4 Implement an Active Directory site topology.
2.2 Manage an Active Directory site.
2.2.3 Configure site boundaries.
1.4.1 Configure site links.
2.2.2 Configure site link costs.
2.2.1 Configure replication schedules.
2.5.1 Diagnose and resolve issues related to Active Directory replication.
1.4.1 Configure site links.
2.3 Monitor Active Directory replication failures. Tools might include Replication
Monitor, Event Viewer, and support tools.
2.3.1 Monitor Active Directory replication.
2.3.2 Monitor File Replication service (FRS) replication.
Introduction
In the previous chapter, we saw the logical structure of the network as defined by forests
and domains. Sites and the subnets, of which sites are comprised, define the physical structure
of an Active Directory network. Sites are important in an enterprise-level multiple
location network for creating a topology that optimizes the process of replicating Active
Directory information between domain controllers (DCs). Sites are used for replication and
for optimizing the authentication process by reducing authentication traffic across slow,
high-cost WAN links. Site and subnet information is also used by Active Directory-enabled
services to help clients find the nearest service providers.
In this chapter, we discuss the role of sites in the Active Directory infrastructure, and
how replication, authentication, and distribution of services information work within and
across sites. We explain the relationship of sites with domains and subnets, and how to create
sites and site links.
You’ll also learn about site replication and how to plan, create, and manage a replication
topology. We’ll walk you through the steps of configuring replication between sites, and discuss
how to troubleshoot replication failures.
Understanding the Role of Sites
In today’s distributed network environment, communication must always be rapid and
reliable. Geographical and other restrictions resulted in the need to create smaller networks,
known as subnets. These subnets provide rapid and reliable communication between locations,
which can also be attained in larger networks by using Microsoft Windows Server
2003 Active Directory Sites. Sites ensure rapid and reliable communication by using the
methods offered by Microsoft Windows Server 2003 Active Directory Sites to regulate
inter-subnet traffic.
A site defines the network structure of a Windows Server 2003 Active Directory. A site
consists of multiple Internet Protocol (IP) subnets linked together by rapid and reliable connections.
The primary role of sites is to increase the performance of a network by economic
and rapid transmission of data. The other roles of sites are replication and
authentication. The Active Directory physical structure manages when and how the authentication
and replication must take place. The Active Directory physical structure allows the
management of Active Directory replication scheduling between sites. The performance of
a network is also based on the location of objects and logon authentication as users log on to
the network.
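A site is a set of IP subnets, and the introduction notes that clients use site and subnet information to find the nearest service providers (for logon, the nearest DCs). The lookup underneath that is a longest-prefix match of the client's address against the subnet objects. The following Python example is added for this edition and is not code from the book or from Windows; the subnet ranges, site names and DC names are constructed, and the fall-back of "any DC at all" for a client whose subnet is not assigned to a site is the editor's simplification.

```python
import ipaddress

# Constructed subnet-to-site assignments, of the kind an administrator enters
# in Active Directory Sites and Services.  Names and ranges are made up.
SUBNETS = {
    "10.1.0.0/16": "Denver",
    "10.1.5.0/24": "Denver-Lab",     # more specific than 10.1.0.0/16, so it wins
    "10.2.0.0/16": "Chicago",
    "2001:db8:10::/48": "Chicago",
}


def build_subnet_table(mapping):
    """Parse CIDR strings once into network objects paired with their site."""
    return [(ipaddress.ip_network(cidr), site) for cidr, site in mapping.items()]


def site_for(address, table):
    """Return the site whose most specific subnet contains the address, or None
    when no subnet object covers it (an unassigned subnet)."""
    ip = ipaddress.ip_address(address)
    best = None
    for net, site in table:
        if ip.version == net.version and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return best[1] if best else None


def nearest_dcs(address, table, dcs_by_site):
    """Prefer the DCs of the client's own site; if the client's subnet is not
    mapped to any site, fall back to every DC (simplification, see lead-in)."""
    site = site_for(address, table)
    own = dcs_by_site.get(site, [])
    return own or [dc for dcs in dcs_by_site.values() for dc in dcs]


# Constructed DC placement (hostnames are made up).
DCS_BY_SITE = {
    "Denver": ["dc1.mycompany.com"],
    "Denver-Lab": ["dc3.mycompany.com"],
    "Chicago": ["dc2.mycompany.com"],
}

if __name__ == "__main__":
    table = build_subnet_table(SUBNETS)
    for client in ("10.1.5.7", "10.1.9.9", "10.2.0.1", "2001:db8:10::5", "192.168.1.1"):
        print(client, "->", site_for(client, table), nearest_dcs(client, table, DCS_BY_SITE))
```

The unassigned-subnet case (192.168.1.1 above) is the one to watch for operationally: a client on a subnet that no site claims cannot be steered to a nearby DC, which is the usual cause of logon traffic crossing a WAN link the site design was meant to protect.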
TEST DAY TIP
As a network administrator, you must be familiar with the various roles and services
offered by the Active Directory Sites. You needn’t worry about memorizing every
detail for this particular exam. What you do have to know are the basics of how each
role and service of Active Directory Sites works, and how Active Directory Sites can
be used efficiently in terms of data transmission as part of a large network.
Replication
Replication is the practice of transferring data from a data store on a source computer to an identical data store on a destination computer so that the two stay synchronized. In a network, the directory data must live in one or more places so that it is equally available to all users. The Active Directory directory service maintains a replica of the directory data on one or more DCs, ensuring that the directory is available to all users. Active Directory uses sites to perform replication efficiently, and uses the Knowledge Consistency Checker (KCC) to choose the best replication topology for the network automatically.
NOTE
The KCC is a process that runs on every DC and automatically identifies the most efficient replication topology for the network, based on the site, subnet, and site link information defined in Active Directory Sites and Services.
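As an added example (not from this book), the following PowerShell shows how a practitioner would check what the KCC actually built and whether the replication partners it chose are healthy. It assumes the ActiveDirectory PowerShell module and repadmin.exe from RSAT on a Windows Server 2012 or later DC, tooling that postdates the Windows Server 2003 Sites and Services snap-in described in this chapter; the DC it inspects is whatever machine the script runs on, and the 24-hour staleness threshold is an arbitrary choice.

```powershell
# Added example (not from the original text): inspect the replication topology the KCC
# generated and report partners that are failing. Assumes the ActiveDirectory module
# (RSAT, Windows Server 2012 or later) and repadmin.exe; run on a DC or an admin host.
Import-Module ActiveDirectory

function Get-DcNameFromDn {
    # Connection objects refer to DCs by the DN of their NTDS Settings object, e.g.
    # "CN=NTDS Settings,CN=DC1,CN=Servers,CN=Chicago,CN=Sites,CN=Configuration,...".
    param([string]$Dn)
    if ($Dn -match 'CN=NTDS Settings,CN=([^,]+),CN=Servers,CN=([^,]+),') {
        [pscustomobject]@{ Dc = $Matches[1]; Site = $Matches[2] }
    } else {
        [pscustomobject]@{ Dc = $Dn; Site = '?' }
    }
}

function Get-KccTopology {
    # One row per connection object. AutoGenerated = True means the KCC owns it and will
    # rebuild it as the site topology changes; a manually created connection is left alone
    # by the KCC, so such rows deserve a second look whenever sites or links are changed.
    Get-ADReplicationConnection -Filter * | ForEach-Object {
        $to   = Get-DcNameFromDn $_.ReplicateToDirectoryServer
        $from = Get-DcNameFromDn $_.ReplicateFromDirectoryServer
        [pscustomobject]@{
            ToSite        = $to.Site
            ToDc          = $to.Dc
            FromSite      = $from.Site
            FromDc        = $from.Dc
            InterSite     = ($to.Site -ne $from.Site)
            AutoGenerated = [bool]$_.AutoGenerated
        }
    } | Sort-Object ToSite, ToDc
}

function Get-ReplicationProblems {
    # Partners of one DC whose last attempt failed or that have not succeeded recently.
    param(
        [string]$DomainController = $env:COMPUTERNAME,
        [int]$MaxHoursSinceSuccess = 24
    )
    $cutoff = (Get-Date).AddHours(-$MaxHoursSinceSuccess)
    Get-ADReplicationPartnerMetadata -Target $DomainController -Scope Server |
        Where-Object {
            $_.LastReplicationResult -ne 0 -or
            $_.ConsecutiveReplicationFailures -gt 0 -or
            $_.LastReplicationSuccess -lt $cutoff
        } |
        Select-Object Partition,
            @{ n = 'Partner'; e = { (Get-DcNameFromDn $_.Partner).Dc } },
            LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
}

# Show the topology, ask the KCC on this DC to recompute it right away (it normally
# runs every 15 minutes), then re-check the partners.
Get-KccTopology | Format-Table -AutoSize
& repadmin.exe /kcc $env:COMPUTERNAME | Out-Null
Get-ReplicationProblems | Format-Table -AutoSize
```

An empty result from Get-ReplicationProblems is the healthy case; a row whose LastReplicationResult is non-zero is a Win32 error code that repadmin /showrepl on the same DC will describe in words.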
Authentication
Authentication is the process by which a system validates users, using the logon information they provide. The authentication process includes confirming the source and integrity of information, such as verifying the identity of a user or computer. Information such as the user's name and password is verified against the data available to the system. If the system finds a match, access is granted and an access token is generated; that token is subsequently used to determine the user's level of access to objects according to the DACLs on those objects. Granting a level of access based on permissions is called authorization.
An important characteristic of authentication in the Windows Server 2003 family is its support for single sign-on. The single sign-on feature allows a user to log on to the network once, using a single password, and then authenticate to any computer in the network without re-entering credentials.
The single sign-on feature offers the following security advantages:
- For a user, a single password reduces confusion and increases the user's working efficiency.
- For administrators, the administrative support needed for authenticating domain users is reduced, since the administrator needs to maintain only one account per user.
EXAM WARNING
Make sure you are familiar with the advantages of the single sign-on feature and
how it works.
Windows Server 2003 uses two methods to carry out authentication:
- Interactive logon authentication
- Network authentication
TEST DAY TIP
As a network administrator, you must be familiar with the various authentication mechanisms used in an Active Directory network. You needn't worry about memorizing every detail for this particular exam. What you do have to know are the basics of how each authentication mechanism works, and how Active Directory Sites can be used to make user authentication in a network efficient.
Interactive Logon Authentication
Interactive logon authentication verifies the user's logon information against either a domain account or a local computer account. The process of authentication depends on the type of account used:
- With a domain account, a user logs on to the network by providing logon information such as a password or smart card, using single sign-on data stored in the Active Directory directory service. When a user logs on to the network with a domain account, the user can access resources both in the domain to which he or she logs on and in any other trusted domains.
- With a local computer account, a user logs on to a local computer by providing logon information that is verified against the Security Accounts Manager (SAM) on the local machine.
NOTE
SAM is a local security account database for local computer accounts. Local user
accounts are usually stored on workstations or servers, and can only be used to
access the local computer, not resources on any other computer on the network.
Network Authentication
Network authentication verifies the user's identity to a network service that the user tries to access. To offer this type of authentication, the security system of Windows Server 2003 supports the following authentication mechanisms:
- Kerberos V5
- Secure Sockets Layer/Transport Layer Security (SSL/TLS)
When a domain account is used, network authentication occurs transparently in the background via Kerberos or SSL/TLS, reusing the credentials established at interactive logon. Users who log on with a local computer account must supply credentials such as a username and password when they try to access a network resource; a local account has no Kerberos identity in the domain, so that access is authenticated with NTLM instead.
EXAM WARNING
Make sure you know the differences between interactive logon authentication and
network authentication in Windows Server 2003.
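The distinction between interactive and network logons, and between domain and local accounts, is visible in the Security log, and a security engineer will want to see it there. The following is an added example, not from this book: it flattens logon events, classifies each one the way the text divides them, and flags network logons made with a local SAM account over NTLM, the case the text says requires explicitly supplied credentials. It assumes the Security log format of Windows Vista / Server 2008 and later (event ID 4624); Windows Server 2003 records successful interactive logons as event 528 and network logons as event 540 with a similar LogonType field, and the script is not written for that older format. The sample records are constructed, and the computer, user and address names are placeholders.

```powershell
# Added example (not from the original text): classify Security-log logon events into the
# interactive and network categories, domain vs local account, and the package used.
# Assumes event ID 4624 (Windows Vista / Server 2008 and later); Windows Server 2003 logs
# events 528 (interactive) and 540 (network) instead and is not handled here.

$LogonTypeNames = @{
    2 = 'Interactive'; 3 = 'Network'; 4 = 'Batch'; 5 = 'Service'; 7 = 'Unlock'
    8 = 'NetworkCleartext'; 9 = 'NewCredentials'; 10 = 'RemoteInteractive'; 11 = 'CachedInteractive'
}

function ConvertTo-LogonRecord {
    # Flatten a 4624 EventRecord using the named EventData fields, which is more robust
    # than indexing $Event.Properties by position.
    param([Parameter(ValueFromPipeline = $true)] $Event)
    process {
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time        = $Event.TimeCreated
            Computer    = ($xml.Event.System.Computer -split '\.')[0]
            User        = $data['TargetUserName']
            Domain      = $data['TargetDomainName']
            LogonType   = [int]$data['LogonType']
            AuthPackage = $data['AuthenticationPackageName']
            SourceIp    = $data['IpAddress']
        }
    }
}

function Get-LogonClass {
    # A network logon with a local SAM account was made with explicitly supplied
    # credentials (the text's local-account case) and cannot use Kerberos, so it is
    # authenticated with NTLM; such logons are worth reviewing by source address.
    param([Parameter(ValueFromPipeline = $true)] $Record)
    process {
        $kind = if ($LogonTypeNames.ContainsKey($Record.LogonType)) {
            $LogonTypeNames[$Record.LogonType]
        } else { "Type$($Record.LogonType)" }
        # A local SAM account carries the computer name as its "domain" in the event.
        $isLocal = $Record.Domain -ieq $Record.Computer
        $note = ''
        if ($Record.LogonType -eq 3 -and $isLocal -and $Record.AuthPackage -eq 'NTLM') {
            $note = 'local SAM account used over the network with NTLM; review source'
        }
        [pscustomobject]@{
            Time     = $Record.Time
            Account  = "$($Record.Domain)\$($Record.User)"
            Scope    = $(if ($isLocal) { 'Local' } else { 'Domain' })
            Kind     = $kind
            Auth     = $Record.AuthPackage
            SourceIp = $Record.SourceIp
            Note     = $note
        }
    }
}

# Constructed sample records (not real log data) so the classification runs offline.
$sample = @(
    [pscustomobject]@{ Time = '09:12:01'; Computer = 'FS01'; User = 'jdoe';  Domain = 'CORP'; LogonType = 2; AuthPackage = 'Negotiate'; SourceIp = '-' }
    [pscustomobject]@{ Time = '09:12:30'; Computer = 'FS01'; User = 'jdoe';  Domain = 'CORP'; LogonType = 3; AuthPackage = 'Kerberos';  SourceIp = '10.0.5.23' }
    [pscustomobject]@{ Time = '09:15:47'; Computer = 'FS01'; User = 'admin'; Domain = 'FS01'; LogonType = 3; AuthPackage = 'NTLM';      SourceIp = '10.0.9.77' }
)
$sample | Get-LogonClass | Format-Table -AutoSize

# On a live system (Windows Server 2008 or later), read the real events instead:
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
#     ConvertTo-LogonRecord | Where-Object { $_.User -notlike '*$' } |   # skip computer accounts
#     Get-LogonClass | Where-Object Note | Format-Table -AutoSize
```

In the constructed sample, the first record is the user's interactive logon, the second is the transparent Kerberos network authentication that single sign-on performs for the same domain account, and only the third (a local FS01 account reaching the server over the network) receives a note.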
Distribution of Services Information
Active Directory distributes a wide range of services information. The DCs distribute directory information and answer each service request. Active Directory distributes service-centric information such as configurations and bindings, which makes services easier for clients to find and easier for administrators to manage.
Distributing services information in Active Directory lets clients and applications obtain that information from the directory and then use it to reach the services offered by the servers on the network. Figure 6.1 shows how services information is accessed between the client, server, and a DC in a network.
[Figure 6.1: Services Information Shared between a Client, Server, and a Domain Controller. The figure shows a client, a server, and a domain controller connected by the three numbered steps described below.]
Figure 6.1 shows the services information being exchanged between a client, a server, and a DC in three steps:
1. The client sends a request for the service to a DC.
2. The client receives the services information (such as the server's location and bindings) from the DC as the response.
3. The client then uses that services information to connect to the server that provides the service.
TEST DAY TIP
Make sure you know the wide range of services information offered by Active Directory Sites. Be aware of how the services information is accessed between the client, server, and a DC on a network.
Certain sets of services are distributed by the directory by default, including file and print services, storage management, Active Directory itself, and management services. These sets of services can be modified in the directory to meet the needs of your network environment. Distributing services information in the directory provides the following benefits:
- Resource availability This Active Directory model is service-centric: clients locate distributed network services through the directory. Since the services information is held in the directory, clients need not store a resource's location themselves.
- Administration Distributing services in Active Directory enables the administrator to resolve configuration-related problems centrally, instead of having to visit individual computers. This ensures that all services use the latest configuration information.
- Publishing services Publishing makes data or operations available to network users. Publishing a service in Active Directory lets users and administrators move from a machine-centric view of the network to a service-centric view.
EXAM WARNING
Make sure you are familiar with the benefits of distribution of services to the direc-
tory, and how it works to provide them for you.
Relationship of Sites to Other Active Directory Components
A site is a collection of inter-connected computers that operate over IP subnets. A site is also a place on the network with high-bandwidth connectivity. The relationship of sites to other Active Directory components is based on the following network operations performed by sites:
- Control of when replication occurs
- Changes made to the sites
- How efficiently DCs within a domain can communicate
Relationship of Sites and Domains
A site can contain DCs from one or more domains, and a domain can span one or more sites. Sites and domains do not have to share the same namespace. Sites and domains are inter-related because sites control the replication of domain information.
Head of the Class…
The Relationship of Sites and Domains
Domains are also defined as units of replication. Through site-specific SRV records, the Domain Name System (DNS) server provides information about the location of domain controllers in each site, so a DNS server knows which domains have DCs in a particular site. If your network requires more than one domain, you can easily create multiple domains. Figure 6.2 illustrates the relationship between sites and domains in a network: a site can hold DCs from one or more domains, and a domain can span one or more sites.
In Figure 6.2, we see multiple sites within a single domain, and a single site containing multiple domains. A domain provides the following benefits:
- Organizing domain objects.
- Publishing resources and information about domain objects.
- Applying Group Policy Objects (GPOs) to the domain to perform resource and security management.
- Delegating authority, which eliminates the need for many administrators with broad administrative rights.
- Security policies and settings such as user rights and password policies are scoped to a single domain and do not cross from one domain to another.
- Each domain stores only the information about the objects located in that domain.
EXAM WARNING
Make sure you are familiar with the benefits provided by a domain, and how it
works to provide them for you.
For more information on the working of domains, see Chapter 4,“Working with
Forests and Domains.”
[Figure 6.2: The Relationship of the Sites and Domains Present in a Network. The figure shows overlapping site and domain boundaries, so that one domain spans several sites and one site contains several domains.]
Physical vs. Logical Structure of the Network
The sites in an Active Directory represent the physical structure of a network. The physical structure information is stored as site and site link objects in the directory, and this information is used to build the most efficient replication topology. Sites and site links are generally defined with Active Directory Sites and Services.
Sites map the physical structure of the network, while domains map the logical or administrative structure of the organization. This separation of physical and logical structure offers the following advantages:
- You can develop and manage the logical and physical structures of your network independently.
- You do not have to base domain namespaces on your physical network.
- You can deploy DCs for multiple domains within the same site.
- You can deploy DCs for the same domain in multiple sites.
TEST DAY TIP
Make sure you know and understand the differences between the physical and the logical structure of the network. Be aware of how each is used to build the most efficient replication topology.
The Relationship of Sites and Subnets
In Active Directory, a site consists of a set of computers that are inter-connected on a local area network (LAN). Computers within the same site typically sit in the same building or on the same campus network. A single site consists of one or more IP subnets. A subnet is a section of an IP network, and each subnet has a unique network address.
A subnet groups neighboring computers in much the same way as a postal code groups neighboring postal addresses. Figure 6.3 shows one or more clients residing within a subnet that defines an Active Directory site.
The subnets created through Active Directory Sites and Services are sections of an IP network, each with a unique network address written in network/prefix-length form. In Figure 6.3, 172.16.224.0/19 is the network address of the subnet associated with the Active Directory site.
Sites and subnets are represented in Active Directory by site and subnet objects, which we create through the Active Directory Sites and Services administrative tool. Each site object is associated with one or more subnet objects, and it is the subnet objects that let a computer determine, from its own IP address, which site it belongs to.
Creating Sites and Site Links
In the previous sections, we discussed the concepts of sites and subnets. To review, sites and subnets define the physical structure of an Active Directory network. A site is a collection of inter-connected computers that operate over subnets and share a network with high-bandwidth connections; "high bandwidth" here refers to the data throughput of the links, not to the signal-frequency sense of the word. Site links represent the physical connections between sites, over which communication and replication between sites take place.
NOTE
The Windows Server 2003 Active Directory contains a default site link, named DEFAULTIPSITELINK, which is created automatically when the first domain in the forest is created. The first site, Default-First-Site-Name, is created at the same time and is the only member of this link. Both names are assigned automatically; you should change them to something more descriptive.
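The subnet-to-site mapping described under "The Relationship of Sites and Subnets" and the site, site link and default-object renaming described here come together in the following PowerShell, which is an added example and not code from this book. It assumes the ActiveDirectory module from RSAT on Windows Server 2012 or later; on Windows Server 2003 the same objects are created in the Active Directory Sites and Services snap-in. The site and link names are placeholders, and 172.16.224.0/19 is reused from Figure 6.3.

```powershell
# Added example (not from the original text): create a site, map a subnet to it, link it
# to the hub site, rename the default objects, and check the subnet-to-site mapping.
# Assumes the ActiveDirectory module (RSAT, Windows Server 2012 or later); on Windows
# Server 2003 the same objects are created in the Active Directory Sites and Services
# snap-in. All names below are placeholders; 172.16.224.0/19 is the prefix from Figure 6.3.
Import-Module ActiveDirectory

$HubSite    = 'Default-First-Site-Name'   # created automatically with the first DC
$HubNewName = 'Headquarters'
$NewSite    = 'Chicago'
$NewSubnet  = '172.16.224.0/19'
$LinkName   = "$HubNewName-$NewSite"

# 1. Create the branch site if it does not already exist.
if (-not (Get-ADReplicationSite -Filter "Name -eq '$NewSite'")) {
    New-ADReplicationSite -Name $NewSite -Description 'Chicago branch office'
}

# 2. Map the subnet to the site. A client whose address falls in no subnet object cannot
#    be placed in a site, so it may end up authenticating against a DC across a slow link.
if (-not (Get-ADReplicationSubnet -Filter "Name -eq '$NewSubnet'")) {
    New-ADReplicationSubnet -Name $NewSubnet -Site $NewSite -Location 'Chicago'
}

# 3. Link the two sites: replicate every 60 minutes over IP with a cost of 100.
if (-not (Get-ADReplicationSiteLink -Filter "Name -eq '$LinkName'")) {
    New-ADReplicationSiteLink -Name $LinkName -SitesIncluded $HubSite, $NewSite `
        -Cost 100 -ReplicationFrequencyInMinutes 60 -InterSiteTransportProtocol IP
}

# 4. Replace the automatically assigned names with descriptive ones. DN-valued references
#    such as a site link's siteList follow the rename, so step 3 is not broken by this.
Get-ADReplicationSite -Identity $HubSite | Rename-ADObject -NewName $HubNewName
Get-ADReplicationSiteLink -Identity 'DEFAULTIPSITELINK' | Rename-ADObject -NewName "$HubNewName-Core"

function Get-SiteCoverageReport {
    # Subnets assigned to no site, and sites that own no subnet: either gap means clients
    # or DCs can be placed in the wrong site, which defeats the purpose of the topology.
    $subnets = Get-ADReplicationSubnet -Filter * -Properties Site
    $sites   = Get-ADReplicationSite -Filter *
    $usedSiteDns = @($subnets | Where-Object { $_.Site } | ForEach-Object { $_.Site })
    [pscustomobject]@{
        OrphanSubnets = @($subnets | Where-Object { -not $_.Site } | ForEach-Object { $_.Name })
        EmptySites    = @($sites | Where-Object { $usedSiteDns -notcontains $_.DistinguishedName } |
                          ForEach-Object { $_.Name })
    }
}
Get-SiteCoverageReport
```

On any domain member, `nltest /dsgetsite` reports the site the DC locator assigned to that machine from its IP address, which is the quickest way to confirm that a new subnet mapping has taken effect.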
[Figure 6.3: Active Directory Site with One or More Client Computers. The figure shows a client inside the 172.16.224.0/19 subnet that defines the Active Directory site.]
EXAM 70-294 OBJECTIVE 1.4, 2.2, 2.2.3
Site Planning
You should plan thoroughly before creating and deploying an Active Directory. Site planning enables you to optimize the efficiency of the network and reduce administrative overhead. High-performance sites are the product of proper planning of the physical design of your network. Site planning lets you determine exactly which sites you should create and how they should be linked using site links and site link bridges. Site information is stored in the configuration partition, which is replicated to every DC in the forest, so you can create sites and related information at any point in your deployment of Active Directory.
Site planning also lets you publish site information in the directory for use by applications and services. Active Directory itself is the main consumer of site information. You'll see how replication affects site planning later in the chapter.
Criteria for Establishing Separate Sites
When you initially create a domain, a single default Active Directory site called Default-First-Site-Name is created. This site represents your entire network. A domain or forest that consists of a single site can be highly efficient for a LAN connected by high-speed links.
NOTE
A forest is defined as a set of Active Directory domains that share the same schema (class and attribute definitions), the same configuration (including site information), and a common global catalog, but not necessarily the same namespace. The domains in a forest are linked by two-way transitive trust relationships.
When a network consists of a single subnet or of multiple subnets joined by reliable, high-speed links, a single site topology offers the following advantages:
- Simplified replication management
- Regular directory updates between all DCs
A single site topology makes all replication intrasite replication, which requires no manual replication configuration. Intrasite replication is driven by change notification rather than by a schedule, so every DC in the site receives directory changes promptly.