The A+ Exams are based on an industry-wide analysis of what a computer technician with at least 6 months experience should know about repairing and servicing computers to be recognized as competent. The results of the analysis were validated in a worldwide survey of thousands of professional A+ certified professionals.
Shortcut trusts are transitive one-way or two-way trusts that can be used to optimize the authentication process between domains that are logically distant from each other. In Windows Server 2003, authentication requests must travel an established trust path between domain trees. A trust path is a series of trust relationships that must be traversed in order to pass authentication requests between any two domains. In a complex forest, following the trust path can take time and affect query response performance; each time clients are referred to another domain controller, the chances of a failure or of encountering a slow link are increased. Windows Server 2003 provides a means for improving query response performance through shortcut trusts. Shortcut trusts help to shorten the path traveled for authentication requests made between domains located in two separate trees.
Shortcut trusts can be created only between Windows Server 2003 domains in the same forest. Figure 4-16 illustrates a shortcut trust created to shorten the trust path and improve query response performance between Domain M and Domain P. If the shortcut trust were not created, the client in Domain M would have to “walk” the trust path through domains L, K, J, N, and O before being able to communicate with the domain controller in Domain P to verify the authentication request.
One-Way Shortcut Trusts
A one-way shortcut trust established between two domains located in separate domain trees can reduce the time needed to fulfill authentication requests, but from only one direction. If a one-way shortcut trust is established between Domain M and Domain P, authentication requests made in Domain M to Domain P can take full advantage of the new one-way trust path. However, when authentication requests from Domain P to Domain M are made, they cannot utilize the shortcut trust path that was created between Domain M and Domain P, and default to walking up the trust path hierarchy in order to find Domain M.
Two-Way Shortcut Trusts
A two-way shortcut trust directly established between two domains located in separate domain trees can help optimize authentication requests made from users located in either domain. Therefore, authentication requests made from either Domain M to Domain P or from Domain P to Domain M can utilize the shortened shortcut trust path.
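The effect of one-way and two-way shortcut trusts on the Domain M / Domain P path can be modeled as a shortest-path search over referral edges. This is an added example, not code from the book; the tree shape is reconstructed from the path the text lists (the figure is not reproduced here), and the breadth-first search is a simplified stand-in for how referrals are actually followed.

```python
from collections import deque

# Assumed topology, reconstructed from the path M, L, K, J, N, O, P in the text.
PARENT_CHILD = [("J", "K"), ("K", "L"), ("L", "M"),   # first tree, root J
                ("N", "O"), ("O", "P")]               # second tree, root N
TREE_ROOT = [("J", "N")]                              # trust joining the two trees


def build_referrals(shortcuts=()):
    """Return {domain: set of domains a request may be referred to next}.

    Default trusts are two-way, so each adds an edge in both directions.
    Each shortcut is (source, target, two_way); a one-way shortcut is
    usable only for requests made in source toward target.
    """
    graph = {}

    def add(a, b):
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set())

    for a, b in PARENT_CHILD + TREE_ROOT:
        add(a, b)
        add(b, a)
    for src, dst, two_way in shortcuts:
        add(src, dst)
        if two_way:
            add(dst, src)
    return graph


def trust_path(graph, start, goal):
    """Breadth-first search: shortest list of domains from start to goal."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        if path[-1] == goal:
            return path
        for nxt in sorted(graph[path[-1]] - seen):
            seen.add(nxt)
            queue.append(path + [nxt])
    return None


if __name__ == "__main__":
    for label, sc in [("no shortcut", []), ("one-way M->P", [("M", "P", False)]),
                      ("two-way M<->P", [("M", "P", True)])]:
        g = build_referrals(sc)
        print(label, trust_path(g, "M", "P"), trust_path(g, "P", "M"))
```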
Explicitly created by a systems administrator between Windows Server 2003 domains that are in different forests or between a Windows Server 2003 domain and a domain whose domain controller is running Windows NT 4 or earlier. This trust provides backward compatibility with Windows NT environments and communications with domains located in other forests not joined by forest trusts. The trust is nontransitive and can be one- or two-way.
Windows Server 2003 allows you to rename any domain that has domain controllers running Windows Server 2003, move existing domains to other locations in the domain hierarchy, and rename domain controllers without first demoting them. This lesson shows you how to rename and restructure domains and how to rename domain controllers.
Designing incremental security templates for server roles consists of determining where security settings in the template need to be changed from those set in the baseline template. In general, this is not an onerous task because few settings need to be changed. However, security for server roles generally involves much more than modifications made to the security templates. Settings specific to the role usually must be made to server applications running on the server. Application-specific settings are not part of the security templates. Follow these guidelines when designing incremental security templates:
General guidelines:
Rename the Guest and Administrator accounts and their descriptions. Do not give them the same name for every server. By varying the name in this way, an attacker who discovers the name will not have the names for all servers.
Disable the Guest account, and disable the Administrator account if it will not be used.
Configure recommended services in the templates even if you configure them on the servers before templates are applied. Configuring them in the templates ensures they are not disabled on the local server. Configuring them in the templates makes the Administrators group the only group that can change the startup mode of the service.
File server guidelines:
Set the DFS service to Automatic only if you are using file servers to provide services.
Set the File Replication Service (NTFRS) to Automatic only if you are using file servers to provide this service.
Print server guidelines:
Set the Print Spooler service to Automatic.
Infrastructure server guidelines:
Set the DHCP Server service to Automatic if DHCP servers are used on the network.
Set the WINS service to Automatic if WINS servers are used on the network.
Set the DNS service to Automatic if DNS is used on the network.
IIS server guidelines:
Grant the user right “Deny access to this computer from the network” to the ANONYMOUS LOGON, Built-in Administrator, Support_388945a0, Guest, and all non-operating system service accounts.
The baseline policy included the Guests group in the user right “Deny access to this computer from the network”. However, IIS uses the IUSR_servername account as a member of the Guests group for anonymous access by Internet users.
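One way to check an incremental template against the print, infrastructure and IIS guidelines above before it is applied, as an added example that is not part of the book. The service short names, the sample template text and the `check_role` helper are assumptions made for illustration; the renamed Administrator and site-specific service accounts are left out because their names vary per server.

```python
AUTOMATIC = "2"  # startup codes: 2=Automatic, 3=Manual, 4=Disabled
DENY_RIGHT = "SeDenyNetworkLogonRight"  # "Deny access to this computer from the network"
# Services each role's guidelines set to Automatic (short names are assumptions).
ROLE_SERVICES = {"print": {"Spooler"}, "infrastructure": {"DHCPServer", "WINS", "DNS"}}
IIS_REQUIRED = {"ANONYMOUS LOGON", "Support_388945a0", "Guest"}

# Constructed samples, not taken from a real server.
SAMPLE_IIS = "[Privilege Rights]\nSeDenyNetworkLogonRight = ANONYMOUS LOGON,Guest,Guests\n"
SAMPLE_PRINT = '[Service General Setting]\n"Spooler",3,"<sddl placeholder>"\n'


def parse_template(text):
    """Split an INF-style template into {section name: [non-empty lines]}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # skip blanks and comments
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], [])
        elif current is not None:
            current.append(line)
    return sections


def check_role(text, role):
    """Return sorted findings for an incremental template of the given role."""
    sections, findings, startup = parse_template(text), [], {}
    for line in sections.get("Service General Setting", []):
        fields = [f.strip().strip('"') for f in line.split(",", 2)]
        if len(fields) >= 2:                      # name, startup code, optional SDDL
            startup[fields[0]] = fields[1]
    for svc in ROLE_SERVICES.get(role, ()):
        if startup.get(svc) != AUTOMATIC:
            findings.append(f"{svc}: startup not set to Automatic")
    if role == "iis":
        members = set()
        for line in sections.get("Privilege Rights", []):
            key, _, value = line.partition("=")
            if key.strip() == DENY_RIGHT:
                members = {m.strip() for m in value.split(",")}
        findings += [f"{DENY_RIGHT}: missing {m}" for m in IIS_REQUIRED - members]
        if "Guests" in members:                   # baseline entry left in place
            findings.append(f"{DENY_RIGHT}: Guests group blocks IUSR anonymous access")
    return sorted(findings)


if __name__ == "__main__":
    print(check_role(SAMPLE_IIS, "iis"))
    print(check_role(SAMPLE_PRINT, "print"))
```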
If you’ve determined that your company requires more than one domain, you must organize the domains into a hierarchy that fits the needs of your organization. Recall that domains in a forest share the same configuration, schema, and global catalog. As domains are placed in a hierarchy, the two-way transitive trust relationship allows the domains to share resources.
The primary difference between domain trees and forests is in their DNS name structure. All domains in a domain tree have a contiguous DNS namespace. Unless your organization operates as a group of several entities, such as a partnership or conglomerate, your network probably lends itself to a contiguous DNS namespace and you should set up multiple domains in a single domain tree in a forest. If you need to combine organizations with unique domain names, create an additional forest. You can also create additional forests to separate zones. Each tree in the forest has its own unique namespace.
In the example, the Contoso Pharmaceuticals physical structure maps to a group of domains in a domain tree. Contoso Pharmaceuticals is not a part of any other entity, nor are there any known plans for creating multiple entities in the future. There is one dedicated root domain. Therefore, Contoso Pharmaceuticals will set up its multiple domains in a single tree in a single forest, as shown in Figure 2-2.
The Active Directory infrastructure design process consists of four stages: (1) creating a forest plan, (2) creating a domain plan, (3) creating an OU plan, and (4) creating a site topology plan.
Active Directory directory service provides a single point of network resource management, allowing you to add, remove, and relocate users and resources easily. This chapter introduces you to Active Directory concepts and administration tasks and walks you through the steps involved in planning an Active Directory infrastructure.
Note: In this book, the use of “Windows Server 2003 family” and “Windows Server 2003” refers to the family of four products: Microsoft Windows Server 2003, Standard Edition; Microsoft Windows Server 2003, Enterprise Edition; Microsoft Windows Server 2003, Datacenter Edition; and Microsoft Windows Server 2003, Web Edition. However, Windows Server 2003, Web Edition only partially supports the use of Active Directory. Windows Server 2003, Web Edition can participate as a member server in an Active Directory-enabled network but cannot be used as an Active Directory domain controller.
1. Insert the Microsoft Windows Server 2003, Enterprise Edition CD-ROM into the CD-ROM drive.
2. On the Welcome to Microsoft Windows Server 2003 screen, select Install Windows Server 2003, Enterprise Edition.
3. On the Welcome to Windows Setup page of the Windows Setup dialog box, select New Installation in the Installation Type list, and then click Next.
4. On the License Agreement page of the Windows Setup dialog box, read the license agreement. To proceed, you must select I Accept This Agreement. Click Next.
5. On the Your Product Key page, type the product key that appears on the sticker attached to the installation CD-ROM case, and then press Next.
6. On the Setup Options page, select the appropriate setup options for your organization, and then click Next.
7. On the Upgrade To The Windows NTFS File System page, select the appropriate file system for your setup, and then click Next.
8. On the Get Updated Setup Files page, select No, Skip This Step and Continue Installing Windows, and then click Next. The installation procedure copies setup files and restarts your computer in text mode.
9. On the Setup Notification screen, press Enter.
10. On the Welcome to Setup screen, press Enter. Setup searches for previously installed versions of Windows. A new screen appears if Setup finds previously installed versions of Windows.
A maximum of three replication hops between domain controllers, due to the addition of connection objects by the KCC
Intersite Replication
To ensure replication between sites, you must connect them manually by creating site links. Site links represent network connections and allow replication to occur. A single KCC per site generates all connections between sites. Active Directory uses the network connection information to generate connection objects that provide efficient replication and fault tolerance, as shown in Figure 1-12.
You provide information about the replication transport used, cost of a site link, times when the link is available for use, and how often the link should be used. Active Directory uses this information to determine which site link is used to replicate information. Customizing replication schedules so replication occurs during specific times, such as when network traffic is light, makes replication more efficient.
As an administrator, you must configure sites and replication to ensure that the most up-to-date information is available to users. Replication and site link configuration are discussed in more detail in Chapter 5, “Configuring Sites and Managing Replication.”
A domain controller stores and replicates:
The schema partition data for a forest.
The configuration partition data for all domains in a forest.
The domain partition data (all directory objects and properties) for its domain.
This data is replicated to additional domain controllers in the domain. For the purpose of finding information, a partial replica containing commonly used attributes of all objects in the domain is replicated to the global catalog.
A global catalog stores and replicates:
The schema partition data for a forest
The configuration partition data for all domains in a forest
A partial replica containing commonly used attributes for all directory objects in the forest (replicated between global catalog servers only)
A full replica containing all attributes for all directory objects in the domain in which the global catalog is located
A second CD-ROM contains a 180-day evaluation edition of Microsoft Windows Server 2003, Enterprise Edition.
Caution: The 180-day Evaluation Edition provided with this training is not the full retail product and is provided only for the purposes of training and evaluation. Microsoft Technical Support does not support this evaluation edition.