Because Windows Server 2003 domains in a forest share a single schema, configuration container, and global catalog, and are linked by two-way transitive trusts, you should strive to have only for your organization. Ideally, the use of multiple forests should be temporary and reserved for situations such as a merger, acquisition, or partnership where two or more organizations must be joined. By defining multiple forests, you add substantial administrative and usability costs to your organization.
Reasons to Create Multiple Forests
Although you should strive to define only one forest for your organization, there are some situations that might warrant the creation of multiple forests. You might need to consider creating multiple forests if you need to:
Secure data Sensitive data can be protected so that only users within that forest
can access it, such as a situation where business units must be separately maintained or when there is a need to isolate the schema, configuration container, orglobal catalog.
Isolate directory replication Schema changes, configuration changes, and the addition of new domains to a forest affect only that forest. Accommodate development/lab environments New or test environments that may not yet be ready for production can be isolated from the rest of the organization.
If you plan to install Windows Server 2003 servers configured as domain controllers into an existing domain, you’ll have to run the Adprep.exe command line utility. This utility is located in the 1386 directory of the Windows 2003 Server installation CD-ROM, You’ll have to run the command adprep /forestprep on your existing Windows 2000 Server domain controller holding the schema operations master role. You’ll have to run adprep /domainprep on the Windows 2000 Server domain controller holding Infrastructure Operations Master role. Be sure to search for articles concerning ADPREP at http://sufport.microsqft.com before you actually run these commands.
When you convert from Windows 2000 mixed or Windows Server 2003 interim functional level to the Windows 2000 native or Windows Server 2003 functional level, keep in mind the following:
Support for pre-Windows 2000 replication ceases. Because preWindows 2000 replication is gone, you can no longer have any domain controllers in your
domain that are not running Windows 2000 Server or later.
You can no longer add new pre-Windows 2000 domain controllers to the domain.
The server that served as the primary domain controller during migration is no longer the domain master; all domain controllers begin acting as peers.
The change in domain functional level is one-way only; you cannot change from the Windows 2000 native or Windows Server 2003 functional level to the Windows 2000 mixed or Windows Server 2003 interim functional level.
The Configure Your Server Wizard provides a central location for you to install many services, including Active Directory, on a computer running Windows Server 2003. The Configure Your Server Wizard is available from the Manage Your Server screen, which opens automatically the first time you log on to a server by using administrative permissions. You can use the Configure Your Server Wizard to install Active Directory only if the computer is the first server on the network and has not yet been configured. Otherwise, if you attempt to use the Configure Your Server Wizard to install additional domain controllers on the network, the wizard simply accesses the Active Directory Installation Wizard to perform the actual installation.
If the computer is the first server on the network and has not yet been configured, the Configure Your Server Wizard provides the Configuration Options page to promote the server to a domain controller and install Active Directory. The Configuration Options page configures your server in the following ways:
Promotes the computer to domain controller.
Creates a full domain name for your network.
Assigns a static IP address.
As you learned in Chapter 1, the forest root domain is the first domain you create in an . The forest root domain must be centrally managed by an IT organization that is responsible for making domain hierarchy, naming, and policy
decisions. When planning a domain structure, you should start with a dedicated forest root domain. A forest root domain is dedicated when it is set up exclusively to administer the forest infrastructure. A dedicated forest root domain is recommended for the following reasons:
You can control the number of administrators allowed to make forestwide changes. By limiting the number of administrators in the forest root domain, you
reduce the likelihood that an administrative error will impact the entire forest.
You can easily replicate the forest root across the enterprise. Because a dedicated root domain is small, it can be easily replicated anywhere on your network to provide protection against catastrophes.
The forest root never becomes obsolete. Because the only purpose of the forest root domain is to serve as the root, there is little chance of it becoming obsolete.
You can easily transfer ownership of the root. Transferring ownership of the root domain does not involve migrating production data or resources.
The role of a dedicated forest root domain is to define and manage the infrastructure. Therefore, when you plan domains, you should reserve the dedicated forest root domain for forest administration only. Avoid including users or resources not dedicated to forest administration in the forest root domain.
Determining the Number of Domains
After you’ve planned the dedicated forest root domain, you should begin planning your domain structure with a single child domain under the root, and add more domains only when the single child domain model no longer meets your needs. One domain can span multiple sites and contain millions of objects. Keep in mind that site and domain structures are separate and flexible. A single domain can span multiple geographical sites, and a single site can include users and computers belonging to mul?tiple domains. Planning your site structure is covered in Chapter 5, “Configuring Sites and Managing Replication.”
You should not create separate domains to reflect your company’s organization of divisions and departments. Because functional structures such as divisions, departments, or project teams are always subject to change, defining domains based on these structures in the organization is strongly discouraged. Within each domain, you can model your organization’s management hierarchy for delegation or administration using organizational units (OUs) for this purpose. You can then assign Group Policy and place users, groups, and computers into the OUs. Planning structure is covered in Chapter 6, “Implementing an OU Structure.”
An OU infrastructure alone -won’t provide security for client systems. The Group Policy policies that will link to the must be designed, and a strategy must he developed to harden client operating systems that are not member servers or to address security settings that cannot be maintained via Group Policy. To complete the design, you must use security templates, administrative templates, software restriction policies, and local computer tools. This lesson teaches you how.
Tracks use of domain account logon records. Also, records remote connections to the client. If file and print sharing is enabled to provide access for remote administration, records of administrators’ connections will be recorded here, as -will attempts at connection by others.
Records changes to accounts and group memberships. These changes can be checked against authorized changes. A change here in an environment where local accounts are not used might indicate a successful attack.
Logs domain account usage. Tracks local logon and use of local accounts.
Provides the opportunity to track usage or attempted usage of local files systems and registry objects. Audit settings must be made to the objects. However, if audit of object access is not configured in the audit policy, object access auditing will not be done.
Records changes to user rights, audit policy, and trust policy.
Certificate Rules and Software Restriction Policies Consider enabling the security option System Settings : Use Certificate Rules On Windows Executables For Software Restriction Policies when certificate software restriction policies will be used. Disabling this setting will result in certificates not being checked to see whether they are invalid because of revocation. Disabling this setting might improve performance. See the “Guidelines for Designing Software Restriction Pol?icies to Manage Application Usage” section for more information.
Security Event Log Settings Consider estimating what the proper size of the Security event log should be and monitoring log growth. If you find that a larger log is needed to accommodate the number of records, you can make it larger. Your objective should be to capture all records. To do this, schedule archiving of the log on a periodic basis and create a large enough file size to accommodate all records created between archives. If the log is filling faster than you anticipated, either archive logs more frequently or enlarge the log size.
Restricted Groups Consider using restricted groups to control management of local group management. Adding a group here allows you to maintain member?ship of a local group by policy. A user with local administrative privileges might be able to add members to a local group, but then, at the next policy refresh, membership will revert to the membership identified here.
The Microsoft Certified Professional (MCP) program provides the best method to prove your command of current Microsoft products and technologies. The exams and corresponding certifications are developed to validate your mastery of critical competencies as you design and develop, or implement and support, solutions with Microsoft products and technologies. Computer professionals who become Microsoft certified are recognized as experts and are sought after industry-wide. Certification brings a variety of benefits to the individual and to employers and organizations.
The Microsoft Certified Professional program offers multiple certifications, based on specific areas of technical expertise:
Microsoft Certified Professional (MCP). Demonstrated in-depth knowledge of at least one Microsoft Windows operating system or architecturally significant platform. An MCP is qualified to implement a Microsoft product or technology as part of a business solution for an organization.
Microsoft Certified Solution Developer (MCSD). Professional developers qualified to analyze , design, and develop enterprise business solutions with Microsoft
development tools and technologies including the Microsoft .NET Framework.
Microsoft Certified Application Developer (MCAD). Professional developers qualified to develop, test, deploy, and maintain powerful applications using Microsoft tools and technologies including Microsoft Visual Studio .NET and XML Web services.
Microsoft Certified Systems Engineer (MCSE). Qualified to effectively analyze the business requirements, and design and implement the infrastructure for business solutions based on the Microsoft Windows and Microsoft Server 2003 operating
system.
Microsoft Certified Systems Administrator (MCSA). Individuals with the skills to manage and troubleshoot existing network and system environments based on the Microsoft Windows and Microsoft Server 2003 operating systems.
Microsoft Certified Database Administrator (MCDBA). Individuals who design,implement, and administer Microsoft SQL Server databases.Microsoft Certified Trainer (MCT). Instructionally and technically qualified to deliver Official Curriculum through a Microsoft Certified Technical Education Center (CTEC).
A lot of individuals currently are trying to figure out exactly how to enlarge their penis. And most males have been wondering how to get a big penis for many reasons. It could be because numerous feel they just don’t measure up to the regular length which is 6 to 7 inches. But you can finally now improve your situation by now learning the best way on how to […]
This is one of the great show today. Watch Glee – Season 2 Episode 14 Blame It on the Alcohol in High Definition now! In order to watch for free, just find the link below for the stream details now! Read more on Watch Glee – Season 2 Episode 14 Free… No tags for this post. […]
How come Calories Important When Muscle building? The nutrients we consume are the foundations for the muscles. Lifting big names in the club isn’t what builds the muscles, lifting is merely that which you do to be able to break it down and prepare it for precisely what happens from the gym to make sure they grow larger and stronger. Without the proper quant […]
