Representing the Creation of Application Directory Partitions


Seizing an Operations Master Role Task

A role seizure is controlled through the same per-role object permissions that control role transfers, plus the Write fsmoRoleOwner property permission at the new role owner. To seize a role, you need both the per-role object permission and the Write fsmoRoleOwner property permission. By default, the Write fsmoRoleOwner property permission is granted to the same groups that are granted the per-role object permissions.
A role seizure is a two-step process. In the first step, you must determine whether the domain controller that seizes the role is fully up-to-date with the updates performed on the previous role owner by using the Repadmin command-line tool. After you have determined the status of the domain controller seizing the role, you can seize the operations master role by using the Ntdsutil utility.
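The two steps as they would be typed at a command prompt, as an added example that is not part of the original article. The server names and the directory partition are constructed placeholders, and the PDC emulator is used as the role being seized.

```batch
rem Added example. Constructed names (assumptions, not from the article):
rem   dc2.corp.example.com        domain controller that will seize the role
rem   dc3.corp.example.com        another surviving domain controller
rem   dc=corp,dc=example,dc=com   directory partition for a domain-wide role

rem Step 1: show the up-to-dateness vector held by each surviving domain
rem controller. Find the entry for the failed role owner in both outputs and
rem compare the USN values: dc2 should hold a USN at least as high as dc3.
rem If it is lower, let replication finish or choose a better candidate.
rem For the schema master compare the schema partition, and for the domain
rem naming master the configuration partition, instead of the domain partition.
repadmin /showutdvec dc2.corp.example.com dc=corp,dc=example,dc=com
repadmin /showutdvec dc3.corp.example.com dc=corp,dc=example,dc=com

rem Step 2: seize the role on dc2. Ntdsutil accepts its menu commands as
rem arguments; multi-word commands are quoted. It asks for confirmation
rem and attempts a normal transfer before it seizes.
ntdsutil roles connections "connect to server dc2.corp.example.com" quit "seize PDC" quit quit

rem The other roles use the same sequence with a different seize command:
rem   "seize RID master"      "seize infrastructure master"
rem   "seize schema master"   "seize domain naming master"
```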


Installing Active Directory Using the Configure Your Server Wizard

The Configure Your Server Wizard provides a central location for you to install many services, including Active Directory, on a computer running Windows Server 2003. The Configure Your Server Wizard is available from the Manage Your Server screen, which opens automatically the first time you log on to a server by using administrative permissions. You can use the Configure Your Server Wizard to install Active Directory only if the computer is the first server on the network and has not yet been configured. Otherwise, if you attempt to use the Configure Your Server Wizard to install additional domain controllers on the network, the wizard simply accesses the Active Directory Installation Wizard to perform the actual installation.
If the computer is the first server on the network and has not yet been configured, the Configure Your Server Wizard provides the Configuration Options page to promote the server to a domain controller and install Active Directory. The Configuration Options page configures your server in the following ways:
Promotes the computer to domain controller.
Creates a full domain name for your network.
Assigns a static IP address.


Determining the Forest Root Domain

As you learned in Chapter 1, the forest root domain is the first domain you create in an Active Directory forest. The forest root domain must be centrally managed by an IT organization that is responsible for making domain hierarchy, naming, and policy decisions. When planning a domain structure, you should start with a dedicated forest root domain. A forest root domain is dedicated when it is set up exclusively to administer the forest infrastructure. A dedicated forest root domain is recommended for the following reasons:
You can control the number of administrators allowed to make forestwide changes. By limiting the number of administrators in the forest root domain, you reduce the likelihood that an administrative error will impact the entire forest.
You can easily replicate the forest root across the enterprise. Because a dedicated root domain is small, it can be easily replicated anywhere on your network to provide protection against catastrophes.
The forest root never becomes obsolete. Because the only purpose of the forest root domain is to serve as the root, there is little chance of it becoming obsolete.
You can easily transfer ownership of the root. Transferring ownership of the root domain does not involve migrating production data or resources.
The role of a dedicated forest root domain is to define and manage the infrastructure. Therefore, when you plan domains, you should reserve the dedicated forest root domain for forest administration only. Avoid including users or resources not dedicated to forest administration in the forest root domain.
Determining the Number of Domains
After you’ve planned the dedicated forest root domain, you should begin planning your domain structure with a single child domain under the root, and add more domains only when the single child domain model no longer meets your needs. One domain can span multiple sites and contain millions of objects. Keep in mind that site and domain structures are separate and flexible. A single domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains. Planning your site structure is covered in Chapter 5, “Configuring Sites and Managing Replication.”
You should not create separate domains to reflect your company’s organization of divisions and departments. Because functional structures such as divisions, departments, or project teams are always subject to change, defining domains based on these structures in the organization is strongly discouraged. Within each domain, you can use organizational units (OUs) to model your organization’s management hierarchy for delegation or administration. You can then assign Group Policy and place users, groups, and computers into the OUs. Planning OU structure is covered in Chapter 6, “Implementing an OU Structure.”


Hardware Requirements

Each computer must have the following minimum configuration. All hardware should be on the Microsoft Hardware Compatibility List.
The default order of processing Group Policy settings can be subject to exceptions if the computer is a member of a workgroup or if any of the No Override, Block Policy Inheritance, or Loopback settings are invoked for a GPO.
The Resultant Set of Policy (RSoP) Wizard is provided to make policy implementation and troubleshooting easier. The RSoP Wizard is a query engine that works in two modes: logging mode and planning mode. In logging mode, the wizard polls existing policies and any applications associated with a particular user or computer, and then reports the results of the query. In planning mode, the wizard asks questions about a planned policy implementation, and then reports the results of the query.
As an administrator, you must be able to administer Group Policy to provide users with the access to resources they require. See Chapter 10, “Implementing Group Policy,” Chapter 11, “Administering Group Policy,” and the chapter “Deploying Software with Group Policy,” for details about Group Policy administration.
DNS is a service used in Transmission Control Protocol/Internet Protocol (TCP/IP) networks, such as the Internet, to locate computers and services through user-friendly names. DNS provides a method of naming computers and network services using a hierarchy of domains. When a user enters a user-friendly DNS name in an application, DNS services can resolve the name to other information associated with the name, such as an IP address. For example, it’s easy for most users who want to locate a computer on a network to remember and learn a friendly name such as example.microsoft.com. However, computers communicate over a network by using numeric addresses. DNS provides a way to map the user-friendly name for a computer or service to its numeric address. If you have used a Web browser, you have used DNS.
Active Directory uses DNS as its domain naming and location service. DNS provides the following benefits:
DNS names are user friendly, which means they are easier to remember than IP addresses.
DNS names remain more constant than IP addresses. An IP address for a server can change, but the server name remains the same.
DNS allows users to connect to local servers using the same naming convention as the Internet.


Designing a Strategy for Hardening Client Operating Systems

An OU infrastructure alone won’t provide security for client systems. The Group Policy policies that will link to the OUs must be designed, and a strategy must be developed to harden client operating systems that are not member servers or to address security settings that cannot be maintained via Group Policy. To complete the design, you must use security templates, administrative templates, software restriction policies, and local computer tools. This lesson teaches you how.
Tracks use of domain account logon records. Also records remote connections to the client. If file and print sharing is enabled to provide access for remote administration, records of administrators’ connections will be recorded here, as will attempts at connection by others.
Records changes to accounts and group memberships. These changes can be checked against authorized changes. A change here in an environment where local accounts are not used might indicate a successful attack.
Logs domain account usage. Tracks local logon and use of local accounts.
Provides the opportunity to track usage or attempted usage of local file systems and registry objects. Audit settings must be made to the objects. However, if audit of object access is not configured in the audit policy, object access auditing will not be done.
Records changes to user rights, audit policy, and trust policy.
Certificate Rules and Software Restriction Policies. Consider enabling the security option System Settings: Use Certificate Rules On Windows Executables For Software Restriction Policies when certificate software restriction policies will be used. Disabling this setting will result in certificates not being checked to see whether they are invalid because of revocation. Disabling this setting might improve performance. See the “Guidelines for Designing Software Restriction Policies to Manage Application Usage” section for more information.
Security Event Log Settings. Consider estimating what the proper size of the Security event log should be and monitoring log growth. If you find that a larger log is needed to accommodate the number of records, you can make it larger. Your objective should be to capture all records. To do this, schedule archiving of the log on a periodic basis and create a large enough file size to accommodate all records created between archives. If the log is filling faster than you anticipated, either archive logs more frequently or enlarge the log size.
Restricted Groups. Consider using restricted groups to control local group membership. Adding a group here allows you to maintain membership of a local group by policy. A user with local administrative privileges might be able to add members to a local group, but then, at the next policy refresh, membership will revert to the membership identified here.
