Monday 14 January 2013

It Education and Certification At Oxford University

It Education and Certification At Oxford University
It Education and Certification At Oxford University
It Education and Certification At Oxford University
It Education and Certification At Oxford University
 It Education and Certification At Oxford University

It Education and Certification At Oxford University
It Education and Certification At Oxford University



Tuesday 29 March 2011

Group Strategy Facts



To make permission assignments easier, assign permissions to a group, then add the accounts that need to use the group's resources. You can add user accounts, computers, and other groups to groups. You should remember the following when assigning members to groups:
  • Adding a user account to a group gives that account all the permissions and rights granted to the group (the user must log off and log back on before the change takes effect).
  • The same user account can be included in multiple groups. (This multiple inclusion may lead to permissions conflicts, so be aware of the permissions assigned to each group.)
  • Nesting is the technique of making a group a member of another group. Using hierarchies of nested groups may make administration simpler--as long as you remember what permissions you have assigned at each level.
The following table shows the three basic recommended approaches to managing users, groups, and permissions.
Strategy
Use
Description
Application
ALP
Used on workstations and member servers.
A: Place user Accounts
L: Into Local groups
P: Assign Permissions to the local groups
Best used in a workgroup environment, not in a domain.
AGDLP
Used in mixed mode domains and in native mode domains (does not use universal groups, which are also not available in mixed mode).
A: Place user Accounts
G: Into Global groups
DL: Into Domain Local groups
P: Assign Permissions to domain local groups
  1. Identify the users in the domain who use the same resources and perform the same tasks. Group these accounts together in global groups.
  2. Create new domain local groups if necessary, or use the built-in groups to control access to resources.
  3. Combine all global groups that need access to the same resources into the domain local group that controls those resources.
  4. Assign permissions to the resources to the domain local group.
AGUDLP
Used in native mode domains, when there is more than one domain, and you need to grant access to similar groups defined in multiple domains.
A: Place user Accounts
G: Into Global groups
U: Into Universal groups
DL: Into Domain Local groups
P: Assign Permissions to domain local groups
Universal groups should be used when you need to grant access to similar groups defined in multiple domains. It is best to add global groups to universal groups, instead of placing user accounts directly in universal groups.

Designing Active Directory for Delegation

You should know the following facts about delegating control:
  • You should structure the OUs and user account location based on administrative needs.
  • When you delegate control of an OU, you assign a user or group the permissions necessary to administer Active Directory functions according to their needs.
  • In a small organization, you may have a single administrative group to manage the Active Directory objects.
  • In larger organizations, you may have OUs for several departments. In this case, you could delegate control to a user or group within each OU.
  • Use the Delegate Control wizard in Active Directory Users and Groups to delegate control.
  • You can verify permissions delegation two ways:
    • Select the Security tab in the container's Properties dialog box.
    • Open the Advanced Security Settings dialog box for the container.
Planning Guidelines

You should know the following guidelines for planning an Active Directory structure:
  • To begin planning a forest, you must decide how many forests you need.
  • You may need more than one forest because of the physical structure of the company, business unit autonomy, schema differences, or trust limitations.
  • Multiple forests require more administration. Additional administrative difficulties include:
    • Schema consistency.
    • Global catalog placement.
    • Trust configuration.
    • Resource access.
  • Every time you add a domain, you add administrative and hardware costs.
  • You should consider multiple domains if you need to
    • Configure separate security policies.
    • Separate administration.
    • Control replication traffic.
    • Support Windows NT.
    • Create distinct name spaces.
    • Configure password policies.
  • Create OUs for the following reasons:
    • Administrative purposes.
    • Corporate policies.
    • Administer Group Policies.


Trust Types

The following table shows the types of trusts you can create in Active Directory.
Trust Type
Characteristics and Uses
Tree root
Automatically established between two trees in the same forest.
Trusts are transitive and two-way.
Parent/child
Automatically created between child and parent domains.
Trusts are transitive and two-way.
Shortcut
Manually created between two domains in the same forest.
Trusts are transitive, and can be either one-way or two-way.
Create a shortcut trust to reduce the amount of Kerberos traffic on the network due to authentication.
External
Manually created between domains in different forests.
Typically used to create trusts between Active Directory and NT 4.0 domains.
Trusts are not transitive, and can be either one-way or two-way.
Forest root
Manually created between the two root domains or two forests.
Transitive within the two forests.
Can be either one-way or two-way.
Realm
Manually created between Active Directory and non-Windows Kerberos realms.
Can be transitive or non-transitive.
Can be either one-way or two-way.
Trusts have a direction that indicates which way trust flows in the relationship.
  • The direction of the arrow identifies the direction of trust. For example, if Domain A trusts Domain B, the arrow would point from Domain A to Domain B. Domain A is the trusting domain, and Domain B is the trusted domain.
  • Resource access is granted opposite of the direction of trust. For example, if Domain A trusts Domain B, users in Domain B have access to resources in Domain A (remember that users in the trusted domain have access to resources in the trusting domain).
  • A two-way trust is the same as two one-way trusts in opposite directions.
Functional Level Types

The table below shows the domain functional levels.
Domain Functional Level
Domain Controller Operating Systems
Features
2000 Mixed
NT
2000
2003
The following features are available in 2000 Mixed:
  • Universal groups are available for distribution groups.
  • Group nesting is available for distribution groups.
2000 Native
2000
2003
The following features are available in 2000 Native:
  • Universal groups are available for security and distribution groups.
  • Group nesting.
  • Group converting (allows conversion between security and distribution groups).
  • SID history (allows security principals to be migrated among domains while maintaining permissions and group memberships).
2003
2003
The following features are available in 2003:
  • All features of 2000 Native domains.
  • Domain controller rename.
  • Update logon time stamp.
  • User password on InetOrgPerson object.
Forest functional levels depend on the domain functional levels. The table below shows the forest functional levels.
Forest Functional Level
Domain Functional Level
Features
2000
2000 Mixed
or
2000 Native
The following features are available in 2000:
  • Global catalog replication improvements are available if both replication partners are running Windows Server 2003.
2003
2003
The following features are available in 2003:
  • Global catalog replication improvements
  • Defunct schema objects
  • Forest trusts
  • Linked value replication
  • Domain rename
  • Improved AD replication algorithms
  • Dynamic auxiliary classes
  • InetOrgPerson objectClass change
Operation Master Types

The following table lists the operation masters at the domain and forest levels. Only one domain controller in the domain or forest performs each role.
Operation Master
Function and Characteristics
RID Master
Ensures domain-wide unique relative IDs (RIDs).
One domain controller in each domain performs this role.
The RID master allocates pools of IDs to each domain controller.
When a DC has used all the IDs, it gets a new pool of IDs.
PDC Emulator
Emulates a Windows NT 4.0 primary domain controller (PDC).
Replicates password changes within a domain.
Ensures synchronized time within the domain (and between domains in the forest).
One domain controller in each domain performs this role.
Infrastructure Master
Tracks moves and renames of objects.
Updates group membership changes.
One domain controller in each domain performs this role.
Domain Naming Master
Ensures that domain names are unique.
Must be accessible to add or remove a domain from the forest.
One domain controller in the forest performs this role.
Schema Master
Maintains the Active Directory schema for the forest.
One domain controller in the forest performs this role.
You should know the following facts about operation master roles:
  • Operation master role servers are also called flexible single master operation (FSMO) servers. These are domain controllers that perform operations on the network.
  • By default, the first domain controller in the forest holds all operation masters. When you create a new domain, the first domain controller holds the three domain operation masters (RID master, PDC emulator, infrastructure master).
  • Use Active Directory Users and Computers to transfer RID master, PDC emulator, and infrastructure masters.
  • Use Active Directory Domains and Trusts to transfer the domain naming master.
  • Use the Active Directory Schema snap-in to transfer the schema master.
  • Run Regsvr32 schmmgmt.dll to register the Active Directory Schema snap-in to make it available for adding to a custom console.
  • Before transferring any role, you must connect to the domain controller that will receive the transferred role.
  • To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object.
  • With a few exceptions, the infrastructure master should not be located on a global catalog server.
Troubleshooting Operation Masters

The following table lists several problems that can be attributed to inaccessible or failed operation masters.
If you have this problem...
Check this operations master...
Unable to add Active Directory objects (either from one or many domain controllers).
RID master
Unable to move or rename an object.
Infrastructure master
Group membership information is not updated between domain controllers
Infrastructure master
Cannot add or remove a domain
Domain naming master
Non-Windows 2000/XP/2003 clients cannot authenticate.
PDC master
Password changes are not updated.
PDC master
Normally, you should transfer roles to other servers only if the server holding the original role is available. If the server holding the master has failed, you will need to seize the role (forcefully move the role to another server).
  • To seize an operations master role you must use the Repadmin tool to make sure the domain controller that is seizing the role is fully up-to-date with the updates on the former role owner.
  • Use the Ntdsutil tool to finish seizing the role:
    1. Enter ntdsutil at the command line.
    2. Enter roles.
    3. Enter connections.
    4. Enter connect to server [fully qualified domain name of the server].
    5. Enter quit.
    6. At the FSMO prompt, enter seize [master role name].
    7. Enter quit to exit.
  • After seizing the role, do not bring the old server back on line. If you repair the server, use Dcpromo to first remove Active Directory. Then bring it back on line, install Active Directory, and transfer the role back if desired.


Managing the Schema

You should know the following facts about schema management:
  • The schema is the database of object classes and attributes that can be stored in Active Directory.
  • Each object definition in the schema is stored as an object itself, so Active Directory can manage these definitions just as it does other objects.
  • The schema includes definitions for classes and attributes (the definitions are also called metadata).
  • Extending the schema allows Active Directory to recognize new attributes and classes.
  • Adding a component like Microsoft Exchange requires the Active Directory to be extended.
  • Only a member of the Schema Admins group has the permission to modify or extend the schema.
  • To perform schema management tasks, use the Active Directory Schema snap-in.
·         Default Active Directory Objects

·         When you install Active Directory, several objects and containers are automatically created. The following table lists the default containers and their contents.
Container
Contents
Builtin
Built-in domain local security groups.
These groups are pre-assigned permissions needed to perform domain management tasks.
Computers
All computers joined to the domain without a computer account.
Domain Controllers*
All domain controllers.
This OU cannot be deleted.
ForeignSecurityPrincipals
Proxy objects for security principals in NT 4.0 domains or domains outside of the forest.
LostAndFound**
Objects moved or created at the same time an Organizational Unit is deleted. Because of Active Directory replication, the parent OU can be deleted on one domain controller. Administrators at other domain controllers can add or move objects to the deleted OU before the change has been replicated. During replication, new objects are placed in the LostAndFound container.
NTDS Quotas**
Objects that contain limits on the number of objects users and groups can own.
Program Data**
Application-specific data created by other programs.
This container is empty until a program designed to store information in Active Directory uses it.
System**
Configuration information about the domain including security groups and permissions, the domain SYSVOL share, Dfs configuration information, and IP security policies.
Users
Built-in user and group accounts.
Users and groups are pre-assigned membership and permissions for completing domain and forest management tasks.
·         *Be aware that the Domain Controllers OU is the only default organizational unit object. All other default containers are just containers, not OUs. As such, you cannot apply a GPO to any default container except for the Domain Controllers OU.
**By default, these containers are hidden in Active Directory Users and Computers. To view these containers, click View/Advanced Features from the menu.

Object Management Tasks and Tools

You should know be familiar with the following object management tasks and tools:
  • The Active Directory Migration Tool (ADMT) is a GUI-based utility that lets you migrate users and other objects between domains. The tool requires that the source domain trust the target domain.
  • You can use the ADMT to retain an object's SID.
  • Moving an object within a domain retains its permissions.
  • Deleting the object deletes existing permissions.
  • You should rename or move an object rather than delete and recreate the object.
  • The Ldp utility allows you to search for and view the properties of multiple Active Directory objects.
  • If a computer that does not have an account is joined to the domain, a computer object is created by default in the built-in Computers OU.
  • Use the Dsadd command to add an OU object to Active Directory from the command line.
  • The easiest way to create a single OU in Active Directory is to use the Active Directory Users and Computers snap-in in the MMC.
  • To view the LostAndFound folder, select Advanced Features from the View menu in the Active Directory Users and Computers snap-in.
  • The LostAndFound folder is used when, for example, a container is deleted on one replica, but objects are added or moved beneath the same container on another replica. In this case, the objects added or moved under the deleted container are stored in the LostAndFound container.
Group Policy Facts

Group policy is a tool used to implement system configurations that can be deployed from a central location through GPOs (Group Policy Objects). You should know the following Group Policy facts:
  • GPOs contain hundreds of configuration settings.
  • GPOs can be linked to Active Directory sites, domain, or organizational units (OUs).
  • GPOs include computer and user sections. Computer settings are applied at startup. User settings are applied at logon.
  • A GPO only affects the users and computers beneath the object to which the GPO is linked.
  • Group policy settings take precedence over user profile settings.
  • A local GPO is stored on a local machine. It can be used to define settings even if the computer is not connected to a network.
  • GPOs are applied in the following order:
    1. Local
    2. Site
    3. Domain
    4. OU
  • If GPOs conflict, the last GPO to be applied overrides conflicting settings.
  • The Computers container is not an OU, so it cannot have a GPO applied to it.
  • Group policy is not available for Windows 98/NT clients or Windows NT 4.0 domains.
  • You can use a GPO for document redirection, which customizes where user files are saved. (For example, you can redirect the My Documents folder to point to a network drive where regular backups occur. Folder redirection requires Active Directory-based group policy.)
  • Configuring a domain group policy to delete cached copies of roaming user profiles will remove the cached versions of the profile when a user logs off.
Refreshing Group Policy
  • By default, Computer Configuration group policy settings (except Software Installation and Folder Redirection) refresh every 5 minutes on domain controllers and every 90 minutes (plus a random offset between 0 and 30 minutes) for other computers.
  • By default, User Configuration group policy settings (except Software Installation and Folder Redirection) refresh every 90 minutes (plus a random offset between 0 and 30 minutes).
  • You can modify refresh rates by editing the properties of the following settings in Group Policy:
    • Group Policy refresh interval for computers.
    • Group Policy refresh interval for Domain Controllers.
    • Group Policy refresh intervals for users.
  • Software Installation and Folder Redirection don't refresh because it is too risky to install/uninstall software or move files while users are using their computers.
To manually refresh group policy settings, use the Gpupdate command with the following switches:
Switch
Function
No switch
Refresh user and computer-related group policy.
/target:user
Refresh user-related group policy.
/target:computer
Refresh computer-related group policy.

Editing GPO Facts

You should know the following facts about editing a GPO:
  • Group Policy Object Editor has two nodes:
    • Computer Configuration to set Group Policies for computers.
    • User Configuration to set Group Policies for users.
  • You can extend each node's capabilities by using snap-ins.
  • Use an Administrative Template file (.adm) to extend registry settings available in the Group Policy Editor.
  • Use the Software setting to automate installation, update, repair, and removal of software for users or computers.
  • The Windows setting automates tasks that occur during startup, shutdown, logon, or logoff.
  • Security settings allow administrators to set security levels assigned to a local or non-local GPO.
Controlling GPO Application

You should know the following controlling GPO application:
  • All GPOs directly linked to or inherited by a site, domain, or OU apply to all users and computers within that container that have Apply Group Policy and Read permissions.
  • By default, each GPO you create grants the Authenticated Users group (basically all network users) Apply Group Policy and Read permissions.
  • To apply settings to computers, configure the Computer Configuration node of a GPO.
Edit Permissions

You can control the application of GPOs by editing the permissions in the GPO access control list (ACL). (When you deny an object the required permissions to a GPO, the object will not receive the GPO.)
  • To deny access to a GPO, add the user, group, or computer to the GPO permissions and deny the Apply Group Policy and Read permissions.
  • To apply a GPO to specific users, groups, or computers, remove the Authenticated Users group from the GPO permissions. Add the specific user, group, or computer and grant the Apply Group Policy and Read permissions.
Block Inheritance

You can prevent Active Directory child objects from inheriting GPOs that are linked to the parent objects. To block GPO inheritance,
  1. Click the Group Policy tab for the domain or OU for which you want to block GPO inheritance.
  2. Select the Block Policy inheritance check box.
You cannot block inheritance on a per-GPO basis. Blocking policy inheritance prevents the domain or OU (along with all the containers and objects beneath them) from inheriting GPOs.

No Override

You should know the following facts about the No Override option:
  • The no override option prevents a GPO from being overridden by another GPO.
  • When no override is set on more than one GPO, the GPO highest in the Active Directory hierarchy takes precedence.
  • No override cannot be set on a local GPO.
WMI Filtering
You should know the following facts about WMI filtering:
  • You can use WMI queries to filter the scope of GPOs.
  • WMI filtering is similar to using security groups to filter the scope of GPOs.
  • WMI queries are written in WMI query language (WQL).
Loopback Processing

By default, Group Policy configuration applies Computer Configuration GPOs during startup and User Configuration GPOs during logon. User Configuration settings take precedence in the event of a conflict.
You can control how Group Policy is applied by enabling loopback processing. Following are some circumstances when you might use loopback processing:
  • If you want Computer Configuration settings to take precedence over User Configuration settings.
  • If you want to prevent User Configuration settings from being applied.
  • If you want to apply User Configuration settings for the computer, regardless of the location of the user account in Active Directory.
Loopback processing is typically used to apply User Configuration settings to special computers located in public locations, such as kiosks and public Internet stations.
Keep in mind the following about how loopback processing works.
  • Loopback processing runs in Merge or Replace Mode.
  • Merge mode gathers the Computer Configuration GPOs and appends them to the User Configuration GPOs when the user logs on.
  • Replace mode prevents the User Configuration GPOs from being applied.
To enable loopback processing:
  1. Create or edit a GPO to distribute to computers on which you want to enable loopback processing mode.
  2. Choose Group Policy from the System node of Administrative Templates in Computer Configuration.
  3. Right-click Users Group Policy loopback processing mode and click Properties.
  4. Click Enabled.
  5. Choose Merge mode or Replace Mode.
Group Policy Tools

You should be familiar with the use of the following Group Policy tools:

Gpresult

  • Gpresult is a command line tool that allows you to examine the policy settings of specific users and computers.

  • Start Gpresult by entering Gpresult at the command line (use the /? switch for syntax help).

  • Gpresult can show the following:

    • Last application of Group Policy and the domain controller from which policy was applied.
    • Detailed list of the applied GPOs.
    • Detailed list of applied Registry settings.
    • Details of redirected folders.
    • Software management information, like information about assigned and published software.

    RSoP

    RSoP (Resultant Set of Policy) is the accumulated results of the group policies applied to a user or computer. You should know the following facts about RSoP:
    • The RSoP wizard reports on how GPO settings affect users and computers. The wizard runs in two modes: logging and planning.
    • The RSoP wizard logging mode reports on existing group policies applied against computers or users.
    • The RSoP wizard planning mode simulates the effects policies would have if applied to computers or users.



    RSoP Access

    You can access the Resultant Set of Policy (RSoP) wizard in various ways. Here are some common ways:
    • Install the RSoP wizard as an MMC snap-in
    • Use the Start > Run sequence and run Rsop.msc.
    • You can also select an object in Active Directory Users and Computer and select Resultant Set of Policy (in planning or logging mode) from the All Tasks menu.
    Delegation Facts

    You should know the following facts about trust delegating control of group policies:
    • Decentralized administrative delegation means that administration is delegate to OU level administrators. In decentralized administrative delegation, assign full-control permission to the OU administrators for GPOs.
    • Centralized administrators only delegate full-control permissions to top level OU administrators. Those administrators are responsible for everything downward.
    • In task-based delegation, administration of specific group policies to administrators who handle specific tasks. For example, security administrators would get full-control of security GPOs, and application administrators would get full-control of application GPOs.
    Software Distribution Facts

    You should be familiar with the use of the following software distribution:
    • When you configure the option Uninstall this application when it falls out of the scope of management on a user assigned software application installed through a GPO, you force the software to uninstall automatically when an account is moved out of the OU to which the GPO was applied.
    • There are two default settings for software restriction policies: Unrestricted and Disallowed.
      • Unrestricted allows software to run according to the rights of the user who is accessing the software.
      • Disallowed does not allow software to run regardless of the logged on user's rights.
    • If the default restriction level is Disallowed then no software will be able to run unless there is an additional rule configured that explicitly makes the software unrestricted.
    • The Always wait for the network at computer startup and logon GPO setting forces a computer to wait for the network to fully initialize before attempting to refresh Group Policy settings.
    • The source path to the location of an MSI file must always be a UNC path: \\servername\sharename\filename.
    • To fix the source path for an existing software package you need to delete and recreate the package.
    • In order for users to run installation files from the software distribution point, they need to have Read and Execute permissions.
    Use software restriction policies to prevent users from running specific software. Configure rules to identify the method Windows uses to identify unique software packages.
    Restriction Option
    Characteristic
    Certificate Rule
    A certificate rule uses the software application's certificate. Windows locates the certificate of the software to identify allowed or restricted software.
    Hash Rule
    When you create a hash rule, Windows performs a hashing function on the executable file. When users try to run software, Windows compares the hash value of the executable with the hash value stored in group policy.
    Use a hash rule to restrict software regardless of its location.
    Internet Zone Rule
    The Internet Zone rule uses Internet Explorer zones to identify software based on zones.
    Path Rule
    With a path rule, Windows identifies restricted or allowed software by path and name. However, the same executable file in a different location will not be governed by the rule.
    Administrative Template Facts

    You should be familiar with the following facts about Administrative templates:
    • Computer Configuration and User Configuration each have the following three nodes:
      • Windows Components: Use to administer Windows 2003 Server components. The Computer Configuration node has settings for IIS. The User Configuration node has settings for Internet Explorer.
      • System: Use to administer the functionality of the Windows 2003 OS.
      • Network: Use to control the functionality of the network.
    • In the Computer Configuration node, Administrative Templates contains a Print node for printer administration.
    • In the User Configuration node, Administrative Templates contains nodes of administering the Start menu, Taskbar, Desktop, Control Panel, and shared folders.
    Folder Redirection Facts

    You should know the following facts about folder redirection:
    • To put user profile data back to the local system, make sure the GPO is enabled and select the Redirect to the local userprofile location option.
    • Folder redirection works best by distributing a Group Policy, but you can redirect folders manually on the local system by modifying the folder's properties (not through a local GPO, though).
    • The following folders can be redirected:
      • My Documents
      • Application Data
      • Start Menu
      • My Pictures
      • Desktop
    • Redirected folders are made available offline automatically.
    Logon Facts

    You should know the following facts about managing logon:
    • Password policies are only effective in GPOs applied to the domain.
    • To create different password policies, you must create additional domains.
    • Each forest has a single alternate user principle name (UPN) suffix list that you can edit from the properties of the Active Directory Domains and Trusts node. After adding an alternate UPN suffix, you can configure all user accounts to use the same UPN suffix, thus simplifying user logon for users in all domains in the forest.
    You should be familiar with the following password and account lockout policy settings:
    Setting
    Description
    Enforce password history
    Keeps a history of user passwords (up to 24) so that users cannot reuse passwords.
    Minimum password length
    Configures how many characters a valid password must have.
    Minimum password age
    Forces the user to use the new password for whatever length of time you determine before changing it again.
    Password must meet complexity requirements
    Determines that user passwords cannot contain the user name, the user's real name, the company name, or a complete dictionary word. The password must also contain multiple types of characters, such as upper and lowercase letters, numbers, and symbols.
    Maximum password age
    Forces the user to change passwords at whatever time interval you determine.
    Account lockout threshold
    Configures how many incorrect passwords can be entered before being locked out.
    Account lockout duration
    Identifies how long an account will stay locked out once it has been locked. A value of 0 indicates that an administrator must manually unlock the account. Any other number indicates the number of minutes before the account will be automatically unlocked.
    Reset account lockout after
    Specifies the length of time that must pass after a failed login attempt before the counter resets to zero.
    Automatic Certificate Enrollment Facts

    You should know the following facts about using Group Policy to configure automatic certificate enrollment:
    • Before you can add an automatic certificate request, you must have certificate templates configured on your system. Run Certtmpl.msc to install the certificate templates.
    • For a completely automatic certificate installation, set the Request Handling options of the certificate template to enroll the subject without requiring any user input.
    • Without the Request Handling option selected, the user will be prompted for input during the certificate enrollment phase.
    • An icon on the taskbar will also appear, which users can click to start the enrollment process.
    Managing Sites and Subnets

    You should know the following facts about managing sites and subnets:
    1. When a client attempts to find a domain controller for authentication, it receives a list of DC IP addresses from DNS.
    2. The client passes a query to the DCs to find a good match for authentication.
    3. Active Directory grabs the query and passes it to Net Logon.
    4. Net Logon looks for the client IP address in the subnet-to-site mapping table.
    5. If the client IP address isn't found in the subnet-to-site mapping table, the DC returns a NULL site value, and the client authenticates using the returned DC.
    Replication Facts

    You should know the following facts about replication:
    • Active Directory automatically decides which servers are the bridgehead servers (generally, the first domain controller in the site).
    • To force a specific server to be the bridgehead server, you must manually configure it as the bridgehead server.
    • To designate a preferred bridgehead server, edit the server object properties in Active Directory Sites and Services.
    • Replication between sites occurs only between the bridgehead servers.
    • To have different replication settings for different WAN links, you need to configure multiple site links.
    • For complete flexibility, you should create a site link for each network connection between sites.
    • The default link cost is 100.
    • A higher cost for a link is less desirable. To force traffic over one link, set a lower cost. For example, set a lower cost for high-speed links to force traffic over the high speed link. Configure a higher cost for dial-up links that are used as backup links.
    • Costs are additive when multiple links are required between sites.
    • Use SMTP replication for high latency links where RPC replication would probably fail.
    Managing Replication Facts

    You should know the following facts about managing replication:
    • Use Replication Monitor (Replmon) or Active Directory Sites and Services to force replication.
    • Replmon has an Update Automatically feature that allows you to specify the how often replication reports are refreshed.
    • The Sysvol share replicates using the File Replication Service (this includes things like group policy and logon scripts).
    • Replication uses port 135.
    • DCs must be able to contact each other for replication. This means they need to have a valid network connection, valid IP address configuration, and DNS must be available so the servers can locate each other.
    • You can use the Directory Service and the File Replication Service logs in Event Viewer to monitor replication services.
    You should also know the following facts about Replmon:
    • Replmon allows you to perform the following administrative tasks:
      • force synchronization between domain controllers.
      • monitor domain controller replication.
      • perform simultaneous monitoring of domain controllers in different forests.
    • Replmon gives a graphical view of the topology.
    • Replmon must run on a computer running Windows Server 2003.
    • You can start Replmon by entering Replmon at the command line.
    Tombstones and Garbage Collection

    You should know the following facts about tombstones and garbage collection:
    • When an object is removed from the Active Directory database, it is moved to a hidden Deleted Objects container. Objects in the Deleted Objects container are called tombstones.
    • The default storage time for tombstones is 60 days.
    • Every 12 hours (default setting) a domain controller examines its Deleted Objects folder for tombstones that have exceeded the storage period.
    • Objects beyond the storage period are removed in a process called garbage collection.

    Global Catalogs and Universal Group Membership Caching

    You should know the following facts about global catalogs and universal group membership caching:
    • A global catalog server needs to be contacted during logon. Place a global catalog server in each site to speed up logon.
    • A global catalog server also maintains universal group membership. Group membership needs to be consulted during resource access.
    • Only one server per site needs to be a global catalog server.
    • Enabling the universal group membership caching feature for a site will let users who are members of a universal group log on in the event of a WAN link failure. If the only need is to obtain universal group membership information, enabling this feature for a site is a better solution than creating a global catalog server in the site.
    • All servers in a site must be running Windows Server 2003 for universal group membership caching to work.
    Site License Facts

    You should know the following facts about site licensing:
    • Set up a site license servers to monitor license
      • Purchases.
      • Deletions.
      • Usage.
    • The license logging service runs on each server within a site, collecting information to send to the site license server.
    • The information in the site license server database can be viewed using the Licensing tool in Administrative Tools.
    • By default, the site license server is the first domain controller created for a site.
    • The site license server does not have to be a domain controller.
    Application Directory Partitions

    Application directory partitions are used to store dynamic objects. Most information stored in Active Directory is relatively static, meaning that it changes infrequently enough to allow it to be replicated across a domain with a high degree of regularity. Dynamic objects, however, changes more frequently than they can be efficiently and effectively replicated. (Dynamic objects are created with a time-to-live (TTL) value, which, when it expires, allows Active Directory to delete the object.)
    Application directory partitions allow you to configure replication and replicas to accommodate the unique requirements of dynamic objects. Where domain partitions must replicate to all domain controllers in a domain, application directory partitions do not have to meet this requirement.
    For example, if DNS service is configured to use AD, the DNS zone data will be replicated across a domain (because zone data will be stored in a domain partition) even if the DNS server is not configured to run on the domain controller. However, if you put the DNS zone data in an application directory partition, you can limit the scope of replication.
    Application directory partitions are not limited, however, in the types of data they can hold. They can hold, for instance, user, computer, and group objects--every object type, in fact, but security principals. However, objects in an active directory partition operate under certain limitations including the following:
    • They cannot maintain DN-value references to objects in other application directory or domain partitions. Neither can objects in other partitions maintain DN-value references to objects in an application directory partition.
    • They are not replicated to the Global Catalog. (However, a global catalog server can be configured to replicate an application directory partition.)
    • They cannot be moved to other application directory partitions outside the partition in which they were created.