
Introduction to Servers

Last month we discussed how to network your Cirris testers together to centrally manage all of your data
and testing needs. This month we continue on the topic focusing on the "Server" piece of the networking
puzzle.

Server Basics
A server in its most simple form is just a PC running software that is responsible for coordinating some
form of communication between nodes on a network. There are four requirements for a server:

1. Computer Hardware
2. Operating System (OS)
3. Server Software
4. Connections between the devices on the network.

The hardware can be as simple as a standard desktop PC or as complex as a blade server rack mounted in a
large server farm. The minimum requirement for the OS is that it must support networking. This may be
accomplished by using Windows XP, or it may be a more complex OS that was specifically designed for
networking, like Windows 2008 Server or some versions of Linux. It must have a software program
running that "serves" something. The final requirement is a connection to the devices that are to use the
services provided by the server. This may be done through wired, or wireless, connections.

Types of Servers

There are many types of servers that provide services that affect every aspect of your life in our
digital world. Here are a few of them:

Web Servers:
When you want to look at a web site on the
internet, you type in an address and the
requested site is displayed on your screen. This
is possible because there is a computer out on
the internet that is running a program that is
watching for web site requests and when it sees
one it understands, it retrieves the necessary
files and forwards them to your browser.

Mail Servers:
Have you ever wondered how the email you
just sent to some strange email address knows
how to get to the desired destination? This is
also done with a server. A mail server
specializes in taking the email address,
translating it to a set of network directions, and
locating a destination computer that will
receive the email. Once the route has been
determined the message can be packaged up
and sent on its way.

Proxy Servers:
A proxy server is responsible for the behind the
scenes details that are required to make a
network function. Often, networks become so
complex it is difficult to keep track of all the
nodes that are connected. A proxy server keeps
track of the nodes near it in the network and
passes that information to other servers looking
for specific computers. This makes it possible
for us to retrieve a document from a history
department computer in the basement of a
building on the campus of Moscow State
University without ever knowing where the
document came from.

Database Servers:
This brings us to a server that makes
networking your easy-wire software possible.
A database server is a program that listens for
requests to retrieve data from, or store data to, a
particular database. This allows one central file
to contain information that can be used in
several locations eliminating duplication and
improving efficiency.

Why do I want Easy-Wire on a Server?
Cirris easy-wire software has the ability to be networked to a server. We do this by storing the data
needed to run all of your test equipment in one central file called easywire.fdb. Using one file allows
any Easywire client station to centrally manage the test programs, security settings/logins, and data
collection/reports from any computer in the building with EasyWire installed on it. The Cirris Server is
responsible for collecting all of this data and handing it out to all of the stations that request it. The
Cirris server software is always listening for requests from the easy-wire stations. When it receives a
request, it is processed by an application called Firebird and the response is then generated and given
back to the end user or station. If the request is for a specific set of test data, then Firebird will
retrieve the data and send it back for display at the requesting station. If the request is to save a test
program, the server will gather the test data and place it in the proper locations within the database
file.

[Figure: Example drawing of a database server]

Using a database server is a great way to share data between machines, but a central database can also
pose some potential liabilities that must be understood as you design your test solution. As more and
more stations are connected to the server, the amount of data that is passed back and forth between the
stations and the server can quickly grow. Requests for data from every station need to be processed by
the single Firebird server running on one machine, so that one machine must have the necessary
"horsepower" to handle all of these requests. The operating system, disk access, and the data speed that
your network is capable of all come into play. If you are connecting one or two Cirris test stations, the
server machine may just be a desktop PC capable of storing a couple of megabytes of data. If your needs
grow to twenty or thirty stations this solution will soon become overworked and unable to keep up with
the demand of all thirty stations requesting data at the same time.

[Figure: Real time data collection & reporting can provide helpful information for production
evaluations.]

For example, a test program that is storing measured values on a 500 point device-under-test can be
expected to send between 3000 and 5000 bytes of data for each completed test. If this is happening on
each station in a 25 station network, surges of network traffic could reach 125,000 bytes of data at a
time. To process this amount of data the server hardware should be optimized for serving data. The
computer hardware needs to be capable of these loads. It should have disk storage that can handle files
that are several hundred megabytes in size and have quick disk access times. The operating system also
needs to be designed for this type of work. We recommend Microsoft Windows 2003 server or newer. You
may also benefit from upgrading from PC hardware to server hardware which is designed for continual use
under heavy loads.

The connections between the test stations on the network will also need to be considered. If your
network is connected with cables that are only capable of 10 megabit data speeds, it is probably not
going to be able to handle these data loads without long delays (i.e. end-user frustration). Perhaps you
have noticed long pauses when you are running easy-wire during a busy production day. This may be
caused by an overload somewhere in your network setup. It may be the server hardware, the operating
system, or it may be the connections between the stations on the network.

As your testing needs continue to grow, it may become necessary to break your easy-wire network into
smaller groups. For example, all of your build stations could be placed in one group, while your final
test stations can be placed in another. It may make sense to divide things by product lines or
customers. By breaking things up into smaller groups you can spread the network load issues discussed
above into manageable groups, giving you the benefits of the network while alleviating some of the
scaling issues.

Link: https://www.cirris.com/learning-center/product-articles/software/119-introduction-to-servers

https://www3.nd.edu/~cpoellab/teaching/cse40814_fall14/networks.pdf

Active Directory
From Wikipedia, the free encyclopedia


Active Directory (AD) is a directory service that Microsoft developed for Windows domain networks. It is
included in most Windows Server operating systems as a set of processes and services.[1][2] Initially, Active
Directory was only in charge of centralized domain management. Starting with Windows Server 2008, however,
Active Directory became an umbrella title for a broad range of directory-based identity-related services.[3]
A server running Active Directory Domain Services (AD DS) is called a domain controller.
It authenticates and authorizes all users and computers in a Windows domain type network—assigning and
enforcing security policies for all computers and installing or updating software. For example, when a user logs
into a computer that is part of a Windows domain, Active Directory checks the submitted password and
determines whether the user is a system administrator or normal user.[4] Also, it allows management and storage
of information, provides authentication and authorization mechanisms, and establishes a framework to deploy
other related services: Certificate Services, Federated Services, Lightweight Directory Services and Rights
Management Services.[5]
Active Directory uses Lightweight Directory Access Protocol (LDAP) versions 2 and 3, Microsoft's version
of Kerberos, and DNS.


History
Active Directory, like many information-technology efforts, originated out of a democratization of
design using Request for Comments or RFCs. The Internet Engineering Task Force (IETF), which oversees the
RFC process, has accepted numerous RFCs initiated by widespread participants. Active Directory incorporates
decades of communication technologies into the overarching Active Directory concept, then makes improvements
upon them.[citation needed] For example, LDAP underpins Active Directory. Also X.500 directories and
the Organizational Unit preceded the Active Directory concept that makes use of those methods. The LDAP
concept began to emerge even before the founding of Microsoft in April 1975, with RFCs as early as 1971. RFCs
contributing to LDAP include RFC 1823 (on the LDAP API, August 1995),[6] RFC 2307, RFC 3062, and RFC
4533.[7][8][9]
Microsoft previewed Active Directory in 1999, released it first with Windows 2000 Server edition, and revised it to
extend functionality and improve administration in Windows Server 2003. Additional improvements came with
subsequent versions of Windows Server. In Windows Server 2008, additional services were added to Active
Directory, such as Active Directory Federation Services.[10] The part of the directory in charge of management of
domains, which was previously a core part of the operating system,[10] was renamed Active Directory Domain
Services (ADDS) and became a server role like others.[3] "Active Directory" became the umbrella title of a broader
range of directory-based services.[11] According to Bryon Hynes, everything related to identity was brought under
Active Directory's banner.[3]

Active Directory Services

Active Directory Services consist of multiple directory services. The best known is Active Directory Domain
Services, commonly abbreviated as AD DS or simply AD.[12]
Domain Services
Active Directory Domain Services (AD DS) is the cornerstone of every Windows domain network. It stores
information about members of the domain, including devices and users, verifies their credentials and defines their
access rights. The server (or the cluster of servers) running this service is called a domain controller. A domain
controller is contacted when a user logs into a device, accesses another device across the network, or runs a
line-of-business Metro-style app sideloaded into a device.
Other Active Directory services (excluding LDS, as described below) as well as most of Microsoft server
technologies rely on or use Domain Services; examples include Group Policy, Encrypting File
System, BitLocker, Domain Name Services, Remote Desktop Services, Exchange Server and SharePoint
Server.
Lightweight Directory Services
Active Directory Lightweight Directory Services (AD LDS), formerly known as Active Directory Application
Mode (ADAM),[13] is a light-weight implementation of AD DS.[14] AD LDS runs as a service on Windows Server. AD
LDS shares the code base with AD DS and provides the same functionality, including an identical API, but does
not require the creation of domains or domain controllers. It provides a Data Store for storage of directory data
and a Directory Service with an LDAP Directory Service Interface. Unlike AD DS, however, multiple AD LDS
instances can run on the same server.
Certificate Services
Active Directory Certificate Services (AD CS) establishes an on-premises public key infrastructure. It can create,
validate and revoke public key certificates for internal uses of an organization. These certificates can be used to
encrypt files (when used with Encrypting File System), emails (per S/MIME standard), network traffic (when used
by virtual private networks, Transport Layer Security protocol or IPSec protocol).
AD CS predates Windows Server 2008, but its name was simply Certificate Services.[15]
AD CS requires an AD DS infrastructure.[16]
Federation Services
Main article: Active Directory Federation Services
Active Directory Federation Services (AD FS) is a single sign-on service. With an AD FS infrastructure in place,
users may use several web-based services (e.g. internet forum, blog, online shopping, webmail) or network
resources using only one set of credentials stored at a central location, as opposed to having to be granted a
dedicated set of credentials for each service. AD FS's purpose is an extension of that of AD DS: The latter
enables users to authenticate with and use the devices that are part of the same network, using one set of
credentials. The former enables them to use the same set of credentials in a different network.
As the name suggests, AD FS works based on the concept of federated identity.
AD FS requires an AD DS infrastructure, although its federation partner may not.[17]
Rights Management Services
Main article: Active Directory Rights Management Services

Active Directory Rights Management Services (AD RMS, known as Rights Management
Services or RMS before Windows Server 2008) is a server software for information rights management shipped
with Windows Server. It uses encryption and a form of selective functionality denial for limiting access to
documents such as corporate e-mails, Microsoft Word documents, and web pages, and the operations
authorized users can perform on them.

Logical structure
As a directory service, an Active Directory instance consists of a database and corresponding executable
code responsible for servicing requests and maintaining the database. The executable part, known as Directory
System Agent, is a collection of Windows services and processes that run on Windows 2000 and later.[1] Objects
in Active Directory databases can be accessed via LDAP, ADSI (a component object
model interface), messaging API and Security Accounts Manager services.[2]
Objects

A simplified example of a publishing company's internal network. The company has four groups with varying permissions to
the three shared folders on the network.

Active Directory structures are arrangements of information about objects. The objects fall into two broad
categories: resources (e.g., printers) and security principals (user or computer accounts and groups). Security
principals are assigned unique security identifiers (SIDs).
Each object represents a single entity—whether a user, a computer, a printer, or a group—and its attributes.
Certain objects can contain other objects. An object is uniquely identified by its name and has a set of
attributes—the characteristics and information that the object represents— defined by a schema, which also
determines the kinds of objects that can be stored in Active Directory.
The schema object lets administrators extend or modify the schema when necessary. However, because each
schema object is integral to the definition of Active Directory objects, deactivating or changing these objects can
fundamentally change or disrupt a deployment. Schema changes automatically propagate throughout the
system. Once created, an object can only be deactivated—not deleted. Changing the schema usually requires
planning.[18]
Forests, trees, and domains
The Active Directory framework that holds the objects can be viewed at a number of levels. The forest, tree, and
domain are the logical divisions in an Active Directory network.
Within a deployment, objects are grouped into domains. The objects for a single domain are stored in a single
database (which can be replicated). Domains are identified by their DNS name structure, the namespace.
A domain is defined as a logical group of network objects (computers, users, devices) that share the same Active
Directory database.
A tree is a collection of one or more domains and domain trees in a contiguous namespace, linked in a transitive
trust hierarchy.
At the top of the structure is the forest. A forest is a collection of trees that share a common global catalog,
directory schema, logical structure, and directory configuration. The forest represents the security boundary
within which users, computers, groups, and other objects are accessible.

[Figure: Example of the geographical organizing of zones of interest within trees and domains (a
Tree-Southern containing Domain-Dallas, Domain-Boston, Domain-New York, Domain-Philly and Domain-Atlanta,
with OU-Marketing and OU-Sales holding individual user accounts).]


Organizational units
The objects held within a domain can be grouped into Organizational Units (OUs).[19] OUs can provide hierarchy
to a domain, ease its administration, and can resemble the organization's structure in managerial or geographical
terms. OUs can contain other OUs—domains are containers in this sense. Microsoft recommends using OUs
rather than domains for structure and to simplify the implementation of policies and administration. The OU is the
recommended level at which to apply group policies, which are Active Directory objects formally named Group
Policy Objects (GPOs), although policies can also be applied to domains or sites (see below). The OU is the level
at which administrative powers are commonly delegated, but delegation can be performed on individual objects
or attributes as well.
Organizational units do not each have a separate namespace; e.g. user accounts with an identical username
(sAMAccountName) in separate OUs within a domain are not allowed, such as "fred.staff-ou.domain" and
"fred.student-ou.domain", where "staff-ou" and "student-ou" are the OUs. This is because sAMAccountName, a
user object attribute, must be unique within the domain.[20] However, two users in different OUs can have the
same Common Name (CN), the name under which they are stored in the directory itself.
In general the reason for this lack of allowance for duplicate names through hierarchical directory placement, is
that Microsoft primarily relies on the principles of NetBIOS, which is a flat-file method of network object
management that for Microsoft software, goes all the way back to Windows NT 3.1 and MS-DOS LAN Manager.
Allowing for duplication of object names in the directory, or completely removing the use of NetBIOS names,
would prevent backward compatibility with legacy software and equipment. However, disallowing duplicate object
names in this way is a violation of the LDAP RFCs on which Active Directory is supposedly based.
As the number of users in a domain increases, conventions such as "first initial, middle initial, last name"
(Western order) or the reverse (Eastern order) fail for common family names like Li (李), Smith or Garcia.
Workarounds include adding a digit to the end of the username. Alternatives include creating a separate ID
system of unique employee/student id numbers to use as account names in place of actual user's names, and
allowing users to nominate their preferred word sequence within an acceptable use policy.
Because duplicate usernames cannot exist within a domain, account name generation poses a significant
challenge for large organizations that cannot be easily subdivided into separate domains, such as students in a
public school system or university who must be able to use any computer across the network.
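The digit-suffix and employee-id workarounds described above, carried through as an added example (this is not code from the Wikipedia article or from Microsoft). The $EmployeeId parameter and the $ExistingNames list are assumptions that stand in for an HR feed and a directory query, so the function runs offline; the 20-character limit is the user sAMAccountName (pre-Windows 2000 logon name) limit.

```powershell
function New-UniqueSamAccountName {
    param(
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Surname,
        [Parameter(Mandatory)][string]$EmployeeId,   # hypothetical unique id issued by HR
        [string[]]$ExistingNames = @()                # sAMAccountNames already taken in the domain
    )
    $MaxLength = 20   # sAMAccountName limit for user accounts

    # "First initial + last name", lowercased, keeping only ASCII letters and digits.
    # Names such as Li (李) or accented surnames may lose characters here.
    $base = (($GivenName.Substring(0, 1) + $Surname).ToLowerInvariant()) -replace '[^a-z0-9]', ''
    if ([string]::IsNullOrEmpty($base)) {
        # Nothing usable survived sanitising: fall back to the employee-id naming scheme.
        $base = ('u' + $EmployeeId).ToLowerInvariant() -replace '[^a-z0-9]', ''
    }
    if ($base.Length -gt $MaxLength) { $base = $base.Substring(0, $MaxLength) }

    # sAMAccountName comparisons are case-insensitive, as is PowerShell's -contains.
    $candidate = $base
    $suffix = 1
    while ($ExistingNames -contains $candidate) {
        # Append a digit, shortening the stem so the total stays within the limit.
        $digits = [string]$suffix
        $stem = $base.Substring(0, [Math]::Min($base.Length, $MaxLength - $digits.Length))
        $candidate = $stem + $digits
        $suffix++
    }
    return $candidate
}

# Constructed sample data: two "jsmith" accounts already exist in the domain.
$existing = @('jsmith', 'JSMITH1')
New-UniqueSamAccountName -GivenName 'Jane' -Surname 'Smith' -EmployeeId 'E10421' -ExistingNames $existing
# A surname with no ASCII letters falls through to the employee-id scheme.
New-UniqueSamAccountName -GivenName '伟' -Surname '李' -EmployeeId 'E10422' -ExistingNames $existing
```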
Shadow groups

In Active Directory, organizational units cannot be assigned as owners or trustees. Only groups are selectable, and members
of OUs cannot be collectively assigned rights to directory objects.

In Microsoft's Active Directory, OUs do not confer access permissions, and objects placed within OUs are not
automatically assigned access privileges based on their containing OU. This is a design limitation specific to
Active Directory. Other competing directories such as Novell NDS are able to assign access privileges through
object placement within an OU.
Active Directory requires a separate step for an administrator to assign an object in an OU as a member of a
group also within that OU. Relying on OU location alone to determine access permissions is unreliable, because
the object may not have been assigned to the group object for that OU.
A common workaround for an Active Directory administrator is to write a custom PowerShell or Visual
Basic script to automatically create and maintain a user group for each OU in their directory. The scripts are run
periodically to update the group to match the OU's account membership, but are unable to instantly update the
security groups anytime the directory changes, as occurs in competing directories where security is directly
implemented into the directory itself. Such groups are known as Shadow Groups. Once created, these shadow
groups are selectable in place of the OU in the administrative tools.
Microsoft refers to shadow groups in the Server 2008 Reference documentation, but does not explain how to
create them. There are no built-in server methods or console snap-ins for managing shadow groups.[21]
The division of an organization's information infrastructure into a hierarchy of one or more domains and top-level
OUs is a key decision. Common models are by business unit, by geographical location, by IT Service, or by
object type and hybrids of these. OUs should be structured primarily to facilitate administrative delegation, and
secondarily, to facilitate group policy application. Although OUs form an administrative boundary, the only true
security boundary is the forest itself and an administrator of any domain in the forest must be trusted across all
domains in the forest.[22]
Partitions
The Active Directory database is organized in partitions, each holding specific object types and following a
specific replication pattern. Microsoft often refers to these partitions as 'naming contexts'.[23] The 'Schema'
partition contains the definition of object classes and attributes within the Forest. The 'Configuration' partition
contains information on the physical structure and configuration of the forest (such as the site topology). Both
replicate to all domains in the Forest. The 'Domain' partition holds all objects created in that domain and
replicates only within its domain.

Physical structure
Sites are physical (rather than logical) groupings defined by one or more IP subnets.[24] AD also holds the
definitions of connections, distinguishing low-speed (e.g., WAN, VPN) from high-speed (e.g., LAN) links. Site
definitions are independent of the domain and OU structure and are common across the forest. Sites are used to
control network traffic generated by replication and also to refer clients to the nearest domain
controllers (DCs). Microsoft Exchange Server 2007 uses the site topology for mail routing. Policies can also be
defined at the site level.
Physically, the Active Directory information is held on one or more peer domain controllers, replacing
the NT PDC/BDC model. Each DC has a copy of the Active Directory. Servers joined to Active Directory that are
not domain controllers are called Member Servers.[25] A subset of objects in the domain partition replicate to
domain controllers that are configured as global catalogs. Global catalog (GC) servers provide a global listing of
all objects in the Forest.[26][27] Global Catalog servers replicate to themselves all objects from all domains and
hence, provide a global listing of objects in the forest. However, to minimize replication traffic and keep the GC's
database small, only selected attributes of each object are replicated. This is called the partial attribute set (PAS).
The PAS can be modified by modifying the schema and marking attributes for replication to the GC.[28] Earlier
versions of Windows used NetBIOS to communicate. Active Directory is fully integrated with DNS and
requires TCP/IP—DNS. To be fully functional, the DNS server must support SRV resource records, also known
as service records.
Replication
Active Directory synchronizes changes using multi-master replication.[29] Replication by default is 'pull' rather than
'push', meaning that replicas pull changes from the server where the change was effected.[30] The Knowledge
Consistency Checker (KCC) creates a replication topology of site links using the defined sites to manage traffic.
Intrasite replication is frequent and automatic as a result of change notification, which triggers peers to begin a
pull replication cycle. Intersite replication intervals are typically less frequent and do not use change notification
by default, although this is configurable and can be made identical to intrasite replication.
Each link can have a 'cost' (e.g., DS3, T1, ISDN etc.) and the KCC alters the site link topology accordingly.
Replication may occur transitively through several site links on same-protocol site link bridges, if the cost is low,
although KCC automatically costs a direct site-to-site link lower than transitive connections. Site-to-site
replication can be configured to occur between a bridgehead server in each site, which then replicates the
changes to other DCs within the site. Replication for Active Directory zones is automatically configured when
DNS is activated in the domain based by site.
Replication of Active Directory uses Remote Procedure Calls (RPC) over IP (RPC/IP). Between Sites SMTP can
be used for replication, but only for changes in the Schema, Configuration, or Partial Attribute Set (Global
Catalog) GCs. SMTP cannot be used for replicating the default Domain partition.[31]

Implementation
In general, a network utilizing Active Directory has more than one licensed Windows server computer. Backup
and restore of Active Directory is possible for a network with a single domain controller,[32] but Microsoft
recommends more than one domain controller to provide automatic failover protection of the directory.[33] Domain
controllers are also ideally single-purpose for directory operations only, and should not run any other software or
role.[34]
Certain Microsoft products such as SQL Server[35][36] and Exchange[37] can interfere with the operation of a domain
controller, necessitating isolation of these products on additional Windows servers. Combining them can make
configuration or troubleshooting of either the domain controller or the other installed software more difficult.[38] A
business intending to implement Active Directory is therefore recommended to purchase a number of Windows
server licenses, to provide for at least two separate domain controllers, and optionally, additional domain
controllers for performance or redundancy, a separate file server, a separate Exchange server, a separate SQL
Server,[39] and so forth to support the various server roles.
Physical hardware costs for the many separate servers can be reduced through the use of virtualization, although
for proper failover protection, Microsoft recommends not running multiple virtualized domain controllers on the
same physical hardware.[40]

Database
The Active-Directory database, the directory store, in Windows 2000 Server uses the JET Blue-based Extensible
Storage Engine (ESE98) and is limited to 16 terabytes and 2 billion objects (but only 1 billion security principals)
in each domain controller's database. Microsoft has created NTDS databases with more than 2 billion
objects.[41] (NT4's Security Account Manager could support no more than 40,000 objects). Called NTDS.DIT, it
has two main tables: the data table and the link table. Windows Server 2003 added a third main table for security
descriptor single instancing.[41]
Programs may access the features of Active Directory[42] via the COM interfaces provided by Active Directory
Service Interfaces.[43]

Single server operations

Flexible Single Master Operations (FSMO, pronounced "fizz-mo") roles are also known as operations master
roles. Although domain controllers allow simultaneous updates in multiple places, certain operations are
supported only on a single server. These operations are performed using the roles listed below:

Role name | Scope | Description
Schema Master | 1 per forest | Schema modifications
Domain Naming Master | 1 per forest | Addition and removal of domains if present in root domain
PDC Emulator | 1 per domain | Provides backwards compatibility for NT4 clients for PDC operations (like password changes). The PDC runs domain specific processes such as the Security Descriptor Propagator (SDP), and is the master time server within the domain. It also handles external trusts, the DFS consistency check, holds current passwords and manages all GPOs as default server.
RID Master | 1 per domain | Allocates pools of unique identifiers to domain controllers for use when creating objects
Infrastructure Master | 1 per domain/partition | Synchronizes cross-domain group membership changes. The infrastructure master should not be run on a global catalog server (GCS) unless all DCs are also GCs, or the environment consists of a single domain.

Trusting
To allow users in one domain to access resources in another, Active Directory uses trusts.[44]
Trusts inside a forest are automatically created when domains are created. The forest sets the default
boundaries of trust, and implicit, transitive trust is automatic for all domains within a forest.
Terminology
One-way trust
One domain allows access to users on another domain, but the other domain does not allow access to
users on the first domain.
Two-way trust
Two domains allow access to users on both domains.
Trusted domain
The domain that is trusted; whose users have access to the trusting domain.
Transitive trust
A trust that can extend beyond two domains to other trusted domains in the forest.
Intransitive trust
A one way trust that does not extend beyond two domains.
Explicit trust
A trust that an admin creates. It is not transitive and is one way only.
Cross-link trust
An explicit trust between domains in different trees or in the same tree when a descendant/ancestor
(child/parent) relationship does not exist between the two domains.
Shortcut
Joins two domains in different trees, transitive, one- or two-way.
Forest trust
Applies to the entire forest. Transitive, one- or two-way.
Realm
Can be transitive or nontransitive (intransitive), one- or two-way.
External
Connect to other forests or non-AD domains. Nontransitive, one- or two-way.[45]
PAM trust
A one-way trust used by Microsoft Identity Manager from a (possibly low-level) production forest to a
(Windows Server 2016 functionality level) 'bastion' forest, which issues time-limited group
memberships.[46][47]
Forest trusts
Windows Server 2003 introduced the forest root trust. This trust can be used to connect Windows Server 2003 forests if they are operating at the 2003 forest functional level. Authentication across this type of trust is Kerberos-based (as opposed to NTLM).
Forest trusts are transitive for all the domains within the trusted forests. However, forest trusts are not transitive between forests.
Example: Suppose that a two-way transitive forest trust exists between the forest root domains in Forest A and Forest B, and another two-way transitive forest trust exists between the forest root domains in Forest B and Forest C. Such a configuration lets users in Forest B access resources in any domain in either Forest A or Forest C, and users in Forest A or C can access resources in any domain in Forest B. However, it does not let users in Forest A access resources in Forest C, or vice versa. To let users in Forest A and Forest C share resources, a two-way transitive trust must exist between both forests.
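The trust properties defined in the terminology list above (direction, transitivity, forest versus external) are stored as bits of the trust object's trustAttributes attribute. The following PowerShell is an added example, not code from the original page: it inventories the trusts of the current domain with the ActiveDirectory RSAT module's Get-ADTrust and flags the settings a defender reviews first (SID filtering, selective authentication, unnecessary two-way trusts). The bit values are those documented for trustAttributes in MS-ADTS; the report function name is my own.

```powershell
# Added example, not part of the original page: inventory the trusts of the current
# domain and flag the settings a defender reviews first. Requires the ActiveDirectory
# RSAT module on a domain-joined host with read access to the directory.
Import-Module ActiveDirectory

# Bits of the trustAttributes attribute (MS-ADTS 6.1.6.7.9)
$NON_TRANSITIVE     = 0x1
$QUARANTINED_DOMAIN = 0x4    # SID filtering enabled on an external trust
$FOREST_TRANSITIVE  = 0x8    # forest trust
$CROSS_ORGANIZATION = 0x10   # selective authentication
$WITHIN_FOREST      = 0x20   # automatic parent/child or tree-root trust
$TREAT_AS_EXTERNAL  = 0x40   # SID history allowed across a forest trust (filtering relaxed)

function Get-TrustReport {
    foreach ($t in Get-ADTrust -Filter * -Properties TrustAttributes) {
        $a = [int]$t.TrustAttributes
        $kind = if ($a -band $WITHIN_FOREST) { 'intra-forest' }
                elseif ($a -band $FOREST_TRANSITIVE) { 'forest' }
                else { 'external/realm' }

        $findings = @()
        if ($kind -eq 'forest' -and ($a -band $TREAT_AS_EXTERNAL)) {
            $findings += 'SID history permitted across forest trust'
        }
        if ($kind -eq 'external/realm' -and -not ($a -band $QUARANTINED_DOMAIN)) {
            $findings += 'external trust without SID filtering'
        }
        if ($kind -ne 'intra-forest' -and -not ($a -band $CROSS_ORGANIZATION)) {
            $findings += 'domain-wide rather than selective authentication'
        }
        if ($kind -ne 'intra-forest' -and $t.Direction -eq 'BiDirectional') {
            $findings += 'two-way: confirm the inbound direction is required'
        }

        [pscustomobject]@{
            Source     = $t.Source
            Target     = $t.Target
            Direction  = $t.Direction            # Inbound, Outbound or BiDirectional
            Kind       = $kind
            Transitive = -not ($a -band $NON_TRANSITIVE)
            Findings   = if ($findings) { $findings -join '; ' } else { 'none' }
        }
    }
}

Get-TrustReport | Format-Table -AutoSize
```

Intra-forest trusts are created automatically and always transitive, which is why the report only raises findings on forest and external trusts; a forest trust with SID history permitted, or an external trust without quarantine, lets SIDs from the other side survive into access tokens and deserves a documented reason.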

Management solutions
Microsoft Active Directory management tools include:

 Active Directory Users and Computers,
 Active Directory Domains and Trusts,
 Active Directory Sites and Services,
 ADSI Edit,
 Local Users and Groups,
 Active Directory Schema snap-ins for Microsoft Management Console (MMC).
These management tools may not provide enough functionality for efficient workflow in large environments. Some third-party solutions extend the administration and management capabilities. They provide essential features for more convenient administration, such as automation, reports, integration with other services, etc.

Unix integration
Varying levels of interoperability with Active Directory can be achieved on most Unix-like operating systems (including Unix, Linux, Mac OS X or Java and Unix-based programs) through standards-compliant LDAP clients, but these systems usually do not interpret many attributes associated with Windows components, such as Group Policy and support for one-way trusts.
Third parties offer Active Directory integration for Unix-like platforms, including:

 FoxT ServerControl (Fox Technologies) – Implements AD bridging capabilities that allow Unix-like systems to join Active Directory and enable the use of Kerberos for authentication of users
 Centrify DirectControl (Centrify) – Active Directory-compatible centralized authentication and access control[48]
 Centrify Express (Centrify) – A suite of free Active Directory-compliant services for centralized authentication, monitoring, file-sharing and remote access
 UNAB (Computer Associates)
 TrustBroker (CyberSafe Limited) – An implementation of Kerberos
 PowerBroker Identity Services, formerly Likewise (BeyondTrust, formerly Likewise Software) – Allows a non-Windows client to join Active Directory[48]
 Quest Authentication Services (now part of Dell; formerly Quest, Vintela) – AD authentication, Group Policy management, user/group migration tools, auditing and reporting
 ADmitMac (Thursby Software Systems)[48]
 Frostale – A Ruby gem that allows Ruby applications to be accessed via Active Directory.
 Samba – Can act as a domain controller[49][50]
The schema additions shipped with Windows Server 2003 R2 include attributes that map closely enough to RFC 2307 to be generally usable. The reference implementation of RFC 2307, nss_ldap and pam_ldap provided by PADL.com, supports these attributes directly. The default schema for group membership complies with RFC 2307bis (proposed).[51] Windows Server 2003 R2 includes a Microsoft Management Console snap-in that creates and edits the attributes.
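Once Unix hosts resolve identities through these RFC 2307 attributes, the uidNumber stored in AD becomes the Unix identity, so two accounts sharing a uidNumber are one user on every such host. The following is an added example, not code from the page: it lists the POSIX attributes of every user that carries one and reports duplicate or root (0) uidNumber values. The attribute names are the ones the Windows Server 2003 R2 schema extension defines; the script itself is mine.

```powershell
# Added example, not part of the original page: list the RFC 2307 attributes that
# Windows Server 2003 R2 added to the schema and flag uidNumber values that would
# collapse several AD accounts into a single Unix identity. Needs the ActiveDirectory module.
Import-Module ActiveDirectory

$posixAttrs = 'uidNumber', 'gidNumber', 'unixHomeDirectory', 'loginShell', 'gecos'

function Get-PosixUserReport {
    # Only accounts that actually carry a POSIX uid matter to Unix clients
    $users = Get-ADUser -LDAPFilter '(uidNumber=*)' -Properties $posixAttrs

    $users | Select-Object SamAccountName, uidNumber, gidNumber, unixHomeDirectory, loginShell |
        Sort-Object uidNumber | Format-Table -AutoSize

    # Duplicate uidNumbers: every nss_ldap host treats these accounts as one user,
    # so file ownership and sudo rules no longer distinguish them.
    $users | Group-Object uidNumber | Where-Object Count -gt 1 | ForEach-Object {
        Write-Warning ("uidNumber {0} is shared by: {1}" -f $_.Name, ($_.Group.SamAccountName -join ', '))
    }

    # uidNumber 0 is root on the Unix side; no directory account should carry it
    $users | Where-Object { $_.uidNumber -eq 0 } | ForEach-Object {
        Write-Warning ("{0} has uidNumber 0 (root)" -f $_.SamAccountName)
    }

    # Accounts with a uid but no primary group id will fail to log on to most Unix hosts
    $users | Where-Object { -not $_.gidNumber } | ForEach-Object {
        Write-Warning ("{0} has uidNumber but no gidNumber" -f $_.SamAccountName)
    }
}

Get-PosixUserReport
```

The same grouping applied to Get-ADGroup with gidNumber catches duplicated Unix group ids; the schema does not enforce uniqueness of either attribute, so the directory has to be checked rather than trusted.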
An alternative is to use another directory service to which non-Windows clients authenticate, while Windows clients authenticate to AD. Directory services used this way include 389 Directory Server (formerly Fedora Directory Server, FDS), ViewDS Identity Solutions – ViewDS v7.2 XML Enabled Directory and Sun Microsystems Sun Java System Directory Server. The latter two are both able to perform two-way synchronization with AD and thus provide a "deflected" integration.
Another option is to use OpenLDAP with its translucent overlay, which can extend entries in any remote LDAP server with additional attributes stored in a local database. Clients pointed at the local database see entries containing both the remote and local attributes, while the remote database remains completely untouched.
Administration (querying, modifying, and monitoring) of Active Directory can be achieved via many scripting languages, including PowerShell, VBScript, JScript/JavaScript, Perl, Python, and Ruby.[52][53][54][55] Free and non-free AD administration tools can help to simplify and possibly automate AD management tasks.
https://en.wikipedia.org/wiki/Active_Directory

Active Directory (AD)


Definition - What does Active Directory (AD) mean?
Active Directory (AD) is a Windows OS directory service that facilitates working with interconnected, complex and
different network resources in a unified manner.
Active Directory was initially released with Windows 2000 Server and revised with additional features in Windows
Server 2008. Active Directory provides a common interface for organizing and maintaining information related to
resources connected to a variety of network directories. The directories may be systems-based (like Windows
OS), application-specific or network resources, like printers. Active Directory serves as a single data store for
quick data access to all users and controls access for users based on the directory's security policy.

Techopedia explains Active Directory (AD)


Active Directory provides the following network services:

 Lightweight Directory Access Protocol (LDAP) – An open standard used to access other directory
services
 Security service using the principles of Secure Sockets Layer (SSL) and Kerberos-based authentication
 Hierarchical and internal storage of organizational data in a centralized location for faster access and
better network administration
 Data availability in multiple servers with concurrent updates to provide better scalability

Active Directory is internally structured with a hierarchical framework. Each node in the tree-like structure is
referred to as an object and associated with a network resource, such as a user or service. Like the database
topic schema concept, the Active Directory schema is used to specify attribute and type for a defined Active
Directory object, which facilitates searching for connected network resources based on assigned attributes. For
example, if a user needs to use a printer with color printing capability, the object attribute may be set with a
suitable keyword, so that it is easier to search the entire network and identify the object's location based on that
keyword.
A domain consists of objects stored in a specific security boundary and interconnected in a tree-like structure. A
single domain may have multiple servers – each of which is capable of storing multiple objects. In this case,
organizational data is stored in multiple locations, so a domain may have multiple sites for a single domain. Each
site may have multiple domain controllers for backup and scalability reasons. Multiple domains may be
connected to form a Domain Tree, which shares a common schema, configuration and global catalog (used for
searching across domains). A Forest is formed by a set of multiple and trusted domain trees and forms the
uppermost layer of the Active Directory.
Novell's directory service, an Active Directory alternative, contains all server data within the directory itself, unlike
Active Directory.
https://www.techopedia.com/definition/25/active-directory

Group Policy is a feature of the Microsoft Windows NT family of operating systems that controls the working environment of user accounts and computer accounts. Group Policy provides centralized management and configuration of operating systems, applications, and users' settings in an Active Directory environment. A version of Group Policy called Local Group Policy ("LGPO" or "LocalGPO") also allows Group Policy Object management on standalone and non-domain computers.

Operation
Group Policy, in part, controls what users can and cannot do on a computer system: for example, to enforce a
password complexity policy that prevents users from choosing an overly simple password, to allow or prevent
unidentified users from remote computers to connect to a network share, to block access to the Windows Task
Manager or to restrict access to certain folders. A set of such configurations is called a Group Policy Object
(GPO).
As part of Microsoft's IntelliMirror technologies, Group Policy aims to reduce the cost of supporting users.
IntelliMirror technologies relate to the management of disconnected machines or roaming users and
include roaming user profiles, folder redirection, and offline files.

Enforcement
To accomplish the goal of central management of a group of computers, machines should receive and enforce
GPOs. A GPO that resides on a single machine only applies to that computer. To apply a GPO to a group of
computers, Group Policy relies on Active Directory (or on third-party products like ZENworks Desktop
Management) for distribution. Active Directory can distribute GPOs to computers which belong to a Windows
domain.
By default, Microsoft Windows refreshes its policy settings every 90 minutes plus a random offset of up to 30 minutes. On domain controllers, Microsoft Windows does so every five minutes. During the refresh, it discovers, fetches and applies all GPOs that apply to the machine and to logged-on users. Some settings - such as those for automated software installation, drive mappings, startup scripts or logon scripts - only apply during startup or user logon. Since Windows XP, users can manually initiate a refresh of the group policy by using the gpupdate command from a command prompt.[3]
Group Policy Objects are processed in the following order (from top to bottom):[4]
1. Local - Any settings in the computer's local policy. Prior to Windows Vista, there was only one local
group policy stored per computer. Windows Vista and later Windows versions allow individual group
policies per user accounts.[5]
2. Site - Any Group Policies associated with the Active Directory site in which the computer resides. (An
Active Directory site is a logical grouping of computers, intended to facilitate management of those
computers based on their physical proximity.) If multiple policies are linked to a site, they are processed
in the order set by the administrator.
3. Domain - Any Group Policies associated with the Windows domain in which the computer resides. If
multiple policies are linked to a domain, they are processed in the order set by the administrator.
4. Organizational Unit - Group policies assigned to the Active Directory organizational unit (OU) in which
the computer or user are placed. (OUs are logical units that help organizing and managing a group of
users, computers or other Active Directory objects.) If multiple policies are linked to an OU, they are
processed in the order set by the administrator.
The resulting Group Policy settings applied to a given computer or user are known as the Resultant Set of Policy
(RSoP). RSoP information may be displayed for both computers and users using the gpresult command.[6]

Inheritance
A policy setting inside a hierarchical structure is ordinarily passed from parent to children, and from children to grandchildren, and so forth. This is termed inheritance. It can be blocked or enforced to control what policies are applied at each level. If a higher-level administrator (enterprise administrator) creates an enforced policy and a lower-level administrator (domain administrator) blocks inheritance, the enforced policy will still be processed.
Where a Group Policy Preference setting is configured and there is also an equivalent Group Policy setting configured, the value of the Group Policy setting takes precedence.

Filtering
WMI filtering is the process of customizing the scope of the GPO by choosing a Windows Management
Instrumentation (WMI) filter to apply. These filters allow administrators to apply the GPO only to, for example,
computers of specific models, RAM, installed software, or anything available via WMI queries.
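The processing order, inheritance and WMI filtering described in the three sections above can be read back from the directory for any one computer. The following PowerShell is an added example, not from the page: it walks the container chain from the domain root down to the OU holding a computer account and lists the GPO links at each level in the domain-to-OU order Group Policy applies them, with the inheritance-blocked flag, enforcement and any WMI filter. It uses Get-GPInheritance and Get-GPO from the GroupPolicy RSAT module; the function name and the sample computer name WS01 are mine.

```powershell
# Added example, not part of the original page: for one computer, list the GPO links at
# every container from the domain root down to its OU, in the order Group Policy applies
# them. Local and site-linked GPOs come earlier in the processing order and are not part
# of this walk. Requires the ActiveDirectory and GroupPolicy RSAT modules.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-GpoLinkChain {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName
    # Drop the leading "CN=<name>," to get the container that holds the account
    $dn = ($computer.DistinguishedName -split ',', 2)[1]
    # Default containers such as CN=Computers cannot carry GPO links; skip up to the OU/domain
    while ($dn -match '^CN=') { $dn = ($dn -split ',', 2)[1] }

    # Collect containers from the OU upward, then reverse to get domain-first order
    $chain = @()
    while ($true) {
        $chain += $dn
        if ($dn -notmatch '^OU=') { break }          # reached the DC=... domain root
        $dn = ($dn -split ',', 2)[1]
    }
    [array]::Reverse($chain)

    foreach ($container in $chain) {
        $inh = Get-GPInheritance -Target $container
        foreach ($link in $inh.GpoLinks) {
            $gpo = Get-GPO -Guid $link.GpoId
            [pscustomobject]@{
                Container        = $container
                InheritanceBlock = $inh.GpoInheritanceBlocked   # blocks non-enforced links from above
                LinkOrder        = $link.Order                  # 1 = highest precedence in this container
                GPO              = $link.DisplayName
                Enabled          = $link.Enabled
                Enforced         = $link.Enforced               # survives inheritance blocking below
                WmiFilter        = if ($gpo.WmiFilter) { $gpo.WmiFilter.Name } else { '-' }
            }
        }
    }
}

Get-GpoLinkChain -ComputerName 'WS01' | Format-Table -AutoSize
```

Reading the table top to bottom gives the application order: later containers override earlier ones, and within a container a lower LinkOrder wins. An Enforced link on a higher container, or an InheritanceBlock on a lower one, is where the effective settings stop matching what a reader of the OU alone would expect; gpresult or Get-GPResultantSetOfPolicy on the client still gives the authoritative RSoP, including site and local policy.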

Local Group Policy

Local Group Policy (LGP, or LocalGPO) is a more basic version of Group Policy for standalone and non-domain computers, that has existed at least since Windows XP Home Edition, and can also be applied to domain computers. Prior to Windows Vista, LGP could enforce a Group Policy Object for a single local computer, but could not make policies for individual users or groups. From Windows Vista onward, LGP allows Local Group Policy management for individual users and groups as well,[1] and also allows backup, importing and exporting of policies between standalone machines via "GPO Packs" – group policy containers which include the files needed to import the policy to the destination machine.[2]

Group Policy preferences

Group Policy Preferences are a way for the administrator to set policies that are not mandatory, but optional for the user or computer. There is a set of group policy setting extensions that were previously known as PolicyMaker. Microsoft bought PolicyMaker and then integrated them with Windows Server 2008. Microsoft has since released a migration tool that allows users to migrate PolicyMaker items to Group Policy Preferences.[7]
Group Policy Preferences adds a number of new configuration items. These items also have a number of additional targeting options that can be used to granularly control the application of these setting items.
Group Policy Preferences are compatible with x86 and x64 versions of Windows XP, Windows Server 2003, and Windows Vista with the addition of the Client Side Extensions (also known as CSE).[8][9][10][11][12][13]
Client Side Extensions are now included in Windows Server 2008, Windows 7, and Windows Server 2008 R2.

Group Policy Management Console

Originally, Group Policies were modified using the Group Policy Edit tool that was integrated with the Active Directory Users and Computers Microsoft Management Console (MMC) snap-in, but it was later split into a separate MMC snap-in called the Group Policy Management Console (GPMC). The GPMC is now a user component in Windows Server 2008 and Windows Server 2008 R2 and is provided as a download as part of the Remote Server Administration Tools for Windows Vista and Windows 7.[14][15][16][17]

Advanced Group Policy Management

Microsoft has also released a tool to make changes to Group Policy called Advanced Group Policy Management[18] (a.k.a. AGPM). This tool is available for any organization that has licensed the Microsoft Desktop Optimization Pack (a.k.a. MDOP). This advanced tool allows administrators to have a check-in/check-out process for modifying Group Policy Objects, track changes to Group Policy Objects, and implement approval workflows for changes to Group Policy Objects.
AGPM consists of two parts - server and client. The server is a Windows Service that stores its Group Policy Objects in an archive located on the same computer or a network share. The client is a snap-in to the Group Policy Management Console, and connects to the AGPM server. Configuration of the client is performed via Group Policy.

Security
Group Policy settings are enforced voluntarily by the targeted applications. In many cases, this merely consists of disabling the user interface for a particular function or the means of accessing it.[19]
Alternatively, a malevolent user can modify or interfere with the application so that it cannot successfully read its Group Policy settings, thus enforcing potentially lower security defaults or even returning arbitrary values.[20]

Windows 8 enhancements
Windows 8 has introduced a new feature called Group Policy Update. This feature allows an administrator to force a group policy update on all computers with accounts in a particular Organizational Unit. This creates a scheduled task on the computer which runs the GPUPDATE command within 10 minutes, adjusted by a random offset to avoid overloading the domain controller.
Group Policy Infrastructure Status was introduced, which can report when any Group Policy Objects are not replicated correctly amongst domain controllers.[21]
Group Policy Results Report also has a new feature that times the execution of individual components when doing a Group Policy Update.[22]

Group Policy Objects: The Secret Weapon for Controlling a Windows Environment

Hidden under the hood of Microsoft Windows is a remarkable tool for centrally controlling the settings used on the
computers throughout your law office. From managing security to deploying applications, it’s worthwhile knowing
what Group Policy Objects can do.

First off, you’re probably wondering what the heck a Group Policy Object is. Basically, in a Windows environment
you can define user and computer configurations for an entire group using what’s called a group policy, and then
those configurations are stored in a Group Policy Object, or GPO. GPOs can be configured at the site, domain or
organizational unit level. They work by forcibly setting user and computer registry values—and because almost all
of a Windows computer system is controlled through the registry, there are all kinds of ways to put GPOs to use.

If reading paragraph one has already caused your eyes to glaze over, be forewarned that GPOs are not a sexy
topic. But they are doggone useful, so get yourself a double shot of espresso and read slowly to get information of
real use in your law office. The following covers some common uses for GPOs and even some standard controls
that should be implemented in law firms. The focus here is on using GPOs in a domain environment—which means
you are running Windows Server software on your network. However, many of the things that will be mentioned
are options for stand-alone computers running XP, or Windows 7, too.

What to Do with GPOs: Types of Control


Obviously, if you have a server-based environment, the preference is to centrally manage users, computers and
applications. And it’s much more time- and cost-effective to do that using Group Policies through Windows Active
Directory rather than running around to set the local policy on every computer. These Active Directory-based GPOs
are also known as nonlocal GPOs. They are created in Active Directory and stored on your domain controller, such
as a Windows 2000, 2003 or 2008 server. GPOs can do a lot to automate activity and control configurations of your
computers. These are some of the things that can be achieved:
 Configuring users’ desktops. This could include all sorts of things like device installations (e.g., printers or
scanners), setting display colors and the like.

 Configuring local security on computers. For example, you can restrict access to specific folders on a computer
or whether the last logon name appears on the machine.

 Installing applications. This is a great option for deploying new applications or sending out updates to multiple
computers simultaneously. GPOs can also be configured to remove the ability to run certain programs, like the
built-in games that come with Windows.

 Running startup/shutdown or logon/logoff scripts. You can have certain activities occur when the machine is
started or shut down by configuring a corresponding GPO. As one example, each user’s temporary files can be
cleared when the user logs off the computer.

 Configuring Internet Explorer settings. A prime example is setting the default home page for each user’s
browser.

 Redirecting folders. By assigning drive letters to specific folders, the user’s files can be redirected to special
areas on the network.

Administrative Tools: The GPO Editor
So how are these magic GPOs created and managed? To be clear, GPOs can get very complicated, so you may be
best served by using your IT staff or IT consultant to define or troubleshoot configurations on your system.
However, if you’re the tech-savvy kind, or you just appreciate knowing how things work, here are the access steps.
For Windows Server 2000 and 2003 domains, you use the Group Policy Object Editor from the Active Directory
Users and Computers console following these steps:

 Click Start, then Administrative Tools, and select Active Directory Users and Computers.

 In the console tree, locate and right-click the domain to which you want to link a GPO, and click Properties on
the shortcut menu.

 When the Properties dialog box for the domain opens, click the Group Policy tab.

 In the Group Policy Object Links list, click New and then click Edit to create a new GPO—or choose an existing
GPO in the Group Policy Object Links list and then click Edit.

 The Group Policy Object Editor opens for the domain GPO.
If you’re running a Windows 2008 domain, it’s a little different:

 Click Start, All Programs, Administrative Tools, and then click the Group Policy Management icon.

 Expand the domain name.

 Expand Group Policy Objects.


Generally, you would edit the default domain policy. The default domain policy already has a lot of built-in objects
that can be edited very easily to control the computing environment in your office. A wealth of technical details on
what they are and how to edit, implement and troubleshoot them can be found on the Microsoft site
at technet.microsoft.com/en-us/library. But again, especially in larger environments, it is not for the faint of heart.
Be sure you’re very comfortable with the tools before tackling it yourself.

Common GPOs for Law Offices


Now let’s get to the more interesting items—some standard controls that we recommend for all law offices. Several
of these are commonly implemented for security and confidentiality reasons. Others tend to be for application
management or standardization within the firm.
 Last logon ID. One highly recommended GPO involves removing the default display of the last ID that was
used to log on to a computer. And here’s why: Typically, you need to log on to a computer using a user name
and a password. But by default, Windows will leave the box for the user name populated with the last user’s
ID. This means that only one more piece of information (the password) is needed to gain access to the
computer and, therefore, the data on the network. Removing the display of the last logged on user
means two pieces of information (user ID and password) are needed, which makes it harder for an
unauthorized person to compromise your systems.

 Password length. Another object you should define on your network is password length. At present,
passwords that are at least 8 characters in length are typically required. However, recent research on
password-cracking results finds that requiring passwords that are 12 characters in length should be the
standard.

 Password expiration. For proper security, you should have a GPO that ensures passwords expire after a
certain period of time, thereby requiring that they be reset. You’re familiar with this concept if you do any
online banking. Periodic password changes help maintain the security of the system. A good policy is to set the
password expiration at 45 days.

 Password history. This registry value defines how much time must pass before you can reuse a password. It
prevents a user from changing the password (because it expired) back to a previous password value—which, of
course, would defeat the purpose of the expiration period. A smart policy sets this value at 24 months, which
means you’ll never see the same password being used again for at least two years. Some users will likely
object to this and complain that they can’t remember their passwords, but resist the temptation to soften this
policy. Teaching users to implement pass-phrases can help overcome resistance to mandatory password
updating.

 Account lockout threshold. This defines the number of times an incorrect user ID or password can be typed
in before the account is locked out—which is important in stopping attempts by a computer program or person
trying to gain access to your systems. Setting the threshold at a number between 3 and 5 should be sufficient
to account for honest mistakes and typographical errors.

 Account lockout duration. This defines the period of time that the account remains locked following the
number of invalid logon attempts defined in the threshold value. If you use a value of 0, the account will
remain locked until it is manually unlocked by the administrator. A lockout duration of 30 to 60 minutes,
though, will be sufficient to stop hackers or botnet computers from guessing user ID and password
combinations.

 Folder redirection. Via this GPO, the system folder contents for individual users are redirected to a central
storage area on the server. This allows them to use any computer and have their information stay consistent.
For example, by redirecting a user’s Application Data folder, which contains the user configuration files, user-
specific data that’s utilized by applications and PKI files, the user’s applications will work in exactly the same
way on another computer on the system. Similarly, by redirecting the Desktop folder, which contains the files
and shortcuts that appear on the user’s desktop, or the My Documents folder, which contains the user’s files
and pictures, the user can access any of these items from any computer.

 Browser settings. Many firms like consistency among workstation browsers. A GPO to change the default
home page for each user’s Internet Explorer home page can easily bring some uniformity by setting it to be the
home page for the firm’s Web site. This GPO will override any subsequent user changes. So, if a couple of
associates change their home page to CNN, too bad. The next time they log on and launch Internet Explorer,
they’re right back to the firm’s home page.

 Application deployment. This valuable feature can be used for things like rolling out new versions of MS
Office to every computer, and distributing antivirus software and software patches within the firm. While it’s
probably not worth the effort to implement a GPO to distribute QuickBooks to two computers, pushing out a
Tabs3 update to 14 computers is worth it.
Now that you know some of their common uses, you can imagine how GPOs can benefit your firm. Clearly, while
GPOs are not for the faint of heart, they offer great value in terms of consistency, in time and money savings and
in many levels of security.
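The password, lockout and last-logon-ID recommendations in the list above are all readable back from the domain and the workstation, so compliance can be checked rather than assumed. The following PowerShell is an added example, not code from the article: it reads the default domain password policy with Get-ADDefaultDomainPasswordPolicy (ActiveDirectory RSAT module), compares each value with the article's numbers, and reads the local DontDisplayLastUserName policy value. The function name is mine; the thresholds are the article's. One caveat the article glosses over: the password history setting counts previous passwords remembered, not months, so "24" is applied here as 24 remembered passwords.

```powershell
# Added example, not part of the original article: compare the domain's default password
# and lockout policy with the recommendations above, and confirm the "do not display last
# user name" GPO actually landed on this machine. Needs the ActiveDirectory RSAT module.
Import-Module ActiveDirectory

function Test-LawOfficeGpoBaseline {
    $p = Get-ADDefaultDomainPasswordPolicy

    # PasswordHistoryCount is a number of remembered passwords, not a period of time.
    # MaxPasswordAge of 0 means passwords never expire, which fails the check.
    $checks = @(
        [pscustomobject]@{ Setting = 'Minimum password length (>= 12)'
                           Actual  = $p.MinPasswordLength
                           Pass    = $p.MinPasswordLength -ge 12 }
        [pscustomobject]@{ Setting = 'Maximum password age in days (1-45)'
                           Actual  = $p.MaxPasswordAge.TotalDays
                           Pass    = $p.MaxPasswordAge.TotalDays -gt 0 -and $p.MaxPasswordAge.TotalDays -le 45 }
        [pscustomobject]@{ Setting = 'Passwords remembered (>= 24)'
                           Actual  = $p.PasswordHistoryCount
                           Pass    = $p.PasswordHistoryCount -ge 24 }
        [pscustomobject]@{ Setting = 'Lockout threshold (3-5; 0 = never locks)'
                           Actual  = $p.LockoutThreshold
                           Pass    = $p.LockoutThreshold -ge 3 -and $p.LockoutThreshold -le 5 }
        [pscustomobject]@{ Setting = 'Lockout duration in minutes (30-60; 0 = until admin unlocks)'
                           Actual  = $p.LockoutDuration.TotalMinutes
                           Pass    = $p.LockoutDuration.TotalMinutes -ge 30 -and $p.LockoutDuration.TotalMinutes -le 60 }
        [pscustomobject]@{ Setting = 'Password complexity enabled'
                           Actual  = $p.ComplexityEnabled
                           Pass    = [bool]$p.ComplexityEnabled }
    )

    # "Last logon ID": the GPO writes DontDisplayLastUserName=1 under the machine's
    # Policies\System key; reading it back confirms the policy applied to this host.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $val = (Get-ItemProperty -Path $key -Name DontDisplayLastUserName -ErrorAction SilentlyContinue).DontDisplayLastUserName
    $checks += [pscustomobject]@{ Setting = 'Do not display last user name (this machine)'
                                  Actual  = $val
                                  Pass    = ($val -eq 1) }
    $checks
}

Test-LawOfficeGpoBaseline | Format-Table -AutoSize
```

Get-ADDefaultDomainPasswordPolicy reads the policy from the Default Domain Policy; if fine-grained password policies (password settings objects) are in use, Get-ADUserResultantPasswordPolicy for a representative user is the value that actually applies to that account.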

How to use Group Policy to remotely install software in Windows Server 2003 and Windows Server 2008
This step-by-step article describes how to use Group Policy to automatically distribute
programs to client computers or users. You can use Group Policy to distribute
computer programs by using the following methods:

Assigning Software:
You can assign a program distribution to users or computers. If you assign the
program to a user, it is installed when the user logs on to the computer. When the
user first runs the program, the installation is completed. If you assign the program to
a computer, it is installed when the computer starts, and it is available to all users
who log on to the computer. When a user first runs the program, the installation is
completed.

Publishing Software:
You can publish a program distribution to users. When the user logs on to the
computer, the published program is displayed in the Add or Remove Programs dialog
box, and it can be installed from there.

Create a distribution point:
1. Log on to the server as an administrator.
2. Create a shared network folder where you will put the Microsoft Windows Installer package (.msi file) that you want to distribute.
3. Set permissions on the share to allow access to the distribution package.

Create a Group Policy Object (GPO):
To create a Group Policy Object (GPO) to use to distribute the software package, follow these steps:
1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click your domain, and then click Properties.
3. Click the Group Policy tab, and then click New.
4. Type a name for this new policy (for example, Office XP distribution), and then press Enter.
5. Click Properties, and then click the Security tab.
6. Clear the Apply Group Policy check box for the security groups that you don't want this policy to apply to.
7. Select the Apply Group Policy check box for the groups that you want this policy to apply to.
8. When you are finished, click OK.

Assign a package:
To assign a program to computers that are running Windows Server 2003, Windows 2000, or Windows XP Professional, or to users who are logging on to one of these workstations, follow these steps:
1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click your domain, and then click Properties.
3. Click the Group Policy tab, select the policy that you want, and then click Edit.
4. Under Computer Configuration, expand Software Settings.
5. Right-click Software installation, point to New, and then click Package.
6. In the Open dialog box, type the full Universal Naming Convention (UNC) path of the shared installer package that you want. For example, \\file server\share\filename.msi.

Important
Do not use the Browse button to access the location. Make sure that you use the UNC path of the shared installer package.

7. Click Open.
8. Click Assigned, and then click OK. The package is listed in the right-pane of the Group Policy window.
9. Close the Group Policy snap-in, click OK, and then close the Active Directory Users and Computers snap-in.
When the client computer starts, the managed software package is automatically installed.
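The distribution point, GPO creation and assignment steps above can be scripted up to the point where the package is added, which has no cmdlet in the GroupPolicy module and stays in the editor. The following PowerShell is an added example, not code from the article: it creates the share with read-only access for computer accounts and users (a computer-assigned package installs as SYSTEM, i.e. as the machine account, so Domain Computers must be able to read it), mirrors that ACL on NTFS, validates that the package path is UNC as the Important note demands, and creates and links the GPO with New-GPO and New-GPLink. Share, path, GPO and file names are constructed samples; the OU names are borrowed from the Globomantics tutorial later on this page.

```powershell
# Added example, not part of the original article: script the "distribution point" and
# "create a GPO" steps and link the GPO to an OU. Adding the .msi as a Software
# installation package is still done in the Group Policy editor. Requires the SmbShare,
# ActiveDirectory and GroupPolicy modules; all names below are constructed samples.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$shareName = 'Software'
$localPath = 'C:\Distribution\Software'
$msiName   = 'FoxitReader23.msi'
$gpoName   = 'Deploy Foxit Reader'
$targetOu  = 'OU=NYComputers,OU=NewYorkOU,DC=globomantics,DC=com'   # sample OU
$domain    = $env:USERDOMAIN

New-Item -ItemType Directory -Path $localPath -Force | Out-Null

# Computer-assigned packages install as SYSTEM (the machine account), so Domain
# Computers need read access; Authenticated Users covers user-assigned and published
# packages. Only admins get write access, because whatever sits in this share runs
# with SYSTEM privileges on every target computer.
New-SmbShare -Name $shareName -Path $localPath `
    -ReadAccess "$domain\Domain Computers", 'NT AUTHORITY\Authenticated Users' `
    -FullAccess "$domain\Domain Admins" | Out-Null

# NTFS ACL must match the share ACL; the effective right is the more restrictive of the two
icacls $localPath /inheritance:r `
    /grant:r "$domain\Domain Admins:(OI)(CI)F" `
    /grant:r "$domain\Domain Computers:(OI)(CI)RX" `
    /grant:r 'NT AUTHORITY\Authenticated Users:(OI)(CI)RX' | Out-Null

$unc = "\\$env:COMPUTERNAME\$shareName\$msiName"

# The package path is resolved on the client, so it must be a UNC path, never a
# local path or a drive letter that only exists on the server.
if ($unc -notmatch '^\\\\[^\\]+\\[^\\]+\\.+\.msi$') { throw "Not a UNC path to an .msi: $unc" }

$gpo = New-GPO -Name $gpoName -Comment "Installs $msiName from $unc"
New-GPLink -Guid $gpo.Id -Target $targetOu -LinkEnabled Yes | Out-Null

"Created GPO '$gpoName' ($($gpo.Id)) and linked it to $targetOu."
"Next: edit the GPO, open Computer Configuration > Software Settings > Software installation,"
"choose New > Package, and type the path $unc (do not browse to it)."
```

Copy the .msi into $localPath before linking the GPO, or leave the link disabled (-LinkEnabled No) until the package is in place, so that computers refreshing policy in the meantime do not log failed installations.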

Publish a package:
To publish a package to computer users and make it available for installation from the Add or Remove Programs list in Control Panel, follow these steps:
1. Start the Active Directory Users and Computers snap-in. To do this, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. In the console tree, right-click your domain, and then click Properties.
3. Click the Group Policy tab, click the policy that you want, and then click Edit.
4. Under User Configuration, expand Software Settings.
5. Right-click Software installation, point to New, and then click Package.
6. In the Open dialog box, type the full UNC path of the shared installer package that you want. For example, \\file server\share\file name.msi.

Important
Do not use the Browse button to access the location. Make sure that you use the UNC path of the shared installer package.

7. Click Open.
8. Click Publish, and then click OK. The package is listed in the right-pane of the Group Policy window.
9. Close the Group Policy snap-in, click OK, and then close the Active Directory Users and Computers snap-in.

Test the package:

Note
Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.

1. Log on to a workstation that is running Windows 2000 Professional or Windows XP Professional by using an account that you published the package to.
2. In Windows XP, click Start, and then click Control Panel.
3. Double-click Add or Remove Programs, and then click Add New Programs.
4. In the Add programs from your network list, click the program that you published, and then click Add. The program is installed.
5. Click OK, and then click Close.

How to Install Software Using GPOs


Assuming that you already have the .msi file ready, let's start with creating a shared folder on our network.

1. Browse to the location on your network, right-click and select New, then Folder.

2. Name the folder -- in this example we are going to call it "Software".

3. Select that folder and then click on the Share button on the menu toolbar.
4. As mentioned above, every machine needs at least read access to this folder. To grant it, type
Everyone and press Enter, or click the Add button.

5. Make sure the Permission Level says Reader and then click the Share button.
6. Remember or write down the location of this shared folder. In our example the location is
\\Y-MEM1-2K8\Software

7. Double click on the Shared Folder you just created and once again perform the steps to create a new
folder.

This time name the folder with a name specific to the software you are about to install. We are going to call
it "Foxit".
8. Double click on the new folder ("Foxit") and copy and paste the .msi file for the software you want to
install. Our .msi is called FoxitReader23.

9. Now it is time to switch to your domain controller.

We are going to switch to our DC1 server. Once there, go ahead and open up Server Manager.
10. Now you need to point to the Organizational Unit where the new Group Policy Object will reside.

To start off, go ahead and expand Features, then Group Policy Management, and then your Forest. In our
example it is the Globomantics.com forest.

11. Then expand Domains and then the domain in which you want to create the GPO.

12. Once you are in the correct domain, expand the Organizational Unit. In our example, we are expanding
NewYorkOU.

13. Since we want the software to be installed on every single computer, we are going to create the Group
Policy Object in our NYComputers Organizational Unit.

Go ahead and click on that OU.


14. To create a new GPO, right-click the appropriate Organizational Unit and select Create a GPO in this
domain, and Link it here...

15. Name your new GPO and hit OK.


16. To make sure the new GPO was created, go ahead and expand the Group Policy Objects.

You should see your GPO listed there. That GPO is now linked to our NYComputers OU.

17. Right-click the GPO under the Organizational Unit, and then select Edit.
18. That should open a Group Policy Management Editor.

19. Go ahead and expand Computer Configuration, then Policies, and then Software Settings.

20. Next click on and select Software Installation.

21. Right-click in the right pane of Software Installation, point to New, and then click Package.
22. Browse to the location where your software .msi file exists.

In our example it is NY-MEM1-2K8 → Software → Foxit. Once you have located it, double click on the file
or select it and then click on the Open button.

23. Select Assigned and click OK.


Testing
Before you actually go and test this on one of your client machines, do not forget to run a GPO update. To
do so, open a command prompt on your Domain Controller and type gpupdate /force.

Once the update has run through, go to one of your clients and restart the machine. Keep in mind that for
the software to be installed on a computer, you will need to do a hard reboot.

Now go ahead and relax for the rest of your day.
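The share, GPO and testing steps above (and the Windows 2000/2003 "assign a package" procedure earlier on this page) can be scripted. The following is an added example, not code from the original tutorial or from Microsoft; it assumes you run it as a domain admin on a domain controller that has the GroupPolicy module (RSAT, Windows Server 2008 R2 or later), that PowerShell 4.0 or later is present for Get-FileHash, and that the source MSI path, server name, OU path and GPO name are placeholders modelled on the tutorial. One thing the click-through steps do not mention: the MSI is installed with SYSTEM privileges on every computer in the OU, so the share must be read-only for everyone but administrators, and the installer's signature should be verified before it is deployed.

```powershell
# Added example (not from the page). Stage an MSI on a read-only share, verify it,
# then create and link a GPO for the computers OU. All names are placeholders.
$ShareRoot  = 'C:\Software'
$ShareName  = 'Software'
$Product    = 'Foxit'
$MsiName    = 'FoxitReader23.msi'
$SourceMsi  = 'D:\Downloads\FoxitReader23.msi'        # placeholder: where the MSI was downloaded to
$FileServer = $env:COMPUTERNAME                        # placeholder for the tutorial's NY-MEM1-2K8
$OuDn       = 'OU=NYComputers,OU=NewYorkOU,DC=Globomantics,DC=com'
$GpoName    = 'Deploy Foxit Reader'

$PackageDir = Join-Path $ShareRoot $Product
$MsiPath    = Join-Path $PackageDir $MsiName
$UncPath    = "\\$FileServer\$ShareName\$Product\$MsiName"   # the path the GPO must reference (steps 1-6)

# 1. Folder tree, NTFS ACL and share. Computer GPOs are applied by the machine
#    account, so Everyone (which includes computers) gets read access and nothing
#    more: anyone who can modify the MSI controls what every computer installs.
New-Item -ItemType Directory -Path $PackageDir -Force | Out-Null
icacls $ShareRoot /inheritance:r /grant:r 'SYSTEM:(OI)(CI)F' 'Administrators:(OI)(CI)F' 'Everyone:(OI)(CI)RX' | Out-Null
net share "$ShareName=$ShareRoot" /GRANT:Everyone,READ | Out-Null

# 2. Copy the installer in (steps 7-8) and refuse to deploy it unless its
#    Authenticode signature verifies. Record the SHA-256 so the file on the share
#    can be compared against it later.
Copy-Item -Path $SourceMsi -Destination $MsiPath
$sig = Get-AuthenticodeSignature -FilePath $MsiPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to deploy ${MsiPath}: signature status is $($sig.Status)"
}
$hash = (Get-FileHash -Path $MsiPath -Algorithm SHA256).Hash
"$hash  $UncPath" | Out-File -FilePath (Join-Path $ShareRoot 'deployed-packages.sha256') -Append -Encoding ascii

# 3. Create the GPO and link it to the computers OU (steps 13-16). There is no
#    cmdlet for the Software Installation node itself: open the GPO in the editor
#    and add $UncPath as an Assigned package (steps 17-23).
Import-Module GroupPolicy
New-GPO -Name $GpoName -Comment "Assigns $UncPath to computers in $OuDn" | Out-Null
New-GPLink -Name $GpoName -Target $OuDn -LinkEnabled Yes | Out-Null

# 4. Confirm the link on the OU, then refresh policy on the DC as in Testing.
Get-GPInheritance -Target $OuDn |
    Select-Object -ExpandProperty GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName } |
    Format-Table DisplayName, Enabled, Enforced, Order
gpupdate /force

# On a client, after its restart, confirm the GPO applied to the computer:
#   gpresult /r /scope:computer
```

The NTFS grant for Everyone is deliberately RX rather than Modify: the share-level READ alone is not a control, because anyone with an interactive session on the file server bypasses share permissions entirely.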



Network Printer

Learning Objectives:
At the end of the lesson, the trainee should be able to:
1. Identify the network printer installation procedures
2. Explain the use of printer on the network

Introduction
This unit covers the network printer. Advanced printing configuration with
detailed procedures is illustrated in this section. The learner will learn how to set up
multiple printers on the network. Specifically, it illustrates how to share a
printer and how to install a printer on a network.

Advanced Printing

Whether printing devices are attached to the computer that is running Windows 2000
Server or are located elsewhere on the AppleTalk network, the Printers folder displays a
list of print jobs for the printers you created to represent the devices. Each list, by default,
presents jobs on a first-come, first-serve basis. You can change the priority of jobs,
however, and specify permissions for the printer and times for print jobs to run. For
example:

• Set up multiple printers that all send print jobs to a single printing device. You
might want to assign the printers a priority number or assign times for the printer
to spool its jobs. Figure 13.7 illustrates this approach.
• Set up a single printer that sends print jobs to a pool of printing devices. Doing
this can make printing more efficient because print jobs are sent to the first
available printing device in the pool.

Figure 13.7 Multiple Printers with a Single Printing Device

Creating Multiple Printers for a Single Printing Device

You might want to create multiple printers, all of which send print jobs to a single printing
device. Each printer has a print-priority level associated with it. If you create two printers
and associate them with a single printing device, jobs routed to the printer with the highest
priority print first.
For Windows 2000 users, it is a good idea to create a group that corresponds to each
printer. For example, users in Group 1 might have access rights to a priority 1 printer,
users in Group 2 might have access rights to a priority 2 printer, and so on. This allows
you to prioritize print jobs according to the users who are submitting them.

For Macintosh users, however, one user account must be created for all incoming print
jobs to the computer that is running Windows 2000 Server. Consequently, all Macintosh
users who are sending print jobs through the computer that is running Windows 2000
Server have the same access rights.

To specify priorities for printers sending jobs to a single printing device

1. If necessary, create two or more printers and share them.
2. Open Printers.
3. Right-click a printer, and click Properties.
4. In the Advanced tab, select a priority.

Creating Printing Pools

When you create a printer, you can associate it with more than one printing device in order
to form a printing pool. A printing pool consists of two or more similar printing devices
associated with one printer name. To set up a pool, you create a printer and assign it as
many output ports as you have identical printing devices. Printing pools have the following
characteristics:

• All devices in the pool share the same print property settings and act as a single
unit. For example, stopping one device stops them all.
• Print destinations can be of the same type, or they can be mixed (serial, parallel, and
network).
• When a job arrives for the printing pool, the spooler on the computer that is running
Windows 2000 Server checks the destinations to see which device is idle. The first
port that is selected gets checked first, the second port second, and so on. If your
pool consists of different types of port, make sure you select the fastest port first
(network, then parallel, then serial).
• A printing pool can contain a mixture of printer interface types, but the printing
devices must all use the same printer driver.
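Both configurations described above, two prioritised printers on one device and a printing pool, can be created from the command line. This is an added example, not from the original page: it uses the PrintManagement module (Windows 8 / Windows Server 2012 or later; the Windows 2000 steps on this page do the same thing through the Printers folder GUI). The driver name, the port names and the 192.0.2.x addresses are constructed placeholders.

```powershell
# Added example (not from the page): prioritised printers and a printing pool.
Import-Module PrintManagement

$Driver = 'Microsoft PCL6 Class Driver'    # assumed to be installed on the server
$Device = @{ Name = 'IP_192.0.2.50'; Host = '192.0.2.50' }   # constructed: single device
$Pool   = @(                                                  # constructed: two identical devices
    @{ Name = 'IP_192.0.2.51'; Host = '192.0.2.51' },
    @{ Name = 'IP_192.0.2.52'; Host = '192.0.2.52' }
)

function Add-PortIfMissing([string]$Name, [string]$HostAddress) {
    # Standard TCP/IP port, created only if it does not already exist.
    if (-not (Get-PrinterPort -Name $Name -ErrorAction SilentlyContinue)) {
        Add-PrinterPort -Name $Name -PrinterHostAddress $HostAddress
    }
}

Add-PortIfMissing $Device.Name $Device.Host
foreach ($p in $Pool) { Add-PortIfMissing $p.Name $p.Host }

# --- Multiple printers, single device --------------------------------------
# Both queues feed the same port; the spooler dispatches jobs from the higher
# priority queue first (1 = lowest, 99 = highest). Restrict who may print to
# the urgent queue on its Security tab (or with Set-Printer -PermissionSDDL) so
# that priority follows group membership, as the text recommends.
Add-Printer -Name 'Sales-Normal' -DriverName $Driver -PortName $Device.Name -Shared -ShareName 'Sales-Normal'
Set-Printer -Name 'Sales-Normal' -Priority 1
Add-Printer -Name 'Sales-Urgent' -DriverName $Driver -PortName $Device.Name -Shared -ShareName 'Sales-Urgent'
Set-Printer -Name 'Sales-Urgent' -Priority 99

# --- Printing pool -----------------------------------------------------------
# A pooled printer stores its ports as one comma-separated PortName; the spooler
# checks them in that order and uses the first idle device, so list the fastest
# interface first. Every pool member must use the same driver.
$PoolPorts = ($Pool | ForEach-Object { $_.Name }) -join ','
Add-Printer -Name 'Sales-Pool' -DriverName $Driver -PortName $PoolPorts -Shared -ShareName 'Sales-Pool'

# Audit view: each queue, its priority and the port(s) behind it.
Get-Printer | Where-Object { $_.Name -like 'Sales-*' } |
    Select-Object Name, Priority, PortName, Shared
```

The final Get-Printer listing is the quick check for the point made in the text: a queue that is shared to everyone with priority 99 defeats the purpose of the priority scheme, so the share and the permissions on the urgent queue should be reviewed together.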

How to Share Printers on a Network


To install a network, Wi-Fi, or Bluetooth printer

1. Open Devices and Printers by clicking the Start button, and then, on the Start menu, clicking Devices and
Printers.
2. Click Add a printer.
3. In the Add Printer wizard, click Add a network, wireless or Bluetooth printer.
When you take into account its purchase price and all of the consumables it requires--
toner or ink, paper, imaging drums, and more--you may find that a printer is one of the
most expensive pieces of IT equipment in your business.

When any one user needs access to an expensive machine only intermittently, sharing the
hardware among as many users as possible makes sense. The simplest way to accomplish
this in an office is to put the printer on the office network, where all network users can
reach it.

There are three basic approaches to putting a printer on a network. The first is to use a
printer that has networking capabilities built in. The second is to attach a printer to a
separate network endpoint (a dedicated print server) that may or may not have additional
features. And the third is to attach the printer to a computer workstation and share it with
other network users.

Each of these methods has its own advantages and disadvantages, and each works best
under specific circumstances.

Connecting a Network-Enabled Printer

The easiest type of printer to connect is one that comes with a network adapter already
installed in it. If your network architecture is simple, you can have a peripheral of this type
printing across the network in a matter of minutes.

If every computer in the office or home network resides in the same network space (that is,
if the first three triplets in the xxx.xxx.xxx.xxx IP address are the same for each machine),
setting up printer sharing is quite simple. If different subnetworks exist (so that only the
first two triplets are the same for every computer) the task is more complicated--but in
such a case, your business probably also has a dedicated IT staff.

You can add standard printers to a network with a dedicated print server. Often the product description accompanying printers equipped
with preinstalled network adapters includes the words "network printer" or "network capable." Many printer
manufacturers signal that the printer is network-ready by including the letter "n" somewhere in the model name. The
network connection provided may be cable-based or wireless. Either method of data transfer will be faster than the
speed at which paper can come out of the printer, so the method has no significant impact on printer performance.
Network-enabled machines may be inkjets (such as the Epson B-510DN and the HP OfficeJet Pro 8000 Wireless) or
lasers (such as the Dell 5130cdn and the HP CP4025dn).

Install a printer on a home network

Windows 7

There are two basic ways to make a printer available to the computers on your home
network:

 Attach it directly to one computer and share it with all the others on a network.
 Connect the printer as a stand-alone device on the network itself.

This article explains how to do both in Windows. However, you should always first consult
the information that came with your model for specific installation and setup instructions.
If you're just getting started, and you need to install your printer, see Install a printer for
information about how to set up your printer.

Setting up a shared printer

Traditionally, the most common way to make a printer available to a home network has
been to connect it to one of the computers and then tell Windows to share it. This is called
a shared printer.

The advantage of sharing a printer is that it works with any USB printer. The downside?
The host computer always must be powered up, otherwise the rest of the network won't be
able to access the shared printer.

In previous versions of Windows, setting up a shared printer could sometimes be tricky.
But a new home networking feature in Windows 7 called HomeGroup has greatly simplified
the process.

When a network is set up as a homegroup, printers and certain files are automatically
shared. To learn more about what homegroups do and how to use them, see HomeGroup:
recommended links.

If you've already set up a homegroup and want to access a shared printer from another
homegroup computer, just follow these steps:

To manually connect to a homegroup printer

Setting up a network printer

Network printers—devices designed to connect directly to a computer network as a
stand-alone device—were once found mostly in large offices.

Today, printer manufacturers are increasingly offering inexpensive inkjet and laser
printers that are designed to serve as network printers on home networks. Network printers
have one big advantage over shared printers: they're always available.

There are two common types of network printers: wired and wireless.

 Wired printers have an Ethernet port, which you connect to your router or hub via
an Ethernet cable.
 Wireless printers typically connect to your home network using Wi-Fi or Bluetooth
technology.

Some printers offer both options. The instructions that came with your model should tell
you exactly how to install it.

Add Network Printers Automatically

Applies To: Windows 7, Windows Server 2008 R2

You can use the Print Management snap-in to automatically detect all the printers that
are located on the same subnet as the computer on which you are running Print
Management, install the appropriate printer drivers, set up the queues, and share the
printers.

To add a printer by IP address or hostname, you must be a member of the local
Administrators group or be granted the Manage Server permission.

To automatically add network printers to a print server

1. Open Print Management.
2. In the left pane, click Print Servers, click the applicable print server, right-click
Printers, and then click Add Printer.
3. On the Printer Installation page of the Network Printer Installation Wizard, click
Search the network for printers, and then click Next. If prompted, specify which
driver to install for the printer.

Note

To add printers that are on the same subnet as a remote print server, use Remote Desktop to log on to the print
server, open Print Management and then add the printer.

Additional considerations

 To open Print Management, click Start, point to Administrative Tools, and then click Print Management.

 If you are a member of the local Administrators group, you can grant someone else the Manage Server
permission to be able to add a printer by IP address or hostname. To do this, open Print Management, double-
click Print Servers, right-click the applicable print server, and click Properties. On the Printer Server Properties
dialog box, click the Security tab, select the user from the list, click the Manage Server check box under Allow,
and then click OK.

 If the Print Management snap-in is not available because the Print Server role service is not installed on this
server, you must have administrative privileges to be able to add a printer by IP address or hostname. While in
the Add Printer Wizard, select Add a local or network printer as an administrator and follow the instructions
in the Add Printer Wizard to add a printer using administrative privileges.

 To add Web Services for Devices (WSD) printers for sharing and to view them on your network, network
discovery must be enabled and the PnP-X IP Bus Enumerator service must be running. To add a WSD printer,
you must be a member of Administrators group.

To enable network discovery, click Start, click Control Panel, and then click Network and Internet. On the
Network and Internet page, click Network and Sharing Center. On the Network and Sharing Center page, click
Change advanced sharing settings. On the Advanced sharing settings page, click the arrow next to Domain,
click turn on network discovery, and then click Save changes.

To start the PnP-X IP Bus Enumerator service, click Start, click Administrative Tools and then click Services. In
the center pane, right-click PnP-X IP Bus Enumerator and then click Start.
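The two prerequisites for WSD printers listed above can be checked and applied from PowerShell. This is an added check, not from the original page or from Microsoft's documentation; it assumes Windows Server 2012 / Windows 8 or later for Get-NetFirewallRule, and uses IPBusEnum, the service name behind the "PnP-X IP Bus Enumerator" display name. Network discovery is a firewall rule group, and the text enables it under Domain only; the check below does the same and reports any rule that is also open on the Public profile, where it would advertise the print server to every host on the segment.

```powershell
# Added check (not from the page): WSD printer prerequisites on a print server.
function Test-WsdPrereqs {
    $ok = $true

    # 1. The PnP-X IP Bus Enumerator service must be running.
    $svc = Get-Service -Name IPBusEnum -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Warning 'PnP-X IP Bus Enumerator (IPBusEnum) is not installed on this host'
        $ok = $false
    } elseif ($svc.Status -ne 'Running') {
        Write-Warning "$($svc.DisplayName) is $($svc.Status); starting it"
        Start-Service -Name IPBusEnum
    }

    # 2. Enable the Network Discovery rule group for the Domain profile only
    #    (the same thing the Advanced sharing settings page does under Domain).
    netsh advfirewall firewall set rule group="Network Discovery" profile=domain new enable=yes | Out-Null

    # Report any Network Discovery rule that is enabled on the Public profile
    # (or on Any profile, which includes Public).
    $exposed = Get-NetFirewallRule -DisplayGroup 'Network Discovery' |
        Where-Object { $_.Enabled -eq 'True' -and ($_.Profile -match 'Public' -or $_.Profile -match 'Any') }
    if ($exposed) {
        Write-Warning 'Network Discovery rules are enabled on the Public profile:'
        $exposed | Select-Object DisplayName, Direction, Profile |
            Format-Table -AutoSize | Out-String | Write-Warning
        $ok = $false
    }

    return $ok
}

Test-WsdPrereqs
```

Run it once after enabling discovery; a return value of False means either the enumerator service is missing or discovery is exposed more widely than the Domain profile the text calls for.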

References:

http://www.pcworld.com/article/203625/how_to_set_up_network_printing.html

https://technet.microsoft.com/en-us/library/cc976934.aspx

http://windows.microsoft.com/en-us/windows/install-printer-home-network#1TC=windows-7

https://technet.microsoft.com/en-us/library/cc732747.aspx
