
Chapter 4 Active Directory, Domains & Trusts

Overview: Active Directory has an immense amount of power – but it is latent unless you can
manipulate and configure its content. This chapter sheds light on mastering domains: how
domain controllers work together, how trusts are built, and how intra-site and inter-site
replication work.

Knowledge of Active Directory requires that you know how to work the directory management
console, create and locate directory objects and work with Active Directory Scripting Interface
(ADSI).

With Active Directory you can delegate authority to responsible people in your group, which
lets you assign permissions so that you need not work so hard! You will learn how to establish
and manage trusts later in this chapter.

Objectives: At the end of this chapter, you will be able to:

Define the working of the five roles in Active Directory
Know about Intra-site and inter-site replication
Identify and use the Directory Management console
Create and locate objects in Active Directory
Manage, assign and allocate directory permissions
Create and manage resources in a trust relationship

Mastering your Domain: In the previous chapter, you learnt something about the Active
Directory in Windows Server 2003. Domain controller roles are not defined during the
installation of Windows Server 2003. They are defined by running the Active Directory
Installation Wizard, about which you learned in the earlier chapter.

All domain controllers in Windows Server 2003 are equal and share peer-to-peer relationships
rather than acting either as a master (PDC) or a slave (BDC) in a master-slave relationship.

Windows Server 2003 utilizes five special roles to keep these peers in line. These roles are
called Flexible Single Master of Operations (FSMO) roles, and the domain controller holding a
role is known as its operations master. Each of the five roles manages a particular aspect of a
domain or forest. Some FSMO roles are domain-wide, so their effect is confined to the given
domain.

In case of a forest having multiple domains, each domain has a domain-wide FSMO domain
controller. Other FSMO domain controllers have a forest-wide role. Each forest-wide FSMO
domain controller is the only one of its type in the entire forest, regardless of the number of
domains in the forest.

The following is a list of the working of the five roles in Active Directory.

Schema master: At the core of Active Directory, the schema is the blueprint for all
objects and containers. Because the schema has to be the same throughout an entire
forest, only one domain controller can be used to make modifications to it.

Domain naming master: A domain name has to be verifiably unique before it can be
added to the forest. The domain naming master of the forest oversees domain name
allocation and operation and ensures that only verifiably unique names are assigned.
Its other functions are to add or delete cross-references to domains in external
directories, such as Lightweight Directory Access Protocol (LDAP) directories.


Relative ID (RID) master: Any domain controller can create new objects like users,
groups and computer accounts. The RID master is contacted by a domain controller
when that domain controller has fewer than 100 RIDs left. This means that the RID
master can be unavailable for short periods of time without causing object creation
problems, and it ensures that each object has a unique RID. There is only one RID
master per domain.

PDC emulator: The PDC emulator domain controller acts as a Windows NT primary
domain controller in a domain environment with Windows 2003 DCs. It processes all
NT4 password changes from clients and replicates domain updates to the down-level
BDCs. After upgrades are performed to the domain controllers and all BDCs are either
upgraded or removed from the environment, the Windows 2003 domain can be
switched to native mode. At this stage, the PDC emulator still performs certain duties
that are not handled by any other DCs in the domain. There is only one PDC emulator
domain controller for each domain in the forest, including child domains.

Infrastructure master: When a user and a group belong to different domains, there can
be a time gap between changes to the user profile (e.g. user name) and its display in
the group. The responsibility for fixing the group-to-user interface rests with the
infrastructure master, which performs its fix-ups locally and relies on replication to bring
all other replicas of the domain up to date.
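As an added example (not part of the chapter), the following PowerShell script reads which domain controller currently holds each of the five roles. It relies on the fact that each role's owner is recorded in the fSMORoleOwner attribute of one specific directory object, reached through ADSI; it assumes it is run on a domain-joined machine, and the domain name in the comments is a placeholder.

```powershell
# Added example (not part of the chapter): report which domain controller holds
# each of the five FSMO roles. Every role's owner is recorded in the
# fSMORoleOwner attribute of one specific directory object; the value is the DN
# of the holder's "NTDS Settings" object, whose parent RDN is the DC's name.
# Assumes a domain-joined machine; reading these attributes needs no special rights.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = [string]$rootDse.defaultNamingContext        # e.g. DC=example,DC=com (placeholder)
$configNc = [string]$rootDse.configurationNamingContext  # CN=Configuration,DC=...
$schemaNc = [string]$rootDse.schemaNamingContext         # CN=Schema,CN=Configuration,DC=...

# The object that carries fSMORoleOwner for each role, and the role's scope.
$roles = @(
    @{ Role = "Schema master";         Scope = "forest"; Path = "LDAP://$schemaNc" },
    @{ Role = "Domain naming master";  Scope = "forest"; Path = "LDAP://CN=Partitions,$configNc" },
    @{ Role = "PDC emulator";          Scope = "domain"; Path = "LDAP://$domainNc" },
    @{ Role = "RID master";            Scope = "domain"; Path = "LDAP://CN=RID Manager`$,CN=System,$domainNc" },
    @{ Role = "Infrastructure master"; Scope = "domain"; Path = "LDAP://CN=Infrastructure,$domainNc" }
)

function Get-FsmoHolderName {
    param([string]$Path)
    $owner = [string]([ADSI]$Path).fSMORoleOwner
    # A holder that was removed without transferring the role leaves a dangling
    # reference into the Deleted Objects container (the DN contains "0ADEL");
    # flag it, because the role then has no working owner.
    if ($owner -match '0ADEL') { Write-Warning "Role owner for $Path is a deleted object: $owner" }
    # Normal shape: CN=NTDS Settings,CN=DC01,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,...
    if ($owner -match '^CN=NTDS Settings,CN=([^,]+),') { return $Matches[1] }
    return $owner   # unexpected shape: show the raw DN rather than guessing
}

$report = foreach ($r in $roles) {
    New-Object PSObject -Property @{
        Role   = $r.Role
        Scope  = $r.Scope
        Holder = Get-FsmoHolderName -Path $r.Path
    }
}
$report | Format-Table Role, Scope, Holder -AutoSize
```

Run it from any domain member: the two forest-scope rows come out the same whichever domain of the forest you query, while the three domain-scope rows change with the domain the machine belongs to, which is exactly the forest-wide versus domain-wide distinction described above.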

Trusts and Active Directory Domains: Windows Server 2003 uses Active Directory to manage
the trust relationships between domains. It automatically creates trust relationships
between all domains in a forest just as it did under Windows 2000, but the real change is that
all trusts are now created automatically and are transitive by default. Thus, if A trusts B and B
trusts C, A will automatically trust C, and vice versa.

In the previous chapter, you learnt about multi-master replication, with which any change
made to an Active Directory database is replicated to all other domain controllers in that
domain. You will now take a look at intra-site replication and inter-site replication, but before
that, a word on sites.

A site is a collection of machines and domain controllers connected by a fast network and
grouped by IP subnets. Sites have everything to do with replication – they allow you to define
different replication schedules depending on the domain controllers’ site membership.

Trust you know… Let there be two domains A and B. A trusts B, so B is the trusted domain
while A is the trusting domain. Because A trusts B to authenticate its users, those users from B
could be assigned access to resources in A. You could also have bi-directional trusts where
both the domains A and B trust each other and their users have access to both their resources.

Intra-site replication: When you make a change to the Active Directory, like adding or
deleting a user or changing an object attribute, it is replicated to all other domain controllers in
the domain. This first change is called an originating update.

What happens is this: the domain controller where the originating update was made sends a
notification to its replication partners that a change has been effected. After replication, the
partners get a copy of the change that was effected on the other domain controller. This
updating of the Active Directory on the partner domain controller is called a replicated update,
because it originated in a different location.


Replication takes place between domain controllers at a default setting of five-minute intervals,
but when it is urgent, replication using notification can be initiated for the following reasons:

An account is newly locked-out: This prevents users from moving to another part of a
domain to log on with a user account that has been locked out on a domain controller.
A trust account is modified: This enables all members of a domain to take advantage of
a new trust with another domain.

With Windows Server 2003, password changes are written first to the PDC emulator FSMO. If a
logon fails because of a bad password, the PDC emulator FSMO is consulted to find out whether
the password has recently been changed but not yet replicated.

If replication partners do not receive any change notifications within an hour, they contact
their replication partners to check whether any updates were made remotely and whether the
corresponding change notifications were missed.

Inter-site replication: This takes place between particular servers in one site and particular
servers in another site. Windows Server 2003 excels because you can configure a timetable
of how often to replicate for every hour of the day, by performing the following steps:

Open the Active Directory Sites and Services MMC snap-in (Start -> Administrative
Tools -> Active Directory Sites and Services).
Go to the Inter-Site Transport branch and select IP.
In the right-hand pane, select a site link, right-click and choose Properties.
Ensure that the General tab is selected and then click Change Schedule.

The following screengrab shows the dialog box where you change the replication times.
In the above visual, replication is set to occur from midnight to 5 a.m. all days of the week.
You could change this to any schedule you prefer.

You could have a different replication schedule for every pair of sites; depending on network
connectivity and geographical location, different schedules may be required. A slow WAN link
between two sites would call for less frequent replication to limit bandwidth consumption.

The Global Catalogue contains all information about every object in its domain and a subset of
the information for every object in the forest. Windows Server 2003 performs all the calculations
needed to optimize this replication, freeing you from this bother.

Did you know … Windows Server 2003 has the capability of 10,000,000 objects per domain?
Compaq has performed tests and created 16,000,000 objects per domain without significant
performance problems, albeit with extremely powerful hardware. Your database size is
governed by your domain controller hardware and the physical network infrastructure. But
mostly, you will need just a single domain unless your company is huge, or you require multiple
domains and forests such as needing different schemas.

Controlling Domains and Directories: Windows Server 2003 comes with a complete set of
ready-to-use tools to harness the power of Active Directory. You can also write your own tools
and scripts using the Active Directory Scripting Interface (ADSI).

The directory management console: Management of Active Directory is accomplished using
a Microsoft Management Console (MMC) snap-in. The most-used snap-in is the Active
Directory Users and Computers snap-in, shown in the visual below.
The Active Directory Users and Computers MMC snap-in
This snap-in is used to create, manage and delete everything from users to computers. You
will also find some of the features of the old User Manager and Server Manager from
Windows NT.

To activate this snap-in, choose Start -> Administrative Tools -> Active Directory Users and
Computers. At first sight, the snap-in shows your domain name as a DNS domain name at the
top of the directory. You also see several containers or folders which are built-in organizational
units containing objects in a domain that are organized into logical containers. This allows
finer segregation and control in a domain.

Certain container objects appear in all typical Active Directory installations:

Builtin: Holds, by default, the old Windows NT 4.0 built-in groups, like Administrators and
Backup Operators.
Computers: The computer accounts that were managed by the Windows NT Server
Manager.
Domain Controllers: A built-in organizational unit containing all the domain controllers.
Users: The default store for all domain users.

Tip : Everything is context driven in Windows Server 2003. If you right-click an object or
container, a menu specific to that object / container is displayed. This is more advantageous
compared with hunting through huge standard menus for options relevant to the chosen object.

Creating directory objects: Windows Server 2003 comprises a lot of objects like computer,
user, group and shared folder objects. You first need to think about where you want to place
such an object. It is better to think about placement from the beginning, though objects can
be moved later.

You can create a user object in two places – in the default User/Computer container or in some
organizational unit already created. If you delegate the ability to create objects, you can set it
up so that the delegated users can create objects in only one location or certain selected
locations.

Tip… Use OUs to help organize your data into logical containers. First create an OU for the
various departments in your organization – accounting, personnel, manufacturing etc. Then
put all user and computer objects from a particular department in its OU. You can reduce the
administrative load by giving a person from each department the necessary rights needed to
manage his or her OU only.

To create a user object, perform the following steps:

1. Start Active Directory Users and Computers (Start -> Administrative Tools -> Active
Directory Users and Computers).

2. In Active Directory Users and Computers, right-click the container (such as Users) in
which you want to create the user object and then choose New -> User.

The first page of the User Creation Wizard (the New Object - User dialog box) is displayed, as
shown below:

3. Type the user's name and a logon name, and then click Next. The next page of the Wizard
allows you to set the new password and the following options:

User must change password at next logon
User cannot change password
Password never expires
Account is disabled

4. Make the appropriate selections, and then click Next. A summary of the proposed addition
is displayed.

5. Click Finish.

After creating the user object, right-click it and select Properties to get the following dialog
box:
The Elvis A. Presley user object

Each of the tabs in the screen grab pertains to a different aspect of the selected user object.
These tabs vary with the Windows Server 2003 subsystems in use, with other back office
applications like Exchange Server or SQL Server, and even with any third-party software
installed.

Creating a computer account is simpler, with fewer tabs. Again, in Active Directory Users and
Computers, right-click the container where you wish to create the new computer object and
choose New -> Computer.

The New Object – Computer dialog box appears as shown in the following figure:

You need only type in the computer name and select who can add the computer to the domain.
The new computer object is named Fried-Banana-Sandwich.

Finding objects: One of the greatest advantages of Active Directory is that objects can be found
anywhere in an enterprise forest, using the Global Catalog.
You can search for:
A user
A computer
A printer
Attributes – which may vary depending on the type of object you are searching for.
You could ask the computer to locate the closest color printer to your location. You don’t need
to specify where you are – Active Directory figures it out for itself!

Windows Server 2003 has a Search component that you can access from the Start menu, with
the following options:
Files or folders
On the Internet
Find Printers
For People
Use the tabs on each window that appears to fine-tune your search and locate what you are
hunting for.
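The searches described above can also be issued from a script. The following PowerShell example is added here and is not part of the chapter: it queries the forest-wide Global Catalog for users by display name and the local domain for colour printers, using the System.DirectoryServices.DirectorySearcher class. It assumes a domain-joined machine; the search term "Presley" is a placeholder, and the function names are the example's own.

```powershell
# Added example (not part of the chapter): search the forest-wide Global Catalog
# for users by display name, and the local domain for colour printers, with
# System.DirectoryServices.DirectorySearcher. Assumes a domain-joined machine;
# "Presley" is a placeholder search term.

$rootDse  = [ADSI]"LDAP://RootDSE"
$forestNc = [string]$rootDse.rootDomainNamingContext   # forest root domain
$domainNc = [string]$rootDse.defaultNamingContext      # the domain this machine belongs to

function ConvertTo-LdapFilterLiteral([string]$Value) {
    # Escape the characters that are special in LDAP filters (RFC 4515) so that a
    # user-supplied search term cannot change the meaning of the filter.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'
}

function Find-DirectoryObjects {
    param(
        [string]$SearchRoot,    # "GC://..." searches the whole forest, "LDAP://..." one domain
        [string]$Filter,        # LDAP filter
        [string[]]$Attributes   # attributes to return
    )
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]$SearchRoot)
    $searcher.Filter   = $Filter
    $searcher.PageSize = 500    # page the results, otherwise the server stops at its size limit
    $searcher.PropertiesToLoad.AddRange($Attributes)
    foreach ($result in $searcher.FindAll()) {
        $row = @{}
        foreach ($a in $Attributes) {
            $values = $result.Properties[$a]
            $v = $null
            if ($values -ne $null -and $values.Count -gt 0) { $v = $values[0] }
            $row[$a] = $v
        }
        New-Object PSObject -Property $row
    }
}

# Users anywhere in the forest whose display name contains the term (Global Catalog).
$term = ConvertTo-LdapFilterLiteral "Presley"
Find-DirectoryObjects -SearchRoot "GC://$forestNc" `
    -Filter "(&(objectCategory=person)(objectClass=user)(displayName=*$term*))" `
    -Attributes @("displayName", "sAMAccountName", "distinguishedName") |
    Format-Table displayName, sAMAccountName, distinguishedName -AutoSize

# Colour printers published in this domain: printQueue objects with printColor set.
# The location attribute is what lets a client pick the printer nearest to it.
Find-DirectoryObjects -SearchRoot "LDAP://$domainNc" `
    -Filter "(&(objectClass=printQueue)(printColor=TRUE))" `
    -Attributes @("printerName", "serverName", "location") |
    Format-Table printerName, serverName, location -AutoSize
```

The Global Catalog only holds a subset of each object's attributes, so attributes outside that subset come back empty from a GC:// search; query the object's own domain with LDAP:// when you need them.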

Active Directory Scripting Interface (ADSI): This feature of Windows Server 2003 allows
you to manipulate the directory service from a script. You can use Java, Visual Basic, C or
C++ scripts. With ADSI, you can write scripts that automatically create users, including their
startup scripts, profiles and details.


Learn ADSI if you need to manage a medium or large domain, to save a whole load of time
and aggravation.
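As an added example (not part of the chapter, and not the chapter's own script), the following PowerShell code uses ADSI to do what steps 1 to 5 of the user creation wizard above do by hand, including the password options of step 3. The OU "Accounting" in the domain example.com, the names and the logon name are placeholders; the script needs the right to create user objects in that OU.

```powershell
# Added example (not part of the chapter): create a user through ADSI, doing in
# script what the New Object - User wizard does by hand. Placeholders: the OU
# "Accounting" in the domain example.com, the names and the logon name.
# Requires the right to create user objects in that OU.

$ouPath      = "LDAP://OU=Accounting,DC=example,DC=com"
$displayName = "Elvis A. Presley"
$logonName   = "epresley"                  # sAMAccountName (pre-Windows 2000 logon name)
$upn         = "epresley@example.com"      # user logon name shown on the wizard's first page

# userAccountControl flags behind the options on the wizard's password page.
$ADS_UF_ACCOUNTDISABLE     = 0x0002    # "Account is disabled"
$ADS_UF_NORMAL_ACCOUNT     = 0x0200    # ordinary user account
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires"
# "User cannot change password" is not a flag: it is a Deny entry for the
# Change Password right in the object's ACL, so it is left out here.

# Steps 1-2: open the container and create the object (it exists only after SetInfo).
$ou   = [ADSI]$ouPath
$user = $ou.Create("user", "CN=$displayName")
$user.Put("sAMAccountName", $logonName)
$user.Put("userPrincipalName", $upn)
$user.Put("givenName", "Elvis")
$user.Put("sn", "Presley")
$user.Put("displayName", $displayName)
$user.SetInfo()

# Step 3: set the initial password. Prompt for it rather than hard-coding it in a script.
$initialPassword = Read-Host -Prompt "Initial password for $logonName"
$user.SetPassword($initialPassword)

# "User must change password at next logon": a pwdLastSet of 0 expires the password now.
$user.Put("pwdLastSet", 0)

# Step 4: a new account starts disabled; enable it as a normal account. To reproduce
# the other checkboxes, -bor $ADS_UF_DONT_EXPIRE_PASSWD or $ADS_UF_ACCOUNTDISABLE here.
$user.Put("userAccountControl", $ADS_UF_NORMAL_ACCOUNT)
$user.SetInfo()

# Step 5 equivalent: read the object back to confirm what was written.
$created = [ADSI]"LDAP://CN=$displayName,OU=Accounting,DC=example,DC=com"
"Created {0} ({1}); userAccountControl = {2}" -f ([string]$created.displayName), ([string]$created.sAMAccountName), ([string]$created.userAccountControl)
```

The order matters: the object must be committed with SetInfo before SetPassword can succeed, and the account is enabled only after a password is in place, so a user is never left enabled with an empty password.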

Managing Allocation of Directory Permissions: In Windows Server 2003, you have the
freedom to delegate the responsibility of managing low-level users to slightly higher level
users. You, the administrator, concentrate on the more weighty constructs, like domain forests
and trees or intra-site access.

Access Control Lists allow a set of permissions to be applied to a file, directory, share or printer
(and more), thus controlling which users can access and modify these particular objects.
Windows Server 2003 adds value to ACLs by assigning an ACL to every single attribute of
every single object. With this, you can control user access to a fine degree.

Assigning permissions: You can assign permissions to Active Directory objects in various ways.
Take a careful look at the Security tab.

In Active Directory Users and Computers, find a user, right-click the user and select Properties.
In the user’s Properties dialog box, click the Security tab.
Click the Advanced button.

The following screengrab will appear, showing a list of permission entries, each consisting of a
type (Allow / Deny), a user or group, the permission and its scope.
The Advanced Security Settings dialog box for an object, used to control user access

Active Directory uses an inheritance model, so that you make changes only at the root and the
changes propagate from there. More about this in the next section.

Permissions inheritance: There are basically two kinds of permissions – explicit and inherited.
Explicit permissions are assigned directly to an object, and inherited permissions are
propagated to an object from its parent, and so on. By default, any object in a container
inherits permissions from its container.

Sometimes, you may not wish permissions to be inherited, for example, when you have a
directory structure in which different permissions have to be assigned to different objects. In
that case, you can change the default behaviour.

Turn on Advanced Features from the View menu. Right-click the user, choose Properties, click
the Security tab, then click the Advanced button.

A small box with the words Allow inheritable permissions from parent to propagate to this
object and all child objects appears. Uncheck it to disable inheritance for the object.

If you disable inheritance, you are given these options:

Copy previously inherited permissions to this object
Remove inherited permissions
Cancel (disable) the inheritance

Inheritance can be enabled or disabled at will.

Delegating administrative control to others: Active Directory empowers you to delegate
administrative control over certain elements of your domain to different groups. Certain
responsible people can be given authority over certain aspects of a domain’s organizational
unit.


The following steps can be employed to delegate administration on objects:

1. Right-click a container (an organizational unit or domain) in Active Directory Users and
Computers, and choose Delegate Control.

The Delegation of Control Wizard starts up and the welcome screen is displayed.

2. Click Next to start delegating!

3. Select the group of users to whom you want to delegate control. This is done by clicking
the Add button to open the Active Directory search tool and locate users and groups. Make
your selections (hold down Ctrl to select multiple users at the same time). The users are now
displayed in the selected users area. The people you have selected are the ones who can
perform the tasks you're about to choose.

4. Click Next.

A list of common tasks for which you can delegate control is displayed (for example, reset
passwords and modify group membership).

5. Make your selections, and then click Next. If you choose to create a custom task to
delegate, follow the steps presented by the Wizard.

6. When you have completed your changes, click Finish.
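The permission entries, the explicit-versus-inherited distinction and the delegation wizard described in the last two sections all act on the same thing: the access control list of the directory object. The following PowerShell script is added here as an example (it is not the chapter's own code): it lists an organizational unit's ACL the way the Advanced Security Settings dialog shows it, then delegates the common task "reset passwords" to a group the way the Delegation of Control Wizard does, by adding an access control entry on the OU that applies to the user objects below it. OU=Accounting in example.com and the group EXAMPLE\Accounting-Helpdesk are placeholders; the script needs the right to modify the OU's security descriptor.

```powershell
# Added example (not part of the chapter): show an OU's ACL (explicit versus
# inherited entries), then delegate "reset passwords" on the users below it to a
# group by adding the same kind of access control entry the Delegation of
# Control Wizard adds. Placeholders: OU=Accounting in example.com and the
# group EXAMPLE\Accounting-Helpdesk.

$ouPath = "LDAP://OU=Accounting,DC=example,DC=com"
$group  = New-Object System.Security.Principal.NTAccount("EXAMPLE", "Accounting-Helpdesk")

# Well-known schema GUIDs that appear in delegation ACEs.
$userClassGuid          = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # schemaIDGUID of class "user"
$resetPasswordRightGuid = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # "Reset Password" control access right

$ou       = [ADSI]$ouPath
$security = $ou.psbase.ObjectSecurity   # System.DirectoryServices.ActiveDirectorySecurity

function Show-AccessEntries([System.DirectoryServices.ActiveDirectorySecurity]$Acl) {
    # Resolve SIDs to names; IsInherited separates explicit entries from inherited ones.
    $Acl.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Sort-Object IsInherited, @{Expression = {$_.IdentityReference.Value}} |
        Format-Table @{n="Type";       e={$_.AccessControlType}},
                     @{n="Principal";  e={$_.IdentityReference}},
                     @{n="Rights";     e={$_.ActiveDirectoryRights}},
                     @{n="Applies to"; e={$_.InheritanceType}},
                     @{n="Inherited";  e={$_.IsInherited}} -AutoSize
}

"Before delegation:"
Show-AccessEntries $security

# The ACE: Allow the group the Reset Password extended right, inherited by
# descendant objects of the OU but taking effect only on objects of class user.
$rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $group,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $resetPasswordRightGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)
$security.AddAccessRule($rule)
$ou.psbase.CommitChanges()

"After delegation:"
Show-AccessEntries $security

# Inheritance is a per-object switch. Clearing "Allow inheritable permissions from
# parent to propagate to this object..." is SetAccessRuleProtection($true, $keep):
#   $keep = $true   "Copy previously inherited permissions to this object"
#   $keep = $false  "Remove inherited permissions"
# Left commented out so that running the example changes nothing but the delegation:
# $security.SetAccessRuleProtection($true, $true); $ou.psbase.CommitChanges()
```

Because the entry is added on the OU with inheritance to descendant user objects, every user later created in that OU is covered automatically, which is the reason the chapter's tip recommends delegating per OU rather than per user; the same listing function shows those entries on a child user object with Inherited set to True.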

Managing Trusts in Windows Server 2003: In Windows Server 2003, trusts with two-way
transitive trust relationships are set up by default between all domains in a forest. This is done
automatically when you run DCPROMO. However, you can still create the old-fashioned
Windows NT 4 trusts for any domains that are not a part of the same enterprise forest.

Creating Trusts: You can create old-style trusts using Active Directory Domains and Trusts,
accessed by going to
Start -> Administrative Tools -> Active Directory Domains and Trusts.

Right click the domain of choice in the Active Directory Domains and Trusts interface.

Choose Properties.

Click the Trusts tab (figure given below) to create one-way trusts.

One-way external trusts are not transitive in nature and work in the same manner as the
old Windows NT 4.0 trusts.

Deleting a trust is possible by selecting the trust and clicking Remove.

Accessing Resources in a Trust Relationship: When you open a trust door in a forest
(which happens automatically between all domains in the same forest), anyone can be let in
to access any resource: anyone in any domain in the forest can be granted permission to
access any resource, since all trusts are transitive.

The trust is not transitive for old-style trust relationships, which are created manually between
domains in different forests or with a Windows NT domain. Only the users in the two domains for
which the trust is defined can be assigned access to resources, and then only in the direction
of the trust.

You need not worry that users, once given permission to enter through a trust, will
automatically gain access to all resources in a domain. Users cannot access resources without
being granted specific permission to do so.
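The trusting/trusted direction and the transitive/non-transitive distinction described in this section are both recorded in the directory, on the trustedDomain objects under CN=System. The following PowerShell script is an added example (not part of the chapter) that lists the current domain's trusts and decodes those two properties, so that what the Trusts tab shows can be checked against what the directory holds. It assumes a domain-joined machine; the constant values come from the definitions of the trustDirection, trustType and trustAttributes attributes.

```powershell
# Added example (not part of the chapter): list the trusts of the current domain
# from the trustedDomain objects under CN=System and decode direction and
# transitivity. Assumes a domain-joined machine; these objects are readable by
# authenticated users.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainNc = [string]$rootDse.defaultNamingContext

# Value meanings from the trustDirection, trustType and trustAttributes definitions.
$TrustDirection = @{
    0 = "Disabled"
    1 = "Inbound  (partner trusts this domain; our users can be granted access there)"
    2 = "Outbound (this domain trusts partner; its users can be granted access here)"
    3 = "Bidirectional"
}
$TrustType = @{ 1 = "Downlevel (Windows NT 4)"; 2 = "Uplevel (Active Directory)"; 3 = "MIT Kerberos realm" }
$TRUST_ATTRIBUTE_NON_TRANSITIVE    = 0x01
$TRUST_ATTRIBUTE_QUARANTINED       = 0x04   # SID filtering enforced on this trust
$TRUST_ATTRIBUTE_FOREST_TRANSITIVE = 0x08
$TRUST_ATTRIBUTE_WITHIN_FOREST     = 0x20

function Get-TrustKind([int]$Attributes) {
    if ($Attributes -band $TRUST_ATTRIBUTE_WITHIN_FOREST)     { return "Intra-forest (transitive)" }
    if ($Attributes -band $TRUST_ATTRIBUTE_FOREST_TRANSITIVE) { return "Forest trust (transitive)" }
    if ($Attributes -band $TRUST_ATTRIBUTE_NON_TRANSITIVE)    { return "External / NT 4-style (non-transitive)" }
    return "Other (attributes 0x{0:X})" -f $Attributes
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=System,$domainNc")
$searcher.Filter = "(objectClass=trustedDomain)"
$searcher.PropertiesToLoad.AddRange(@("trustPartner", "trustDirection", "trustType", "trustAttributes"))

$trusts = foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties
    $attributes = [int]$p["trustattributes"][0]
    New-Object PSObject -Property @{
        Partner      = [string]$p["trustpartner"][0]
        Direction    = $TrustDirection[[int]$p["trustdirection"][0]]
        Type         = $TrustType[[int]$p["trusttype"][0]]
        Kind         = Get-TrustKind $attributes
        SidFiltering = [bool]($attributes -band $TRUST_ATTRIBUTE_QUARANTINED)
    }
}

if (-not $trusts) { "No trustedDomain objects found: this domain has no trusts." }
$trusts | Format-Table Partner, Direction, Type, Kind, SidFiltering -AutoSize -Wrap
```

In the chapter's terms, an Outbound entry means the partner is the trusted domain and this domain the trusting one, so it is the partner's users who can be given access to resources here; a one-way trust created on the Trusts tab appears as exactly one such row, with the non-transitive kind, whereas the automatic forest trusts appear as bidirectional intra-forest rows.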
