This document is provided "as-is". Information and views expressed in this document, including URL and other Internet Web site references, may change without
notice. This document does not provide you with any legal rights to any intellectual property in any Microsoft product or product name. You may copy and use
this document for your internal, reference purposes. You may modify this document for your internal, reference purposes. 2013 Microsoft. All rights reserved.
Terms of Use (http://technet.microsoft.com/cc300389.aspx) | Trademarks (http://www.microsoft.com/library/toolbar/3.0/trademarks/en-us.mspx)
Table Of Contents
Chapter 1
Understanding Active Directory
Active Directory Concepts
Chapter 1
Physical access to a domain controller can provide a malicious user unauthorized access to encrypted passwords. Therefore, it is recommended that all domain
controllers be locked in a secured room with limited public access. In addition, you should limit membership in the Enterprise Admins, Domain Admins, Account
Operators, Server Operators, Print Operators, and Backup Operators groups to trusted personnel in your organization. For more information about domain
controllers and groups, see Domain controllers and Default groups.
To
Use
Manage the security relationship between two forests and simplify security administration and
authentication across forests.
Forest trusts
See Forest trusts.
Group Policy
See Strong passwords.
Enable audit policy. Auditing event logs can notify you of actions that could pose a security
risk.
Group Policy
See Auditing Policy.
Assign user rights to new security groups so you can specifically define a user's administrative
role in the domain.
Group Policy
See Group types.
Enforce account lockouts on user accounts and decrease the possibility of an attacker
compromising your domain through repeated logon attempts.
Group Policy
See User and computer accounts.
Enforce password history on user accounts and decrease the possibility of an attacker
compromising your domain.
Group Policy
See Enforce password history.
Enforce minimum and maximum password ages on user accounts and decrease the possibility
of an attacker compromising your domain.
Group Policy
See Minimum password age, Maximum password age.
Verify and authenticate the validity of each user through the use of public key cryptography.
Run as
See Using Run as.
Restrict user, group, and computer access to shared resources and filter Group Policy settings.
Security groups
See Group types.
Prevent attacks from malicious users who might try to grant elevated user rights to another
user account.
SID filtering
See "Using Security Identifier (SID) Filtering to Prevent Elevation of
Privilege Attacks" at the Microsoft Web Site.
Smart cards
See Smart cards overview.
Use strong encryption techniques to secure account password information on local computers,
member servers, or domain controllers.
Syskey
See The system key utility.
Security descriptors
Access control permissions are assigned to shared objects and Active Directory objects to control how different users can use each object. A shared object, or shared
resource, is an object that is intended to be used over a network by one or more users and includes files, printers, folders, and services. Both shared objects and Active
Directory objects store access control permissions in security descriptors.
A security descriptor contains two access control lists (ACLs) used to assign and track security information for each object: the discretionary access control list (DACL) and
the system access control list (SACL).
Discretionary access control lists (DACLs). DACLs identify the users and groups that are assigned or denied access permissions on an object. If a DACL does not
explicitly identify a user, or any groups that a user is a member of, the user will be denied access to that object. By default, a DACL is controlled by the owner of an
object or the person who created the object, and it contains access control entries (ACEs) that determine user access to the object.
System access control lists (SACLs). SACLs identify the users and groups that you want to audit when they successfully access or fail to access an object. Auditing is
used to monitor events related to system or network security, to identify security breaches, and to determine the extent and location of any damage. By default, a
SACL is controlled by the owner of an object or the person who created the object. A SACL contains access control entries (ACEs) that determine whether to record
a successful or failed attempt by a user to access a object using a given permission, for example, Full Control and Read.
For more information about auditing, see Auditing settings on objects.
To view DACLs and SACLs on Active Directory objects using Active Directory Users and Computers, on the View menu, click Advanced Features to access the Security tab
for each object. For more information, see Assign, change, or remove permissions on Active Directory objects or attributes. You can also use the DSACLS support tool to
manage access control lists in Active Directory. For more information, see Active Directory support tools.
By default, DACLs and SACLs are associated with every Active Directory object, which reduces attacks to your network by malicious users or any accidental mistakes made
by domain users. However, if a malicious user obtains a user name and password of any account with administrative credentials to Active Directory, your forest will be
vulnerable to attack. For this reason, consider renaming or disabling the default administrator account and following the best practices as described in Active Directory
Best practices.
Object inheritance
By default, Active Directory objects inherit ACEs from the security descriptor located in their parent container object. Inheritance enables the access control information
defined at a container object in Active Directory to apply to the security descriptors of any subordinate objects, including other containers and their objects. This eliminates
the need to apply permissions each time a child object is created. If necessary, you can change the inherited permissions. However, as a best practice, avoid changing the
default permissions or inheritance settings on Active Directory objects. For more information, see Best practices for assigning permissions on Active Directory objects and
Changing inherited permissions.
User authentication
Active Directory also authenticates and authorizes users, groups, and computers to access objects on the network. The Local Security Authority (LSA) is the security
subsystem responsible for all interactive user authentication and authorization services on a local computer. The LSA is also used to process authentication requests made
through the Kerberos V5 protocol or NTLM protocol in Active Directory. For more information about Kerberos authentication, see Kerberos V5 authentication. For more
information about NTLM authentication, see NTLM authentication.
Once the identity of a user has been confirmed in Active Directory, the LSA on the authenticating domain controller generates a user access token and associates a security
ID (SID) with the user.
Access token. When a user is authenticated, LSA creates a security access token for that user. An access token contains the user's name, the groups to which that
user belongs, a SID for the user, and all of the SIDs for the groups to which the user belongs. If you add a user to a group after the user access token has been
issued, the user must log off and log on again before the access token will be updated.
Security ID (SID). Active Directory automatically assigns SIDs to security principal objects at the time they are created. Security principals are accounts in Active
Directory that can be assigned permissions such as computer, group, or user accounts. Once a SID is issued to the authenticated user, it is attached to the access
token of the user.
The information in the access token is used to determine a user's level of access to objects whenever the user attempts to access them. The SIDs in the access token are
compared with the list of SIDs that make up the DACL for the object to ensure that the user has sufficient permission to access the object. This is because the access
control process identifies user accounts by SID rather than by name.
Important
When a domain controller provides an access token to a user, the access token only contains information about membership in domain local groups if the domain
local groups are local to the domain controller's domain. For domain directory objects replicated in the global catalog, this fact requires certain security
considerations. For more information, see Global catalog replication.
For more information about authentication, see "Logon and Authentication" at the Microsoft Windows Resource Kits Web site.
For more information about access control and permissions, see Access control overview. For more information about authorization and access control, see "Authorization
and Access Control" at the Microsoft Windows Resource Kits Web site.
For information about additional security measures that can be implemented to protect Active Directory, see Securing Active Directory and Security information for Active
Directory.
2014 Microsoft. All rights reserved.
User accounts
In Active Directory, each user account has a user logon name, a pre-Windows 2000 user logon name (security account manager account name), and a UPN suffix. The
administrator enters the user logon name and selects the UPN suffix when creating the user account. Active Directory suggests a pre-Windows 2000 user logon name using
the first 20 bytes of the user logon name. Administrators can change the pre-Windows 2000 logon name at any time.
In Active Directory, each user account has a UPN based on IETF RFC 822, Standard for the Format of ARPA Internet Text Messages. The UPN is composed of the user logon
name and the UPN suffix joined by the @ sign.
Note
Do not add the @ sign to the user logon name or to the UPN suffix. Active Directory automatically adds it when it creates the UPN. A UPN that contains more than
one @ sign is invalid.
Important
Windows NT 4.0 and earlier domains allowed the use of a period (.) at the end of a user logon name as long as the user logon name did not consist solely of
period characters. Windows Server 2003 domains do not allow the use of a period or multiple periods at the end of a user logon name.
The second part of the UPN, the UPN suffix, identifies the domain in which the user account is located. This UPN suffix can be the DNS domain name, the DNS name of any
domain in the forest, or it can be an alternative name created by an administrator and used just for log on purposes. This alternative UPN suffix does not need to be a
valid DNS name.
In Active Directory, the default UPN suffix is the DNS name of the domain in which user account created. In most cases, this is the domain name registered as the enterprise
domain on the Internet. Using alternative domain names as the UPN suffix can provide additional logon security and simplify the names used to log on to another domain
in the forest.
For example, if your organization uses a deep domain tree, organized by department and region, domain names can get quite long. The default user UPN for a user in
that domain might be sales.westcoast.microsoft.com. The logon name for a user in that domain would be user@sales.westcoast.microsoft.com. Creating a UPN suffix of
"microsoft" would allow that same user to log on using the much simpler logon name of user@microsoft. For more information about user accounts, see User and
computer accounts and Object names.
You can add or remove UPN suffixes using Active Directory Domains and Trusts. For more information, see Add user principal name suffixes.
Computer accounts
Each computer account created in Active Directory has a relative distinguished name, a pre-Windows 2000 computer name (security account manager account name), a
primary DNS suffix, a DNS host name, and a service principal name (SPN). The administrator enters the computer name when creating the computer account. This
computer name is used as the Lightweight Directory Access Protocol (LDAP) relative distinguished name.
Active Directory suggests the pre-Windows 2000 name using the first 15 bytes of the relative distinguished name. The administrator can change the pre-Windows 2000
name at any time.
The DNS name for a host is called a full computer name and is a DNS fully qualified domain name (FQDN). The full computer name is a concatenation of the computer
name (the first 15 bytes of the SAM account name of the computer account without the "$" character) and the primary DNS suffix (the DNS domain name of the domain in
which the computer account exists). It is listed on the Computer Name tab in System Properties in Control Panel.
By default, the primary DNS suffix portion of the FQDN for a computer must be the same as the name of the Active Directory domain where the computer is located. To
allow different primary DNS suffixes, a domain administrator may create a restricted list of allowed suffixes by creating the msDS-AllowedDNSSuffixes attribute in the
domain object container. This attribute is created and managed by the domain administrator using Active Directory Service Interfaces (ADSI) or the Lightweight Directory
Access Protocol (LDAP).
For more information, see Object names and User and computer accounts.
The service principal name (SPN) is a multivalue attribute. It is usually built from the DNS name of the host. The SPN is used in the process of mutual authentication between
the client and the server hosting a particular service. The client finds a computer account based on the SPN of the service to which it is trying to connect. The SPN can be
modified by members of the Domain Admins group.
2014 Microsoft. All rights reserved.
Domain data
The domain data holds information about objects within a domain. This is information such as e-mail contacts, user and computer account attributes, and published
resources that are of interest to administrators and users.
For example, when a user account is added to your network, a user account object and attribute data are stored in the domain data. When changes to your
organization's directory objects occur, such as object creation, deletion, or attribute modification, this data is stored in the domain data.
Configuration data
The configuration data describes the topology of the directory. This configuration data includes a list of all domains, trees, and forests and the locations of the
domain controllers and global catalogs.
Schema data
The schema is the formal definition of all object and attribute data that can be stored in the directory. Domain controllers running Windows Server 2003 include a
default schema that defines many object types, such as user and computer accounts, groups, domains, organizational units, and security policies. Administrators and
programmers can extend the schema by defining new object types and attributes or by adding new attributes for existing objects. Schema objects are protected by
access control lists, ensuring that only authorized users can alter the schema.
For more information, see Schema.
Application data
Data stored in the application directory partition is intended to satisfy cases where information needs to be replicated but not necessarily on a global scale.
Application directory partitions are not part of the directory data store by default; they must be created, configured, and managed by the administrator.
For more information, see Application directory partitions.
Note
If a domain controller is also a global catalog, it stores a subset of the directory data for all other domains in the forest. For more information about domain
controllers, see Domain controllers. For more information about the global catalog, see The role of the global catalog.
unlimited. To help control the number of objects created and owned, the administrator specifies a default quota of 500. Now, each user can own a maximum of 500
objects on the partition. Because print queues are directory objects that are created and owned by the respective print servers, the new default quota of 500 limits each
print server to 500 print queues. To remove this constraint, the administrator creates a group called "Print Servers" and adds the computer account of each print server to
the group. The administrator then specifies a quota of 2,000 for the Print Servers group. Now, each print server can support its original number of print queues, while the
default quota continues to prevent excess object creation by all other security principals.
Only domain controllers running Windows Server 2003 can enforce quotas. Quotas are enforced only on originating directory operations; quotas are not enforced on
replicated operations. In order for quotas to be fully effective for any given directory partition, all domain controllers that contain a writable copy of that partition must be
running Windows Server 2003 . Therefore, for quotas to be effective on a domain directory partition, all domain controllers in that domain must be running Windows
Server 2003 . For quotas to be effective on the configuration partition, all domain controllers in the forest must by running Windows Server 2003 .
For information about creating, modifying, and querying quotas, default quotas, and tombstone quota factors, see Dsadd, Dsmod, and Dsquery.
2014 Microsoft. All rights reserved.
Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.
User accounts
The Users container located in Active Directory Users and Computers displays the three built-in user accounts: Administrator, Guest, and HelpAssistant. These built-in user
accounts are created automatically when you create the domain.
Each built-in account has a different combination of rights and permissions. The Administrator account has the most extensive rights and permissions over the domain,
while the Guest account has limited rights and permissions. The table below describes each default user account on domain controllers running Windows Server 2003.
Default user
account
Administrator
account
Description
The Administrator account has full control of the domain and can assign user rights and access control permissions to domain users as necessary. This
account must be used only for tasks that require administrative credentials. It is recommended that you set up this account with a strong password. For
more information, see Strong passwords. For additional security considerations for accounts with administrative credentials, see Active Directory Best
practices.
The Administrator account is a default member of the Administrators, Domain Admins, Enterprise Admins, Group Policy Creator Owners, and Schema
Admins groups in Active Directory. The Administrator account can never be deleted or removed from the Administrators group, but it can be renamed
or disabled. Because the Administrator account is known to exist on many versions of Windows, renaming or disabling this account will make it more
difficult for malicious users to try and gain access to it. For more information about how to rename or disable a user account, see Rename a local user
account or Disable or enable a user account.
The Administrator account is the first account created when you set up a new domain using the Active Directory Installation Wizard.
Important When the Administrator account is disabled, it can still be used to gain access to a domain controller using Safe Mode.
Guest
account
The Guest account is used by people who do not have an actual account in the domain. A user whose account is disabled (but not deleted) can also use
the Guest account. The Guest account does not require a password.
You can set rights and permissions for the Guest account just like any user account. By default, the Guest account is a member of the built-in Guests
group and the Domain Guests global group, which allows a user to log on to a domain. The Guest account is disabled by default, and it is
recommended that it stay disabled.
HelpAssistant
account
(installed with
a Remote
Assistance
session)
The primary account used to establish a Remote Assistance session. This account is created automatically when you request a Remote Assistance
session and has limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service and will
be automatically deleted if no Remote Assistance requests are pending. For more information about Remote Assistance, see Administering Remote
Assistance.
To obtain the security of user authentication and authorization, create an individual user account for each user who will participate on your network by using Active
Directory Users and Computers. Each user account (including the Administrator and Guest account) can then be added to a group to control the rights and permissions
assigned to the account. Using accounts and groups that are appropriate for your network ensures that users logging on to a network can be identified and can access
only the permitted resources.
You can help defend your domain from attackers by requiring strong passwords and implementing an account lockout policy. Strong passwords reduce the risk of
intelligent guessing and dictionary attacks on passwords. For more information, see Strong passwords and Password Best practices for passwords.
An account lockout policy decreases the possibility of an attacker compromising your domain through repeated logon attempts. This is because an account lockout policy
determines how many failed logon attempts a user account can have before it is disabled. For more information, see Apply or modify account lockout policy.
For more information about securing user accounts, see Securing Active Directory.
Account options
Each Active Directory user account has a number of account options that determine how someone logging on with that particular user account is authenticated on the
network. You can use the following options to configure password settings and security-specific information for user accounts:
Account option
Description
User must
change
password at next
logon
Forces a user to change their password the next time the user logs on to the network. Use this option when you want to ensure that the user will be
the only person to know their password.
User cannot
change
password
Prevents a user from changing their password. Use this option when you want to maintain control over a user account, such as for a guest or
temporary account.
Password never
expires
Prevents a user password from expiring. It is recommended that Service accounts should have this option enabled and should use strong
passwords. For more information about strong passwords, see Strong passwords.
Store passwords
using reversible
encryption
Allows a user to log on to a Windows network from Apple computers. If a user is not logging on from an Apple computer, this option should not
be used. For more information, see Store passwords using reversible encryption.
Account is
disabled
Prevents a user from logging on with the selected account. Many administrators use disabled accounts as templates for common user accounts. For
more information, see Disable or enable a user account.
Smart card is
required for
interactive logon
Requires that a user possess a smart card to log on to the network interactively. The user must also have a smart card reader attached to their
computer and a valid personal identification number (PIN) for the smart card. When this option is selected, the password for the user account is
automatically set to a random and complex value. For more information about smart cards, see Logging on to a computer with a smart card and
Authentication process.
Account is
trusted for
delegation
Allows a service running under this account to perform operations on behalf of other user accounts on the network. A service running under a user
account (otherwise known as a service account) that is trusted for delegation can impersonate a client to gain access to resources on the computer
where the service is running or on other computers. In a forest set to the Windows Server 2003 functional level, this setting is found on the
Delegation tab, and is only available for accounts that have been assigned service principal names (SPNs), as set using the setspn command from
the Windows Support Tools. This is a security-sensitive capability and should be cautiously assigned. For more information, see Allow a user to be
trusted for delegation and Delegating authentication.
This option is only available on domain controllers running Windows Server 2003 where the domain functionality is set to Windows 2000 mixed or
Windows 2000 native. On domain controllers running Windows Server 2003 where the domain functional level is set to Windows Server 2003, the
Delegation tab is used to configure delegation settings. The Delegation tab only appears for accounts which have an assigned SPN. For more
information about domain functionality, see Domain and forest functionality. For more information about configuring delegation in a Windows
Server 2003 domain, see Allow a user to be trusted for delegation.
Account is
sensitive and
cannot be
delegated
Allows control over a user account, such as for a guest or temporary account. This option can be used if this account cannot be assigned for
delegation by another account.
Use DES
encryption types
for this account
Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including MPPE Standard (40-bit), MPPE
Standard (56-bit), MPPE Strong (128-bit), IPSec DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES). For more information about DES
encryption, see Data encryption.
Do not require
Kerberos
preauthentication
Provides support for alternate implementations of the Kerberos protocol. Domain controllers running Windows 2000 or Windows Server 2003 can
use other mechanisms to synchronize time. Because preauthentication provides additional security, use caution when enabling this option. For more
information about Kerberos, see Kerberos V5 authentication.
InetOrgPerson accounts
Active Directory provides support for the InetOrgPerson object class and its associated attributes defined in RFC 2798. The InetOrgPerson object class is used in several
non-Microsoft LDAP and X.500 directory services to represent people within an organization.
Support for InetOrgPerson makes migrations from other LDAP directories to Active Directory more efficient. The InetOrgPerson object is derived from the user class and
can be used as a security principal just like the user class. For information about creating an inetOrgPerson user account, see Create a new user account.
When the domain functional level has been set to Windows Server 2003, you can set the userPassword attribute on InetOrgPerson and user objects as being the effective
password just like you can with the unicodePwd attribute.
Computer accounts
Every computer running Windows NT, Windows 2000, Windows XP, or a server running Windows Server 2003 that joins a domain has a computer account. Similar to user
accounts, computer accounts provide a means for authenticating and auditing computer access to the network and to domain resources. Each computer account must be
unique.
Note Computers running Windows 95 and Windows 98 do not have advanced security features and are not assigned computer accounts.
User and computer accounts can be added, disabled, reset, and deleted using Active Directory Users and Computers. A computer account can also be created when you
join a computer to a domain. For more information about user and computer accounts, see Active Directory naming and Object names.
When the domain functional level has been set to Windows Server 2003, a new lastLogonTimestamp attribute is used to track the last logon time of a user or computer
account. This attribute is replicated within the domain and can provide you with important information regarding the history of a user or computer.
Object names
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Object names
Every object in Active Directory is an instance of a class defined in the schema. Each class has attributes that ensure:
For more information about schema, classes, and attributes, see Schema.
Each object in Active Directory can be referenced by several different names. Active Directory creates a relative distinguished name and a canonical name for each object
based upon information that was provided when the object was created or modified. Each object can also be referenced by its distinguished name, which is derived from
the relative distinguished name of the object and all of its parent container objects.
The LDAP relative distinguished name uniquely identifies the object within its parent container. For example, the LDAP relative distinguished name of a computer
named my computer is CN=mycomputer. Relative distinguished names must be unique in that users cannot have the same name within an organizational unit.
The LDAP distinguished name is globally unique. For example, the distinguished name of a computer named mycomputer in the MyOrganizationalUnit organizational
unit in the microsoft.com domain is CN=mycomputer, OU=MyOrganizationalUnit, DC=microsoft, DC=com.
The canonical name is constructed the same way as the distinguished name, but it is represented using a different notation. The canonical name of the computer in
the previous example would be Microsoft.com/MyOrganizationalUnit/mycomputer.
Security principal objects are Active Directory objects that are assigned security IDs (SIDs) and can be used to log on to the network and can be assigned access to domain
resources. An administrator needs to provide names for security principal objects (user accounts, computer accounts, and groups) that are unique within a domain.
Consider what occurs when a new user account is added to your directory. You provide a name the user must use to log on to the network, the name of the domain that
contains the user account, and other descriptive data, such as first name, last name, telephone number and so on (called attributes). All this information is recorded in the
directory.
The names of security principal objects can contain all Unicode characters except the special LDAP characters defined in RFC 2253. This list of special characters includes: a
leading space; a trailing space; and any of the following characters: # , + " \ < > ;
Security principal names must conform to the following guidelines:
Type of
account
name
Maximum size
Special limitations
User
account
A user account cannot consist solely of periods (.) or spaces, or end in a period. Any
leading periods or spaces are cropped. Use of the @ symbol is not supported with
the logon format for Windows NT 4.0 and earlier, which is DomainName\UserName.
Windows 2000 logon names are unique to the domain and Windows Server 2003
logon names are unique within the forest.
Computer
account
A computer account cannot consist solely of numbers, periods (.), or spaces. Any
leading periods or spaces are cropped.
Group
account
A group account cannot consist solely of numbers, periods (.), or spaces. Any leading
periods or spaces are cropped.
Note
If the administrator changes the default security settings, then it is possible to use computer names containing more than 15 characters. For more information, see
Active Directory naming.
From the information provided by the person who creates the security principal object, Active Directory generates a security ID (SID), and a globally unique ID used to
identify the security principal. Active Directory also creates an LDAP relative distinguished name, based on the security principal name. An LDAP distinguished name and a
canonical name are derived from the relative distinguished name and the names of the domain and container contexts in which the security principal object is created.
If your organization has several domains, it is possible to use the same user name or computer name in different domains. The SID, globally unique ID, LDAP distinguished
name, and canonical name generated by Active Directory will uniquely identify each user, computer, or group in the forest. If the security principal object is renamed or
moved to a different domain, the SID, LDAP relative distinguished name, LDAP distinguished name, and canonical name will change, but the globally unique ID generated by
Active Directory will not change.
Security principal objects, such as user accounts, may be renamed, moved, or contained within a nested domain hierarchy. To reduce the effect of renaming, moving, or
assigning user account names within a nested domain hierarchy, Active Directory provides a method for simplifying user logon names. For information about user logon
names, see Active Directory naming and Add user principal name suffixes, and User and computer accounts.
2014 Microsoft. All rights reserved.
Organizational units
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Organizational units
A particularly useful type of directory object contained within domains is the organizational unit. Organizational units are Active Directory containers into which you can
place users, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains.
An organizational unit is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority. Using organizational units, you can
create containers within a domain that represent the hierarchical, logical structures within your organization. You can then manage the configuration and use of accounts
and resources based on your organizational model. For more information about Group Policy settings, see Group Policy (pre-GPMC).
As shown in the figure, organizational units can contain other organizational units. A hierarchy of containers can be extended as necessary to model your organization's
hierarchy within a domain. Using organizational units will help you minimize the number of domains required for your network.
You can use organizational units to create an administrative model that can be scaled to any size. A user can have administrative authority for all organizational units in a
domain or for a single organizational unit. An administrator of an organizational unit does not need to have administrative authority for any other organizational units in
the domain. For more information about delegating administrative authority, see Delegating administration.
2014 Microsoft. All rights reserved.
Member servers
A member server is a computer that:
Runs an operating system in the Windows 2000 Server family or the Windows Server 2003 family.
Belongs to a domain.
Is not a domain controller.
A member server does not process account logons, participate in Active Directory replication, or store domain security policy information.
Member servers typically function as the following types of servers: file servers, application servers, database servers, Web servers, certificate servers, firewalls, and
remote access servers. For more information about server roles, see Server roles.
The following security-related features are common to all member servers:
Member servers adhere to Group Policy settings that are defined for the site, domain, or organizational unit.
Access control for resources that are available on a member server.
Member server users have assigned user rights.
Member servers contain a local security account database, the Security Accounts Manager (SAM).
Domain controllers
A domain controller is a computer that:
Runs an operating system in the Windows 2000 Server family or the Windows Server 2003 family.
Uses Active Directory to store a read-write copy of the domain database, participate in multimaster replication, and authenticate users.
Domain controllers store directory data and manage communication between users and domains, including user logon processes, authentication, and directory searches.
Domain controllers synchronize directory data using multimaster replication, ensuring consistency of information over time. For more information about multimaster
replication, see Replication overview.
Active Directory supports multimaster replication of directory data between all domain controllers in a domain; however, multimaster replication is not appropriate for
some directory data replication. In this case, a domain controller, called the operations master, will process data. In an Active Directory forest, there are at least five
different operations master roles that are assigned to one or more domain controllers. For more information about operations masters, see Operations master roles.
As the needs of your computing environment change, you might want to change the role of a server. Using the Active Directory Installation Wizard, you can install Active
Directory on a member server to make it a domain controller, or you can remove Active Directory from a domain controller to make it a member server. For more
information about domain controllers, see Domain controllers.
Note
You cannot install Active Directory on a computer running Windows Server 2003, Web Edition, but you can join the computer to an Active Directory domain as a
member server. For more information about Windows Server 2003, Web Edition, see Overview of Windows Server 2003, Web Edition.
Site awareness
You can log on to the domain controller that is closest to the client in the network. For more information, see Locating a domain controller.
Active Directory Service Interfaces (ADSI)
You can use scripting to Active Directory. ADSI also provides a common programming API to Active Directory programmers.
Distributed File System (DFS)
You can access DFS shared resources on servers running Windows 2000 and Windows Server 2003.
NTLM version 2 authentication
You can use the improved authentication features in NTLM version 2.
For more information about enabling NTML version 2, see article Q239869, "How to Enable NTLM 2 Authentication," in the Microsoft Knowledge Base.
Active Directory Windows Address Book (WAB) property pages
You can change properties, such as phone number and address, on user object pages.
Active Directory search capability
From the Start button, you can locate printers and people in a Windows 2000 Server or Windows Server 2003 domain.
For information about publishing printers in Active Directory, see article Q234619, "Publishing a Printer in Windows 2000 Active Directory," in the Microsoft
Knowledge Base.
Windows 2000 Professional and Windows XP Professional provide functionality that the Active Directory client on Windows 95, Windows 98, and Windows NT 4.0 does not,
including Kerberos V5 support; Group Policy or IntelliMirror support; and service principal name (SPN), or mutual authentication. You can take advantage of these
additional features by upgrading to Windows 2000 Professional or Windows XP Professional.
To install the Active Directory client, see the Active Directory client page at the Microsoft Web site.
2014 Microsoft. All rights reserved.
Domain controllers
Renaming domain controllers
Connecting to domain controllers running Windows 2000
Domains
Renaming domains
Domain and forest functionality
Raising domain and forest functional levels
Application directory partitions
Application directory partitions and domain controller demotion
Managing application directory partitions
Operations master roles
Transferring operations master roles
Responding to operations master failures
Domain controllers
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain controllers
When you create the first domain controller in your organization, you are also creating the first domain, the first forest, the first site, and installing Active Directory. Domain
controllers running Windows Server 2003 store directory data and manage user and domain interactions, including user logon processes, authentication, and directory
searches. Domain controllers are created by using the Active Directory Installation Wizard. For more information, see Using the Active Directory Installation Wizard.
Note
You cannot install Active Directory on a computer running Windows Server 2003, Web Edition, but you can join the computer to an Active Directory domain as a
member server. For more information about Windows Server 2003, Web Edition, see Overview of Windows Server 2003, Web Edition.
When using domain controllers in your organization, you will want to think about how many domain controllers youll need, the physical security of those domain
controllers, a plan for backing up the domain data, and upgrading domain controllers.
Physical security
Physical access to a domain controller can provide a malicious user unauthorized access to encrypted passwords. For this reason, it is recommended that all domain
controllers in your organization be locked in a secured room with limited public access. You can use additional security measures such as Syskey for extra protection on
domain controllers. For more information about Syskey, see The system key utility.
When you use the backup tool on a domain controller it will automatically back up all of the system components and all of the distributed services upon which Active
Directory is dependent. This dependent data, which includes Active Directory, is known collectively as the System State data.
On a domain controller running Windows Server 2003, the System State data consists of the system startup files; the system registry; the class registration database of
COM+ (an extension to the Component Object Model); the SYSVOL directory; Certificate Services database (if installed); Domain Name System (if installed); Cluster service
(if installed); and Active Directory. It is recommended that you regularly back up System State data.
For general information about the System State, see System State data. For more information about how to back up the System State, see Back up System State data. For
more information about how to restore a System State backup, see Restore System State data.
You can install Active Directory on a server running Windows Server 2003 by using a restored backup taken from a domain controller running Windows Server 2003. For
more information, see Creating an additional domain controller.
domain before you can upgrade domain controllers running Windows 2000. For more information, see Upgrading from a Windows 2000 domain.
2014 Microsoft. All rights reserved.
When you rename a domain controller, you must ensure that there will be no interruption in the ability of clients to locate or authenticate to the renamed domain
controller, except when the domain controller is restarted. The recommended practice for renaming a domain controller without interruption to clients is to use the
Netdom tool. To rename a domain controller using the Netdom tool, the domain functional level must be set to Windows Server 2003. For more information about
renaming a domain controller, see Rename a domain controller.
The System Properties dialog box can also be used to rename a domain controller, and it does not require the functional level to be raised to Windows Server 2003.
Using this dialog box may result in a service interruption to clients. For more information about functional levels, see Domain and forest functionality.
The new name of the domain controller is automatically updated to Domain Name System (DNS) and Active Directory. Once the new name propagates to DNS and Active
Directory, clients are then capable of locating and authenticating to the renamed domain controller. DNS and Active Directory replication latency may delay client ability to
locate or authenticate to the renamed domain controller. The length of time this takes depends on specifics of your network and the replication topology of your particular
organization.
During replication latency, clients may not be able to access the newly renamed domain controller. This might be acceptable for clients that try to locate and authenticate to
a particular domain controller since other domain controllers should be available to process the authentication request.
Note
The corresponding nTFRSMember or msDFSR-Member object is not renamed automatically, but the reference attributes are correctly set so SYSVOL replication is not
impacted. The only potential problem with not renaming these objects is that if another domain controller is created at a later date with the same NetBIOS name of the
old domain controller, then a conflict can occur as described in KB article 316826. After the rename is complete, you can optionally rename the nTFRSMember or
msDFSR-Member object as part of cleanup.
Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with. The Active Directory administrative tools in
Windows 2000 do not sign and encrypt all LDAP traffic by default. In order to maintain a secure network, it is strongly recommended that you upgrade all domain
controllers running Windows 2000 to Service Pack 3 or later.
You can use the corresponding Active Directory administrative tools in Windows 2000 to manage Windows 2000 domain controllers that do not have the Windows 2000
Server Service Pack 3 or later installed. However, traffic is not signed and encrypted by LDAP on domain controllers running Windows 2000.
Although it is not recommended, you can disable encrypted and signed LDAP traffic used with Active Directory administrative tools on a server running Windows
Server 2003 or on a computer running Windows XP Professional that has the Windows Server 2003 Administration Tools Pack installed. For more information, see Disable
signed or encrypted LDAP traffic.
2014 Microsoft. All rights reserved.
Domains
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domains
Domains are units of replication. All of the domain controllers in a particular domain can receive changes and replicate those changes to all other domain controllers in the
domain. Each domain in Active Directory is identified by a Domain Name System (DNS) domain name and requires one or more domain controllers. If your network
requires more than one domain, you can easily create multiple domains.
One or more domains that share a common schema and global catalog are referred to as a forest. The first domain in a forest is referred to as the forest root domain.
For more information about forests, see Creating a new forest. If multiple domains in the forest have contiguous DNS domain names, then the structure is referred to as a
domain tree. For more information, see Active Directory naming and Creating a new domain tree.
A single domain can span multiple physical locations or sites and can contain millions of objects. Site structure and domain structure are separate and flexible. A single
domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains. For more information, see Sites overview.
A domain provides several benefits:
Organizing objects.
You do not need to create separate domains merely to reflect your company's organization of divisions and departments. Within a domain, you can use
organizational units for this purpose. Using organizational units helps you manage the accounts and resources in the domain. You can then assign Group Policy
settings and place users, groups, and computers into the organizational units. Using a single domain greatly simplifies administrative overhead. For more
information, see Organizational units.
Publishing resources and information about domain objects.
A domain stores only the information about objects located in that domain, so by creating multiple domains, you are partitioning or segmenting the directory to
better serve a disparate user base. When using multiple domains, you can scale the Active Directory directory service to accommodate your administrative and
directory publishing requirements. For more information, Publishing resources.
Applying a Group Policy object to the domain consolidates resource and security management.
A domain defines a scope or unit of policy. A Group Policy object (GPO) establishes how domain resources can be accessed, configured, and used. These policies
are applied only within the domain and not across domains. For more information about applying GPOs, see Group Policy (pre-GPMC).
Delegating authority eliminates the need for a number of administrators with broad administrative authority.
Using delegated authority in conjunction with Group Policy objects and group memberships enables you to assign an administrator rights and permissions to
manage objects in an entire domain or in one or more organizational units within the domain. For more information about delegating administrative control, see
Delegating administration.
Security policies and settings (such as user rights and password policies) do not cross from one domain to another.
Each domain has its own security policies and trust relationships with other domains. However, the forest is the final security boundary. For more information, see
Creating a new forest.
Each domain stores only the information about the objects located in that domain.
By partitioning the directory this way, Active Directory can scale to very large numbers of objects.
Creating a domain
You create a domain by creating the first domain controller for a domain. To do this, install Active Directory on a member server running Windows Server 2003 by using
the Active Directory Installation Wizard. The wizard uses the information that you provide to create the domain controller and create the domain within the existing domain
structure of your organization. Depending on the existing domain structure, the new domain could be the first domain in a new forest, the first domain in a new domain
tree, or a child domain of an existing domain tree. For more information, see Creating a new forest, Creating a new domain tree, and Creating a new child domain.
A domain controller provides the Active Directory directory service to network users and computers, stores directory data, and manages user and domain interactions,
including user logon processes, authentication, and directory searches. Every domain must contain at least one domain controller. For more information, see Domain
controllers.
After you create the first domain controller for a domain, you can create additional domain controllers in an existing domain for fault tolerance and high availability of the
directory. For more information, see Creating an additional domain controller.
Although using a single domain for an entire network has several advantages, to meet additional scalability, security, or replication requirements you may consider creating
one or more domains for your organization. Understanding how directory data is replicated between domain controllers will help you plan the number of domains needed
by your organization. For more information about replication, see How replication works.
Removing a domain
In order to remove a domain, you must first remove Active Directory from all of the domain controllers associated with that domain. Once Active Directory has been
removed from the last domain controller the domain will be removed from the forest and all of the information in that domain will be deleted. A domain can only be
removed from the forest if it has no child domains. If this is the last domain in the forest, removing this domain will also delete the forest.
For more information about how to remove a domain, see Remove a domain.
Caution
Removing a domain will result in the permanent loss of amy data contained in that domain. This includes all user, group, and computer accounts.
Before removing Active Directory from a domain controller, you should first remove any application directory partitions from that domain controller. For more information,
see Application directory partitions and Create or delete an application directory partition.
Renaming domains
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Renaming domains
The ability to rename a domain provides you with the flexibility to make important changes to your forest structure and namespace as the needs of your organization
change. Renaming domains can accommodate acquisitions, mergers, name changes, or reorganizations. Domain rename allows you to:
Change the Domain Name System (DNS) and NetBIOS names of any domain in the forest (including the forest root domain).
Restructure the position of any domain in the forest (except the forest root domain).
You can only rename domains in a forest where all of the domain controllers are running Windows Server 2003 and the forest functional level has been raised to Windows
Server 2003. For more information, see Domain and forest functionality.
Forest restructuring
Using domain rename, you can also restructure the hierarchy of domains in your forest so that a domain residing in one domain tree can be moved to another domain
tree. Restructuring a forest allows you to move a domain anywhere within the forest in which it resides (except the forest root domain). This includes the ability to move a
domain so that it becomes the root of its own domain tree.
You can use the domain rename utility (Rendom.exe) to rename or restructure a domain. A domain rename will affect every domain controller in your forest and is a
multistep process that requires a detailed understanding of the operation. For more information about this process and to download the Rendom.exe tool, see the
Windows Server 2003 Active Directory Domain Rename Tools page at the Microsoft Web site.
2014 Microsoft. All rights reserved.
Domain functionality
Domain functionality enables features that will affect the entire domain and that domain only. Four domain functional levels are available: Windows 2000 mixed (default),
Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. By default, domains operate at the Windows 2000 mixed functional level.
The following table lists the domain functional levels and their corresponding supported domain controllers.
Windows NT 4.0
Windows 2000
Windows Server 2003 family
Windows 2000
Windows Server 2003 family
Windows NT 4.0
Windows Server 2003 family
Once the domain functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the domain. For example, if you raise
the domain functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to that domain.
The following table describes the domain-wide features that are enabled for three of the domain functional levels. For information about the Windows Server 2003 interim
functional level, see Upgrading from a Windows NT domain.
Domain feature
Disabled
Disabled
Enabled
Disabled
Disabled
Enabled
Disabled
Disabled
Enabled
Disabled
Disabled
Enabled
Universal Groups
For more information, see Group types and Group scope.
Enabled
Allows both security and
distribution groups.
Enabled
Allows both security and
distribution groups.
Group Nesting
For more information, see Nesting groups.
Enabled
Allows full group nesting.
Enabled
Allows full group nesting.
Converting Groups
For more information, see Converting groups.
Disabled
No group conversions allowed.
Enabled
Allows conversion between
security groups and
distribution groups.
Enabled
Allows conversion between
security groups and
distribution groups.
SID history
Disabled
Enabled
Allows migration of
security principals from
one domain to another.
Enabled
Allows migration of
security principals from
one domain to another.
Forest functionality
Forest functionality enables features across all the domains within your forest. Three forest functional levels are available: Windows 2000 (default), Windows Server 2003
interim, and Windows Server 2003 . By default, forests operate at the Windows 2000 functional level. You can raise the forest functional level to Windows Server 2003 .
The following table lists the forest functional levels and their corresponding supported domain controllers:
Windows NT 4.0
Windows 2000
Windows Server 2003 family
Windows NT 4.0
Windows Server 2003 family
Once the forest functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the forest. For example, if you raise the
forest functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to the forest.
If you are upgrading your first Windows NT 4.0 domain so that it becomes the first domain in a new Windows Server 2003 forest, you can set the domain functional level to
Windows Server 2003 interim. For more information, see Upgrading from a Windows NT domain.
The following table describes the forest-wide features that are enabled for the Windows 2000 and Windows Server 2003 forest functional levels.
Windows
Server 2003
Forest feature
Windows 2000
Enabled
Disabled
Enabled
Forest trusts
For more information, see Forest trusts.
Disabled
Enabled
Disabled
Enabled
Domain rename
For more information, see Renaming domains.
Disabled
Enabled
Disabled
Enabled
Disabled
Enabled
Disabled
Enabled
If you created an application directory partition called example1 as a child of the microsoft.com domain, the DNS name of the application directory partition would be
example1.microsoft.com. The distinguished name of the application directory partition would be dc=example1, dc=microsoft, dc=com.
If you then created an application directory partition called example2 as a child of example1.microsoft.com, the DNS name of the application directory partition would be
example2.example1.microsoft.com and the distinguished name would be dc=example2, dc=example1, dc=microsoft, dc=com.
If the domain microsoft.com was the root of the only domain tree in your forest, and you created an application directory partition with the DNS name of example1 and the
distinguished name of dc=example1, this application directory partition is not in the same tree as the microsoft.com domain. This application directory partition would be
the root of a new tree in the forest.
Domain directory partitions cannot be children of an application directory partition. For example, if you created an application directory partition with the DNS name of
example1.microsoft.com, you could not create a domain with the DNS name of domain.example1.microsoft.com.
Objects stored in an application directory partition are never replicated to the global catalog as read-only replicas. Any domain controller running Windows
Server 2003 can hold a replica, including global catalogs.
Additionally, if an application requests data through the global catalog port, that query will not return any objects from an application directory partition, even if the
computer hosting the application directory partition is also hosting the global catalog. This is done so that LDAP queries to different global catalogs will not return
inconsistent results because the application directory partition is replicated to only one of the global catalogs.
The default security descriptor reference domain defines what domain name to use when an object in the application directory partition needs to define a domain value for
the default security descriptor. The default security descriptor reference domain is assigned at the time of creation.
If the application directory partition is a child of a domain directory partition, by default, the parent domain directory partition becomes the security descriptor reference
domain. If the application directory partition is a child object of another application directory partition, the security descriptor reference domain of the parent application
directory partition becomes the reference domain of the new, child, application directory partition. If the new application directory partition is created as the root of a new
tree, then the forest root domain is used as the default security descriptor reference domain.
You can manually specify a security reference domain using Ntdsutil. However, if you plan to change the default security descriptor reference domain of a particular
application directory partition, you should do so before creating the first instance of that partition. To do this, you must prepare the cross-reference object and change the
default security reference domain before completing the application directory partition creation process. For information about precreating the cross-reference object, see
Prepare a cross-reference object. For information about changing the default security reference domain, see Set an application directory partition reference domain.
2014 Microsoft. All rights reserved.
Remove the application directory partition using the tool provided or use Ntdsutil
Refer to the application's documentation for information about removing application directory partitions that were created and used by that application.
Caution
If possible, use the application's tool for managing its application directory partitions. The application may keep other data in addition to Active Directory managed
data for the application directory partitions. By using Ntdsutil, the two sets of data could cause a conflict.
If you cannot identify the application that created the application directory partition, or if your application does not provide a means to delete application directory
partitions that it created, you can use the Ntdsutil command-line tool. To do this, see Create or delete an application directory partition.
For information about demoting a domain controller, see Demote a domain controller. For general information about application directory partitions, see Application
directory partitions.
2014 Microsoft. All rights reserved.
For information about creating and managing application directory partitions with ADSI, see Active Directory Service Interfaces (ADSI) at the Microsoft Web site. For
information about LDP, see Administration tools for the Active Directory schema.
For information about the Ntdsutil command-line tool, see Ntdsutil.
The following provides information about using Ntdsutil to create and manage application directory partitions.
Normally only members of the Enterprise Admins group can create an application directory partition. However, it is possible for a member of the Enterprise Admins group
to prepare a cross-reference object for the application directory partition and to delegate the rest of the process to someone with more limited permissions.
The cross-reference object for an application directory partition holds several valuable pieces of information, including the domain controllers that are to have a replica of
this partition and the security descriptor reference domain. The partition root node is the Active Directory object at the root of the partition
The Enterprise Admin can create the cross-reference object then delegate to a person or group with less permissions the right to create the application directory partition
root node. Both creation of the cross-reference object and the application directory partition root node can be accomplished using Ntdsutil.
After using Ntdsutil to create the cross-reference object, the enterprise administrator must modify the cross-reference object's access control list to allow the delegated
administrator to modify this cross-reference. This will allow the delegated administrator to create the application directory partition and modify the list of domain
controllers that holds replicas of this application directory partition. The delegated administrator must use the names of the application directory partition and the domain
controller name that were specified during the precreation process. For more information, see Prepare a cross-reference object.
For more information about application directory partitions, see Application directory partitions.
2014 Microsoft. All rights reserved.
The operations master roles are sometimes called flexible single master operations (FSMO) roles.
Schema master
Domain naming master
These roles must be unique in the forest. This means that throughout the entire forest there can be only one schema master and one domain naming master.
Schema master
The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema
master. There can be only one schema master in the entire forest.
Any domain controller running Windows Server 2003 can hold the role of the domain naming master. A domain controller running Windows 2000 Server that holds
the role of domain naming master must also be enabled as a global catalog server.
These roles must be unique in each domain. This means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master.
RID master
The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller
acting as the RID master in each domain in the forest.
Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the
same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain.
To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently
contains the object.
To provide consistent password experience for users across sites (can be turned off with AvoidPdcOnWan registry parameter) - The PDC emulator is used as a
reference DC to double-check incorrect passwords and it also receives new password changes. When the PDC is reachable, users can use a new password
immediately and consistently across the environment. For more information about AvoidPdcOnWan see, New Password Change and Conflict Resolution Functionality
in Windows (http://go.microsoft.com/fwlink/?LinkId=202451)
As a preferred point of administration for services (examples are Group Policy and Distributed File System, DFS) - For more information about DFS see, DFS
Management (http://go.microsoft.com/fwlink/?LinkId=202456). For more information about DCs and Group Policy see, Specifying a Domain Controller for Editing
Group Policy (http://go.microsoft.com/fwlink/?LinkId=202457).
As a point of contact for applications hard-coded to the PDC (often written for Windows NT 4.0 and older domains) - The legacy API often used for this is
NetGetDcName. It is strongly suggested to change applications to use the new API to locate DCs. DsGetDcName by default does not target the PDC, and has more
options that allows you to pick the type of DC needed to perform the operation. For more information about locating DCs from applications see, DSGetDcName
Function (http://go.microsoft.com/fwlink/?LinkId=202455).
As a default time server for all other DCs in the domain - The time server configuration of a PDC requires manual consideration and should be reviewed when you
change the owner of the PDC role.
The domain controller configured with the PDC emulator role supports two authentication protocols:
Note
For instructions on how to configure the PDC emulator to synchronize with an external time source, see Synchronize the Time Server for the Domain Controller with an
External Source (http://go.microsoft.com/fwlink/?LinkId=122513).
Infrastructure master
At any time, there can be only one domain controller acting as the infrastructure master in each domain. The infrastructure master is responsible for updating references
from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates
for objects in all domains through replication, so the global catalog data will always be up to date. If the infrastructure master finds data that is out of date, it requests the
updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.
Important
Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global
catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will
never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
In the case where all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does
not matter which domain controller holds the infrastructure master role.
The infrastructure master is also responsible for updating the group-to-user references whenever the members of groups are renamed or changed. When you rename or
move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The
infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. This prevents the loss of group
memberships associated with a user account when the user account is renamed or moved. The infrastructure master distributes the update via multimaster replication.
There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group
membership would notice the temporary inconsistency.
For information about transferring operations master roles, see Transferring operations master roles. For information about what to do when an operations master fails,
see Responding to operations master failures.
Role
Console in MMC
Schema master
RID master
Infrastructure master
For general information about operations master roles, see Operations master roles.
Note
The operations master roles are sometimes called flexible single master operations (FSMO) roles.
The operations master roles are sometimes called flexible single master operations (FSMO) roles.
Before forcing the transfer, first determine the cause and expected duration of the computer or network failure. If the cause is a networking problem or a server failure that
will be resolved soon, wait for the role holder to become available again. If the domain controller that currently holds the role has failed, you must determine if it can be
recovered and brought back online.
In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again. The decision
depends upon the role and how long the particular role holder will be unavailable. The impact of various role holder failures is discussed in the following topics.
A domain controller whose schema master role has been seized must never be brought back online.
For procedures on how to seize the schema master role, see Seize the schema master role.
A domain controller whose domain naming master role has been seized must never be brought back online.
For procedures on how to seize the domain naming master role, see Seize the domain naming master role.
A domain controller whose RID master role has been seized must never be brought back online.
For procedures on how to seize the RID master role, see Seize the RID master role.
When this is done for folder redirection or logon script activities, it may also affect users when logging on and while they work.
Other than the conditions described above, there is no direct dependency of the domain members on the PDC role holder. However, you might be using applications that
are coded to contact the PDC only. You should try to avoid having this single point of failure.
Often, these applications were written for Windows NT 3.x and 4.0 deployments where the PDC was the only writable DC. However, since Active Directory, all DCs except
Read-Only DCs are writable. The DsGetDcName API allows you to pick the right type; similar options are available in AD API interfaces like ADSI (ADS_READONLY_SERVER)
or the .NET runtime.
The loss of the primary domain controller (PDC) emulator master may affect network users. Therefore, when the PDC emulator master is not available, you may need to
immediately seize the role.
For procedures on how to seize the PDC emulator role, see Seize the PDC emulator role.
Understanding Groups
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Understanding groups
This section covers:
Groups
Group scope
Group types
Default groups
Nesting groups
Special identities
Where groups can be created
Groups
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Groups
A group is a collection of user and computer accounts, contacts and other groups that can be managed as a single unit. Users and computers that belong to a particular
group are referred to as group members.
Using groups can simplify administration by assigning a common set of permissions and rights to many accounts at once, rather than assigning permissions and rights to
each account individually. For an overview of permissions and rights, see Access control overview.
Groups can be either directory-based or local to a particular computer. Groups in Active Directory are directory objects that reside within a domain and organizational unit
container objects. Active Directory provides a set of default groups upon installation, and also allows the option to create groups. For more information, see Default
groups.
Local groups, which exist on local computers and not in Active Directory, are discussed in Default local groups.
Groups in Active Directory allow you to:
Simplify administration by assigning permissions on a shared resource to a group, rather than to individual users. This assigns the same access on the resource to
all members of that group.
Delegate administration by assigning user rights once to a group through Group Policy, and then adding necessary members to the group that you want to have
the same rights as the group.
Create e-mail distribution lists. For more information, see Group types.
Groups are characterized by their scope and their type. The scope of a group determines the extent to which the group is applied within a domain or forest. For
information about group scope, see Group scope. The group type determines whether a group can be used to assign permissions from a shared resource (for security
groups) or if a group can be used for e-mail distribution lists only (for distribution groups). For information about security groups and distribution groups, see Group
types.
There are also groups for which you cannot modify or view the memberships. These groups are referred to as special identities and are used to represent different users
at different times, depending on the circumstances. For example, the Everyone group represents all current network users, including guests and users from other domains.
For more information, see Special identities.
2014 Microsoft. All rights reserved.
Group scope
Updated: March 16, 2007
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Group scope
Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the extent to which the group is applied in the domain tree or
forest. The boundary, or reach, of a group scope is also determined by the domain functional level setting of the domain in which it resides. There are three group scopes:
universal, global, and domain local.
The following table describes the differences between the scopes of each group.
Group
scope
Universal
Domain local
Global (as long as no other
universal groups exist as
members)
Global
Domain
local
Note
The information in this table implies that the domain functional level is set to either Windows 2000 native or Windows Server 2003. When the domain functional level is
set to Windows 2000 mixed or Windows Server 2003 interim, security groups with universal scope cannot be created, although distribution groups with universal scope
are still permitted.
Note
When the domain functional level is set to Windows 2000 mixed, members of global groups can include only accounts from the same domain.
Global to universal. This conversion is allowed only if the group that you want to change is not a member of another global scope group.
Domain local to universal. This conversion is allowed only if the group that you want to change does not have another domain local group as a member.
Universal to global. This conversion is allowed only if the group that you want to change does not have another universal group as a member.
Universal to domain local. There are no restrictions for this operation.
Group types
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Group types
Groups are used to collect user accounts, computer accounts, and other group accounts into manageable units. Working with groups instead of with individual users helps
simplify network maintenance and administration.
There are two types of groups in Active Directory: distribution groups and security groups. You can use distribution groups to create e-mail distribution lists and security
groups to assign permissions to shared resources.
Distributions groups
Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to collections of users. Distribution groups are not security-enabled, which
means that they cannot be listed in discretionary access control lists (DACLs). If you need a group for controlling access to shared resources, create a security group.
Security groups
Used with care, security groups provide an efficient way to assign access to resources on your network. Using security groups, you can:
Like distribution groups, security groups can also be used as an e-mail entity. Sending an e-mail message to the group sends the message to all the members of the
group.
Although a contact can be added to a security group as well as to a distribution group, contacts cannot be assigned rights and permissions. Contacts in a group
can be sent e-mail.
Default groups
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Default groups
Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these
predefined groups to help control access to shared resources and delegate specific domain-wide administrative roles. For information about default groups stored on
local computers, see Default local groups.
Many default groups are automatically assigned a set of user rights that authorize members of the group to perform specific actions in a domain, such as logging on to a
local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers
in the domain.
When you add a user to a group, the user receives all the user rights assigned to the group and all the permissions assigned to the group on any shared resources. For
more information about user rights and permissions, see Group types.
You can manage groups by using the Active Directory Users and Computers snap-in in Microsoft Management Console (MMC). Default groups are located in the Builtin
container and the Users container.
The Builtin container default groups contain groups that are defined with domain local scope. You can move groups in and out of this container, but you cannot move the
default groups in this container to another location or to another domain.
The Users container default groups contain groups that are defined with global scope and groups that are defined with domain local scope. You can add the groups in
this container to other groups and you can move the default groups in this container to other organizational units (OUs) or containers, but you cannot move the group to
another domain.
As a security best practice, it is recommended that members of default groups with broad administrative access use the Run as command to perform administrative tasks.
For more information, see Using Run as. For information about security best practices, see Active Directory Best practices. For information about additional security
measures that can be used to protect Active Directory, see Securing Active Directory.
Note
To learn what group you need to be a member of to perform a particular procedure, many procedural topics under How To in Help and Support Center provide a
note that identifies this information.
Group
Description
Account
Operators
Members of this group can create, modify, and delete accounts for
users, groups, and computers located in the Users or Computers
containers and organizational units in the domain, except the Domain
Controllers organizational unit. Members of this group do not have
permission to modify the Administrators or the Domain Admins groups,
nor do they have permission to modify the accounts for members of
those groups. Members of this group can log on locally to domain
controllers in the domain and shut them down. Because this group has
significant power in the domain, add users with caution.
Administrators
Members of this group have full control of all domain controllers in the
domain. By default, the Domain Admins and Enterprise Admins groups
are members of the Administrators group. The Administrator account is
also a default member. Because this group has full control in the
domain, add users with caution.
Access this computer from the network; Adjust memory quotas for a
process; Back up files and directories; Bypass traverse checking; Change the
system time; Create a pagefile; Debug programs; Enable computer and
user accounts to be trusted for delegation; Force a shutdown from a
remote system; Increase scheduling priority; Load and unload device
drivers; Allow log on locally; Manage auditing and security log; Modify
firmware environment values; Profile single process; Profile system
performance; Remove computer from docking station; Restore files and
directories; Shut down the system; Take ownership of files or other objects.
Backup
Operators
Members of this group can back up and restore all files on domain
controllers in the domain, regardless of their own individual
permissions on those files. Backup Operators can also log on to
domain controllers and shut them down. This group has no default
members. Because this group has significant power on domain
controllers, add users with caution.
Back up files and directories; Allow log on locally; Restore files and
directories; Shut down the system.
Guests
Incoming
Forest Trust
Builders (only
appears in the
forest root
domain)
the forest root domain. For example, members of this group residing in
Forest A can create a one-way, incoming forest trust from Forest B. This
one-way, incoming forest trust allows users in Forest A to access
resources located in Forest B. Members of this group are granted the
permission Create Inbound Forest Trust on the forest root domain. This
group has no default members. For more information about creating
forest trusts, see Create a forest trust.
Network
Configuration
Operators
Members of this group can make changes to TCP/IP settings and renew
and release TCP/IP addresses on domain controllers in the domain.
This group has no default members.
Performance
Monitor Users
Performance
Log Users
PreWindows 2000
Compatible
Access
Members of this group have read access on all users and groups in the
domain. This group is provided for backward compatibility for
computers running Windows NT 4.0 and earlier. By default, the special
identity Everyone is a member of this group. For more information
about special identities, see Special identities. Add users to this group
only if they are running Windows NT 4.0 or earlier.
Print
Operators
Members of this group can manage, create, share, and delete printers
connected to domain controllers in the domain. They can also manage
Active Directory printer objects in the domain. Members of this group
can log on locally to domain controllers in the domain and shut them
down. This group has no default members. Because members of this
group can load and unload device drivers on all domain controllers in
the domain, add users with caution.
Remote
Desktop Users
Replicator
Server
Operators
Back up files and directories; Change the system time; Force shutdown from
a remote system; Allow log on locally; Restore files and directories; Shut
down the system.
Users
Group
Description
Cert Publishers
DnsAdmins
(installed with
DNS)
DnsUpdateProxy
(installed with
DNS)
Domain Admins
Access this computer from the network; Adjust memory quotas for a process; Back up
files and directories; Bypass traverse checking; Change the system time; Create a
pagefile; Debug programs; Enable computer and user accounts to be trusted for
delegation; Force a shutdown from a remote system; Increase scheduling priority; Load
and unload device drivers; Allow log on locally; Manage auditing and security log;
Modify firmware environment values; Profile single process; Profile system
performance; Remove computer from docking station; Restore files and directories;
Shut down the system; Take ownership of files or other objects.
Domain
Computers
Domain
Controllers
Domain Guests
Domain Users
Enterprise
Admins (only
appears in the
forest root
domain)
Access this computer from the network; Adjust memory quotas for a process; Back up
files and directories; Bypass traverse checking; Change the system time; Create a
pagefile; Debug programs; Enable computer and user accounts to be trusted for
delegation; Force shutdown from a remote system; Increase scheduling priority; Load
and unload device drivers; Allow log on locally; Manage auditing and security log;
Modify firmware environment values; Profile single process; Profile system
performance; Remove computer from docking station; Restore files and directories;
Shut down the system; Take ownership of files or other objects.
Group Policy
Creator Owners
IIS_WPG
(installed with
IIS)
Schema Admins
(only appears in
the forest root
domain)
See Also
Concepts
Using Run as
Create a shortcut using the runas command
Why you should not run your computer as an administrator
Other Resources
Run a program with administrative credentials
2014 Microsoft. All rights reserved.
Nesting groups
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Nesting groups
Using nesting, you can add a group as a member of another group. You nest groups to consolidate member accounts and reduce replication traffic.
Nesting options depend on whether the domain functionality of your Windows Server 2003 domain is set to Windows 2000 native or Windows 2000 mixed.
By default, when you nest a group within another group, user rights are inherited. For example, if you make Group_1 a member of Group_2, users in Group_1 have the
same permissions as the users in Group_2.
Groups in domains set to the Windows 2000 native functional level or distribution groups in domains set to the Windows 2000 mixed functional level can have the following
members:
Groups with universal scope can have the following members: accounts, computer accounts, other groups with universal scope, and groups with global scope from
any domain.
Groups with global scope can have the following members: accounts from the same domain and other groups with global scope from the same domain.
Groups with domain local scope can have the following members: accounts, groups with universal scope, and groups with global scope, all from any domain. This
group can also have as members other groups with domain local scope from within the same domain.
Security groups in domains set to the Windows 2000 mixed functional level are restricted to the following types of membership:
Groups with global scope can have as their members only accounts.
Groups with domain local scope can have as their members other groups with global scope and accounts.
Security groups with universal scope cannot be created in domains with the domain functional level set to Windows 2000 mixed because universal scope is supported only
in domains where the domain functional level is set to Windows 2000 native or Windows Server 2003.
Note
You cannot add the default groups that are located in the Builtin container as members to other groups. However, you can add other groups as members to the default
groups that are located in the Builtin container.
For more information about domain functionality, see Domain and forest functionality.
2014 Microsoft. All rights reserved.
Special identities
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Special identities
In addition to the groups in the Users and Builtin containers, servers running Windows Server 2003 include several special identities. For convenience, these identities are
generally referred to as groups. These special groups do not have specific memberships that can be modified, but they can represent different users at different times,
depending on the circumstances. The special groups are:
Anonymous Logon
Represents users and services that access a computer and its resources through the network without using an account name, password, or domain name. On
computers running Windows NT and earlier, the Anonymous Logon group is a default member of the Everyone group. On computers running a member of the
Windows Server 2003 family, the Anonymous Logon group is not a member of the Everyone group by default.
Everyone
Represents all current network users, including guests and users from other domains. Whenever a user logs on to the network, the user is automatically added to
the Everyone group.
Network
Represents users currently accessing a given resource over the network (as opposed to users who access a resource by logging on locally at the computer where
the resource is located). Whenever a user accesses a given resource over the network, the user is automatically added to the Network group.
Interactive
Represents all users currently logged on to a particular computer and accessing a given resource located on that computer (as opposed to users who access the
resource over the network). Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to
the Interactive group.
Although the special identities can be assigned rights and permissions to resources, the memberships cannot be modified or viewed. Group scopes do not apply to
special identities. Users are automatically assigned to these special identities whenever they log on or access a particular resource.
For general information about groups, see Groups.
2014 Microsoft. All rights reserved.
Groups can be moved within a domain. However, only groups with universal scope can be moved from one domain to another. The rights and permissions
assigned to a group with universal scope are lost when the group is moved to another domain and new assignments must be made.
For information about the tools used to move groups between domains, see Using the Windows Deployment and Resource Kits.
2014 Microsoft. All rights reserved.
Understanding Trusts
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Understanding trusts
This section covers:
Trusts
Trust types
Trust direction
Trust transitivity
When to create an external trust
When to create a shortcut trust
When to create a realm trust
When to create a forest trust
Forest trusts
Accessing resources across domains
Accessing resources across forests
Routing name suffixes across forests
Trusts
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Trusts
A trust is a relationship established between domains that enables users in one domain to be authenticated by a domain controller in the other domain. Trust relationships
in Windows NT are different than in Windows 2000 and Windows Server 2003 operating systems.
Trusts in Windows NT
In Windows NT 4.0 and earlier, trusts are limited to two domains and the trust relationship is one-way and nontransitive. In the following figure, the nontransitive, one-way
trust is shown by the straight arrow pointing to the trusted domain.
Trusts in Windows Server 2003 and Windows 2000 Server operating systems
All trusts in a Windows 2000 and Windows Server 2003 forest are transitive, two-way trusts. Therefore, both domains in a trust relationship are trusted. As shown in the
following figure, this means that if Domain A trusts Domain B and Domain B trusts Domain C, then users from Domain C can access resources in Domain A (when assigned
the proper permissions). Only members of the Domain Admins group can manage trust relationships.
Trust protocols
A domain controller running Windows Server 2003 authenticates users and applications using one of two protocols: Kerberos V5 or NTLM. The Kerberos V5 protocol is
the default protocol for computers running Windows 2000, Windows XP Professional, or Windows Server 2003. If any computer involved in a transaction does not support
Kerberos V5, the NTLM protocol will be used.
With the Kerberos V5 protocol, the client requests a ticket from a domain controller in its account domain to the server in the trusting domain. This ticket is issued by an
intermediary trusted by the client and the server. The client presents this trusted ticket to the server in the trusting domain for authentication. For more information, see
Kerberos V5 authentication.
When a client tries to access resources on a server in another domain using NTLM authentication, the server containing the resource must contact a domain controller in
the client account domain to verify the account credentials.
Trust types
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Trust types
Communication between domains occurs through trusts. Trusts are authentication pipelines that must be present in order for users in one domain to access resources in
another domain. Two default trusts are created when using the Active Directory Installation Wizard. There are four other types of trusts that can be created using the New
Trust Wizard or the Netdom command-line tool.
Default trusts
By default, two-way, transitive trusts are automatically created when a new domain is added to a domain tree or forest root domain using the Active Directory Installation
Wizard. The two default trust types are defined in the following table.
Trust
type
Transitivity
Direction
Description
Parent
and
child
Transitive
Two-way
By default, when a new child domain is added to an existing domain tree, a new parent and child trust is established. Authentication
requests made from subordinate domains flow upward through their parent to the trusting domain. For information about creating
a new child domain, see Create a new child domain.
Treeroot
Transitive
Two-way
By default, when a new domain tree is created in an existing forest, a new tree-root trust is established. For information about
creating a new domain tree, see Create a new domain tree.
Other trusts
Four other types of trusts can be created using the New Trust Wizard or the Netdom command-line tool: external, realm, forest, and shortcut trusts. These trusts are
defined in the following table.
Trust
type
Transitivity
Direction
Description
External
Nontransitive
One-way
or twoway
Use external trusts to provide access to resources located on a Windows NT 4.0 domain or a domain located in a separate
forest that is not joined by a forest trust. For more information, see When to create an external trust.
Realm
Transitive or
nontransitive
One-way
or twoway
Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2003 domain. For
more information, see When to create a realm trust.
Forest
Transitive
One-way
or twoway
Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests made in either
forest can reach the other forest. For more information, see When to create a forest trust.
Shortcut
Transitive
One-way
or twoway
Use shortcut trusts to improve user logon times between two domains within a Windows Server 2003 forest. This is useful when
two domains are separated by two domain trees. For more information, see When to create a shortcut trust.
When creating external, shortcut, realm, or forest trusts, you have the option to create each side of the trust separately or both sides of a trust simultaneously.
If you choose to create each side of the trust separately, then you will need to run the New Trust Wizard twice--once for each domain. When creating trusts using the
method, you will need to supply the same trust password for each domain. As a security best practice, all trust passwords should be strong passwords. For more
information, see Strong passwords.
If you choose to create both sides of the trust simultaneously, you will need to run the New Trust Wizard once. When you choose this option, a strong trust password is
automatically generated for you.
You will need the appropriate administrative credentials for each domain between which you will be creating a trust.
Netdom.exe can also be used to create trusts. For more information about Netdom, see Active Directory support tools.
For more information about trusts, see Trust transitivity and Trust direction.
2014 Microsoft. All rights reserved.
Trust direction
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Trust direction
The trust type and its assigned direction will impact the trust path used for authentication. A trust path is a series of trust relationships that authentication requests must
follow between domains. Before a user can access a resource in another domain, the security system on domain controllers running Windows Server 2003 must determine
whether the trusting domain (the domain containing the resource the user is trying to access) has a trust relationship with the trusted domain (the user's logon domain). To
determine this, the security system computes the trust path between a domain controller in the trusting domain and a domain controller in the trusted domain. In the
following figure, trust paths are indicated by arrows showing the direction of the trust (this is a one-way trust):
All domain trust relationships have only two domains in the relationship: the trusting domain and the trusted domain.
One-way trust
A one-way trust is a unidirectional authentication path created between two domains. This means that in a one-way trust between Domain A and Domain B, users in
Domain A (trusted domain) can access resources in Domain B (trusting domain). However, users in Domain B cannot access resources in Domain A. Some one-way trusts
can be a nontransitive trust or a transitive trust depending on the type of trust being created. For more information about trust types, see Trust types.
Two-way trust
All domain trusts in a Windows Server 2003 forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created
between the new child domain and the parent domain. In a two-way trust, both domains that are involved in a trust relationship trust each other. This means that
authentication requests can be passed between the two domains in both directions. Some two-way relationships can be nontransitive or transitive depending on the type
of trust being created. For more information, see Trust types.
A Windows Server 2003 domain can establish a one-way or two-way trust with:
Trust transitivity
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Trust transitivity
Transitivity determines whether a trust can be extended outside of the two domains with which it was formed. A transitive trust can be used to extend trust relationships
with other domains and a nontransitive trust can be used to deny trust relationships with other domains.
Transitive trusts
Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child
domains are added to the new domain, the trust path flows upward through the domain hierarchy extending the initial trust path created between the new domain and its
parent domain.
Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree.
Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated at any other domain in the forest. With a single logon
process, accounts with the proper permissions can access resources in any domain in the forest. For more information, see Authentication protocols overview.
The diagram displays that all domains in the Domain A tree and all domains in the Domain 1 tree have transitive trust relationships by default. As a result, users in the
Domain A tree can access resources in domains in the Domain 1 tree and users in the Domain 1 tree can access resources in the Domain A tree, when the proper
permissions are assigned at the resource.
In addition to the default transitive trusts established in a Windows Server 2003 forest, using the New Trust Wizard, you can manually create the following transitive trusts.
Shortcut trust. A transitive trust between a domain in the same domain tree or forest used to shorten the trust path in a large and complex domain tree or forest.
Forest trust. A transitive trust between a forest root domain and a second forest root domain.
Realm trust. A transitive trust between an Active Directory domain and an Kerberos V5 realm. For more information about Kerberos V5 realms, see Kerberos V5
authentication.
Nontransitive trust
A nontransitive trust is restricted by the two domains in the trust relationship and does not flow to any other domains in the forest. A nontransitive trust can be a two-way
trust or a one-way trust.
Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts. In summary, nontransitive domain trusts
are the only form of trust relationship possible between:
Using the New Trust Wizard, you manually create the following nontransitive trusts:
External trust. A nontransitive trust created between a Windows Server 2003 domain and a Windows NT domain or a Windows 2000 domain or Windows
Server 2003 domain in another forest.
When you upgrade a Windows NT domain to a Windows Server 2003 domain, all existing Windows NT trusts are preserved intact. All trust relationships between
Windows Server 2003 domains and Windows NT domains are nontransitive.
Realm trust. A nontransitive trust between an Active Directory domain and an Kerberos V5 realm. For more information about Kerberos V5 realms, see Kerberos
V5 authentication.
When a trust is established between a domain in a particular forest and a domain outside of that forest, security principals from the external domain can access resources
in the internal domain. Active Directory creates a foreign security principal object in the internal domain to represent each security principal from the trusted external
domain. These foreign security principals can become members of domain local groups in the internal domain. Domain local groups can have members from domains
outside of the forest.
Directory objects for foreign security principals are created by Active Directory and should not be manually modified. You can view foreign security principal objects from
Active Directory Users and Computers by enabling advanced features. For information about enabling advanced features, see To view advanced features.
In domains with the functional level set to Windows 2000 mixed, it is recommended that you delete external trusts from a domain controller running Windows Server 2003.
External trusts to Windows NT 4.0 or 3.51 domains can be deleted by authorized administrators on the domain controllers running Windows NT 4.0 or 3.51. However, only
the trusted side of the relationship can be deleted on the domain controllers running Windows NT 4.0 or 3.51. The trusting side of the relationship (created in the
Windows Server 2003 domain) is not deleted, and although it will not be operational, the trust will continue to display in Active Directory Domains and Trusts. To remove
the trust completely, you will need to delete the trust from a domain controller running Windows Server 2003 in the trusting domain. If an external trust is inadvertently
deleted from a domain controller running Windows NT 4.0 or 3.51, you will need to recreate the trust from any domain controller running Windows Server 2003 in the
trusting domain.
For more information about how to create an external trust, see Create an external trust.
domain administrator credentials in the trusted domain is a threat to the entire trusting forest.
SID filtering neutralizes the threat of malicious users in the trusted domain from using the SID history attribute to gain elevated privileges.
SID history data that contains SIDs from any domain other than the trusted domain will be removed from authentication requests made from the trusted domain.
This will result in access being denied to resources that have the user's old SID.
Universal group access control strategy between forests will require changes.
When SID filter quarantining is enabled, users who use SID history data for authorization to resources in the trusting domain no longer have access to those resources.
If you typically assign universal groups from a trusted forest to access control lists (ACLs) on shared resources in the trusting domain, SID filter quarantining will have a
major impact on your access control strategy.
Because universal groups must adhere to the same SID filter quarantining guidelines as other security principal objects (that is, the universal group object SID must also
contain the domain SID), you should verify that any universal groups that are assigned to shared resources in the trusting domain were created in the trusted domain.
If the universal group in the trusted forest was not created in the trusted domain, even though it may contain users from the trusted domain as members, authentication
requests made from members of that universal group will be filtered and discarded.
Therefore, before assigning access to resources in the trusting domain for users in the trusted domain, you should confirm that the universal group containing the trusted
domain users was created in the trusted domain.
You have the same level of trust for all administrators who have physical access to domain controllers in the trusted domain as the administrators in the trusting
domain.
You have a strict requirement to assign universal groups to resources in the trusting domain that were not created in the trusted domain.
Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant them access to resources in the trusting domain based on
the SID history attribute.
Only domain administrators can disable SID filtering. To disable SID filter quarantining for the trusting domain, type the following syntax at a command-prompt:
Netdom trust TrustingDomainName /domain: TrustedDomainName /quarantine:No /userD:domainadministratorAcct/passwordD:domainadminpwd
To enable SID filter quarantining, set the /quarantine: command-line option to Yes. For more information about Netdom.exe, see Active Directory support tools.
You can enable or disable SID filter quarantining only from the trusting side of the trust. If the trust is a two-way trust, you can also disable SID filter quarantining in the
trusted domain by using the domain administrator's credentials for the trusted domain and reversing the TrustingDomainName and TrustedDomainName values in the
command-line syntax.
Notes
To further secure your forest, you should consider enabling SID filter quarantining on all existing external trusts that were created by domain controllers running
Windows 2000 Service Pack 3 (or earlier). You can do this by using Netdom.exe to enable SID filtering on existing external trusts, or by recreating these external
trusts from a domain controller running Windows Server 2003 or Windows 2000 Service Pack 4 (or later).
You cannot turn off the default behavior that enables SID filter quarantining for newly created external trusts.
External trusts created from domain controllers running Windows 2000 Service Pack 3 (or earlier) do not enforce SID filter quarantining by default.
Domain controllers running Windows NT Server 4.0 do not take part in the trust creation process when existing domain controllers in the same domain are running
Windows 2000 or Windows Server 2003.
You can enable or disable SID filter quarantining only for trusts that extend beyond forest boundaries such as external and forest trusts. For more information about
SID filtering and forest trusts, see Forest trusts.
Shortcut trusts effectively shorten the path traveled for authentication's made between domains located in two separate trees.
For more information about how to create a shortcut trust, see Create a shortcut trust.
Forest trusts
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Forest trusts
In a Windows Server 2003 forest, you can link two disjoined Windows Server 2003 forests together to form a one-way or two-way, transitive trust relationships. A two-way,
forest trust is used to form a transitive trust relationship between every domain in both forests.
Forest trusts can provide the following benefits:
Simplified management of resources across two Windows Server 2003 forests by reducing the number of external trusts necessary to share resources.
Complete two-way trust relationships with every domain in each forest.
Use of user principal name (UPN) authentication across two forests.
Use of both the Kerberos V5 and NTLM authentication protocols to improve the trustworthiness of authorization data transferred between forests.
Flexibility of administration. Administrative tasks can be unique to each forest.
Forest trusts can only be created between two forests and cannot be implicitly extended to a third forest. This means that if a forest trust is created between forest 1 and
forest 2, and a forest trust is also created between forest 2 and forest 3, forest 1 will not have an implicit trust with forest 3. For more information about the requirements
needed for a forest trust, see When to create a forest trust.
Notes
In a Windows 2000 forest, if users in one forest need to access resources in another forest, an administrator can create an external trust relationship between the
two domains. External trusts can be one-way or two-way and are nontransitive, and therefore, limit the ability for trust paths to extend to other domains. For more
information about external trusts, see Trust types.
All trusts in Windows Server 2003 Active Directory use security identifier (SID) filtering to some degree. External trusts are quarantined by default, which prevents any
domain SIDs other than those of the quarantined trusted domain from traversing the trust relationship. SID filtering is used to prevent attacks from malicious users
who might try to grant elevated user rights to another user account. SID filtering on forest trusts does not prevent migrations to domains within the same forest
from using SID history and will not affect your universal group access control strategy. For more information about SID filtering, see When to create an external
trust.
To secure data within each forest. Sensitive data can be protected so that only users within that forest can access it.
To isolate directory replication within each forest. Schema changes, configuration changes, and the addition of new domains to a forest only have forest-wide
impact within that forest, not on a trusting forest.
Enterprise Admins
Domain Admins (in the forest root domain)
Schema Admins
Since membership in any of these groups can affect forest-wide behavior, add users with caution. As a security best practice, avoid adding users from another forest to
any of these forest-wide administrative groups. For more information about these groups, see Default groups.
GALs (Exchange)
Public folders
Directory objects
Synchronizing this data across forests will help end users view address lists and other data the same way as they do when viewing this information within their own forest.
For more information about MMS, see Microsoft Metadirectory Services.
2014 Microsoft. All rights reserved.
1. User1 logs on to Workstation1 using credentials from the child1.microsoft.com domain. As part of this process, the authenticating domain controller issues User1 a
ticket-granting ticket (TGT). This ticket is required to be authenticated to resources. The user then attempts to access a shared resource (\\fileserver1\share) on a file
server located in the child2 domain.
2. Workstation1 contacts the Key Distribution Center (KDC) on a domain controller in its domain (ChildDC1) and requests a service ticket for the FileServer1 service
principal name (SPN).
3. ChildDC1 does not find the SPN in its domain database and queries the global catalog to see if any domains in the forest contain this SPN. The global catalog sends
the requested information back to ChildDC1.
4. ChildDC1 sends the referral to Workstation1.
5. Workstation1 contacts a domain controller in ForestRootDC1 (its parent domain) for a referral to a domain controller (ChildDC2) in the Child2 domain.
ForestRootDC1 sends the referral to Workstation 1.
6. Workstation1 contacts the KDC on ChildDC2 and negotiates the ticket for the user to gain access to FileServer1.
7. Now that Workstation1 has a service ticket, it sends the service ticket to FileServer1, which reads the user's security credentials and constructs an access token
accordingly.
Each domain has its own set of security policies that do not cross from one domain to another. For more information, see Domains.
Security groups. User rights can be applied to groups in Active Directory while permissions can be assigned to security groups on member servers hosting a
Once you have gained a thorough understanding of security group concepts, determine the resource needs of each department and geographical division to assist you
with the planning effort.
Organize domain users based on administrative needs, such as their locations or departments, and then create a global group, and add the appropriate user
accounts as members.
For example, add all employee user accounts in the Sales department to the Sales Department global group, and add all employee user accounts in the Accounting
Department to the Accounting Department global group.
Create a domain local group, and add all global groups from the other domains that need the same access to a resource in your domain.
For example, employees in the Sales Department and Accounting Department global groups located in DomainA use similar print resources located in DomainB. To
make future administration changes more flexible, create a domain local group called Print Resources in DomainB, and add as members both the Sales Department
and Accounting Department global groups in DomainA.
Assign the required permissions on the shared resource to the domain local group.
For example, assign permissions to the Print Resources domain local group located in DomainB so that its members, including the Sales Department and Accounting
Department groups from DomainA, can access the printer located in DomainB.
When a workstation in one forest attempts to access data on the resource computer in another forest, Kerberos contacts the domain controller for a service ticket to the
SPN of the resource computer. Once the domain controller queries the global catalog and identifies that the SPN is not in the same forest as the domain controller, the
domain controller sends a referral for its parent domain back to the workstation. At that point, the workstation queries the parent domain for the service ticket and follows
the referral chain until it gets to the domain where the resource is located.
The following figure and corresponding steps provide a detailed description of the Kerberos authentication process that is used when computers running Windows 2000
Professional, Windows XP Professional, Windows 2000 Server, or a member of the Windows Server 2003 family attempt to access resources from a computer located in
another forest.
1. User1 logs on to Workstation1 using credentials from the child.microsoft.com domain. The user then attempts to access a shared resource on FileServer1 located in
the msn.com forest.
2. Workstation1 contacts the Key Distribution Center (KDC) on a domain controller in its domain (ChildDC1) and requests a service ticket for the FileServer1 SPN.
3. ChildDC1 does not find the SPN in its domain database and queries the global catalog to see if any domains in the microsoft.com forest contain this SPN. Since a
global catalog is limited to its own forest, the SPN is not found. The global catalog then checks its database for information about any forest trusts that are
established with its forest, and, if found, it compares the name suffixes listed in the forest trust trusted domain object (TDO) to the suffix of the target SPN to find a
match. Once a match is found, the global catalog provides a routing hint back to ChildDC1.
4. ChildDC1 sends a referral for its parent domain back to Workstation1.
5. Workstation1 contacts a domain controller in ForestRootDC1 (its parent domain) for a referral to a domain controller (ForestRootDC2) in the forest root domain of
the msn.com forest.
6. Workstation1 contacts ForestRootDC2 in the msn.com forest for a service ticket to the requested service.
7. ForestRootDC2 contacts its global catalog to find the SPN, and the global catalog finds a match for the SPN and sends it back to ForestRootDC2.
8. ForestRootDC2 then sends the referral to child.msn.com back to Workstation1.
9. Workstation1 contacts the KDC on ChildDC2 and negotiates the ticket for User1 to gain access to FileServer1.
10. Now that workstation1 has a service ticket, it sends the server service ticket to FileServer1, which reads User1's security credentials and constructs an access token
accordingly.
When a forest trust is first established, each forest collects all of the trusted namespaces in its partner forest and stores the information in a TDO. Trusted namespaces
include domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces used in the other forest. TDO
objects are replicated to the global catalog. For more information about TDOs, see Trusts.
Routing hints
Routing hints are only used when all traditional authentication channels (local domain controller and then global catalog) have failed to produce a location of a SPN.
Routing hints help direct authentication requests toward the destination forest.
When an SPN cannot be located in the domain from where the network logon request originated or from the global catalog database, the global catalog checks the forest
trust TDO for trusted name suffixes located in the other forest that might match the suffix in the SPN. If a match is found, the forest root domain returns a routing hint back
to the original source computer so that it can continue the SPN location process in the other forest.
Notes
Routing hints can only reference trusted name suffixes that are listed in the TDO for its forest trust. They do not verify the name suffix before sending the hint back
to the original source computer.
Accessing NetBIOS names and Kerberos delegation across forest trusts is not supported. NTLM is fully supported and cannot be disabled.
Security groups. User rights can be applied to groups in Active Directory while permissions can be assigned to security groups on member servers hosting a
resource. For more information, see Group types.
Group nesting. The ability to nest security groups is dependent on groups scopes and domain functionality. For more information, see Nesting groups.
Group scope. Group scope helps determine the domain-wide and forest-wide access boundaries of security groups. For more information, see Group scope.
Domain functionality. The domain functional level of the trusting and trusted domains can affect group functionality such as group nesting. For more information,
see Domain and forest functionality.
Once you have gained a thorough understanding of security group concepts, determine the resource needs of each department and geographical division to assist you
with the planning effort.
To represent the sets of users who need access to the same types of resources, create role-based global groups in every domain and forest that contains these
users. For example, users in the Sales Department in ForestA require access to an order-entry application that is a resource in ForestB. Account Department users in
ForestA require access to the same application, but these users are in a different domain. In ForestA, create the global group SalesOrder and add users in the Sales
Department to the group. Create the global group AccountsOrder and add users in the Accounting Department to that group.
To group the users from one forest who require similar access to the same resources in a different forest, create universal groups that correspond to the global
group roles. For example, in ForestA, create a universal group called SalesAccountsOrders and add the global groups SalesOrder and AccountsOrder to the group.
Note
Universal groups are not available as security groups in Windows 2000 Server mixed-mode domains or in Windows Server 2003 domains that have a domain
functional level of Windows 2000 mixed. They are available as distribution groups.
To assign permissions to resources that are to be accessed by users from a different forest, create resource-based domain local groups in every domain and use
these groups to assign permissions on the resources in that domain. For example, in ForestB, create a domain local group called OrderEntryApp. Add this group to
the access control list (ACL) that allows access to the order entry application, and assign appropriate permissions.
To implement access to a resource across a forest, add universal groups from trusted forests to the domain local groups in the trusting forests. For example, add
the SalesAccountsOrders universal group from ForestA to the OrderEntryApp domain local group in ForestB.
When a new user account needs access to a resource in a different forest, add the account to the respective global group in the domain of the user. When a new resource
needs to be shared across forests, add the appropriate domain local group to the ACL for that resource. In this way, access is enabled across forests for resources on the
basis of group membership.
For more information, see Set permissions on a shared resource.
Active Directory Users and Computers in the second forest. Then, allow user or group access to the particular resources you want to share.
When a user authenticates across a trust with the Selective authentication option enabled, an Other Organization security ID (SID) is added to the user's authorization
data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is
authenticated, then the server to which he authenticates adds the This Organization SID if the Other Organization SID is not already present. Only one of these special SIDs
can be present in an authenticated user's context. For more detailed information about how selective authentication works, see Security Considerations for Trusts.
Administrators in each forest can add objects from one forest to access control lists (ACLs) on shared resources in the other forest. You can use the ACL editor to add or
remove objects residing in one forest to ACLs on resources in another forest. For more information about how to set permissions on resources, see Set permissions on a
shared resource.
For information about setting authentication restrictions for external domains, see Accessing resources across domains.
2014 Microsoft. All rights reserved.
Do not add the @ sign to the UPN suffix or a user name. When authentication requests are routed to a trusted forest, all characters before the first @ symbol are
interpreted as the user name and everything after the first @ symbol as the UPN suffix.
The Local Security Authority (LSA) will block routing to any UPN suffix that is not a valid DNS name. For example, adding an @ symbol to a UPN suffix will cause it to
automatically be disabled.
Collision detection
When two Windows Server 2003 forests are linked by a forest trust, there is a possibility that unique name suffixes existing in one forest might collide with unique name
suffixes located in the second forest. Collision detection guarantees that each name suffix will only be routed to a single forest.
Active Directory Domains and Trusts will detect a name suffix conflict when:
When a name suffix in a forest conflicts with a new forest trust partner or when a name suffix in an existing forest trust conflicts with a new forest trust partner, the name
will be disabled in the new trust. For example, a conflict will occur if one forest is named widgets.com and the second forest is named sales.widgets.com. Despite the name
suffix conflict, routing will still work for any other unique name suffixes in the second forest.
For another example, assume that the msn.com forest needs to establish a two-way, forest trust with the widgets.com forest. Both msn.com and widgets.com have identical
UPN suffixes of microsoft.com. During the creation of the two-way, forest trust, the New Trust Wizard will detect and display the conflict between the two UPN name
suffixes and then create the forest trust.
If Active Directory Domains and Trusts detects a name suffix conflict with a trust partner domain, access to that domain from outside the forest may be denied. However,
access to the conflicted domain from within its forest will function normally.
For example, if the domain widgets.com exists in both the msn.com and microsoft.com forests, users within the msn.com forest will be able to access resources in
widgets.com domain that resides in the msn.com forest. However, users in the msn.com forest will be denied access to resources in the widgets.com domain located in the
microsoft.com forest.
Conflicts will be listed in Active Directory Domains and Trusts, in the forest trust Properties dialog box, on the Name Suffix Routing tab. If a name suffix conflict is
detected during the creation of the forest trust, then the New Trust Wizard will prompt you to save a log file of the conflicts. You can also save a log file after a trust has
been created. For more information about how to save this log file, see Change the routing status of a name suffix.
If a NetBIOS or domain SID conflict exists, Active Directory Domains and Trusts identifies the name suffixes routing status as enabled or disabled with exceptions, as
appropriate. The details about where the conflict exists are listed in the log file.
You can also use the Netdom command-line tool to list all routed names and to enable and disable routing for NetBIOS names and SIDs. For example, a forest named
microsoft.com has a forest trust with widgets.com and you also need to add a forest trust to msn.com. Both widgets.com and msn.com have child domains with the
NetBIOS name of SALES (and DNS names of USsales.widgets.com and sales.msn.com).
After you create the new trust to msn.com, routing to the SALES domain name in msn.com will be disabled. If you need to use the name SALES to route to the msn.com
forest but don't need to use it to the widgets.com forest, you can use Netdom to disable SALES in widgets.com, and then enable it in msn.com.
For information about Netdom, see Active Directory support tools.
2014 Microsoft. All rights reserved.
Sites overview
Replication overview
How replication works
Replication within a site
Replication between sites
When to establish a single or separate sites
Bandwidth
Managing replication
Sites overview
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Sites overview
Sites in Active Directory represent the physical structure, or topology, of your network. Active Directory uses topology information, stored as site and site link objects in
the directory, to build the most efficient replication topology. You use Active Directory Sites and Services to define sites and site links. A site is a set of well-connected
subnets. Sites differ from domains; sites represent the physical structure of your network, while domains represent the logical structure of your organization.
Using sites
Sites help facilitate several activities within Active Directory, including:
Replication. Active Directory balances the need for up-to-date directory information with the need for bandwidth optimization by replicating information within a
site more frequently than between sites. You can also configure the relative cost of connectivity between sites to further optimize replication. For more information,
see Replication between sites and Managing replication.
Authentication. Site information helps make authentication faster and more efficient. When a client logs on to a domain, it first searches its local site for a domain
controller to authenticate against. By establishing multiple sites, you can ensure that clients authenticate against domain controllers nearest to them, reducing
authentication latency and keeping traffic off WAN connections.
Active Directory-enabled services. Active Directory-enabled services can leverage site and subnet information to enable clients to locate the nearest server
providers more easily. For information about services, see Services.
Sites and subnets are represented in Active Directory by site and subnet objects, which you create through Active Directory Sites and Services. Each site object is associated
with one or more subnet objects.
For information about creating sites, see Create a site.
For information about creating subnets, see Create a subnet.
For information about subnets, see "Introduction to TCP/IP" at the Microsoft Windows Resource Kits Web site.
You can design and maintain the logical and physical structures of your network independently.
You do not have to base domain namespaces on your physical network.
You can deploy domain controllers for multiple domains within the same site. You can also deploy domain controllers for the same domain in multiple sites.
Replication overview
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Replication overview
Except for very small networks, directory data must reside in more than one place on the network to be equally useful to all users. Through replication, the
Active Directory directory service maintains replicas of directory data on multiple domain controllers, ensuring directory availability and performance for all users. Active
Directory uses a multimaster replication model, allowing you to make directory changes at any domain controller, not just at a designated primary domain controller.
Active Directory relies on the concept of sites to help keep replication efficient, and on the Knowledge Consistency Checker (KCC) to automatically determine the best
replication topology for the network.
The KCC actually creates a separate replication topology for each directory partition (schema, configuration, domain, application). Within a single site, these
topologies are usually identical for all partitions hosted by the same set of the domain controllers.
With certain restrictions, you can use the Simple Mail Transfer Protocol (SMTP) for replicating to sites that do not have a direct or reliable Internet Protocol (IP)
connection. For more information, see "Active Directory Replication" at the Microsoft Windows Resource Kits Web site.
Intersite replication through a firewall or virtual private network requires some special considerations. For more information, see Active Directory at the Microsoft
Web site.
A single site topology allows all replication on your network to occur as intrasite replication, which requires no manual replication configuration. A single site design also
allows all domain controllers to remain very current with respect to directory changes, because directory updates are replicated almost immediately. For more information,
see Replication within a site. For information about creating sites, see Create a site.
Physically separate network locations typically communicate over WAN connections, which are most often characterized by low-speed bandwidth. By creating a separate
site for each physical location on your network, you ensure that domain controllers communicating over WAN connections use intersite replication, which is specifically
designed for efficiency on low bandwidth connections. For more information, see Replication between sites.
With multiple sites, you have more detailed control of replication behavior through several configurable intersite replication settings. These settings include the relative cost
of different replication paths, the domain controllers associated with each site, the subnets associated with each site, the frequency of directory update transfers, and the
availability of connections for use by replication. For more information, see Managing replication.
A network client logging on to a domain must contact a domain controller as part of the authentication process, first looking within its own site. If the site includes two or
more physically separate network locations, the client may authenticate against a domain controller across a WAN connection. Authentication across a WAN introduces a
delay in the authentication process. By placing physically separate network locations into separate Active Directory sites, you can ensure that clients first attempt to
authenticate against a domain controller in their own site.
2014 Microsoft. All rights reserved.
Bandwidth
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Bandwidth
Bandwidth is the most important practical consideration affecting intrasite replication on your network. Although sites are conveniently defined by subnets, it is important to
understand that the reason for this choice is that subnets are typically well-connected. This means that subnets are generally, but not always, an effective way to determine
sites.
To organize your sites effectively, consider replication requirements and available connectivity. Find a balance that ensures domain controllers in the same site are
sufficiently well-connected to handle the frequent exchange of directory information, while not exacting what you consider to be excessive costs (such as high financial
expense or compromised network performance).
When considering bandwidth, you may want to combine several subnets into one site, or split one subnet among several sites, such as in the following instances:
You have very poorly connected computers, including several domain controllers in one subnet. Create several smaller subnets that are better connected than they
were as one large subnet. For this to be effective, each new subnet should contain a domain controller.
You have several subnets that are all well-connected or you have fewer domain controllers than subnets, but you want several subnets to be in a single site. To do
this, add multiple subnets to one site.
For more information about how bandwidth may affect the way you configure sites, see Replication between sites.
2014 Microsoft. All rights reserved.
Managing replication
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Managing replication
Active Directory relies on site configuration information to manage and optimize the process of replication. Active Directory provides automatic configuration of these
settings in some cases. In addition, you can configure site-related information for your network using Active Directory Sites and Services. Configurable information includes
settings for site links, site link bridges, and bridgehead servers.
Replication frequency
The replication frequency of a site link determines how often replication occurs over that site link. By default, the replication frequency for a site link is 180 minutes, meaning
that replication occurs over that site link every 180 minutes, or three hours. Using Active Directory Sites and Services, you can set the replication frequency from 15 minutes
to 10,080 minutes (one week). A site link must be available for any replication to occur. If a site link is not available when the number of minutes between replication
updates has passed, no replication will occur. For more information, see Configure site link replication frequency.
Your network is not fully routed (not every domain controller can directly communicate with every other domain controller).
You have a network routing or security policy in place that prevents every domain controller from being able to directly communicate with every other domain
controller.
Your Active Directory design includes a large number of sites. For more information, see the Active Directory Branch Office Planning Guide at the Microsoft Web site.
For more information about site link bridges and their affects on replication, see "Active Directory Replication" at the Microsoft Windows Resource Kits Web site.
For information about disabling automatic site link bridging, see Enable or disable site link bridges.
For information about creating a site link bridge manually, see Create a site link bridge.
The partial copies of all domain objects included in the global catalog are those most commonly used in user search operations. These attributes are marked for inclusion
in the global catalog as part of their schema definition. Storing the most commonly searched upon attributes of all domain objects in the global catalog provides users
with efficient searches without affecting network performance with unnecessary referrals to domain controllers.
You can manually add or remove other object attributes to the global catalog by using the Active Directory Schema snap-in. For more information, see Customizing the
global catalog.
A global catalog is created automatically on the initial domain controller in the forest. You can add global catalog functionality to other domain controllers or change the
default location of the global catalog to another domain controller. For more information, see Enable or disable a global catalog.
A global catalog performs the following directory roles:
Finds objects
A global catalog enables user searches for directory information throughout all domains in a forest, regardless of where the data is stored. Searches within a forest
are performed with maximum speed and minimum network traffic.
When you search for people or printers from the Start menu or choose the Entire Directory option within a query, you are searching a global catalog. Once you
enter your search request, it is routed to the default global catalog port 3268 and sent to a global catalog for resolution. For more information, see Finding
directory information and "Finding information in Active Directory" at the Microsoft Windows Resource Kits Web site.
Supplies user principal name authentication
A global catalog resolves user principal names UPNs when the authenticating domain controller does not have knowledge of the account. For example, if a users
account is located in example1.microsoft.com and the user decides to log on with a user principal name of user1@example1.microsoft.com from a computer
located in example2.microsoft.com, the domain controller in example2.microsoft.com will be unable to find the users account, and will then contact a global catalog
to complete the logon process. For more information, see Active Directory naming.
Supplies universal group membership information in a multiple domain environment
Unlike global group memberships, which are stored in each domain, universal group memberships are only stored in a global catalog. For example, when a user
who belongs to a universal group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the global catalog provides
universal group membership information for the users account at the time the user logs on to the domain.
If a global catalog is not available when a user logs on to a domain set to the functional level of Windows 2000 native or higher, the computer will use cached
credentials to log on the user if the user has logged on to the domain previously. If the user has not logged on to the domain previously, the user can only log on
to the local computer. However, if a user logs on as the Administrator in the domain (Builtin Administrator account), the user can always log on to the domain, even
when a global catalog is not available.
For more information about universal groups, see Group scope. For more information about universal groups and replication, see Global catalog replication and
Global catalogs and sites.
Note
When there is only one domain in a forest, it is not necessary for users to obtain universal group memberships from a global catalog when logging on. This
is because Active Directory can detect that there are no other domains in the forest and will prevent a query to the global catalog for this information.
Validates object references within a forest
A global catalog is used by domain controllers to validate references to objects of other domains in the forest. When a domain controller holds a directory object
with an attribute containing a reference to an object in another domain, this reference is validated using a global catalog.
Adding attributes
Active Directory defines a base set of attributes for each object in the directory. Each object and some of its attributes (such as universal group memberships) are stored in
the global catalog. Using the Active Directory Schema snap-in, you can specify additional attributes to be kept in the global catalog.
In Windows 2000 forests, extending the partial attribute set causes a full synchronization of all object attributes stored in the global catalog (for all domains in the forest).
In a large, multi-domain forest, this synchronization can cause significant network traffic. Between domain controllers enabled as global catalogs that are running Windows
Server 2003, only the newly added attribute is replicated. For more information about adding attributes to the global catalog, see Customizing the global catalog.
It is strongly recommended that you use global groups or universal groups instead of domain local groups when specifying permissions on domain directory
partition objects replicated to the global catalog. For more information, see Global catalog replication.
Notes
In Windows 2000, adding a new attribute to the global catalog causes a full synchronization of all of the domain data from all of the domains in the forest. In a
large, multi-domain Windows 2000 forest, this synchronization can cause significant network traffic. Between domain controllers enabled as global catalogs that are
running Windows Server 2003, only the newly added attribute is replicated.
When deciding whether or not to include an attribute in the global catalog, remember that you are trading increased replication and increased disk storage on
global catalogs for potentially faster query performance.
Advantage
Disadvantage
A commonly used application in the site utilizes port 3268 to resolve global catalog queries.
Performance
improvement
Additional
network traffic
due to
replication
A slow or unreliable WAN connection is used to connect to other sites. Use the same failure and load distribution rules that you used
for individual domain controllers to determine whether additional global catalog servers are necessary in each site.
Fault
tolerance
Additional
network traffic
due to
replication
Users in the site belong to a Windows 2000 domain running in native mode. In this case, all users must obtain universal group
membership information from a global catalog server. If a global catalog is not located within the same site all logon requests must
be routed over your WAN connection to a global catalog located in another site.
If a domain controller running Windows Server 2003 in the site has universal group membership caching enabled, then all users will
obtain a current cached listing of their universal group memberships.
Fast user
logons
Additional
network traffic
due to
replication
Note
Network traffic related to global catalog queries generally use more network resources than normal directory replication traffic.
Faster logon times since authenticating domain controllers no longer need to access a global catalog to obtain universal group membership information.
No need to upgrade hardware of existing domain controllers to handle the extra system requirements necessary for hosting a global catalog.
Minimized network bandwidth usage since a domain controller will not have to handle replication for all of the objects located in the forest.
Note
You might want to continue using a global catalog in branch office locations if an application in a site is sending global catalog queries to port 3268. Universal
group membership caching does not intercept calls made to port 3268.
DNS integration
Group Policy integration
DNS integration
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
DNS integration
Active Directory is integrated with DNS in the following ways:
Active Directory and Domain Name System (DNS) have the same hierarchical structure.
Although separate and implemented differently for different purposes, an organization's namespace for DNS and Active Directory have an identical structure. For
example, microsoft.com is a DNS domain and an Active Directory domain. For more information, see Namespace planning for DNS.
DNS zones can be stored in Active Directory.
If you are using the Windows Server 2003 DNS Server service, primary zone files can be stored in Active Directory for replication to other Active Directory domain
controllers. For more information, see Active Directory integration.
Active Directory uses DNS as a locator service, resolving Active Directory domain, site, and service names to an IP address.
To log on to an Active Directory domain, an Active Directory client queries their configured DNS server for the IP address of the LDAP service running on a domain
controller for a specified domain. For more information about how Active Directory clients rely on DNS, see Locating a domain controller.
Note
You can use Dcdiag.exe and Netdiag.exe to troubleshoot client computers that cannot locate a domain controller. These tools can help determine both server and
client DNS misconfigurations. For more information, see article Q265706, "DCDiag/NetDiag Facilitate Join and DC Creation" in the Microsoft Knowledge Base. For a
brief description of support tools, see Active Directory support tools.
While Active Directory is integrated with DNS and shares the same namespace structure, it is important to distinguish the difference between them:
For a checklist on deploying DNS for Active Directory, see Checklist: Deploying DNS for Active Directory.
For information about configuring DNS servers for Active Directory, see Configure a DNS server for use with Active Directory.
2014 Microsoft. All rights reserved.
Set the minimum password length and the maximum length of time that a password will remain valid. This can be configured for an entire domain.
Administrators can automatically install an application on every computer in a particular domain or on all computers assigned to a particular group in a particular
site. For example, you could automatically install Microsoft Outlook on every computer in the domain and automatically install Microsoft Excel only on those
computers belonging to the Accounting group in a particular site.
Logon, logoff, startup, and shutdown scripts can be assigned based on the locations of the computer and user accounts in Active Directory.
If members of a particular group often use different computers, administrators can install the necessary applications on each of those computers.
Any user's My Documents folder can be redirected to a network location. Users can then gain access to their documents from any computer on the network.
Policy settings are stored in Group Policy objects. Group Policy settings from more than one Group Policy object can be applied to a particular site, domain, or
organizational unit. For example, if a site contains three domains, one Group Policy object could control computer configurations for the entire site. A separate policy for
each domain could determine specific security settings for the computers in each domain. If each domain contains an Accounting and a Marketing organizational unit,
additional Group Policy objects could determine what software is installed on the computers used by the Accounting and Marketing groups throughout the entire site.
This ability to automatically configure and secure computers throughout your organization by selectively applied Group Policy objects is a very powerful administrative tool.
For more information about controlling software installation with Group Policy and how to create a Group Policy object, see Group Policy (pre-GPMC).
You can use security groups to filter how Group Policy settings are applied to collections of users and computers belonging to a particular site, domain, or organizational
unit. For more information about security groups, see Group types. For general information about Group Policy, see Group Policy overview.
2014 Microsoft. All rights reserved.
Understanding Schema
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Understanding schema
This section covers:
Schema
Schema classes and attributes
Schema object names
Deactivating a class or attribute
Extending the schema
Schema
Updated: May 1, 2010
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Schema
The Active Directory schema contains the definitions for all objects in the directory. Every new directory object you create is validated against the appropriate object
definition in the schema before being written to the directory. The schema is made up of object classes and attributes. The base (or default) schema contains a rich set of
object classes and attributes to meet the needs of most organizations, and is modeled after the International Standards Organization (ISO) X.500 standard for directory
services. Because it is extensible, you can modify and add classes and attributes to the base schema. However, you should carefully consider each change you make,
because extending the schema affects the entire network. For more information, see Extending the schema.
Schema cache
To improve performance on schema operations (such as new object validation), each domain controller holds a copy of the schema in memory (in addition to the copy it
holds on disk). This cached version is automatically updated (after a small time interval) each time you update the schema. Or, you can reload the updated schema to cache
manually for immediate effect. For more information, see Reload the schema.
Classes
ClassSchema objects are used to define classes in the schema. A classSchema object provides the template for building directory objects of that class. Examples of
classSchema include User and Server. A classSchema object contains, among other things, the following information:
Class types
Three different types of classes exist in the schema:
Class type
Purpose
Structural
Abstract
Auxiliary
Contains predefined lists of attributes that can be included in structural and abstract classes.
Note
With the Windows Server 2003 family, the inetOrgPerson class is now a part of base schema. This class can be used as a security principal in the same manner as
the user class.
Attributes
AttributeSchema objects are used to define attributes in the schema. An attributeSchema object determines the allowable contents and syntax for instances of that attribute
in the directory. Examples of attributeSchema include User-Principal-Name and Telex-Number. An attributeSchema object contains, among other things, the following
information:
Indexed attributes
Both multivalued and single valued attributes can be indexed to help improve the performance of queries on that attribute. (Indexing does not apply to classes.) Attributes
are marked for indexing based on their schema definition. Indexing an attribute also allows users to use wildcards (*) as prefixes and suffixes when specifying a search
string. When you mark an attribute as indexed, all instances of the attribute are added to the index, not just the instances that are members of a particular class. Indexing
attributes, particularly multivalued attributes, can negatively affect replication and object creation time, as well as directory database size. So, it is recommended that you
only index commonly used attributes. For more information, see Index an attribute in Active Directory.
For more information about the schema, see "Active Directory Schema" at the Microsoft Windows Resource Kits Web site and the Microsoft MSDN Web site.
Common name
The common name is a more readable version of the LDAP display name. The common names of the two attributes used in the previous example are SMTP-Mail-Address
and Machine-Password-Change-Interval. Common names are guaranteed to be unique within a container.
Object identifier
An object identifier (also known as OID) is issued by an issuing authority such as the International Organization for Standardization (ISO) or the American National
Standards Institute (ANSI). For example, the object identifier for the SMTP-Mail-Address attribute is 1.2.840.113556.1.4.786. Every object identifier must be unique. For more
information about ISO, see the International Organization for Standardization Web site.
When extending your schema, you can register new object identifiers through Microsoft. For more information, see the Microsoft Web site.
When a queuing alias object is deleted, the alias is automatically removed from all distribution lists that reference the alias.
A queue referenced by a queuing alias can be changed without changing the alias.
Queuing aliases can be used to reference a queue not listed in the directory service, including private queues or queues from another organization.
Queuing aliases can be used to send http messages by referencing the destination queue using a direct format name.
A queuing alias object has a single attribute, a format name that references a queue. Queuing aliases can contain public, private, and direct format names. The format
name for the queue cannot exceed 255 characters. For more information, see Using Message Queuing.
Note
Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.
Classes and attributes added to the base schema can be deactivated without raising the forest functional level. However, they can be redefined only in forests raised
to the Windows Server 2003 functional level or higher.
Default schema attributes or classes in the base schema cannot be deactivated if bit 4 of the systemFlags attribute is set to 1. Only attributes or classes where bit 4
of the systemFlags attribute is equal to zero can be deactivated.
Object identifiers must be unique. Mistyping a number when entering an object identifier can cause a conflict between the invalid object identifier and a legitimate object
identifier that is registered by an application. When installing an application that adds an attribute or class, the application may need to use the mistyped object identifier
for one of its legitimate schema extensions. You can correct object identifier conflicts in forests that are set to the Windows Server 2003 functional level. To correct the
conflict, deactivate the attribute or class with the incorrect object identifier. The application installation program will then be able to create the new attribute or class using
the correct object identifier.
Before deactivating a class, consider the following:
You can deactivate a class only if that class is not specified as a subClassOf, auxiliaryClass, systemAuxiliaryClass, possSuperiors, or systemPossSuperiors of any
existing active class.
You cannot use a defunct class in definitions of new classes, and you cannot add it to existing class definitions.
You cannot create objects that are instances of the defunct class or modify existing instances of the class. However, the instances of the defunct class become
available again for modification when the defunct class is reactivated.
You can deactivate an attribute only if the attribute is not specified as a systemMustContain, mustContain, systemMayContain, mayContain, or rdnAttId of any existing
active class.
You cannot use a defunct attribute in definitions of new classes, and you cannot add it to existing class definitions.
You cannot read, modify, or delete instances of the defunct attribute present in existing objects. However, the instances of the defunct attribute become available
when the defunct attribute is reactivated.
To purge the directory of instances of an attribute you must delete the instances before deactivating the attribute.
Classes and attributes can be deactivated programmatically (recommended) or by using the Active Directory Schema snap-in. To deactivate a class or attribute using the
Active Directory Schema snap-in, see Deactivate a class or attribute. For information about programmatically deactivating classes and attributes, see the Active Directory
Programmer's Guide at the Microsoft Web site.
Reactivating a class
A defunct class can be reactivated. However, a defunct class cannot be reactivated unless the attributes referenced in its mustContain, systemMustContain, mayContain, and
systemMayContain properties are active and the classes referenced in its subClassOf, auxiliaryClass, systemAuxiliaryClass, possSuperiors, and systemPossibleSuperiors
properties are also active.
Further, a defunct class cannot be reactivated if the values of the following attributes collide with an already active attribute or class: ldapDisplayName, attributeId,
governsId, or schemaIdGuid.
To reactive a defunct class, see Reactivate a class or attribute.
Reactivating an attribute
An defunct attribute can be reactivated. However, a defunct attribute cannot be reactivated if the values of the following attributes collide with an already active attribute or
class: ldapDisplayName, attributeId, governsId, schemaIdGuid, or mapiId.
Verify that no existing class or attribute in the base schema meets your application or data needs. For the complete set of classes and
attributes in the base schema, see the Microsoft Web site.
Review schema
documentation
For detailed information about extending the schema, see the Active Directory Programmer's Guide at the Microsoft Web site and
"Active Directory Schema" at the Microsoft Windows Resource Kits Web site.
When you extend the schema, the changes apply to every domain controller in the entire forest.
You cannot modify default system classes (those classes required for Windows to run) within the schema. However, directory-enabled
applications that modify the schema may add new classes that you can modify.
Attributes or classes cannot be removed after creation. At best, they can be modified or deactivated. For more information, see
Deactivating a class or attribute.
Every class and attribute in the schema must have a unique and valid object identifier (also known as OID). Do not create arbitrary object
identifiers or recycle old object identifiers. For information about obtaining valid object identifiers, see Schema object names.
Concepts
This section provides general background information about Active Directory:
A set of rules, the schema, that defines the classes of objects and attributes contained in the directory, the constraints and limits on instances of these objects, and
the format of their names. For more information about the schema, see Schema.
A global catalog that contains information about every object in the directory. This allows users and administrators to find directory information regardless of which
domain in the directory actually contains the data. For more information about the global catalog, see The role of the global catalog.
A query and index mechanism, so that objects and their properties can be published and found by network users or applications. For more information about
querying the directory, see Finding directory information.
A replication service that distributes directory data across a network. All domain controllers in a domain participate in replication and contain a complete copy of all
directory information for their domain. Any change to directory data is replicated to all domain controllers in the domain. For more information about Active
Directory replication, see Replication overview.
Support for Active Directory client software, which makes many features on Microsoft Windows 2000 Professional or Windows XP Professional available to
computers running Windows 95, Windows 98, and Windows NT Server 4.0. To client computers not running Active Directory client software, the directory will
appear like a Windows NT directory. For more information about client software, see Active Directory clients.
Note
You cannot install Active Directory on a server running Windows Server 2003, Web Edition, but you can join the server to an Active Directory domain as a member
server. For more information about Windows Server 2003, Web Edition, see Overview of Windows Server 2003, Web Edition.
New Active Directory features in Windows Server 2003 with Service Pack 1 (SP1)
The following list summarizes the Active Directory features that are new since the original release of Windows Server 2003.
Directory service backup reminders. A new event message, event ID 2089, provides the backup status of each directory partition that a domain controller stores,
including application directory partitions and Active Directory Application Mode (ADAM) partitions. If halfway through the tombstone lifetime a partition has not
been backed up, this event is logged in the Directory Service event log and continues daily until the partition is backed up.
Added replication security and fewer replication errors. Replication metadata for domain controllers from which Active Directory has been removed is no longer
retained by default, although a waiting period can be configured. This change improves replication security and eliminates replication error messages that are
caused by failed attempts to replicate with decommissioned domain controllers. For more information about preserving replication metadata, see How the
Active Directory Replication Model Works.
Install from Media improvement for installing DNS servers. Install from Media improvements make it easier to create a new domain controller that is a Domain
Name System (DNS) server by providing a new option to include application directory partitions in the backup media that is used to install the new domain
controller. This option eliminates the requirement for replication of the DomainDNSZones and ForestDNSZones application directory partitions before the DNS
server is operational.
Enhancements for replication and DNS testing. The Dcdiag.exe command-line tool, which is available in Windows Support Tools, provides new reporting on the
overall health of replication with respect to Active Directory security. This test provides a summary of results, along with detailed information for each domain
controller that is tested and a diagnosis of any security errors. Dcdiag.exe also has new DNS tests for connectivity, service availability, forwarders and root hints,
delegation, dynamic update, locator record registrations, external name resolution, and enterprise infrastructure. These tests can be performed on one domain
controller or on all domain controllers in a forest. For more information about using Dcdiag.exe, see Windows Support Tools Help.
Support for running domain controllers in virtual machines. On a single physical server that is running Windows Server 2003 and Microsoft Virtual Server 2005,
you can install multiple Windows Server 2003 or Windows 2000 Server domain controllers in separate virtual machines. This platform is well suited for test
environments. By using virtual machines, you can effectively host multiple domains, multiple domain controllers for the same domain, or even multiple forests on one
physical server that is running a single operating system. Windows Server 2003 SP1 also provides protection against directory corruption that can result from
improper backup and restore of domain controller images. For more information about running domain controllers in virtual machines, see Running Domain
Controllers in Virtual Server 2005.
Operations master health and status reporting. If an operation that requires a domain controller that holds an operations master role (also known as flexible
single-master operations (FSMO)) cannot be performed, events are now logged in the Directory Service event log. Events identify role holders that do not exist, exist
but are not available, or are available but have not replicated recently with the contacting domain controller. For more information about operations masters, see
How Operations Masters Work.
Extended storage of deleted objects. The default period that a copy of a deleted object is retained in Active Directory, called the tombstone lifetime, is extended
from 60 days to 180 days. Longer tombstone lifetime decreases the chance that a deleted object remains in the local directory of a disconnected domain controller
beyond the time when the object is permanently deleted from online domain controllers. The tombstone lifetime is not changed automatically when you upgrade to
Windows Server 2003 with SP1, but you can change the tombstone lifetime manually after the upgrade. New forests that are installed with Windows Server 2003 with
SP1 have a default tombstone lifetime of 180 days. For more information about tombstone lifetime, see How the Data Store Works.
Improved domain controller name resolution. In response to DNS name resolution failures that may be encountered during location of replication partners and
global catalog servers, domain controllers running Windows Server 2003 with SP1 request other variations of the server name that might be registered, which
results in fewer failures due to DNS delays and misconfiguration. For more information about DNS name resolution, see How DNS Support for Active Directory
Works.
Improved server metadata removal. The Ntdsutil.exe command-line tool for managing the Active Directory database has new functionality that makes it easier to
remove domain controller metadata. Preliminary steps, such as connecting to a server, domain, and site, are no longer required. You simply specify the server to
remove. You can also specify the server on which to perform the deletion. Metadata removal is now more comprehensive: in addition to Active Directory replication
metadata, the tool now removes File replication service (FRS) metadata and operations master metadata. If an operations master role is assigned to the server that
is being removed, the tool attempts to transfer the role to an appropriate domain controller. For more information, see Delete extinct server metadata.
Improved security to protect confidential attributes. To prevent Read access to confidential attributes, such as a Social Security number, while allowing Read
access to other object attributes, you can designate specific attributes as confidential by setting a search flag on the respective attributeSchema object. By default,
only domain administrators have Read access to confidential attributes, but this access can be delegated. For more information about access to attributes, see How
Security Descriptors and Access Control Lists Work.
Retention of SID history on tombstones. The sIDHistory attribute has been added to the set of attributes that are retained on an object tombstone when the
object is deleted. If a tombstoned object is reactivated (undeleted), the sIDHistory attribute is now restored with the object. For more information about
tombstones, see How the Data Store Works.
Adprep.exe improvements for Windows 2000 Server upgrades. The Adprep tool has been improved to reduce the impact of FRS synchronization that results
from updating SYSVOL files during upgrade. Adprep is used to upgrade the Windows 2000 Server schema to the Windows Server 2003 schema and to update
some forest- and domain-specific configuration, including SYSVOL, that is required for a Windows Server 2003 domain controller to be operational. The tool now
allows performing SYSVOL operations in a separate step when the domain is prepared for upgrade. A new switch, /gpprep, has been added to accommodate the
SYSVOL updates, which can be performed at a convenient time following the upgrade. The adprep /domainprep command, which formerly performed both
directory and SYSVOL updates, now updates only the directory. Adprep also now detects third-party schema extensions that block an upgrade, identifies the
blocking extensions, and recommends fixes. Microsoft Exchange schema objects are also detected so that the Exchange schema can be prepared appropriately to
accommodate inetOrgPerson naming. For more information about Adprep.exe, see Adprep.
Improved authoritative restore. The authoritative restore option in Ntdsutil now locates backlinks for all objects that are authoritatively restored, including links
that were created before implementation of the Windows Server 2003 or Windows Server 2003 interim forest functional level, in which linked-value replication (LVR)
functionality was introduced. For example, suppose that a user object is restored and the user belongs to group G1, which was created before the forest functional
level was raised, and the user also belongs to group G2, which was created after the forest functional level was raised. During authoritative restore of the user
object, the member attribute of G2 is updated, but not the member attribute of G1. Ntdsutil now creates a text file that identifies the authoritatively restored objects
and uses this file to create an LDAP Data Interchange Format (LDIF) file that can be used to restore all backlinks for pre-LVR groups in this domain. In the example,
when this LDIF file is run after authoritative restore, the restored user is added to group G1. A new option in authoritative restore also allows you to generate an
LDIF file that you can use to restore links in other domains in which a restored object has backlinks.
Multiple selection of user objects. Modify common attributes of multiple user objects at one time.
Drag-and-drop functionality. Move Active Directory objects from container to container by dragging one or more objects to a desired location in the domain
hierarchy. You can also add objects to group membership lists by dragging one or more objects (including other group objects) to the target group.
Efficient search capabilities. Search functionality is object-oriented and provides an efficient search that minimizes network traffic associated with browsing objects.
For more information, see Finding directory information.
Saved queries. Save commonly used search parameters for reuse in Active Directory Users and Computers. For more information, see Using saved queries.
Active Directory command-line tools. Run new directory service commands for administration scenarios. For more information, see Managing Active Directory
from the command line.
InetOrgPerson class. The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class.
The userPassword attribute can also be used to set the account password. For more information, see User and computer accounts.
Application directory partitions. Configure the replication scope for application-specific data among domain controllers. For example, you can control the
replication scope of Domain Name System (DNS) zone data stored in Active Directory so that only specific domain controllers in the forest participate in DNS zone
replication. For more information, see Application directory partitions.
Ability to add additional domain controllers using backup media. Reduce the time it takes to add an additional domain controller in an existing domain by using
backup media. For more information, see Using the Active Directory Installation Wizard.
Universal group membership caching. Prevent the need to locate a global catalog across a wide area network (WAN) when logging on by storing universal group
membership information on an authenticating domain controller. For more information, see Global catalogs and sites.
Secure LDAP traffic. Active Directory administrative tools sign and encrypt all Lightweight Directory Access Protocol (LDAP) traffic by default. Signing LDAP traffic
guarantees that the packaged data comes from a known source and that it has not been tampered with. For more information, see Connecting to domain
controllers running Windows 2000.
Active Directory quotas. Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory
partition. Domain Administrators and Enterprise Administrators are exempt from quotas.
Domain controller rename tool. Rename domain controllers without first demoting them. For more information, see Renaming domain controllers.
Domain rename. Rename any Windows Server 2003 domain. You can change the NetBIOS name or DNS name of any child, parent, tree, or forest root domain. For
more information, see Renaming domains.
Different location option for user and computer accounts. You can now redirect the default location for user accounts and computer accounts that are created
by the following application programming interfaces (APIs): NetUserAdd, NetGroupAdd, and NetJoinDomain. You can redirect the location of the accounts from the
Users and Computers containers to organizational units (OUs) where Group Policy settings can be applied. For more information, see Redirect the Users and
Computers Containers.
Forest trusts. Create a forest trust to extend two-way transitivity beyond the scope of a single forest to a second forest. For more information, see Forest trusts.
Forest restructuring. Move existing domains to other locations in the domain hierarchy. For more information, see Renaming domains.
Defunct schema objects. Deactivate unnecessary classes or attributes from the schema. For more information, see Deactivating a class or attribute.
Dynamic auxiliary classes. Provides support for dynamically linking auxiliary classes to individual objects, and not just to entire classes of objects. In addition,
auxiliary classes that have been attached to an object instance can subsequently be removed from the instance.
Global catalog replication improvements. Preserves the synchronization state of the global catalog when an administrative action results in an extension of the
partial attribute set. This minimizes the replication traffic as a result of a partial attribute set extension by only transmitting attributes that were added. For more
information, see Global catalog replication.
Replication enhancements. Linked-value replication allows individual group members to be replicated across the network instead of treating the entire group
membership as a single unit of replication. For more information about linked-value replication, see How replication works. In addition, new spanning tree
algorithms make replication more efficient, as well as more scalable across a larger number of domains and sites in both Windows 2000 and Windows Server 2003
forests. For more information, see Replication overview.
User access control to resources between domains or forests. Block users in a domain or forest from accessing resources in another domain or forest, and then
allow selective access by setting the Allow to authenticate access control entry (ACE) on a local resource for the user or group object. For more information, see
Accessing resources across domains or Accessing resources across forests.
Physical access to a domain controller can provide a malicious user unauthorized access to encrypted passwords. Therefore, it is recommended that all domain
controllers be locked in a secured room with limited public access. In addition, you should limit membership in the Enterprise Admins, Domain Admins, Account
Operators, Server Operators, Print Operators, and Backup Operators groups to trusted personnel in your organization. For more information about domain
controllers and groups, see Domain controllers and Default groups.
To
Use
Manage the security relationship between two forests and simplify security administration and
authentication across forests.
Forest trusts
See Forest trusts.
Group Policy
See Strong passwords.
Enable audit policy. Auditing event logs can notify you of actions that could pose a security
risk.
Group Policy
See Auditing Policy.
Assign user rights to new security groups so you can specifically define a user's administrative
role in the domain.
Group Policy
See Group types.
Enforce account lockouts on user accounts and decrease the possibility of an attacker
compromising your domain through repeated logon attempts.
Group Policy
See User and computer accounts.
Enforce password history on user accounts and decrease the possibility of an attacker
compromising your domain.
Group Policy
See Enforce password history.
Enforce minimum and maximum password ages on user accounts and decrease the possibility
of an attacker compromising your domain.
Group Policy
See Minimum password age, Maximum password age.
Verify and authenticate the validity of each user through the use of public key cryptography.
Run as
See Using Run as.
Restrict user, group, and computer access to shared resources and filter Group Policy settings.
Security groups
See Group types.
Prevent attacks from malicious users who might try to grant elevated user rights to another
user account.
SID filtering
See "Using Security Identifier (SID) Filtering to Prevent Elevation of
Privilege Attacks" at the Microsoft Web Site.
Smart cards
See Smart cards overview.
Use strong encryption techniques to secure account password information on local computers,
member servers, or domain controllers.
Syskey
See The system key utility.
Security descriptors
Access control permissions are assigned to shared objects and Active Directory objects to control how different users can use each object. A shared object, or shared
resource, is an object that is intended to be used over a network by one or more users and includes files, printers, folders, and services. Both shared objects and Active
Directory objects store access control permissions in security descriptors.
A security descriptor contains two access control lists (ACLs) used to assign and track security information for each object: the discretionary access control list (DACL) and
the system access control list (SACL).
Discretionary access control lists (DACLs). DACLs identify the users and groups that are assigned or denied access permissions on an object. If a DACL does not
explicitly identify a user, or any groups that a user is a member of, the user will be denied access to that object. By default, a DACL is controlled by the owner of an
object or the person who created the object, and it contains access control entries (ACEs) that determine user access to the object.
System access control lists (SACLs). SACLs identify the users and groups that you want to audit when they successfully access or fail to access an object. Auditing is
used to monitor events related to system or network security, to identify security breaches, and to determine the extent and location of any damage. By default, a
SACL is controlled by the owner of an object or the person who created the object. A SACL contains access control entries (ACEs) that determine whether to record
a successful or failed attempt by a user to access a object using a given permission, for example, Full Control and Read.
For more information about auditing, see Auditing settings on objects.
To view DACLs and SACLs on Active Directory objects using Active Directory Users and Computers, on the View menu, click Advanced Features to access the Security tab
for each object. For more information, see Assign, change, or remove permissions on Active Directory objects or attributes. You can also use the DSACLS support tool to
manage access control lists in Active Directory. For more information, see Active Directory support tools.
By default, DACLs and SACLs are associated with every Active Directory object, which reduces attacks to your network by malicious users or any accidental mistakes made
by domain users. However, if a malicious user obtains a user name and password of any account with administrative credentials to Active Directory, your forest will be
vulnerable to attack. For this reason, consider renaming or disabling the default administrator account and following the best practices as described in Active Directory
Best practices.
Object inheritance
By default, Active Directory objects inherit ACEs from the security descriptor located in their parent container object. Inheritance enables the access control information
defined at a container object in Active Directory to apply to the security descriptors of any subordinate objects, including other containers and their objects. This eliminates
the need to apply permissions each time a child object is created. If necessary, you can change the inherited permissions. However, as a best practice, avoid changing the
default permissions or inheritance settings on Active Directory objects. For more information, see Best practices for assigning permissions on Active Directory objects and
Changing inherited permissions.
User authentication
Active Directory also authenticates and authorizes users, groups, and computers to access objects on the network. The Local Security Authority (LSA) is the security
subsystem responsible for all interactive user authentication and authorization services on a local computer. The LSA is also used to process authentication requests made
through the Kerberos V5 protocol or NTLM protocol in Active Directory. For more information about Kerberos authentication, see Kerberos V5 authentication. For more
information about NTLM authentication, see NTLM authentication.
Once the identity of a user has been confirmed in Active Directory, the LSA on the authenticating domain controller generates a user access token and associates a security
ID (SID) with the user.
Access token. When a user is authenticated, LSA creates a security access token for that user. An access token contains the user's name, the groups to which that
user belongs, a SID for the user, and all of the SIDs for the groups to which the user belongs. If you add a user to a group after the user access token has been
issued, the user must log off and log on again before the access token will be updated.
Security ID (SID). Active Directory automatically assigns SIDs to security principal objects at the time they are created. Security principals are accounts in Active
Directory that can be assigned permissions such as computer, group, or user accounts. Once a SID is issued to the authenticated user, it is attached to the access
token of the user.
The information in the access token is used to determine a user's level of access to objects whenever the user attempts to access them. The SIDs in the access token are
compared with the list of SIDs that make up the DACL for the object to ensure that the user has sufficient permission to access the object. This is because the access
control process identifies user accounts by SID rather than by name.
Important
When a domain controller provides an access token to a user, the access token only contains information about membership in domain local groups if the domain
local groups are local to the domain controller's domain. For domain directory objects replicated in the global catalog, this fact requires certain security
considerations. For more information, see Global catalog replication.
For more information about authentication, see "Logon and Authentication" at the Microsoft Windows Resource Kits Web site.
For more information about access control and permissions, see Access control overview. For more information about authorization and access control, see "Authorization
and Access Control" at the Microsoft Windows Resource Kits Web site.
For information about additional security measures that can be implemented to protect Active Directory, see Securing Active Directory and Security information for Active
Directory.
2014 Microsoft. All rights reserved.
User accounts
In Active Directory, each user account has a user logon name, a pre-Windows 2000 user logon name (security account manager account name), and a UPN suffix. The
administrator enters the user logon name and selects the UPN suffix when creating the user account. Active Directory suggests a pre-Windows 2000 user logon name using
the first 20 bytes of the user logon name. Administrators can change the pre-Windows 2000 logon name at any time.
In Active Directory, each user account has a UPN based on IETF RFC 822, Standard for the Format of ARPA Internet Text Messages. The UPN is composed of the user logon
name and the UPN suffix joined by the @ sign.
Note
Do not add the @ sign to the user logon name or to the UPN suffix. Active Directory automatically adds it when it creates the UPN. A UPN that contains more than
one @ sign is invalid.
Important
Windows NT 4.0 and earlier domains allowed the use of a period (.) at the end of a user logon name as long as the user logon name did not consist solely of
period characters. Windows Server 2003 domains do not allow the use of a period or multiple periods at the end of a user logon name.
The second part of the UPN, the UPN suffix, identifies the domain in which the user account is located. This UPN suffix can be the DNS domain name, the DNS name of any
domain in the forest, or it can be an alternative name created by an administrator and used just for log on purposes. This alternative UPN suffix does not need to be a
valid DNS name.
In Active Directory, the default UPN suffix is the DNS name of the domain in which user account created. In most cases, this is the domain name registered as the enterprise
domain on the Internet. Using alternative domain names as the UPN suffix can provide additional logon security and simplify the names used to log on to another domain
in the forest.
For example, if your organization uses a deep domain tree, organized by department and region, domain names can get quite long. The default user UPN for a user in
that domain might be sales.westcoast.microsoft.com. The logon name for a user in that domain would be user@sales.westcoast.microsoft.com. Creating a UPN suffix of
"microsoft" would allow that same user to log on using the much simpler logon name of user@microsoft. For more information about user accounts, see User and
computer accounts and Object names.
You can add or remove UPN suffixes using Active Directory Domains and Trusts. For more information, see Add user principal name suffixes.
Computer accounts
Each computer account created in Active Directory has a relative distinguished name, a pre-Windows 2000 computer name (security account manager account name), a
primary DNS suffix, a DNS host name, and a service principal name (SPN). The administrator enters the computer name when creating the computer account. This
computer name is used as the Lightweight Directory Access Protocol (LDAP) relative distinguished name.
Active Directory suggests the pre-Windows 2000 name using the first 15 bytes of the relative distinguished name. The administrator can change the pre-Windows 2000
name at any time.
The DNS name for a host is called a full computer name and is a DNS fully qualified domain name (FQDN). The full computer name is a concatenation of the computer
name (the first 15 bytes of the SAM account name of the computer account without the "$" character) and the primary DNS suffix (the DNS domain name of the domain in
which the computer account exists). It is listed on the Computer Name tab in System Properties in Control Panel.
By default, the primary DNS suffix portion of the FQDN for a computer must be the same as the name of the Active Directory domain where the computer is located. To
allow different primary DNS suffixes, a domain administrator may create a restricted list of allowed suffixes by creating the msDS-AllowedDNSSuffixes attribute in the
domain object container. This attribute is created and managed by the domain administrator using Active Directory Service Interfaces (ADSI) or the Lightweight Directory
Access Protocol (LDAP).
For more information, see Object names and User and computer accounts.
The service principal name (SPN) is a multivalue attribute. It is usually built from the DNS name of the host. The SPN is used in the process of mutual authentication between
the client and the server hosting a particular service. The client finds a computer account based on the SPN of the service to which it is trying to connect. The SPN can be
modified by members of the Domain Admins group.
2014 Microsoft. All rights reserved.
Domain data
The domain data holds information about objects within a domain. This is information such as e-mail contacts, user and computer account attributes, and published
resources that are of interest to administrators and users.
For example, when a user account is added to your network, a user account object and attribute data are stored in the domain data. When changes to your
organization's directory objects occur, such as object creation, deletion, or attribute modification, this data is stored in the domain data.
Configuration data
The configuration data describes the topology of the directory. This configuration data includes a list of all domains, trees, and forests and the locations of the
domain controllers and global catalogs.
Schema data
The schema is the formal definition of all object and attribute data that can be stored in the directory. Domain controllers running Windows Server 2003 include a
default schema that defines many object types, such as user and computer accounts, groups, domains, organizational units, and security policies. Administrators and
programmers can extend the schema by defining new object types and attributes or by adding new attributes for existing objects. Schema objects are protected by
access control lists, ensuring that only authorized users can alter the schema.
For more information, see Schema.
Application data
Data stored in the application directory partition is intended to satisfy cases where information needs to be replicated but not necessarily on a global scale.
Application directory partitions are not part of the directory data store by default; they must be created, configured, and managed by the administrator.
For more information, see Application directory partitions.
Note
If a domain controller is also a global catalog, it stores a subset of the directory data for all other domains in the forest. For more information about domain
controllers, see Domain controllers. For more information about the global catalog, see The role of the global catalog.
unlimited. To help control the number of objects created and owned, the administrator specifies a default quota of 500. Now, each user can own a maximum of 500
objects on the partition. Because print queues are directory objects that are created and owned by the respective print servers, the new default quota of 500 limits each
print server to 500 print queues. To remove this constraint, the administrator creates a group called "Print Servers" and adds the computer account of each print server to
the group. The administrator then specifies a quota of 2,000 for the Print Servers group. Now, each print server can support its original number of print queues, while the
default quota continues to prevent excess object creation by all other security principals.
Only domain controllers running Windows Server 2003 can enforce quotas. Quotas are enforced only on originating directory operations; quotas are not enforced on
replicated operations. In order for quotas to be fully effective for any given directory partition, all domain controllers that contain a writable copy of that partition must be
running Windows Server 2003 . Therefore, for quotas to be effective on a domain directory partition, all domain controllers in that domain must be running Windows
Server 2003 . For quotas to be effective on the configuration partition, all domain controllers in the forest must by running Windows Server 2003 .
For information about creating, modifying, and querying quotas, default quotas, and tombstone quota factors, see Dsadd, Dsmod, and Dsquery.
2014 Microsoft. All rights reserved.
Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.
User accounts
The Users container located in Active Directory Users and Computers displays the three built-in user accounts: Administrator, Guest, and HelpAssistant. These built-in user
accounts are created automatically when you create the domain.
Each built-in account has a different combination of rights and permissions. The Administrator account has the most extensive rights and permissions over the domain,
while the Guest account has limited rights and permissions. The table below describes each default user account on domain controllers running Windows Server 2003.
Default user
account
Administrator
account
Description
The Administrator account has full control of the domain and can assign user rights and access control permissions to domain users as necessary. This
account must be used only for tasks that require administrative credentials. It is recommended that you set up this account with a strong password. For
more information, see Strong passwords. For additional security considerations for accounts with administrative credentials, see Active Directory Best
practices.
The Administrator account is a default member of the Administrators, Domain Admins, Enterprise Admins, Group Policy Creator Owners, and Schema
Admins groups in Active Directory. The Administrator account can never be deleted or removed from the Administrators group, but it can be renamed
or disabled. Because the Administrator account is known to exist on many versions of Windows, renaming or disabling this account will make it more
difficult for malicious users to try and gain access to it. For more information about how to rename or disable a user account, see Rename a local user
account or Disable or enable a user account.
The Administrator account is the first account created when you set up a new domain using the Active Directory Installation Wizard.
Important When the Administrator account is disabled, it can still be used to gain access to a domain controller using Safe Mode.
Guest
account
The Guest account is used by people who do not have an actual account in the domain. A user whose account is disabled (but not deleted) can also use
the Guest account. The Guest account does not require a password.
You can set rights and permissions for the Guest account just like any user account. By default, the Guest account is a member of the built-in Guests
group and the Domain Guests global group, which allows a user to log on to a domain. The Guest account is disabled by default, and it is
recommended that it stay disabled.
HelpAssistant
account
(installed with
a Remote
Assistance
session)
The primary account used to establish a Remote Assistance session. This account is created automatically when you request a Remote Assistance
session and has limited access to the computer. The HelpAssistant account is managed by the Remote Desktop Help Session Manager service and will
be automatically deleted if no Remote Assistance requests are pending. For more information about Remote Assistance, see Administering Remote
Assistance.
To obtain the security of user authentication and authorization, create an individual user account for each user who will participate on your network by using Active
Directory Users and Computers. Each user account (including the Administrator and Guest account) can then be added to a group to control the rights and permissions
assigned to the account. Using accounts and groups that are appropriate for your network ensures that users logging on to a network can be identified and can access
only the permitted resources.
You can help defend your domain from attackers by requiring strong passwords and implementing an account lockout policy. Strong passwords reduce the risk of
intelligent guessing and dictionary attacks on passwords. For more information, see Strong passwords and Password Best practices for passwords.
An account lockout policy decreases the possibility of an attacker compromising your domain through repeated logon attempts. This is because an account lockout policy
determines how many failed logon attempts a user account can have before it is disabled. For more information, see Apply or modify account lockout policy.
For more information about securing user accounts, see Securing Active Directory.
Account options
Each Active Directory user account has a number of account options that determine how someone logging on with that particular user account is authenticated on the
network. You can use the following options to configure password settings and security-specific information for user accounts:
Account option
Description
User must
change
password at next
logon
Forces a user to change their password the next time the user logs on to the network. Use this option when you want to ensure that the user will be
the only person to know their password.
User cannot
change
password
Prevents a user from changing their password. Use this option when you want to maintain control over a user account, such as for a guest or
temporary account.
Password never
expires
Prevents a user password from expiring. It is recommended that Service accounts should have this option enabled and should use strong
passwords. For more information about strong passwords, see Strong passwords.
Store passwords
using reversible
encryption
Allows a user to log on to a Windows network from Apple computers. If a user is not logging on from an Apple computer, this option should not
be used. For more information, see Store passwords using reversible encryption.
Account is
disabled
Prevents a user from logging on with the selected account. Many administrators use disabled accounts as templates for common user accounts. For
more information, see Disable or enable a user account.
Smart card is
required for
interactive logon
Requires that a user possess a smart card to log on to the network interactively. The user must also have a smart card reader attached to their
computer and a valid personal identification number (PIN) for the smart card. When this option is selected, the password for the user account is
automatically set to a random and complex value. For more information about smart cards, see Logging on to a computer with a smart card and
Authentication process.
Account is
trusted for
delegation
Allows a service running under this account to perform operations on behalf of other user accounts on the network. A service running under a user
account (otherwise known as a service account) that is trusted for delegation can impersonate a client to gain access to resources on the computer
where the service is running or on other computers. In a forest set to the Windows Server 2003 functional level, this setting is found on the
Delegation tab, and is only available for accounts that have been assigned service principal names (SPNs), as set using the setspn command from
the Windows Support Tools. This is a security-sensitive capability and should be cautiously assigned. For more information, see Allow a user to be
trusted for delegation and Delegating authentication.
This option is only available on domain controllers running Windows Server 2003 where the domain functionality is set to Windows 2000 mixed or
Windows 2000 native. On domain controllers running Windows Server 2003 where the domain functional level is set to Windows Server 2003, the
Delegation tab is used to configure delegation settings. The Delegation tab only appears for accounts which have an assigned SPN. For more
information about domain functionality, see Domain and forest functionality. For more information about configuring delegation in a Windows
Server 2003 domain, see Allow a user to be trusted for delegation.
Account is
sensitive and
cannot be
delegated
Allows control over a user account, such as for a guest or temporary account. This option can be used if this account cannot be assigned for
delegation by another account.
Use DES
encryption types
for this account
Provides support for the Data Encryption Standard (DES). DES supports multiple levels of encryption, including MPPE Standard (40-bit), MPPE
Standard (56-bit), MPPE Strong (128-bit), IPSec DES (40-bit), IPSec 56-bit DES, and IPSec Triple DES (3DES). For more information about DES
encryption, see Data encryption.
Do not require
Kerberos
preauthentication
Provides support for alternate implementations of the Kerberos protocol. Domain controllers running Windows 2000 or Windows Server 2003 can
use other mechanisms to synchronize time. Because preauthentication provides additional security, use caution when enabling this option. For more
information about Kerberos, see Kerberos V5 authentication.
InetOrgPerson accounts
Active Directory provides support for the InetOrgPerson object class and its associated attributes defined in RFC 2798. The InetOrgPerson object class is used in several
non-Microsoft LDAP and X.500 directory services to represent people within an organization.
Support for InetOrgPerson makes migrations from other LDAP directories to Active Directory more efficient. The InetOrgPerson object is derived from the user class and
can be used as a security principal just like the user class. For information about creating an inetOrgPerson user account, see Create a new user account.
When the domain functional level has been set to Windows Server 2003, you can set the userPassword attribute on InetOrgPerson and user objects as being the effective
password just like you can with the unicodePwd attribute.
Computer accounts
Every computer running Windows NT, Windows 2000, Windows XP, or a server running Windows Server 2003 that joins a domain has a computer account. Similar to user
accounts, computer accounts provide a means for authenticating and auditing computer access to the network and to domain resources. Each computer account must be
unique.
Note Computers running Windows 95 and Windows 98 do not have advanced security features and are not assigned computer accounts.
User and computer accounts can be added, disabled, reset, and deleted using Active Directory Users and Computers. A computer account can also be created when you
join a computer to a domain. For more information about user and computer accounts, see Active Directory naming and Object names.
When the domain functional level has been set to Windows Server 2003, a new lastLogonTimestamp attribute is used to track the last logon time of a user or computer
account. This attribute is replicated within the domain and can provide you with important information regarding the history of a user or computer.
Object names
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Object names
Every object in Active Directory is an instance of a class defined in the schema. Each class has attributes that ensure:
For more information about schema, classes, and attributes, see Schema.
Each object in Active Directory can be referenced by several different names. Active Directory creates a relative distinguished name and a canonical name for each object
based upon information that was provided when the object was created or modified. Each object can also be referenced by its distinguished name, which is derived from
the relative distinguished name of the object and all of its parent container objects.
The LDAP relative distinguished name uniquely identifies the object within its parent container. For example, the LDAP relative distinguished name of a computer
named my computer is CN=mycomputer. Relative distinguished names must be unique in that users cannot have the same name within an organizational unit.
The LDAP distinguished name is globally unique. For example, the distinguished name of a computer named mycomputer in the MyOrganizationalUnit organizational
unit in the microsoft.com domain is CN=mycomputer, OU=MyOrganizationalUnit, DC=microsoft, DC=com.
The canonical name is constructed the same way as the distinguished name, but it is represented using a different notation. The canonical name of the computer in
the previous example would be Microsoft.com/MyOrganizationalUnit/mycomputer.
Security principal objects are Active Directory objects that are assigned security IDs (SIDs) and can be used to log on to the network and can be assigned access to domain
resources. An administrator needs to provide names for security principal objects (user accounts, computer accounts, and groups) that are unique within a domain.
Consider what occurs when a new user account is added to your directory. You provide a name the user must use to log on to the network, the name of the domain that
contains the user account, and other descriptive data, such as first name, last name, telephone number and so on (called attributes). All this information is recorded in the
directory.
The names of security principal objects can contain all Unicode characters except the special LDAP characters defined in RFC 2253. This list of special characters includes: a
leading space; a trailing space; and any of the following characters: # , + " \ < > ;
Security principal names must conform to the following guidelines:
Type of
account
name
Maximum size
Special limitations
User
account
A user account cannot consist solely of periods (.) or spaces, or end in a period. Any
leading periods or spaces are cropped. Use of the @ symbol is not supported with
the logon format for Windows NT 4.0 and earlier, which is DomainName\UserName.
Windows 2000 logon names are unique to the domain and Windows Server 2003
logon names are unique within the forest.
Computer
account
A computer account cannot consist solely of numbers, periods (.), or spaces. Any
leading periods or spaces are cropped.
Group
account
A group account cannot consist solely of numbers, periods (.), or spaces. Any leading
periods or spaces are cropped.
Note
If the administrator changes the default security settings, then it is possible to use computer names containing more than 15 characters. For more information, see
Active Directory naming.
From the information provided by the person who creates the security principal object, Active Directory generates a security ID (SID), and a globally unique ID used to
identify the security principal. Active Directory also creates an LDAP relative distinguished name, based on the security principal name. An LDAP distinguished name and a
canonical name are derived from the relative distinguished name and the names of the domain and container contexts in which the security principal object is created.
If your organization has several domains, it is possible to use the same user name or computer name in different domains. The SID, globally unique ID, LDAP distinguished
name, and canonical name generated by Active Directory will uniquely identify each user, computer, or group in the forest. If the security principal object is renamed or
moved to a different domain, the SID, LDAP relative distinguished name, LDAP distinguished name, and canonical name will change, but the globally unique ID generated by
Active Directory will not change.
Security principal objects, such as user accounts, may be renamed, moved, or contained within a nested domain hierarchy. To reduce the effect of renaming, moving, or
assigning user account names within a nested domain hierarchy, Active Directory provides a method for simplifying user logon names. For information about user logon
names, see Active Directory naming and Add user principal name suffixes, and User and computer accounts.
2014 Microsoft. All rights reserved.
Organizational units
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Organizational units
A particularly useful type of directory object contained within domains is the organizational unit. Organizational units are Active Directory containers into which you can
place users, groups, computers, and other organizational units. An organizational unit cannot contain objects from other domains.
An organizational unit is the smallest scope or unit to which you can assign Group Policy settings or delegate administrative authority. Using organizational units, you can
create containers within a domain that represent the hierarchical, logical structures within your organization. You can then manage the configuration and use of accounts
and resources based on your organizational model. For more information about Group Policy settings, see Group Policy (pre-GPMC).
As shown in the figure, organizational units can contain other organizational units. A hierarchy of containers can be extended as necessary to model your organization's
hierarchy within a domain. Using organizational units will help you minimize the number of domains required for your network.
You can use organizational units to create an administrative model that can be scaled to any size. A user can have administrative authority for all organizational units in a
domain or for a single organizational unit. An administrator of an organizational unit does not need to have administrative authority for any other organizational units in
the domain. For more information about delegating administrative authority, see Delegating administration.
2014 Microsoft. All rights reserved.
Member servers
A member server is a computer that:
Runs an operating system in the Windows 2000 Server family or the Windows Server 2003 family.
Belongs to a domain.
Is not a domain controller.
A member server does not process account logons, participate in Active Directory replication, or store domain security policy information.
Member servers typically function as the following types of servers: file servers, application servers, database servers, Web servers, certificate servers, firewalls, and
remote access servers. For more information about server roles, see Server roles.
The following security-related features are common to all member servers:
Member servers adhere to Group Policy settings that are defined for the site, domain, or organizational unit.
Access control for resources that are available on a member server.
Member server users have assigned user rights.
Member servers contain a local security account database, the Security Accounts Manager (SAM).
Domain controllers
A domain controller is a computer that:
Runs an operating system in the Windows 2000 Server family or the Windows Server 2003 family.
Uses Active Directory to store a read-write copy of the domain database, participate in multimaster replication, and authenticate users.
Domain controllers store directory data and manage communication between users and domains, including user logon processes, authentication, and directory searches.
Domain controllers synchronize directory data using multimaster replication, ensuring consistency of information over time. For more information about multimaster
replication, see Replication overview.
Active Directory supports multimaster replication of directory data between all domain controllers in a domain; however, multimaster replication is not appropriate for
some directory data replication. In this case, a domain controller, called the operations master, will process data. In an Active Directory forest, there are at least five
different operations master roles that are assigned to one or more domain controllers. For more information about operations masters, see Operations master roles.
As the needs of your computing environment change, you might want to change the role of a server. Using the Active Directory Installation Wizard, you can install Active
Directory on a member server to make it a domain controller, or you can remove Active Directory from a domain controller to make it a member server. For more
information about domain controllers, see Domain controllers.
Note
You cannot install Active Directory on a computer running Windows Server 2003, Web Edition, but you can join the computer to an Active Directory domain as a
member server. For more information about Windows Server 2003, Web Edition, see Overview of Windows Server 2003, Web Edition.
Site awareness
You can log on to the domain controller that is closest to the client in the network. For more information, see Locating a domain controller.
Active Directory Service Interfaces (ADSI)
You can use scripting to Active Directory. ADSI also provides a common programming API to Active Directory programmers.
Distributed File System (DFS)
You can access DFS shared resources on servers running Windows 2000 and Windows Server 2003.
NTLM version 2 authentication
You can use the improved authentication features in NTLM version 2.
For more information about enabling NTML version 2, see article Q239869, "How to Enable NTLM 2 Authentication," in the Microsoft Knowledge Base.
Active Directory Windows Address Book (WAB) property pages
You can change properties, such as phone number and address, on user object pages.
Active Directory search capability
From the Start button, you can locate printers and people in a Windows 2000 Server or Windows Server 2003 domain.
For information about publishing printers in Active Directory, see article Q234619, "Publishing a Printer in Windows 2000 Active Directory," in the Microsoft
Knowledge Base.
Windows 2000 Professional and Windows XP Professional provide functionality that the Active Directory client on Windows 95, Windows 98, and Windows NT 4.0 does not,
including Kerberos V5 support; Group Policy or IntelliMirror support; and service principal name (SPN), or mutual authentication. You can take advantage of these
additional features by upgrading to Windows 2000 Professional or Windows XP Professional.
To install the Active Directory client, see the Active Directory client page at the Microsoft Web site.
2014 Microsoft. All rights reserved.
Domain controllers
Renaming domain controllers
Connecting to domain controllers running Windows 2000
Domains
Renaming domains
Domain and forest functionality
Raising domain and forest functional levels
Application directory partitions
Application directory partitions and domain controller demotion
Managing application directory partitions
Operations master roles
Transferring operations master roles
Responding to operations master failures
Domain controllers
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domain controllers
When you create the first domain controller in your organization, you are also creating the first domain, the first forest, the first site, and installing Active Directory. Domain
controllers running Windows Server 2003 store directory data and manage user and domain interactions, including user logon processes, authentication, and directory
searches. Domain controllers are created by using the Active Directory Installation Wizard. For more information, see Using the Active Directory Installation Wizard.
Note
You cannot install Active Directory on a computer running Windows Server 2003, Web Edition, but you can join the computer to an Active Directory domain as a
member server. For more information about Windows Server 2003, Web Edition, see Overview of Windows Server 2003, Web Edition.
When using domain controllers in your organization, you will want to think about how many domain controllers youll need, the physical security of those domain
controllers, a plan for backing up the domain data, and upgrading domain controllers.
Physical security
Physical access to a domain controller can provide a malicious user unauthorized access to encrypted passwords. For this reason, it is recommended that all domain
controllers in your organization be locked in a secured room with limited public access. You can use additional security measures such as Syskey for extra protection on
domain controllers. For more information about Syskey, see The system key utility.
When you use the backup tool on a domain controller it will automatically back up all of the system components and all of the distributed services upon which Active
Directory is dependent. This dependent data, which includes Active Directory, is known collectively as the System State data.
On a domain controller running Windows Server 2003, the System State data consists of the system startup files; the system registry; the class registration database of
COM+ (an extension to the Component Object Model); the SYSVOL directory; Certificate Services database (if installed); Domain Name System (if installed); Cluster service
(if installed); and Active Directory. It is recommended that you regularly back up System State data.
For general information about the System State, see System State data. For more information about how to back up the System State, see Back up System State data. For
more information about how to restore a System State backup, see Restore System State data.
You can install Active Directory on a server running Windows Server 2003 by using a restored backup taken from a domain controller running Windows Server 2003. For
more information, see Creating an additional domain controller.
domain before you can upgrade domain controllers running Windows 2000. For more information, see Upgrading from a Windows 2000 domain.
2014 Microsoft. All rights reserved.
When you rename a domain controller, you must ensure that there will be no interruption in the ability of clients to locate or authenticate to the renamed domain
controller, except when the domain controller is restarted. The recommended practice for renaming a domain controller without interruption to clients is to use the
Netdom tool. To rename a domain controller using the Netdom tool, the domain functional level must be set to Windows Server 2003. For more information about
renaming a domain controller, see Rename a domain controller.
The System Properties dialog box can also be used to rename a domain controller, and it does not require the functional level to be raised to Windows Server 2003.
Using this dialog box may result in a service interruption to clients. For more information about functional levels, see Domain and forest functionality.
The new name of the domain controller is automatically updated to Domain Name System (DNS) and Active Directory. Once the new name propagates to DNS and Active
Directory, clients are then capable of locating and authenticating to the renamed domain controller. DNS and Active Directory replication latency may delay client ability to
locate or authenticate to the renamed domain controller. The length of time this takes depends on specifics of your network and the replication topology of your particular
organization.
During replication latency, clients may not be able to access the newly renamed domain controller. This might be acceptable for clients that try to locate and authenticate to
a particular domain controller since other domain controllers should be available to process the authentication request.
Note
The corresponding nTFRSMember or msDFSR-Member object is not renamed automatically, but the reference attributes are correctly set so SYSVOL replication is not
impacted. The only potential problem with not renaming these objects is that if another domain controller is created at a later date with the same NetBIOS name of the
old domain controller, then a conflict can occur as described in KB article 316826. After the rename is complete, you can optionally rename the nTFRSMember or
msDFSR-Member object as part of cleanup.
Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with. The Active Directory administrative tools in
Windows 2000 do not sign and encrypt all LDAP traffic by default. In order to maintain a secure network, it is strongly recommended that you upgrade all domain
controllers running Windows 2000 to Service Pack 3 or later.
You can use the corresponding Active Directory administrative tools in Windows 2000 to manage Windows 2000 domain controllers that do not have the Windows 2000
Server Service Pack 3 or later installed. However, traffic is not signed and encrypted by LDAP on domain controllers running Windows 2000.
Although it is not recommended, you can disable encrypted and signed LDAP traffic used with Active Directory administrative tools on a server running Windows
Server 2003 or on a computer running Windows XP Professional that has the Windows Server 2003 Administration Tools Pack installed. For more information, see Disable
signed or encrypted LDAP traffic.
2014 Microsoft. All rights reserved.
Domains
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Domains
Domains are units of replication. All of the domain controllers in a particular domain can receive changes and replicate those changes to all other domain controllers in the
domain. Each domain in Active Directory is identified by a Domain Name System (DNS) domain name and requires one or more domain controllers. If your network
requires more than one domain, you can easily create multiple domains.
One or more domains that share a common schema and global catalog are referred to as a forest. The first domain in a forest is referred to as the forest root domain.
For more information about forests, see Creating a new forest. If multiple domains in the forest have contiguous DNS domain names, then the structure is referred to as a
domain tree. For more information, see Active Directory naming and Creating a new domain tree.
A single domain can span multiple physical locations or sites and can contain millions of objects. Site structure and domain structure are separate and flexible. A single
domain can span multiple geographical sites, and a single site can include users and computers belonging to multiple domains. For more information, see Sites overview.
A domain provides several benefits:
Organizing objects.
You do not need to create separate domains merely to reflect your company's organization of divisions and departments. Within a domain, you can use
organizational units for this purpose. Using organizational units helps you manage the accounts and resources in the domain. You can then assign Group Policy
settings and place users, groups, and computers into the organizational units. Using a single domain greatly simplifies administrative overhead. For more
information, see Organizational units.
Publishing resources and information about domain objects.
A domain stores only the information about objects located in that domain, so by creating multiple domains, you are partitioning or segmenting the directory to
better serve a disparate user base. When using multiple domains, you can scale the Active Directory directory service to accommodate your administrative and
directory publishing requirements. For more information, Publishing resources.
Applying a Group Policy object to the domain consolidates resource and security management.
A domain defines a scope or unit of policy. A Group Policy object (GPO) establishes how domain resources can be accessed, configured, and used. These policies
are applied only within the domain and not across domains. For more information about applying GPOs, see Group Policy (pre-GPMC).
Delegating authority eliminates the need for a number of administrators with broad administrative authority.
Using delegated authority in conjunction with Group Policy objects and group memberships enables you to assign an administrator rights and permissions to
manage objects in an entire domain or in one or more organizational units within the domain. For more information about delegating administrative control, see
Delegating administration.
Security policies and settings (such as user rights and password policies) do not cross from one domain to another.
Each domain has its own security policies and trust relationships with other domains. However, the forest is the final security boundary. For more information, see
Creating a new forest.
Each domain stores only the information about the objects located in that domain.
By partitioning the directory this way, Active Directory can scale to very large numbers of objects.
Creating a domain
You create a domain by creating the first domain controller for a domain. To do this, install Active Directory on a member server running Windows Server 2003 by using
the Active Directory Installation Wizard. The wizard uses the information that you provide to create the domain controller and create the domain within the existing domain
structure of your organization. Depending on the existing domain structure, the new domain could be the first domain in a new forest, the first domain in a new domain
tree, or a child domain of an existing domain tree. For more information, see Creating a new forest, Creating a new domain tree, and Creating a new child domain.
A domain controller provides the Active Directory directory service to network users and computers, stores directory data, and manages user and domain interactions,
including user logon processes, authentication, and directory searches. Every domain must contain at least one domain controller. For more information, see Domain
controllers.
After you create the first domain controller for a domain, you can create additional domain controllers in an existing domain for fault tolerance and high availability of the
directory. For more information, see Creating an additional domain controller.
Although using a single domain for an entire network has several advantages, to meet additional scalability, security, or replication requirements you may consider creating
one or more domains for your organization. Understanding how directory data is replicated between domain controllers will help you plan the number of domains needed
by your organization. For more information about replication, see How replication works.
Removing a domain
In order to remove a domain, you must first remove Active Directory from all of the domain controllers associated with that domain. Once Active Directory has been
removed from the last domain controller the domain will be removed from the forest and all of the information in that domain will be deleted. A domain can only be
removed from the forest if it has no child domains. If this is the last domain in the forest, removing this domain will also delete the forest.
For more information about how to remove a domain, see Remove a domain.
Caution
Removing a domain will result in the permanent loss of amy data contained in that domain. This includes all user, group, and computer accounts.
Before removing Active Directory from a domain controller, you should first remove any application directory partitions from that domain controller. For more information,
see Application directory partitions and Create or delete an application directory partition.
Renaming domains
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Renaming domains
The ability to rename a domain provides you with the flexibility to make important changes to your forest structure and namespace as the needs of your organization
change. Renaming domains can accommodate acquisitions, mergers, name changes, or reorganizations. Domain rename allows you to:
Change the Domain Name System (DNS) and NetBIOS names of any domain in the forest (including the forest root domain).
Restructure the position of any domain in the forest (except the forest root domain).
You can only rename domains in a forest where all of the domain controllers are running Windows Server 2003 and the forest functional level has been raised to Windows
Server 2003. For more information, see Domain and forest functionality.
Forest restructuring
Using domain rename, you can also restructure the hierarchy of domains in your forest so that a domain residing in one domain tree can be moved to another domain
tree. Restructuring a forest allows you to move a domain anywhere within the forest in which it resides (except the forest root domain). This includes the ability to move a
domain so that it becomes the root of its own domain tree.
You can use the domain rename utility (Rendom.exe) to rename or restructure a domain. A domain rename will affect every domain controller in your forest and is a
multistep process that requires a detailed understanding of the operation. For more information about this process and to download the Rendom.exe tool, see the
Windows Server 2003 Active Directory Domain Rename Tools page at the Microsoft Web site.
2014 Microsoft. All rights reserved.
Domain functionality
Domain functionality enables features that will affect the entire domain and that domain only. Four domain functional levels are available: Windows 2000 mixed (default),
Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003. By default, domains operate at the Windows 2000 mixed functional level.
The following table lists the domain functional levels and their corresponding supported domain controllers.
Windows NT 4.0
Windows 2000
Windows Server 2003 family
Windows 2000
Windows Server 2003 family
Windows NT 4.0
Windows Server 2003 family
Once the domain functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the domain. For example, if you raise
the domain functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to that domain.
The following table describes the domain-wide features that are enabled for three of the domain functional levels. For information about the Windows Server 2003 interim
functional level, see Upgrading from a Windows NT domain.
Domain feature
Disabled
Disabled
Enabled
Disabled
Disabled
Enabled
Disabled
Disabled
Enabled
Disabled
Disabled
Enabled
Universal Groups
For more information, see Group types and Group scope.
Enabled
Allows both security and
distribution groups.
Enabled
Allows both security and
distribution groups.
Group Nesting
For more information, see Nesting groups.
Enabled
Allows full group nesting.
Enabled
Allows full group nesting.
Converting Groups
For more information, see Converting groups.
Disabled
No group conversions allowed.
Enabled
Allows conversion between
security groups and
distribution groups.
Enabled
Allows conversion between
security groups and
distribution groups.
SID history
Disabled
Enabled
Allows migration of
security principals from
one domain to another.
Enabled
Allows migration of
security principals from
one domain to another.
Forest functionality
Forest functionality enables features across all the domains within your forest. Three forest functional levels are available: Windows 2000 (default), Windows Server 2003
interim, and Windows Server 2003 . By default, forests operate at the Windows 2000 functional level. You can raise the forest functional level to Windows Server 2003 .
The following table lists the forest functional levels and their corresponding supported domain controllers:
Windows NT 4.0
Windows 2000
Windows Server 2003 family
Windows NT 4.0
Windows Server 2003 family
Once the forest functional level has been raised, domain controllers running earlier operating systems cannot be introduced into the forest. For example, if you raise the
forest functional level to Windows Server 2003, domain controllers running Windows 2000 Server cannot be added to the forest.
If you are upgrading your first Windows NT 4.0 domain so that it becomes the first domain in a new Windows Server 2003 forest, you can set the domain functional level to
Windows Server 2003 interim. For more information, see Upgrading from a Windows NT domain.
The following table describes the forest-wide features that are enabled for the Windows 2000 and Windows Server 2003 forest functional levels.
Windows
Server 2003
Forest feature
Windows 2000
Enabled
Disabled
Enabled
Forest trusts
For more information, see Forest trusts.
Disabled
Enabled
Disabled
Enabled
Domain rename
For more information, see Renaming domains.
Disabled
Enabled
Disabled
Enabled
Disabled
Enabled
Disabled
Enabled
If you created an application directory partition called example1 as a child of the microsoft.com domain, the DNS name of the application directory partition would be
example1.microsoft.com. The distinguished name of the application directory partition would be dc=example1, dc=microsoft, dc=com.
If you then created an application directory partition called example2 as a child of example1.microsoft.com, the DNS name of the application directory partition would be
example2.example1.microsoft.com and the distinguished name would be dc=example2, dc=example1, dc=microsoft, dc=com.
If the domain microsoft.com was the root of the only domain tree in your forest, and you created an application directory partition with the DNS name of example1 and the
distinguished name of dc=example1, this application directory partition is not in the same tree as the microsoft.com domain. This application directory partition would be
the root of a new tree in the forest.
Domain directory partitions cannot be children of an application directory partition. For example, if you created an application directory partition with the DNS name of
example1.microsoft.com, you could not create a domain with the DNS name of domain.example1.microsoft.com.
Objects stored in an application directory partition are never replicated to the global catalog as read-only replicas. Any domain controller running Windows
Server 2003 can hold a replica, including global catalogs.
Additionally, if an application requests data through the global catalog port, that query will not return any objects from an application directory partition, even if the
computer hosting the application directory partition is also hosting the global catalog. This is done so that LDAP queries to different global catalogs will not return
inconsistent results because the application directory partition is replicated to only one of the global catalogs.
The default security descriptor reference domain defines what domain name to use when an object in the application directory partition needs to define a domain value for
the default security descriptor. The default security descriptor reference domain is assigned at the time of creation.
If the application directory partition is a child of a domain directory partition, by default, the parent domain directory partition becomes the security descriptor reference
domain. If the application directory partition is a child object of another application directory partition, the security descriptor reference domain of the parent application
directory partition becomes the reference domain of the new, child, application directory partition. If the new application directory partition is created as the root of a new
tree, then the forest root domain is used as the default security descriptor reference domain.
You can manually specify a security reference domain using Ntdsutil. However, if you plan to change the default security descriptor reference domain of a particular
application directory partition, you should do so before creating the first instance of that partition. To do this, you must prepare the cross-reference object and change the
default security reference domain before completing the application directory partition creation process. For information about precreating the cross-reference object, see
Prepare a cross-reference object. For information about changing the default security reference domain, see Set an application directory partition reference domain.
2014 Microsoft. All rights reserved.
Remove the application directory partition using the tool provided or use Ntdsutil
Refer to the application's documentation for information about removing application directory partitions that were created and used by that application.
Caution
If possible, use the application's tool for managing its application directory partitions. The application may keep other data in addition to Active Directory managed
data for the application directory partitions. By using Ntdsutil, the two sets of data could cause a conflict.
If you cannot identify the application that created the application directory partition, or if your application does not provide a means to delete application directory
partitions that it created, you can use the Ntdsutil command-line tool. To do this, see Create or delete an application directory partition.
For information about demoting a domain controller, see Demote a domain controller. For general information about application directory partitions, see Application
directory partitions.
2014 Microsoft. All rights reserved.
For information about creating and managing application directory partitions with ADSI, see Active Directory Service Interfaces (ADSI) at the Microsoft Web site. For
information about LDP, see Administration tools for the Active Directory schema.
For information about the Ntdsutil command-line tool, see Ntdsutil.
The following provides information about using Ntdsutil to create and manage application directory partitions.
Normally only members of the Enterprise Admins group can create an application directory partition. However, it is possible for a member of the Enterprise Admins group
to prepare a cross-reference object for the application directory partition and to delegate the rest of the process to someone with more limited permissions.
The cross-reference object for an application directory partition holds several valuable pieces of information, including the domain controllers that are to have a replica of
this partition and the security descriptor reference domain. The partition root node is the Active Directory object at the root of the partition
The Enterprise Admin can create the cross-reference object then delegate to a person or group with less permissions the right to create the application directory partition
root node. Both creation of the cross-reference object and the application directory partition root node can be accomplished using Ntdsutil.
After using Ntdsutil to create the cross-reference object, the enterprise administrator must modify the cross-reference object's access control list to allow the delegated
administrator to modify this cross-reference. This will allow the delegated administrator to create the application directory partition and modify the list of domain
controllers that holds replicas of this application directory partition. The delegated administrator must use the names of the application directory partition and the domain
controller name that were specified during the precreation process. For more information, see Prepare a cross-reference object.
For more information about application directory partitions, see Application directory partitions.
2014 Microsoft. All rights reserved.
The operations master roles are sometimes called flexible single master operations (FSMO) roles.
Schema master
Domain naming master
These roles must be unique in the forest. This means that throughout the entire forest there can be only one schema master and one domain naming master.
Schema master
The schema master domain controller controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema
master. There can be only one schema master in the entire forest.
Any domain controller running Windows Server 2003 can hold the role of the domain naming master. A domain controller running Windows 2000 Server that holds
the role of domain naming master must also be enabled as a global catalog server.
These roles must be unique in each domain. This means that each domain in the forest can have only one RID master, PDC emulator master, and infrastructure master.
RID master
The RID master allocates sequences of relative IDs (RIDs) to each of the various domain controllers in its domain. At any time, there can be only one domain controller
acting as the RID master in each domain in the forest.
Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID (SID). The SID consists of a domain SID, which is the
same for all SIDs created in the domain, and a RID, which is unique for each SID created in the domain.
To move an object between domains (using Movetree.exe), you must initiate the move on the domain controller acting as the RID master of the domain that currently
contains the object.
To provide consistent password experience for users across sites (can be turned off with AvoidPdcOnWan registry parameter) - The PDC emulator is used as a
reference DC to double-check incorrect passwords and it also receives new password changes. When the PDC is reachable, users can use a new password
immediately and consistently across the environment. For more information about AvoidPdcOnWan see, New Password Change and Conflict Resolution Functionality
in Windows (http://go.microsoft.com/fwlink/?LinkId=202451)
As a preferred point of administration for services (examples are Group Policy and Distributed File System, DFS) - For more information about DFS see, DFS
Management (http://go.microsoft.com/fwlink/?LinkId=202456). For more information about DCs and Group Policy see, Specifying a Domain Controller for Editing
Group Policy (http://go.microsoft.com/fwlink/?LinkId=202457).
As a point of contact for applications hard-coded to the PDC (often written for Windows NT 4.0 and older domains) - The legacy API often used for this is
NetGetDcName. It is strongly suggested to change applications to use the new API to locate DCs. DsGetDcName by default does not target the PDC, and has more
options that allows you to pick the type of DC needed to perform the operation. For more information about locating DCs from applications see, DSGetDcName
Function (http://go.microsoft.com/fwlink/?LinkId=202455).
As a default time server for all other DCs in the domain - The time server configuration of a PDC requires manual consideration and should be reviewed when you
change the owner of the PDC role.
The domain controller configured with the PDC emulator role supports two authentication protocols:
Note
For instructions on how to configure the PDC emulator to synchronize with an external time source, see Synchronize the Time Server for the Domain Controller with an
External Source (http://go.microsoft.com/fwlink/?LinkId=122513).
Infrastructure master
At any time, there can be only one domain controller acting as the infrastructure master in each domain. The infrastructure master is responsible for updating references
from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates
for objects in all domains through replication, so the global catalog data will always be up to date. If the infrastructure master finds data that is out of date, it requests the
updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.
Important
Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global
catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will
never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
In the case where all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does
not matter which domain controller holds the infrastructure master role.
The infrastructure master is also responsible for updating the group-to-user references whenever the members of groups are renamed or changed. When you rename or
move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The
infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. This prevents the loss of group
memberships associated with a user account when the user account is renamed or moved. The infrastructure master distributes the update via multimaster replication.
There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group
membership would notice the temporary inconsistency.
For information about transferring operations master roles, see Transferring operations master roles. For information about what to do when an operations master fails,
see Responding to operations master failures.
Role
Console in MMC
Schema master
RID master
Infrastructure master
For general information about operations master roles, see Operations master roles.
Note
The operations master roles are sometimes called flexible single master operations (FSMO) roles.
The operations master roles are sometimes called flexible single master operations (FSMO) roles.
Before forcing the transfer, first determine the cause and expected duration of the computer or network failure. If the cause is a networking problem or a server failure that
will be resolved soon, wait for the role holder to become available again. If the domain controller that currently holds the role has failed, you must determine if it can be
recovered and brought back online.
In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again. The decision
depends upon the role and how long the particular role holder will be unavailable. The impact of various role holder failures is discussed in the following topics.
A domain controller whose schema master role has been seized must never be brought back online.
For procedures on how to seize the schema master role, see Seize the schema master role.
A domain controller whose domain naming master role has been seized must never be brought back online.
For procedures on how to seize the domain naming master role, see Seize the domain naming master role.
A domain controller whose RID master role has been seized must never be brought back online.
For procedures on how to seize the RID master role, see Seize the RID master role.
When this is done for folder redirection or logon script activities, it may also affect users when logging on and while they work.
Other than the conditions described above, there is no direct dependency of the domain members on the PDC role holder. However, you might be using applications that
are coded to contact the PDC only. You should try to avoid having this single point of failure.
Often, these applications were written for Windows NT 3.x and 4.0 deployments where the PDC was the only writable DC. However, since Active Directory, all DCs except
Read-Only DCs are writable. The DsGetDcName API allows you to pick the right type; similar options are available in AD API interfaces like ADSI (ADS_READONLY_SERVER)
or the .NET runtime.
The loss of the primary domain controller (PDC) emulator master may affect network users. Therefore, when the PDC emulator master is not available, you may need to
immediately seize the role.
For procedures on how to seize the PDC emulator role, see Seize the PDC emulator role.
Understanding Groups
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Understanding groups
This section covers:
Groups
Group scope
Group types
Default groups
Nesting groups
Special identities
Where groups can be created
Groups
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Groups
A group is a collection of user and computer accounts, contacts and other groups that can be managed as a single unit. Users and computers that belong to a particular
group are referred to as group members.
Using groups can simplify administration by assigning a common set of permissions and rights to many accounts at once, rather than assigning permissions and rights to
each account individually. For an overview of permissions and rights, see Access control overview.
Groups can be either directory-based or local to a particular computer. Groups in Active Directory are directory objects that reside within a domain and organizational unit
container objects. Active Directory provides a set of default groups upon installation, and also allows the option to create groups. For more information, see Default
groups.
Local groups, which exist on local computers and not in Active Directory, are discussed in Default local groups.
Groups in Active Directory allow you to:
Simplify administration by assigning permissions on a shared resource to a group, rather than to individual users. This assigns the same access on the resource to
all members of that group.
Delegate administration by assigning user rights once to a group through Group Policy, and then adding necessary members to the group that you want to have
the same rights as the group.
Create e-mail distribution lists. For more information, see Group types.
Groups are characterized by their scope and their type. The scope of a group determines the extent to which the group is applied within a domain or forest. For
information about group scope, see Group scope. The group type determines whether a group can be used to assign permissions from a shared resource (for security
groups) or if a group can be used for e-mail distribution lists only (for distribution groups). For information about security groups and distribution groups, see Group
types.
There are also groups for which you cannot modify or view the memberships. These groups are referred to as special identities and are used to represent different users
at different times, depending on the circumstances. For example, the Everyone group represents all current network users, including guests and users from other domains.
For more information, see Special identities.
2014 Microsoft. All rights reserved.
Group scope
Updated: March 16, 2007
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Group scope
Any group, whether it is a security group or a distribution group, is characterized by a scope that identifies the extent to which the group is applied in the domain tree or
forest. The boundary, or reach, of a group scope is also determined by the domain functional level setting of the domain in which it resides. There are three group scopes:
universal, global, and domain local.
The following table describes the differences between the scopes of each group.
Group
scope
Universal
Domain local
Global (as long as no other
universal groups exist as
members)
Global
Domain
local
Note
The information in this table implies that the domain functional level is set to either Windows 2000 native or Windows Server 2003. When the domain functional level is
set to Windows 2000 mixed or Windows Server 2003 interim, security groups with universal scope cannot be created, although distribution groups with universal scope
are still permitted.
Note
When the domain functional level is set to Windows 2000 mixed, members of global groups can include only accounts from the same domain.
Global to universal. This conversion is allowed only if the group that you want to change is not a member of another global scope group.
Domain local to universal. This conversion is allowed only if the group that you want to change does not have another domain local group as a member.
Universal to global. This conversion is allowed only if the group that you want to change does not have another universal group as a member.
Universal to domain local. There are no restrictions for this operation.
Group types
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Group types
Groups are used to collect user accounts, computer accounts, and other group accounts into manageable units. Working with groups instead of with individual users helps
simplify network maintenance and administration.
There are two types of groups in Active Directory: distribution groups and security groups. You can use distribution groups to create e-mail distribution lists and security
groups to assign permissions to shared resources.
Distributions groups
Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to collections of users. Distribution groups are not security-enabled, which
means that they cannot be listed in discretionary access control lists (DACLs). If you need a group for controlling access to shared resources, create a security group.
Security groups
Used with care, security groups provide an efficient way to assign access to resources on your network. Using security groups, you can:
Like distribution groups, security groups can also be used as an e-mail entity. Sending an e-mail message to the group sends the message to all the members of the
group.
Although a contact can be added to a security group as well as to a distribution group, contacts cannot be assigned rights and permissions. Contacts in a group
can be sent e-mail.
Default groups
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Default groups
Default groups, such as the Domain Admins group, are security groups that are created automatically when you create an Active Directory domain. You can use these
predefined groups to help control access to shared resources and delegate specific domain-wide administrative roles. For information about default groups stored on
local computers, see Default local groups.
Many default groups are automatically assigned a set of user rights that authorize members of the group to perform specific actions in a domain, such as logging on to a
local system or backing up files and folders. For example, a member of the Backup Operators group has the right to perform backup operations for all domain controllers
in the domain.
When you add a user to a group, the user receives all the user rights assigned to the group and all the permissions assigned to the group on any shared resources. For
more information about user rights and permissions, see Group types.
You can manage groups by using the Active Directory Users and Computers snap-in in Microsoft Management Console (MMC). Default groups are located in the Builtin
container and the Users container.
The Builtin container default groups contain groups that are defined with domain local scope. You can move groups in and out of this container, but you cannot move the
default groups in this container to another location or to another domain.
The Users container default groups contain groups that are defined with global scope and groups that are defined with domain local scope. You can add the groups in
this container to other groups and you can move the default groups in this container to other organizational units (OUs) or containers, but you cannot move the group to
another domain.
As a security best practice, it is recommended that members of default groups with broad administrative access use the Run as command to perform administrative tasks.
For more information, see Using Run as. For information about security best practices, see Active Directory Best practices. For information about additional security
measures that can be used to protect Active Directory, see Securing Active Directory.
Note
To learn what group you need to be a member of to perform a particular procedure, many procedural topics under How To in Help and Support Center provide a
note that identifies this information.
Group
Description
Account
Operators
Members of this group can create, modify, and delete accounts for
users, groups, and computers located in the Users or Computers
containers and organizational units in the domain, except the Domain
Controllers organizational unit. Members of this group do not have
permission to modify the Administrators or the Domain Admins groups,
nor do they have permission to modify the accounts for members of
those groups. Members of this group can log on locally to domain
controllers in the domain and shut them down. Because this group has
significant power in the domain, add users with caution.
Administrators
Members of this group have full control of all domain controllers in the
domain. By default, the Domain Admins and Enterprise Admins groups
are members of the Administrators group. The Administrator account is
also a default member. Because this group has full control in the
domain, add users with caution.
Access this computer from the network; Adjust memory quotas for a
process; Back up files and directories; Bypass traverse checking; Change the
system time; Create a pagefile; Debug programs; Enable computer and
user accounts to be trusted for delegation; Force a shutdown from a
remote system; Increase scheduling priority; Load and unload device
drivers; Allow log on locally; Manage auditing and security log; Modify
firmware environment values; Profile single process; Profile system
performance; Remove computer from docking station; Restore files and
directories; Shut down the system; Take ownership of files or other objects.
Backup
Operators
Members of this group can back up and restore all files on domain
controllers in the domain, regardless of their own individual
permissions on those files. Backup Operators can also log on to
domain controllers and shut them down. This group has no default
members. Because this group has significant power on domain
controllers, add users with caution.
Back up files and directories; Allow log on locally; Restore files and
directories; Shut down the system.
Guests
Incoming
Forest Trust
Builders (only
appears in the
forest root
domain)
the forest root domain. For example, members of this group residing in
Forest A can create a one-way, incoming forest trust from Forest B. This
one-way, incoming forest trust allows users in Forest A to access
resources located in Forest B. Members of this group are granted the
permission Create Inbound Forest Trust on the forest root domain. This
group has no default members. For more information about creating
forest trusts, see Create a forest trust.
Network
Configuration
Operators
Members of this group can make changes to TCP/IP settings and renew
and release TCP/IP addresses on domain controllers in the domain.
This group has no default members.
Performance
Monitor Users
Performance
Log Users
PreWindows 2000
Compatible
Access
Members of this group have read access on all users and groups in the
domain. This group is provided for backward compatibility for
computers running Windows NT 4.0 and earlier. By default, the special
identity Everyone is a member of this group. For more information
about special identities, see Special identities. Add users to this group
only if they are running Windows NT 4.0 or earlier.
Print
Operators
Members of this group can manage, create, share, and delete printers
connected to domain controllers in the domain. They can also manage
Active Directory printer objects in the domain. Members of this group
can log on locally to domain controllers in the domain and shut them
down. This group has no default members. Because members of this
group can load and unload device drivers on all domain controllers in
the domain, add users with caution.
Remote
Desktop Users
Replicator
Server
Operators
Back up files and directories; Change the system time; Force shutdown from
a remote system; Allow log on locally; Restore files and directories; Shut
down the system.
Users
Group
Description
Cert Publishers
DnsAdmins
(installed with
DNS)
DnsUpdateProxy
(installed with
DNS)
Domain Admins
Access this computer from the network; Adjust memory quotas for a process; Back up
files and directories; Bypass traverse checking; Change the system time; Create a
pagefile; Debug programs; Enable computer and user accounts to be trusted for
delegation; Force a shutdown from a remote system; Increase scheduling priority; Load
and unload device drivers; Allow log on locally; Manage auditing and security log;
Modify firmware environment values; Profile single process; Profile system
performance; Remove computer from docking station; Restore files and directories;
Shut down the system; Take ownership of files or other objects.
Domain
Computers
Domain
Controllers
Domain Guests
Domain Users
Enterprise
Admins (only
appears in the
forest root
domain)
Access this computer from the network; Adjust memory quotas for a process; Back up
files and directories; Bypass traverse checking; Change the system time; Create a
pagefile; Debug programs; Enable computer and user accounts to be trusted for
delegation; Force shutdown from a remote system; Increase scheduling priority; Load
and unload device drivers; Allow log on locally; Manage auditing and security log;
Modify firmware environment values; Profile single process; Profile system
performance; Remove computer from docking station; Restore files and directories;
Shut down the system; Take ownership of files or other objects.
Group Policy
Creator Owners
IIS_WPG
(installed with
IIS)
Schema Admins
(only appears in
the forest root
domain)
See Also
Concepts
Using Run as
Create a shortcut using the runas command
Why you should not run your computer as an administrator
Other Resources
Run a program with administrative credentials
2014 Microsoft. All rights reserved.
Nesting groups
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Nesting groups
Using nesting, you can add a group as a member of another group. You nest groups to consolidate member accounts and reduce replication traffic.
Nesting options depend on whether the domain functionality of your Windows Server 2003 domain is set to Windows 2000 native or Windows 2000 mixed.
By default, when you nest a group within another group, user rights are inherited. For example, if you make Group_1 a member of Group_2, users in Group_1 have the
same permissions as the users in Group_2.
Groups in domains set to the Windows 2000 native functional level or distribution groups in domains set to the Windows 2000 mixed functional level can have the following
members:
Groups with universal scope can have the following members: accounts, computer accounts, other groups with universal scope, and groups with global scope from
any domain.
Groups with global scope can have the following members: accounts from the same domain and other groups with global scope from the same domain.
Groups with domain local scope can have the following members: accounts, groups with universal scope, and groups with global scope, all from any domain. This
group can also have as members other groups with domain local scope from within the same domain.
Security groups in domains set to the Windows 2000 mixed functional level are restricted to the following types of membership:
Groups with global scope can have as their members only accounts.
Groups with domain local scope can have as their members other groups with global scope and accounts.
Security groups with universal scope cannot be created in domains with the domain functional level set to Windows 2000 mixed because universal scope is supported only
in domains where the domain functional level is set to Windows 2000 native or Windows Server 2003.
Note
You cannot add the default groups that are located in the Builtin container as members to other groups. However, you can add other groups as members to the default
groups that are located in the Builtin container.
For more information about domain functionality, see Domain and forest functionality.
2014 Microsoft. All rights reserved.
Special identities
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Special identities
In addition to the groups in the Users and Builtin containers, servers running Windows Server 2003 include several special identities. For convenience, these identities are
generally referred to as groups. These special groups do not have specific memberships that can be modified, but they can represent different users at different times,
depending on the circumstances. The special groups are:
Anonymous Logon
Represents users and services that access a computer and its resources through the network without using an account name, password, or domain name. On
computers running Windows NT and earlier, the Anonymous Logon group is a default member of the Everyone group. On computers running a member of the
Windows Server 2003 family, the Anonymous Logon group is not a member of the Everyone group by default.
Everyone
Represents all current network users, including guests and users from other domains. Whenever a user logs on to the network, the user is automatically added to
the Everyone group.
Network
Represents users currently accessing a given resource over the network (as opposed to users who access a resource by logging on locally at the computer where
the resource is located). Whenever a user accesses a given resource over the network, the user is automatically added to the Network group.
Interactive
Represents all users currently logged on to a particular computer and accessing a given resource located on that computer (as opposed to users who access the
resource over the network). Whenever a user accesses a given resource on the computer to which they are currently logged on, the user is automatically added to
the Interactive group.
Although the special identities can be assigned rights and permissions to resources, the memberships cannot be modified or viewed. Group scopes do not apply to
special identities. Users are automatically assigned to these special identities whenever they log on or access a particular resource.
For general information about groups, see Groups.
2014 Microsoft. All rights reserved.
Groups can be moved within a domain. However, only groups with universal scope can be moved from one domain to another. The rights and permissions
assigned to a group with universal scope are lost when the group is moved to another domain and new assignments must be made.
For information about the tools used to move groups between domains, see Using the Windows Deployment and Resource Kits.
2014 Microsoft. All rights reserved.
Understanding Trusts
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Understanding trusts
This section covers:
Trusts
Trust types
Trust direction
Trust transitivity
When to create an external trust
When to create a shortcut trust
When to create a realm trust
When to create a forest trust
Forest trusts
Accessing resources across domains
Accessing resources across forests
Routing name suffixes across forests
Trusts
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Trusts
A trust is a relationship established between domains that enables users in one domain to be authenticated by a domain controller in the other domain. Trust relationships
in Windows NT are different than in Windows 2000 and Windows Server 2003 operating systems.
Trusts in Windows NT
In Windows NT 4.0 and earlier, trusts are limited to two domains and the trust relationship is one-way and nontransitive. In the following figure, the nontransitive, one-way
trust is shown by the straight arrow pointing to the trusted domain.
Trusts in Windows Server 2003 and Windows 2000 Server operating systems
All trusts in a Windows 2000 and Windows Server 2003 forest are transitive, two-way trusts. Therefore, both domains in a trust relationship are trusted. As shown in the
following figure, this means that if Domain A trusts Domain B and Domain B trusts Domain C, then users from Domain C can access resources in Domain A (when assigned
the proper permissions). Only members of the Domain Admins group can manage trust relationships.
Trust protocols
A domain controller running Windows Server 2003 authenticates users and applications using one of two protocols: Kerberos V5 or NTLM. The Kerberos V5 protocol is
the default protocol for computers running Windows 2000, Windows XP Professional, or Windows Server 2003. If any computer involved in a transaction does not support
Kerberos V5, the NTLM protocol will be used.
With the Kerberos V5 protocol, the client requests a ticket from a domain controller in its account domain to the server in the trusting domain. This ticket is issued by an
intermediary trusted by the client and the server. The client presents this trusted ticket to the server in the trusting domain for authentication. For more information, see
Kerberos V5 authentication.
When a client tries to access resources on a server in another domain using NTLM authentication, the server containing the resource must contact a domain controller in
the client account domain to verify the account credentials.
Trust types
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Trust types
Communication between domains occurs through trusts. Trusts are authentication pipelines that must be present in order for users in one domain to access resources in
another domain. Two default trusts are created when using the Active Directory Installation Wizard. There are four other types of trusts that can be created using the New
Trust Wizard or the Netdom command-line tool.
Default trusts
By default, two-way, transitive trusts are automatically created when a new domain is added to a domain tree or forest root domain using the Active Directory Installation
Wizard. The two default trust types are defined in the following table.
Trust
type
Transitivity
Direction
Description
Parent
and
child
Transitive
Two-way
By default, when a new child domain is added to an existing domain tree, a new parent and child trust is established. Authentication
requests made from subordinate domains flow upward through their parent to the trusting domain. For information about creating
a new child domain, see Create a new child domain.
Treeroot
Transitive
Two-way
By default, when a new domain tree is created in an existing forest, a new tree-root trust is established. For information about
creating a new domain tree, see Create a new domain tree.
Other trusts
Four other types of trusts can be created using the New Trust Wizard or the Netdom command-line tool: external, realm, forest, and shortcut trusts. These trusts are
defined in the following table.
Trust
type
Transitivity
Direction
Description
External
Nontransitive
One-way
or twoway
Use external trusts to provide access to resources located on a Windows NT 4.0 domain or a domain located in a separate
forest that is not joined by a forest trust. For more information, see When to create an external trust.
Realm
Transitive or
nontransitive
One-way
or twoway
Use realm trusts to form a trust relationship between a non-Windows Kerberos realm and a Windows Server 2003 domain. For
more information, see When to create a realm trust.
Forest
Transitive
One-way
or twoway
Use forest trusts to share resources between forests. If a forest trust is a two-way trust, authentication requests made in either
forest can reach the other forest. For more information, see When to create a forest trust.
Shortcut
Transitive
One-way
or twoway
Use shortcut trusts to improve user logon times between two domains within a Windows Server 2003 forest. This is useful when
two domains are separated by two domain trees. For more information, see When to create a shortcut trust.
When creating external, shortcut, realm, or forest trusts, you have the option to create each side of the trust separately or both sides of a trust simultaneously.
If you choose to create each side of the trust separately, then you will need to run the New Trust Wizard twice--once for each domain. When creating trusts using the
method, you will need to supply the same trust password for each domain. As a security best practice, all trust passwords should be strong passwords. For more
information, see Strong passwords.
If you choose to create both sides of the trust simultaneously, you will need to run the New Trust Wizard once. When you choose this option, a strong trust password is
automatically generated for you.
You will need the appropriate administrative credentials for each domain between which you will be creating a trust.
Netdom.exe can also be used to create trusts. For more information about Netdom, see Active Directory support tools.
For more information about trusts, see Trust transitivity and Trust direction.
2014 Microsoft. All rights reserved.
Trust direction
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Trust direction
The trust type and its assigned direction will impact the trust path used for authentication. A trust path is a series of trust relationships that authentication requests must
follow between domains. Before a user can access a resource in another domain, the security system on domain controllers running Windows Server 2003 must determine
whether the trusting domain (the domain containing the resource the user is trying to access) has a trust relationship with the trusted domain (the user's logon domain). To
determine this, the security system computes the trust path between a domain controller in the trusting domain and a domain controller in the trusted domain. In the
following figure, trust paths are indicated by arrows showing the direction of the trust (this is a one-way trust):
All domain trust relationships have only two domains in the relationship: the trusting domain and the trusted domain.
One-way trust
A one-way trust is a unidirectional authentication path created between two domains. This means that in a one-way trust between Domain A and Domain B, users in
Domain A (trusted domain) can access resources in Domain B (trusting domain). However, users in Domain B cannot access resources in Domain A. Some one-way trusts
can be a nontransitive trust or a transitive trust depending on the type of trust being created. For more information about trust types, see Trust types.
Two-way trust
All domain trusts in a Windows Server 2003 forest are two-way, transitive trusts. When a new child domain is created, a two-way, transitive trust is automatically created
between the new child domain and the parent domain. In a two-way trust, both domains that are involved in a trust relationship trust each other. This means that
authentication requests can be passed between the two domains in both directions. Some two-way relationships can be nontransitive or transitive depending on the type
of trust being created. For more information, see Trust types.
A Windows Server 2003 domain can establish a one-way or two-way trust with:
Trust transitivity
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Trust transitivity
Transitivity determines whether a trust can be extended outside of the two domains with which it was formed. A transitive trust can be used to extend trust relationships
with other domains and a nontransitive trust can be used to deny trust relationships with other domains.
Transitive trusts
Each time you create a new domain in a forest, a two-way, transitive trust relationship is automatically created between the new domain and its parent domain. If child
domains are added to the new domain, the trust path flows upward through the domain hierarchy extending the initial trust path created between the new domain and its
parent domain.
Transitive trust relationships flow upward through a domain tree as it is formed, creating transitive trusts between all domains in the domain tree.
Authentication requests follow these trust paths, so accounts from any domain in the forest can be authenticated at any other domain in the forest. With a single logon
process, accounts with the proper permissions can access resources in any domain in the forest. For more information, see Authentication protocols overview.
The diagram displays that all domains in the Domain A tree and all domains in the Domain 1 tree have transitive trust relationships by default. As a result, users in the
Domain A tree can access resources in domains in the Domain 1 tree and users in the Domain 1 tree can access resources in the Domain A tree, when the proper
permissions are assigned at the resource.
In addition to the default transitive trusts established in a Windows Server 2003 forest, using the New Trust Wizard, you can manually create the following transitive trusts.
Shortcut trust. A transitive trust between a domain in the same domain tree or forest used to shorten the trust path in a large and complex domain tree or forest.
Forest trust. A transitive trust between a forest root domain and a second forest root domain.
Realm trust. A transitive trust between an Active Directory domain and an Kerberos V5 realm. For more information about Kerberos V5 realms, see Kerberos V5
authentication.
Nontransitive trust
A nontransitive trust is restricted by the two domains in the trust relationship and does not flow to any other domains in the forest. A nontransitive trust can be a two-way
trust or a one-way trust.
Nontransitive trusts are one-way by default, although you can also create a two-way relationship by creating two one-way trusts. In summary, nontransitive domain trusts
are the only form of trust relationship possible between:
Using the New Trust Wizard, you manually create the following nontransitive trusts:
External trust. A nontransitive trust created between a Windows Server 2003 domain and a Windows NT domain or a Windows 2000 domain or Windows
Server 2003 domain in another forest.
When you upgrade a Windows NT domain to a Windows Server 2003 domain, all existing Windows NT trusts are preserved intact. All trust relationships between
Windows Server 2003 domains and Windows NT domains are nontransitive.
Realm trust. A nontransitive trust between an Active Directory domain and an Kerberos V5 realm. For more information about Kerberos V5 realms, see Kerberos
V5 authentication.
When a trust is established between a domain in a particular forest and a domain outside of that forest, security principals from the external domain can access resources
in the internal domain. Active Directory creates a foreign security principal object in the internal domain to represent each security principal from the trusted external
domain. These foreign security principals can become members of domain local groups in the internal domain. Domain local groups can have members from domains
outside of the forest.
Directory objects for foreign security principals are created by Active Directory and should not be manually modified. You can view foreign security principal objects from
Active Directory Users and Computers by enabling advanced features. For information about enabling advanced features, see To view advanced features.
In domains with the functional level set to Windows 2000 mixed, it is recommended that you delete external trusts from a domain controller running Windows Server 2003.
External trusts to Windows NT 4.0 or 3.51 domains can be deleted by authorized administrators on the domain controllers running Windows NT 4.0 or 3.51. However, only
the trusted side of the relationship can be deleted on the domain controllers running Windows NT 4.0 or 3.51. The trusting side of the relationship (created in the
Windows Server 2003 domain) is not deleted, and although it will not be operational, the trust will continue to display in Active Directory Domains and Trusts. To remove
the trust completely, you will need to delete the trust from a domain controller running Windows Server 2003 in the trusting domain. If an external trust is inadvertently
deleted from a domain controller running Windows NT 4.0 or 3.51, you will need to recreate the trust from any domain controller running Windows Server 2003 in the
trusting domain.
For more information about how to create an external trust, see Create an external trust.
domain administrator credentials in the trusted domain is a threat to the entire trusting forest.
SID filtering neutralizes the threat of malicious users in the trusted domain from using the SID history attribute to gain elevated privileges.
SID history data that contains SIDs from any domain other than the trusted domain will be removed from authentication requests made from the trusted domain.
This will result in access being denied to resources that have the user's old SID.
Universal group access control strategy between forests will require changes.
When SID filter quarantining is enabled, users who use SID history data for authorization to resources in the trusting domain no longer have access to those resources.
If you typically assign universal groups from a trusted forest to access control lists (ACLs) on shared resources in the trusting domain, SID filter quarantining will have a
major impact on your access control strategy.
Because universal groups must adhere to the same SID filter quarantining guidelines as other security principal objects (that is, the universal group object SID must also
contain the domain SID), you should verify that any universal groups that are assigned to shared resources in the trusting domain were created in the trusted domain.
If the universal group in the trusted forest was not created in the trusted domain, even though it may contain users from the trusted domain as members, authentication
requests made from members of that universal group will be filtered and discarded.
Therefore, before assigning access to resources in the trusting domain for users in the trusted domain, you should confirm that the universal group containing the trusted
domain users was created in the trusted domain.
You have the same level of trust for all administrators who have physical access to domain controllers in the trusted domain as the administrators in the trusting
domain.
You have a strict requirement to assign universal groups to resources in the trusting domain that were not created in the trusted domain.
Users have been migrated to the trusted domain with their SID histories preserved, and you want to grant them access to resources in the trusting domain based on
the SID history attribute.
Only domain administrators can disable SID filtering. To disable SID filter quarantining for the trusting domain, type the following syntax at a command-prompt:
Netdom trust TrustingDomainName /domain: TrustedDomainName /quarantine:No /userD:domainadministratorAcct/passwordD:domainadminpwd
To enable SID filter quarantining, set the /quarantine: command-line option to Yes. For more information about Netdom.exe, see Active Directory support tools.
You can enable or disable SID filter quarantining only from the trusting side of the trust. If the trust is a two-way trust, you can also disable SID filter quarantining in the
trusted domain by using the domain administrator's credentials for the trusted domain and reversing the TrustingDomainName and TrustedDomainName values in the
command-line syntax.
Notes
To further secure your forest, you should consider enabling SID filter quarantining on all existing external trusts that were created by domain controllers running
Windows 2000 Service Pack 3 (or earlier). You can do this by using Netdom.exe to enable SID filtering on existing external trusts, or by recreating these external
trusts from a domain controller running Windows Server 2003 or Windows 2000 Service Pack 4 (or later).
You cannot turn off the default behavior that enables SID filter quarantining for newly created external trusts.
External trusts created from domain controllers running Windows 2000 Service Pack 3 (or earlier) do not enforce SID filter quarantining by default.
Domain controllers running Windows NT Server 4.0 do not take part in the trust creation process when existing domain controllers in the same domain are running
Windows 2000 or Windows Server 2003.
You can enable or disable SID filter quarantining only for trusts that extend beyond forest boundaries such as external and forest trusts. For more information about
SID filtering and forest trusts, see Forest trusts.
Shortcut trusts effectively shorten the path traveled for authentication's made between domains located in two separate trees.
For more information about how to create a shortcut trust, see Create a shortcut trust.
Forest trusts
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Forest trusts
In a Windows Server 2003 forest, you can link two disjoined Windows Server 2003 forests together to form a one-way or two-way, transitive trust relationships. A two-way,
forest trust is used to form a transitive trust relationship between every domain in both forests.
Forest trusts can provide the following benefits:
Simplified management of resources across two Windows Server 2003 forests by reducing the number of external trusts necessary to share resources.
Complete two-way trust relationships with every domain in each forest.
Use of user principal name (UPN) authentication across two forests.
Use of both the Kerberos V5 and NTLM authentication protocols to improve the trustworthiness of authorization data transferred between forests.
Flexibility of administration. Administrative tasks can be unique to each forest.
Forest trusts can only be created between two forests and cannot be implicitly extended to a third forest. This means that if a forest trust is created between forest 1 and
forest 2, and a forest trust is also created between forest 2 and forest 3, forest 1 will not have an implicit trust with forest 3. For more information about the requirements
needed for a forest trust, see When to create a forest trust.
Notes
In a Windows 2000 forest, if users in one forest need to access resources in another forest, an administrator can create an external trust relationship between the
two domains. External trusts can be one-way or two-way and are nontransitive, and therefore, limit the ability for trust paths to extend to other domains. For more
information about external trusts, see Trust types.
All trusts in Windows Server 2003 Active Directory use security identifier (SID) filtering to some degree. External trusts are quarantined by default, which prevents any
domain SIDs other than those of the quarantined trusted domain from traversing the trust relationship. SID filtering is used to prevent attacks from malicious users
who might try to grant elevated user rights to another user account. SID filtering on forest trusts does not prevent migrations to domains within the same forest
from using SID history and will not affect your universal group access control strategy. For more information about SID filtering, see When to create an external
trust.
To secure data within each forest. Sensitive data can be protected so that only users within that forest can access it.
To isolate directory replication within each forest. Schema changes, configuration changes, and the addition of new domains to a forest only have forest-wide
impact within that forest, not on a trusting forest.
Enterprise Admins
Domain Admins (in the forest root domain)
Schema Admins
Since membership in any of these groups can affect forest-wide behavior, add users with caution. As a security best practice, avoid adding users from another forest to
any of these forest-wide administrative groups. For more information about these groups, see Default groups.
GALs (Exchange)
Public folders
Directory objects
Synchronizing this data across forests will help end users view address lists and other data the same way as they do when viewing this information within their own forest.
For more information about MMS, see Microsoft Metadirectory Services.
2014 Microsoft. All rights reserved.
1. User1 logs on to Workstation1 using credentials from the child1.microsoft.com domain. As part of this process, the authenticating domain controller issues User1 a
ticket-granting ticket (TGT). This ticket is required to be authenticated to resources. The user then attempts to access a shared resource (\\fileserver1\share) on a file
server located in the child2 domain.
2. Workstation1 contacts the Key Distribution Center (KDC) on a domain controller in its domain (ChildDC1) and requests a service ticket for the FileServer1 service
principal name (SPN).
3. ChildDC1 does not find the SPN in its domain database and queries the global catalog to see if any domains in the forest contain this SPN. The global catalog sends
the requested information back to ChildDC1.
4. ChildDC1 sends the referral to Workstation1.
5. Workstation1 contacts a domain controller in ForestRootDC1 (its parent domain) for a referral to a domain controller (ChildDC2) in the Child2 domain.
ForestRootDC1 sends the referral to Workstation 1.
6. Workstation1 contacts the KDC on ChildDC2 and negotiates the ticket for the user to gain access to FileServer1.
7. Now that Workstation1 has a service ticket, it sends the service ticket to FileServer1, which reads the user's security credentials and constructs an access token
accordingly.
Each domain has its own set of security policies that do not cross from one domain to another. For more information, see Domains.
Security groups. User rights can be applied to groups in Active Directory while permissions can be assigned to security groups on member servers hosting a
Once you have gained a thorough understanding of security group concepts, determine the resource needs of each department and geographical division to assist you
with the planning effort.
Organize domain users based on administrative needs, such as their locations or departments, and then create a global group, and add the appropriate user
accounts as members.
For example, add all employee user accounts in the Sales department to the Sales Department global group, and add all employee user accounts in the Accounting
Department to the Accounting Department global group.
Create a domain local group, and add all global groups from the other domains that need the same access to a resource in your domain.
For example, employees in the Sales Department and Accounting Department global groups located in DomainA use similar print resources located in DomainB. To
make future administration changes more flexible, create a domain local group called Print Resources in DomainB, and add as members both the Sales Department
and Accounting Department global groups in DomainA.
Assign the required permissions on the shared resource to the domain local group.
For example, assign permissions to the Print Resources domain local group located in DomainB so that its members, including the Sales Department and Accounting
Department groups from DomainA, can access the printer located in DomainB.
When a workstation in one forest attempts to access data on the resource computer in another forest, Kerberos contacts the domain controller for a service ticket to the
SPN of the resource computer. Once the domain controller queries the global catalog and identifies that the SPN is not in the same forest as the domain controller, the
domain controller sends a referral for its parent domain back to the workstation. At that point, the workstation queries the parent domain for the service ticket and follows
the referral chain until it gets to the domain where the resource is located.
The following figure and corresponding steps provide a detailed description of the Kerberos authentication process that is used when computers running Windows 2000
Professional, Windows XP Professional, Windows 2000 Server, or a member of the Windows Server 2003 family attempt to access resources from a computer located in
another forest.
1. User1 logs on to Workstation1 using credentials from the child.microsoft.com domain. The user then attempts to access a shared resource on FileServer1 located in
the msn.com forest.
2. Workstation1 contacts the Key Distribution Center (KDC) on a domain controller in its domain (ChildDC1) and requests a service ticket for the FileServer1 SPN.
3. ChildDC1 does not find the SPN in its domain database and queries the global catalog to see if any domains in the microsoft.com forest contain this SPN. Since a
global catalog is limited to its own forest, the SPN is not found. The global catalog then checks its database for information about any forest trusts that are
established with its forest, and, if found, it compares the name suffixes listed in the forest trust trusted domain object (TDO) to the suffix of the target SPN to find a
match. Once a match is found, the global catalog provides a routing hint back to ChildDC1.
4. ChildDC1 sends a referral for its parent domain back to Workstation1.
5. Workstation1 contacts a domain controller in ForestRootDC1 (its parent domain) for a referral to a domain controller (ForestRootDC2) in the forest root domain of
the msn.com forest.
6. Workstation1 contacts ForestRootDC2 in the msn.com forest for a service ticket to the requested service.
7. ForestRootDC2 contacts its global catalog to find the SPN, and the global catalog finds a match for the SPN and sends it back to ForestRootDC2.
8. ForestRootDC2 then sends the referral to child.msn.com back to Workstation1.
9. Workstation1 contacts the KDC on ChildDC2 and negotiates the ticket for User1 to gain access to FileServer1.
10. Now that workstation1 has a service ticket, it sends the server service ticket to FileServer1, which reads User1's security credentials and constructs an access token
accordingly.
When a forest trust is first established, each forest collects all of the trusted namespaces in its partner forest and stores the information in a TDO. Trusted namespaces
include domain tree names, user principal name (UPN) suffixes, service principal name (SPN) suffixes, and security ID (SID) namespaces used in the other forest. TDO
objects are replicated to the global catalog. For more information about TDOs, see Trusts.
Routing hints
Routing hints are only used when all traditional authentication channels (local domain controller and then global catalog) have failed to produce a location of a SPN.
Routing hints help direct authentication requests toward the destination forest.
When an SPN cannot be located in the domain from where the network logon request originated or from the global catalog database, the global catalog checks the forest
trust TDO for trusted name suffixes located in the other forest that might match the suffix in the SPN. If a match is found, the forest root domain returns a routing hint back
to the original source computer so that it can continue the SPN location process in the other forest.
Notes
Routing hints can only reference trusted name suffixes that are listed in the TDO for its forest trust. They do not verify the name suffix before sending the hint back
to the original source computer.
Accessing NetBIOS names and Kerberos delegation across forest trusts is not supported. NTLM is fully supported and cannot be disabled.
Security groups. User rights can be applied to groups in Active Directory while permissions can be assigned to security groups on member servers hosting a
resource. For more information, see Group types.
Group nesting. The ability to nest security groups is dependent on groups scopes and domain functionality. For more information, see Nesting groups.
Group scope. Group scope helps determine the domain-wide and forest-wide access boundaries of security groups. For more information, see Group scope.
Domain functionality. The domain functional level of the trusting and trusted domains can affect group functionality such as group nesting. For more information,
see Domain and forest functionality.
Once you have gained a thorough understanding of security group concepts, determine the resource needs of each department and geographical division to assist you
with the planning effort.
To represent the sets of users who need access to the same types of resources, create role-based global groups in every domain and forest that contains these
users. For example, users in the Sales Department in ForestA require access to an order-entry application that is a resource in ForestB. Account Department users in
ForestA require access to the same application, but these users are in a different domain. In ForestA, create the global group SalesOrder and add users in the Sales
Department to the group. Create the global group AccountsOrder and add users in the Accounting Department to that group.
To group the users from one forest who require similar access to the same resources in a different forest, create universal groups that correspond to the global
group roles. For example, in ForestA, create a universal group called SalesAccountsOrders and add the global groups SalesOrder and AccountsOrder to the group.
Note
Universal groups are not available as security groups in Windows 2000 Server mixed-mode domains or in Windows Server 2003 domains that have a domain
functional level of Windows 2000 mixed. They are available as distribution groups.
To assign permissions to resources that are to be accessed by users from a different forest, create resource-based domain local groups in every domain and use
these groups to assign permissions on the resources in that domain. For example, in ForestB, create a domain local group called OrderEntryApp. Add this group to
the access control list (ACL) that allows access to the order entry application, and assign appropriate permissions.
To implement access to a resource across a forest, add universal groups from trusted forests to the domain local groups in the trusting forests. For example, add
the SalesAccountsOrders universal group from ForestA to the OrderEntryApp domain local group in ForestB.
When a new user account needs access to a resource in a different forest, add the account to the respective global group in the domain of the user. When a new resource
needs to be shared across forests, add the appropriate domain local group to the ACL for that resource. In this way, access is enabled across forests for resources on the
basis of group membership.
For more information, see Set permissions on a shared resource.
Active Directory Users and Computers in the second forest. Then, allow user or group access to the particular resources you want to share.
When a user authenticates across a trust with the Selective authentication option enabled, an Other Organization security ID (SID) is added to the user's authorization
data. The presence of this SID prompts a check on the resource domain to ensure that the user is allowed to authenticate to the particular service. Once the user is
authenticated, then the server to which he authenticates adds the This Organization SID if the Other Organization SID is not already present. Only one of these special SIDs
can be present in an authenticated user's context. For more detailed information about how selective authentication works, see Security Considerations for Trusts.
Administrators in each forest can add objects from one forest to access control lists (ACLs) on shared resources in the other forest. You can use the ACL editor to add or
remove objects residing in one forest to ACLs on resources in another forest. For more information about how to set permissions on resources, see Set permissions on a
shared resource.
For information about setting authentication restrictions for external domains, see Accessing resources across domains.
2014 Microsoft. All rights reserved.
Do not add the @ sign to the UPN suffix or a user name. When authentication requests are routed to a trusted forest, all characters before the first @ symbol are
interpreted as the user name and everything after the first @ symbol as the UPN suffix.
The Local Security Authority (LSA) will block routing to any UPN suffix that is not a valid DNS name. For example, adding an @ symbol to a UPN suffix will cause it to
automatically be disabled.
Collision detection
When two Windows Server 2003 forests are linked by a forest trust, there is a possibility that unique name suffixes existing in one forest might collide with unique name
suffixes located in the second forest. Collision detection guarantees that each name suffix will only be routed to a single forest.
Active Directory Domains and Trusts will detect a name suffix conflict when:
When a name suffix in a forest conflicts with a new forest trust partner or when a name suffix in an existing forest trust conflicts with a new forest trust partner, the name
will be disabled in the new trust. For example, a conflict will occur if one forest is named widgets.com and the second forest is named sales.widgets.com. Despite the name
suffix conflict, routing will still work for any other unique name suffixes in the second forest.
For another example, assume that the msn.com forest needs to establish a two-way, forest trust with the widgets.com forest. Both msn.com and widgets.com have identical
UPN suffixes of microsoft.com. During the creation of the two-way, forest trust, the New Trust Wizard will detect and display the conflict between the two UPN name
suffixes and then create the forest trust.
If Active Directory Domains and Trusts detects a name suffix conflict with a trust partner domain, access to that domain from outside the forest may be denied. However,
access to the conflicted domain from within its forest will function normally.
For example, if the domain widgets.com exists in both the msn.com and microsoft.com forests, users within the msn.com forest will be able to access resources in
widgets.com domain that resides in the msn.com forest. However, users in the msn.com forest will be denied access to resources in the widgets.com domain located in the
microsoft.com forest.
Conflicts will be listed in Active Directory Domains and Trusts, in the forest trust Properties dialog box, on the Name Suffix Routing tab. If a name suffix conflict is
detected during the creation of the forest trust, then the New Trust Wizard will prompt you to save a log file of the conflicts. You can also save a log file after a trust has
been created. For more information about how to save this log file, see Change the routing status of a name suffix.
If a NetBIOS or domain SID conflict exists, Active Directory Domains and Trusts identifies the name suffixes routing status as enabled or disabled with exceptions, as
appropriate. The details about where the conflict exists are listed in the log file.
You can also use the Netdom command-line tool to list all routed names and to enable and disable routing for NetBIOS names and SIDs. For example, a forest named
microsoft.com has a forest trust with widgets.com and you also need to add a forest trust to msn.com. Both widgets.com and msn.com have child domains with the
NetBIOS name of SALES (and DNS names of USsales.widgets.com and sales.msn.com).
After you create the new trust to msn.com, routing to the SALES domain name in msn.com will be disabled. If you need to use the name SALES to route to the msn.com
forest but don't need to use it to the widgets.com forest, you can use Netdom to disable SALES in widgets.com, and then enable it in msn.com.
For information about Netdom, see Active Directory support tools.
2014 Microsoft. All rights reserved.
Sites overview
Replication overview
How replication works
Replication within a site
Replication between sites
When to establish a single or separate sites
Bandwidth
Managing replication
Sites overview
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Sites overview
Sites in Active Directory represent the physical structure, or topology, of your network. Active Directory uses topology information, stored as site and site link objects in
the directory, to build the most efficient replication topology. You use Active Directory Sites and Services to define sites and site links. A site is a set of well-connected
subnets. Sites differ from domains; sites represent the physical structure of your network, while domains represent the logical structure of your organization.
Using sites
Sites help facilitate several activities within Active Directory, including:
Replication. Active Directory balances the need for up-to-date directory information with the need for bandwidth optimization by replicating information within a
site more frequently than between sites. You can also configure the relative cost of connectivity between sites to further optimize replication. For more information,
see Replication between sites and Managing replication.
Authentication. Site information helps make authentication faster and more efficient. When a client logs on to a domain, it first searches its local site for a domain
controller to authenticate against. By establishing multiple sites, you can ensure that clients authenticate against domain controllers nearest to them, reducing
authentication latency and keeping traffic off WAN connections.
Active Directory-enabled services. Active Directory-enabled services can leverage site and subnet information to enable clients to locate the nearest server
providers more easily. For information about services, see Services.
Sites and subnets are represented in Active Directory by site and subnet objects, which you create through Active Directory Sites and Services. Each site object is associated
with one or more subnet objects.
For information about creating sites, see Create a site.
For information about creating subnets, see Create a subnet.
For information about subnets, see "Introduction to TCP/IP" at the Microsoft Windows Resource Kits Web site.
You can design and maintain the logical and physical structures of your network independently.
You do not have to base domain namespaces on your physical network.
You can deploy domain controllers for multiple domains within the same site. You can also deploy domain controllers for the same domain in multiple sites.
Replication overview
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Replication overview
Except for very small networks, directory data must reside in more than one place on the network to be equally useful to all users. Through replication, the
Active Directory directory service maintains replicas of directory data on multiple domain controllers, ensuring directory availability and performance for all users. Active
Directory uses a multimaster replication model, allowing you to make directory changes at any domain controller, not just at a designated primary domain controller.
Active Directory relies on the concept of sites to help keep replication efficient, and on the Knowledge Consistency Checker (KCC) to automatically determine the best
replication topology for the network.
The KCC actually creates a separate replication topology for each directory partition (schema, configuration, domain, application). Within a single site, these
topologies are usually identical for all partitions hosted by the same set of the domain controllers.
With certain restrictions, you can use the Simple Mail Transfer Protocol (SMTP) for replicating to sites that do not have a direct or reliable Internet Protocol (IP)
connection. For more information, see "Active Directory Replication" at the Microsoft Windows Resource Kits Web site.
Intersite replication through a firewall or virtual private network requires some special considerations. For more information, see Active Directory at the Microsoft
Web site.
A single site topology allows all replication on your network to occur as intrasite replication, which requires no manual replication configuration. A single site design also
allows all domain controllers to remain very current with respect to directory changes, because directory updates are replicated almost immediately. For more information,
see Replication within a site. For information about creating sites, see Create a site.
Physically separate network locations typically communicate over WAN connections, which are most often characterized by low-speed bandwidth. By creating a separate
site for each physical location on your network, you ensure that domain controllers communicating over WAN connections use intersite replication, which is specifically
designed for efficiency on low bandwidth connections. For more information, see Replication between sites.
With multiple sites, you have more detailed control of replication behavior through several configurable intersite replication settings. These settings include the relative cost
of different replication paths, the domain controllers associated with each site, the subnets associated with each site, the frequency of directory update transfers, and the
availability of connections for use by replication. For more information, see Managing replication.
A network client logging on to a domain must contact a domain controller as part of the authentication process, first looking within its own site. If the site includes two or
more physically separate network locations, the client may authenticate against a domain controller across a WAN connection. Authentication across a WAN introduces a
delay in the authentication process. By placing physically separate network locations into separate Active Directory sites, you can ensure that clients first attempt to
authenticate against a domain controller in their own site.
2014 Microsoft. All rights reserved.
Bandwidth
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Bandwidth
Bandwidth is the most important practical consideration affecting intrasite replication on your network. Although sites are conveniently defined by subnets, it is important to
understand that the reason for this choice is that subnets are typically well-connected. This means that subnets are generally, but not always, an effective way to determine
sites.
To organize your sites effectively, consider replication requirements and available connectivity. Find a balance that ensures domain controllers in the same site are
sufficiently well-connected to handle the frequent exchange of directory information, while not exacting what you consider to be excessive costs (such as high financial
expense or compromised network performance).
When considering bandwidth, you may want to combine several subnets into one site, or split one subnet among several sites, such as in the following instances:
You have very poorly connected computers, including several domain controllers in one subnet. Create several smaller subnets that are better connected than they
were as one large subnet. For this to be effective, each new subnet should contain a domain controller.
You have several subnets that are all well-connected or you have fewer domain controllers than subnets, but you want several subnets to be in a single site. To do
this, add multiple subnets to one site.
For more information about how bandwidth may affect the way you configure sites, see Replication between sites.
2014 Microsoft. All rights reserved.
Managing replication
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Managing replication
Active Directory relies on site configuration information to manage and optimize the process of replication. Active Directory provides automatic configuration of these
settings in some cases. In addition, you can configure site-related information for your network using Active Directory Sites and Services. Configurable information includes
settings for site links, site link bridges, and bridgehead servers.
Replication frequency
The replication frequency of a site link determines how often replication occurs over that site link. By default, the replication frequency for a site link is 180 minutes, meaning
that replication occurs over that site link every 180 minutes, or three hours. Using Active Directory Sites and Services, you can set the replication frequency from 15 minutes
to 10,080 minutes (one week). A site link must be available for any replication to occur. If a site link is not available when the number of minutes between replication
updates has passed, no replication will occur. For more information, see Configure site link replication frequency.
Your network is not fully routed (not every domain controller can directly communicate with every other domain controller).
You have a network routing or security policy in place that prevents every domain controller from being able to directly communicate with every other domain
controller.
Your Active Directory design includes a large number of sites. For more information, see the Active Directory Branch Office Planning Guide at the Microsoft Web site.
For more information about site link bridges and their affects on replication, see "Active Directory Replication" at the Microsoft Windows Resource Kits Web site.
For information about disabling automatic site link bridging, see Enable or disable site link bridges.
For information about creating a site link bridge manually, see Create a site link bridge.
The partial copies of all domain objects included in the global catalog are those most commonly used in user search operations. These attributes are marked for inclusion
in the global catalog as part of their schema definition. Storing the most commonly searched upon attributes of all domain objects in the global catalog provides users
with efficient searches without affecting network performance with unnecessary referrals to domain controllers.
You can manually add or remove other object attributes to the global catalog by using the Active Directory Schema snap-in. For more information, see Customizing the
global catalog.
A global catalog is created automatically on the initial domain controller in the forest. You can add global catalog functionality to other domain controllers or change the
default location of the global catalog to another domain controller. For more information, see Enable or disable a global catalog.
A global catalog performs the following directory roles:
Finds objects
A global catalog enables user searches for directory information throughout all domains in a forest, regardless of where the data is stored. Searches within a forest
are performed with maximum speed and minimum network traffic.
When you search for people or printers from the Start menu or choose the Entire Directory option within a query, you are searching a global catalog. Once you
enter your search request, it is routed to the default global catalog port 3268 and sent to a global catalog for resolution. For more information, see Finding
directory information and "Finding information in Active Directory" at the Microsoft Windows Resource Kits Web site.
Supplies user principal name authentication
A global catalog resolves user principal names UPNs when the authenticating domain controller does not have knowledge of the account. For example, if a users
account is located in example1.microsoft.com and the user decides to log on with a user principal name of user1@example1.microsoft.com from a computer
located in example2.microsoft.com, the domain controller in example2.microsoft.com will be unable to find the users account, and will then contact a global catalog
to complete the logon process. For more information, see Active Directory naming.
Supplies universal group membership information in a multiple domain environment
Unlike global group memberships, which are stored in each domain, universal group memberships are only stored in a global catalog. For example, when a user
who belongs to a universal group logs on to a domain that is set to the Windows 2000 native domain functional level or higher, the global catalog provides
universal group membership information for the users account at the time the user logs on to the domain.
If a global catalog is not available when a user logs on to a domain set to the functional level of Windows 2000 native or higher, the computer will use cached
credentials to log on the user if the user has logged on to the domain previously. If the user has not logged on to the domain previously, the user can only log on
to the local computer. However, if a user logs on as the Administrator in the domain (Builtin Administrator account), the user can always log on to the domain, even
when a global catalog is not available.
For more information about universal groups, see Group scope. For more information about universal groups and replication, see Global catalog replication and
Global catalogs and sites.
Note
When there is only one domain in a forest, it is not necessary for users to obtain universal group memberships from a global catalog when logging on. This
is because Active Directory can detect that there are no other domains in the forest and will prevent a query to the global catalog for this information.
Validates object references within a forest
A global catalog is used by domain controllers to validate references to objects of other domains in the forest. When a domain controller holds a directory object
with an attribute containing a reference to an object in another domain, this reference is validated using a global catalog.
Adding attributes
Active Directory defines a base set of attributes for each object in the directory. Each object and some of its attributes (such as universal group memberships) are stored in
the global catalog. Using the Active Directory Schema snap-in, you can specify additional attributes to be kept in the global catalog.
In Windows 2000 forests, extending the partial attribute set causes a full synchronization of all object attributes stored in the global catalog (for all domains in the forest).
In a large, multi-domain forest, this synchronization can cause significant network traffic. Between domain controllers enabled as global catalogs that are running Windows
Server 2003, only the newly added attribute is replicated. For more information about adding attributes to the global catalog, see Customizing the global catalog.
It is strongly recommended that you use global groups or universal groups instead of domain local groups when specifying permissions on domain directory
partition objects replicated to the global catalog. For more information, see Global catalog replication.
Notes
In Windows 2000, adding a new attribute to the global catalog causes a full synchronization of all of the domain data from all of the domains in the forest. In a
large, multi-domain Windows 2000 forest, this synchronization can cause significant network traffic. Between domain controllers enabled as global catalogs that are
running Windows Server 2003, only the newly added attribute is replicated.
When deciding whether or not to include an attribute in the global catalog, remember that you are trading increased replication and increased disk storage on
global catalogs for potentially faster query performance.
Advantage
Disadvantage
A commonly used application in the site utilizes port 3268 to resolve global catalog queries.
Performance
improvement
Additional
network traffic
due to
replication
A slow or unreliable WAN connection is used to connect to other sites. Use the same failure and load distribution rules that you used
for individual domain controllers to determine whether additional global catalog servers are necessary in each site.
Fault
tolerance
Additional
network traffic
due to
replication
Users in the site belong to a Windows 2000 domain running in native mode. In this case, all users must obtain universal group
membership information from a global catalog server. If a global catalog is not located within the same site all logon requests must
be routed over your WAN connection to a global catalog located in another site.
If a domain controller running Windows Server 2003 in the site has universal group membership caching enabled, then all users will
obtain a current cached listing of their universal group memberships.
Fast user
logons
Additional
network traffic
due to
replication
Note
Network traffic related to global catalog queries generally use more network resources than normal directory replication traffic.
Faster logon times since authenticating domain controllers no longer need to access a global catalog to obtain universal group membership information.
No need to upgrade hardware of existing domain controllers to handle the extra system requirements necessary for hosting a global catalog.
Minimized network bandwidth usage since a domain controller will not have to handle replication for all of the objects located in the forest.
Note
You might want to continue using a global catalog in branch office locations if an application in a site is sending global catalog queries to port 3268. Universal
group membership caching does not intercept calls made to port 3268.
DNS integration
Group Policy integration
DNS integration
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
DNS integration
Active Directory is integrated with DNS in the following ways:
Active Directory and Domain Name System (DNS) have the same hierarchical structure.
Although separate and implemented differently for different purposes, an organization's namespace for DNS and Active Directory have an identical structure. For
example, microsoft.com is a DNS domain and an Active Directory domain. For more information, see Namespace planning for DNS.
DNS zones can be stored in Active Directory.
If you are using the Windows Server 2003 DNS Server service, primary zone files can be stored in Active Directory for replication to other Active Directory domain
controllers. For more information, see Active Directory integration.
Active Directory uses DNS as a locator service, resolving Active Directory domain, site, and service names to an IP address.
To log on to an Active Directory domain, an Active Directory client queries their configured DNS server for the IP address of the LDAP service running on a domain
controller for a specified domain. For more information about how Active Directory clients rely on DNS, see Locating a domain controller.
Note
You can use Dcdiag.exe and Netdiag.exe to troubleshoot client computers that cannot locate a domain controller. These tools can help determine both server and
client DNS misconfigurations. For more information, see article Q265706, "DCDiag/NetDiag Facilitate Join and DC Creation" in the Microsoft Knowledge Base. For a
brief description of support tools, see Active Directory support tools.
While Active Directory is integrated with DNS and shares the same namespace structure, it is important to distinguish the difference between them:
For a checklist on deploying DNS for Active Directory, see Checklist: Deploying DNS for Active Directory.
For information about configuring DNS servers for Active Directory, see Configure a DNS server for use with Active Directory.
2014 Microsoft. All rights reserved.
Set the minimum password length and the maximum length of time that a password will remain valid. This can be configured for an entire domain.
Administrators can automatically install an application on every computer in a particular domain or on all computers assigned to a particular group in a particular
site. For example, you could automatically install Microsoft Outlook on every computer in the domain and automatically install Microsoft Excel only on those
computers belonging to the Accounting group in a particular site.
Logon, logoff, startup, and shutdown scripts can be assigned based on the locations of the computer and user accounts in Active Directory.
If members of a particular group often use different computers, administrators can install the necessary applications on each of those computers.
Any user's My Documents folder can be redirected to a network location. Users can then gain access to their documents from any computer on the network.
Policy settings are stored in Group Policy objects. Group Policy settings from more than one Group Policy object can be applied to a particular site, domain, or
organizational unit. For example, if a site contains three domains, one Group Policy object could control computer configurations for the entire site. A separate policy for
each domain could determine specific security settings for the computers in each domain. If each domain contains an Accounting and a Marketing organizational unit,
additional Group Policy objects could determine what software is installed on the computers used by the Accounting and Marketing groups throughout the entire site.
This ability to automatically configure and secure computers throughout your organization by selectively applied Group Policy objects is a very powerful administrative tool.
For more information about controlling software installation with Group Policy and how to create a Group Policy object, see Group Policy (pre-GPMC).
You can use security groups to filter how Group Policy settings are applied to collections of users and computers belonging to a particular site, domain, or organizational
unit. For more information about security groups, see Group types. For general information about Group Policy, see Group Policy overview.
2014 Microsoft. All rights reserved.
Understanding Schema
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Understanding schema
This section covers:
Schema
Schema classes and attributes
Schema object names
Deactivating a class or attribute
Extending the schema
Schema
Updated: May 1, 2010
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Schema
The Active Directory schema contains the definitions for all objects in the directory. Every new directory object you create is validated against the appropriate object
definition in the schema before being written to the directory. The schema is made up of object classes and attributes. The base (or default) schema contains a rich set of
object classes and attributes to meet the needs of most organizations, and is modeled after the International Standards Organization (ISO) X.500 standard for directory
services. Because it is extensible, you can modify and add classes and attributes to the base schema. However, you should carefully consider each change you make,
because extending the schema affects the entire network. For more information, see Extending the schema.
Schema cache
To improve performance on schema operations (such as new object validation), each domain controller holds a copy of the schema in memory (in addition to the copy it
holds on disk). This cached version is automatically updated (after a small time interval) each time you update the schema. Or, you can reload the updated schema to cache
manually for immediate effect. For more information, see Reload the schema.
Classes
ClassSchema objects are used to define classes in the schema. A classSchema object provides the template for building directory objects of that class. Examples of
classSchema include User and Server. A classSchema object contains, among other things, the following information:
Class types
Three different types of classes exist in the schema:
Class type
Purpose
Structural
Abstract
Auxiliary
Contains predefined lists of attributes that can be included in structural and abstract classes.
Note
With the Windows Server 2003 family, the inetOrgPerson class is now a part of base schema. This class can be used as a security principal in the same manner as
the user class.
Attributes
AttributeSchema objects are used to define attributes in the schema. An attributeSchema object determines the allowable contents and syntax for instances of that attribute
in the directory. Examples of attributeSchema include User-Principal-Name and Telex-Number. An attributeSchema object contains, among other things, the following
information:
Indexed attributes
Both multivalued and single valued attributes can be indexed to help improve the performance of queries on that attribute. (Indexing does not apply to classes.) Attributes
are marked for indexing based on their schema definition. Indexing an attribute also allows users to use wildcards (*) as prefixes and suffixes when specifying a search
string. When you mark an attribute as indexed, all instances of the attribute are added to the index, not just the instances that are members of a particular class. Indexing
attributes, particularly multivalued attributes, can negatively affect replication and object creation time, as well as directory database size. So, it is recommended that you
only index commonly used attributes. For more information, see Index an attribute in Active Directory.
For more information about the schema, see "Active Directory Schema" at the Microsoft Windows Resource Kits Web site and the Microsoft MSDN Web site.
Common name
The common name is a more readable version of the LDAP display name. The common names of the two attributes used in the previous example are SMTP-Mail-Address
and Machine-Password-Change-Interval. Common names are guaranteed to be unique within a container.
Object identifier
An object identifier (also known as OID) is issued by an issuing authority such as the International Organization for Standardization (ISO) or the American National
Standards Institute (ANSI). For example, the object identifier for the SMTP-Mail-Address attribute is 1.2.840.113556.1.4.786. Every object identifier must be unique. For more
information about ISO, see the International Organization for Standardization Web site.
When extending your schema, you can register new object identifiers through Microsoft. For more information, see the Microsoft Web site.
When a queuing alias object is deleted, the alias is automatically removed from all distribution lists that reference the alias.
A queue referenced by a queuing alias can be changed without changing the alias.
Queuing aliases can be used to reference a queue not listed in the directory service, including private queues or queues from another organization.
Queuing aliases can be used to send http messages by referencing the destination queue using a direct format name.
A queuing alias object has a single attribute, a format name that references a queue. Queuing aliases can contain public, private, and direct format names. The format
name for the queue cannot exceed 255 characters. For more information, see Using Message Queuing.
Note
Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.
Classes and attributes added to the base schema can be deactivated without raising the forest functional level. However, they can be redefined only in forests raised
to the Windows Server 2003 functional level or higher.
Default schema attributes or classes in the base schema cannot be deactivated if bit 4 of the systemFlags attribute is set to 1. Only attributes or classes where bit 4
of the systemFlags attribute is equal to zero can be deactivated.
Object identifiers must be unique. Mistyping a number when entering an object identifier can cause a conflict between the invalid object identifier and a legitimate object
identifier that is registered by an application. When installing an application that adds an attribute or class, the application may need to use the mistyped object identifier
for one of its legitimate schema extensions. You can correct object identifier conflicts in forests that are set to the Windows Server 2003 functional level. To correct the
conflict, deactivate the attribute or class with the incorrect object identifier. The application installation program will then be able to create the new attribute or class using
the correct object identifier.
Before deactivating a class, consider the following:
You can deactivate a class only if that class is not specified as a subClassOf, auxiliaryClass, systemAuxiliaryClass, possSuperiors, or systemPossSuperiors of any
existing active class.
You cannot use a defunct class in definitions of new classes, and you cannot add it to existing class definitions.
You cannot create objects that are instances of the defunct class or modify existing instances of the class. However, the instances of the defunct class become
available again for modification when the defunct class is reactivated.
You can deactivate an attribute only if the attribute is not specified as a systemMustContain, mustContain, systemMayContain, mayContain, or rdnAttId of any existing
active class.
You cannot use a defunct attribute in definitions of new classes, and you cannot add it to existing class definitions.
You cannot read, modify, or delete instances of the defunct attribute present in existing objects. However, the instances of the defunct attribute become available
when the defunct attribute is reactivated.
To purge the directory of instances of an attribute you must delete the instances before deactivating the attribute.
Classes and attributes can be deactivated programmatically (recommended) or by using the Active Directory Schema snap-in. To deactivate a class or attribute using the
Active Directory Schema snap-in, see Deactivate a class or attribute. For information about programmatically deactivating classes and attributes, see the Active Directory
Programmer's Guide at the Microsoft Web site.
Reactivating a class
A defunct class can be reactivated. However, a defunct class cannot be reactivated unless the attributes referenced in its mustContain, systemMustContain, mayContain, and
systemMayContain properties are active and the classes referenced in its subClassOf, auxiliaryClass, systemAuxiliaryClass, possSuperiors, and systemPossibleSuperiors
properties are also active.
Further, a defunct class cannot be reactivated if the values of the following attributes collide with an already active attribute or class: ldapDisplayName, attributeId,
governsId, or schemaIdGuid.
To reactive a defunct class, see Reactivate a class or attribute.
Reactivating an attribute
An defunct attribute can be reactivated. However, a defunct attribute cannot be reactivated if the values of the following attributes collide with an already active attribute or
class: ldapDisplayName, attributeId, governsId, schemaIdGuid, or mapiId.
Verify that no existing class or attribute in the base schema meets your application or data needs. For the complete set of classes and
attributes in the base schema, see the Microsoft Web site.
Review schema
documentation
For detailed information about extending the schema, see the Active Directory Programmer's Guide at the Microsoft Web site and
"Active Directory Schema" at the Microsoft Windows Resource Kits Web site.
When you extend the schema, the changes apply to every domain controller in the entire forest.
You cannot modify default system classes (those classes required for Windows to run) within the schema. However, directory-enabled
applications that modify the schema may add new classes that you can modify.
Attributes or classes cannot be removed after creation. At best, they can be modified or deactivated. For more information, see
Deactivating a class or attribute.
Every class and attribute in the schema must have a unique and valid object identifier (also known as OID). Do not create arbitrary object
identifiers or recycle old object identifiers. For information about obtaining valid object identifiers, see Schema object names.
Deployment resources
Using the Active Directory Installation Wizard
Creating an additional domain controller
Creating a new domain tree
Creating a new child domain
Creating a new forest
Upgrading from Windows NT or Windows 2000
Deployment resources
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Deployment resources
To deploy domain controllers running Windows Server 2003, it is recommended that you use the Microsoft Windows Server 2003 Deployment Kit, which is available online at
the Microsoft Windows Resource Kits Web site.
The online deployment kit includes case studies and the necessary information for deploying Windows Server 2003 Active Directory in networks that have domain
controllers running Windows NT 4.0 or Windows 2000. For complete information, see "Upgrading Windows NT 4.0 Domains to Windows Server 2003" at the Microsoft
Windows Resource Kits Web site.
If your network includes branch offices, see "Designing the Site Topology" at the Microsoft Windows Resource Kits Web site. This online guide helps plan Active Directory
deployment when there are branch office sites connected with slow network links.
For information about monitoring Active Directory, see "Monitoring Active Directory" at the Microsoft Windows Resource Kits Web site.
2014 Microsoft. All rights reserved.
Before using the Active Directory Installation Wizard, consider DNS configuration and support for existing applications.
DNS configuration
By default, the Active Directory Installation Wizard attempts to locate an authoritative DNS server for the new domain from its list of configured DNS servers that will accept
a dynamic update of a service (SRV) resource record. If found, all the appropriate records for the domain controller are automatically registered with the DNS server after
the domain controller is restarted.
If a DNS server that can accept dynamic updates is not found, either because the DNS server does not support dynamic updates or dynamic updates are not enabled for
the domain, then the Active Directory Installation Wizard will take the following steps to ensure that the installation process is completed with the necessary registration of
the SRV resource records:
1. The DNS service is installed on the domain controller and is automatically configured with a zone based on the Active Directory domain.
For example, if the domain that you chose for your first domain in the forest is example.microsoft.com, then a zone rooted at the DNS domain name of
example.microsoft.com is added and configured to use the DNS Server service on the new domain controller.
2. A text file containing the appropriate DNS resource records for the domain controller is created.
The file called Netlogon.dns is created in the systemroot\System32\Config folder and contains all the records needed to register the resource records of the
domain controller. Netlogon.dns is used by the Net Logon service and supports Active Directory on servers running non-Windows Server 2003 DNS.
If you are using a DNS server that supports the SRV resource record but does not support dynamic updates (such as a UNIX-based DNS server or a Windows NT
DNS server), you can import the records in Netlogon.dns into the appropriate primary zone file to manually configure the primary zone on that server to support
Active Directory.
If no DNS servers are available on the network, you can choose the option to automatically install and configure a local DNS server when you install Active Directory using
the Active Directory Installation Wizard. The DNS server will be installed on the server on which you are running the wizard, and the server's preferred DNS server setting
will be configured to use the new local DNS server.
Before running the Active Directory Installation Wizard, ensure that the authoritative DNS zone allows dynamic updates and that the DNS server hosting the zone supports
the DNS SRV resource record. For more information, see Checklist: Verifying DNS before installing Active Directory.
For more information, see Configure a DNS server for use with Active Directory. For general information about DNS integration with Active Directory, see DNS integration.
You can manually switch between the backward compatible and high-security settings on Active Directory objects by adding the Anonymous Logon security group to the
pre-Windows 2000 Compatible Access security group using Active Directory Users and Computers. For more information about adding members to a group, see Add a
member to a group. For more information about default groups, see Default groups and Special identities.
Note
If you select the Permissions compatible only with Windows Server 2003 operating systems check box when installing Active Directory and find that your
applications are not functioning correctly, try resolving the problem by manually adding the special group Everyone to the Pre-Windows 2000 Compatible Access
security group, and then restarting the domain controllers in the domain. Once you have upgraded to applications compatible with the Windows Server 2003 family,
you should return to the more secure Windows Server 2003 operating system configuration by removing the Everyone group from the Pre-Windows 2000
Compatible Access security group and restarting the domain controllers in the affected domain.
When upgrading a Windows NT domain to a Windows Server 2003 forest. You can upgrade a Windows NT domain to become the first domain in a new
Windows Server 2003 forest. To do this, you must first upgrade the primary domain controller in that domain. Then, you can upgrade backup domain controllers,
member servers, and client computers at any time.
You can also keep a Windows NT domain and create a new Windows Server 2003 forest by installing Active Directory on a member server running Windows
Server 2003. For more information, see Upgrading from a Windows NT domain.
To provide administrative autonomy. You can create a new forest when you need to segment your network for purposes of administrative autonomy.
Administrators who currently manage the IT infrastructure for autonomous divisions within the organization may want to assume the role of forest owner and
proceed with their own forest design. However, in other situations, potential forest owners may choose to merge their autonomous divisions into a single forest to
reduce the cost of designing and operating their own Active Directory or to facilitate resource sharing. Another alternative is to provide for some delegation of
administrative authority that enables the benefits of both approaches. For more information, see "Best Practice Active Directory Design for Managing Windows
Networks" on the Microsoft Web site or "Design Considerations for Delegation of Administration in Active Directory", also available on the Microsoft Web site.
Because there can be only one schema master and one domain naming master in a forest, these roles remain in the forest root domain. In an Active Directory forest with
only one domain and one domain controller, that domain controller owns all the operations master roles. For more information, see Operations master roles.
Upgrading overview
Upgrading from a Windows NT domain
Upgrading from a Windows 2000 domain
Converting groups
Upgrading overview
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Upgrading overview
The Active Directory directory service is compatible with Microsoft Windows NT and supports a mix of operations that support domain controllers running
Windows NT 4.0, Windows 2000, and Windows Server 2003. This allows you to upgrade domains and computers at your own pace, based on your organization's needs.
Active Directory supports the NTLM protocol used by Windows NT. This enables authorized users and computers from a Windows NT domain to log on and access
resources in Windows 2000 or Windows Server 2003 domains. To clients running Windows 95, Windows 98, or Windows NT that are not running Active Directory client
software, a Windows 2000 or Windows Server 2003 domain appears to be a Windows NT 4.0 domain. For more information, see Active Directory clients.
The upgrade to Active Directory can be gradual and performed without interrupting operations. If you follow domain upgrade recommendations, it should never be
necessary to take a domain offline to upgrade domain controllers, member servers, or workstations. When upgrading a Windows NT domain, you must upgrade the
primary domain controller first. You can upgrade member servers and workstations at any time after this. For more information, see Upgrading from a Windows NT
domain.
Active Directory allows upgrading from any Windows NT 4.0 domain model and supports both centralized and decentralized models. The typical master or multiple-master
domain model can be easily upgraded to an Active Directory forest.
2014 Microsoft. All rights reserved.
Improved replication efficiency and scalability. For more information, see Replication overview.
Linked value replication for more efficient replication of group memberships. For more information, see How replication works.
computer accounts). This single domain controller is configured as a PDC emulator master. The PDC emulator master emulates a Windows NT 4.0 or earlier PDC. For more
information about the PDC emulator role, see Operations master roles.
Other than the enhanced access to any other domains in the forest, clients will not be aware of any changes in the domain.
After upgrading a Windows NT 4.0 domain to an Active Directory domain, it is recommended that you delete and recreate all previously existing trusts with Active Directory
domains. Even though the domain has been upgraded, the trust remains a Windows NT 4.0 trust. Internet protocol security (IPSec) does not work over a Windows NT 4.0
trust.
You cannot upgrade domain controllers running Windows 2000 to Windows Server 2003 or Windows Server 2003 with SP1, or add domain controllers running
Windows Server 2003 or Windows Server 2003 with SP1 to Windows 2000 domains, until you have used adprep to prepare the forest and the domains within the
forest.
For more information about the enhancements to Adprep.exe in Windows Server 2003 with SP1, see article 324392, Enhancements to Adprep.exe in Windows Server 2003
Service Pack 1 and in hotfix 324392, in the Microsoft Knowledge Base.
For more information about how to prepare your forest and domains using Adprep.exe, see "Overview: Upgrading Windows 2000 Domain Controllers to
Windows Server 2003" in article 325379, How to Upgrade Windows 2000 Domain Controllers to Windows Server 2003, in the Microsoft Knowledge Base.
See Also
Concepts
Checklist: Performing an upgrade
Operations master roles
Adprep
2014 Microsoft. All rights reserved.
Converting groups
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Converting groups
When you upgrade a primary domain controller (PDC) running Windows NT Server 4.0 or earlier to a server running Windows Server 2003, existing Windows NT groups
are converted in the following ways:
Windows NT local groups are converted to domain local groups on servers running Windows Server 2003.
Windows NT global groups are converted to global groups on servers running Windows Server 2003.
Domain member computers running Windows NT can continue to display and access the converted groups. The groups appear to these clients as Windows NT 4.0 local
and global groups. However, a Windows NT client cannot display members of groups or modify the member properties when that membership violates Windows NT
group rules. For example, when a Windows NT client views the members of a global group on a server running Windows Server 2003, it does not view any other groups
that are members of that global group.
Using Run as
Using saved queries
Managing Active Directory from MMC
Managing Active Directory from the command line
Finding directory information
Administering other domains
Delegating administration
Publishing resources
Managing COM+ partitions in Active Directory
Managing COM+ partition sets in Active Directory
Using Run as
Updated: April 20, 2011
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Using Run as
Logging onto your computer using administrative credentials can pose a security risk to your computer and network. Therefore, as a security best practice, it is
recommended that you do not log on to your computer with administrative credentials. Instead, you can use Run as to accomplish administrative tasks without having to
log on to your computer with administrative credentials. For information about the security risks associated with being logged on as an administrator, see Why you should
not run your computer as an administrator.
Using Run as, you can open and run a program using a different account and security context than the one you are logged on with. So, you can log on using a regular user
account, then, using Run as, open an administrative program in the context of an administrative account. The administrative context is only used for that specific program
and is only available until that program is closed.
It is especially important for domain administrators to use Run as to accomplish administrative tasks. Running your computer as a domain administrator in Active Directory
makes your domain (and forest) vulnerable to Trojan horses and other security risks that target the logon sequence.
You can use Run as through the user interface or as a command-line tool.
User interface
The Run as feature built into the user interface is a shortcut that is accessed on the right-click menu for some programs (.exe), some Control Panel (.cpl) items, and
Microsoft Management Console (MMC) (.msc) consoles. Run as will prompt you for a user account and password before starting a program, Control Panel item, or
MMC console. Some programs and administrative tasks, such as upgrading the operating system or configuring system parameters, do not support Run as. These
tasks require an interactive logon. For more information about how to use the Run as feature, see Run a program with administrative credentials.
Command-line tool
In addition to the built-in Run as feature, the runas command provides the same capabilities. For more information about the runas command, see Runas. You can
also create a custom shortcut using the runas command. For more information about creating shortcuts, see Create a shortcut using the runas command.
Tip
For more options and examples, see the TechNet Wiki topic How to Run with Alternate Credentials and Open Elevated Command Prompts
(http://social.technet.microsoft.com/wiki/contents/articles/how-to-run-with-alternate-credentials-and-open-elevated-command-prompts.aspx).
Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.
You can also remotely administer Active Directory from a computer that is not a domain controller, such as a computer running Windows XP Professional. To do this, you
must install the Windows Server 2003 Administration Tools Pack. For more information, see Windows Server 2003 Administration Tools Pack Overview.
The Active Directory Schema snap-in is an Active Directory administrative tool for managing the schema. It is not available by default on the Administrative Tools menu, and
must be added manually. For more information, see Install the Active Directory Schema snap-in.
For advanced administrators and network support specialists, there are many command-line tools that can be used to configure, manage, and troubleshoot Active
Directory. For more information, see Active Directory support tools.
You can also create scripts that use Active Directory Service Interfaces (ADSI). Several sample scripts are supplied on the operating system installation media. For more
information about the sample scripts, see Using the Windows Deployment and Resource Kits. For more information about using ADSI, see Programming interfaces.
Customizing how data is displayed in Active Directory administrative tools and snap-ins
The Active Directory administrative tools, such as Active Directory Users and Computers, and the Windows shell extensions use display specifiers to dynamically create
context menu items and property pages. Display specifiers permit localization of class and attribute names, context menus, and property pages, and also support new
classes and attributes. You can add and modify classes and attributes in the schema and extend both the administrative tools and the Windows shell in many ways by
modifying attributes in display specifiers. For more information the Active Directory schema and display specifiers, see the Active Directory programmer's Guide at the
Microsoft Web site.
Builtin: Contains objects that define the default built-in groups, such as Account Operators or Administrators.
Computers: Contains Windows 2000, Windows XP, and Windows Server 2003 computer objects, including computer accounts that were originally created using
application programming interfaces (APIs) that could not use Active Directory. Computer objects are moved to the Computer container when Windows NT domains
are upgraded to Windows 2000 or a Windows Server 2003 operating system.
Domain Controllers: Contains computer objects for domain controllers running Windows 2000 or Windows Server 2003.
Users: Contains user accounts and groups that were originally created using APIs that could not use Active Directory. User accounts and groups are moved to the
Users container when Windows NT domains are upgraded to Windows 2000 or a Windows Server 2003 operating system. You can use the Windows NT 4.0 User
Manager (Usrmgr) tool to modify users and groups created using the APIs that could not use Active Directory.
When you select Advanced Features on the View menu, two additional folders are displayed in the console:
LostAndFound: Contains objects whose containers were deleted at the same time that the object was created. If an object has been created in or moved to a
location that is missing after replication, the lost object is added to the LostAndFound container. The LostAndFoundConfig container in the configuration directory
partition serves the same purpose for forest-wide objects.
System: Contains built-in system settings for the various system service containers and objects. For more information about the System container, see Using the
Windows Deployment and Resource Kits.
When you select Filter options on the View menu, you can show all objects, show only selected objects, configure the number of items that can be displayed for each
folder, or create custom filters using object attributes and LDAP queries.
/domain= FullyQualifiedDomainName
/domain= NetBIOSDomainName
/server= FullyQualifiedDomainControllerName
/server= NetBIOSDomainControllerName
You can use these command-line options to run the Active Directory MMC consoles directly from the command line, or you can create a shortcut to start a console and
add the appropriate command-line options to the shortcut. You can also use the command-line options with any custom consoles that you create. For more information
about creating and saving console files, see Windows interface administrative tool reference A-Z: Microsoft Management Console.
Command-line examples:
Notes
Do not use both a /domain and /server command-line option at the same time.
The /domain options can only be used with Active Directory Users and Computers.
Name
Description
CSVDE
Dsadd
Add users, groups, computers, contacts, and organizational units to Active Directory.
Dsmod
Modify an existing object of a specific type in the directory. The types of objects that can be modified are: users, groups, computers, servers, contacts, and
organizational units.
Dsrm
Dsmove
Rename an object without moving it in the directory tree, or move an object from its current location in the directory to a new location within a single domain
controller. (For cross-domain moves, use the Movetree command-line tool.)
Dsquery
Query and find a list of objects in the directory using specified search criteria. Use in a generic mode to query for any type of object or in a specialized
mode to query for for selected object types. The specific types of objects that can be queried through this command are: computers, contacts, subnets,
groups, organizational units, sites, servers and users.
Dsget
Display selected attributes of specific object types in Active Directory. Attributes of the following object types can be viewed: computers, contacts, subnets,
groups, organizational units, servers, sites, and users.
LDIFDE
Ceate, modify, and delete directory objects. This tool can also be used to extend the schema, export Active Directory user and group information to other
applications or services, and populate Active Directory with data from other directory services.
Ntdsutil
General purpose Active Directory management tool. Use Ntdsutil to perform database maintenance of Active Directory, to manage single master operations,
and remove metadata left behind by domain controllers that were removed from the network without being properly uninstalled.
Additional command-line tools are available in the Support tools folder of the product compact disc and from the Resource Kit
For information about other command-line tools, see Command-line reference A-Z. For more information about manageability, see Management Strategies and Tools.
2014 Microsoft. All rights reserved.
A secure method of controlling administrative access to a particular domain is to tightly control the number of accounts that are added to the Domain Admins group for
that domain and the number of people aware of those accounts. Only members of the Domain Admins group (or Enterprise Admins group) can make broad administrative
changes to the domain.
For example, if a domain administrator in one domain wanted to establish a shortcut trust with another domain, the domain administrator could establish the trust
relationship in that domain by communicating with the domain administrator of the other domain, agreeing on a common strong password for the trust, and having the
administrator of the other domain create the trust in that domain.
A more convenient, but less secure method of administering more than one domain is to logon interactively with a user account that has administrative credentials in both
domains. For example, user accounts that are members of the Enterprise Admins security group have permission to administer every domain in the forest. Logging on to a
computer with a user account that has broad administrative access is not recommended. For more information, see Why you should not run your computer as an
administrator.
Run as, when used with the appropriate user name and password, can be used to securely administer domains in any forest in your organization. For more information,
see Using Run as.
Notes
It is a security best practice to never log on with an account that has more rights and permissions than you need for the task you are currently performing.
It is also a security best practice to limit the scope of a particular administrator's rights and permissions to include only those tasks that the administrator commonly
performs.
You cannot administer a Windows Server 2003 domain or forest using the Windows 2000 Administrative Tools Pack. For more information, see Windows Server
2003 Administration Tools Pack Overview.
Delegating administration
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Delegating administration
By delegating administration, you can assign a range of administrative tasks to the appropriate users and groups. You can assign basic administrative tasks to regular
users or groups, and leave domain-wide and forest-wide administration to members of the Domain Admins and Enterprise Admins groups. By delegating administration,
you can allow groups within your organization to take more control of their local network resources. You also help secure your network from accidental or malicious
damage by limiting the membership of administrator groups.
You can delegate administrative control to any level of a domain tree by creating organizational units within a domain and delegating administrative control for specific
organizational units to particular users or groups.
To decide what organizational units you want to create, and which organizational units should contain accounts or shared resources, consider the structure of your
organization.
For example, you might want to create an organizational unit that enables you to assign a user the administrative control for all user and computer accounts in all branches
of a department, such as Human Resources. Or, you might want to assign a user administrative control only to some resources within a department, for example, computer
accounts. Another possible delegation of administrative control would be to assign a user the administrative control for the Human Resources organizational unit, but not
any organizational units contained within the Human Resources organizational unit.
Active Directory defines specific permissions and user rights that can be used for the purposes of delegating or restricting administrative control. Using a combination of
organizational units, groups, and permissions, you can define the most appropriate administrative scope for a particular person, which could be an entire domain, all
organizational units within a domain, or a single organizational unit.
Administrative control can be assigned to a user or group by using the Delegation of Control Wizard or through the Authorization Manager console. Both of these tools
allow you to assign rights or permissions to particular users or groups.
For example, a user can be given permissions to modify the Owner Of Accounts property, without being assigned the permissions to delete accounts in that organizational
unit. The Delegation of Control Wizard, as its name suggests, allows you to delegate administrative tasks using a wizard that steps you through the entire process. The
Authorization Manager is a Microsoft Management Console (MMC) console that also allows you to delegate administration. The Authorization Manager provides greater
flexibility than the Delegation of Control Wizard, at the cost of greater complexity.
For more information about using the Delegation of Control Wizard, see To delegate control. For more information about using Authorization Manager, see Authorization
Manager.
The console must be packaged before using the Software Installation snap-in. You can use a tool such as Windows Installer to package the customized console.
Once this has been accomplished you can configure the Software Installation snap-in to publish or assign the newly created package. For more information about
how to package an application, see Using the Windows Deployment and Resource Kits.
If the customized console you are packaging uses a snap-in that is not installed on the destination workstation or server for the published or assigned user, you will
need to include the snap-in file and the registration of the file in the package. You can either create a separate package that contains the snap-in or add the snap-in
during the creation of the customized console package so that it will be properly installed on the computer every time a user installs the console package.
Note
If a user is logged on to their computer at the time that a Group Policy object is applied to their account, the user will not see the published or assigned console
until they log off and then log on again.
For more information about other Active Directory security issues, see Security overview.
2014 Microsoft. All rights reserved.
Publishing resources
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Publishing resources
To help users locate the network resources they need, you can publish searchable information about these resources in Active Directory. Resources that can be published
include users, computers, printers, shared folders, and network services. Some commonly used directory information, like user and computer names, is published by
default when the objects are created. Other directory information, such as information about shared folders, must be published manually. For information about searching
the directory, see Finding directory information.
Using access control permissions, you can control which users and groups can search and view published information. Access control permissions give you detailed
control over directory information at both the resource and the property levels. For example, you can use permissions to prevent a particular group from viewing any user
information published in the directory. Or, you can use permissions to allow that group to view user names, but no other user information. For an overview of permissions,
see Access control overview. For information about assigning permissions to Active Directory objects and properties, see Assign, change, or remove permissions on Active
Directory objects or attributes.
Publishing services
A service is an application that makes data or operations available to network users. Publishing a service in Active Directory enables users and administrators to move from
a machine-centric view of the network to a service-centric view. By publishing a service, rather than computers or servers, administrators can focus on managing the service
regardless of which computer is providing the service or where the computer is located.
Some services, such as Certificate Services, are automatically published in Active Directory when they are installed. Other services can be published in the directory using
programming interfaces. For more information, see Programming interfaces. Administrators can manage published services using Active Directory Sites and Services. For
more information about services and how to publish them, see the Service Publication page at the Microsoft Web site. (http://msdn.microsoft.com/)
Binding information allows clients to connect to services that do not have well-known bindings and that conform to a service-centric model. By publishing the
bindings for these kinds of services, connections can be automatically established with services. Machine-centric services are typically handled on a service-byservice basis and should not be published to the directory.
Configuration information can be common across client applications. Publishing this sort of information allows you to distribute current configuration information for
these applications to all clients in the domain. The configuration information is accessed by client applications as needed. This eases application configuration for
users and gives you more control over application behaviors.
Useful to many clients. Information that is useful to a small set of clients or that is useful only in certain areas of the network should not be published. If not widely
used, this information wastes network resources, since it is published to every domain controller in the domain.
Relatively stable and unchanging. Although there may be exceptions to this rule, it generally makes sense to publish only service information that changes less
frequently than two replication intervals. For intrasite replication, the maximum replication period is fifteen minutes, and for intersite replication, the maximum
replication period is configured based on the replication interval of the site link used for the replication. Object properties that change more frequently create
excessive demands on network resources. Property values may be out of date until updates are published, which can take as long as the maximum replication
period. Consequently, having properties out of date for that period of time must not create unacceptable conditions.
For example, some network services select a valid TCP port for use each time they are started. After selecting the port, the service updates Active Directory with this
information, which is stored as the service connection point. Clients access the service connection point when they want to use the service, but if the new service
connection point has not been replicated when the client requests it, the client will receive an outdated port, rendering the service temporarily inaccessible.
Well-defined, reasonable properties. Information that is of a consistent form is easier for services to use. The information should be relatively small in size.
COM+ partitions in Active Directory are not available from domain controllers running Windows 2000.
Administering distributed applications becomes much easier because you can tailor access of a particular set of domain users to a specific set of applications.
Security policies can be applied to domain users and organizational units within each partition set.
Before assigning COM+ partition sets, you must first logically group one or more COM+ partitions into a single COM+ partition set. Once a COM+ partition set has been
defined, you can make applications available throughout the domain by mapping COM+ partition sets to domain users or organizational units. To do this, you must
perform tasks on both the domain controller where Active Directory resides and on the application server where the COM+ application is installed.
Local COM+ partitions are sometimes referred to as Empty Partitions in the Component Services user interface.
Resources
This section covers:
Web resources
Active Directory support tools
Programming interfaces
Web resources
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Web resources
The following items provide links to more information on the Web related to Active Directory:
For information about deploying Active Directory, see "Identifying an Active Directory Deployment Strategy" at the Microsoft Windows Resource Kits Web site.
For information about domain trust, see "Domain Trust" at the Microsoft Windows Resource Kits Web site.
For information about establishing domain trusts, see "Designing an Authorization Strategy" at the Microsoft Windows Resource Kits Web site.
For information about monitoring Active Directory, see "Monitoring Active Directory" at the Microsoft Windows Resource Kits Web site.
For information about delegating enterprise administrator operations, see "Delegating Enterprise Administrator Operations" at the Microsoft Windows Resource
Kits Web site.
For development information about Active Directory, see the Active Directory Programmer's Guide at the Microsoft Web site.
For development information about Lightweight Directory Access Protocol (LDAP), see the Lightweight Directory Access Protocol API at the Microsoft Web site.
For information about obtaining valid object identifiers, see Active Directory Naming Registration at the Microsoft Web site.
For information about Request for Comments (RFCs) and Internet drafts, see the Internet Engineering Task Force Web site.
Note
Web addresses can change, so you might be unable to connect to the Web site or sites mentioned here.
Tool
Description
Movetree
SIDWalk
Set the access control lists on objects previously owned by accounts that were moved, orphaned, or deleted.
LDP
Allows LDAP operations to be performed against Active Directory. This tool has a graphical user interface (GUI).
Dnscmd
Enables administrator to check presence of domain controller locator records in DNS, add or delete such records and perform configuration of
DNS servers, zones and records.
DSACLS
Netdom
Batch management of trusts, joining computers to domains, verifying trusts and secure channels.
NETDiag
NLTest
Repadmin
Check replication consistency between replication partners, monitor replication status, display replication metadata, force replication events and
knowledge consistency checker recalculation.
Replmon
Display replication topology, monitor replication status (including group policies), force replication events and knowledge consistency checker
recalculation. This tool has a graphical user interface (GUI).
DSAStat
ADSI Edit
A Microsoft Management Console (MMC) snap-in used to view all objects in the directory (including schema and configuration information),
modify objects and set access control lists on objects.
SDCheck
Check access control list propagation and replication for specified objects in the directory. This tool enables an administrator to determine if
access control lists are being inherited correctly and if access control list changes are being replicated from one domain controller to another.
ACLDiag
Determine whether a user has been assigned or denied access to a directory object. It can also be used to reset access control lists to their
default state.
DFSUtil
Command-line utility for managing all aspects of Distributed File System (DFS), checking the configuration concurrency of DFS servers, and
displaying the DFS topology.
Dcdiag
Analyzes the state of domain controllers in a forest or enterprise and reports any problems to assist in troubleshooting.
Active Directory
Migration Tool
(ADMT)
A Microsoft Management Console (MMC) snap-in used to migrate user accounts, groups, and computer accounts from Windows NT 4.0 domains
to Active Directory domains (available on the installation compact disk in the \i386\ADMT folder).
For more information, see Install Windows Support Tools and Using the Windows Deployment and Resource Kits.
2014 Microsoft. All rights reserved.
Programming interfaces
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Programming interfaces
Active Directory Service Interfaces (ADSI) provides a simple, powerful, object-oriented interface to Active Directory. ADSI makes it easy for programmers and administrators
to create directory programs by using high-level tools, such as Microsoft Visual Basic, without having to worry about the underlying differences between the different
namespaces.
ADSI enables you to build or buy programs that give you a single point of access to multiple directories in your network environment, whether those directories are based
on LDAP or another protocol. ADSI is fully scriptable for ease of use by administrators.
For more information about ADSI, see the Active Directory Programmer's Guide at the Microsoft Web site and the Using the Windows Deployment and Resource Kits.
Active Directory also provides support for Messaging Application Programming Interface (MAPI), so legacy MAPI programs will continue to work with Active Directory.
In addition, Active Directory supports the LDAP C API as a lower-level interface for C programmers. For more information, see the Lightweight Directory Access Protocol
(LDAP) API at the Microsoft Web site.
2014 Microsoft. All rights reserved.