ACTIVE DIRECTORY – DNS – FSMO – GROUP POLICY

What Is Active Directory?

Active Directory consists of a series of components that constitute both its logical
structure and its physical structure. It provides a way for organizations to centrally
manage and store their user objects, computer objects, group membership, and
define security boundaries in a logical database structure.

Purpose of Active Directory

Active Directory stores information about users, computers, and network resources
and makes the resources accessible to users and applications. It provides a
consistent way to name, describe, locate, access, manage, and secure information
about these resources

Functions of Active Directory

Active Directory provides the following functions:

● Centralizes control of network resources
By centralizing control of resources such as servers, shared files, and printers,
only authorized users can access resources in Active Directory.
● Centralizes and decentralizes resource management
Administrators have Centralized Administration with the ability to delegate
administration of subsets of the network to a limited number of individuals giving
them greater granularity in resource management.
● Store objects securely in a logical structure
Active Directory stores all of the resources as objects in a secure, hierarchical
logical structure.
● Optimizes network traffic
The physical structure of Active Directory enables you to use network bandwidth
more efficiently. For example, it ensures that, when users log on to the network,
the authentication authority that is nearest to the user, authenticates them
reducing the amount of network traffic.

Sites within Active Directory

Sites are defined as groups of well-connected computers. When you establish sites, domain
controllers within a single site communicate frequently. This communication minimizes the
latency within the site; that is, the time required for a change that is made on one domain
controller to be replicated to other domain controllers. You create sites to optimize the use of
bandwidth between domain controllers that are in different locations

1
Operations Master Roles

When a change is made to a domain, the change is replicated across all of the
domain controllers in the domain. Some changes, such as those made to the schema,
are replicated across all of the domains in the forest. This replication is called
multimaster replication.
During multimaster replication, a replication conflict can occur if originating updates
are performed concurrently on the same object attribute on two domain controllers. To
avoid replication conflicts, Active Directory uses single master replication, which
designates one domain controller as the only domain controller on which certain
directory changes can be made. This way, changes cannot occur at different places in
the network at the same time. Active Directory uses single master replication for
important changes, such as the addition of a new domain or a change to the forest-
wide schema.
Operations that use single-master replication are arranged together in specific roles in
a forest or domain. These roles are called operations master roles. For each
operations master role, only the domain controller that holds that role can make the
associated directory changes. The domain controller that is responsible for a particular
role is called an operations master for that role. Active Directory stores information
about which domain controller holds a specific role.

Forest-wide Roles

Forest-wide roles are unique to a forest, forest-wide roles are:

● Schema master
Controls all updates to the schema. The schema contains the master list of object
classes and attributes that are used to create all Active Directory objects, such as
users, computers, and printers.
● Domain naming master
Controls the addition or removal of domains in the forest. When you add a new
domain to the forest, only the domain controller that holds the domain naming
master role can add the new domain.
There is only one schema master and one domain naming master in the entire forest.

Domain-wide Roles

Domain-wide roles are unique to each domain in a forest, the domain-wide roles are:
● Primary domain controller emulator (PDC)
Acts as a Windows NT PDC to support any backup domain controllers (BDCs)
running Microsoft Windows® NT within a mixed-mode domain. This type of
domain has domain controllers that run Windows NT 4.0. The PDC emulator is the
first domain controller that you create in a new domain.
2
● Relative identifier master (RID)
When a new object is created, the domain controller creates a new security
principal that represents the object and assigns the object a unique security
identifier (SID). This SID consists of a domain SID, which is the same for all
security principals created in the domain, and a RID, which is unique for each
security principal created in the domain. The RID master allocates blocks of RIDs
to each domain controller in the domain. The domain controller then assigns a
RID to objects that are created from its allocated block of RIDs.
● Infrastructure master
when objects are moved from one domain to another, the infrastructure master
updates object references in its domain that point to the object in the other
domain. The object reference contains the object’s globally unique identifier
(GUID), distinguished name, and a SID. Active Directory periodically updates the
distinguished name and the SID on the object reference to reflect changes made
to the actual object, such as moves within and between domains and the deletion
of the object.

The global catalog contains:

● The attributes that are most frequently used in queries, such as a user’s first
name, last name, and logon name.
● The information that is necessary to determine the location of any object in the
directory.
● The access permissions for each object and attribute that is stored in the global
catalog. If you search for an object that you do not have the appropriate
permissions to view, the object will not appear in the search results. Access
permissions ensure that users can find only objects to which they have been
assigned access.
A global catalog server is a domain controller that, in addition to its full, writable
domain directory partition replica, also stores a partial, read-only replica of all other
domain directory partitions in the forest. Taking a user object as an example, it would
by default have many different attributes such as first name, last name, phone
number, and many more. The GC will by default only store the most common of those
attributes that would be used in search operations (such as a user’s first and last
names, or login name, for example). The partial attributes that it has for that object
would be enough to allow a search for that object to be able to locate the full replica of
the object in active directory. This allows searches done against a local GC, and
reduces network traffic over the WAN in an attempt to locate objects somewhere else
in the network.
Domain Controllers always contain the full attribute list for objects belonging to their
domain. If the Domain Controller is also a GC, it will also contain a partial replica of
objects from all other domains in the forest.

Active Directory uses DNS as the name resolution service to identify domains and
domain host computers during processes such as logging on to the network.

3
 Similar to the way a Windows NT 4.0 client will query WINS for a NetBIOS
DOMAIN[1B] record to locate a PDC, or a NetBIOS DOMAIN[1C] record for domain
controllers, a Windows 2000, 2003, or Windows XP client can query DNS to find a
domain controller by looking for SRV records.

Integration of DNS and Active Directory

The integration of DNS and Active Directory is essential because a client computer in
a Windows 2000 network must be able to locate a domain controller so that users can
log on to a domain or use the services that Active Directory provides. Clients locate
domain controllers and services by using A resource records and SRV records. The A
resource record contains the FQDN and IP address for the domain controller. The
SRV record contains the FQDN of the domain controller and the name of the service
that the domain controller provides.

What Are Active Directory Integrated Zones?

One benefit of integrating DNS and Active Directory is the ability to integrate DNS
zones into an Active Directory database. A zone is a portion of the domain namespace
that has a logical grouping of resource records, which allows zone transfers of these
records to operate as one unit.

Active Directory Integrated Zones

Microsoft DNS servers store information that is used to resolve host names to IP
addresses and IP addresses to host names in a database file that has the extension
.dns for each zone.
Active Directory integrated zones are primary zones that are stored as objects in the
Active Directory database. If zone objects are stored in an Active Directory domain
partition, they are replicated to all domain controllers in the domain.

What Are DNS Zones?

A zone starts as a storage database for a single DNS domain name. If other domains
are added below the domain used to create the zone, these domains can either be
part of the same zone or belong to another zone. Once a subdomain is added, it can
then either be:
● Managed and included as part of the original zone records, or
● Delegated away to another zone created to support the subdomain

4
Types of Zones

1
There are two types of zones, forward lookup and reverse lookup. Forward lookup
zones contain information needed to resolve names within the DNS domain. They
must include SOA and NS records and can include any type of resource record except
the PTR resource record. Reverse lookup zones contain information needed to
perform reverse lookups. They usually include SOA, NS, PTR, and CNAME records.
With most queries, the client supplies a name and requests the IP address that
corresponds to that name. This type of query is typically described as a forward
lookup. Active Directory requires forward lookup zones.
However, what if a client already has a computer's IP address and wants to determine
the DNS name for the computer? This is important for programs that implement
security based on the connecting FQDN, and is used for TCP/IP network
troubleshooting. The DNS standard provides for this possibility through reverse
lookups.
Once you have installed Active Directory, you have two options for storing your zones
when operating the DNS server at the new domain controller:

Standard Zone
Zones stored this way are located in .dns text files that are stored in the
%SystemRoot%\System32\Dns folder on each computer operating a DNS server.
Zone file names correspond to the name you choose for the zone when creating it,
such as Example.microsoft.com.dns if the zone name was
example.microsoft.com.
This type offers the choice of using either a Standard Primary zone or a Standard
Secondary zone.

Standard Primary Zone

For standard primary-type zones, only a single DNS server can host and load the
master copy of the zone. If you create a zone and keep it as a standard primary zone,
no additional primary servers for the zone are permitted. Only one server is allowed to
accept dynamic updates, also known as DDNS, and process zone changes. The
standard primary model implies a single point of failure.

Standard Secondary Zone

A secondary name server gets the data for its zones from another name server (either
a primary name server or another secondary name server) for that zone across the
network. The data in a Secondary zone is Read only, and updated information must
come from additional zone transfers. The process of obtaining this zone information
(i.e., the database file) across the network is referred to as a zone transfer. Zone
transfers occur over TCP port 53.
Secondary servers can provide a means to offload DNS query traffic in areas of the
network where a zone is heavily queried and used. Additionally, if a primary server is
down, a secondary server can provide some name resolution in the zone until the
primary server is available.

5
 Note A Standard Primary zone will not replicate its information to any other DNS
servers, but may allow zone transfers to Secondary zones. Win2003 also supports
stub zones. A secondary or stub zone cannot be hosted on a DNS server that
hosts a primary zone for the same domain name.

Directory-integrated Zone
Zones stored this way are located in the Active Directory tree under the domain object
container. Each directory-integrated zone is stored in a dnsZone container object
identified by the name you choose for the zone when creating it. Active Directory
integrated zones will replicate this information to other domain controllers in that
domain.

Note If DNS is running on a Windows 2000 server that is not a domain controller, it will
not be able to use an Active Directory integrated zones, or replicate with other
domain controllers since it does not have Active Directory installed.

DNS Records

After you create a zone, additional resource records need to be added to it. The most
common resource records (RRs) to be added are:
Table 1. Record Types
Name Description
Host (A) For mapping a DNS domain name to an IP address used by a
computer.
Alias (CNAME) For mapping an alias DNS domain name to another primary or
canonical name.
Mail Exchanger For mapping a DNS domain, name to the name of a computer that
(MX) exchanges or forwards mail.
Pointer (PTR) For mapping a reverse DNS domain name based on the IP address of
a computer that points to the forward DNS domain name of that
computer.
Service location For mapping a DNS domain name to a specified list of DNS host
(SRV) computers that offer a specific type of service, such as Active Directory
domain controllers.
Other resource records as needed.

6
Q1. What does the logical component of the Active Directory structure include?

■ Objects:-Resources are stored in the Active Directory as objects.

Sub category: object class

An object is really just a collection of attributes. A user object, for example, is made up of
attributes such as name, password, phone number, group membership, and so on. The
attributes that make up an object are defined by an object class. The user class, for example,
specifies the attributes that make up the user object.

The Active Directory Schema:-

The classes and the attributes that they define are collectively referred to as the Active
Directory Schema—in database terms, a schema is the structure of the tables and fields and
how they are related to one another. You can think of the Active Directory Schema as a
collection of data (object classes) that defines how the real data of the directory (the attributes
of an object) is organized and stored

■ Domains

The basic organizational structure of the Windows Server 2003 networking model is the
domain. A domain represents an administrative boundary. The computers, users, and other
objects within a domain share a common security database.

■ Trees

Multiple domains are organized into a hierarchical structure called a tree. Actually, even if you
have only one domain in your organization, you still have a tree. The first domain you create in
a tree is called the root domain. The next domain that you add becomes a child domain of that
root. This expandability of domains makes it possible to have many domains in a tree. Figure
1-1 shows an example of a tree. Microsoft.com was the first domain created in Active Directory
in this example and is therefore the root domain.

Microsoft.com

sales.microsoft.co RND.Microsoft.com
m

East.Microsoft.com West.Microsoft.com

7
Figure 1-1 A tree is a hierarchical organization of multiple domains.
All domains in a tree share a common schema and a contiguous namespace. In the example
shown in Figure 1-1, all of the domains in the tree under the microsoft.com root domain share
the namespace microsoft.com. Using a single tree is fine if your organization is confined within
a single DNS namespace. However, for organizations that use multiple DNS namespaces,
your model must be able to expand outside the boundaries of a single tree. This is where the
forest comes in.

■ Forest

A forest is a group of one or more domain trees that do not form a contiguous namespace but
may share a common schema and global catalog. There is always at least one forest on a
network, and it is created when the first Active Directory–enabled computer (domain controller)
on a network is installed.

This first domain in a forest, called the forest root domain, is special because it holds the
schema and controls domain naming for the entire forest. It cannot be removed from the forest
without removing the entire forest itself. Also, no other domain can ever be created above the
forest root domain in the forest domain hierarchy.

Figure 1-2 shows an example of a forest with two trees. Each tree in the forest has its own
namespace. In the figure, microsoft.com is one tree and contoso.com is a second tree. Both
are in a forest named microsoft.com (after the first domain created)

Root domain of Root domain of

microsoft.com Contoso.com
forest & tree forest

Microsoft.com

Contoso.com

sales.microsoft.co RND.Microsoft.com
m

West.contoso.com
East.contoso.com

East.Microsoft.com West.Microsoft.com

Figure 1-2 Trees in a forest share the same schema, but not the same namespace.

8
A forest is the outermost boundary of Active Directory; the directory cannot be larger than the
forest. However, you can create multiple forests and then create trust relationships between
specific domains in those forests; this would let you grant access to resources and accounts
that are outside of a particular forest.

■Organizational Units

Organizational Units (OUs) provide a way to create administrative boundaries within a domain.
Primarily, this allows you to delegate administrative tasks within the domain.

OUs serve as containers into which the resources of a domain can be placed. You can then
assign administrative permissions on the OU itself. Typically, the structure of OUs follows an
organization’s business or functional structure. For example, a relatively small organization
with a single domain might create separate OUs for departments within the organization.

Q2. What does the physical structure of active directory contain?

Physical structures include domain controllers and sites.

Q3.What is nesting?

The creation of an OU inside another OU.

IMP: - once you go beyond about 12 OUs deep in a nesting structure, you start running into
significant performance issues.

Q4. What is trust relationship and how many types of trust relationship is there in
exchange 2003?

Since domains represent security boundaries, special mechanisms called trust relationships
allow objects in one domain (called the trusted domain) to access resources in another
domain (called the trusting domain).

Windows Server 2003 supports six types of trust relationships:

■ Parent and child trusts

■ Tree-root trusts
■ External trusts
■ Shortcut trusts
■ Realm trusts
■ Forest trusts

9
Q5. What is a site?

A Windows Server 2003 site is a group of domain controllers that exist on one or more IP
subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network
connection. Fast means connections of at least 1Mbps. In other words, a site usually follows
the boundaries of a local area network (LAN). If different LANs on the network are connected
by a wide area network (WAN), you’ll likely create one site for each LAN.

Q6. What is the use of site?

Sites are primarily used to control replication traffic. Domain controllers within a site are pretty
much free to replicate changes to the Active Directory database whenever changes are made.
Domain controllers in different sites compress the replication traffic and operate based on a
defined schedule, both of which are intended to cut down on network traffic.

More specifically, sites are used to control the following:

■ Workstation logon traffic

■ Replication traffic
■ Distributed File System (DFS)

Distributed File System (DFS) is a server component that provides a unified naming
convention for folders and files stored on different servers on a network. DFS lets you create a
single logical hierarchy for folders and files that is consistent on a network, regardless of
where on the network those items are actually stored. Files represented in the DFS might be
stored in multiple locations on the network, so it makes sense that Active Directory should be
able to direct users to the closest physical location of the data they need. To this end, DFS
uses site information to direct a client to the server that is hosting the requested data within
the site. If DFS does not find a copy of the data within the same site as the client, DFS uses
the site information in Active Directory to determine which file server that has DFS shared data
is closest to the client.

■ File Replication Service (FRS)

Every domain controller has a built-in collection of folders named SYSVOL (for System
Volume). The SYSVOL folders provide a default Active Directory location for files that must be
replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects,
startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service
named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders
between domain controllers. FRS uses site boundaries to govern the replication of items in the
SYSVOL folders.

Q7. What are the objects a site contains?

Sites contain only two types of objects. The first type is the domain controllers contained in the
site. The second type of object is the site links configured to connect the site to other sites.

10
Q8.What is a Site link?

Within a site, replication happens automatically. For replication to occur between sites, you
must establish a link between the sites. There are two components to this link: the actual
physical connection between the sites (usually a WAN link) and a site link object. The site link
object is created within Active Directory and determines the protocol used for transferring
replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link
object also governs when replication is scheduled to occur.

Q9. Explain Replication in Active directory?

Windows Server 2003 uses a replication model called multimaster replication, in which all
replicas of the Active Directory database are considered equal masters. You can make
changes to the database on any domain controller and the changes will be replicated to other
domain controllers in the domain.

Domain controllers in the same site replicate on the basis of notification. When changes are
made on a domain controller, it notifies its replication partners (the other domain controllers in
the site); the partners then request the changes and replication occurs. Because of the high-
speed, low-cost connections assumed within a site, replication occurs as needed rather than
according to a schedule.

You should create additional sites when you need to control how replication traffic occurs over
slower WAN links. For example, suppose you have a number of domain controllers on your
main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are
connected to one another with a slow (256K) WAN link. You would want replication traffic to
occur as needed between the domain controllers on each LAN, but you would want to control
traffic across the WAN link to prevent it from affecting higher priority network traffic. To address
this situation, you would set up two sites— one site that contained all the domain controllers
on the main LAN and one site that contained all the domain controllers on the remote LAN.

Q10. What are the different types of replication?

Single site (called intrasite replication)

Replication between sites (called intersite replication).

■ Intrasite Replication Intrasite replication sends replication traffic in an uncompressed

format. This is because of the assumption that all domain controllers within the site are
connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs
according to a change notification mechanism. This means that if changes are made in the
domain, those changes are quickly replicated to the other domain controllers.

■ Intersite Replication Intersite replication sends all data compressed. This shows an
appreciation for the fact that the traffic will probably be going across slower WAN links (as
opposed to the LAN connectivity intrasite replication assumes), but it increases the server load
because compression/decompression is added to the processing requirements. In addition to
the compression, the replication can be scheduled for times that are more appropriate to your
organization. For example, you may decide to allow replication only during slower times of the
11
day. Of course, this delay in replication (based on the schedule) can cause inconsistency
between servers in different sites.

Q11. What is LDAP?

LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other
programs use to look up information from a server.

An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the
objects stored in the directory and publishes them. LDAP-aware clients can query the server in
a wide variety of ways.

Q12.What types of naming convention active directory uses?

Active Directory supports several types of names for the different formats that can
accessActive Directory.
These names include:

■ Relative Distinguished Names

The relative distinguished name (RDN) of an object identifies an object uniquely, but only
within its parent container. Thus the name uniquely identifies the object relative to the other
objects within the same container. In the example

CN=wjglenn,CN=Users,DC=contoso,DC=com,

the relative distinguished name of the object is CN=wjglenn. The relative distinguished name
of the parent organizational unit is Users. For most objects, the relative distinguished name of
an object is the same as that object’s Common Name attribute. Active Directory creates the
relative distinguished name automatically, based on information provided when the object is
created. Active Directory does not allow two objects with the same relative distinguished name
to exist in the same parent container.

The notations used in the relative distinguished name (and in the distinguished name
discussed in the next section) use special notations called LDAP attribute tags to identify each
part of the name. The three attribute tags used include:

■ DC The Domain Component (DC) tag identifies part of the DNS name of the domain, such
as COM or ORG.
■ OU The Organizational Unit (OU) tag identifies an organizational unit container.
■ CN The Common Name (CN) tag identifies the common name configured for an Active
Directory object.

■ Distinguished Names

Each object in the directory has a distinguished name (DN) that is globally unique and
identifies not only the object itself, but also where the object resides in the overall object
hierarchy. You can think of the distinguished name as the relative distinguished name of an

12
object concatenated with the relative distinguished names of all parent containers that make
up the path to the object.

An example of a typical distinguished name would be:

CN=wjglenn,CN=Users,DC=contoso,DC=com.

This distinguished name would indicate that the user object wjglenn is in the Users container,
which in turn is located in the contoso.com domain. If the wjglenn object is moved to another
container, its DN will change to reflect its new position in the hierarchy. Distinguished names
are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name
uniquely identifies an object’s placement in a DNS hierarchy. You cannot have two objects with
the same distinguished name.

■ User Principal Names

The user principal name that is generated for each object is in the form username@
domain_name. Users can log on with their user principal name, and an administrator can
define suffixes for user principal names if desired. User principal names should be unique, but
Active Directory does not enforce this requirement. It’s best, however, to formulate a naming
convention that avoids duplicate user principal names.

■ Canonical Names

An object’s canonical name is used in much the same way as the distinguished name— it just
uses a different syntax. The same distinguished name presented in the preceding section
would have the canonical name:

contoso.com/Users/wjglenn.

As you can see, there are two primary differences in the syntax of distinguished names and
canonical names. The first difference is that the canonical name presents the root of the path
first and works downward toward the object name. The second difference is that the canonical
name does not use the LDAP attribute tags (e.g., CN and DC).

Q13. What is multimaster replication?

Active Directory follows the multimaster replication which every replica of the Active Directory
partition held on every domain is considered an equal master. Updates can be made to
objects on any domain controller, and those updates are then replicated to other domain
controllers.

Q14.Which two operations master roles should be available when new security
principals are being created and named?

Domain naming master and the relative ID master

13
Q15. What are different types of groups?

■ Security groups Security groups are used to group domain users into a single
administrative unit. Security groups can be assigned permissions and can also be used as e-
mail distribution lists. Users placed into a group inherit the permissions assigned to the group
for as long as they remain members of that group. Windows itself uses only security groups.

■ Distribution groups These are used for nonsecurity purposes by applications other than
Windows. One of the primary uses is within an e-mail

As with user accounts, there are both local and domain-level groups. Local groups are stored
in a local computer’s security database and are intended to control resource access on that
computer. Domain groups are stored in Active Directory and let you gather users and control
resource access in a domain and on domain controllers.

Q16. What is a group scope and what are the different types of group scopes?

Group scopes determine where in the Active Directory forest a group is accessible and what
objects can be placed into the group. Windows Server 2003 includes three group scopes:
global, domain local, and universal.

■ Global groups are used to gather users that have similar permissions requirements. Global
groups have the following characteristics:

1. Global groups can contain user and computer accounts only from the domain in which the
global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003
(i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain
other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a
forest.

■ Domain local groups exist on domain controllers and are used to control access to
resources located on domain controllers in the local domain (for member servers and
workstations, you use local groups on those systems instead). Domain local groups share the
following characteristics:

1. Domain local groups can contain users and global groups from any domain in a forest no
matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003,
domain local groups can also contain other domain local groups and universal groups.

■ Universal groups are normally used to assign permissions to related resources in multiple
domains. Universal groups share the following characteristics:

1. Universal groups are available only when the forest functional level is set to Windows 2000
native or Windows Server 2003.
2. Universal groups exist outside the boundaries of any particular domain and are managed by
Global Catalog servers.
3. Universal groups are used to assign permissions to related resources in multiple domains.

14
4. Universal groups can contain users, global groups, and other universal groups from any
domain in a forest.
5. You can grant permissions for a universal group to any resource in any domain.

Q17. What are the items that groups of different scopes can contain in mixed and native
mode domains?

Q18. What is group nesting?

Placing of one group in another is called as group nesting

For example, suppose you had juniorlevel administrators in four different geographic locations,
as shown in Figure 4-10. You could create a separate group for each location (named
something like Dallas Junior
Admins). Then, you could create a single group named Junior Admins and make each of the
location-based groups a member of the main group. This approach would allow you to set
permissions on a single group and have those permissions flow down to the members, yet still
be able to subdivide the junior administrators by location.

Q19. How many characters does a group name contain?

64

Q20. Is site part of the Active Directory namespace?

NO: - When a user browses the logical namespace, computers and users are grouped into
domains and OUs without reference to sites. However, site names are used in the Domain
Name System (DNS) records, so sites must be given valid DNS names.

15
Q21. What is DFS?

The Distributed File System is used to build a hierarchical view of multiple file servers and
shares on the network. Instead of having to think of a specific machine name for each set of
files, the user will only have to remember one name; which will be the 'key' to a list of shares
found on multiple servers on the network. Think of it as the home of all file shares with links
that point to one or more servers that actually host those shares.

DFS has the capability of routing a client to the closest available file server by using Active
Directory site metrics. It can also be installed on a cluster for even better performance and
reliability.

Understanding the DFS Terminology

It is important to understand the new concepts that are part of DFS. Below is an definition of
each of them.

Dfs root: You can think of this as a share that is visible on the network, and in this share you
can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a
user opens this link they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two
identical shares, normally stored on different servers, you can group them together as Dfs
Targets under the same link.

The image below shows the actual folder structure of what the user sees when using DFS and
load balancing.

Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows
2000, which has been improved to better performance and add additional fault tolerance, load
balancing and reduced use of network bandwidth. It also comes with a powerful set of
command-line scripting tools which can be used to make administrative backup and
restoration tasks of the DFS namespaces easier. The client windows operating system
consists of a DFS client which provides additional features as well as caching.

16
Q22. What are the types of replication in DFS?

There are two types of replication:

* Automatic - which is only available for Domain DFS
* Manual - which is available for stand alone, DFS and requires all files to be replicated
manually.

Q23. Which service is responsible for replicating files in SYSVOL folder?

File Replication Service (FRS)

Q24. What all can a site topology owner do?

The site topology owner is the name given to the administrator (or administrators) that oversee
the site
topology. The owner is responsible for making any necessary changes to the site as the
physical network grows and changes. The site topology owner’s responsibilities include:

■ Making changes to the site topology based on changes to the physical network topology.
■ Tracking subnetting information for the network. This includes IP addresses, subnet masks,
and the locations of the subnets.
■ Monitoring network connectivity and setting the costs for links between sites.

Q1. What is DNS.

DNS provides name registration and name to address resolution capabilities. And DNS
drastically lowers the need to remember numeric IP addresses when accessing hosts on the
Internet or any other TCP/IP-based network.
Before DNS, the practice of mapping friendly host or computer names to IP addresses was
handled via host files. Host files are easy to understand. These are static ASCII text files that
simply map a host name to an IP address in a table-like format. Windows ships with a
HOSTS file in the \winnt\system32\drivers\etc subdirectory
The fundamental problem with the host files was that these files were labor intensive. A host
file is manually modified, and it is typically centrally administrated.
The DNS system consists of three components: DNS data (called resource records), servers
(called name servers), and Internet protocols for fetching data from the servers.

17
Q2. Which are the four generally accepted naming conventions?
NetBIOS Name (for instance, SPRINGERS01)

TCP/IP Address (121.133.2.44)

Host Name (Abbey)

Media Access Control (MAC)—this is the network adapter hardware address

Q3. How DNS really works

DNS uses a client/server model in which the DNS server maintains a static database of
domain names mapped to IP addresses. The DNS client, known as the resolver, perform
queries against the DNS servers. The bottom line? DNS resolves domain names to IP
address using these steps

Step 1. A client (or “resolver”) passes its request to its local name server. For example, the
URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server
identified in the client TCP/IP configuration. This DNS server is known as the local name
server.

Step 2. If, as often happens, the local name server is unable to resolve the request, other
name servers are queried so that the resolver may be satisfied.

Step 3. If all else fails, the request is passed to more and more, higher-level name servers
until the query resolution process starts with far-right term (for instance, com) or at the top of
the DNS tree with root name servers

18
Below is the Steps explained with the help of a chart.
Figure 8-5: How DNS works

Q4. Which are the major records in DNS?

1. Host or Address Records (A):- map the name of a machine to its numeric IP address. In
clearer terms, this record states the hostname and IP address of a certain machine. Have
three fields: Host Name, Domain, Host IP Address.
E.g.:- eric.foobarbaz.com. IN A 36.36.1.6
It is possible to map more than one IP address to a given hostname. This often happens for
people who run a firewall and have two 19thernet cards in one machine. All you must do is
add a second A record, with every column the same save for the IP address.

19
2. Aliases or Canonical Name Records (CNAME)
“CNAME” records simply allow a machine to be known by more than one hostname. There
must always be an A record for the machine before aliases can be added. The host name of
a machine that is stated in an A record is called the canonical, or official name of the
machine. Other records should point to the canonical name. Here is an example of a
CNAME:
www.foobarbaz.com. IN CNAME eric.foobarbaz.com.
You can see the similarities to the previous record. Records always read from left to right,
with the subject to be queried about on the left and the answer to the query on the right. A
machine can have an unlimited number of CNAME aliases. A new record must be entered
for each alias.
You can add A or CNAME records for the service name pointing to the machines you want to
load balance.
3. Mail Exchange Records (MX)
MX” records are far more important than they sound. They allow all mail for a domain to be
routed to one host. This is exceedingly useful – it abates the load on your internal hosts
since they do not have to route incoming mail, and it allows your mail to be sent to any
address in your domain even if that particular address does not have a computer associated
with it. For example, we have a mail server running on the fictitious machine
eric.foobarbaz.com. For convenience sake, however, we want our email address to be
“user@foobarbaz.com” rather than “user@eric.foobarbaz.com”. This is accomplished by the
record shown below:
foobarbaz.com. IN MX 10 eric.foobarbaz.com.
The column on the far left signifies the address that you want to use as an Internet email
address. The next two entries have been explained thoroughly in previous records. The next
column, the number “10”, is different from the normal DNS record format. It is a signifier of
priority. Often larger systems will have backup mail servers, perhaps more than one.
Obviously, you will only want the backups receiving mail if something goes wrong with the
primary mail server. You can indicate this with your MX records. A lower number in an MX
record means a higher priority, and mail will be sent to the server with the lowest number
(the lowest possible being 0). If something happens so that this server becomes
unreachable, the computer delivering the mail will attempt every other server listed in the
DNS tables, in order of priority.
Obviously, you can have as many MX records as you would like. It is also a good idea to
include an MX record even if you are having mail sent directly to a machine with an A record.
Some sendmail programs only look for MX records.
It is also possible to include wildcards in MX records. If you have a domain where your users
each have their own machine running mail clients on them, mail could be sent directly to
each machine. Rather than clutter your DNS entry, you can add an MX record like this one:
*.foobarbaz.com. IN MX 10 eric.foobarbaz.com.
This would make any mail set to any individual workstation in the foobarbaz.com domain go
through the server eric.foobarbaz.com.

20
One should use caution with wildcards; specific records will be given precedence over ones
containing wildcards.

4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most
frequently used method, called “in-addr.arpa”.
In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be
recognized by its IP address. Resolving a machine in this fashion is called a “reverse
lookup”. It is becoming more and more common that a machine will do a reverse lookup on
your machine before allowing you to access a service (such as a World Wide Web page).
Reverse lookups are a good security measure, verifying that your machine is exactly who it
claims to be. In-addr.arpa records look as such:
6.1.36.36.in-addr.arpa. IN PTR eric.foobarbaz.com.
As you can see from the example for the A record in the beginning of this document, the
record simply has the IP address in reverse for the host name in the last column.
A note for those who run their own name servers: although Allegiance Internet is capable of
pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa
records) unless you have been assigned a full class C network. If you would like us to put
PTR records in our name servers for you, you will have to fill out the online web form on the
support.allegianceinternet.com page.
5. Name Server Records (NS)
NS records are imperative to functioning DNS entries. They are very simple; they merely
state the authoritative name servers for the given domain. There must be at least two NS
records in every DNS entry. NS records look like this:
foobarbaz.com. IN NS draven.foobarbaz.com.
There also must be an A record in your DNS for each machine you enter as A NAME server
in your domain.
If Allegiance Internet is doing primary and secondary names service, we will set up these
records for you automatically, with “nse.algx.net” and “nsf.algx.net” as your two authoritative
name servers.
6. Start Of Authority Records (SOA)
The “SOA” record is the most crucial record in a DNS entry. It conveys more information than
all the other records combined. This record is called the start of authority because it denotes
the DNS entry as the official source of information for its domain. Here is an example of a
SOA record, then each part of it will be explained:
foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (

1996111901 ; Serial
10800 ; Refresh

21
3600 ; Retry

3600000 ; Expire
86400 ) ; Minimum
The first column contains the domain for which this record begins authority for. The next two
entries should look familiar. The “draven.foobarbaz.com” entry is the primary name server for
the domain. The last entry on this row is actually an email address, if you substituted a “@”
for the first “.”. There should always be a viable contact address in the SOA record.
The next entries are a little more unusual then what we have become used to. The serial
number is a record of how often this DNS entry has been updated. Every time a change is
made to the entry, the serial number must be incremented. Other name servers that pull
information for a zone from the primary only pull the zone if the serial number on the primary
name server’s entry is higher than the serial number on it’s entry. In this way the name
servers for a domain are able to update themselves. A recommended way of using your
serial number is the YYYYMMDDNN format shown above, where the NN is the number of
times that day the DNS has been changed.
Also, a note for Allegiance Internet customers who run their own name servers: even if the
serial number is incremented, you should still fill out the web form and use the comment box
when you make changes asking us to pull the new zones.
All the rest of the numbers in the record are measurements of time, in seconds. The “refresh”
number stands for how often secondary name servers should check the primary for a
change in the serial number. “Retry” is how long a secondary server should wait before
trying to reconnect to primary server if the connection was refused. “Expire” is how long the
secondary server should use its current entry if it is unable to perform a refresh, and
“minimum” is how long other name servers should cache, or save, this entry.
There can only be one SOA record per domain. Like NS records, Allegiance Internet
sets up this record for you if you are not running your own name server.
Quick Summary of the major records in DNS

Record Type Definition

Host (A) Maps host name to IP address in a DNS zone. Has three fields:
Domain, Host Name, Host IP Address.
Aliases (CNAME) Canonical name resource record that creates an alias for a host
name. CNAME records are typically used to hide implementation
details from clients. Fields include: Domain, Alias Name, For Host
DNS Name.
Nameservers (NS) Identifies the DNS name servers in the DNS domain. NS records
appear in all DNS zones and reverse zones. Fields include: Domain,
Name Server DNS Name.
Pointer (PTR) Maps IP address to host name in a DNS reverse zone. Fields
include: IP Address, Host DNS Name.

22
Mail Exchange (MX) Specifies a mail exchange server for a DNS domain name. Note that
the term “exchange” does not refer to Microsoft Exchange, a
BackOffice e-mail application. However, to connect Microsoft
Exchange to the Internet via the Internet Mail Server (IMS), the MX
record must be correctly configured by your ISP.

A mail exchange server is a host that will either process or forward

mail for the DNS domain name. Processing the mail means either
delivering it to the addressee or passing it to a different type of mail
transport. Forwarding the mail means sending it to its final destination
server, sending it using Simple Mail Transfer Protocol to another mail
server that is closer to the final destination, or queuing it for a
specified amount of time.

Fields include: Domain, Host Name (Optional), Mail Exchange Server

DNS Name, Preference Number.

Q5.What is a DNS zone

A zone is simply a contiguous section of the DNS namespace. Records for a zone are
stored and managed together. Often, subdomains are split into several zones to make
manageability easier. For example, support.microsoft.com and msdn.microsoft.com are
separate zones, where support and msdn are subdomains within the Microsoft.com domain.
Q6. Name the two Zones in DNS?
DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone
where updates can be made, while a secondary zone is a copy of a primary zone. For fault
tolerance purposes and load balancing, a domain may have several DNS servers that
respond to requests for the same information.
The entries within a zone give the DNS server the information it needs to satisfy requests
from other computers or DNS servers.
Q7. How many SOA record does each zone contain?
Each zone will have one SOA record. This records contains many miscellaneous settings for
the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To
Live) settings, and a serial number (incremented with every update).
Q8. Short summary of the records in DNS.
The NS records are used to point to additional DNS servers. The PTR record is used for
reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX
records are used when configuring a domain for email.

23
Q9. What is an AD-integrated zone?

AD-integrated zones store the zone data in Active Directory and use the same replication
process used to replicate other data between domain controllers. The one catch with AD-
integrated zones is that the DNS server must also be a domain controller. Overloading DNS
server responsibilities on your domain controllers may not be something you want to do if you
plan on supporting a large volume of DNS requests.

Q10.What is a STUB zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify
the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to
resolve names between separate DNS namespaces. This type of resolution may be necessary
when a corporate merger requires that the DNS servers for two separate DNS namespaces
resolve names for clients in both namespaces.
The master servers for a stub zone are one or more DNS servers authoritative for the child
zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consists of?

A stub zone consists of:

• The start of authority (SOA) resource record, name server (NS) resource records, and the
glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.

Q12. How the resolution in a stub zone takes place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub
zone, the DNS server uses the resource records in the stub zone to resolve the query. The
DNS server sends an iterative query to the authoritative DNS servers specified in the NS
resource records of the stub zone as if it were using NS resource records in its cache. If the
DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting
the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers
listed in a stub zone in its cache, but it will not store these resource records in the stub zone
itself; only the SOA, NS, and glue A resource records returned in response to the query are
stored in the stub zone. The resource records stored in the cache are cached according to the
Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records,
24
which are not written to cache, expire according to the expire interval specified in the stub
zone's SOA record, which is created during the creation of the stub zone and updated during
transfers to the stub zone from the original, primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers
specified in the stub zone.

Q 13.What is the benefits of Active Directory Integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones
are strongly recommended and provide the following benefits:
* Multimaster update and enhanced security based on the capabilities of Active
Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master
update model. In this model, a single authoritative DNS server for a zone is designated as the
primary source for the zone.

This server maintains the master copy of the zone in a local file. With this model, the primary
server for the zone represents a single fixed point of failure. If this server is not available,
update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a
multimaster update model.

In this model, any authoritative DNS server, such as a domain controller running a DNS
server, is designated as a primary source for the zone. Because the master copy of the zone
is maintained in the Active Directory database, which is fully replicated to all domain
controllers, the zone can be updated by the DNS servers operating at any domain controller
for the domain.

With the multimaster update model of Active Directory, any of the primary servers for the
directory-integrated zone can process requests from DNS clients to update the zone as long
as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to
secure a dnsZone object container in the directory tree. This feature provides granulated
access to either the zone or a specified RR in the zone.

For example, an ACL for a zone RR can be restricted so that dynamic updates are only
allowed for a specified client computer or a secure group such as a domain administrators
group. This security feature is not available with standard primary zones.

Note that when you change the zone type to be directory-integrated, the default for updating
the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-
related Active Directory objects, ACLs may only be applied to the DNS client service.

25
* Directory replication is faster and more efficient than standard DNS replication.

Because Active Directory replication processing is performed on a per-property basis, only

relevant changes are propagated. This allows less data to be used and submitted in updates
for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary
zones in the directory. It must store them in standard text files. The multimaster replication
model of Active Directory removes the need for secondary zones when all zones are stored in
Active Directory.

Q14. What is Scavenging?

DNS scavenging is the process whereby resource records are automatically removed if they
are not updated after a period of time. Typically, this applies to only resource records that were
added via DDNS, but you can also scavenge manually added, also referred to as static,
records. DNS scavenging is a recommended practice so that your DNS zones are
automatically kept clean of stale resource records.

Q15. What is the default interval when DNS server will kick off the scavenging process?

The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?

 Just wanted to ask a question about load balanced DNS servers

> via an external network load balancing appliance (i.e - F5's Big IP,
> Cisco's Content Switches/ Local Directors).
> The main question being the configuration whether to use 2
> Master/Primary Servers or is it wiser to use 1 Primary and 1
> Secondary? The reason is that I feel there are two configurations
> that could be setup. One in which only the resolvers query the
> virtual IP address on the load balancing appliance or actually
> configure your NS records to point to the Virtual Address so that all
> queries, ie - both by local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard or architected such a configuration?

26
 > VIP = 167.147.1.5
> ------------------------------------
>> Load Balancer Device |
> ------------------------------------
> |
> |
> -----------------
> | |
> ---------------- --------------
>> DNS 1 | | DNS 2 |
> ---------------- --------------
> 1.1.1.1 1.1.1.2

There's usually not much need to design solutions like these, since most
name server implementations will automatically choose the name server
that responds most quickly. In other words, if DNS 1 fails, remote
name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case, you don't need to
worry about NS records (since resolvers don't use them), just setting up
a virtual IP address.

> Also, Is there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two
manually.

Q2. How does reverse mapping work?

 How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's Dns server find the pointer records please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa.

If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts
the octets of the IP address and appends "in-addr.arpa." So, in this case, the IP
address would become the domain name 206.1.114.161.in-addr.arpa.

Then the resolver sends a query for PTR records attached to that domain name. If
necessary, the resolution process starts at the root name servers. The root name
servers refer the querier to the 161.in-addr.arpa name servers, run by an organization
called ARIN, the American Registry for Internet Numbers. These name servers refer the
querier to 1.114.161.in-addr.arpa name servers, run by Compaq. And, finally, these
name servers map the IP address to inmail.compaq.com.

27
Q3. What are the pros and cons of running slaves versus caching-only name servers?

> Question: I am in the process of setting up dns servers in several locations for my
> business. I have looked into having a primary master server running in my server
> room and adding slave servers in the other areas. I then thought I could just
> setup a primary and a single slave server and run caching only servers in the other
> areas. What are the pros and cons of these two options, or should I run a slave
> server in every location and still have a caching server with it? I just don't
> know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a

source of your own zone data on each name server. So if you have
a community of hosts near each slave that look up domain names in
your zones, the local name server can answer most of their queries.

On the other hand, administering slaves is a little more work than

administering caching-only name servers, and a little greater burden
on the primary master name server.

Q4. Can I set a TTL on a specific record?

> Is it possible to setup ttl values for individual records in bind?

Sure. You specify explicit TTLs in a record's TTL field, between the owner
field and the class field:

foo.example. 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS mail and web for a domain
> and I'm not sure that I have DNS setup properly. If the machine
> that is running the mail is the name of the domain does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a

domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX

> record for a backup mailserver.

You can't. If you want to use a backup mailer, you need to use
MX records.

> www cname 192.168.0.1

> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1

28
These CNAME records are all incorrect. CNAME records create
an alias from one domain name to another, so the field after "CNAME"
must contain a domain name, not an IP address. For example:
www CNAME foo.example.

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why do we need to put NS records for
> the zone we are authoritative for ?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from parent name server ?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers returns them in responses to queries, in the authority section of the DNS
message. Moreover, the set of NS records that comes directly from your name server
supersedes the set that a querier gets from your parent zone's name servers, so if the two
sets are different, yours "wins."

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often
get from the authoritative name servers.

Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP. For example, if you have acl's blocking
> udp traffic but allowing tcp traffic will the transfer work or will it fail
> due to the slaves inability to query for the SOA record on udp?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What's the largest number I can use in an MX record?

> Could you tell us the highest possible number we can use for the MX
> preference ?

Preference is an unsigned, 16-bit number, so the largest number you

can use is 65535.

Q9. Why are there only 13 root name servers?

> I'm very wondering why there are only 13 root servers on globally.
> Some documents explain that one of the reason is technical limit on Domain
> Name System (without any detailed explanation).
> From my understanding, it seems that some limitation of NS record numbers
> in DNS packet that specified by certain RFCs, or just Internet policy stuff.
>
> Which one is proper reason?

29
It's a technical limitation. UDP-based DNS messages can be up to 512 bytes
long, and only 13 NS records and their corresponding A records will fit into a DNS message
that size.

IMP information
http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm
Q1.Which is the FIVE FSMO roles?

Schema Master Forest Level One per forest

Domain Naming Master Forest Level One per forest
PDC Emulator Domain Level One per domain
RID Master Domain Level One per domain
Infrastructure Master Domain Level One per domain
Q2. What are their functions?
1. Schema Master (Forest level)
The schema master FSMO role holder is the Domain Controller responsible for
performing updates to the active directory schema. It contains the only writable copy
of the AD schema. This DC is the only one that can process updates to the directory
schema, and once the schema update is complete, it is replicated from the schema
master to all other DCs in the forest. There is only one schema master in the forest.
2. Domain Naming Master (Forest level)
The domain naming master FSMO role holder is the DC responsible for making
changes to the forest-wide domain name space of the directory. This DC is the only
one that can add or remove a domain from the directory, and that is it's major
purpose. It can also add or remove cross references to domains in external
directories. There is only one domain naming master in the active directory or forest.
3. PDC Emulator (Domain level)
In a Windows 2000 domain, the PDC emulator server role performs the following
functions:
Password changes performed by other DCs in the domain are replicated
preferentially to the PDC emulator first.
Authentication failures that occur at a given DC in a domain because of an incorrect
password are forwarded to the PDC emulator for validation before a bad password
failure message is reported to the user.
Account lockout is processed on the PDC emulator.
Time synchronization for the domain.
Group Policy changes are preferentially written to the PDC emulator.

Additionally, if your domain is a mixed mode domain that contains Windows NT 4

BDCs, then the Windows 2000 domain controller, that is the PDC emulator, acts as a
Windows NT 4 PDC to the BDCs.

There is only one PDC emulator per domain.

Note: Some consider the PDC emulator to only be relevant in a mixed mode domain.
This is not true. Even after you have changed your domain to native mode (no more
30
NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.
4. RID Master (Domain level)
The RID master FSMO role holder is the single DC responsible for processing RID
Pool requests from all DCs within a given domain. It is also responsible for removing
an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user, group or computer

account, it attaches a unique Security ID (SID) to the object. This SID consists of a
domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that
makes the object unique in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the
security principals it creates. When a DC's allocated RID pool falls below a threshold,
that DC issues a request for additional RIDs to the domain's RID master. The domain
RID master responds to the request by retrieving RIDs from the domain's unallocated
RID pool and assigns them to the pool of the requesting DC.

There is one RID master per domain in a directory.

5. Infrastructure Master (Domain level)
The DC that holds the Infrastructure Master FSMO role is responsible for cross
domain updates and lookups. When an object in one domain is referenced by
another object in another domain, it represents the reference by the GUID, the SID
(for references to security principals), and the distinguished name (DN) of the object
being referenced. The Infrastructure role holder is the DC responsible for updating an
object's SID and distinguished name in a cross-domain object reference.

When a user in DomainA is added to a group in DomainB, then the Infrastructure

master is involved. Likewise, if that user in DomainA, who has been added to a
group in DomainB, then changes his username in DomainA, the Infrastructure master
must update the group membership(s) in DomainB with the name change.

There is only one Infrastructure master per domain.

Q3. What if a FSMO server fails?

Schema Master No updates to the Active Directory schema will be possible.

Since schema updates are rare (usually done by certain
applications and possibly an Administrator adding an attribute to
an object), then the malfunction of the server holding the Schema
Master role will not pose a critical problem.
Domain Naming Master The Domain Naming Master must be available when adding or
removing a domain from the forest (i.e. running DCPROMO). If it
is not, then the domain cannot be added or removed. It is also
needed when promoting or demoting a server to/from a Domain
Controller. Like the Schema Master, this functionality is only
used on occasion and is not critical unless you are modifying
31
 your domain or forest structure.
PDC Emulator The server holding the PDC emulator role will cause the most
problems if it is unavailable. This would be most noticeable in a
mixed mode domain where you are still running NT 4 BDCs and
if you are using downlevel clients (NT and Win9x). Since the
PDC emulator acts as a NT 4 PDC, then any actions that depend
on the PDC would be affected (User Manager for Domains,
Server Manager, changing passwords, browsing and BDC
replication).
In a native mode domain the failure of the PDC emulator isn't as
critical because other domain controllers can assume most of the
responsibilities of the PDC emulator.
RID Master The RID Master provides RIDs for security principles (users,
groups, computer accounts). The failure of this FSMO server
would have little impact unless you are adding a very large
number of users or groups.
Each DC in the domain has a pool of RIDs already, and a
problem would occur only if the DC you adding the users/groups
on ran out of RIDs.
Infrastructure Master This FSMO server is only relevant in a multi-domain
environment. If you only have one domain, then the Infrastructure
Master is irrelevant. Failure of this server in a multi-domain
environment would be a problem if you are trying to add objects
from one domain to another.

Q4. Where are these FSMO server roles found?

The first domain controller that is installed in a Windows 2000 domain, by default,
holds all five of the FSMO server roles. Then, as more domain controllers are added
to the domain, the FSMO roles can be moved to other domain controllers.
Q5. Can you Move FSMO roles?
Yes, moving a FSMO server role is a manual process, it does not happen
automatically. But what if you only have one domain controller in your domain? That
is fine. If you have only one domain controller in your organization then you have one
forest, one domain, and of course the one domain controller. All 5 FSMO server roles
will exist on that DC. There is no rule that says you have to have one server for each
FSMO server role.

Q6. Where to place the FSMO roles?

Assuming you do have multiple domain controllers in your domain, there are some best
practices to follow for placing FSMO server roles.

32
 The Schema Master and Domain Naming Master should reside on the same server, and that
machine should be a Global Catalog server. Since all three are, by default, on the first
domain controller installed in a forest, then you can leave them as they are.
Note: According to MS, the Domain Naming master needs to be on a Global Catalog Server.
If you are going to separate the Domain Naming master and Schema master, just make sure
they are both on Global Catalog servers.

IMP:- Why Infrastructure Master should not be on the same server that acts as a Global
Catalog server?
The Infrastructure Master should not be on the same server that acts as a Global Catalog
server.
The reason for this is the Global Catalog contains information about every object in the forest.
When the Infrastructure Master, which is responsible for updating Active Directory information
about cross domain object changes, needs information about objects not in it's domain, it
contacts the Global Catalog server for this information. If they both reside on the same server,
then the Infrastructure Master will never think there are changes to objects that reside in other
domains because the Global Catalog will keep it constantly updated. This would result in the
Infrastructure Master never replicating changes to other domain controllers in its domain.
Note: In a single domain environment this is not an issue.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server.
This is not mandatory like the Infrastructure Master and the Global Catalog server above, but
is recommended. Also, since the PDC Emulator will receive more traffic than any other FSMO
role holder, it should be on a server that can handle the load.

It is also recommended that all FSMO role holders be direct replication partners and they
have high bandwidth connections to one another as well as a Global Catalog server.

Q7.What permissions you should have in order to transfer a FSMO role?

Before you can transfer a role, you must have the appropriate permissions depending on
which role you plan to transfer:

Schema Master member of the Schema Admins group

Domain Naming Master member of the Enterprise Admins group
member of the Domain Admins group and/or
PDC Emulator
the Enterprise Admins group
member of the Domain Admins group and/or
RID Master
the Enterprise Admins group
member of the Domain Admins group and/or
Infrastructure Master
the Enterprise Admins group
FSMO TOOLS

Q8. Tools to find out what servers in your domain/forest hold what server roles?

33
 1. Active Directory Users and Computers:- use this snap-in to find out where the
domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master), and
also to change the location of one or more of these 3 FSMO roles.

Open Active Directory Users and Computers, right click on the domain you want to view the
FSMO roles for and click "Operations Masters". A dialog box (below) will open with three tabs,
one for each FSMO role. Click each tab to see what server that role resides on. To change
the server roles, you must first connect to the domain controller you want to move it to. Do
this by right clicking "Active Directory Users and Computers" at the top of the Active Directory
Users and Computers snap-in and choose "Connect to Domain Controller". Once connected
to the DC, go back into the Operations Masters dialog box, choose a role to move and click
the Change button.
When you do connect to another DC, you will notice the name of that DC will be in the field
below the Change button (not in this graphic).

34
2. Active Directory Domains and Trusts - use this snap-in to find out where the
Domain Naming Master FSMO role is and to change it's location.

The process is the same as it is when viewing and changing the Domain level FSMO
roles in Active Directory Users and Computers, except you use the Active Directory
Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right click
"Active Directory Domains and Trusts" at the top of the tree, and choose "Operations
Master". When you do, you will see the dialog box below. Changing the server that
houses the Domain Naming Master requires that you first connect to the new domain
controller, then click the Change button. You can connect to another domain controller
by right clicking "Active Directory Domains and Trusts" at the top of the Active
Directory Domains and Trusts snap-in and choosing "Connect to Domain Controller".

3. Active Directory Schema - this snap-in is used to view and change the Schema
Master FSMO role. However... the Active Directory Schema snap-in is not part of the
default Windows 2000 administrative tools or installation. You first have to install the
Support Tools from the \Support directory on the Windows 2000 server CD or install
the Windows 2000 Server Resource Kit. Once you install the support tools you can
open up a blank Microsoft Management Console (start, run, mmc) and add the snap-
in to the console. Once the snap-in is open, right click "Active Directory Schema" at
the top of the tree and choose "Operations Masters". You will see the dialog box
below. Changing the server the Schema Master resides on requires you first connect
to another domain controller, and then click the Change button.
You can connect to another domain controller by right clicking "Active Directory
Schema" at the top of the Active Directory Schema snap-in and choosing "Connect to
Domain Controller

35
4.Netdom

The easiest and fastest way to find out what server holds what FSMO role is by using
the Netdom command line utility. Like the Active Directory Schema snap-in, the
Netdom utility is only available if you have installed the Support Tools from the
Windows 2000 CD or the Win2K Server Resource Kit.

To use Netdom to view the FSMO role holders, open a command prompt window and
type:
netdom query fsmo and press enter. You will see a list of the FSMO role servers:

36
5. Active Directory Relication Monitor another tool that comes with the Support
Tools is the Active Directory Relication Monitor. Open this utility from Start,
Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored
Server and add the name of a Domain Controller. Once added, right click the Server
name and choose properties. Click the FSMO Roles tab to view the servers holding
the 5 FSMO roles (below). You cannot change roles using Replication Monitor, but this
tool has many other useful purposes in regard to Active Directory information. It is
something you should check out if you haven't already.

Finally, you can use the Ntdsutil.exe utility to gather information about and change
servers for FSMO roles. Ntdsutil.exe, a command line utility that is installed with
Windows 2000 server, is rather complicated and beyond the scope of this document.
6. DUMPFSMOS
Command-line tool to query for the current FSMO role holders
Part of the Microsoft Windows 2000 Server Resource Kit
Downloadable from http://www.microsoft.com/windows2000
37
/techinfo/reskit/default.asp
Prints to the screen, the current FSMO holders
Calls NTDSUTIL to get this information
7. NLTEST
Command-line tool to perform common network administrative tasks
Type “nltest /?” for syntax and switches
Common uses
Get a list of all DCs in the domain
Get the name of the PDC emulator
Query or reset the secure channel for a server
Call DsGetDCName to query for an available domain controller

8. Adcheck (470k) (3rd party)

A simple utility to view information about AD and FSMO roles
http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to Transfer and Seize a FSMO Role

http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504

38
GROUP POLICY

Q1. What are Group Policies?

Group Policies are settings that can be applied to Windows computers, users or both. In
Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used
to lock down some aspect of a PC. Whether you don't want users to run Windows Update or
change their Display Settings, or you want to insure certain applications are installed on
computers - all this can be done with Group Policies.

Group Policies can be configured either Locally or by Domain Polices. Local policies can be
accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by
opening the Microsoft Management Console (Start, Run type mmc), and adding the Group
Policy snap-in. You must be an Administrator to configure/modify Group Policies. Windows
2000 Group Policies can only be used on Windows 2000 computers or Windows XP
computers. They cannot be used on Win9x or WinNT computers.

Q2. Domain policy gets applied to whom ?

Domain Policies are applied to computers and users who are members of a Domain, and
these policies are configured on Domain Controllers. You can access Domain Group Polices
by opening Active Directory Sites and Services (these policies apply to the Site level only) or
Active Directory Users and Computers (these policies apply to the Domain and/or
Organizational Units).

Q3. From Where to create a Group Policy?

To create a Domain Group Policy Object open Active Directory Sites and Services and right
click Default-First-Site-Name or another Site name, choose properties, then the Group Policy
tab, then click the New button. Give the the GPO a name, then click the Edit button to
configure the policies.
For Active Directory Users and Computers, it the same process except you right click the
Domain or an OU and choose properties.

Q4. Who can Create/Modify Group Policies?

You have to have Administrative privileges to create/modify group policies. The following table
shows who can create/modify group policies:

Policy Type Allowable Groups/Users

Site Level Group Policies Enterprise Administrators and/or Domain Administrators in
the root domain. The root domain is the first domain created
in a tree or forest. The Enterprise Administrators group is
found only in the root domain.
Domain Level Group Enterprise Administrators, Domain Administrators or
Policies members of the built-in group - Group Policy Creator
Owners. By default only the Administrator user account is a

39

OU Level Group Policies
member of this group
Enterprise Administrators, Domain Administrators or
members of the Group Policy Creator Owners. By default
only the Administrator user account is a member of this
group.

Additionally, at the OU level, users can be delegated control

Local Group Policies
for the OU Group Policies by starting the Delegate Control
Wizard (right click the OU and choose Delegate Control).
However, the wizard only allows the delegated user to Link
already created group policies to the OU. If you want to
give the OU administrators control over creating/modifying
group policies, add them to the Group Policy Creator
Owners group for the domain.
The local Administrator user account or members of the
local Administrators group.

Q5. How are Group Policies Applied?

Group Polices can be configured locally, at the Site level, the Domain level or at the
Organizational Unit (OU) level. Group Policies are applied in a Specific Order, LSDO - Local
policies first, then Site based policies, then Domain level policies, then OU polices, then
nested OU polices (OUs within OUs). Group polices cannot be linked to a specific user or
group, only container objects.

In order to apply Group Polices to specific users or computers, you add users (or groups) and
computers to container objects. Anything in the container object will then get the policies linked
to that container. Sites, Domains and OUs are considered container objects.

Computer and User Active Directory objects do not have to put in the same container object.
For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is
also an object in Active Directory. Sally the user object can be in one OU, while her computer
object can be another OU. It all depends on how you organize your Active Directory structure
and what Group Policies you want applied to what objects.

40
User and Computer Policies

There are two nodes in each Group Policy Object that is created. A Computer node and a
User Node. They are called Computer Configuration and User Configuration (see image
above). The polices configured in the Computer node apply to the computer as a whole.
Whoever logs onto that computer will see those policies.
Note: Computer policies are also referred to as machine policies.

User policies are user specific. They only apply to the user that is logged on. When creating
Domain Group Polices you can disable either the Computer node or User node of the Group
Policy Object you are creating. By disabling a node that no policies are defined for, you are
decreasing the time it takes to apply the polices.
To disable the node polices: After creating a Group Policy Object, click that Group Policy
Object on the Group Policy tab, then click the Properties button. You will see two check boxes
at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a
node are evaluated first, and then applied. They are not applied one after the other. For
example, say Sally the user is a member of the Development OU, and the Security OU. When
Sally logs onto her PC the policies set in the User node of the both the Development OU and
the Security OU Group Policy Objects are evaluated, as a whole, and then applied to Sally the
user. They are not applied Development OU first, and then Security OU (or visa- versa).
The same goes for Computer policies. When a computer boots up, all the Computer node
polices for that computer are evaluated, then applied.
41
When computers boot up, the Computer policies are applied. When users login, the User
policies are applied. When user and computer group policies overlap, the computer policy
wins.

Note: IPSec and EFS policies are not additive. The last policy applied is the policy the
user/computer will have.

When applying multiple Group Policies Objects from any container, Group Policies are applied
from bottom to top in the Group Policy Object list. The top Group Policy in the list is the last to
be applied. In the above image you can see three Group Policy Objects associated with the
Human Resources OU. These polices would be applied No Windows Update first, then No
Display Settings, then No ScreenSaver. If there were any conflicts in the policy settings, the
one above it would take precedence.

Q6.How to disable Group Policy Objects

When you are creating a Group Policy Object, the changes happen immediately. There is no
"saving" of GPOs. To prevent a partial GPO from being applied, disable the GPO while you
are configuring it. To do this, click the Group Policy Object on the Group Policy tab and under
the Disable column, double click - a little check will appear. Click the Edit button, make your
changes, then double click under the Disable column to re-enable the GPO. Also, if you want
to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can
also click the Options button on the Group Policy tab and select the Disabled check box.

42
Q7. When does the group policy Scripts run?

Startup scripts are processed at computer bootup and before the user logs in.
Shutdown scripts are processed after a user logs off, but before the computer shuts down.

Login scripts are processed when the user logs in.

Logoff scripts are processed when the user logs off, but before the shutdown script runs.

Q8. When the group policy gets refreshed/applied?

Group Policies can be applied when a computer boots up, and/or when a user logs in.
However, policies are also refreshed automatically according to a predefined schedule. This is
called Background Refresh.

Background refresh for non DCs (PCs and Member Servers) is every 90 mins., with a +/- 30
min.
interval. So the refresh could be 60, 90 or 120 mins. For DCs (Domain Controllers),
background refresh is every 5 mins.
Also, every 16 hours every PC will request all group policies to be reapplied (user and
machine) These settings can be changed under Computer and User Nodes, Administrative
Templates,System, Group Policy.

Q9. Which are the policies which does not get affected by background refresh?

Policies not affected by background refresh. These policies are only applied at logon time:

Folder Redirection
Software Installation
Logon, Logoff, Startup, Shutdown Scripts

Q9. How to refresh Group Policies suing the command line?

Secedit.exe is a command line tool that can be used to refresh group policies on a Windows
2000 computer. To use secedit, open a command prompt and type:

secedit /refreshpolicy user_policy to refresh the user policies

secedit /refreshpolicy machine_policy to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the
last refresh. To force a reload of all group policies regardless of the last change, use:

secedit /refreshpolicy user_policy /enforce

secedit /refreshpolicy machine_policy /enforce

43
Gpupdate.exe is a command line tool that can be used to refresh group policies on a Windows
XP computer. It has replaced the secedit command. To use gpupdate, open a command
prompt and
type:

gpupdate /target:user to refresh the user policies

gpupdate /target:machine to refresh the machine (or computer) policies

As with secedit, these parameters will only refresh any user or computer policies that have
changed since the last refresh. To force a reload of all group policies regardless of the last
change, use:

gpupdate /force

Notice the /force switch applies to both user and computer policies. There is no separation of
the two like there is with secedit

Q10. What is the Default Setting for Dial-up users?

Win2000 considers a slow dial-up link as anything less than 500kbps. When a user logs into a
domain on a link under 500k some policies are not applied.

Windows 2000 will automatically detect the speed of the dial-up connection and make a
decision about applying Group Policies.

Q11. Which are the policies which get applied regardless of the speed of the dial-up
connection?

Some policies are always applied regardless of the speed of the dial-up connection. These
are:

Administrative Templates
Security Settings
EFS Recovery
IPSec

Q12. Which are the policies which do not get applied over slow links?

IE Maintenance Settings
Folder Redirection
Scripts
Disk Quota settings
Software Installation and Maintenance

These settings can be changed under Computer and User Nodes, Administrative Templates,
System, Group Policy.

44
If the user connects to the domain using "Logon Using Dial-up Connection" from the logon
screen, once the user is authenticated, the computer policies are applied first, followed by the
user policies.

If the user connects to the domain using "Network and Dial-up Connections", after they
logon, the policies are applied using the standard refresh cycle.

Q13. Which are the two types of default policies?

There are two default group policy objects that are created when a domain is created. The
Default Domain policy and the Default Domain Controllers policy.

Default Domain Policy - this GPO can be found under the group policy tab for that domain. It
is the first policy listed. The default domain policy is unique in that certain policies can only be
applied at the domain level.

If you double click this GPO and drill down to Computer Configuration, Windows Settings,
Security Settings, Account Policies, you will see three policies listed:

Password Policy
Acount Lockout Policy
Kerberos Policy

These 3 policies can only be set at the domain level. If you set these policies anywhere else-
Site or OU, they are ignored. However, setting these 3 policies at the OU level will have the
effect of setting these policies for users who log on locally to their PCs. Login to the domain
you get the domain policy, login locally you get the OU policy.

If you drill down to Computer Configuration, Windows Settings, Security Settings, Local
Policies, Security Options, there are 3 policies that are affected by Default Domain Policy:

Automatically log off users when logon time expires

Rename Adminsitrator Account - When set at the domain level, it affects the Domain
Administrator account only.
Rename Guest Account - When set at the domain level, it affects the Domain Guest account
only.

The Default Domain Policy should be used only for the policies listed above. If you want to
create additional domain level policies, you should create additional domain level GPOs.
Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - This policy can be found by right clicking the Domain
Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain
Controllers in the domain regardless of where you put the domain controllers. That is, no
matter where you put your domain controllers in Active Directory (whatever OU you put them
in), they will still process this policy.

Use the Default Domain Controllers Policy to set local policies for your domain controllers,
e.g. Audit Policies, Event Log settings, who can logon locally and so on.

45
Q14.How to restore Group policy setting back to default?

The following command would replace both the Default Domain Security Policy and Default
Domain Controller Security Policy. You can specify Domain or DC instead of Both, to only
restore one or the other.

> dcgpofix /target:Both

Note that this must be run from a domain controller in the target domain where you want to
reset the GPO

If you've ever made changes to the default GPOs and would like to revert back to the original
settings, the dcgpofix utility is your solution. dcgpofix works with a particular version of
schema. If the version it expects to be current is different from what is in Active Directory, it
not restore the GPOs. You can work around this by using the /ignoreschema switch, which
restore the GPO according to the version dcgpofix thinks is current. The only time you might
experience this issue is if you install a service pack on a domain controller (dc1) that extends
schema, but have not installed it yet on a second domain controller (dc2). If you try to run

dcgpofix from dc2, you will receive the error since a new version of the schema and the
dcgpofix utility was installed on dc1.

Resolving GPOs from Multiple Sources

Because GPOs can come from different sources to apply to a single user or computer, there
must be a way of determining how those GPOs are combined. GPOs are processed in the
following order:

1. Local GPO The local GPO on the computer is processed and all settings specified in that
GPO are applied.

2. Site GPOs GPOs linked to the site in which the computer resides are processed. Settings
made at this level override any conflicting settings made at the preceding level. If multiple
GPOs are linked to a site, the site administrator can control the order in which those GPOs are
processed.

3. Domain GPOs GPOs linked to the domain in which the computer resides are processed
and any settings are applied. Settings made at the domain level override conflicting settings
applied at the local or site level. Again, the administrator can control the processing order
when multiple GPOs are linked to the domain.
4. OU GPOs GPOs linked to any OUs that contain the user or computer object are processed.
Settings made at the OU level override conflicting settings applied at the domain, local, or site
level. It is possible for a single object to be in multiple OUs. In this case, GPOs linked to the
highest level OU in the Active Directory hierarchy are processed first, followed by the next
highest level OU, and so on. If multiple GPOs are linked to a single
46
Q15. What are the two exceptions to control the inheritance of the group policy?

■ No Override When you link a GPO to a container, you can configure a No Override option
that prevents settings in the GPO from being overridden by settings in GPOs linked to child
containers. This provides a way to force child containers to conform to a particular policy.
■ Block Inheritance You can configure the Block Inheritance option on a container to
prevent the container from inheriting GPO settings from its parent containers. However, if a
parent container has the No Override option set, the child container cannot block inheritance
from this parent.

Q16. How to Redirect New User and Computer Accounts?

By default, new user and computer accounts are created in the Users and Computers
containers, respectively. You cannot link a GPO to either of these built-in containers. Even
though the built-in containers inherit GPOs linked to the domain, you may have a situation that
requires user accounts and computer accounts to be stored in an OU to which you can link a
GPO. Windows Server 2003 includes two new tools that let you redirect the target location
for new user and computer accounts. You can use redirusr.exe to redirect user accounts and
redircomp.exe to redirect computer accounts. Once you choose the OU for redirection, new
user and computer accounts are created
directly in the new target OU, where the appropriate GPOs are linked. For example, you could
create an OU named New Users, link an appropriate GPO to the OU, and then redirect the
creation of new-users accounts to the New Users OU. Any new users created would
immediately be affected by the settings in the GPO. Administrators could then move the new
user accounts to a more appropriate location later. You can find both of these tools in the
%windir%\system32 folder on any computer running Windows Server 2003. You can learn
more about using these tools in Knowledge Base article 324949, “Redirecting the Users and
Computers Containers in Windows Server 2003 Domains,” in the Microsoft Knowledge Base
at http://support.microsoft.com.

Q17. What permissions should a administrator have to manage GPOs?

Editing GPOs linked to sites requires Enterprise Administrative permissions.

Editing GPOs linked to domains requires Domain Administrative
Editing GPOs linked to OUs requires permissions for the OU.

Q18. What is the client requirement for supporting GPOs?

For client computers to accept Group Policy settings, they must be members of Active
Directory. Support for Group Policy for key operating systems includes the following:

■ Windows 95/98/Me do not support Group Policy.

■ Windows NT 4.0 and earlier versions do not support Group Policy.
■ Windows 2000 Professional and Server support many of the Group Policy settings available
in Windows Server 2003, but not all. Unsupported settings are ignored.
47
■ Windows XP Professional, Windows XP 64-bit Edition, and Windows Server 2003 fully
support Group Policy.

48