
70-290

1. WINDOWS SERVER 2003 EDITIONS


Editions of Windows Server 2003:
 Small Business Server (SBS)
 Web Edition
 Standard Edition
 Enterprise Edition
 Datacenter Edition
Small Business Server:
Small Business Server is a low-cost edition designed for small organizations. It supports up to
75 users and comes in two editions, Standard and Premium.
Web Edition
Web Edition is designed for web hosting. It supports up to 2 GB RAM and 2-way symmetric
multiprocessing. It can join a domain as a member server but cannot be promoted to a domain
controller: this edition does not support ADS.
Standard Edition
This edition suits small to medium business organizations. It supports file and print services and
secure Internet connectivity, 4-way symmetric multiprocessing and 4 GB RAM. It also supports
Distributed File System (DFS), Encrypting File System (EFS) and shadow copies.
Enterprise Edition
Windows Server 2003 Enterprise Edition is made for medium to large organizations and is the
full-function server edition. It supports 8-way symmetric multiprocessing (8 processors); the
32-bit version supports 32 GB RAM and the 64-bit version 64 GB RAM.
Datacenter Edition
Windows Server 2003 Datacenter Edition is made for very large organizations where high security,
reliability and availability are needed; it is the power house of the Windows platform. It supports
32-way symmetric multiprocessing in the 32-bit version (64-way in the 64-bit version) and 64 GB RAM
in the 32-bit version (512 GB in the 64-bit version).
2. Sites, Replication, Domain Controllers, Objects, Delegation,
Organizational Units

Active Directory includes a replication feature. Replication ensures that changes to a domain controller
are reflected in all domain controllers within a domain. A domain controller stores a replica of the domain
directory. Each domain can contain one or more domain controllers.
Within a site, Active Directory automatically generates a ring topology for replication among domain
controllers in the same domain. The topology defines the path for directory updates to flow from one
domain controller to another until all receive the directory updates.

The ring structure ensures that there are at least two replication paths from one domain controller to
another. Therefore, if one domain controller is down temporarily, replication still continues to all other
domain controllers.
Active Directory periodically analyzes the replication topology within a site to ensure that it is still efficient.
If you add or remove a domain controller from the network or a site, Active Directory reconfigures the
topology to reflect the change.
Objects
An object is a distinct named set of attributes that represents a network resource.
Enterprise resources are represented in Active Directory as objects, or records in the database.
Each object has numerous attributes, or properties, that define it. For example, a user object includes the
user name and password; a group object includes the group name and a list of its members. Active
Directory is capable of hosting millions of objects, including users, groups, computers, printers, shared
folders, sites, site links, Group Policy Objects (GPOs), and even DNS zones and host records.
Organizational Units
An organizational unit (OU) is a container used to organize objects within a domain into logical
administrative groups. They provide important administrative capabilities because they provide a point at
which administrative functions can be delegated and to which group policies can be linked. Enterprises
often have thousands of computers, groups, and users. If you had several thousand computers in a single
list, it would be very difficult to identify all the computers belonging to, say, the Accounting department, or
located within the Lucknow office. Enterprises need a way to organize these objects. OUs provide a way
to create administrative boundaries within a domain, allowing you to delegate administrative tasks within
the domain. An OU can contain objects such as user accounts, groups, computers, printers, applications,
file shares, and other OUs.
The OU hierarchy within a domain is independent of the OU hierarchy of other domains; each domain
can implement its own OU hierarchy. There are no restrictions on the depth of the OU hierarchy, but a
shallow hierarchy performs better than a deep one, so do not create an OU hierarchy any deeper than
necessary.
Delegation
Each object in Active Directory (a user object, for example) includes an access control list (ACL) that
defines permissions on that object, just as files on a disk volume have ACLs that define access to those
files. For example, a user object's ACL defines which groups are allowed to reset its password. It would
be unworkable to grant a frontline administrator the reset-password permission on each individual user,
so instead you put all of those users in a single OU and grant that administrator the Reset Password
permission on the OU. The permission is inherited by every user object in the OU (including users
created there later), so the administrator can reset the password of any user in it, and nothing else.
Resetting user passwords is just one example of administrative delegation. Delegate the narrowest
permission that covers the task, and keep privileged accounts out of OUs on which such permissions
have been delegated.
There are thousands of combinations of permissions that could be assigned to groups administering and
supporting Active Directory. OUs allow an enterprise to create an accurate representation of its
administrative model and to specify who can do what to objects in the domain.
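The reset-password delegation described above, done as commands rather than wizard clicks. This is an added example and not part of the original notes: it uses dsacls.exe from the Windows Server 2003 Support Tools, run from PowerShell (installed separately on Server 2003), and the OU, group and domain names in it are assumptions.

```powershell
# Added example: delegate "Reset Password" on one OU with dsacls.exe
# (Windows Server 2003 Support Tools). All names below are assumptions.
$ou       = "OU=Accounting,DC=example,DC=com"   # assumed OU holding the users
$helpdesk = "EXAMPLE\HelpDesk"                  # assumed group of frontline admins

# /I:S   apply the ACE to sub-objects only (the users in the OU), not to the OU itself
# CA     control-access right; "Reset Password" is the extended right's display name
# ;user  restrict the grant to objects of class user, so the group cannot reset
#        passwords of computer objects or anything else that lands in the OU
dsacls $ou /I:S /G "${helpdesk}:CA;Reset Password;user"

# Read/write pwdLastSet as well, so the group can tick
# "User must change password at next logon" after a reset.
dsacls $ou /I:S /G "${helpdesk}:RPWP;pwdLastSet;user"

# Check: the ACL printout should now list the group with exactly those rights and no more.
dsacls $ou | Select-String -SimpleMatch $helpdesk
```

The check at the end is worth keeping: dsacls without /I:S would grant the right on the OU object itself, and without the trailing ";user" it would apply to every object class. Members of protected groups such as Domain Admins do not keep such inherited ACEs anyway, because the AdminSDHolder process resets their ACL every hour, which is one more reason to keep privileged accounts in their own OU.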
Sites
A site is a combination of one or more Internet Protocol (IP) subnets connected by a highly reliable, fast
link to localize as much network traffic as possible. Typically, a site has the same boundaries as a local
area network (LAN). When you group subnets on your network, you should combine only those subnets
that have fast, cheap, and reliable network connections with one another. Fast network connections are
at least 512 kilobits per second (Kbps). An available bandwidth of 128 Kbps and higher is sufficient.
Classes, Attributes, Directory Schema
In Active Directory, objects are organized in classes, which are logical groupings of objects. Object
classes group objects by their similarities. For example, all user objects are instances of the object class
user.
When you create a new object, it automatically inherits the attributes of its class. When you create a new
user account, the information you can enter about it (its attributes) is defined by the object class user.
Microsoft defines a default set of object classes (and the attributes they define) used by Active Directory.
Because Active Directory is extensible, administrators and applications can modify the object classes
available and the attributes that those classes define.
The classes and the attributes that they define are collectively referred to as the Active Directory
schema. In database terms, a schema is the structure of the tables and fields and how they relate to one
another. You can think of the Active Directory schema as the set of definitions (object classes and
attributes) that determines how the real data of the directory (the attribute values of each object) is
organized and stored.
3. Active Directory Services: Function, Definition, Features, Domains,
Trees and Forests

Active Directory is a central component of the Windows platform: the Active Directory service provides
the means to manage the identities and relationships that make up a network environment. After
installing Active Directory you can create centralized user and group accounts for the whole network;
Active Directory acts as the main switchboard of the network operating system. Active Directory itself
is more than just a database. It is a collection of supporting files that includes transaction logs and the
system volume, or SYSVOL, which contains logon scripts and Group Policy information.
Active Directory simplifies the security and administration of resources throughout a network (including
the computers that are part of the network) by providing a single point of administration for all objects on
the network. Active Directory organizes resources hierarchically in domains, which are logical groupings
of servers and other network resources.
One big advantage of Active Directory is a single logon for all network resources: a user logs on to the
network once with a single user name and password and can then access any resource to which the user
account has been granted access. An administrator can log on to one computer and administer objects on
any computer in the network.
Domain Controllers
A domain controller is a server that has been promoted by running the Active Directory Installation
Wizard, either by running DCPROMO from the command line or by adding the role from Manage Your
Server. Once a server has become a domain controller, it hosts a copy, or replica, of Active Directory, and
changes to the database on any domain controller are replicated to all domain controllers within the
domain.
Domains
The core unit of logical structure in Active Directory is the domain. However, an enterprise might have
more than one domain in its Active Directory.

Features of domains:
 Domains allow administrators to divide the network into manageable boundaries.
 Administrators of different domains can establish their own security models (including password
complexity and password-length requirements); the security settings of one domain are then isolated so
that the security models of other domains are not affected.
 Domains provide a way to logically partition a network along the same administrative lines as an
organization. Organizations that are large enough to have more than one domain usually have divisions
that are responsible for maintaining and securing their own resources. Grouping objects into one or more
domains enables your network to reflect your company's organization.
 Domains are independent administrative units, with their own security and administrative policies.
 All network objects exist within a domain, and each domain stores information only about the objects that
it contains.
 Theoretically, a domain directory can contain up to 10 million objects, but 1 million objects per domain is
a more practical amount.
Trees
A tree is a hierarchical arrangement of one or more domains that share a common schema and a
contiguous namespace. In the example shown in Figure all the domains in the tree under the
Example.com root domain share the namespace Example.com.

The first domain you create in a tree is called the root domain. The next domain that you add becomes a
child domain of that root. In this figure Lucknow.example.com and Jaiure.example.com are the child
domains.
Features of a tree
 Following DNS standards, the domain name of a child domain is the relative name of that child domain
appended with the name of the parent domain.

 All domains within a single tree share a common schema, which is a formal definition of all object types
that you can store in an Active Directory deployment.

 All domains within a single tree (in fact, within the whole forest) share a common global catalog, which
is the central repository of information about objects across those domains.
4. Prerequisites of ADS (Active Directory Service) Configuration

In our last article you learnt the basic concepts of ADS. In this article we prepare the server so that the
ADS service can be configured on Server 2003.
Prerequisites of Active Directory Services
 NTFS partition
 Manual IP configuration
 Connectivity of the LAN
 CD of Server 2003 (the ADS configuration wizard needs Windows files from it)
 The root partition (the partition where Server 2003 is installed) must be NTFS
The ADS configuration wizard stores the directory database in the NTDS folder, and this folder must be
on an NTFS file system: NTFS permissions protect the database and SYSVOL, and FAT has no ACLs at
all. The default file system of Server 2003 is NTFS unless you changed it during installation. If you
changed the file system, convert it to NTFS before you start configuring ADS.
To change the file system from FAT to NTFS, open a command prompt and run:
c:\>convert c: /fs:ntfs
Replace c: with your installation drive letter. Because the system partition is in use, convert schedules
the conversion and performs it at the next boot.
Reboot the system for it to take effect. After the reboot, verify that the partition was converted to NTFS:
open My Computer, right-click the drive and select Properties. The Properties screen shows the file
system.

Manual IP configuration
The server's IP address cannot be dynamic: clients find the domain controller through DNS records that
must stay stable. Set a static IP address before starting the configuration of ADS. Open the properties of
Local Area Connection, select Internet Protocol (TCP/IP), click Properties and enter the IP address,
subnet mask, default gateway and DNS server.

Connectivity of the LAN
The server checks the LAN card during the installation of ADS. An unplugged or disabled LAN card
makes the ADS configuration fail, so check it before you start. You can check its status from the
properties of My Network Places.
Alternatively you can examine it just by looking at the taskbar. The image below shows a working LAN
card.
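The prerequisite checks above, done in one script instead of by clicking through dialogs. This is an added example and not from the original article; it assumes PowerShell has been installed on the Server 2003 machine (it is not shipped with it) and that the installation CD is in drive D:.

```powershell
# Added example: check the ADS prerequisites with WMI before running dcpromo.
# Assumes PowerShell installed on the Server 2003 box; run on the future DC.
$script:ok = $true
function Check([string]$name, [bool]$pass, [string]$detail) {
    if ($pass) { $tag = "OK  " } else { $tag = "FAIL"; $script:ok = $false }
    Write-Host ("{0} {1,-38} {2}" -f $tag, $name, $detail)
}

# 1. System volume must be NTFS (the NTDS database and SYSVOL need NTFS ACLs)
$sysDrive = $env:SystemDrive
$disk = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$sysDrive'"
Check "System volume $sysDrive is NTFS" ($disk.FileSystem -eq "NTFS") $disk.FileSystem

# 2. Every IP-enabled adapter must use a static address and point at a DNS server
$cfgs = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled=True"
foreach ($c in $cfgs) {
    $ips = [string]::Join(",", $c.IPAddress)
    Check "Static IP on '$($c.Description)'" (-not $c.DHCPEnabled) $ips
    $hasDns = ($c.DNSServerSearchOrder -ne $null) -and ($c.DNSServerSearchOrder.Length -gt 0)
    if ($hasDns) { $dns = [string]::Join(",", $c.DNSServerSearchOrder) } else { $dns = "none" }
    Check "DNS server set on '$($c.Description)'" $hasDns $dns
}

# 3. The LAN card must be enabled and plugged in. NetConnectionStatus 2 = Connected
#    (0 = Disconnected, 5 = Hardware disabled, 7 = Media disconnected); dcpromo fails otherwise.
$nics = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID }
foreach ($n in $nics) {
    Check "Link up on '$($n.NetConnectionID)'" ($n.NetConnectionStatus -eq 2) "status=$($n.NetConnectionStatus)"
}

# 4. dcpromo may ask for the CD: check the i386 folder is reachable (assumed drive letter)
$cd = "D:\i386"
Check "Server 2003 CD (i386) present" (Test-Path $cd) $cd

if ($script:ok) { Write-Host "All prerequisites met: run dcpromo" }
else            { Write-Host "Fix the FAIL lines before running dcpromo" }
```

Each FAIL line corresponds to one of the prerequisites in the list above; the script only reports, it changes nothing, so it is safe to rerun after every fix.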

Once you have completed all these necessary steps you are ready to configure ADS. In our next article
we will configure ADS.
5. How to Configure ADS (Active Directory Service): Step-by-Step
Guide

In our earlier article we finished all the necessary prerequisites. In this article we configure ADS.
The ADS configuration wizard can be invoked in three ways:
 By running the DCPROMO.EXE command
 From Configure Your Server
 From Manage Your Server
Whichever option you choose, all three launch the same ADS configuration wizard. I will show all three
methods.
Configure Your Server / Manage Your Server
To launch the Manage Your Server wizard, click the Start button and select Manage Your Server.

To launch the Configure Your Server wizard, click the Start button and select Configure Your Server
Wizard from Administrative Tools.

Now click Add or remove a role.


The server now checks the prerequisites we completed in the last article. The wizard shows an error
message if any prerequisite is not properly configured.

The wizard shows a list of all the roles that can be configured. Select Domain Controller (Active
Directory). After checking all necessary services it shows a summary for the ADS configuration wizard.
Click Next to launch the ADS configuration wizard.
The same wizard can be launched directly by running the DCPROMO.EXE command from the Run menu.

On the welcome screen click Next.


This screen warns that Windows 95 and Windows NT 4.0 SP3 or earlier cannot be clients of a Server
2003 domain controller without updates: its default security settings require SMB signing, which those
versions do not support (Windows 95 needs the Active Directory client extension, NT 4.0 needs SP4 or
later). Click Next.

This is the first domain controller in our domain, so select Domain controller for a new domain and click
Next.
This is the first domain in the first forest, so select Domain in a new forest and click Next.

Give the full DNS name of the new domain (not of the server); we use example.com for practice, you
can choose your own. The wizard automatically generates the NetBIOS name of the domain; do not
change it.

The directory database and log files are stored in the NTDS folder; keep the default location.


SYSVOL is a publicly shared folder that is replicated to every domain controller in the domain; clients read
logon scripts and Group Policy from it.

DNS is required for ADS to function. Select the second option, Install and configure DNS on this
computer.
If you have pre-Windows 2000 servers in the network that must read user and group information
anonymously (NT 4.0 RAS servers, for example), select
Permissions compatible with pre-Windows 2000 server operating systems. This option adds Everyone
and Anonymous Logon to the Pre-Windows 2000 Compatible Access group, which allows anonymous
reads of user and group attributes, so avoid it wherever you can.
If you have no such servers, select
Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems for greater
security.
Now set the Directory Services Restore Mode password. This is a separate local password used to log
on in Directory Services Restore Mode to restore the directory, and to log on after ADS has been
removed. Choose a strong one and record it securely; it does not change when the domain Administrator
password changes.

Review the summary of your selections and click Next; if any option needs changing, go back and change
it.

Now the wizard configures all the options you selected.
If you are running this wizard for the first time it needs to copy some files from the Server 2003 CD; insert
the CD when asked.

We will configure the DNS server separately after ADS, so skip it here to save time.
Click Finish to complete the installation.

A system reboot is required for the installation of ADS to take effect.


After the reboot the server is a domain controller. In our next article we will learn how to verify that
ADS is configured properly.
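The same wizard run without clicking: dcpromo accepts an answer file, and the keys below map one to one onto the screens walked through above (NewDomain=Forest is "Domain in a new forest", AutoConfigDNS=Yes is "Install and configure DNS on this computer", AllowAnonymousAccess=No is the "Windows 2000 or Windows Server 2003 only" permission choice). This is an added example, not from the article. It assumes PowerShell on the server, Windows installed in C:\Windows and example.com as the forest root; the key names follow the Windows Server 2003 [DCInstall] unattend reference (Ref.chm inside Deploy.cab on the CD), and should be confirmed there before use.

```powershell
# Added example: unattended promotion with the choices made in the wizard above.
# Paths and names are assumptions; confirm [DCInstall] key names against Ref.chm.
$answerFile = "C:\dcpromo-answer.txt"
$dsrmPwd    = Read-Host "Directory Services Restore Mode password"

$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Forest
NewDomainDNSName=example.com
DomainNetBiosName=EXAMPLE
AutoConfigDNS=Yes
DatabasePath=C:\Windows\NTDS
LogPath=C:\Windows\NTDS
SYSVOLPath=C:\Windows\SYSVOL
AllowAnonymousAccess=No
SafeModeAdminPassword=$dsrmPwd
RebootOnSuccess=No
"@
Set-Content -Path $answerFile -Value $answer

# The DSRM password sits in the file in clear text: keep the file on the DC only,
# wait for dcpromo to finish, then delete it before rebooting.
$p = [System.Diagnostics.Process]::Start("dcpromo.exe", "/answer:$answerFile")
$p.WaitForExit()
Remove-Item $answerFile
Write-Host "dcpromo exit code: $($p.ExitCode). Reboot to complete the promotion (shutdown /r /t 0)."
```

RebootOnSuccess is left at No so the answer file can be removed first; with Yes the server would reboot with the DSRM password still on disk.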
6. How to Verify the Installation of ADS and How to Remove
ADS

In our last article we configured ADS. In this tutorial I will show how to check the ADS installation.
The ADS installation can be verified in three ways:
 My Computer properties
 Logon screen
 Administrative Tools

My Computer properties
To check whether ADS is installed on the server, right-click My Computer, select Properties and open
the Computer name tab.
If you see Workgroup here, ADS is not configured.
If you see Domain here, ADS is configured.
In the image below you can see the domain name, which means ADS is configured on this server.

Logon screen
Whether the server is a domain controller can also be verified on the logon screen.
If you see the Log on to: option on the logon screen, ADS is configured on this server.
Administrative Tools
The most reliable test is to check Administrative Tools. If you see all three options listed below in
Administrative Tools, ADS is properly configured and functioning.
1. Active Directory Domains and Trusts
2. Active Directory Sites and Services
3. Active Directory Users and Computers
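The three checks above done from PowerShell, plus the services, shares and LDAP bind that a working domain controller must provide (a box can show a domain name and still be a broken DC). This is an added example, not from the article; it assumes PowerShell installed on the server. The three snap-ins checked at the end are the files behind the three Administrative Tools entries listed above.

```powershell
# Added example: verify the outcome of dcpromo. Assumes PowerShell on the server.
$cs = Get-WmiObject Win32_ComputerSystem
$roles = @{ 0 = "Standalone Workstation"; 1 = "Member Workstation"; 2 = "Standalone Server";
            3 = "Member Server"; 4 = "Backup Domain Controller"; 5 = "Primary Domain Controller" }
# DomainRole 4 or 5 means ADS is installed; 2 means the server is still in a workgroup
$role = [int]$cs.DomainRole
Write-Host ("Role: {0} ({1})  Domain: {2}" -f $role, $roles[$role], $cs.Domain)
$isDC = $role -ge 4

# Services that must run on a DC (NTFRS replicates SYSVOL; DNS only if it was installed here)
foreach ($svc in "Netlogon", "kdc", "NTFRS", "DNS") {
    $s = Get-Service $svc -ErrorAction SilentlyContinue
    if ($s -eq $null) { Write-Host "$svc : not installed" } else { Write-Host "$svc : $($s.Status)" }
}

# SYSVOL and NETLOGON shares appear only once SYSVOL has been initialised; clients need both
Get-WmiObject Win32_Share -Filter "Name='SYSVOL' OR Name='NETLOGON'" |
    ForEach-Object { Write-Host "Share: $($_.Name) -> $($_.Path)" }

# The three snap-ins behind the Administrative Tools entries
foreach ($msc in "domain.msc", "dssite.msc", "dsa.msc") {
    $path = Join-Path $env:SystemRoot "system32\$msc"
    Write-Host ("{0,-12} present: {1}" -f $msc, (Test-Path $path))
}

# Finally an LDAP bind to the local directory, which fails if the directory is not serving
if ($isDC) {
    $rootDse = [ADSI]"LDAP://RootDSE"
    Write-Host "Default naming context: $($rootDse.defaultNamingContext)"
}
```

Run it again after the reboot that follows promotion: the role changes immediately, but the shares and the Netlogon service only come up on the first boot as a domain controller.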

Removing ADS
We have tested the ADS installation; now we remove ADS so you can learn how it is done. The removal
wizard can be started:
 From the Configure Your Server wizard
 From the Manage Your Server wizard
 From DCPROMO.EXE
Whichever option you choose, the same ADS removal wizard is launched.
To use the Configure Your Server wizard, click Start, select Administrative Tools and click Configure
Your Server. The same window can be reached by clicking Start and selecting Manage Your Server.
Click Add or remove a role.
Select Domain Controller from the list and click Next; this launches the ADS removal wizard.
The same wizard can be reached directly by running the DCPROMO command from the Run menu.

Click Next on the welcome screen.


A warning appears that this domain controller is a global catalog server. In a domain with other domain
controllers you would first make another one a global catalog; in our single-server lab, click OK.

Tick the box This server is the last domain controller in the domain. Tick it only when that is true: in a
domain with other domain controllers it would delete the whole domain, not just this server.
ADS now removes all DNS information stored for this domain. Click Next.

The wizard finally asks to delete all application directory partitions. Tick Delete all application directory
partitions on this domain controller.
Now set the local Administrator password to log on with after the removal of ADS.

Review the options you selected and click Next to remove ADS.
The wizard now removes ADS; it takes a few minutes.

Click Finish to complete the wizard.


A system reboot is required; click Restart Now.

Removing ADS from the registry


Always use the configuration wizard to remove ADS. If the wizard fails (for example because no other
domain controller can be contacted), try dcpromo /forceremoval first; it demotes the server without
contacting the domain. Use the registry method only when that also fails.
Both forced methods leave the directory database, SYSVOL and DNS records on disk, and leave this
server's domain controller object in the directory copies held by any other domain controllers; if the
domain survives elsewhere, clean that up with ntdsutil metadata cleanup on a remaining domain
controller. Treat the resulting server as a fresh install rather than a trusted member.
To remove ADS from the registry, run the regedit command from the Run box.

Locate this key


HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
In the right pane double-click ProductType.

Replace the value LanmanNT (domain controller) with ServerNT (member or standalone server) and exit the
registry editor.

A system reboot is required; restart the system.


After the restart you will still see the Log on to: option on the logon screen; that is normal, just select the
local computer and log on.
After logging on to the local computer you can reconfigure ADS by any of the methods discussed in our
previous article.
7. How to Add or Remove Clients in a Server 2003 Domain
Network

In a domain network a client is a computer where the actual work is done by users. All clients are
controlled by the server. In our previous article we configured the server. Now we need client computers
so users can perform their assigned tasks.
We assume that you have configured the server before starting this process.
Prerequisites for the client process
 ADS is configured on Server 2003 and working
 DNS is configured on Server 2003 and working
 The client computer is connected to the server
Once you have completed the necessary steps, go to the client computer and log on with the local
administrator account.

Right-click My Computer and select Properties. In Properties, click the Change button on the Computer
name tab.

In the window that opens, select Domain under Member of, and give the name of our domain, Example.com.
You are asked to authenticate the join. We use the default Administrator account of the server, as we
have not yet created a special account for this purpose.
Give the user name Administrator and the server administrator's password.

After a few moments a welcome message appears on screen; click OK.

A system reboot is required for the change to take effect. Restart the system.

There are several ways to confirm whether a system is a client or not. You can confirm it on the logon
screen.
If you see the Log on to option on the logon screen, the system is a member of the domain.
If there is no Log on to option, the system is part of a workgroup.
After logging on you can check it in My Computer properties. Select the Computer name tab in My
Computer properties.
If you see a workgroup here, the computer is part of a workgroup.
If you see a domain here, the computer is part of the domain.

How to leave the domain


We have successfully joined the client to the domain. Now we learn how to remove a client from the
domain. For practice we remove the client we have just added.
Log on with the local administrator account.

Right-click My Computer and select Properties. In Properties, click the Change button on the Computer
name tab.

In the window that opens, select Workgroup under Member of and give any workgroup name. You are
asked to authenticate the removal. We use the default local Administrator account.
Give the user name Administrator and the local administrator's password.

After a few moments a welcome message appears on screen; click OK. A system reboot is required for
the change to take effect. Restart the system.

After the reboot, verify the removal by either method given above: the logon screen or My Computer
properties. Leaving the domain with local credentials does not disable the computer account on the
server; disable or delete it in Active Directory Users and Computers so it cannot be reused.
The Administrator account can be used in lab environments. But in a real company environment, using
the Administrator account for joining or removing clients creates a serious security risk: its password is
typed on every client, and the account has full control of the domain. Always avoid using the
Administrator account for this process. In our next article we discuss how to use another account for
this purpose.
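The join and leave steps above, as an added example that is not part of the original article: a PowerShell script calling the Win32_ComputerSystem WMI methods that the System Properties dialog itself uses. It assumes PowerShell is installed on the client (Windows XP or Server 2003), the domain example.com, and a delegated join account EXAMPLE\Vinita rather than Administrator; all three are assumptions.

```powershell
# Added example (not from the article): join or leave the domain without the GUI.
# Run as a local administrator on the client. Domain and account names are assumptions.
$mode     = "join"                 # "join" or "leave"
$domain   = "example.com"
$joinUser = "EXAMPLE\Vinita"       # delegated join account; never Administrator outside a lab
$codes = @{ 0    = "success";
            5    = "access denied: the account lacks rights on the computer object";
            1326 = "bad user name or password";
            1355 = "domain not found: check the client's DNS server setting";
            2224 = "a computer account with this name already exists" }

# NETSETUP flags: 1 = JOIN_DOMAIN, 2 = ACCT_CREATE (create the account during the join).
# Leave ACCT_CREATE out when the computer account was pre-created on the server.
$JOIN_DOMAIN = 1; $ACCT_CREATE = 2

$cs = Get-WmiObject Win32_ComputerSystem
if ($mode -eq "join") {
    $joinPwd = Read-Host "Password for $joinUser"
    # 4th argument: OU for a new account (null = default Computers container)
    $r = $cs.JoinDomainOrWorkgroup($domain, $joinPwd, $joinUser, $null, $JOIN_DOMAIN)
} else {
    # Local administrator rights are enough to leave. With no domain credentials the computer
    # account stays enabled on the server and must be disabled or deleted there by hand.
    $r = $cs.UnjoinDomainOrWorkgroup($null, $null, 0)
}
$rc = [int]$r.ReturnValue
if ($codes.ContainsKey($rc)) { $msg = $codes[$rc] } else { $msg = "Win32 error $rc" }
Write-Host "$mode returned $rc ($msg)"
if ($rc -eq 0) { Write-Host "Reboot to finish: shutdown /r /t 0" }
```

The return codes are the same Win32 errors the dialog shows as message boxes; 5 is the one you will see when the join account has not been given rights on the computer object, and 2224 appears when ACCT_CREATE is passed for an account that already exists.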
8. How to Add Clients to the Domain: the Advanced Method Used in
Company Environments (Server-Side Configuration)

In our last article we added a client to the domain using the default Administrator account. The
Administrator account can be used in a lab environment, but in a real company environment using it for
joining or removing clients creates a serious security risk. Always avoid using the Administrator
account for this process. In this article, for the server-side process, we create a special user account.
For this article I assume that
 ADS is configured on Server 2003 and working
 DNS is configured on Server 2003 and working
 The client computer is connected to the server
If you miss any of the above, see our previous articles.
On the server, log on with an administrative account and open Active Directory Users and
Computers.

Right-click the Users folder and select User from the New menu.
In the window that opens fill in the user information and click Next.

On the password screen give a password and clear the User must change password at next logon
check box.
On the summary screen click Finish.

Verify that you have successfully created the user account.


Now make this user a member of the built-in Domain Admins group.

The user must be shown on the Members tab of the Domain Admins group's properties.
Note that Domain Admins membership grants far more than a join needs; it is the same level of privilege
as the Administrator account we are trying to avoid. The join itself only needs the right to create or
write the client's computer object. Since we pre-create that object below, in a real environment grant
the user permissions on that object (or on the Computers container) instead of adding it to Domain
Admins.
Now create a computer account for the client computer. Right-click the Computers folder and select
Computer from the New menu.

Give the client computer's name [make sure you give exactly the same name the client computer has;
check it on the client before entering it here].
On the Managed screen do not tick This is a managed computer. Click Next.

On the next screen click Finish.


The next step is to grant the right to add clients to the domain. To do this open Domain Controller
Security Policy.

In the left pane expand Local Policies. Under Local Policies select User Rights Assignment, and in the
right pane double-click Add workstations to domain.
Now add Administrators [group], Administrator [account] and Vinita [the user to whom you want to grant
the right]. Authenticated Users is listed here by default, and each authenticated user may create up to
ten computer accounts; if you remove that entry, only the accounts listed keep the right, which is the
tighter setting a company environment wants.

Now refresh the group policy by running the GPUPDATE command from Run.

We have completed all the necessary steps on the server; in our next article we will see how to use this
account to join a client.
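The server-side steps above as commands, added here as an example that is not from the article. It uses dsadd and dsget (built into Server 2003) and dsacls (Windows Server 2003 Support Tools), assumes PowerShell on the server, the domain example.com, the join account Vinita from the article and a client named CLIENT1 (assumed), and goes one step beyond the article: instead of Domain Admins membership, the join account is given rights on the pre-created computer object only.

```powershell
# Added example (not from the article): create the join account and the client's computer
# object, and scope the account's rights to that object. Names are assumptions.
$domainDN   = "DC=example,DC=com"
$netbios    = "EXAMPLE"
$user       = "Vinita"            # join account from the article
$client     = "CLIENT1"           # assumed; must match the client's computer name exactly
$initialPwd = Read-Host "Initial password for $user"

# 1. Plain user account; no password change at first logon, since it is used only for joins
dsadd user "CN=$user,CN=Users,$domainDN" -samid $user -upn "$user@example.com" `
    -pwd $initialPwd -mustchpwd no -disabled no

# 2. Pre-create the computer account so nobody else can claim that name during the join
dsadd computer "CN=$client,CN=Computers,$domainDN"

# 3. Full control (GA) of that one object only: no inheritance flag, so nothing else in the
#    Computers container is affected. Compare with Domain Admins, which controls everything.
dsacls "CN=$client,CN=Computers,$domainDN" /G "${netbios}\${user}:GA"

# 4. "Add workstations to domain" is held by Authenticated Users by default (up to
#    ms-DS-MachineAccountQuota = 10 accounts each). Verify the effective setting rather
#    than editing the policy blind: the SID *S-1-5-11 in the export is Authenticated Users.
secedit /export /cfg C:\dcpolicy.inf /areas USER_RIGHTS
Select-String -Path C:\dcpolicy.inf -Pattern SeMachineAccountPrivilege
Remove-Item C:\dcpolicy.inf

# 5. Confirm what was created
dsget user "CN=$user,CN=Users,$domainDN" -samid -disabled
dsget computer "CN=$client,CN=Computers,$domainDN" -samid
```

With the object pre-created and the ACE in place, the client joins without ACCT_CREATE and without the join account holding any domain-wide right; if the join still fails with access denied, the cause is a name mismatch between $client and the client's actual computer name, not missing privilege.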
