Running A 2003/2000-Based Active Directory

A guide to planning, installing, and running Active Directory-based networks with Windows Server 2003 and/or Windows 2000 Server


“...the shortest path to Active Directory satori...”

a two-day course by Mark Minasi, author of Mastering Windows 2000 Server and Mastering Windows Server 2003 from Sybex




Course Objectives

This course explains and demonstrates to network techs and technical IT managers how to run an Active Directory-based network using Windows Server 2003 and Windows 2000 Server.  It does that in several ways:

  • First, it saves you time.  In two days you'll see what works (and sometimes doesn't work) in an Active Directory-based network built on Windows 2000 and Server 2003 systems.  And yes, that's both 2000 and 2003; we recognize that very few people will be able to move entirely to 2003 for a while, so we don't ignore 2000 in this course.
  • Second, it's built from a practical, spend-as-little-as-possible perspective.  The course's designer, Mark Minasi, runs these OSes every day in a real-life network and has experienced the goods and bads of them — and you'll hear it all.  Why spend days trying to figure out some obscure — but necessary — procedure when Mark's already spent those days figuring it out, and can explain it in just a few minutes?
  • Third, when it comes to network management, Mark is stingy.  While there are some great third-party tools out there, they're expensive — so you'll see in this course how to squeeze the most out of what's "in the box" with 2000 and 2003 to solve many network problems, and thereby save money.
  • Fourth, this course is a "second generation" Active Directory course based on a lot of real-world experience.  We've been using Active Directory constantly since 1999 and have helped many companies get AD working right.  You'll hear more than just "this is how to set up a domain" in this course.
  • Expanding upon the "second generation" notion, you will find a lot more information on AD maintenance and troubleshooting than in the first course.
  • Finally, it is an independent view of 2000 and 2003.  While they're both pretty good OSes in our experience, they do have their down-sides and "still-missing" pieces.  This course of course highlights the good stuff, but doesn't whitewash the not-so-good stuff.  Find out what works and what doesn't before committing staff-years to a network conversion.

This course is heavily demonstration-driven, so you'll see fewer concepts and more "how to make it work" skills.

In this course, we assume that you've made the choice to go to Active Directory, or are in the process of moving to AD.  We've found that building an AD and keeping it running boils down to a few basic things:

  • Making sure that DNS is secure and serving the AD, and understanding how to peer into your DNS structure to troubleshoot logon and authentication problems.
  • Understanding Active Directory.  But not just understanding its overall structural aspects — what is an organization unit, for example — but also understanding how to watch its health, maintain its database, recover from everyday problems, and re-arrange it to suit changing organizational needs.
  • Using group policies. AD is a lot of work and it's only a small simplification to say that its two main payoffs are delegation (that is, being able to fine-tune the powers of administrators so that you can let people administer some things in the network without having to give them the keys to the whole network) and group policies.  But many people appear reluctant to use GPs, as they can seem overly complex and hard to troubleshoot.  But Microsoft offers some great new tools in 2003's Resultant Set Of Policies snap-in and the Group Policy Management Console — you'll learn about both of them in this class.
  • Maintaining the shared Sysvol directories.  Every domain controller has a set of shared directories called Sysvol which contain system policies, group policies, login scripts, and default user profiles.  Sysvol is intended to run in a pretty maintenance-free mode and in general it does — but when it fails, it takes some important network pieces with it. In this class, you'll learn how it works, how to watch its health and how to fix it when it breaks.

With that focus, we think we've zeroed in on what you'll need to know to respond to your network challenges.  We'd like to do more, but many of you tell us that the boss won't let you go for more than two days — so we're trying to do the best we can with that time!

"So Is This A Windows 2000 Server Class Or a Windows Server 2003 Class?"

The short answer is "both and neither," and here's why: it focuses specifically on Active Directory rather than Server.  But it's both a 2000 Server and Server 2003 class because quite frankly the principles of running ADs are pretty much the same whether you're using 2000-based DCs, 2003-based DCs, or a combination of them.  Don't misunderstand, there are AD-related differences between 2000 and 2003 (a bit over a dozen changes, all good), and this course highlights them.  And if you want to bring this course in-house and want to focus entirely on 2000 or 2003, then we can do that.  But we felt that today's IT budget realities necessitated covering both OSes in this class.

This course is a major revision of our "Mastering Windows 2000 Server" course that we ran successfully for over two years.  Attendees of the previous course would see about 30 percent overlap in material between that course and this one.  By "revised and updated," we mean several things.

First, we sharpened the focus to just Active Directory planning, implementation, operation, maintenance and troubleshooting.  Second, because very few of you will have the luxury of (or the desire to) immediately upgrade to Server 2003, the course shows you how to attain AD health whether you're running 2000, 2003 or a mix.  Third, the first class taught a lot of concepts simply because AD's newness required that we all understand basic concepts just to get started.  But now it's time for fewer concepts and more skills -- good rock-solid, how-do-I-solve-this-problem kinds of skills.  So you'll see a lot more step-by-steps in this class.  And that's "see" those steps, not just hear them, as Mark drives the course demos with a network of five virtual computers running under VMWare.  Advanced domain administration involves complex procedures, and one false step can mess up your network. These are the kinds of things that you want to see done in a relaxed seminar atmosphere rather than in the heat of battle.

Even if Server 2003 had not arrived, the class would still have required updating, as audiences have a higher level of background knowledge than they did a few years ago. Even audiences from organizations that haven't yet implemented 2000 or Active Directory tend to know that they can't get Active Directory to work without good DNS, or what an organizational unit is, or that 2000 incorporates Plug and Play.  Leaving those kinds of things in the course, then, didn't make sense. Audiences are now more likely to need to know how to get that DNS running in an AD-optimal and AD-secure way, how to set up the OUs so as to give OU admins the power that they need.  Thus, while this seminar introduces the "what's new" aspects of Server 2003, it also covers more in-depth topics that apply to both 2000 and 2003.  

With this course, we don't have as much new conceptual ground to cover because of 2003's similarity to 2000.  Where the NT 4 to 2000 shift was a major change, 2000-to-2003 is a nice "1.1" upgrade.  That's another reason why we would be unable to honestly say "sure, this new class is all-2003, all-the-time," as there just plain aren't enough things that are new about 2003 to justify such a class.

With this revision we decided to remove some of the peripheral issues covered in the past class and focus on what we saw as the main issue -- making your domain run as smoothly and reliably as is possible, thus the AD focus.

Prerequisites

You'll get the most out of this class if you already know the basics of Microsoft networking — what a domain is, that 2000, XP and 2003 aren't really Windows but are actually NT, what an NTFS permission is, that sort of thing. 

Course Outline

  1. DNS for AD: A Split-Brain Cookbook

    DNS is, of course, the naming system of the Internet — you found our Web server by typing "www.minasi.com" into your browser, not "68.15.149.117."  And thankfully it's also the naming system of Active Directory. AD doesn't — can't — work without DNS.  In the NT 4 days, DNS was something of an afterthought in the Microsoft networking world.  But in 2000-based networks, DNS is now a central repository of essential network information.  Easily more than half of the logon failures you'll experience under AD stem from an incorrectly configured DNS server or client.

    But you can't really set up a "normal" DNS system for Active Directory; instead, you'll typically set up a somewhat more complex DNS structure called a "split-brain" or "split-horizon" DNS system. This section shows you what you'll need to know to set up and maintain an AD-optimized split-brain system that avoids the most common DNS woes, including the "DNS island" problem.  You'll also learn about what Server 2003's new stub zones and conditional forwarding are and when you'd use them.

    1. DNS's essential role
    2. The Split-Brain Cookbook
    3. Active Directory-integrated considerations
    4. DNS architecture for multi-domain ADs
      1. Designing architectures with two or more co-existing split-brain domains
      2. Solutions:
        1. Pervasive secondary DNS servers
        2. Stub zones
        3. Conditional forwarding
        4. When to use each
    5. Creating a DNS zone for your AD domain: scripting and GUI
  2. Active Directory Components

    2003 and 2000's "big show" is Active Directory.  This section reviews its major components with an eye to monitoring and troubleshooting your AD.

    1. Domains
    2. Organizational Units
    3. Trees, forests and the empty root
      1. Trees versus forests
      2. Forest design limitations
      3. Forest restructuring limitations in 2000 and 2003
    4. The global catalog
      1. What is a GC?
      2. The GC's role in logons
      3. Handling sites without GCs in 2000 and in 2003
    5. Sites
      1. What sites do
      2. Creating site, subnet and site link objects
      3. Configuring site links
      4. Site limitations in 2000 and 2003
      5. Controlling site coverage in branch offices
    6. Operations masters / FSMOs
      1. FSMO basics
      2. Forest-wide FSMOs: understanding and planning for schema master and domain naming masters
      3. Domain FSMOs: understanding and planning for PDC, RID and infrastructure masters
      4. Transferring operations master/FSMO roles
      5. Seizing operations master/FSMO roles


  3. Functional levels: Identifying 2000 versus 2003-based Active Directories

    To get the most out of a Windows 2000-based Active Directory, you've got to kick out the old NT 4 backup domain controllers (BDCs) and shift from "mixed" to "native" mode.  With Server 2003, things are a bit more complex, as there are more possibilities — your network could be a mix of NT, 2000, and 2003, just 2000 and 2003, possibly NT and 2003 with no 2000 around at all, or you might be purely 2003.  You tell AD about the makeup of your domain controller population via "functional levels," and you do have to pay attention to these — incorrectly setting your functional levels can either make your network non-functional (a "functional level" that we're all far too acquainted with!) or cause you to miss out on some of the features that you paid for!


    1. Windows 2000-based Active Directory modes
      1. Mixed mode versus native mode
      2. Requirements for native mode
      3. New names for mixed and native mode
    2. Server 2003-based Active Directory functional levels
      1. Domain functional levels
      2. New levels: Server 2003 interim functional level and Server 2003 functional level
      3. Forest functional levels
      4. What each level requires
      5. What you get from each level

  4. Migrating to and Reconfiguring Active Directories

    Installing Active Directory is easiest in a world without any previously-existing networks: build an empty domain, start up Active Directory Users and Computers, and start entering account names.  But networks are so ubiquitous nowadays that it's unlikely that you'll run into many new-from-the-ground-up networks.  So our jobs are often to take users, computers, and other things from an old network and move them to the new Active Directory network.  Sometimes that means moving from one version of the OS to another, as when we migrate from NT 4 to 2000 or 2003, upgrade from 2000 to 2003, or the like.  But networks serve organizations of people, and organizations of people change due to re-organizations, mergers, or changes in management, and then it's our job to alter the network to reflect those changes.  Sometimes a domain upgrade is no more difficult than shoving the Server CD into the drive and clicking "Upgrade"... but not usually. This section explains and demonstrates how to migrate, modify, upgrade and rearrange your Active Directory structure with the least trouble and cost.  Server 2003 provides a powerful — but complex — reorganization tool in the form of domain renaming, which can also re-arrange domains within a forest.

    The important point is this:  migration isn't just something that you'll do once; domain reorganizations can be a nearly annual event.  This section introduces you to the tools you'll need to accomplish successful migrations.

    1. The approaches: in-place versus clean and pristine
    2. The free tools
      1. adprep
      2. Netdom
      3. Active Directory Migration Tool
      4. Sidhist.vbs
      5. Ldp.exe
      6. 2003's Domain Rename function
    3. Connecting domains: 2003's new domain types
      1. External trusts
      2. Forest trusts (the cool new transitive trusts!)
      3. Shortcut trusts
      4. Realm trusts
      5. Where to use them, how to create them
    4. Renaming domains in 2003
      1. Requirements for renaming domains
      2. Doing it: the fourteen-step program
    5. Using SID histories
      1. Understanding SID histories
      2. Constraints on SID histories
      3. Viewing SID histories
      4. Removing SID histories
      5. Creating SID histories with sidhist.vbs/cloneprincipal
    6. Active Directory Migration Tool (ADMT)
      1. What it can do
      2. ADMT 2.0's password migration feature
      3. Step-by-step instructions on using ADMT to
        1. Migrate global groups
        2. Migrate user passwords
        3. Migrate user accounts
        4. Migrate member servers/workstations
        5. Change permissions on migrated servers/workstations
    7. Other tools
      1. xcopy /z
      2. permcopy
      3. subinacl

  5. Delegation and Rights: Fine-Tuning Administrator Powers

    After all this work, you might be asking yourself why you're moving to AD in the first place.  Here's one very good reason:  delegation.  Active Directories of all functional levels let you fine-tune administrator powers to a far greater degree than NT 4-based domains ever did.  But it's not all roses:  while you do have more control, there are still things that you can't do, as you'll see.  This section discusses and demonstrates how to "roll your own" departmental administrators.


    1. How delegation works
    2. The role of organizational units
    3. Delegating the easy (but limited) way:  the Delegation Wizard
    4. Delegating the hard (but flexible and often necessary) way
    5. Command-line delegation with DSACLS
    6. Testing delegations: all is usually not what it seems
    7. Un-delegating 
    8. User rights

  6. Maintaining and Troubleshooting an AD

    Once you've got an AD set up, you'll soon learn the Awful Truth.  Are you ready?  Here it is:  congratulations, you're now a database administrator.  Active Directory is a big database and running a domain sometimes means keeping that database in good shape.  In this section, you'll learn (and see) how to handle the day-to-day maintenance (and the occasional recovery) of an AD database.

    1. Identifying and resolving logon failures
      1. How 2K/XP/2003 systems use DNS to log on
      2. Understanding _msdcs, _sites, _tcp and _udp
      3. Using NSLOOKUP to troubleshoot and solve logon problems
      4. Branch office considerations
      5. Modifying logon behavior through SRV records
      6. Group policies to control SRV record registration
      7. Resolving login failures due to time synchronization problems
    2. Moving the database
      1. Optimal database location
      2. Altering database and log location
    3. Defragmenting and compressing an AD database
      1. Why compress an AD?
      2. How to do it
      3. All DCs must be compressed
    4. Checking AD integrity
    5. Backing up an AD
      1. AD backup tools
      2. AD backup caveats: the bad news
    6. Restoring an AD with authoritative restore
    7. Removing domain controllers, domains, and other AD objects by force via "metadata cleanup"
    8. Understanding and deleting zombie objects
    9. DCPROMO:  an invaluable repair tool
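    The outline items "How 2K/XP/2003 systems use DNS to log on" and "Understanding _msdcs, _sites, _tcp and _udp" (and the DNS section's point that most AD logon failures trace back to DNS) describe a check that is easy to automate.  The script below is an added example, not code from the course page or from Mark Minasi's materials: it queries the DC locator SRV records a Windows client reads when it logs on and reports any that are missing or that point at a host that no longer resolves.  The domain name, site name and the use of the Resolve-DnsName cmdlet (available on Windows 8/Server 2012 and later; on the 2000/2003-era hosts the course covers, "nslookup -type=SRV" returns the same records) are assumptions.

```powershell
# Added example (not from the course page): verify the DNS SRV records that
# Windows clients use to locate domain controllers (the "DC locator" records).
param(
    [string]$Domain = "ad.example.com",          # placeholder; use your AD DNS domain
    [string]$Site   = "Default-First-Site-Name"  # placeholder; use the client's AD site
)

# The records a client looks up when it logs on (forest root assumed = $Domain):
#   _ldap._tcp.dc._msdcs.<domain>                 -> any DC in the domain
#   _kerberos._tcp.dc._msdcs.<domain>             -> any KDC in the domain
#   _ldap._tcp.gc._msdcs.<forest>                 -> a global catalog server
#   _ldap._tcp.<site>._sites.dc._msdcs.<domain>   -> a DC in the client's own site
$records = @(
    "_ldap._tcp.dc._msdcs.$Domain",
    "_kerberos._tcp.dc._msdcs.$Domain",
    "_ldap._tcp.gc._msdcs.$Domain",
    "_ldap._tcp.$Site._sites.dc._msdcs.$Domain"
)

$problems = 0
foreach ($name in $records) {
    try {
        # Resolve-DnsName also returns the A records from the Additional section,
        # so keep only the SRV answers themselves.
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction Stop |
               Where-Object { $_.Type -eq 'SRV' }
    } catch {
        Write-Warning "MISSING: $name ($($_.Exception.Message))"
        $problems++
        continue
    }
    if (-not $srv) {
        Write-Warning "MISSING: $name (query answered, but no SRV records)"
        $problems++
        continue
    }
    foreach ($r in $srv) {
        # Each SRV record must point at a host name that itself resolves;
        # a stale record left behind by a decommissioned DC is a classic
        # cause of slow or failed logons.
        $target = $r.NameTarget
        $a = Resolve-DnsName -Name $target -Type A -ErrorAction SilentlyContinue
        if ($a) {
            $status = "ok"
        } else {
            $status = "TARGET DOES NOT RESOLVE"
            $problems++
        }
        "{0,-50} -> {1}:{2} (prio {3}, weight {4}) {5}" -f `
            $name, $target, $r.Port, $r.Priority, $r.Weight, $status
    }
}

if ($problems -eq 0) {
    "All DC locator records present and resolvable."
} else {
    "$problems problem(s) found; check the zone on the DNS server the client uses."
}
exit ([int]($problems -gt 0))
```

    Run it from a client that uses the same DNS server as your workstations, not from the DC itself: the point is to see what the client sees, which is where the "DNS island" and wrong-forwarder problems show up.  A non-zero exit code makes it usable from a scheduled task or monitoring job.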

  7. Introducing Group Policies:  GP mechanics

    You've probably had the experience sometime of finding some Registry hack that solves a long-running problem:  pretty neat, but it makes you say, "why is this stuff a secret?"  Wouldn't it be great to find something like the Registry, but easier to look around in and exploit?  That's group policies.  They're a set of networked configuration tools for 2000, XP and 2003-based systems.  It's like finding that neat Registry hack and being able to implement it not just on one system, but on thousands... and all with a few clicks!  Of course, there's no entirely free lunch here, as group policies can be a bit complicated.  This section introduces what they do and how they do it.


    1. What policies do
    2. Local versus domain-based policies
    3. Working with policies: GPEDIT.MSC
    4. Numbers of policies versus numbers of effects (policy planning)
    5. Policy precedence:  sites, domains, OUs
    6. Policy order within a container:  which policy applies first in a domain?
    7. Fine-tuning policies:  policy filtering
    8. Altering precedence — no override and block policy inheritance

  8. Tracking and Troubleshooting GPs:  2003's Resultant Set of Policies Tool

    Policies, as you've already read, can be complex.  When they work, it's great.  When they don't, well, then your clients will want to know why, and how quickly you can fix them!  This essential section presents solid steps to troubleshooting group policies.  It also highlights a terrific new tool that comes with Server 2003, the Resultant Set of Policies snap-in, and a free downloadable tool from Microsoft called Group Policy Management Console (GPMC).

    1. Forcing policy refreshes
    2. Getting 2003's power on 2000: the Group Policy Management Console (GPMC)
    3. Simple troubleshooting: GPRESULT
    4. 2003's troubleshooter: the RSOP MMC snap-in
    5. Modeling policies: "what if"-ing

  9. Creating Custom GPs

    There are hundreds of pre-built group policies in 2000, XP and 2003.

    But you just know that the one you want isn't in there.

    As we said earlier, there are tons of great Registry hacks out there.  And you'll probably find that some of your favorites are embedded in many of the built-in group policies.  But what about the Registry hacks that you really want to roll out in your network that don't have a group policy?  Simple:  build one.  In this section, you'll see how to take any Registry entry and make it a group policy.

    1. How custom GPs work
    2. Restrictions on custom GPs
    3. Understanding administrative templates
    4. Creating the new policy
    5. Using the new policy
  10. Understanding and Managing Sysvol

    Most of a domain's information lives in its AD database, which automatically replicates between domain controllers.  But domains store some vital info outside of the AD, in the Sysvol folders.  This section describes what's in there, how it gets replicated, and what to do when the replication fails.

    1. Sysvol contents and location
    2. How Sysvol replicates
    3. Monitoring and troubleshooting tools

Certification Preparation

This is not an "exam cram" class.  Our goal in this class is to help your network professionals acquire essential job-related skills rather than to focus on particular testing concepts.  Don't misunderstand — there's nothing wrong with exam-centric classes — but this class isn't one of them.  Its focus is to help your administrators plan for and learn to manage a 2000/2003-based network.

Course Materials

The class works from PowerPoint presentations.  On-site clients are strongly urged to purchase Mastering Windows Server 2003 from Sybex for students. That's not necessary for public class students, as they receive the book as part of their course registration.

Arranging a Course At Your Location

We offer this class as a public seminar about a half-dozen times a year; you can view the current schedule at www.minasi.com/pubsems.htm.  But you needn't wait — Mark can come to your organization to teach it on-site. On-site classes offer you the flexibility to lengthen or shorten the class, add hands-on labs, modify the course's focus and zero in on your group's specific needs.

Please contact our office at (757) 426-1431 between 12 noon and 5 PM Eastern time or email Assistant@Minasi.com to discuss scheduling and fees.

Don't have enough people for a private class? Consider our volume discount for our public seminars. If you sign up 10 or more employees the per-seat rate drops from $1000 to $650. Find out more at www.minasi.com/pubsems.htm#bigdiscount.