Couple 2003 questions

KGhaleon Member Posts: 1,346
I haven't studied my 70-290 yet, but I'll get to it eventually. I've been going through videos and practiced setting up 2003 lately, using VMware to get a small network running. I have various users who are able to log into my one Domain controller with group policies in effect.

Now when I disabled a user account, I know that a user won't be able to log back in once he logs out. However...I was able to log out and log back in. He hasn't been restricted access...so this confuses me. I looked into cached credentials and it didn't sound like that would be the issue. I only have very basic policies in place (disable run command, control panel, etc.).

I tried signing that user on a couple minutes later, and he was then restricted. So do I need to wait a specific period of time before settings like that will occur? I only have one DC...is the 5-minute replication still a factor?

My other question...sites and forests still confuse me. Why do we need them? I have a test forest called deathgodsnote.com and have a client computer logging into it...how is the forest related to the internet? If I registered that domain name, would I place a web server somewhere in that forest so people can connect to it?
Confused. :p

KG
Present goals: MCAS, MCSA, 70-680

Comments

  • Everlife Member Posts: 253
    Hi KG,

    From my understanding, a forest is used to create a relationship between multiple trees (non-contiguous namespace). For example, say I have two companies, CompanyA and CompanyB. CompanyA's domain is companyA.com and CompanyB's is companyB.com.

    I have employees in CompanyB whom I want to have access to certain resources within CompanyA. When I create a trust between the two non-contiguous domains allowing CompanyB to have set permissions on various resources in CompanyA, I am creating a forest.

    Think of it like this:

    companyA.com -> accounting.companyA.com -> finance.companyA.com would be a tree. companyB.com -> accounting.companyB.com -> finance.companyB.com would be a tree.
    The trust between companyA.com -> companyB.com would form a forest.

    It is a difficult concept to understand, and my understanding is still meh. The concept of a forest is used to represent trusts between multiple non-contiguous namespaces. That's probably the best explanation I can give.

    I'm sure Royal or one of the other experts will be able to give you a much clearer explanation.
  • royal Member Posts: 3,352
    You make that change on 1 DC but the user might log onto another DC. You'll have to wait for all replication to take place between Domain Controllers to ensure that user will not be allowed to log in. There are certain things that trigger something called "Urgent Replication" that will bypass the entire replication interval and replicate immediately. Account lockouts are one of these but accounts being disabled are not.

    So let's explain forests, trees, domains, sites, and the internet a bit.

    Forests are used to isolate data. Domains are used to separate policy boundaries and who can administer these policies. Sites are geographically separated areas that are rich in bandwidth.

    In Active Directory, we have multiple partitions. The schema partition, configuration, and domain partition. There is also the DomainDNSZone and ForestDNSZone partition in Server 2003. Basically, a forest shares the schema partition and the configuration partition. This means, that in the Forest, the first created domain is the root forest domain which holds the Enterprise Administrator privileges. No other domain in that forest will contain the Enterprise Administrator account. Now imagine politics in this scenario. Many admins will be like, "Screw that." They'll want to create their own forest with their own domain being a root domain so they have unlimited control over their own schema and configuration. They will then create a trust with configuration modifications they need.

    Now let's say there aren't many political problems in your organization and you decide to just create 1 forest with multiple domains. There might be a situation where you create an empty forest root with multiple domains. Why? Well, because the root domain will have Enterprise Administrator power to govern the Schema and Configuration, some organizations will create an empty forest root and select certain administrators from the child domains to be granted access to the Enterprise Administrator account from the root domain. This way the domains with the regular Domain Administrators will be able to govern their own policies and certain administrators from each domain will be allowed to govern the entire forest.

    Now let's talk about domains. As I said, domains are basically separating the policies you define. You always want to design with the simplest design in mind (1 forest and 1 domain) and only add to it if the need is necessary. If you have 2 domains, you now have to worry about 2 sets of groups, group policies, etc... Both of these domains in this forest will still share the same Schema and Configuration due to them being part of the same forest, but they will both have different Domain partitions. Each domain will have its own set of group policies, groups, etc... This means the domain's data isn't isolated, but they are managing their own policies. Remember, data is not isolated until you create a new forest, due to the sharing of the schema and configuration partitions.

    Now let's talk about sites. As I said earlier, sites are geographically separated areas that are rich in bandwidth. It lets services that are site aware (Exchange 2007, Distributed File Service, etc.) know what location they are connected to and what local services are available in that site. So let's say we have an Active Directory domain called domain.com. This domain is being hosted in Florida and California. Now when a client logs on in California, we do not want this client logging into a Florida Domain Controller. Because of this, in Active Directory Sites and Services, we create 2 sites. One site would be called California and one would be called Florida. We then define the subnets that are configured in the California office and then configure the subnets that are configured in the Florida office. We then attach those subnets to their respective offices. Now when a client in Florida logs on, they will see they are in a subnet that belongs to the Florida office. Because of that, Windows knows to have that user ultimately find a Domain Controller located in the Florida office and have that user authenticate to that local Domain Controller. This ultimately saves WAN bandwidth as well as ensures that user can log in much faster.

    Windows Server 2003 is also smart enough to know what sites are closest to each other through the use of costs. So for instance, let's say we had 5 sites distributed across the USA. We assign costs to these site links. Now let's say we had DFS. If all the DFS servers go down in 1 site, a user will be redirected to a DFS server that is located in the "closest" site; or simply the next site with the lowest cost link.

    Now the internet. Many companies will configure VPNs so the bridgehead servers from one Active Directory Site will tunnel Active Directory traffic from one site to another site. Many clients will also purchase private T1/DS1/etc. links from one site to another site. They then use these private links which are not publicly available to internet users to send traffic from one site to another site. They also have their public internet links to the internet. Now I'm not a Cisco guy, but I'm 99% sure that the Cisco guys will configure the routers so if traffic is going from one site to another site, they'll send the traffic out from the private link interface to the private link interface in the other site. This way the traffic isn't being sent over the public internet link. Any other traffic hitting the router will go out to the internet.

    Hope this helps.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
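    As an added illustration of the two mechanisms in Royal's answer (a client's subnet deciding its site, and site-link costs deciding the "closest" site when the local one has no server), here is example code written for this thread, not Windows' own DC locator; the subnets, site names and costs are constructed:

```python
import ipaddress
import heapq

# Constructed sample topology (not from the thread): subnets attached to sites
# and site links with admin-assigned costs, as described in the answer above.
SUBNETS = {
    "10.1.0.0/16": "Florida",
    "10.2.0.0/16": "California",
    "10.3.0.0/24": "Texas",
}
SITE_LINKS = [  # (site A, site B, cost); links are bidirectional
    ("Florida", "Texas", 100),
    ("Texas", "California", 100),
    ("Florida", "California", 500),
]

def site_for_client(ip):
    """Map a client IP to its AD site using the most specific matching subnet."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in SUBNETS.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best[1] if best else None

def site_costs(origin):
    """Dijkstra over the site links: lowest total cost from origin to each site."""
    graph = {}
    for a, b, cost in SITE_LINKS:
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    dist, heap = {origin: 0}, [(0, origin)]
    while heap:
        d, site = heapq.heappop(heap)
        if d > dist[site]:
            continue  # stale queue entry
        for nxt, cost in graph.get(site, []):
            if d + cost < dist.get(nxt, float("inf")):
                dist[nxt] = d + cost
                heapq.heappush(heap, (d + cost, nxt))
    return dist

def pick_site(client_ip, sites_with_service):
    """Client's own site if it has the service, else the lowest-cost site that does."""
    home = site_for_client(client_ip)
    if home is None or home in sites_with_service:
        return home
    options = [(c, s) for s, c in site_costs(home).items() if s in sites_with_service]
    return min(options)[1] if options else None
```

    A client on 10.2.5.7 maps to California; if California's DFS servers are all down it is sent to Texas (total cost 100) rather than Florida (200 via Texas, or 500 direct).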
  • nel Member Posts: 2,859
    Royal's got it spot on there. Those are some good explanations.

    One final point though...in regards to the web server, you would have that placed in a DMZ and not within your internal network. Just remember, in security terms, the less you can see is always best. So if you have some web servers and a few DNS servers for their records, then these are the only things people need to see.

    I would also recommend getting a copy of Mastering Windows Server 2003 by Mark Minasi. It's a very good book and one that covers the 2003 technology. It's very good as another reference book while studying for your MS exams.
    Xbox Live: Bring It On

    Bsc (hons) Network Computing - 1st Class
    WIP: Msc advanced networking