Presentation transcript:

Welcome to this evening’s TechNet Event
We would like to bring your attention to the key elements of the TechNet programme; the central information and community resource for IT professionals in the UK:
  – FREE bi-weekly technical newsletter
  – FREE regular technical events hosted across the UK
  – FREE weekly UK & US led technical webcasts
  – FREE comprehensive technical web site
  – Monthly CD / DVD subscription with the latest technical tools & resources
  – FREE quarterly technical magazine
To subscribe to the newsletter or just to find out more, please visit or speak to a Microsoft representative during the break

New Features of Windows Server 2003 Active Directory - Scenario Based
John Howard, IT Pro Evangelist, Microsoft UK

What we will cover:
Active Directory Administration
Forest Trusts
Active Directory in Small and Remote Offices
Group Policy Management Console
Software Restriction Policies

Prerequisite Knowledge
Familiarity with NT 4.0
Familiarity with NT 4.0 Domains
Familiarity with Windows 2000
Familiarity with Active Directory
Experience supporting Microsoft Networks
Experience supporting end-users
Level 200

Agenda
Simplifying Management
Connecting Forests
Connecting Small Offices
Managing Group Policies

Simplifying Management Goals
Make every-day tasks easier
Make the UI friendlier
Easier to locate objects
  – Users and groups you manage
Make automation easier
  – Provide tools that make scripting easier
  – Automate repetitive tasks

Simplified Management Drag and Drop
Drag and drop is now supported
  – Active Directory Users and Computers
  – Active Directory Sites and Services
Friendlier UI
  – Works like other administrative tools
Drag and drop users into:
  – New containers or OUs
  – Groups

Simplified Management Drag and Drop Scenarios
Scenarios:
  – Updating accounts
      Adding users or groups to groups
      Moving a server to a new site
Benefits:
  – Don’t need to open user properties
  – Fewer clicks accomplish the same task
  – Operates like other standard tools

Simplified Management Saved Queries
A query saved in the Active Directory Users and Computers
  – Accessed like a folder
Only displays a specific set of objects based on the query
Example – define queries to display accounts based on:
  – User\Group name or description
  – Account and password status
  – Days since last logon

Simplified Management Creating Saved Queries
Create in Active Directory Users and Computers
New Query:
  – Define Query Root – Start of search
  – Search users, printers, shares, etc.
  – Define variables
Queries can be exported
  – Import into other AD Users and Computers consoles

Simplified Management Saved Queries Graphic

Simplified Management Saved Queries Scenarios
Scenarios:
  – Display users and groups you manage
  – Display user accounts:
      That are disabled
      That haven’t been logged onto in 120 days
      That have non expiring passwords
Benefits:
  – Perform tasks from the Saved Queries folder
  – You don’t have to navigate through the domain, OU, and container hierarchy to locate objects

Simplified Management Command Line Tools
Automate common or repetitive administrative tasks
  – Add/remove accounts
  – Query for account properties
  – Move and modify
Run from the command line or through scripts

Simplified Management Active Directory Tools
DSAdd
  – Adds AD object such as user, group, OU, etc.
DSGet
  – Displays attributes of an AD object
DSMod
  – Modifies an existing AD object
DSMove
  – Moves or renames an AD object
DSQuery
  – Queries and lists AD objects
DSRM
  – Deletes AD objects

Simplified Management Command Line Tools Scenarios
Scenarios:
  – Create scripts that helpdesk can use
      Perform complex tasks without error
  – Make bulk changes rapidly
      Add users to groups etc.
      Move entire department to new OU
  – Run reports
      Query for expired accounts
      Document user group memberships
Benefits:
  – No need to manually perform repetitive tasks
  – Perform complex tasks without error
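
The account reports named on the Saved Queries and Command Line Tools slides (disabled accounts, no logon in 120 days, non-expiring passwords, group memberships), written as a cmd script with the DS tools. This is an added example, not part of the presentation; the report file name, the example.com domain and the Jane Doe / Finance DNs are constructed placeholders.

```batch
@echo off
rem Added example, not from the slides: account hygiene report with dsquery/dsget.
rem Assumes the Windows Server 2003 DS tools are on the PATH and the caller can
rem read the domain. REPORT and every DN below are constructed placeholders.
setlocal
set REPORT=account-audit.txt

echo === Disabled user accounts === > %REPORT%
dsquery user domainroot -disabled -limit 0 >> %REPORT%

rem -inactive is measured in WEEKS; 17 weeks (119 days) approximates the
rem 120-day threshold used on the Saved Queries slide.
echo === No logon for about 120 days === >> %REPORT%
dsquery user domainroot -inactive 17 -limit 0 >> %REPORT%

rem dsquery user has no switch for non-expiring passwords, so use a raw LDAP
rem filter: bit 65536 of userAccountControl is DONT_EXPIRE_PASSWORD and the
rem OID 1.2.840.113556.1.4.803 is the bitwise-AND matching rule.
echo === Passwords set to never expire === >> %REPORT%
dsquery * domainroot -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 >> %REPORT%

rem Document one user's group memberships, with nested groups expanded.
echo === Group memberships of one user === >> %REPORT%
dsget user "CN=Jane Doe,OU=Finance,DC=example,DC=com" -memberof -expand >> %REPORT%

rem Bulk change: once the inactive list has been reviewed, the same query can
rem feed dsmod to disable those accounts. Left commented out on purpose.
rem dsquery user domainroot -inactive 17 -limit 0 | dsmod user -disabled yes

endlocal
```

The default dsquery result limit is 100 objects; -limit 0 removes it so the report is complete in larger domains.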

Demonstration: Simpler Active Directory Administration
Drag and Drop Management
Saved Queries
Command Line Tools

Agenda
Simplifying Management
Connecting Forests
Connecting Small Offices
Managing Group Policies

Connecting Forests Goals
Need a way to allow forest-to-forest connectivity
Many companies have separate forests
  – Independent business units
  – Acquisitions or mergers
  – Business partners
Forest trusts allow these forests to share resources

Connecting Forests Forest Trusts
New trust type
Allows all domains in one forest to trust all domains in another forest
  – Trust between domains in both forests is transitive
  – Can be one-way or two-way trusts
Trusts between forests are NOT transitive
  – Forest A trusts forest B
  – Forest A trusts forest C
  – Forest C does not trust forest B transitively

Connecting Forests Forest Trusts Graphic
[Figure labels: Intranet, Division A Forest, Division B Forest, Division C Forest, Users, Trust]

Connecting Forests Namespaces and Forest Trusts
Forests publish namespaces
Namespaces are UPN suffixes
  – WorldWideImporters.com
  – Streetmarket.net
Namespaces used to determine where trusted accounts come from
  – Logon with a UPN logon when accessing resources in a trusted forest
  – Example:
Forests are trusted to be authoritative for published namespaces

Connecting Forests Creating Forest Trusts
Create in Active Directory Domains and Trusts:
  – Use the New Trust Wizard
  – Confirm incoming and outgoing trust
  – Can confirm both sides of the trust
Prerequisites
  – Both forests must be at Windows Server 2003 forest functional level

Connecting Forests Forest Trust Scenarios
Scenarios:
  – Large, decentralized organization
      Government, military, conglomerates
  – Organizations that are partnering
  – Organizations that must remain legally separate
  – Mergers and acquisitions
Benefits:
  – Simplifies access to resources in both forests
  – Single sign-on

Demonstration: Forest Trusts
Create a Forest Trust
Access Forest Resources

Agenda
Simplifying Management
Connecting Forests
Connecting Small Offices
Managing Group Policies

Connecting Small Offices Goals
Address issues common to small offices
  – Low speed WAN links
  – Low amount of available bandwidth
  – No local Global Catalog server
Make it easier to configure domain controllers
Make it easier for users to log on

Connecting Small Offices Create Domain Controller from Replica
Option for creating additional DCs in sites connected via slow links
Back up system state on DC and copy to CD
Restore data on system that will become new DC
  – Run “DCPromo /adv”
Decreases initial replication of domain data
[Figure labels: 128K, Large Site, Branch Office]

Connecting Small Offices DC from Media Scenarios
Scenarios:
  – DC needed at remote office
  – Useful for low bandwidth sites
Benefits:
  – Allows Active Directory data to be restored rather than replicated across network

Connecting Small Offices Universal Group Membership Caching
[Figure labels: 128K, Univ Groups, Large Office, GC, GC Query, Branch Office DC, Universal Group 1, Universal Group 2]
Logon is faster because group memberships are cached locally!

Connecting Small Offices UGMC Scenarios
Scenarios:
  – Small or branch offices connected to a Global Catalog server with a low speed WAN link
  – Offices experiencing slow logons due to Universal Group Membership processing
Benefits:
  – Faster logon without a Global Catalog server in the site

Demonstration: Enabling Active Directory in Small and Remote Offices
Create a Domain Controller from Backup Media
Enable UGMC

Agenda
Simplifying Management
Connecting Forests
Connecting Small Offices
Managing Group Policies

Managing Group Policies Goals
Problem: Group Policy is too hard
Existing UI confusing and limited
Core capabilities missing
  – Reporting of GPO settings
  – Backup/restore of GPOs
  – Import/export of GPOs
Existing capabilities not scriptable

Managing Group Policies Group Policy Management Console (GPMC)
What is the GPMC?
  – New admin tool for managing Group Policy:
      Set of scriptable objects for managing GP
      MMC Snap-in, built on these objects
      Standalone Web release shortly after Windows Server 2003 RTM
GPMC Design goals
  – Unify management of Group Policy
  – Address key deployment issues
  – Provide better UI for visualization
  – Enable programmatic access to GP

Managing Group Policies Copy and Import Policy
[Figure labels: Division A Forest, Division B Forest, Forest Trust, Copy Policy, Import Policy, Policy, Administrator]

Managing Group Policies Backup and Restore
Backup / Export:
  – Transfers any live GPO to the file system
  – Backs up policy settings, ACLs, links to WMI filters
Restore:
  – Puts things back exactly as before
  – GPO must be in the same domain
Scenario:
  – Restore a policy to return to original settings

Managing Group Policies Group Policy Modeling
Group Policy Modeling Wizard
  – Replaces Resultant Set of Policies (RSoP) – Planning Mode
Select user and computer OUs
  – Or select specific accounts
Displays winning policy settings
  – See effects of GPOs prior to deployment
  – Avoid conflicts and unexpected results
View results in Web based report

Managing Group Policies Group Policy Modeling Output

Managing Group Policies GPMC Scenarios
Centralized management of policies
  – Even across domain and forest boundaries
Group Policy deployment planning
Sharing and reusing GPOs across domain/forest boundaries
Centralized GPO backup and restore
All Group Policy Management tasks

Managing Group Policies GPMC Benefits
A single tool for managing GPOs
  – Multiple domains and forests can be managed
  – Single tool for all policy management
Plan with Group Policy Modeling
  – View effects of policies prior to deployment
  – Avoid policy conflicts or unexpected behavior
Troubleshoot with Group Policy Results
  – Identify existing policy conflicts
Share and reuse GPOs
  – Import and Copy GPOs across domains and forests

Managing Group Policies Software Restriction Policy Goals
New feature of Group Policies
Allow or restrict access to software
  – Set default to allow or disallow software
  – Create rules to bypass the default
  – Specify affected file extensions
Prevent:
  – Viruses
  – Unapproved or non-standard applications
  – Any applications you wish to restrict

Managing Group Policies Software Restriction Policy Rules
Certificate Rules
  – Verify digital certificate
Hash Rules
  – Identifies software with unique hash
Internet Zone Rules
  – Applies to Windows Installer packages
Path Rules
  – Define specific path for software

Managing Group Policies Software Restriction Policies Scenarios
Scenarios:
  – Prevent problematic file types (.vbs, etc)
  – Restrict access to non-standard software
Benefits:
  – Helps prevent viruses and unstable or conflicting software installations
  – Flexible rules structure
  – Consistent, automated deployment through Group Policies

Demonstration: Group Policy Management
GPMC
Modeling Wizard
Software Restriction Policies

Session Summary
Simpler Active Directory administration
Access forest resources with Forest Trusts
Easier Active Directory installation in small or remote offices
Streamline GPO deployment and administration with the GPMC

For More Information… Visit TechNet at For additional information on books, courses and other community resources that support this session visit

MS Press Inside information for IT Professionals To find the latest IT Professional related titles visit

3rd Party Publications Supplementary publications for IT Pro’s These books can be found and purchased at all good book stores and on-line retailers

Training
Training Resources for IT Professionals
Updating Support Skills from Windows NT 4.0 to Windows Server 2003 Family
  – Course Number: 2270
  – Availability: Current
  – Detailed Syllabus:
To locate a training provider, please access
Microsoft Certified Technical Education Centers are Microsoft’s premier partners for training services

What is TechNet?
Put the right answers at your fingertips
  – The comprehensive collection of resources to help IT pros plan, deploy and manage Microsoft products successfully
TechNet Subscription
  – Monthly updates delivered on DVD or CD
  – The definitive resource to help you evaluate, deploy and maintain Microsoft products
TechNet Web Site
  – Accessible at
  – Online resources and community
  – Subscriber-only Online Services
TechNet Flash
  – Biweekly e-newsletter
  – Security updates, new resources, and special offers
TechNet Events and Webcasts
  – Briefings on the latest Microsoft products and technologies
  – Hands-on, “how to” information
TechNet Communities
  – User Groups
  – Managed Newsgroups

Where Can I Get TechNet? Visit TechNet Online at Register for the TechNet Flash Join the TechNet Online forum at Become a TechNet Subscriber at Attend More TechNet Events or view on-line