December 04, 2012

Active Directory

Transitive trust

Transitive trust is a two-way relationship automatically created between parent and child domains in a Microsoft Active Directory forest. When a new domain is created, it shares resources with its parent domain by default, enabling an authenticated user to access resources in both the child and parent.

In mathematics, the transitive property of equality states that if a = b and b = c, then a = c. In an Active Directory transitive trust relationship, if domain A trusts domain B, and domain B trusts domain C, then domain A trusts domain C.

Active Directory tree

An Active Directory tree is a collection of domains within a Microsoft Active Directory network.

The term refers to the fact that each domain has exactly one parent, leading to a hierarchical tree structure. A group of Active Directory trees is known as a forest. Domains within the Active Directory tree structure have a transitive trust relationship, meaning that if a domain joins a tree, it automatically trusts all other domains in the tree.

Active Directory domain (AD domain)

An Active Directory domain is a collection of objects within a Microsoft Active Directory network. An object can be a single user or a group or it can be a hardware component, such as a computer or printer. Each domain holds a database containing object identity information.

Active Directory domains are grouped in a tree structure; a group of Active Directory trees is known as a forest, which is the highest level of organization within Active Directory. Active Directory domains can have multiple child domains, which in turn can have their own child domains. Authentication within Active Directory works through a transitive trust relationship.

Active Directory domains can be identified using a DNS name, which can be the same as an organization's public domain name, a sub-domain or an alternate version (which may end in .local). While Group Policy can be applied to an entire domain, it is typical to apply policies to sub-groups of objects known as organizational units (OUs). All object attributes, such as usernames, must be unique within a single domain and, by extension, an OU.

Active Directory forest (AD forest)

An Active Directory forest is the highest level of organization within Active Directory. Each forest shares a single database, a single global address list and a security boundary. By default, a user or administrator in one forest cannot access another forest.

Five Group Policy Preferences that replace Windows logon scripts

a logon script can do.

Here are five Group Policy Preferences (GPPs) that'll get you off the scripts and onto complete configuration control.
  • Drive Maps

    Many IT shops still use logon scripts solely because of their ability to map drives to shares. Until GPPs came around, logon scripts were the easiest way to associate those drives with specific users and groups. Logon scripts execute as the user logs on, so adding a net use into that script makes it so H: drives map to home folders and S: drives to shared ones. Add in a little conditional script logic, and you can map drives based on each user's identity.

    Drive Maps are a GPP found under a Group Policy Object's User Configuration half. Creating yours there enables the same mapping of drives to users, but without all the nasty scripting.
  • Environment variables

    Not every user needs environment variables set, nor does every application. Therefore, many logon scripts required some fairly complex logic to confirm variables were set based on user, machine, and even application.

    GPPs greatly simplify this process. Found in a GPO's Computer Configuration half, environment variables can be configured on a per-machine basis. Even better, by tagging each GPP with the File Match item-level targeting, you can ensure an environment variable is only applied to computers containing the application that needs them.
  • Files

    Ever have to work with an application whose settings are stored not in the registry, but in one or more files? There are still plenty of applications around that use files for storing their entire-machine and specific-user information. Files are great because they're easy to work with, but they can be hard when multiple users need configurations on multiple machines.

    The "preferences" in Group Policy Preferences highlights the fact that GPPs don't have to be enforced. It is entirely possible (and encouraged!) to use GPPs for defining a user's or an application's initial configuration. Once that initial configuration is set, users can then make whatever changes suit their needs.

    Files are a GPP found in either half of a GPO. This GPP enables you to copy files from a source to destination location. They're absolutely useful for copying files for those applications that need them. Just create your initial configuration, add that file to a GPP, and see it automatically distribute out to any relevant computer. Check the box for Apply once and do not reapply under the GPP's Common tab if you want to give users the preference and not the policy.
  • Registry

    While there remain some apps that store configurations in files, the vast majority of them today use the Windows registry. Back before GPPs, making registry changes was notoriously difficult, especially if they were to the HKEY_CURRENT_USER hive.

    GPPs once again come to the rescue for locking down (or suggesting) application configurations, across both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER. In a GPO you'll find Registry GPP support in both the Computer and User Configuration halves. You can guess which hive each half corresponds to.

    Often, however, the hardest part of controlling registry values is merely finding them. The software packager tool can help. Many software packagers do their work by analyzing two snapshots of a system, one before the application and another after it completes. By looking for what's different between these two snapshots, the packager can identify what files and registry keys were changed by an installation.

    You can use that same process to figure out which registry value an application setting corresponds to. The trick: Do the initial snapshot with the application already installed. Change the application setting, and then do the second snapshot. Whatever changed is what you'll enter into the Registry GPP.
  • Printers

    You think you're smart because you've published your printers into your Active Directory, but even the most well-documented (and well-named) printer structure can still confuse users. Why not map whatever printer is closest to them, automatically?

    You can with Printers in a GPP, linked with either the Computer or User half of a GPO. You'll also need the aid of some setting on each computer that identifies where that computer lives. A common one is its subnet.

    If your network engineers have laid out subnets by location, you can use that network in a GPP's Item-Level Targeting. Just add it as an IP Address Range, and the next time users log in they'll automatically attach to their closest printer.

GPPs aren't even new technology. They've been around since the release of Windows Server 2008. They're stable, they're easy to use, and they're a technology you already have on-hand. No extra software (or budget) needed.

The top five Group Policy PowerShell commands

With the number of options available to you in Group Policy, it is a lot easier to administer using a GUI. However, since the release of Windows Server 2008 there are Group Policy PowerShell commands available that can make this process a lot easier.

Get-GPO

The Get-GPO command retrieves all the information you require about a specific Group Policy Object (GPO). You can retrieve the GPO information based on GPO name, the GPO's GUID or, by choosing the -All switch, all of the GPOs in the domain. Although you may feel you can get all this information from the Group Policy Management Console (GPMC), the output also lists useful information you might normally miss, such as the owner of the GPO, the time it was created, the time it was last modified and whether everything is enabled or disabled. This is very useful when troubleshooting the creation and editing of GPOs within your network.

Backup/Restore-GPO

Although it is assumed that your GPOs are backed up as part of a System State backup, it is also a good idea to back up Group Policy as a separate task, as this will make restoring GPOs much easier. Fortunately, PowerShell allows you to do this by using the Backup-GPO cmdlet. As with the Get-GPO command, you can specify the GPO to be backed up based on its name, GUID or using the blanket -All switch. The most useful part of this command is that it allows you to schedule a backup using a PowerShell script:

Backup-Gpo -Name CompanyGPO -Path C:\GPO-Backup -Comment "Monthly Backup"

The Restore-GPO cmdlet restores GPOs back to the domain specified. However, if you are using the backup and restore GPO commands as a way of transferring Group Policy objects, you'll need to keep to the same version of the Windows Server 2008 operating system. Non-Windows Server 2008 R2 versions cannot restore Windows Server 2008 R2 GPOs.
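The scheduled backup described above, as an added example (not the article's own script): every GPO is written to a date-stamped folder under C:\GPO-Backup, old folders are pruned, and a monthly scheduled task is registered with schtasks.exe. The backup root, retention window and script path are assumptions.

```powershell
# Added example, not from the article. Assumes the GroupPolicy module (GPMC / RSAT)
# is installed and the account running the task can read every GPO in the domain.
Import-Module GroupPolicy

function Backup-AllGpos {
    param(
        [string]$Root     = 'C:\GPO-Backup',   # assumed backup root
        [int]   $KeepDays = 180                # assumed retention window
    )
    $dest = Join-Path $Root (Get-Date -Format 'yyyy-MM-dd')
    New-Item -ItemType Directory -Path $dest -Force | Out-Null

    # Backup-GPO -All writes one backup per GPO (plus manifest.xml) under $dest.
    $backups = Backup-GPO -All -Path $dest -Comment "Monthly Backup $(Get-Date -Format 'yyyy-MM')"

    # A readable index beside the manifest: GPO name -> backup id, for Restore-GPO -BackupId.
    $backups | Select-Object DisplayName, GpoId, Id, CreationTime |
        Export-Csv -Path (Join-Path $dest 'index.csv') -NoTypeInformation

    # Prune dated folders that are older than the retention window.
    Get-ChildItem -Path $Root -Directory |
        Where-Object { $_.CreationTime -lt (Get-Date).AddDays(-$KeepDays) } |
        Remove-Item -Recurse -Force

    return $backups
}

function Register-GpoBackupTask {
    param([string]$ScriptPath = 'C:\Scripts\Backup-Gpo.ps1')  # assumed path of this script
    # Run on the first day of every month at 02:00 as SYSTEM (schtasks supports MONTHLY directly).
    $cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""
    schtasks.exe /Create /F /TN 'GPO Monthly Backup' /SC MONTHLY /D 1 /ST 02:00 /RU SYSTEM /TR $cmd
}

# When run by the task, perform the backup; register the task once by hand.
if ($MyInvocation.InvocationName -ne '.') { Backup-AllGpos | Out-Null }
```

A single GPO can be put back from a dated folder with Restore-GPO -Name <name> -Path <folder>; the index.csv gives the BackupId when several backups of the same GPO exist.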

Get-GPResultantSetOfPolicy

The Resultant Set of Policy tool has been available in the GPMC for some time, and is a useful tool for logging and planning your Group Policy deployments. The PowerShell Get-GPResultantSetOfPolicy cmdlet allows you to produce Group Policy reports very quickly, in HTML format. For example, if you wanted to check the resultant policy settings for a particular user on a particular computer you could run the following command and produce an HTML document with all of the information broken down:

Get-GPResultantSetofPolicy -user domain\domain.user -reporttype html -path c:\GPO-Reports\UserGPOReport.html

As with all of the cmdlets mentioned, an extra tool that PowerShell offers is the ability to script the command on a scheduled basis so you can monitor your Group Policy infrastructure more efficiently.

Set/Remove-GPLink

The GPLink cmdlets allow you to create, modify and remove links between GPOs and organizational units. Although this may seem easy to achieve using the GPMC, the cmdlets also provide you with another handy admin tool. Say you require a GPO to run on a specific day once a month, and the rest of the month you don't want the GPO to apply at all. Using the GPLink cmdlets you can schedule when a link is applied and then removed without having to do so manually. You can also use other GPO cmdlets in combination with GPLink and then use the pipe to execute the Remove-GPLink cmdlet, as in the example below, which retrieves the GPO links on an OU (including inherited ones) and then removes them:

(Get-GPInheritance -Target "ou=CompanyOU,dc=domain,dc=com").GpoLinks | Remove-GPLink
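The "one day a month" scenario above, as an added example (not the article's code): rather than creating and deleting the link, the script flips the existing link between enabled and disabled, which keeps its link order and Enforced setting intact. The GPO name, OU and day of month are placeholders; run it daily from a scheduled task.

```powershell
# Added example, not from the article. Assumes the GroupPolicy module is installed
# and the caller may edit links on the target OU.
Import-Module GroupPolicy

function Set-MonthlyGpoLink {
    param(
        [string]  $GpoName    = 'CompanyGPO',                    # placeholder GPO
        [string]  $Target     = 'ou=CompanyOU,dc=domain,dc=com', # placeholder OU
        [int]     $ApplyOnDay = 1,                               # day of month the GPO should apply
        [datetime]$Now        = (Get-Date)
    )
    $shouldBeEnabled = ($Now.Day -eq $ApplyOnDay)
    $state = if ($shouldBeEnabled) { 'Yes' } else { 'No' }

    # Get-GPInheritance lists every link on the OU together with its current state.
    $link = (Get-GPInheritance -Target $Target).GpoLinks |
            Where-Object { $_.DisplayName -eq $GpoName }

    if (-not $link) {
        # No link yet: create it directly in the desired state instead of failing.
        New-GPLink -Name $GpoName -Target $Target -LinkEnabled $state | Out-Null
    }
    elseif ($link.Enabled -ne $shouldBeEnabled) {
        # Only touch the link when its state actually has to change; this avoids a
        # needless GPO version bump and a spurious modification timestamp.
        Set-GPLink -Name $GpoName -Target $Target -LinkEnabled $state | Out-Null
    }
    return $shouldBeEnabled
}

Set-MonthlyGpoLink
```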

Get-GPPermissions

One reason a Group Policy application sometimes fails to apply is because the incorrect permissions have been set on the GPO. The Get-GPPermissions cmdlet produces a breakdown report of who exists in the GPO's Access Control List (ACL) and the permissions that have been applied. So if you wanted to view exactly who had permissions on a certain GPO, you can use the following cmdlet:

Get-GPPermissions -Name CompanyGPO -TargetName "Company" -TargetType Group

This would give you the following output:

Trustee         : Domain Users
TrusteeType     : Group
PermissionLevel : GpoRead
Inherited       : False

You could also get this information for all of the objects in the ACL, therefore including all admin and system groups as well. With such a simple output this makes it very easy to rule out any permission-based issues when applying GPOs.
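Putting the Get-GPO and Get-GPPermissions sections together, as an added example (not the article's code): one pass over every GPO in the domain that records the owner and timestamps Get-GPO exposes, and uses Get-GPPermission -All to flag any trustee outside an expected admin set that holds edit rights on the GPO. The list of expected editors, the stale-age threshold and the report path are assumptions.

```powershell
# Added example, not from the article. Assumes the GroupPolicy module is installed;
# the permission entries are read from the GPPermission objects' Permission property.
Import-Module GroupPolicy

# Trustees that are expected to be able to edit GPOs (assumed; adjust for your domain).
$ExpectedEditors = @('Domain Admins', 'Enterprise Admins', 'SYSTEM', 'ENTERPRISE DOMAIN CONTROLLERS')

function Get-GpoAuditReport {
    param([int]$StaleDays = 365)   # GPOs not modified for this long are flagged for review
    $cutoff = (Get-Date).AddDays(-$StaleDays)

    foreach ($gpo in Get-GPO -All) {
        # -All returns one entry per ACE on the GPO, not just a single trustee.
        $perms = Get-GPPermission -Guid $gpo.Id -All

        # Edit rights are what matter for integrity; GpoRead/GpoApply are normal for users.
        $editors = $perms | Where-Object {
            @('GpoEdit', 'GpoEditDeleteModifySecurity') -contains $_.Permission
        }
        $unexpected = $editors | Where-Object { $ExpectedEditors -notcontains $_.Trustee.Name }

        [pscustomobject]@{
            Name              = $gpo.DisplayName
            Id                = $gpo.Id
            Owner             = $gpo.Owner
            Created           = $gpo.CreationTime
            Modified          = $gpo.ModificationTime
            Status            = $gpo.GpoStatus
            StaleSinceCutoff  = ($gpo.ModificationTime -lt $cutoff)
            UnexpectedEditors = (($unexpected | ForEach-Object { $_.Trustee.Name }) -join ';')
        }
    }
}

Get-GpoAuditReport -StaleDays 365 |
    Sort-Object Modified -Descending |
    Export-Csv -Path 'C:\GPO-Reports\GpoAudit.csv' -NoTypeInformation   # assumed report path
```

Any row with a non-empty UnexpectedEditors column, or an Owner that is not one of the admin groups, is worth checking against change records before assuming a policy failure is a permissions problem.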

Active Directory management services: cleanup and optimization

Active Directory is widely regarded as being maintenance free, but there are still opportunities for VARs to offer cleanup, optimization and other Active Directory management services.

Active Directory (AD) centers on the Directory Services database. This database will perform more efficiently when it is free from clutter. An AD database that has been in place for a year is likely to contain unnecessary objects. Solution providers can offer Active Directory management services that involve cleaning out these unnecessary objects, then optimizing AD for maximum performance.

Active Directory cleanup services

Unnecessary AD objects tend to fall into two main categories: user accounts and computer accounts. There are other types of objects that can be removed as part of your Active Directory management services, but user and computer accounts are the most common (and the easiest to identify).

Often, AD user accounts will exist for users who no longer work for the organization, or for users who really don't need an account. One way to identify such user accounts when performing Active Directory cleanup services is to use a free tool called AD Tidy to determine when each user last logged in.

As a word of caution, you cannot assume that it is safe to delete a user account just because a user has not logged in for an extended period of time. In larger organizations it has become common to disable a former employee's account rather than deleting it. This is done because Exchange Server ties mailbox contents to user accounts. Therefore, if you delete a user account you will delete all of the email associated with their account as well. As such, it is best to generate a list of potentially unneeded user accounts and let your client make the decision as to which ones should be deleted. It is also best to make a backup file before removing anything from AD.

Computer accounts are a lot safer to remove. The process of joining a server or workstation to the domain creates a computer account for that machine. If a computer is decommissioned without being removed from the domain, its computer account will remain in AD even though the computer is technically no longer participating in the domain.
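The candidate list and backup file described in the two paragraphs above, as an added example (not the article's procedure, which uses AD Tidy): Search-ADAccount from the ActiveDirectory module finds user and computer accounts with no logon for a given number of days, the candidates are exported to CSV for the client to review, and each object's attributes are saved before anyone touches it. Nothing is deleted or disabled by the script. The output folder and inactivity window are assumptions.

```powershell
# Added example, not from the article. Assumes the ActiveDirectory module (RSAT) and
# read access to the domain. lastLogonTimestamp is replicated with a lag of up to 14
# days, so the result is a review list, not a deletion list.
Import-Module ActiveDirectory

function Get-StaleAccountReport {
    param(
        [int]   $InactiveDays = 90,            # assumed inactivity window
        [string]$OutDir       = 'C:\AD-Cleanup' # assumed export folder
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $span = New-TimeSpan -Days $InactiveDays

    # Enabled users with no logon in the window; already-disabled ones were handled earlier.
    $users = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
             Where-Object { $_.Enabled }
    # Computer accounts left behind by machines that were never unjoined.
    $computers = Search-ADAccount -AccountInactive -TimeSpan $span -ComputersOnly

    $report = foreach ($acct in @($users) + @($computers)) {
        [pscustomobject]@{
            Class         = $acct.ObjectClass
            Name          = $acct.SamAccountName
            Enabled       = $acct.Enabled
            LastLogonDate = $acct.LastLogonDate
            DN            = $acct.DistinguishedName
        }
    }
    $report | Export-Csv -Path (Join-Path $OutDir 'stale-accounts.csv') -NoTypeInformation

    # Backup file per candidate: every attribute, so the object can be rebuilt if needed.
    foreach ($acct in $report) {
        Get-ADObject -Identity $acct.DN -Properties * |
            Export-Clixml -Path (Join-Path $OutDir "$($acct.Name).xml")
    }
    return $report
}

Get-StaleAccountReport | Format-Table Class, Name, LastLogonDate -AutoSize
```

Once the client has signed off on the list, Disable-ADAccount on the approved entries (rather than Remove-ADObject) keeps the Exchange mailbox linkage intact, in line with the caution above.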

When it comes to Active Directory cleanup and removing computer accounts, the one thing you need to know is that removing a computer account does not necessarily remove references to that computer account. For example, suppose that an Exchange server crashes and your client decides to replace it with a different server that has a different name. In such a situation you could safely delete the old server's computer account from AD because that server will never be used again. But the remaining Exchange servers will still see the failed server as a part of the Exchange organization, because the AD database still contains references to the server even though its computer account has been deleted. To get rid of the unwanted references to the old server, you would use the ADSI Edit tool to manually edit AD.

Active Directory optimization services

Normally you don't have to do anything in regards to Active Directory optimization, because Windows Server performs an automated maintenance cycle that defragments the database on a regular basis. But when items are deleted from the AD database, they are replaced by white space. The defragmentation process consolidates all of the white space, but it does nothing to shrink the size of the database.

In most cases you won't have to worry about trying to reclaim disk space from the AD database, but there are a few special situations in which such Active Directory optimization is necessary. For example, you might want to try to shrink the AD database if there is less than 500 MB of space remaining on the volume containing the NTDS.DIT file. Likewise, you should consider shrinking the database if the remaining free disk space on the volume housing the database is equal to 20% or less of the NTDS.DIT file's size.

If the log files happen to reside on the same volume as the database then the volume should contain at least 1 GB of free space, and should always have at least enough free space to accommodate a 20% growth of both the database and the log files.

Consolidating the AD database requires rebooting the server into Active Directory Restore Mode and using NTDSUTIL to shrink the database. A similar process can also be used to relocate the database.

You must create a full system state backup before taking the domain controller offline because performing the procedure incorrectly can destroy the domain controller. The procedure can also fail because of undetected corruption in the database.

Although Active Directory optimization can be performed manually, there are also a number of products that are designed to automate the process. If you decide to offer Active Directory management services to your customers, you can use these products to your advantage. If customers prefer to maintain their own Active Directory, you can sell them an Active Directory cleanup product.
