Chapter 4: Planning the Active Directory and Security

Learning Objectives

Explain the contents of the Active Directory

Plan how to set up Active Directory elements such as organizational units, domains, trees, forests, and sites

Plan which Windows 2000 security features to use in an organization, including interactive logon, object security, and services security

Learning Objectives (continued)

Plan how to use groups, group policies, and security templates

Plan IP security measures

Windows NT Domain Structure

Security Accounts Manager (SAM) database holds data on user accounts, groups, and security privileges

One primary domain controller (PDC) has the master copy of the SAM

One or more backup domain controllers (BDCs) have backup copies of the SAM

Using a PDC, BDCs, and the SAM database

Figure 4-1 Windows NT SAM architecture (diagram: one PDC holding the primary SAM and several BDCs each holding a backup SAM, all serving the domain's resources)

Windows 2000 Active Directory

Domain objects including user accounts, computers, servers, printers, groups, security policies, domains, and other objects compose the Active Directory

Active Directory Objects

Figure 4-2 Domain objects in the Active Directory (diagram: the domain objects contained within the Active Directory)

Multimaster Replication

Multimaster replication: In Windows 2000 there can be multiple servers, called domain controllers (DCs), that store the Active Directory and replicate it to each other. Because each DC acts as a master, replication does not stop when one is down. Each DC is a master in its own right.

Multimaster Architecture

Figure 4-3 Windows 2000 Active Directory architecture (diagram: four DCs, each holding its own copy of the Active Directory and the domain objects)

Schema

Schema: Elements used in the definition of each object contained in the Active Directory, including the object class and its attributes

Example Schema Characteristics of the User Account Class

Unique object name

Globally unique identifier (GUID) associated with each object name

Required attributes

Optional attributes

Syntax of how attributes are defined

Pointers to parent entities

Example User Account Attributes

Username

User's full name

Password

Schema Example

Figure 4-4 Sample schema information for user accounts (diagram: the Active Directory schema covers the object classes user account, computer, printer, and domain; for each class it records object name, GUID, required attributes, optional attributes, syntax, and parent relationships; the user account example lists the attributes username, user's full name, password, account description, and remote access OK)

Default Object Classes

Domain

User account

Group

Shared drive

Shared folder

Computer

Printer

Object Naming

Common name (CN): The most basic name of an object in the Active Directory, such as the name of a printer

Distinguished name (DN): A name in the Active Directory that contains all hierarchical components of an object, such as that object's organizational unit and domain, in addition to the object's common name

Object Naming (continued)

Relative distinguished name (RDN): An object name in the Active Directory that has two or more related components, such as the RDN of a user account name that consists of User (a container for accounts) and the first and last name of the actual user

Namespace

Namespace: A logical area on a network that contains directory services and named objects, and that has the ability to perform name resolution

Types of Namespaces

Contiguous namespace: A namespace in which every child object contains the name of its parent object

Disjointed namespace: A namespace in which the child object name does not resemble the name of its parent object

Active Directory Elements

Domains

Organizational units (OUs)

Trees

Forests

Sites

Active Directory Architecture

Figure 4-5 Active Directory hierarchical containers (diagram: a forest containing trees, each tree containing domains, each domain containing OUs, with Site A, Site B, and Site C overlaid across the domains)

Functions of a Domain

Provide a security boundary for objects in a common relationship

Establish a set of data to be replicated among DCs

Expedite management of a set of objects

Using a Single Domain

Figure 4-6 Single domain (diagram: one domain with two DCs, each holding the Active Directory, forming a single security and management boundary that spans Intranet 1 and Intranet 2 and connects to the Internet)

Using Multiple Domains

Figure 4-7 Using multiple domains (diagram: a domain for the South Carolina site and a separate domain for the site in Japan, each with its own DCs holding the Active Directory, connected to each other by satellite)

Domain Creation Dos and Don'ts

Do's:

Create a domain in circumstances that require special security measures between organizational groupings, such as departments, units, or divisions

Create a domain for specialized management of particular resources (often also related to the security and network architecture)

Don'ts:

Create domains that represent the organizational structure, because frequent reorganizations result in major restructuring of domains and the Active Directory

Create domains along business process divisions, which are often political divisions within an organization, because new management may redefine business process activities, resulting in a major restructuring of domains and the Active Directory

Domain Creation Dos and Don'ts (continued)

Do's:

Create a domain to migrate Windows NT servers to Windows 2000

Create a domain when geography or WAN links make it difficult to replicate DCs between organizational groupings, such as departments, units, or divisions

Functions of an OU

Group related objects, such as user accounts and printers, for easier management

Reflect the structure of an organization

Group objects to be administered using the same group policies

Using OUs to Reflect Organizational Structure

Figure 4-8 OUs used to reflect the divisional structure of a company (diagram: the grocery.com domain containing a Manufacturing Division OU, a Distribution Division OU, and a Retail Division OU, each served by DCs holding the Active Directory)

Design Tips for Using OUs

Limit OUs to 10 levels or fewer

OUs use fewer CPU resources when they are set up horizontally instead of vertically

Each request through an OU level requires CPU time in a search

OU Creation Dos and Don'ts

Do's:

Create OUs, as needed, to represent the organizational structure of departments, units, and divisions for different policies and to delegate administration

Create OUs, as needed, to represent objects in the Active Directory that have similar policies, security, or other characteristics, such as shared printers or shared disk drives

Don'ts:

Create OUs more than 10 layers deep

Create more OUs than absolutely necessary

OU Creation Dos and Don'ts (continued)

Do's:

Create OUs, as needed, to represent specific project areas, such as for employees who are temporarily helping with the installation of a new client/server system

Create OUs, as needed, to represent the business process or political functions in an organization, such as an OU for the president's office, one for the business office, and one for each research group in a health research organization

Don'ts:

Create OUs for major security boundaries when this can be handled by a domain or by sites (discussed later), such as for IP traffic control

Create OUs for DC replication
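To make the naming and OU-depth rules concrete, here is an added example (my own code, not from the chapter) that parses a distinguished name into the CN, OU, and DC components described under Object Naming and checks the chapter's limit of 10 OU levels; the DNs and helper names are constructed for illustration.

```python
"""Parse Active Directory distinguished names and apply the OU depth rule.

Added example, not from the textbook chapter: it breaks a DN into the CN, OU
and DC components described under Object Naming and checks the chapter's
design limit of at most 10 OU levels. All DNs below are constructed.
"""
import re

MAX_OU_DEPTH = 10  # design limit stated in the chapter


def _split_unescaped(text: str, sep: str) -> list:
    """Split on sep while leaving backslash-escaped characters untouched."""
    parts = []
    buf = []
    i = 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            buf.append(text[i:i + 2])  # keep the escape pair for now
            i += 2
            continue
        if text[i] == sep:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(text[i])
        i += 1
    parts.append("".join(buf))
    return parts


def parse_dn(dn: str) -> list:
    """Return the DN as (attribute, value) pairs, leftmost (most specific) first.

    Attribute names are upper-cased; escaped commas and equals signs in values
    (for example "Doe\\, Jane") are unescaped after splitting.
    """
    pairs = []
    for rdn in _split_unescaped(dn, ","):
        attr_value = _split_unescaped(rdn, "=")
        if len(attr_value) != 2 or not attr_value[0].strip():
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr, value = attr_value
        pairs.append((attr.strip().upper(), re.sub(r"\\(.)", r"\1", value.strip())))
    return pairs


def common_name(dn: str) -> str:
    """The object's CN, the most basic name the chapter describes."""
    for attr, value in parse_dn(dn):
        if attr == "CN":
            return value
    raise ValueError("DN has no CN component")


def domain_of(dn: str) -> str:
    """Reassemble the DC components into the DNS name of the object's domain."""
    return ".".join(value for attr, value in parse_dn(dn) if attr == "DC")


def ou_path(dn: str) -> list:
    """OU containers from the domain downward (outermost OU first)."""
    return [value for attr, value in reversed(parse_dn(dn)) if attr == "OU"]


def check_ou_depth(dn: str) -> tuple:
    """(within the 10-level design limit, number of OU levels) for the DN."""
    depth = len(ou_path(dn))
    return depth <= MAX_OU_DEPTH, depth


if __name__ == "__main__":
    sample = "CN=Doe\\, Jane,OU=Sales,OU=West,DC=tracksport,DC=com"  # constructed
    print(common_name(sample), domain_of(sample), ou_path(sample), check_ou_depth(sample))
```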

Characteristics of a Tree

Member domains are in a contiguous namespace

Member domains can compose a hierarchy

Member domains use the same schema for common objects

Member domains use the same global catalog

Global Catalog

Global catalog: A grand repository for all objects and the most frequently used attributes for each object in all domains. Each tree has one global catalog.

Global Catalog Functions

Authenticating users

Providing lookup and access to resources in all domains

Providing replication of key Active Directory elements

Keeping a copy of the most frequently used attributes for all objects

Hierarchical Domains in a Tree

Figure 4-9 Tree with hierarchical domains (diagram: the root domain tracksport.com with the child domains west.tracksport.com, east.tracksport.com, north.tracksport.com, and south.tracksport.com, joined by two-way trusts)

Kerberos Transitive Trust

Kerberos transitive trust relationship: A set of two-way trusts between two or more domains in which Kerberos security is used.

Trusted and Trusting Domains

Trusted domain: A domain that has been granted security access to resources in another domain

Trusting domain: A domain that allows another domain security access to its resources and objects, such as servers

Tree Creation Dos and Don'ts

Do's:

Define main domains before defining a tree

Plan the hierarchy of domains and use of OUs before creating a tree

Define a tree when you have domains in different countries so that you can set up each domain to use a language native to the country where it resides

Don'ts:

Define a tree prior to creating the first domain

Define a tree if you can use a single domain structure (a better alternative than using trees, if possible)

Define a tree if you must use a disjointed namespace

Tree Creation Dos and Don'ts (continued)

Do's:

Define a tree if you are planning multiple domains that will be administered at different sites by different people

Create a tree and multiple domains when WAN connectivity is slow between distant sites, because global catalog replication transfers less information and requires less bandwidth than DC replication

Planning Tip

Make sure each tree has at least one DC that is also configured as a global catalog

Locate global catalog servers in a network design architecture that enables fast user authentication (so that authentication does not have to be performed over a WAN link, for example)

Characteristics of a Forest

Member trees use a disjointed namespace (but contiguous namespaces within trees)

Member trees use the same schema

Member trees use the same global catalog
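The contiguous-versus-disjointed namespace rule from Types of Namespaces, together with the tree and forest characteristics above, can be applied mechanically to a list of planned domain names. The following is an added example (my own code, not from the chapter): it groups domains into trees by DNS suffix, recommends single domain, tree, or forest, and names the forest after the root of the first tree as the chapter advises; the domain lists are those of Figures 4-9 and 4-10, and the function names are my own.

```python
"""Group domains into trees by contiguous namespace and decide tree vs. forest.

Added example, not from the textbook chapter. A tree's member domains form a
contiguous namespace (each child name ends with its parent's name); a forest
joins trees whose root names are disjointed; the forest is named after the
root domain of the first tree. Whether two sets of trees can share one forest
or need separate forests depends on schema sharing, which this code does not
model. Domain lists in the demo come from Figures 4-9 and 4-10.
"""
from typing import Dict, List, Optional, Tuple


def parent_of(domain: str, candidates: List[str]) -> Optional[str]:
    """Longest candidate that is a proper DNS suffix of domain, or None when the
    domain has no parent in the list (it is then the root of its own tree)."""
    best = None
    for cand in candidates:
        if cand != domain and domain.endswith("." + cand):
            if best is None or len(cand) > len(best):
                best = cand
    return best


def build_trees(domains: List[str]) -> Dict[str, List[str]]:
    """Map each tree root to its member domains, preserving input order."""
    seen: List[str] = []
    for name in domains:
        name = name.lower().strip(".")
        if name not in seen:
            seen.append(name)
    root_of: Dict[str, str] = {}
    # Fewer labels first (stable sort) so a parent is resolved before its children.
    for name in sorted(seen, key=lambda d: d.count(".")):
        parent = parent_of(name, seen)
        root_of[name] = root_of[parent] if parent else name
    trees: Dict[str, List[str]] = {}
    for name in seen:
        trees.setdefault(root_of[name], []).append(name)
    return trees


def recommend_model(domains: List[str]) -> Tuple[str, str, Dict[str, List[str]]]:
    """Return (model, forest name, trees); model is 'single domain', 'tree' or
    'forest', following the chapter's guidelines."""
    trees = build_trees(domains)
    first_root = next(iter(trees))  # the forest takes the first tree's root name
    if len(trees) == 1:
        model = "single domain" if len(trees[first_root]) == 1 else "tree"
    else:
        model = "forest"
    return model, first_root, trees


if __name__ == "__main__":
    figure_4_10 = ["partsplus.com", "toronto.partsplus.com", "montreal.partsplus.com",
                   "detroit.partsplus.com", "2m.com", "greenville.2m.com",
                   "florence.2m.com", "atlanta.2m.com", "chelos.com",
                   "oaxaca.chelos.com", "mexicocity.chelos.com",
                   "monterrey.chelos.com", "puebla.chelos.com", "valencia.chelos.com"]
    print(recommend_model(figure_4_10))
```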

Single Forest

Single forest: An Active Directory model in which there is only one forest with interconnected trees and domains that use the same schema and global catalog

Single Forest Architecture

Figure 4-10 A forest (diagram: the forest partsplus.com made up of three trees: partsplus.com with toronto.partsplus.com, montreal.partsplus.com, and detroit.partsplus.com; 2m.com with greenville.2m.com, florence.2m.com, and atlanta.2m.com; and chelos.com with oaxaca.chelos.com, mexicocity.chelos.com, monterrey.chelos.com, puebla.chelos.com, and valencia.chelos.com)

Separate Forest

Separate forest: An Active Directory model that links two or more forests in a partnership, but the forests cannot have Kerberos transitive trusts or use the same schema

Separate Forest Architecture

Figure 4-11 Separate forest model (diagram: the forest books.com containing health.books.com and cook.books.com, alongside the separate forest printers.com containing hardback.printers.com, paperback.printers.com, and textbook.printers.com)

Forest Creation Dos and Don'ts

Do's:

Create a forest to join trees/domains that can share schemas and global catalogs

Create a single forest when there is no need to separate internal and external DNS resources between trees

Don'ts:

Create forests when the member trees have little in common or cannot share the same schema

Create a single or separate forest until you understand the security needs of all domains, trees, and potential forests

Forest Creation Dos and Don'ts (continued)

Do's:

Create separate forests when the internal and external DNS resources must be kept separate between two or more forests

Establish a forest's name by using the name of the root domain or first domain in the first tree

Don'ts:

Create a separate forest when there is a possibility that the forests may merge into a single forest in the future

Create a separate forest when the member forests must have a Kerberos transitive trust between them

Design Tip

When you create a separate forest structure, remember that:

Replication cannot take place between forests

The forests use different schema and global catalogs

The forests cannot be easily blended into a single forest in the future

Site

Site: An option in the Active Directory to interconnect IP subnets so that it can determine the fastest route to connect clients for authentication and to connect DCs for replication of the Active Directory. Site information also enables the Active Directory to create redundant routes for DC replication.

Characteristics of a Site

Reflects one or more interconnected subnets (512 Kbps or faster)

Reflects the same boundaries as the LAN

Used for DC replication

Enables clients to access the closest DC

Composed of servers and configuration objects

Site Links

Site link object: An object created in the Active Directory to indicate one or more physical links between two different sites

Site link bridge: An Active Directory object (usually a router) that combines individual site link objects to create faster routes when there are three or more site links

Site Link Architecture

Figure 4-12 Site link bridge (diagram: Site A, Site B, and Site C connected by Link 1 and Link 2, with a bridge link through a router combining the two site links)

Site Creation Dos and Don'ts

Do's:

Create sites to reflect interconnected high-speed IP subnets

Create sites on medium and large sized networks to enable fast connectivity for users and for DCs

Don'ts:

Create sites for small networks that have no IP subnets

Create sites for IP links that have less than 128 Kbps of available bandwidth

Site Creation Dos and Don'ts (continued)

Do's:

Create additional sites on medium and large sized networks when user connectivity and DC replication are experiencing slow response

Create sites to enable ring-based DC fault tolerance

Create one or more sites for a domain that encompasses two or more far-reaching geographic locations

Don'ts:

Create extra sites to improve network performance without first determining what network congestion factors are causing poor performance

Design Tip

Define sites in the Active Directory on networks that have multiple global catalog servers that reside in different subnets

Use sites to enhance network performance by optimizing authentication and replication

Active Directory Guidelines

Keep the Active Directory implementation as simple as possible

Implement the least number of domains possible

Implement only one domain on most small networks

Use OUs to reflect the organizational structure (instead of using domains for this purpose)

Active Directory Guidelines (continued)

Create only the number of OUs that are necessary

Do not create OUs more than 10 levels deep

Use domains for natural security boundaries

Implement trees and forests only as necessary

Active Directory Guidelines (continued)

Use trees for domains that have a contiguous namespace

Use forests for multiple trees that have disjointed namespaces between them

Use sites in situations where there are multiple IP subnets and geographic locations to improve performance

Basic Types of Active Directory Security

Account or interactive logon security

Object security

Services security

Interactive Logon Security

DC checks that the user account is in the Active Directory

DC verifies the exact user account name and password

Object Security

Security descriptor: An individual security property associated with a Windows 2000 Server object, such as enabling the account MGardner (the security descriptor) to access the folder, Databases

Access control list (ACL): A list of all security descriptors that have been set up for a particular object, such as for a shared folder or a shared printer

Typical ACL Types of Information

User account(s) that can access an object

Permissions that determine the type of access

Ownership of the object

Typical Object Permissions

Deny: No access to the object

Read: Access to view or read the object's contents

Write: Permission to change the object's contents or properties

Delete: Permission to remove an object

Create: Permission to add an object

Full Control: Permission for nearly any activity

Example Special Permissions

Figure 4-13 Special permissions for a folder

Troubleshooting Tip

Deny permission supersedes other permissions, so if there is a permissions conflict for one of your users, check the deny permissions associated with that user's account

Services Security

Windows 2000 enables you to set up security on individual services, such as DHCP

Setting Services Security

Figure 4-14 DHCP security


Using Groups

Set up security groups of user accounts as a way to more easily manage security


Setting Up Members of a Group

Figure 4-15 DHCP Administrators group


Group Policies

Use group policies to manage security for local servers, OUs, and domains

Employ security templates when you need to manage several different group policies


Example Areas Covered by Group Policies

Account policies
Local server and domain policies
Event log tracking policies
Group restrictions
Service access security
Registry security
File system security


Setting Up Security Templates

Figure 4-16 Security Templates snap-in


IP Security

IP security (IPSec): A set of IP-based secure communications and encryption standards created through the Internet Engineering Task Force (IETF)


IP Security Policies

IP security (IPSec) can function in three roles relative to a client:
Client (Respond Only), in which the server uses IPSec only if the client is using it first
Server (Request Security), in which the server uses IPSec by default, but will discontinue using IPSec if it is not supported by the client
Secure Server (Require Security), in which the server only communicates via IPSec


Configuring IPSec

Figure 4-17 IP Security Policy Wizard


Troubleshooting Tip

On a network that uses IPSec, if you are having trouble gathering network performance information from some older devices that do not support IPSec, omit the SNMP communications protocol from IPSec
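The three policy roles listed earlier and the SNMP tip above are easiest to reason about as a negotiation table: what happens between two hosts depends on which side initiates, whether the other side can answer, and whether a filter exempts the traffic. The Python model below is an added example, not code from the chapter or from Windows itself. The outcome labels (`ipsec`, `clear`, `blocked`), the `Traffic` record and the `SNMP_EXEMPT` filter list are constructed assumptions; the three policy names are the chapter's.

```python
"""Model of how the three built-in Windows 2000 IPSec policies behave
between two hosts, plus a filter exemption like the SNMP tip.

Constructed example for the chapter's IPSec slides; the outcome labels,
the Traffic record and the exemption list are assumptions.
"""
from dataclasses import dataclass

# The three policy names from the chapter; None means "no IPSec at all".
RESPOND = "Client (Respond Only)"
REQUEST = "Server (Request Security)"
REQUIRE = "Secure Server (Require Security)"
POLICIES = (RESPOND, REQUEST, REQUIRE)

# Outcomes (constructed labels).
IPSEC = "ipsec"      # traffic is protected by IPSec
CLEAR = "clear"      # traffic flows unprotected
BLOCKED = "blocked"  # no communication at all


@dataclass(frozen=True)
class Traffic:
    """Minimal description of a flow for filter matching (constructed)."""
    protocol: str   # "udp" or "tcp"
    port: int


# Filter exemption modelling the troubleshooting tip: SNMP on UDP 161/162
# is permitted in the clear so older devices can still be polled.
SNMP_EXEMPT = frozenset({Traffic("udp", 161), Traffic("udp", 162)})


def _check(policy):
    if policy is not None and policy not in POLICIES:
        raise ValueError(f"unknown IPSec policy: {policy!r}")


def initiates(policy):
    """Request and Require start a negotiation; Respond Only never does."""
    return policy in (REQUEST, REQUIRE)


def outcome(local, peer, traffic=None, exemptions=frozenset()):
    """Result for traffic between a host using `local` and a peer using
    `peer` (None = that side does not support IPSec)."""
    _check(local)
    _check(peer)
    # An exempted flow is permitted in the clear regardless of policy.
    if traffic is not None and traffic in exemptions:
        return CLEAR
    # Negotiation succeeds only if one side initiates and the other side
    # is able to respond; a host with no IPSec can do neither.
    if (initiates(local) and peer is not None) or \
       (initiates(peer) and local is not None):
        return IPSEC
    # No negotiation happened; Require on either side refuses cleartext.
    if REQUIRE in (local, peer):
        return BLOCKED
    return CLEAR


def matrix(traffic=None, exemptions=frozenset()):
    """Outcome for every combination of local and peer policy."""
    sides = (None,) + POLICIES
    return {(a, b): outcome(a, b, traffic, exemptions)
            for a in sides for b in sides}


if __name__ == "__main__":
    label = lambda p: "no IPSec" if p is None else p
    for (a, b), result in matrix().items():
        print(f"{label(a):34} <-> {label(b):34} : {result}")
    print()
    print("Require Security to an old device, SNMP exempted:",
          outcome(REQUIRE, None, Traffic("udp", 161), SNMP_EXEMPT))
```

Two rows of the printed matrix are the ones that bite in practice: two Respond Only hosts never protect anything, because neither side initiates, and a Require Security server cannot talk to a device with no IPSec at all unless a filter such as `SNMP_EXEMPT` carves that traffic out of the policy.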


Chapter Summary

Active Directory and security implementation are interrelated

The Active Directory is a set of services for managing Windows 2000 servers

Use Active Directory elements such as OUs, domains, trees, and forests to help manage server objects and resources


Use sites to configure network communications for better performance by taking advantage of existing subnets

Groups and group policies enable you to manage security