Microsoft server 2003 management and maintenance book

The flexible, best-of-class test engine on CD features practice questions and pre-assessment and post-assessment capabilities. Choose timed or untimed testing mode, generate random tests, or focus on discrete objectives or chapters, and get detailed explanations for right and wrong answers, including pointers back to the book for further study, making this kit an exceptional value and a great career investment. You can work through hundreds of questions using multiple testing modes to meet your specific learning needs. You get detailed explanations for right and wrong answers, including a customized learning path that describes how and where to focus your studies. For customers who purchase an ebook version of this title, instructions for downloading the CD files can be found in the ebook. Microsoft Press.

The Kerberos protocol is explained in detail in Chapter 8. Although a forest can comprise multiple domain trees, it represents one enterprise.

The creation of the forest enables all member domains to share information through the Global Catalog. You might be wondering how domain trees within a forest establish relationships that enable the entire enterprise represented by the forest to function as a unit. Good question; the answer is best provided by an explanation of trust relationships. Perhaps the most important difference between Windows NT 4 domains and Windows 2000 or Windows Server 2003 domains is the application and configuration of trust relationships between domains in the same organization.

Rather than establishing a mesh of one-way trusts as in Windows NT 4, Windows 2000 and Windows Server 2003 implement transitive trusts that flow up and down the domain tree structure. This model simplifies Windows network administration, as I will demonstrate with a numerical example.

The following two equations (bear with me; the equations are more for illustration than for pain-inducing memorization) exemplify the management overhead introduced by each approach. They represent the number of trust relationships required under each domain trust model, where n represents the number of domains:
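The two equations the book introduces at this point did not survive on this page. As a worked illustration added here (restated from the standard counts, not copied from the book), with n the number of domains that must all trust one another:

$$T_{\text{mesh}}(n) = n(n-1), \qquad T_{\text{tree}}(n) = n-1$$

In the Windows NT 4 mesh every ordered pair of domains needs its own one-way trust, so each of the n domains must trust the other n-1. In a domain tree every domain except the root is created with a single two-way transitive trust to its parent, and transitivity supplies the rest. For n = 10 that is 90 trusts to create and keep track of against 9; adding an eleventh domain costs 20 new trusts in the mesh ($11 \cdot 10 - 10 \cdot 9$) and exactly 1 in the tree.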

[Figure: The combining of domain trees for Iseminger]

With Windows 2000 and Windows Server 2003 domains, the trusts are created and implemented by default. If the administrator does nothing but install the domain controllers, trusts are already in place. This automatic creation of trust relationships is tied to the fact that Windows 2000 and Windows Server 2003 domains, unlike Windows NT 4 domains, are created hierarchically; that is, there is a root domain and child domains within a given domain tree, and nothing else.

That hierarchy enables Windows 2000 and Windows Server 2003 to know automatically which domains are included in a given domain tree and, when trust relationships are established between root domains, which domain trees are included in the forest. In contrast, administrators had to create and subsequently manage trust relationships between Windows NT domains, and they had to remember which way each trust relationship flowed and how that affected user rights in either domain.

The difference is significant, the management overhead is sliced to a fraction, and the implementation of such trusts is more intuitive--all due to the new trust model and the hierarchical approach to domains and domain trees.

In Windows 2000 and Windows Server 2003, there are three types of trust relationships, each of which fills a certain need within the domain structure. The trust relationships available to Windows 2000 and Windows Server 2003 domains are the following. Transitive trusts establish a trust relationship between two domains that is able to flow through to other domains, such that if domain A trusts domain B, and domain B trusts domain C, domain A inherently trusts domain C and vice versa, as the figure illustrates.

[Figure: Transitive trust among three domains]

Transitive trusts greatly reduce the administrative overhead associated with the maintenance of trust relationships between domains because there is no longer a mesh of one-way nontransitive trusts to manage. In Windows 2000 and Windows Server 2003, transitive trust relationships between parent and child domains are automatically established whenever new domains are created in the domain tree.

Transitive trusts are limited to Windows 2000 or Windows Server 2003 domains and to domains within the same domain tree or forest; you cannot create a transitive trust relationship with down-level Windows NT 4 and earlier domains, and you cannot create a tree-forming transitive trust between two Windows 2000 or two Windows Server 2003 domains that reside in different forests. (Windows Server 2003 does add a separate forest trust, available when both forests run at the Windows Server 2003 forest functional level; it is transitive between the domains of the two forests but does not chain on to a third forest. The rule stated here concerns the parent-child and tree-root trusts that build a forest.)

One-way trusts are not transitive, so they define a trust relationship between only the two involved domains, and they are not bidirectional. You can, however, create two separate one-way trust relationships (one in each direction) to form a two-way trust relationship, just as you would in a purely Windows NT 4 environment.

Note, however, that even such reciprocating one-way trusts do not equate to a transitive trust; the trust relationship in one-way trusts is valid between only the two domains involved. One-way trusts in Windows 2000 and Windows Server 2003 are the same as one-way trusts in Windows NT and are used in a handful of situations. A couple of the most common situations are described below. First, one-way trusts are often used when new trust relationships must be established with down-level domains, such as Windows NT 4 domains.

Since down-level domains cannot participate in Windows 2000 and Windows Server 2003 transitive trust environments (trees or forests), one-way trusts must be established to enable trust relationships between a Windows 2000 or Windows Server 2003 domain and a down-level Windows NT domain.

Throughout the course of a migration from Windows NT 4 to Windows 2000 or Windows Server 2003, the trust relationships that you have established are honored as the migration process moves toward completion, until all domains are Windows 2000 or Windows Server 2003 and the transitive trust environment is established.

There's a whole lot more detail devoted to the migration process in Chapter 11, "Migrating to Active Directory Services." Second, you can use one-way trust relationships between domains in different Windows 2000 or Windows Server 2003 forests to isolate the trust relationship to the single domain with which it is created and maintained, rather than creating a trust relationship that affects the entire forest.

Let me clarify with an example. Imagine your organization has a manufacturing division and a sales division. The manufacturing division wants to share some of its process information, stored on servers that reside in its Windows 2000 or Windows Server 2003 domain, with a standards body. The sales division, however, wants to keep the sensitive sales and marketing information that it stores on servers in its domain private from the standards body. Perhaps its sales are so good that the standards body wants to thwart them by crying, "Monopoly!"

To provide the necessary access to the standards body, you establish a one-way trust in which the manufacturing domain trusts the standards body's domain (so the standards body's accounts can be granted access to manufacturing resources). Since one-way trusts aren't transitive, the trust relationship exists only between the two participating domains; the sales domain, which trusts the manufacturing domain only through the forest's transitive trusts, extends no trust to the standards body.

Also, since the trusting domain is the manufacturing domain, none of the resources in the standards body's domain would be available to users in the manufacturing domain. Of course, in either of the one-way trust scenarios outlined here, you could create a two-way trust out of two separate one-way trust relationships. Cross-link trusts (the Windows Server 2003 administrative tools call them shortcut trusts) are used to increase performance. With cross-link trusts, a virtual trust-verification bridge is created within the tree or forest hierarchy, enabling faster trust relationship confirmations or denials.

That's good for a short version of the explanation, but to really understand how and why cross-link trusts are used, you first need to understand how interdomain authentications are handled in Windows 2000 and Windows Server 2003. When a Windows 2000 or Windows Server 2003 domain needs to authenticate a user or otherwise verify an authentication request for a resource that does not reside in its own domain, it does so in a fashion similar to a DNS query being referred through the namespace.

Windows 2000 and Windows Server 2003 first determine whether the resource is located in the domain in which the request is being made. If the resource is not located in the local domain, the domain controller (specifically, the Key Distribution Center [KDC] on the domain controller) passes the client a referral to a domain controller in the next domain in the hierarchy, up or down as appropriate. The next domain controller repeats this "local resource" check, and the process continues until the domain in which the resource resides is reached.

This referral process is explained in detail in Chapter 8. While this "walking of the domain tree" functions just fine, that virtual walking up through the domain hierarchy takes time, and taking time impacts query response performance. To put this into terms that are perhaps more readily understandable, consider the following crisis: You're at an airport whose two terminal wings form a V.
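The three behaviours described above (parent-child transitive trusts that chain through the tree, one-way external trusts that are honoured only between their two endpoints, and cross-link trusts that shorten the referral walk) can be checked against a small model of a forest. The following Python is an added example, not code from the book, from Windows, or from any Microsoft tool; the domain names are constructed and hypothetical, and the chaining rule is my reading of the text: a single trust of any kind covers its own two endpoints, but a multi-hop chain is valid only when every link in it is transitive.

```python
from collections import deque

# Constructed sample forest with hypothetical names (not from the book).
# Each trust is (trusting, trusted, transitive): "trusting trusts trusted",
# so accounts from `trusted` can be granted access to resources in `trusting`.
def two_way(a, b, transitive=True):
    """A two-way trust is simply a pair of one-way trusts."""
    return [(a, b, transitive), (b, a, transitive)]

FOREST = (
    # parent-child trusts, created automatically when each child domain is built
    two_way("corp.example", "mfg.corp.example")
    + two_way("corp.example", "sales.corp.example")
    + two_way("mfg.corp.example", "plant1.mfg.corp.example")
    + two_way("sales.corp.example", "emea.sales.corp.example")
    # explicit one-way, non-transitive trust: manufacturing trusts the standards body
    + [("mfg.corp.example", "standards.example", False)]
)

# a cross-link (shortcut) trust between two non-adjacent in-forest domains
SHORTCUT = two_way("mfg.corp.example", "sales.corp.example")


def trust_path(trusts, resource_domain, account_domain):
    """Domains an authentication referral walks from account_domain to
    resource_domain, or None when resource_domain does not trust account_domain.

    A single trust, transitive or not, always covers its own two endpoints.
    A chain of two or more trusts is honoured only if every link is transitive:
    a non-transitive trust is never flowed through by a third domain.
    """
    if resource_domain == account_domain:
        return [account_domain]
    for trusting, trusted, _transitive in trusts:
        if trusting == resource_domain and trusted == account_domain:
            return [account_domain, resource_domain]
    transitive_edges = {}
    for trusting, trusted, transitive in trusts:
        if transitive:
            transitive_edges.setdefault(trusting, []).append(trusted)
    # breadth-first search from the resource domain along "trusts" edges gives
    # the shortest chain, which is the referral chain the KDCs would walk
    prev = {resource_domain: None}
    queue = deque([resource_domain])
    while queue:
        domain = queue.popleft()
        for nxt in transitive_edges.get(domain, []):
            if nxt in prev:
                continue
            prev[nxt] = domain
            if nxt == account_domain:
                path = []
                while nxt is not None:
                    path.append(nxt)
                    nxt = prev[nxt]
                return path  # account_domain ... resource_domain
            queue.append(nxt)
    return None


def referral_hops(trusts, resource_domain, account_domain):
    """Number of domain-to-domain referrals, or None if access is impossible."""
    path = trust_path(trusts, resource_domain, account_domain)
    return None if path is None else len(path) - 1


if __name__ == "__main__":
    cases = [
        ("mfg.corp.example", "standards.example"),    # direct one-way trust: allowed
        ("sales.corp.example", "standards.example"),  # not transitive: denied
        ("standards.example", "mfg.corp.example"),    # wrong direction: denied
        ("emea.sales.corp.example", "plant1.mfg.corp.example"),  # walks the tree
    ]
    for resource, account in cases:
        print(f"{account} -> {resource}: {trust_path(FOREST, resource, account)}")
    print("with shortcut trust:",
          trust_path(FOREST + SHORTCUT, "emea.sales.corp.example", "plant1.mfg.corp.example"))
```

Running it shows the standards body's accounts reaching only the manufacturing domain, the manufacturing accounts getting nothing back across the one-way trust, and a plant1-to-emea request walking four referrals (plant1, mfg, corp, sales, emea) until the shortcut between mfg and sales cuts the walk to three.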
