
Upload: elvin-shaw

Post on 24-Dec-2015


Welcome to this evening’s TechNet Event

We would like to bring your attention to the key elements of the TechNet programme; the central information and community resource for IT professionals in the UK:

• FREE bi-weekly technical newsletter
• FREE regular technical events hosted across the UK
• FREE weekly UK & US led technical webcasts
• FREE comprehensive technical web site
• Monthly CD / DVD subscription with the latest technical tools & resources
• FREE quarterly technical magazine

To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the break

New Features of Windows Server 2003 Active Directory - Scenario Based

John Howard, IT Pro Evangelist, Microsoft UK

What we will cover:

• Active Directory Administration

• Forest Trusts

• Active Directory in Small and Remote Offices

• Group Policy Management Console

• Software Restriction Policies

Prerequisite Knowledge

• Familiarity with NT 4.0
• Familiarity with NT 4.0 Domains
• Familiarity with Windows 2000
• Familiarity with Active Directory
• Experience supporting Microsoft Networks
• Experience supporting end-users

Level 200

Agenda

• Simplifying Management

• Connecting Forests

• Connecting Small Offices

• Managing Group Policies

Simplifying Management: Goals

• Make every-day tasks easier
• Make the UI friendlier
• Easier to locate objects
  – Users and groups you manage
• Make automation easier
  – Provide tools that make scripting easier
  – Automate repetitive tasks

Simplified Management: Drag and Drop

• Drag and drop is now supported
  – Active Directory Users and Computers
  – Active Directory Sites and Services
• Friendlier UI
  – Works like other administrative tools
• Drag and drop users into:
  – New containers or OUs
  – Groups

Simplified Management: Drag and Drop Scenarios

• Scenarios:
  – Updating accounts
    • Adding users or groups to groups
    • Moving a server to a new site
• Benefits:
  – Don’t need to open user properties
  – Fewer clicks accomplish the same task
  – Operates like other standard tools

Simplified Management: Saved Queries

• A query saved in the Active Directory Users and Computers
  – Accessed like a folder
• Only displays a specific set of objects based on the query
• Example – define queries to display accounts based on:
  – User\Group name or description
  – Account and password status
  – Days since last logon

Simplified Management: Creating Saved Queries

• Create in Active Directory Users and Computers
• New Query:
  – Define Query Root – Start of search
  – Search users, printers, shares, etc.
  – Define variables
• Queries can be exported
  – Import into other AD Users and Computers consoles

Simplified Management: Saved Queries Graphic

Simplified Management: Saved Queries Scenarios

• Scenarios:
  – Display users and groups you manage
  – Display user accounts:
    • That are disabled
    • That haven’t been logged onto in 120 days
    • That have non expiring passwords
• Benefits:
  – Perform tasks from the Saved Queries folder
  – You don’t have to navigate through the domain, OU, and container hierarchy to locate objects

Simplified Management: Command Line Tools

• Automate common or repetitive administrative tasks
  – Add/remove accounts
  – Query for account properties
  – Move and modify
• Run from the command line or through scripts

Simplified Management: Active Directory Tools

• DSAdd
  – Adds AD object such as user, group, OU, etc.
• DSGet
  – Displays attributes of an AD object
• DSMod
  – Modifies an existing AD object
• DSMove
  – Moves or renames an AD object
• DSQuery
  – Queries and lists AD objects
• DSRM
  – Deletes AD objects

Simplified Management: Command Line Tools Scenarios

• Scenarios:
  – Create scripts that helpdesk can use
    • Perform complex tasks without error
  – Make bulk changes rapidly
    • Add users to groups etc.
    • Move entire department to new OU
  – Run reports
    • Query for expired accounts
    • Document user group memberships
• Benefits:
  – No need to manually perform repetitive tasks
  – Perform complex tasks without error

Demonstration: Simpler Active Directory Administration

• Drag and Drop Management
• Saved Queries
• Command Line Tools

Agenda

• Simplifying Management

• Connecting Forests

• Connecting Small Offices

• Managing Group Policies

Connecting Forests: Goals

• Need a way to allow forest-to-forest connectivity
• Many companies have separate forests
  – Independent business units
  – Acquisitions or mergers
  – Business partners
• Forest trusts allow these forests to share resources

Connecting Forests: Forest Trusts

• New trust type
• Allows all domains in one forest to trust all domains in another forest
  – Trust between domains in both forests is transitive
  – Can be one-way or two-way trusts
• Trusts between forests are NOT transitive
  – Forest A trusts forest B
  – Forest A trusts forest C
  – Forest C does not trust forest B transitively
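
The trust rules on this slide, modelled as an added example (not part of the original presentation): domains inside one forest trust each other, a forest trust is directional, and it never chains through a third forest. Domain names are constructed; the A-to-B and A-to-C trusts are the slide's, and the B-to-A trust is an assumption added to create a chain.

```python
# Added illustration of forest trust evaluation; all names are constructed.
FORESTS = {
    "ForestA": {"a.example", "eu.a.example"},
    "ForestB": {"b.example"},
    "ForestC": {"c.example", "lab.c.example"},
}

# (trusting forest, trusted forest): accounts from the trusted forest can be
# authenticated for resources in the trusting forest. A trust is one-way
# unless the reverse pair is also present.
FOREST_TRUSTS = {
    ("ForestA", "ForestB"),  # from the slide
    ("ForestA", "ForestC"),  # from the slide
    ("ForestB", "ForestA"),  # assumption: makes A<->B two-way, chain B->A->C
}

def forest_of(domain):
    for forest, domains in FORESTS.items():
        if domain.lower() in domains:
            return forest
    raise KeyError(f"unknown domain: {domain}")

def can_authenticate(account_domain, resource_domain, trusts=FOREST_TRUSTS):
    """True if an account in account_domain may reach a resource domain."""
    src, dst = forest_of(account_domain), forest_of(resource_domain)
    if src == dst:
        return True              # all domains of one forest trust each other
    return (dst, src) in trusts  # direct forest trust only, never chained

def chained_only_pairs(trusts=FOREST_TRUSTS):
    """(account forest, resource forest) pairs reachable only by chaining.

    A reviewer who assumes transitivity would expect access for these pairs;
    the forest trust rule denies it.
    """
    found = []
    for resource in FORESTS:
        seen, stack = set(), [resource]
        while stack:  # walk trusting -> trusted edges
            current = stack.pop()
            for trusting, trusted in trusts:
                if trusting == current and trusted not in seen:
                    seen.add(trusted)
                    stack.append(trusted)
        found += [(acct, resource) for acct in seen
                  if acct != resource and (resource, acct) not in trusts]
    return sorted(found)
```

`chained_only_pairs()` is useful when reviewing a trust design: every pair it returns is access that exists only on paper if someone assumed forest trusts chain.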

Connecting Forests: Forest Trusts Graphic

[Figure: Intranet with Division A, Division B and Division C forests, users, and trust links]

Connecting Forests: Namespaces and Forest Trusts

• Forests publish namespaces
• Namespaces are UPN suffixes
  – WorldWideImporters.com
  – Streetmarket.net
• Namespaces used to determine where trusted accounts come from
  – Logon with a UPN logon when accessing resources in a trusted forest
  – Example: [email protected]
• Forests are trusted to be authoritative for published namespaces

Connecting Forests: Creating Forest Trusts

• Create in Active Directory Domains and Trusts:
  – Use the New Trust Wizard
  – Confirm incoming and outgoing trust
  – Can confirm both sides of the trust
• Prerequisites
  – Both forests must be at Windows Server 2003 forest functional level

Connecting Forests: Forest Trust Scenarios

• Scenarios:
  – Large, decentralized organization
    • Government, military, conglomerates
  – Organizations that are partnering
  – Organizations that must remain legally separate
  – Mergers and acquisitions
• Benefits:
  – Simplifies access to resources in both forests
  – Single sign-on

Demonstration: Forest Trusts

• Create a Forest Trust
• Access Forest Resources

Agenda

• Simplifying Management

• Connecting Forests

• Connecting Small Offices

• Managing Group Policies

Connecting Small Offices: Goals

• Address issues common to small offices
  – Low speed WAN links
  – Low amount of available bandwidth
  – No local Global Catalog server
• Make it easier to configure domain controllers
• Make it easier for users to logon

Connecting Small Offices: Create Domain Controller from Replica

Option for creating additional DCs in sites connected via slow links

• Back up system state on DC and copy to CD
• Restore data on system that will become new DC
  – Run “DCPromo /adv”
• Decreases initial replication of domain data

[Figure: Large Site and Branch Office, 128K link]

Connecting Small Offices: DC from Media Scenarios

• Scenarios:
  – DC needed at remote office
  – Useful for low bandwidth sites
• Benefits:
  – Allows Active Directory data to be restored rather than replicated across network

Connecting Small Offices: Universal Group Membership Caching

[Figure: Large Office with GC servers and Branch Office with a DC, connected by a 128K link; the DC queries a GC for Universal Group 1 and Universal Group 2 memberships]

Logon is faster because group memberships are cached locally!

Connecting Small Offices: UGMC Scenarios

• Scenarios:
  – Small or branch offices connected to a Global Catalog server with a low speed WAN link
  – Offices experience slow logons due to Universal Group Membership processing
• Benefits:
  – Faster logon without a Global Catalog server in the site

Demonstration: Enabling Active Directory in Small and Remote Offices

• Create a Domain Controller from Backup Media
• Enable UGMC

Agenda

• Simplifying Management

• Connecting Forests

• Connecting Small Offices

• Managing Group Policies

Managing Group Policies: Goals

• Problem: Group Policy is too hard
• Existing UI confusing and limited
• Core capabilities missing
  – Reporting of GPO settings
  – Backup/restore of GPOs
  – Import/export of GPOs
• Existing capabilities not scriptable

Managing Group Policies: Group Policy Management Console (GPMC)

• What is the GPMC?
  – New admin tool for managing Group Policy:
    • Set of scriptable objects for managing GP
    • MMC Snap-in, built on these objects
• Standalone Web release shortly after Windows Server 2003 RTM
• GPMC Design goals
  – Unify management of Group Policy
  – Address key deployment issues
  – Provide better UI for visualization
  – Enable programmatic access to GP

Managing Group Policies: Copy and Import

[Figure: an administrator copies a policy and imports a policy between the Division A Forest and the Division B Forest, which are connected by a forest trust]

Managing Group Policies: Backup and Restore

• Backup / Export:
  – Transfers any live GPO to the file system
  – Backs up policy settings, ACLs, links to WMI filters
• Restore:
  – Puts things back exactly as before
  – GPO must be in the same domain
• Scenario:
  – Restore a policy to return to original settings

Managing Group Policies: Group Policy Modeling

• Group Policy Modeling Wizard
  – Replaces Resultant Set of Policies (RSoP) – Planning Mode
• Select user and computer OUs
  – Or select specific accounts
• Displays winning policy settings
  – See effects of GPOs prior to deployment
  – Avoid conflicts and unexpected results
• View results in Web based report

Managing Group Policies: Group Policy Modeling Output

Managing Group Policies: GPMC Scenarios

• Centralized management of policies
  – Even across domain and forest boundaries

• Group Policy deployment planning

• Sharing and reusing GPOs across domain/forest boundaries

• Centralized GPO backup and restore

• All Group Policy Management tasks

Managing Group Policies: GPMC Benefits

• A single tool for managing GPOs
  – Multiple domains and forests can be managed
  – Single tool for all policy management
• Plan with Group Policy Modeling
  – View effects of policies prior to deployment
  – Avoid policy conflicts or unexpected behavior
• Troubleshoot with Group Policy Results
  – Identify existing policy conflicts
• Share and reuse GPOs
  – Import and Copy GPOs across domains and forests

Managing Group Policies: Software Restriction Policy Goals

• New feature of Group Policies
• Allow or restrict access to software
  – Set default to allow or disallow software
  – Create rules to bypass the default
  – Specify affected file extensions
• Prevent:
  – Viruses
  – Unapproved or non-standard applications
  – Any applications you wish to restrict

Managing Group Policies: Software Restriction Policy Rules

• Certificate Rules
  – Verify digital certificate
• Hash Rules
  – Identifies software with unique hash
• Internet Zone Rules
  – Applies to Windows Installer packages
• Path Rules
  – Define specific path for software

Managing Group Policies: Software Restriction Policies Scenarios

• Scenarios:
  – Prevent problematic file types (.vbs, etc)
  – Restrict access to non-standard software
• Benefits:
  – Helps prevent viruses and unstable or conflicting software installations
  – Flexible rules structure
  – Consistent, automated deployment through Group Policies
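
How the default level, the affected file extensions and the rules combine, as an added example (not from the original presentation) that models only hash and path rules: a hash rule takes precedence over a path rule, and the most specific matching path rule wins. The policy, paths, file contents and the use of SHA-256 are constructed for this sketch.

```python
import hashlib
from pathlib import PureWindowsPath

# Constructed policy: default Disallowed, so only what a rule allows may run.
DEFAULT_LEVEL = "Disallowed"
DESIGNATED_TYPES = {".exe", ".vbs", ".bat", ".msi"}  # constructed subset
UNAPPROVED_TOOL = b"constructed bytes standing in for an unapproved program"

def digest(content: bytes) -> str:
    # SHA-256 is this model's choice of hash algorithm (an assumption).
    return hashlib.sha256(content).hexdigest()

HASH_RULES = {digest(UNAPPROVED_TOOL): "Disallowed"}
PATH_RULES = {
    r"C:\Program Files": "Unrestricted",
    r"C:\Program Files\Legacy": "Disallowed",
}

def evaluate(path: str, content: bytes):
    """Return (security level, deciding rule) for one launch attempt."""
    target = PureWindowsPath(path)
    if target.suffix.lower() not in DESIGNATED_TYPES:
        return "Unrestricted", "not a designated file type"
    # Hash rules are checked first: they follow the file wherever it is
    # copied and whatever it is renamed to.
    level = HASH_RULES.get(digest(content))
    if level:
        return level, "hash rule"
    # Among path rules the most specific (deepest) matching folder wins.
    # PureWindowsPath compares case-insensitively, as Windows paths do.
    matches = [(len(PureWindowsPath(folder).parts), folder, lvl)
               for folder, lvl in PATH_RULES.items()
               if PureWindowsPath(folder) in target.parents]
    if matches:
        _, folder, level = max(matches)
        return level, f"path rule {folder}"
    return DEFAULT_LEVEL, "default level"
```

The case worth checking in any real policy is the second one in the sketch's logic: a file matching a Disallowed hash rule stays blocked even inside a folder that a path rule marks Unrestricted.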

Demonstration: Group Policy Management

• GPMC
• Modeling Wizard
• Software Restriction Policies

Session Summary

• Simpler Active Directory administration
• Access forest resources with Forest Trusts
• Easier Active Directory installation in small or remote offices
• Streamline GPO deployment and administration with the GPMC

For More Information…

• Visit TechNet at www.microsoft.com/technet
• For additional information on books, courses and other community resources that support this session visit www.microsoft.com/technet/tnt1-124

What is TechNet?

• Put the right answers at your fingertips
  – The comprehensive collection of resources to help IT pros plan, deploy and manage Microsoft products successfully

TechNet Subscription
• Monthly updates delivered on DVD or CD
• The definitive resource to help you evaluate, deploy and maintain Microsoft products

TechNet Web Site
• Accessible at www.microsoft.com/technet
• Online resources and community
• Subscriber-only Online Services

TechNet Flash
• Biweekly e-newsletter
• Security updates, new resources, and special offers

TechNet Events and Webcasts
• Briefings on the latest Microsoft products and technologies
• Hands-on, “how to” information

TechNet Communities
• User Groups
• Managed Newsgroups