
Active Directory-Windows Server 2003

Block Policy Inheritance And No-Override in Windows Server 2003


Created on Saturday, 23 January 2010 11:45. Written by Sachin Mehandiratta.

Group policies are designed to help administrators customize user settings and place restrictions on the types of actions that users can perform. Group Policy can be applied at four levels in Windows 2000 Server/Windows Server 2003:

- Site
- Domain
- Organizational Units (OUs)
- Local

A GPO linked to a site is at the highest level and is applied to all domains and servers within that site. A GPO at domain level is applied to all user and computer objects within the domain. GPOs at OU level take advantage of the hierarchical structure of Active Directory.

What happens if group policies are applied at two different levels and the policies conflict? For example, a group policy at site level might specify that users must change their password every 30 days, while one at OU level specifies a change every 50 days. In this scenario, policies defined at the most specific level (in this case, the OU) override those at more general levels.

A well-planned and well-designed group policy gives greater productivity and saves a lot of time that would otherwise not be possible. Users can be restricted from using any critical application, and their profiles can be configured so that they cannot access anything beyond their area.

Most companies have many departments, and Group Policy is at its best in such an environment. OUs give us so much control that we can apply a GPO to each department simply by creating a new OU for each department. A GPO configured at domain level is applied to every object in that domain: users, computers, groups, OUs and so on. A GPO applied at site level makes troubleshooting difficult.

Block Policy Inheritance

By default, a GPO applied to a parent object is inherited by its child objects. For example, if we apply a GPO at domain level, it is inherited by all OUs within the domain. A GPO applied to a parent OU is inherited by the child OUs within that OU. Block Policy Inheritance blocks all policies from being inherited by the child from the parent. Once the child selects this checkbox, none of the policies applied to the parent are inherited by the child.

If we select the "Block Policy Inheritance" checkbox on the Marketing OU, then policies applied to the Sales OU are not inherited by the Marketing and Advertising OUs.

No-Override

If every child selects this checkbox, it blocks all the GPOs applied from parent to child, and each child starts using this feature. As we know, a parent object has full control over all its child objects. So the parent can use the No Override feature: even if a child has blocked inheritance, the GPO is still applied to the child objects.

In this scenario, if the Marketing OU has blocked inheritance, but the Sales OU has marked the "Allow override" checkbox, then the GPO is forcibly applied to all child OUs.

Global Catalog in Windows Server 2003


Created on Saturday, 23 January 2010 11:42. Written by Sachin Mehandiratta.

The Global Catalog is used to search for objects within domains or forests, and this search is transparent to users. For example, when a user searches for all of the printers available in a forest, the search is processed by the Global Catalog, which then returns the results. Without a Global Catalog, queries would require a search of every domain in the forest, which consumes a lot of time. It is recommended to have at least one Global Catalog in each domain.

The Global Catalog contains attributes for every object in Active Directory. Only members of the Schema Admins group can change the attributes stored in the Global Catalog. The Global Catalog contains a full, writable replica of its local domain and a partial, read-only replica of every other domain. If a Global Catalog is not available when a user logs on to a domain running at the Windows 2000 native mode or Windows Server 2003 domain functional level, and that domain does not host the user's account, the domain controller that processes the user's logon request denies the request and the user cannot log on. Many applications require access to the Global Catalog.

Always take the following guidelines into consideration when placing Global Catalog servers in sites:

- Provide enough WAN bandwidth.
- Provide redundant Global Catalog servers.
- Global Catalog servers must have enough disk space.
- Ensure that Global Catalog servers respond to authentication requests immediately.
- Make all domain controllers Global Catalog servers if the forest consists of only one domain.



Active Directory Structure in Windows Server 2003
Created on Saturday, 23 January 2010 11:40. Written by Sachin Mehandiratta.

One must understand the Active Directory structure before implementing it in any environment. It provides flexibility and scalability for designing around the current and future needs of an organization.

Active Directory Logical Structure

- Domains
- Trees
- Forests
- Organizational Units
- Objects (users, groups, printers and so on)

Active Directory Physical Structure

The physical structure contains all logon and replication traffic information between domain controllers.

- Sites
- Domain Controllers
- Active Directory Partitions



Active Directory Trusts in Windows Server 2003
Created on Saturday, 23 January 2010 11:39. Written by Sachin Mehandiratta.

Tree-Root Trust: This trust is created automatically when we add a new tree to an existing forest. It is transitive in nature.

Parent-Child Trust: This trust is created automatically when we add a new child domain to an existing domain. It is also transitive in nature.

External Trust: An administrator creates this trust manually between domains in different forests, or between a Windows Server 2003 domain and a Windows NT 4.0 domain. It is non-transitive in nature and can be one-way or two-way.

Shortcut Trust: This trust is created manually by an administrator between two domains that are far apart from each other in the forest. Shortcut trusts are transitive and can be one-way or two-way.

Forest Trust: This trust is created manually by an administrator between two forests that are both at the Windows Server 2003 functional level. A trust can be transitive between two forests, but a chain of multiple forest trusts is not transitive.

Realm Trust: This trust is created manually by the administrator between a Windows Server 2003 domain and a non-Windows Kerberos 5 realm.
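The transitivity rules listed above, worked through as an added Python example that is not part of the original article: a small trust-path finder that decides whether a resource domain ends up trusting a user's account domain. All domain names are constructed, and realm trusts are left out of the model.

```python
"""Added example: apply Windows Server 2003 trust transitivity rules to find
the chain of domains by which a resource domain trusts an account domain.
Domain names below are constructed; realm trusts are not modelled."""
from collections import deque
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Tree-root, parent-child, shortcut and forest trusts are transitive;
# an external trust covers only the two domains that created it.
TRANSITIVE = {"tree-root": True, "parent-child": True, "shortcut": True,
              "forest": True, "external": False}


@dataclass(frozen=True)
class Trust:
    trusting: str        # resource domain that accepts the other domain's users
    trusted: str         # account domain whose users are accepted
    kind: str            # one of the keys in TRANSITIVE
    two_way: bool = True

    @property
    def transitive(self) -> bool:
        return TRANSITIVE[self.kind]


def trust_path(trusts: List[Trust], resource_domain: str,
               user_domain: str) -> Optional[List[str]]:
    """Return the chain of domains through which resource_domain trusts
    user_domain, or None when no valid trust path exists."""
    edges: Dict[str, List[Tuple[str, Trust]]] = {}
    for t in trusts:
        edges.setdefault(t.trusting, []).append((t.trusted, t))
        if t.two_way:
            edges.setdefault(t.trusted, []).append((t.trusting, t))
    if resource_domain == user_domain:
        return [resource_domain]
    # BFS state: (current domain, forest trusts already crossed, path so far)
    queue = deque([(resource_domain, 0, [resource_domain])])
    seen = {(resource_domain, 0)}
    while queue:
        domain, forest_hops, path = queue.popleft()
        for nxt, t in edges.get(domain, []):
            if not t.transitive:
                # A non-transitive trust is only valid as a direct, single hop.
                if len(path) == 1 and nxt == user_domain:
                    return path + [nxt]
                continue
            hops = forest_hops + (1 if t.kind == "forest" else 0)
            if hops > 1:
                continue   # a forest trust does not extend to a third forest
            if nxt == user_domain:
                return path + [nxt]
            if (nxt, hops) not in seen:
                seen.add((nxt, hops))
                queue.append((nxt, hops, path + [nxt]))
    return None


# Constructed sample: forest A (corp.example tree plus eu.example tree),
# forest B (partner.example), forest C (vendor.example) and an NT 4.0 domain.
SAMPLE_TRUSTS = [
    Trust("corp.example", "sales.corp.example", "parent-child"),
    Trust("corp.example", "eu.example", "tree-root"),
    Trust("partner.example", "lab.partner.example", "parent-child"),
    Trust("corp.example", "partner.example", "forest"),
    Trust("partner.example", "vendor.example", "forest"),
    Trust("sales.corp.example", "legacy.local", "external", two_way=False),
]


if __name__ == "__main__":
    checks = [("sales.corp.example", "eu.example"),
              ("lab.partner.example", "sales.corp.example"),
              ("sales.corp.example", "legacy.local"),
              ("corp.example", "legacy.local"),
              ("vendor.example", "corp.example")]
    for resource, user in checks:
        print(f"{user:>20} -> {resource:<20}: "
              f"{trust_path(SAMPLE_TRUSTS, resource, user)}")
```

The external trust to legacy.local is honoured only by the domain that created it, and corp.example never trusts vendor.example because that would require crossing two forest trusts.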

Flexible Single Master Operation (FSMO) Roles in Windows Server 2003


Created on Saturday, 23 January 2010 11:32. Written by Sachin Mehandiratta.

By default, all roles are created in the forest on the domain controller where we first run the dcpromo command in our network. We can transfer these roles to other domain controllers depending on their load and requirements. Active Directory is a multi-master model that allows changes at any domain controller in the enterprise.

1. Schema Master Role

This is a forest-specific role found only in the forest root domain. There can be only one Schema Master in the entire Active Directory forest; it is responsible for replicating schema changes to all domain controllers in the forest. Only members of the Schema Admins group can modify the schema.

2. Domain Naming Master Role

This is also a forest-specific role found only in the forest root domain. We can add or remove a domain only from the domain controller holding this role. There can be only one Domain Naming Master in a forest. This operations master must be a Global Catalog server because it must have a record of all domains and objects to perform its function.

Note: The Schema Master and Domain Naming Master roles must be on the same domain controller to simplify the administration of these roles.

3. PDC Emulator Role

As the name suggests, the domain controller holding this role emulates the functions of a Windows NT 4.0 PDC. This role is more crucial in a mixed environment that still contains Windows NT 4.0 BDCs; this functionality is not necessary when operating in Windows 2000 or Windows Server 2003 native mode. The role is domain-specific. It also synchronizes time between all Windows 2000/2003-based computers; the W32Time service is used by Kerberos for authentication. Microsoft recommends at least one PDC Emulator per Active Directory domain. This role is heavily used in any environment, so make sure that the domain controller holding it has sufficient hardware to perform the role smoothly. The PDC Emulator performs the following functions:

- It processes the account lockout policies.
- It performs all the functions of a Windows NT 4.0 PDC.
- It receives authentication information whenever a user enters an incorrect password.

4. Relative Identifier (RID) Master Role

This is also a domain-specific role. It is responsible for generating GUIDs (Globally Unique Identifiers):

GUID = Domain ID + Object ID

Each domain has its own unique ID, which makes any new object created in any domain a unique object. Every domain must have at least one RID Master. If the RID Master is not working, we will not be able to create any objects, such as user or computer accounts.

Note: Microsoft recommends that the PDC Emulator and RID Master roles be on the same domain controller.

5. Infrastructure Master Role

This role is domain-specific and is used only in complex networks that consist of multiple domains. It maintains cross-domain references when we move any object between domains or OUs. If we have only one domain in our environment, this role is not used at all.

Note: The Infrastructure Master role cannot be held by a domain controller that is also a Global Catalog server.

FSMO roles can be seized or transferred depending on the scenario. Perform a seize operation only when the current operations master will never be available again. Before forcing the transfer, first determine the cause and the expected duration of the domain controller or network failure. Do not seize an operations master role if you can transfer it instead. To transfer or seize master roles, the ntdsutil command can be used.
A. Group Policies can be applied at multiple levels (sites, domains, organizational units), with multiple GPOs at each level. Obviously some policy settings may conflict, hence the application order of Site - Domain - Organizational Unit; within each layer you set the order of all defined policies. You may also want to force some policies to never be overridden (No Override) and want some containers not to inherit settings from a parent container (Block Inheritance). A good definition of each is as follows:

- No Override: prevents child containers from overriding policies set at higher levels.
- Block Inheritance: stops containers inheriting policies from parent containers.

No Override takes precedence over Block Inheritance, so if a child container has Block Inheritance set but a group policy on the parent has No Override set, that policy is still applied. Also, the highest No Override takes precedence over lower No Overrides.

To block inheritance, perform the following:

1. Start the Active Directory Users and Computers snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers).
2. Right-click the container you wish to stop inheriting settings from its parent and select Properties.
3. Select the 'Group Policy' tab.
4. Check the 'Block Policy inheritance' option.
5. Click Apply, then OK.

To set a policy to never be overridden, perform the following:

1. Start the Active Directory Users and Computers snap-in (Start - Programs - Administrative Tools - Active Directory Users and Computers).


2. Right-click the container in which you wish to set a Group Policy not to be overridden and select Properties.
3. Select the 'Group Policy' tab.
4. Click Options.
5. Check the 'No Override' option.
6. Click OK.
7. Click Apply, then OK.

Troubleshooting Group Policy Infrastructure

As mentioned previously, the underlying operating system and network connectivity can influence whether Group Policy settings are applied to users and computers. The system components within the underlying operating system that should be examined when Group Policy fails are:

- The DNS service should be running and configured correctly on the domain controller(s) within the Active Directory environment. If DNS is not running or is not configured correctly, Active Directory clients are unable to find domain controllers and ultimately to access any GPOs. DNS also plays a role in Group Policy's folder redirection feature: a client needs DNS to locate the network location of the redirected system folders.
- For a user or computer to fall within a GPO's scope, it has to be a member of the site, domain, or OU that the particular GPO is linked to.
- To access Group Policy templates, clients require access to the SYSVOL share located on the domain controllers. Ensure that clients have the correct permissions to access the SYSVOL share.
- Problems with replication can also result in clients experiencing problems accessing Group Policy templates. Ensure that Active Directory and file system replication are occurring as they should.

The tools that can assist with troubleshooting the underlying operating system components that Group Policy depends on are:

- Replmon, which can verify Active Directory and file system replication.
- The Group Policy Management Console (GPMC), which assists with troubleshooting GPO behavior. Users can use the GPMC to determine which GPOs are enabled and being processed, and the manner in which GPOs are linked to sites, domains, and OUs.

Because GPO processing relies on network connectivity between the client workstation and the domain controller(s) that are members of the sites or domains within Active Directory, loss of network connectivity can result in no Group Policy settings being processed. A few issues that should be addressed when network connectivity problems are being experienced are:

- Verify that the TCP/IP protocol is installed and running within your environment. For GPOs to be processed, TCP/IP must be running. GPOs also depend on the Internet Control Message Protocol (ICMP) for slow network link detection. The firewall configuration within your environment determines whether ICMP packets are allowed between the domain controllers and network clients.
- Verify that the time and date on the network client are in sync with the time and date of the domain controllers and the remainder of the network clients. The Windows Time Service is normally used to ensure that the time and date of clients and domain controllers are synchronized. If a client's clock is not synchronized, authentication problems occur and the client may not be able to access any GPOs.

The tools listed below can be used to verify network connectivity between network clients and Active Directory domain controllers:

- Netstat utility
- Ping utility

Using Resultant Set of Policy (RSoP) to Troubleshoot Group Policy

The Resultant Set of Policy Wizard and the Gpresult command-line utility can be used to create RSoP queries that determine the resultant set of policy for any users and computers defined in the query. The Resultant Set of Policy feature is new in Windows Server 2003 and can greatly reduce the time spent troubleshooting GPOs. Through RSoP, users can query the existing policies that are linked to a site, domain, or OU and applied to users and computers. RSoP can generate information on the following Group Policy settings:

- Administrative Templates
- Folder Redirection
- Security Settings
- Software Installation
- Scripts
- Internet Explorer Maintenance

Because numerous GPOs are typically applied in Active Directory, the RSoP feature can be used to determine which policies are applied to the user or computer being troubleshot. RSoP also indicates which Group Policy settings have precedence. RSoP can assist in determining whether security templates have been applied correctly. It also points out instances where settings are overwritten because of conflicting policy settings. The four types of information that can be viewed in the RSoP console are:

- Individual Group Policy settings
- The list of GPOs associated with the RSoP query
- The scope of management associated with the RSoP query
- GPO revision information

RSoP has two modes:

- Logging mode: RSoP logging mode determines which existing policy settings have been applied to a user or computer. Logging mode basically generates information on the existing Group Policy settings. Logging mode should be used to:
  - Determine how security groups and local policy are affecting policy settings.
  - Discover failed and overwritten Group Policy settings.
- Planning mode: RSoP planning mode is used to simulate the effects of new Group Policy settings before implementing the GPOs in a production environment. Planning mode should be used to:
  - Test policy precedence.
  - Simulate GPO processing over a slow network link.
  - Simulate loopback processing.

How to create and run an RSoP query to troubleshoot existing policy settings for a specified user and computer:

1. Click Start, Run, and enter mmc in the Run dialog box. Click OK.
2. Click Add/Remove Snap-in on the File menu.
3. Click the Standalone tab, then click Add.
4. Select Resultant Set of Policy and click Add. Click Close.
5. Click OK.
6. In the MMC, right-click Resultant Set of Policy and select Generate RSoP Data on the shortcut menu.
7. Click Next on the Resultant Set of Policy Wizard's initial page.
8. Select Logging mode on the Mode Selection page. Click Next.
9. When the Computer Selection page opens, choose to run the RSoP query on This Computer or on Another Computer.
10. The user may also select the 'Do not display policy settings for the selected computer in the results (display user policy settings only)' checkbox. Click Next.
11. When the User Selection page opens, select either the Current User or the Select A Specific User option.
12. The user may also select the 'Do not display policy settings for the selected user in the results (display computer policy settings only)' checkbox. Click Next.
13. Verify the parameters set for the RSoP query on the Summary Of Selections page. Click Next.
14. Click Finish on the Completing The Resultant Set Of Policy Data Wizard page.
15. The RSoP console displays the data that resulted from running the RSoP query.

Using Gpresult.exe to Troubleshoot Group Policy

The Gpresult.exe command-line utility available in Windows Server 2003 can be used to create RSoP queries that collect and report RSoP data on users and computers. Gpresult.exe can be used to gather the information listed below, which is useful when Group Policy has to be troubleshot:

- Information on the OS, computer, and user.
- Group Policy information, including:
  - When Group Policy was last applied
  - The domain controller that applied Group Policy
  - Information on all GPOs that are applied and their details
  - Information on the Registry settings that are applied and their details
  - Scripts
  - Software management information and details on published and assigned applications

  - Disk quota information
  - Internet Protocol (IP) security settings
  - Redirected folder information and their details

The Gpresult command's syntax and parameters are listed below:

gpresult [/s computer [/u domain\user /p password]] [/user username] [/scope {user|computer}] [/v] [/z]

- /s computer: defines the IP address or name of the remote computer. The local computer is used by default.
- /u domain\user: specifies the user account under which the command should run. The permissions of the currently logged-on user are used by default.
- /p password: the password of the user account.
- /user username: the user name for which RSoP information should be shown.
- /scope {user|computer}: defines whether user or computer settings should be displayed. Both are displayed by default.
- /v: outputs verbose policy information.
- /z: outputs all policy information.

Using Gpupdate.exe to Troubleshoot Group Policy

The Gpupdate.exe command-line utility can be used to perform the following tasks:

- Refresh GPOs immediately if they are not being processed correctly.
- Refresh a GPO immediately after a change has been made to its Group Policy settings.

The Gpupdate.exe command-line utility is new in Windows Server 2003. It replaces the Secedit /refreshpolicy command that was used in Windows 2000. The Gpupdate command's syntax and parameters are listed below:

gpupdate [/Target:{Computer | User}] [/Force] [/Wait:<value>] [/Logoff] [/Boot] [/Sync]

- /Target:{Computer | User}: indicates whether only the computer policy settings or only the user policy settings are refreshed. Both types of policy settings are refreshed by default.
- /Force: specifies that all policy settings be reapplied. By default, only the policy settings that have changed since the last Group Policy refresh are refreshed.
- /Wait:<value>: specifies the number of seconds to wait for all policy processing to finish. The default value is 600 seconds. A value of 0 tells Gpupdate not to wait, while a value of -1 tells Gpupdate to wait indefinitely.
- /Logoff: forces the user to log off the computer after the Group Policy settings are refreshed.
- /Boot: restarts the computer after the Group Policy settings are refreshed.
- /Sync: causes the next policy application to occur synchronously at computer startup or user logon.

Using the Group Policy Management Console (GPMC) to Troubleshoot Group Policy

The Group Policy Management Console (GPMC) incorporates numerous Group Policy operations into one management console and therefore enables the user to manage Group Policy settings within his/her environment from one location. The GPMC can be used to examine all sites, domains, OUs, and GPOs within an enterprise. The GPMC consists of an MMC snap-in, a set of scripts that can be run from the command line, and a set of batch files. The scripts included in the GPMC can be used to list and view the following GPO information:

- Information on a GPO
- All the GPOs in a domain
- All disabled GPOs
- Unlinked GPOs in a domain
- GPOs by policy extension
- GPOs by security group
- GPOs with duplicate names
- GPOs with no security filtering
- Scope of management information

Because of the information that can be viewed in the GPMC, it can be of assistance when GPO behavior needs to be troubleshot. It allows users to examine a specific GPO's settings and can also be used to determine how a user's GPOs are linked to sites, domains, and OUs. To access the GPMC, click Start, Administrative Tools, and Group Policy Management. The Group Policy Results report collects information on a computer and user to list the policy settings that are enabled. To create a Group Policy Results report, right-click Group Policy Results and select Group Policy Results Wizard on the shortcut menu. This launches the Group Policy Results Wizard, which guides the user through various pages to set parameters for the information that should be displayed in the Group Policy Results report.

Troubleshooting Policy Inheritance

To successfully troubleshoot policy inheritance issues, the user must thoroughly understand how policy inheritance affects the application of the Group Policy settings within GPOs, and how enabling the Block Policy Inheritance and No Override options affects policy inheritance. Inheritance signifies that the Group Policy settings that affect user and computer configurations are the resultant set of policies inherited from parent containers. Policies are usually passed down from a parent container to its child containers. When a parent OU's policy setting is set to Enabled or Disabled and the child OU does not have the same policy setting configured, the child OU inherits its parent OU's policy setting. The exception is that a Group Policy setting defined for a child OU overrides the same setting inherited from its parent OU. Group Policy settings are processed in the order specified below:

1. Local GPO: because the local GPO is applied first, policies defined on the local computer have the least priority.
2. Site GPOs: site GPOs are GPOs that are linked to sites. The administrator determines and defines the order of the different site GPOs.
3. Domain GPOs: domain GPOs are applied next. GPOs linked to a domain have precedence over site GPOs and local GPOs.
4. OU GPOs: GPOs linked to the OU highest in the Active Directory hierarchy are applied before those of any other OU; OU GPOs linked to the OU closest to the user or computer are then applied. When the OU that contains the user or computer has a GPO linked to it, that GPO is applied last.

Block Policy Inheritance can be explicitly specified for a site, domain, or OU; it is not applied to any GPOs or GPO links. When enabled for a site, domain, or OU, it prevents any Group Policy settings from passing down from higher up in the tree to the particular site, domain, or OU for which it is enabled. The only exception is that GPO links that have the No Override setting enabled are not blocked, but are applied. When the No Override setting is enabled for a GPO linked to a site, domain, or OU, no other GPO overrides the Group Policy settings contained in that particular GPO. Because of the hierarchical manner in which GPOs are applied, when more than one GPO has the No Override setting enabled, the GPO highest in the tree has precedence.
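The precedence rules just described, and the Block Inheritance / No Override definitions given in the earlier answer, worked through as an added Python model that is not part of the original article: a container chain in Local, Site, Domain, OU order is resolved with and without Block Policy Inheritance on the closest OU. Container and GPO names are constructed, and treating the local GPO as untouched by Block Policy Inheritance is an assumption of the model.

```python
"""Added example: a small model of how Windows Server 2003 Group Policy
precedence resolves with Block Policy Inheritance and No Override.
Container and GPO names below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GpoLink:
    gpo: str                     # name of the linked GPO
    settings: Dict[str, str]     # policy setting -> configured value
    no_override: bool = False    # "No Override" set on this link


@dataclass
class Container:
    name: str
    level: str                   # "Local", "Site", "Domain" or "OU"
    links: List[GpoLink] = field(default_factory=list)  # applied in list order, later wins
    block_inheritance: bool = False


def resultant_policy(chain: List[Container]) -> Dict[str, Tuple[str, str]]:
    """chain is in processing order: Local, Site, Domain, top OU ... closest OU.
    Returns setting -> (value, name of the GPO that supplied it)."""
    # The lowest container with Block Policy Inheritance cuts off every link
    # from containers above it, except links that have No Override set.
    # Assumption in this model: the local GPO is not linked to a parent
    # container, so blocking does not remove it.
    cutoff = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)
    ordinary, enforced = [], []
    for i, c in enumerate(chain):
        for link in c.links:
            if link.no_override:
                enforced.append((i, link))
            elif i >= cutoff or c.level == "Local":
                ordinary.append((i, link))

    result: Dict[str, Tuple[str, str]] = {}
    # Ordinary links: Local, Site, Domain, OU order; the last one applied wins.
    for _, link in ordinary:
        for setting, value in link.settings.items():
            result[setting] = (value, link.gpo)
    # No Override links beat every ordinary link, and the one highest in the
    # tree beats lower ones, so apply them from the closest container upwards.
    for _, link in sorted(enforced, key=lambda item: item[0], reverse=True):
        for setting, value in link.settings.items():
            result[setting] = (value, link.gpo)
    return result


def build_chain(block_on_marketing: bool) -> List[Container]:
    """Constructed sample: a Marketing OU nested under a Sales OU."""
    return [
        Container("Local computer", "Local",
                  [GpoLink("Local GPO", {"screensaver_timeout": "900"})]),
        Container("Default-First-Site", "Site",
                  [GpoLink("Site-Password", {"max_password_age": "30"})]),
        Container("corp.example", "Domain",
                  [GpoLink("Default Domain Policy",
                           {"lockout_threshold": "5", "usb_storage": "disabled"},
                           no_override=True)]),
        Container("Sales", "OU",
                  [GpoLink("Sales-Desktop",
                           {"max_password_age": "50", "screensaver_timeout": "600"}),
                   GpoLink("Sales-Lockdown", {"usb_storage": "read-only"},
                           no_override=True)]),
        Container("Marketing", "OU",
                  [GpoLink("Marketing-Apps", {"usb_storage": "enabled"})],
                  block_inheritance=block_on_marketing),
    ]


if __name__ == "__main__":
    for block in (False, True):
        print(f"Block Policy Inheritance on Marketing: {block}")
        for setting, (value, gpo) in sorted(resultant_policy(build_chain(block)).items()):
            print(f"  {setting:<20} = {value:<10} (from {gpo})")
```

Without the block, the Sales OU's 50-day password age beats the site's 30 days; with the block, the site and Sales settings vanish while the two No Override links still apply, and the domain's No Override beats the Sales OU's.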

A few techniques for troubleshooting Group Policy inheritance are:

- GPOs can only be linked to sites, domains, and OUs, and are then applied to users and computers.
- While child OUs inherit their parent OU's Group Policy settings by default, child domains do not inherit Group Policy settings from parent domains.
- A factor to consider when troubleshooting policy inheritance is that when both the Block Inheritance and No Override options are enabled, the No Override option has precedence.
- Remember that Block Inheritance applies to the entire site, domain, or OU and can therefore prevent Group Policy settings from being applied. In a situation where a particular GPO is not being applied, verify that the GPO is not being blocked.
- Verify that the user or computer belongs to a security group that has the Allow.
