MCSE Exam 70-294: Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure, Part 1


Syngress knows what passing the exam means to
you and to your career. And we know that you
are often financing your own training and
certification; therefore, you need a system that is
comprehensive, affordable, and effective.
Boasting one-of-a-kind integration of text, DVD-quality
instructor-led training, and Web-based exam simulation, the
Syngress Study Guide & DVD Training System guarantees 100% coverage of exam
objectives.
The Syngress Study Guide & DVD Training System includes:

Study Guide with 100% coverage of exam objectives By reading
this study guide and following the corresponding objective list, you
can be sure that you have studied 100% of the exam objectives.

Instructor-led DVD This DVD provides almost two hours of virtual
classroom instruction.

Web-based practice exams Just visit us at www.syngress.com/certification
to access a complete exam simulation.
Thank you for giving us the opportunity to serve your certification needs. And
be sure to let us know if there’s anything else we can do to help you get the
maximum value from your investment. We’re listening.
www.syngress.com/certification
256_70-294_FM.qxd 9/6/03 10:19 AM Page i
Michael Cross
Jeffery A. Martin
Todd A. Walls
Martin Grasdal

PUBLISHED BY
Syngress Publishing, Inc.
800 Hingham Street
Rockland, MA 02370
Planning, Implementing, and Maintaining a Windows Server 2003 Active Directory Infrastructure Study
Guide & DVD Training System
Copyright © 2003 by Syngress Publishing, Inc. All rights reserved. Printed in the United States of
America. Except as permitted under the Copyright Act of 1976, no part of this publication may be
reproduced or distributed in any form or by any means, or stored in a database or retrieval system,
without the prior written permission of the publisher, with the exception that the program listings
may be entered, stored, and executed in a computer system, but they may not be reproduced for
publication.
Printed in the United States of America
1 2 3 4 5 6 7 8 9 0
ISBN: 1-931836-94-9
Technical Editors: Debra Littlejohn Shinder, Thomas W. Shinder
Technical Reviewer: Martin Grasdal
Acquisitions Editor: Jonathan Babcock
DVD Production: Michael Donovan
Cover Designer: Michael Kavish
Page Layout and Art by: Patricia Lupien
Copy Editor: Beth Roberts
Indexer: Rich Carlson
DVD Presenter: Laura E. Hunter
We would like to acknowledge the following people for their kindness and support in

fessional manner and under severe time constraints, but still keeps a good sense of humor.
Acknowledgments
Michael Cross (MCSE, MCP+I, CNA, Network+) is an Internet Specialist /
Computer Forensic Analyst with the Niagara Regional Police Service. He performs
computer forensic examinations on computers involved in criminal investigations, and
has consulted and assisted in cases dealing with computer-related/Internet crimes. In
addition to designing and maintaining their Web site at www.nrps.com and Intranet,
he has also provided support in the areas of programming, hardware, network
administration, and other services. As part of an information technology team that provides
support to a user base of over 800 civilian and uniform users, his theory is that when
the users carry guns, you tend to be more motivated in solving their problems.
Michael also owns KnightWare (www.knightware.ca), which provides computer-
related services like Web page design, and Bookworms (www.bookworms.ca), where
you can purchase collectibles and other interesting items online. He has been a
freelance writer for several years, and has been published over three dozen times in numerous
books and anthologies. He currently resides in St. Catharines, Ontario, Canada with
his lovely wife Jennifer and his darling daughter Sara.
Eriq Oliver Neale is an Information Technology manager for a large manufacturing
company headquartered in the southwest. His IT career spans 16 years and just about
as many systems. He has contributed to a number of technical publications, including
several MCSE exam preparation titles. His article on MIDI, still considered one of the
seminal works on the topic, has been reprinted in hundreds of publications in
multiple languages. Most recently, he has been focusing on electronic data privacy issues
in mixed platform environments. When not working in and writing about information
technology, Eriq spends time writing and recording music in his home studio for
clients of his music publishing company. On clear nights, he can be found gazing at
the moon or planets through his telescope, which he also uses for deep-space
astrophotography.
Todd A. Walls (CISSP, MCSE) is a Senior Security Engineer for COACT, Inc., pro-

for Sodexho at Granite School District Food Services in Salt Lake City, UT. He
currently manages around 90 sites using a lot of remote management tools,
internetworking Microsoft Windows desktops with Novell networks and ZENworks
for Desktops.
Troy has been a consultant, trainer, and writer since 1997 and has published
items both on the Internet and with this publisher. He has authored student
curricula and helped design training material and labs for students trying to pass the
Microsoft MCSE exams. He holds a bachelor’s degree from the University of
Phoenix in e-Business. Troy currently resides in Salt Lake City, UT with his wife
Kim and eight children: “My family is the reason for taking on extra projects and
I am grateful for their support! I love you Kim, Jett, Ryan, Rachael, James, McKay,
Brayden, Becca and Hannah.”
Debra Littlejohn Shinder (MCSE) is a technology consultant, trainer, and writer
who has authored a number of books on networking, including Scene of the
Cybercrime: Computer Forensics Handbook, published by Syngress Publishing (ISBN:
1-931836-65-5), and Computer Networking Essentials, published by Cisco Press. She
is co-author, with her husband Dr. Thomas Shinder, of Troubleshooting Windows
2000 TCP/IP (ISBN: 1-928994-11-3), the best-selling Configuring ISA Server 2000
(ISBN: 1-928994-29-6), and ISA Server and Beyond (ISBN: 1-931836-66-3). Deb is
also a technical editor and contributor to books on subjects such as the Windows
2000 MCSE exams, the CompTIA Security+ exam, and TruSecure’s ICSA
certification. She edits the Brainbuzz A+ Hardware News and Sunbelt Software’s WinXP
News and is regularly published in TechRepublic’s TechProGuild and
Windowsecurity.com. Deb specializes in security issues and Microsoft products. She
lives and works in the Dallas-Fort Worth area and can be contacted at
or via the website at www.shinder.net.
Thomas W. Shinder M.D. (MVP, MCSE) is a computing industry veteran who
has worked as a trainer, writer, and a consultant for Fortune 500 companies

related to server technologies. Martin lives in Edmonton, Alberta, Canada with his
wife Cathy and their two sons. Martin’s past authoring and editing work with
Syngress has included the following titles: Configuring and Troubleshooting Windows
XP Professional (ISBN: 1-928994-80-6), Configuring ISA Server 2000: Building
Firewalls for Windows 2000 (ISBN: 1-928994-29-6), and Dr. Tom Shinder’s ISA Server
& Beyond: Real World Security Solutions for Microsoft Enterprise Networks
(ISBN: 1-931836-66-3).
Technical Editor and Contributor
Technical Reviewer
Laura E. Hunter (CISSP, MCSE, MCT, MCDBA, MCP, MCP+I, CCNA, A+,
Network+, iNet+, CNE-4, CNE-5) is a Senior IT Specialist with the University
of Pennsylvania, where she provides network planning, implementation and
troubleshooting services for various business units and schools within the University.
Her specialties include Microsoft Windows NT and 2000 design and
implementation, troubleshooting and security topics. As an “MCSE Early Achiever” on
Windows 2000, Laura was one of the first in the country to renew her Microsoft
credentials under the Windows 2000 certification structure. Laura’s previous
experience includes a position as the Director of Computer Services for the Salvation
Army and as the LAN administrator for a medical supply firm. She also operates
as an independent consultant for small businesses in the Philadelphia metropolitan
area and is a regular contributor to the TechTarget family of Web sites.
Laura has previously contributed to Syngress Publishing’s Configuring
Symantec Antivirus, Corporate Edition (ISBN: 1-931836-81-7). She has also
contributed to several other exam guides in the Syngress Windows Server 2003
MCSE/MCSA DVD Guide and Training System series as a DVD presenter,
contributing author, and technical reviewer.
Laura holds a bachelor’s degree from the University of Pennsylvania and is a

find the sections that directly support particular
objectives, we’ve listed all of the exam objectives
below, and mapped them to the Chapter number in
which they are covered. We’ve also assigned
numbers to each objective, which we use in the
subsequent Table of Contents and again throughout the
book to identify objective coverage. In some chapters,
we’ve made the judgment that it is probably easier for the
student to cover objectives in a slightly different sequence than
the order of the published Microsoft objectives. By reading this study guide and
following the corresponding objective list, you can be sure that you have studied 100%
of Microsoft’s MCSE 70-294 Exam objectives.
256_70-294_Obj.qxd 9/6/03 10:24 AM Page xi
Exam Objective Map
Objective Number | Objective | Chapter Number
1.3.3 | Create and configure Application Data Partitions. | 4
1.3.4 | Install and configure an Active Directory domain controller. | 7
1.3.5 | Set an Active Directory forest and domain functional level based on requirements. | 4
1.3.6 | Establish trust relationships. Types of trust relationships might include external trusts, shortcut trusts, and cross-forest trusts. | 5
1.4 | Implement an Active Directory site topology. | 6
1.4.1 | Configure site links. | 6
1.4.2 | Configure preferred bridgehead servers. | 6
1.5 | Plan an administrative delegation strategy. | 5
1.5.1 | Plan an organizational unit (OU) structure | 5

2.5.2 | Diagnose and resolve issues related to operations master role failure. | 7
2.5.3 | Diagnose and resolve issues related to the Active Directory database. | 11
3 | Planning and Implementing User, Computer, and Group Strategies | 2
3.1 | Plan a security group strategy. | 3
3.2 | Plan a user authentication strategy. | 3
3.2.1 | Plan a smart card authentication strategy. | 3
3.2.2 | Create a password policy for domain users. | 3
3.3 | Plan an OU structure. | 5
3.3.1 | Analyze the administrative requirements for an OU. | 5
3.3.2 | Analyze the Group Policy requirements for an OU structure. | 5
3.4 | Implement an OU structure. | 5
3.4.1 | Create an OU. | 5
3.4.2 | Delegate permissions for an OU to a user or to a security group. | 5
3.4.3 | Move objects within an OU hierarchy. | 5
4 | Planning and Implementing Group Policy | 9
4.1 | Plan Group Policy strategy. | 9
4.1.1 | Plan a Group Policy strategy by using Resultant Set of Policy (RSoP) Planning mode. | 9
4.1.2 | Plan a strategy for configuring the user environment by using Group Policy. | 9
4.1.3 | Plan a strategy for configuring the computer environment by using Group Policy. | 9

Contents
Foreword
Chapter 1 Active Directory Infrastructure Overview
Introduction
1 Introducing Directory Services
Terminology and Concepts
Directory Data Store
Policy-Based Administration
Directory Access Protocol
Naming Scheme
Installing Active Directory to Create a Domain Controller
1 Understanding How Active Directory Works
Directory Structure Overview
Sites
Domains
Domain Trees
Forests
Organizational Units
Active Directory Components
Logical vs. Physical Components
Domain Controllers
Schema
Global Catalog
Replication Service
1 Using Active Directory Administrative Tools
Graphical Administrative Tools/MMCs
Active Directory Users and Computers
Active Directory Domains and Trusts

Domain Controller Renaming Tool
Domain Rename Utility
Forest Trusts
Dynamically Links Auxiliary Classes
Disabling Classes
Replication
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key
256_70-294_TOC.qxd 9/5/03 6:33 PM Page xvi
Chapter 2 Working with User, Group, and Computer Accounts
Introduction
3 Understanding Active Directory Security Principal Accounts
Security Principals and Security Identifiers
Tools to View and Manage Security Identifiers
Naming Conventions and Limitations
3 Working with Active Directory User Accounts
Built-In Domain User Accounts
Administrator
Guest
HelpAssistant
SUPPORT_388945a0
InterOrgPerson
Creating User Accounts
Creating Accounts Using Active Directory Users and Computers

Creating Computer Accounts Using the DSADD Command
Managing Computer Accounts
3 Managing Multiple Accounts
Implementing User Principal Name Suffixes
Moving Account Objects in Active Directory
Moving Objects with Active Directory Users and Computers
Moving Objects with the DSMOVE Command
Moving Objects with the MOVETREE Command
Troubleshooting Problems with Accounts
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key
Chapter 3 Creating User and Group Strategies
Introduction
Creating a Password Policy for Domain Users
Creating an Extensive Defense Model
Strong Passwords
System Key Utility
Defining a Password Policy
Applying a Password Policy
Modifying a Password Policy
Applying an Account Lockout Policy
Creating User Authentication Strategies
Need for Authentication
Single Sign-On
Interactive Logon
Network Authentication
Authentication Types

Designing a Group Strategy for a Multiple Domain Forest
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key
Chapter 4 Working with Forests and Domains
Introduction
Understanding Forest and Domain Functionality
The Role of the Forest
New Forestwide Features
The Role of the Domain
New Domainwide Features
Domain Trees
Forest and Domain Functional Levels
Domain Functionality
Forest Functionality
1.3.5 Raising the Functional Level of a Domain and Forest
Domain Functional Level
Forest Functional Level
Optimizing Your Strategy for Raising Functional Levels
1.3/2.1 Creating the Forest and Domain Structure
Deciding When to Create a New DC
Installing Domain Controllers
1.3.1 Creating a Forest Root Domain
Creating a New Domain Tree in an Existing Forest
1.3.2 Creating a New Child Domain in an Existing Domain
Creating a New DC in an Existing Domain

Self Test Quick Answer Key
Chapter 5 Working with Trusts and Organizational Units
Introduction
1.3.6/2.1.1 Working with Active Directory Trusts
Types of Trust Relationships
Default Trusts
Shortcut Trust
Realm Trust
External Trust
Forest Trust
Creating, Verifying, and Removing Trusts
Securing Trusts Using SID Filtering
3.3.1/3.4.3 Working with Organizational Units
Understanding the Role of Container Objects
3.4/3.4.1 Creating and Managing Organizational Units
Applying Group Policy to OUs
3.4.2 Delegating Control of OUs
1.5/1.5.1/3.3/3.3.2 Planning an OU Structure and Strategy for Your Organization
Delegation Requirements
Security Group Hierarchy
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key

Creating a Replication Topology
Managing Replication Topology
Configuring Replication between Sites
Configuring Replication Frequency
Configuring Site Link Availability
Configuring Site Link Bridges
1.4.2 Configuring Bridgehead Servers
2.3 Troubleshooting Replication Failure
Troubleshooting Replication
2.3.1 Using Replication Monitor
Using Event Viewer
Using Support Tools
2.3.2 Monitoring File Replication Service Replication
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key
Chapter 7 Working with Domain Controllers
Introduction
1.3.4 Planning and Deploying Domain Controllers
Understanding Server Roles
Function of Domain Controllers
Determining the Number of Domain Controllers
Using the Active Directory Installation Wizard
Creating Additional Domain Controllers
Upgrading Domain Controllers
Placing Domain Controllers within Sites

Customizing the GC Using the Schema MMC Snap-In
Creating and Managing GC Servers
Understanding GC Replication
Universal Group Membership
Attributes in GC
1.1 Placing GC Servers within Sites
1.1.1 Bandwidth and Network Traffic Considerations
1.1.2 Universal Group Caching
Troubleshooting GC Issues
2.1.2 Working with the Active Directory Schema
Understanding Schema Components
Classes
Attributes
Naming of Schema Objects
Working with the Schema MMC Snap-In
Modifying and Extending the Schema
Deactivating Schema Classes and Attributes
Troubleshooting Schema Issues
Summary of Exam Objectives
Exam Objectives Fast Track
Exam Objectives Frequently Asked Questions
Self Test
Self Test Quick Answer Key