70-290 Concepts: User/Groups/Computers

·          Active Directory under Windows Server 2003 supports four domain functional levels; the level restricts which operating systems may run on the domain controllers (member servers and clients are not restricted) and unlocks AD features:

o    Windows 2000 mixed: the default; domain controllers can be Windows NT 4.0 BDCs, Windows 2000 or Windows Server 2003

o    Windows 2000 native: all domain controllers are Windows 2000 or Windows Server 2003 (no NT 4.0 BDCs)

o    Windows Server 2003 interim: domain controllers are Windows NT 4.0 or Windows Server 2003, never Windows 2000 (only used when upgrading an NT 4.0 domain directly to Windows Server 2003)

o    Windows Server 2003: all domain controllers are Windows Server 2003

·          Raising the domain functional level is a one-way operation: it can only be raised, never lowered, so confirm that no domain controller running an older version will ever need to be added before you raise it

·          Windows Server 2003 supports three forest functional levels:

o    Windows 2000: the base (default) level; domain controllers anywhere in the forest can be Windows NT 4.0, Windows 2000 or Windows Server 2003

o    Windows Server 2003 interim: domain controllers are Windows NT 4.0 or Windows Server 2003, no Windows 2000 DCs (again only for NT 4.0 to Server 2003 upgrades)

o    Windows Server 2003: all domain controllers in every domain of the forest are Windows Server 2003; raising to this level is also one-way
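Before raising a level it is worth confirming what the domain and forest are actually at, since the exam-style names hide how AD stores them. The following is an added example, not part of the original notes: it reads the two levels with ADSI from any domain-joined machine, so it needs no ActiveDirectory module and works against Windows Server 2003 DCs. It assumes it is run as an authenticated domain user (the attributes are readable by default).

```powershell
# Added example (not from the original notes): read the domain and forest
# functional levels directly from Active Directory with ADSI.
# Assumption: run on a domain-joined machine as any authenticated domain user.

$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDn = $rootDse.Properties['defaultNamingContext'].Value
$configDn = $rootDse.Properties['configurationNamingContext'].Value

$domain     = [ADSI]"LDAP://$domainDn"
$partitions = [ADSI]"LDAP://CN=Partitions,$configDn"

# msDS-Behavior-Version stores the level as an integer (absent = 0 on a pre-2003 schema).
# Domain head: 0 = Windows 2000 (mixed or native), 1 = Windows Server 2003 interim,
#              2 = Windows Server 2003.
# Mixed vs. native at level 0 is recorded separately in ntMixedDomain (1 = mixed, 0 = native).
# Partitions container: 0 = Windows 2000, 1 = Windows Server 2003 interim, 2 = Windows Server 2003.
$domainLevel = [int]$domain.Properties['msDS-Behavior-Version'].Value
$ntMixed     = [int]$domain.Properties['ntMixedDomain'].Value
$forestLevel = [int]$partitions.Properties['msDS-Behavior-Version'].Value

$domainName = switch ($domainLevel) {
    0       { if ($ntMixed -eq 1) { 'Windows 2000 mixed' } else { 'Windows 2000 native' } }
    1       { 'Windows Server 2003 interim' }
    2       { 'Windows Server 2003' }
    default { "level $domainLevel (newer than the levels covered in these notes)" }
}
$forestName = switch ($forestLevel) {
    0       { 'Windows 2000' }
    1       { 'Windows Server 2003 interim' }
    2       { 'Windows Server 2003' }
    default { "level $forestLevel (newer than the levels covered in these notes)" }
}

"Domain                  : $domainDn"
"Domain functional level : $domainName"
"Forest functional level : $forestName"
```

The script only reads; raising a level is still done in ADUC (domain) or Active Directory Domains and Trusts (forest), and because the operation cannot be undone, run this check first and compare the result with the operating system of every DC in the forest.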

·          You can create a user account in three different ways:

o    Create the user in AD using the Active Directory Users and Computers (ADUC) MMC snap-in

o    CSVDE.exe command-line tool (bulk import from a comma-separated file)

o    LDIFDE.exe command-line tool (bulk import from an LDIF file); DSADD.exe, covered below for computers, also has a dsadd user command for single accounts

·          CSVDE.exe imports objects from a CSV file and exports Active Directory data to CSV. On import it can only create objects, not modify or delete existing ones, and it cannot set passwords, so user accounts are normally imported disabled (userAccountControl 514) and enabled only once a password has been set.

·          LDIFDE.exe exports/imports Active Directory data using the LDAP Data Interchange Format (LDIF). Unlike CSVDE it can also modify and delete existing objects (changetype: modify / delete). It can set a password on import only over an SSL-protected LDAP connection (the unicodePwd attribute), so the same create-disabled, set password, enable sequence is normal practice.
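The bullets above describe the tools; what they do not show is the file format each one expects and why the password step has to be separate. The block below is an added example, not from the original notes: it writes one LDIF file and one CSV file, imports each with LDIFDE and CSVDE, sets a password and enables the accounts with DSMOD, then exports the result with CSVDE. The OU (OU=Staff,DC=example,DC=com), the user names and the temporary password are hypothetical; the caller needs rights to create users in that OU.

```powershell
# Added example (not from the original notes): bulk user creation with LDIFDE and CSVDE.
# Hypothetical: OU=Staff,DC=example,DC=com exists; the caller may create users there.

# --- LDIF import ---------------------------------------------------------
# userAccountControl 514 = NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2).
# The import carries no password, so the account must start disabled.
$ldif = @"
dn: CN=Jane Doe,OU=Staff,DC=example,DC=com
changetype: add
objectClass: user
cn: Jane Doe
sAMAccountName: jdoe
userPrincipalName: jdoe@example.com
givenName: Jane
sn: Doe
displayName: Jane Doe
userAccountControl: 514

"@
Set-Content -Path .\newusers.ldf -Value $ldif -Encoding Ascii

# -i import, -f file, -k keep going on "object already exists" / constraint errors,
# -j . write the ldif.log / ldif.err files to the current directory
ldifde -i -f .\newusers.ldf -k -j .

# --- CSV import ----------------------------------------------------------
# First line is the attribute list; a DN containing commas must be quoted.
$csv = @"
DN,objectClass,sAMAccountName,userPrincipalName,givenName,sn,displayName,userAccountControl
"CN=John Roe,OU=Staff,DC=example,DC=com",user,jroe,jroe@example.com,John,Roe,John Roe,514
"@
Set-Content -Path .\newusers.csv -Value $csv -Encoding Ascii
csvde -i -f .\newusers.csv -k -j .

# --- Set a password and enable (neither importer can do this in clear text) ----
# -mustchpwd yes forces a change at first logon so the temporary value is short-lived.
foreach ($dn in 'CN=Jane Doe,OU=Staff,DC=example,DC=com',
                'CN=John Roe,OU=Staff,DC=example,DC=com') {
    dsmod user $dn -pwd 'Temp#Pass123' -mustchpwd yes -disabled no
}

# --- Export with CSVDE (no -i) -------------------------------------------
# -r LDAP filter, -l attributes to include, -d the subtree to search.
csvde -f .\staff-export.csv -d "OU=Staff,DC=example,DC=com" `
      -r "(&(objectCategory=person)(objectClass=user))" `
      -l "sAMAccountName,userPrincipalName,displayName,userAccountControl"
```

Two things to remember from this: an LDIF change set is also how you would bulk-modify or delete (change the `changetype`), which CSVDE cannot do, and the export file now holds account data, so treat it with the same care as the directory it came from.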

·          You can create a computer account in three ways:

o    Log on to each workstation and join it to the domain (the account is created in the default Computers container at join time)

o    Pre-stage the computer in AD using the Active Directory Users and Computers (ADUC) MMC snap-in

o    Pre-stage the computer using the DSADD.exe command-line utility (dsadd computer); pre-staging lets you choose the OU, so the right Group Policy applies from the first boot

·          By default a non-administrator (any authenticated user) can join up to 10 workstations to the domain with ordinary credentials. The limit is the ms-DS-MachineAccountQuota attribute on the domain object, and each computer account created this way records the creator in ms-DS-CreatorSID. Because this lets any user add machines, and therefore new computer accounts, to the domain, a common hardening step is to set the quota to 0, pre-stage accounts, and delegate “Create Computer Objects” on specific OUs instead.

·          You need to reset the computer account (in Active Directory) and rejoin the machine, or re-establish its secure channel with netdom, when the secure channel password held by the member no longer matches the one in AD. Typical symptoms:

o    On the domain controller, NETLOGON event 5722: “The session setup from the computer <name> failed to authenticate. The name(s) of the account(s) referenced in the security database is <name>$. The following error occurred: Access is denied.”

o    On the member, NETLOGON event 3210: “This computer could not authenticate with \\domaindc, a Windows domain controller for domain <domain>, and therefore this computer might deny logon requests.” Users typically see “The trust relationship between this workstation and the primary domain failed” at logon.
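The three computer-account items above (pre-staging, the 10-machine quota, and resetting a broken account) are all one short procedure at the command line. The following block is an added example, not from the original notes; the workstation WS01, the OU=Workstations,DC=example,DC=com container, the domain example.com and the account EXAMPLE\admin are hypothetical. Reading the quota needs only a domain user; writing it needs Domain Admins, and netdom comes from the Windows Server 2003 Support Tools rather than the base install.

```powershell
# Added example (not from the original notes). Hypothetical names: WS01,
# OU=Workstations,DC=example,DC=com, domain example.com, admin EXAMPLE\admin.

# 1. Pre-stage the account with DSADD. The SAM name WS01$ is derived from the CN.
#    Putting it in the right OU means the OU's GPOs apply at first boot instead of
#    the machine landing in the default Computers container.
dsadd computer "CN=WS01,OU=Workstations,DC=example,DC=com" -desc "Finance laptop" -loc "Floor 2"

# 2. Audit the quota that lets ordinary users join machines (default 10).
$rootDse = [ADSI]"LDAP://RootDSE"
$domain  = [ADSI]("LDAP://" + $rootDse.Properties['defaultNamingContext'].Value)
"ms-DS-MachineAccountQuota is currently: " + $domain.Properties['ms-DS-MachineAccountQuota'].Value

#    Set it to 0 so only principals with explicit Create Computer Objects rights
#    (Domain Admins, Account Operators, or a delegated OU admin) can add machines.
#    This writes the domain object, so it requires Domain Admins; remove these two
#    lines if you only want to audit.
$domain.Put('ms-DS-MachineAccountQuota', 0)
$domain.SetInfo()

# 3. Repair a broken secure channel (NETLOGON 3210 on the member, 5722 on the DC).
#    netdom reset re-establishes the member's secure channel with the domain in place,
#    supplying domain credentials with /UserO and prompting for the password (*):
netdom reset WS01 /Domain:example.com /UserO:EXAMPLE\admin /PasswordO:*

#    dsmod -reset only resets the AD side of the password (same as "Reset Account"
#    in ADUC); afterwards the workstation must leave and rejoin the domain, or be
#    reset with netdom, before it can authenticate again:
dsmod computer "CN=WS01,OU=Workstations,DC=example,DC=com" -reset
```

The quota check is the part worth scripting on every domain you inherit: a value of 10 with no pre-staging policy means any authenticated user can silently add computer accounts, each of which is a domain principal in its own right.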

·          Every group has a type:

o    Security groups have a SID that is placed in the access token, so they can be assigned permissions and user rights; they define logical collections of accounts, may be nested, and can also be used as e-mail distribution lists.

o    Distribution groups are used only for e-mail distribution and cannot be assigned permissions (they are not added to access tokens).

o    You can change a group’s type (and its scope) at any time provided the domain is at the Windows 2000 native functional level or higher.

·          Universal security groups require Windows 2000 native or higher (in Windows 2000 mixed, universal groups can only be distribution groups); the same level is needed to nest global groups in global groups and domain local groups in domain local groups.

·          Single-domain: A-G-DL-P: Accounts placed in Global groups, placed in Domain Local groups, and Permissions are assigned to resources from the domain local groups.

·          Multi-domain: A-G-U-DL-P: Accounts placed in Global groups, which are then included in Universal groups, which are then placed in Domain Local groups, and assigned Permissions to local resources.
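Spelled out as commands, the two nesting models are four DSADD/DSMOD calls and one ACL edit. The following block is an added example, not from the original notes; it builds the single-domain A-G-DL-P chain with DSADD, DSMOD and CACLS, then adds the universal-group hop for the multi-domain A-G-U-DL-P case. The domain example.com (NetBIOS EXAMPLE), a child domain emea.example.com, the OU=Groups and OU=Staff containers, the user Jane Doe and the share at D:\Shares\Finance are all hypothetical; the universal group step assumes the domain is at Windows 2000 native or higher.

```powershell
# Added example (not from the original notes): A-G-DL-P and A-G-U-DL-P with DSADD/DSMOD/CACLS.
# Hypothetical: domain example.com (EXAMPLE), child domain emea.example.com, OU=Groups,
# OU=Staff, user Jane Doe, share folder D:\Shares\Finance on file server FS01.

$groupsOu = "OU=Groups,DC=example,DC=com"

# A -> G : accounts go into a global security group (-secgrp yes -scope g)
dsadd group "CN=G_Finance_Staff,$groupsOu" -secgrp yes -scope g -desc "Finance department staff"
dsmod group "CN=G_Finance_Staff,$groupsOu" -addmbr "CN=Jane Doe,OU=Staff,DC=example,DC=com"

# G -> DL : the global group is nested in a domain local security group (-scope l),
#           named for the resource and the access level it grants
dsadd group "CN=DL_Finance_Modify,$groupsOu" -secgrp yes -scope l -desc "Change on \\FS01\Finance"
dsmod group "CN=DL_Finance_Modify,$groupsOu" -addmbr "CN=G_Finance_Staff,$groupsOu"

# DL -> P : run on the file server. Only the domain local group goes in the ACL.
#           CACLS /E edits the existing ACL instead of replacing it, /T recurses,
#           :C grants Change (read, write, execute, delete).
cacls D:\Shares\Finance /E /T /G "EXAMPLE\DL_Finance_Modify:C"

# Multi-domain A-G-U-DL-P : global groups from each domain are collected in one
# universal security group (-scope u, Windows 2000 native or higher), and it is the
# universal group, not the foreign global groups, that the domain local group contains.
dsadd group "CN=U_Finance_AllDomains,$groupsOu" -secgrp yes -scope u -desc "Finance staff, all domains"
dsmod group "CN=U_Finance_AllDomains,$groupsOu" -addmbr "CN=G_Finance_Staff,$groupsOu" `
                                                      "CN=G_Finance_Staff,OU=Groups,DC=emea,DC=example,DC=com"
dsmod group "CN=DL_Finance_Modify,$groupsOu" -addmbr "CN=U_Finance_AllDomains,$groupsOu"

# Verify the effective nesting from the resource end of the chain.
dsget group "CN=DL_Finance_Modify,$groupsOu" -members -expand

# Changing the type is a single flag in Windows 2000 native or higher. Converting a
# security group to a distribution group drops it from every access token, so every
# permission granted through it stops applying; shown commented out for that reason.
# dsmod group "CN=U_Finance_AllDomains,$groupsOu" -secgrp no
```

Keeping the permission on the domain local group only is the point of the pattern: when a user changes department you move them between global groups, and when a share moves you re-point one domain local group, so neither change touches the ACL on the data.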