· Active Directory under Windows Server 2003 supports four levels of domain functionality:
o Windows 2000 mixed: Pre-Windows 2000 domain controllers and servers
o Windows 2000 native: All domain controllers are Windows 2000 or greater
o Windows Server 2003 interim: All domain controllers are Windows 2003 or greater (only used for NT 4 upgrades to Server 2003)
o Windows Server 2003: All domain controllers are Windows 2003 or greater
· Switching domain functionality is a one-way operation: upgrade only
· Windows Server 2003 supports three levels of Active Directory forest functionality:
o Windows 2000: Base level, all domain controllers are Windows NT 4 or greater
o Windows 2003 interim: All domain controllers are Windows NT 4 or 2003 – not Server 2000 DCs
o Windows 2003: All domain controllers are Windows 2003 or greater
· You can create a user account in three different ways:
o Create the user in AD using ADUC (Active Directory Users and Computers) MMC
o CSVDE.exe command line tool
o LDIFDE.exe command line tool
· CSVDE.exe can be used to import users from a CSV file, as well as import and export data from Active Directory
· LDIFDE.exe exports/imports data from Active Directory using the LDAP Data Interchange Format (LDIF).
· You can create a computer account in three ways:
o Log on to each workstation and join it to the domain
o Pre-stage the computer in AD using the ADUC (Active Directory Users and Computers) MMC
o Pre-stage the computer using the DSADD.exe command line utility
· A non-administrator can join up to 10 workstations to the domain using their ordinary credentials
· You need to reset the computer account (in Active Directory) if:
o The session setup from the computer domain member failed to authenticate: “The following error occurred: access is denied.”
o NETLOGON event 3210: failed to authenticate with \\domaindc.
· Groups can be assigned as:
o Security groups, which define logical groups of objects, may be nested, and can also serve as an e-mail distribution group.
o Distribution groups, which are used specifically for the purpose of e-mail distribution and cannot be assigned security permissions.
o You can change the designation at any time provided the domain is functioning in Windows 2000 native or higher.
· You can assign security groups to universal groups in Windows 2000 native or higher.
· Single-domain: A-G-DL-P: Accounts placed in Global groups, placed in Domain Local groups, and Permissions are assigned to resources from the domain local groups.
· Multi-domain: A-G-U-DL-P: Accounts placed in Global groups, which are then included in Universal groups, which are then placed in Domain Local groups, and assigned Permissions to local resources.