Microsoft's article gives a quick run-down on how to enable/disable a GC, a plain-English article on computerperformance.co.uk summarizes the role of a GC, and a particularly helpful TechNet article discusses GCs. If you log on w/ a UPN (email address), your workstation contacts the GC to find a DC to authenticate to.
Learned how to set a different UPN (User Principal Name) suffix so that people can sign into their computers or OWA using their email address! After adding the alternate UPN, you can select multiple user accounts in ADUC & set their UPN all at once. For future AD installations I think I'll always use email addresses as sign-ons. This is really nice.
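The same two steps (register the suffix at forest level, then rewrite many users' UPNs) scripted with the RSAT ActiveDirectory module, as an added example that is not part of the original notes; the suffix, OU and the sAMAccountName@suffix naming scheme are assumptions.

```powershell
# Added example (not from the original post): add an alternate UPN suffix to the
# forest and give every user in one OU an email-style UPN.
# Assumes the RSAT ActiveDirectory module; $suffix and $ou are placeholders.
Import-Module ActiveDirectory

$suffix = 'example.com'                          # placeholder alternate UPN suffix
$ou     = 'OU=Staff,DC=corp,DC=example,DC=com'   # placeholder OU

# 1. Register the suffix at forest level (what "Alternative UPN suffixes" in
#    AD Domains and Trusts does). Skip it if it is already present.
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $suffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{Add = $suffix}
}

# 2. Rewrite each user's UPN to sAMAccountName@suffix (assumed naming scheme),
#    the same change as multi-selecting the accounts in ADUC and picking the suffix.
Get-ADUser -SearchBase $ou -Filter * -Properties UserPrincipalName |
    ForEach-Object {
        $newUpn = '{0}@{1}' -f $_.SamAccountName, $suffix
        if ($_.UserPrincipalName -ne $newUpn) {
            # -WhatIf previews the change; remove it to apply.
            Set-ADUser -Identity $_ -UserPrincipalName $newUpn -WhatIf
        }
    }

# 3. Sanity check: UPNs must be unique across the forest, so list any duplicates
#    before relying on UPN logons.
Get-ADUser -Filter * -Properties UserPrincipalName |
    Group-Object UserPrincipalName |
    Where-Object Count -gt 1 |
    Select-Object Name, Count
```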
- Computer Config \ Admin Templates pertains to HKEY_LOCAL_MACHINE
- User Config \ Admin Templates pertains to HKEY_CURRENT_USER
- Microsoft's policy templates (ADM files) can be "fully managed", that is, they are removed when the GPO is removed. On the other hand, "preferences" (from 3rd party developers) "tattoo" the registry, meaning they are not automatically removed when the policy is removed.
- You can have the group policy editor display ONLY configured policies.
I was troubleshooting GP application on a wireless desktop client today & disjoined/rejoined the domain, but could not get my group policy to be recognized. The event log said no domain controller could be found, so GP processing was aborted. I wonder if a wireless router between the client and domain controller is the culprit. Item #1 on GPOGuy's FAQ says that GP processing requires specific ports which are sometimes blocked by firewalls.
RSoP can be easily accessed from within Active Directory to see what policies apply to a workstation/user. To immediately test a GPO, first run GPUPDATE on the domain controller, then run GPUPDATE on the workstation.
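A client-side check for the "no domain controller could be found" situation above, as an added example that is not part of the original notes: it locates a DC the way the client does (DNS SRV lookup), tests the TCP ports Group Policy processing relies on, then refreshes and reports policy. The domain name is a placeholder; the port list is the standard one (DNS 53, Kerberos 88, RPC 135, LDAP 389, SMB 445).

```powershell
# Added example (not from the original post). Run on the workstation that is
# failing to apply policy. $domain is a placeholder.
$domain = 'corp.example.com'

# DC locator: the SRV record the client queries to find a domain controller.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$domain" -Type SRV -ErrorAction Stop
$dc  = ($srv | Where-Object { $_.QueryType -eq 'SRV' } | Select-Object -First 1).NameTarget
"DC located via DNS: $dc"

# TCP reachability per port. A BLOCKED line here (a firewall or router between
# client and DC) is a likely cause of "no domain controller could be found".
$ports = @{ 53 = 'DNS'; 88 = 'Kerberos'; 135 = 'RPC endpoint mapper'; 389 = 'LDAP'; 445 = 'SMB (SYSVOL)' }
foreach ($p in ($ports.Keys | Sort-Object)) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $p -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0,-22} {1,5} {2}' -f $ports[$p], $p, $(if ($ok) { 'open' } else { 'BLOCKED' })
}
# Caveats: DNS normally uses UDP 53, which a TCP test does not exercise, and RPC
# also needs the dynamic port range after the endpoint mapper (1025-5000 on
# Windows 2003, 49152-65535 on Vista and later); check that firewall rule separately.

# Refresh policy (after GPUPDATE on the DC, per the note above) and show the
# client-side RSoP so you can see which GPOs actually applied.
gpupdate /force
gpresult /r
```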
Software distribution via GPO:
You can install MSI packages via GPO by "assigning" them to computers (full install) or users (installed at first use). Assigned packages are installed during Windows startup, before the login screen is shown. You can also make MSI packages available in the Control Panel via GPO by "publishing" them to users. For a walk-through on how to do this, see Brien Posey's article. To create your own MSI, check out this list of installers. I should try out the free Advanced Installer.
To learn more...
http://www.gpoguy.com/ - news, free tools and training videos
http://www.gpanswers.com/ - message board w/ an emphasis on advanced concepts
- If user and computer policies conflict, the user policy takes precedence.
- Folder redirection in a GPO takes precedence over user profile settings in AD.
Many third parties offer extensions to group policy.
If you have a GPO w/ user settings that have to be applied no matter who is logging into a particular computer, you can use loopback processing.
An impressive tool for evaluating disk usage is TreeSize.
Domain and forest functional levels:
- 2000 mixed (compatible w/ NT 4.0)
- 2000 native (allows nested and universal security groups; SID history)
- 2003 (lets you rename a domain controller)
Operations master roles:
- RID (relative IDs, required for new objects)
- PDC (syncs domain passwords and clocks)
- Infrastructure (object moves/renames and group membership)
- Domain Naming Master (ensures unique domain names in a forest)
- Schema Master (maintains the schema for a forest)
If you have multiple DCs in a domain, your global catalog server should not be the infrastructure master as well (causes infrastructure replication problems).
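A check for the role-placement rule just stated, as an added example that is not part of the original notes: it lists the five operations master holders and warns when the infrastructure master is also a global catalog while some other DC in the domain is not. Assumes the RSAT ActiveDirectory module and a domain-user account.

```powershell
# Added example (not from the original post): report FSMO role holders and flag
# an infrastructure master that is also a GC in a multi-DC domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Three roles are per domain, two are per forest.
[pscustomobject]@{
    RID                = $domain.RIDMaster
    PDC                = $domain.PDCEmulator
    Infrastructure     = $domain.InfrastructureMaster
    DomainNamingMaster = $forest.DomainNamingMaster
    SchemaMaster       = $forest.SchemaMaster
} | Format-List

$dcs = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
$im  = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$nonGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog })

# A GC holds a full copy of cross-domain objects, so an infrastructure master on
# a GC never sees stale phantom records and stops updating them on the other DCs
# (the replication problem the note describes). If every DC is a GC there is
# nothing to update and the placement is harmless.
if ($dcs.Count -gt 1 -and $im.IsGlobalCatalog -and $nonGc.Count -gt 0) {
    $msg = 'Infrastructure master {0} is a global catalog while {1} DC(s) are not; ' +
           'move the role with Move-ADDirectoryServerOperationMasterRole.'
    Write-Warning ($msg -f $im.HostName, $nonGc.Count)
} else {
    'Infrastructure master placement is fine.'
}
```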
Active Directory Migration Tool:
- So cool. Lets you move users, groups, and computers from one domain to another.
Practiced renaming a domain controller with instructions from petri.co.il. The author said that it's undesirable, but didn't say why. Renaming a DC which also happens to be a certificate authority is a very bad idea (it invalidates your existing certificates and prevents new ones from being issued).
- netdom computername <oldserverFQDN> /add:<newserverFQDN>
- netdom computername <oldserverFQDN> /makeprimary:<newserverFQDN>
- netdom computername <newserverFQDN> /remove:<oldserverFQDN>
- I manually removed the old server name from DNS at this point.
Also started learning about how to setup a trust between domains & heard of the Active Directory Migration tool. That's exciting. BTW, an intransitive trust is like only talking to your spouse; while a transitive trust lets you talk to the spouse's family and friends (other trusted domains).
Two free utilities that I've found useful are ISO Recorder and Folder2ISO.
I'm using Parallels Virtual Machine for this, but if you are working on a real server w/ no floppy disk drive, you can use the free (32-bit) Virtual Floppy Drive 2.1 to fool NTBackup.
Unfortunately, there doesn't seem to be a good way to schedule ASR backups - I have no idea why. However, a program called Firestreamer-RM ($60) claims to schedule ASR backups, auto-initialize tape media, and even email the results to you. The last two reasons are why my employer standardized on NovaBackup instead of NTBackup.
What's the difference between an ASR backup and a normal backup + system state? ASR seems to speed up the process because the restoration of your system is integrated right into Windows setup - instead of having to go through the whole Windows setup and then do a restore.
For future reference, this page has a nice overview of restoring an Exchange server.
My 70-293 had a few questions about DHCP, DNS, WINS, NLB, clustering, backup, routing, and security templates...and a lot of questions about certificates, IPSec, and RRAS.
Last night I learned about Network Load Balancing (NLB) which sounds like it's best for webservers and SQL databases. With "client affinity" enabled it can even maintain a session between a single client and a single server in the background (needed for databases). Clustering is only available in 2003 Enterprise ($800+ on eBay) and DataCenter editions. Clustering is more for high availability of changing network resources and requires a single point of storage that all the clustered servers can access. That point is called a quorum (probably a SAN or RAID setup).
Distributed File System (DFS) is used to organize file shares from multiple servers into a single point of access (e.g. a drive letter). It can also replicate data placed in one space into another geographical site (for faster access) or to a different server (for seamless failover/backup). It seems kind of clunky though and I have a hard time envisioning a really good use of DFS apart from fault tolerance for non-clustered file servers.
Registered for Microsoft's second shot offer (valid until January 30, 2008) which gives you one free retake on each $125 exam that you fail. I hope I don't need it!
Helpful thoughts on NLB unicast vs. multicast.
I read about Fibre Channel in Wikipedia & it sounds like it's a bus technology that is just a bit (25%) faster than SATA (and probably a lot more expensive). You would need 2-3x 1Gb NICs teamed together to completely harness the power of a single SATA drive.
There's no built-in way in Windows 2000/2003 to restrict concurrent domain logins. To address this problem, there's a free utility available from Microsoft and a commercial utility is available from Sonarware.