
1 Welcome to this evening’s TechNet Event We would like to bring your attention to the key elements of the TechNet programme; the central information and community resource for IT professionals in the UK: FREE bi-weekly technical newsletter FREE regular technical events hosted across the UK FREE weekly UK & US led technical webcasts FREE comprehensive technical web site Monthly CD / DVD subscription with the latest technical tools & resources FREE quarterly technical magazine To subscribe to the newsletter or just to find out more, please visit www.microsoft.com/uk/technet or speak to a Microsoft representative during the break

2 New Features of Windows Server 2003 Active Directory - Scenario Based John Howard, IT Pro Evangelist, Microsoft UK

3 What we will cover: Active Directory Administration Forest Trusts Active Directory in Small and Remote Offices Group Policy Management Console Software Restriction Policies

4 Prerequisite Knowledge Familiarity with NT 4.0 Familiarity with NT 4.0 Domains Familiarity with Windows 2000 Familiarity with Active Directory Experience supporting Microsoft Networks Experience supporting end-users Level 200

5 Agenda Simplifying Management Connecting Forests Connecting Small Offices Managing Group Policies

6 Simplifying Management Goals Make every-day tasks easier Make the UI friendlier Easier to locate objects –Users and groups you manage Make automation easier –Provide tools that make scripting easier –Automate repetitive tasks

7 Simplified Management Drag and Drop Drag and drop is now supported –Active Directory Users and Computers –Active Directory Sites and Services Friendlier UI –Works like other administrative tools Drag and drop users into: –New containers or OUs –Groups

8 Simplified Management Drag and Drop Scenarios Scenarios: –Updating accounts Adding users or groups to groups Moving a server to a new site Benefits: –Don’t need to open user properties –Fewer clicks accomplish the same task –Operates like other standard tools

9 Simplified Management Saved Queries A query saved in the Active Directory Users and Computers –Accessed like a folder Only displays a specific set of objects based on the query Example – define queries to display accounts based on: –User\Group name or description –Account and password status –Days since last logon

10 Simplified Management Creating Saved Queries Create in Active Directory Users and Computers New Query: –Define Query Root – Start of search –Search users, printers, shares, etc. –Define variables Queries can be exported –Import into other AD Users and Computers consoles

11 Simplified Management Saved Queries Graphic

12 Simplified Management Saved Queries Scenarios Scenarios: –Display users and groups you manage –Display user accounts: That are disabled That haven’t been logged onto in 120 days That have non expiring passwords Benefits: –Perform tasks from the Saved Queries folder –You don’t have to navigate through the domain, OU, and container hierarchy to locate objects

13 Simplified Management Command Line Tools Automate common or repetitive administrative tasks –Add/remove accounts –Query for account properties –Move and modify Run from the command line or through scripts

14 Simplified Management Active Directory Tools DSAdd: –Adds AD object such as user, group, OU, etc. DSGet –Displays attributes of an AD object DSMod –Modifies an existing AD object DSMove –Moves or renames an AD object DSQuery –Queries and lists AD objects DSRM –Deletes AD objects

15 Simplified Management Command Line Tools Scenarios Scenarios: –Create scripts that helpdesk can use Perform complex tasks without error –Make bulk changes rapidly Add users to groups etc. Move entire department to new OU –Run reports Query for expired accounts Document user group memberships Benefits: –No need to manually perform repetitive tasks –Perform complex tasks without error
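The saved-query scenarios on slide 12 (disabled accounts, no logon in 120 days, non-expiring passwords) and the reporting scenario on slide 15 rest on two directory attributes. The sketch below is an added example, not part of the original deck: it applies the documented `userAccountControl` flag bits and the FILETIME format of `lastLogonTimestamp` to constructed sample records, and lists the equivalent LDAP filters for two of the queries. The account names and the reference date are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Documented userAccountControl bit flags
UF_ACCOUNTDISABLE = 0x0002
UF_DONT_EXPIRE_PASSWD = 0x10000

# Matching LDAP filters (bitwise-AND matching rule) for a custom saved query
_USER = "(objectCategory=person)(objectClass=user)"
LDAP_DISABLED = f"(&{_USER}(userAccountControl:1.2.840.113556.1.4.803:=2))"
LDAP_NO_EXPIRY = f"(&{_USER}(userAccountControl:1.2.840.113556.1.4.803:=65536))"

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def filetime_to_datetime(ft):
    """lastLogonTimestamp counts 100 ns ticks since 1601-01-01 UTC; 0 or missing = never."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10) if ft else None

def datetime_to_filetime(dt):
    return int((dt - FILETIME_EPOCH).total_seconds()) * 10_000_000

def audit(accounts, now, stale_days=120):
    """Sort accounts into the three report buckets; an account can land in several."""
    cutoff = now - timedelta(days=stale_days)
    report = {"disabled": [], "non_expiring_password": [], "stale_logon": []}
    for acct in accounts:
        name, uac = acct["sAMAccountName"], acct["userAccountControl"]
        if uac & UF_ACCOUNTDISABLE:
            report["disabled"].append(name)
        if uac & UF_DONT_EXPIRE_PASSWD:
            report["non_expiring_password"].append(name)
        last = filetime_to_datetime(acct.get("lastLogonTimestamp", 0))
        if last is None or last < cutoff:   # never logged on counts as stale
            report["stale_logon"].append(name)
    return report

# Constructed sample records (not real directory data)
NOW = datetime(2003, 9, 1, tzinfo=timezone.utc)
def _ago(days):
    return datetime_to_filetime(NOW - timedelta(days=days))
SAMPLE = [
    {"sAMAccountName": "alice", "userAccountControl": 0x200, "lastLogonTimestamp": _ago(10)},
    {"sAMAccountName": "bob", "userAccountControl": 0x202, "lastLogonTimestamp": _ago(200)},
    {"sAMAccountName": "svc_backup", "userAccountControl": 0x10200, "lastLogonTimestamp": _ago(3)},
    {"sAMAccountName": "carol", "userAccountControl": 0x200, "lastLogonTimestamp": 0},
]

if __name__ == "__main__":
    for bucket, names in audit(SAMPLE, NOW).items():
        print(f"{bucket}: {', '.join(names) or '-'}")
```

Service accounts with non-expiring passwords and enabled accounts that have never logged on are the entries worth reviewing first in such a report.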

16 Simpler Active Directory Administration Drag and Drop Management Saved Queries Command Line Tools demonstration

17 Agenda Simplifying Management Connecting Forests Connecting Small Offices Managing Group Policies

18 Connecting Forests Goals Need a way to allow forest-to-forest connectivity Many companies have separate forests –Independent business units –Acquisitions or mergers –Business partners Forest trusts allow these forests to share resources

19 Connecting Forests Forest Trusts New trust type Allows all domains in one forest to trust all domains in another forest –Trust between domains in both forests is transitive –Can be one-way or two-way trusts Trusts between forests are NOT transitive –Forest A trusts forest B –Forest A trusts forest C –Forest C does not trust forest B transitively

20 Connecting Forests Forest Trusts Graphic [Diagram labels: Intranet, Division A Forest, Division B Forest, Division C Forest, Users, Trust]

21 Connecting Forests Namespaces and Forest Trusts Forests publish namespaces Namespaces are UPN suffixes –WorldWideImporters.com –Streetmarket.net Namespaces used to determine where trusted accounts come from –Logon with a UPN logon when accessing resources in a trusted forest –Example: user@worldwideimporters.com Forests are trusted to be authoritative for published namespaces

22 Connecting Forests Creating Forest Trusts Create in Active Directory Domains and Trusts: –Use the New Trust Wizard –Confirm incoming and outgoing trust –Can confirm both sides of the trust Prerequisites –Both forests must be at Windows Server 2003 forest functional level

23 Connecting Forests Forest Trust Scenarios Scenarios: –Large, decentralized organization Government, military, conglomerates –Organizations that are partnering –Organizations that must remain legally separate –Mergers and acquisitions Benefits: –Simplifies access to resources in both forests –Single sign-on

24 Forest Trusts Create a Forest Trust Access Forest Resources demonstration

25 Agenda Simplifying Management Connecting Forests Connecting Small Offices Managing Group Policies

26 Connecting Small Offices Goals Address issues common to small offices –Low speed WAN links –Low amount of available bandwidth –No local Global Catalog server Make it easier to configure domain controllers Make it easier for users to log on

27 Connecting Small Offices Create Domain Controller from Replica Option for creating additional DCs in sites connected via slow links Back up system state on DC and copy to CD Restore data on system that will become new DC –Run “DCPromo /adv” Decreases initial replication of domain data [Diagram labels: 128K, Large Site, Branch Office]

28 Connecting Small Offices DC from Media Scenarios Scenarios: –DC needed at remote office –Useful for low bandwidth sites Benefits: –Allows Active Directory data to be restored rather than replicated across network

29 Connecting Small Offices Universal Group Membership Caching [Diagram labels: 128K, Univ Groups, Large Office, GC, Query, Branch Office, DC, Universal Group 1, Universal Group 2] Logon is faster because group memberships are cached locally!

30 Connecting Small Offices UGMC Scenarios Scenarios: –Small or branch offices connected to a Global Catalog server with a low speed WAN link –Offices experience slow logons due to Universal Group Membership processing Benefits: –Faster logon without a Global Catalog server in the site

31 Enabling Active Directory in Small and Remote Offices Create a Domain Controller from Backup Media Enable UGMC demonstration

32 Agenda Simplifying Management Connecting Forests Connecting Small Offices Managing Group Policies

33 Managing Group Policies Goals Problem: Group Policy is too hard Existing UI confusing and limited Core capabilities missing –Reporting of GPO settings –Backup/restore of GPOs –Import/export of GPOs Existing capabilities not scriptable

34 Managing Group Policies Group Policy Management Console (GPMC) What is the GPMC? –New admin tool for managing Group Policy: Set of scriptable objects for managing GP MMC Snap-in, built on these objects Standalone Web release shortly after Windows Server 2003 RTM GPMC Design goals –Unify management of Group Policy –Address key deployment issues –Provide better UI for visualization –Enable programmatic access to GP

35 Managing Group Policies Copy and Import Policy [Diagram labels: Division A Forest, Division B Forest, Forest Trust, Policy, Copy Policy, Import Policy, Administrator]

36 Managing Group Policies Backup and Restore Backup / Export: –Transfers any live GPO to the file system –Backs up policy settings, ACLs, links to WMI filters Restore: –Puts things back exactly as before –GPO must be in the same domain Scenario: –Restore a policy to return to original settings

37 Managing Group Policies Group Policy Modeling Group Policy Modeling Wizard –Replaces Resultant Set of Policies (RSoP) – Planning Mode Select user and computer OUs –Or select specific accounts Displays winning policy settings –See effects of GPOs prior to deployment –Avoid conflicts and unexpected results View results in Web based report

38 Managing Group Policies Group Policy Modeling Output

39 Managing Group Policies GPMC Scenarios Centralized management of policies –Even across domain and forest boundaries Group Policy deployment planning Sharing and reusing GPOs across domain/forest boundaries Centralized GPO backup and restore All Group Policy Management tasks

40 Managing Group Policies GPMC Benefits A single tool for managing GPOs –Multiple domains and forests can be managed –Single tool for all policy management Plan with Group Policy Modeling –View effects of policies prior to deployment –Avoid policy conflicts or unexpected behavior Troubleshoot with Group Policy Results –Identify existing policy conflicts Share and reuse GPOs –Import and Copy GPOs across domains and forests

41 Managing Group Policies Software Restriction Policy Goals New feature of Group Policies Allow or restrict access to software –Set default to allow or disallow software –Create rules to bypass the default –Specify affected file extensions Prevent: –Viruses –Unapproved or non-standard applications –Any applications you wish to restrict

42 Managing Group Policies Software Restriction Policy Rules Certificate Rules –Verify digital certificate Hash Rules –Identifies software with unique hash Internet Zone Rules –Applies to Windows Installer packages Path Rules –Define specific path for software

43 Managing Group Policies Software Restriction Policies Scenarios Scenarios: –Prevent problematic file types (.vbs, etc) –Restrict access to non-standard software Benefits: –Helps prevent viruses and unstable or conflicting software installations –Flexible rules structure –Consistent, automated deployment through Group Policies
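How a default level, rules that bypass it, and the list of affected file extensions (slides 41 to 43) combine into one decision, as an added example that is not part of the original deck and not Windows' own implementation. It is a simplified model covering hash and path rules only: certificate and Internet zone rules are omitted, SHA-256 stands in for the hash Windows computes, and the rule set, file types and file contents are constructed.

```python
import hashlib
from pathlib import PureWindowsPath

DEFAULT_LEVEL = "Disallowed"                          # default security level
DESIGNATED_TYPES = {".exe", ".bat", ".vbs", ".msi"}   # constructed subset

APPROVED_TOOL = b"constructed bytes standing in for an approved tool"
HASH_RULES = {hashlib.sha256(APPROVED_TOOL).hexdigest(): "Unrestricted"}
PATH_RULES = {
    r"C:\Windows": "Unrestricted",
    r"C:\Program Files": "Unrestricted",
    r"C:\Program Files\Games": "Disallowed",
}

def evaluate(path, content):
    """Return (security level, reason) for one file in this simplified model."""
    target = PureWindowsPath(path)
    # Only designated file types are subject to the policy at all.
    if target.suffix.lower() not in DESIGNATED_TYPES:
        return "Unrestricted", "not a designated file type"
    # Hash rules outrank path rules: the match follows the file wherever it is moved.
    level = HASH_RULES.get(hashlib.sha256(content).hexdigest())
    if level:
        return level, "hash rule"
    # Among matching path rules the most specific (deepest) one wins.
    best = None
    for rule, rule_level in PATH_RULES.items():
        rule_path = PureWindowsPath(rule)   # Windows paths compare case-insensitively
        if rule_path in target.parents:
            if best is None or len(rule_path.parts) > len(best[0].parts):
                best = (rule_path, rule_level)
    if best:
        return best[1], f"path rule {best[0]}"
    return DEFAULT_LEVEL, "default level"

if __name__ == "__main__":
    cases = [
        (r"C:\Users\bob\Downloads\invoice.vbs", b"constructed script"),
        (r"c:\windows\system32\notepad.exe", b"constructed binary"),
        (r"C:\Program Files\Games\sol.exe", b"constructed binary"),
        (r"C:\Users\bob\tool.exe", APPROVED_TOOL),
    ]
    for path, content in cases:
        print(path, "->", evaluate(path, content))
```

With the default set to Disallowed, the path rules decide where software may run from, so those directories should not be writable by ordinary users.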

44 Group Policy Management GPMC Modeling Wizard Software Restriction Policies demonstration

45 Session Summary Simpler Active Directory administration. Access forest resources with Forest Trusts Easier Active Directory installation in small or remote offices Streamline GPO deployment and administration with the GPMC

46 For More Information… Visit TechNet at www.microsoft.com/technet For additional information on books, courses and other community resources that support this session visit www.microsoft.com/technet/tnt1-124

47 MS Press Inside information for IT Professionals To find the latest IT Professional related titles visit www.microsoft.com/mspress/it/

48 3rd Party Publications Supplementary publications for IT Pros These books can be found and purchased at all good book stores and on-line retailers

49 Training Training Resources for IT Professionals Updating Support Skills from Windows NT 4.0 to Windows Server 2003 Family –Course Number: 2270 –Availability: Current –Detailed Syllabus: www.microsoft.com/traincert To locate a training provider, please access www.microsoft.com/traincert Microsoft Certified Technical Education Centers are Microsoft’s premier partners for training services

50 What is TechNet? Put the right answers at your fingertips –The comprehensive collection of resources to help IT pros plan, deploy and manage Microsoft products successfully TechNet Subscription –Monthly updates delivered on DVD or CD –The definitive resource to help you evaluate, deploy and maintain Microsoft products TechNet Web Site –Accessible at www.microsoft.com/technet –Online resources and community –Subscriber-only Online Services TechNet Flash –Biweekly e-newsletter –Security updates, new resources, and special offers TechNet Events and Webcasts –Briefings on the latest Microsoft products and technologies –Hands-on, “how to” information TechNet Communities –User Groups –Managed Newsgroups

51 Where Can I Get TechNet? Visit TechNet Online at www.microsoft.com/technet Register for the TechNet Flash www.microsoft.com/technet/usingtn/register/flash.asp Join the TechNet Online forum at www.microsoft.com/technet/itcommunity Become a TechNet Subscriber at www.microsoft.com/technet/buynow/subscribe Attend More TechNet Events or view on-line www.microsoft.com/technet/tcevents/itevents
