Technical Blog of Jason Olson

·  Active Directory under Windows Server 2003 supports four levels of domain functionality:

    o  Windows 2000 mixed: pre-Windows 2000 domain controllers and servers are still supported

    o  Windows 2000 native: all domain controllers are Windows 2000 or later

    o  Windows Server 2003 interim: all domain controllers are Windows 2003 or later (only used for NT 4 upgrades to Server 2003)

    o  Windows Server 2003: all domain controllers are Windows 2003 or later

·  Raising the domain functional level is a one-way operation: it can only be raised, never lowered.

·  Windows Server 2003 supports three levels of Active Directory forest functionality:

    o  Windows 2000: base level, all domain controllers are Windows NT 4 or later

    o  Windows Server 2003 interim: all domain controllers are Windows NT 4 or Windows Server 2003 (no Windows 2000 DCs)

    o  Windows Server 2003: all domain controllers are Windows 2003 or later

·  You can create a user account in three different ways:

    o  Create the user in AD using the ADUC (Active Directory Users and Computers) MMC snap-in

    o  CSVDE.exe command line tool

    o  LDIFDE.exe command line tool

·  CSVDE.exe can be used to import users from a CSV file, as well as import and export data from Active Directory.

·  LDIFDE.exe exports and imports data from Active Directory using the LDAP Data Interchange Format (LDIF).

·  You can create a computer account in three ways:

    o  Log on to each workstation and join it to the domain

    o  Pre-stage the computer in AD using the ADUC (Active Directory Users and Computers) MMC snap-in

    o  Pre-stage the computer using the DSADD.exe command line utility

·  A non-administrator can join up to 10 workstations to the domain using their ordinary credentials.

·  You need to reset the computer account (in Active Directory) if:

    o  The session setup from the computer domain member fails to authenticate: “The following error occurred: access is denied.”

    o  NETLOGON event 3210: failed to authenticate with \\domaindc.

·  Groups can be designated as:

    o  Security groups, which define logical groups of objects, may be nested, and can also serve as an e-mail distribution group.

    o  Distribution groups, which are used only for e-mail distribution and cannot be assigned security permissions.

    o  You can change the designation at any time provided the domain is running at Windows 2000 native or higher.

·  You can place security groups in universal groups in Windows 2000 native or higher.

·  Single domain: A-G-DL-P: Accounts are placed in Global groups, which are placed in Domain Local groups, and Permissions on resources are assigned to the domain local groups.

·  Multi-domain: A-G-U-DL-P: Accounts are placed in Global groups, which are included in Universal groups, which are placed in Domain Local groups, and Permissions on local resources are assigned to the domain local groups.
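The notes above mention LDIFDE/CSVDE imports, the security-versus-distribution designation, and the A-G-DL-P / A-G-U-DL-P nesting pattern, but show none of the file contents those tools actually consume. The following Python script is an added example, not code from the original notes or from Microsoft; it generates an LDIFDE import file (users plus an A-G-DL-P group chain) and a CSVDE import file. The domain `example.local`, the OUs `OU=Staff` and `OU=Groups`, the group-name prefixes `GG_`/`UG_`/`DL_` and the user names are all constructed placeholders. The `groupType` and `userAccountControl` bit values are the ones Active Directory stores: the 0x80000000 flag is the only difference between a security and a distribution group, which is why the designation can be switched in place.

```python
import base64
import csv
import io

# Constructed placeholder domain for this example; not taken from the notes.
BASE_DN = "DC=example,DC=local"
UPN_SUFFIX = "example.local"

# groupType is a bit field: one scope bit plus, for security groups, the
# security-enabled flag. A distribution group is the same scope bit without
# that flag, which is all that "changing the designation" flips.
SCOPE_BITS = {"global": 0x2, "domainlocal": 0x4, "universal": 0x8}
SECURITY_ENABLED = 0x80000000
# userAccountControl: NORMAL_ACCOUNT (0x200), optionally ACCOUNTDISABLE (0x2)
UAC_NORMAL, UAC_DISABLED = 0x200, 0x2


def group_type(scope, security=True):
    """groupType as the signed 32-bit integer AD stores and LDIF must carry."""
    value = SCOPE_BITS[scope] | (SECURITY_ENABLED if security else 0)
    # The security flag is the sign bit, so security groups come out negative.
    return value - 0x100000000 if value & SECURITY_ENABLED else value


def unicode_pwd(password):
    """Encode a password for unicodePwd: clear text wrapped in double quotes,
    as UTF-16LE, then base64 (LDIF writes base64 values with '::')."""
    return base64.b64encode(f'"{password}"'.encode("utf-16-le")).decode("ascii")


def ldif_entry(dn, attrs):
    """Render one 'changetype: add' record; a value may be a string or a list."""
    lines = [f"dn: {dn}", "changetype: add"]
    for name, values in attrs.items():
        for v in ([values] if isinstance(values, str) else values):
            sep = "::" if name == "unicodePwd" else ":"  # '::' marks base64
            lines.append(f"{name}{sep} {v}")
    return "\n".join(lines) + "\n"


def user_entry(sam, given, surname, ou="OU=Staff", password=None):
    """LDIF for one user; without a password the account is created disabled."""
    cn = f"{given} {surname}"
    attrs = {
        "objectClass": ["top", "person", "organizationalPerson", "user"],
        "cn": cn,
        "sAMAccountName": sam,
        "userPrincipalName": f"{sam}@{UPN_SUFFIX}",
        "givenName": given,
        "sn": surname,
    }
    if password is None:
        attrs["userAccountControl"] = str(UAC_NORMAL | UAC_DISABLED)  # 514
    else:
        attrs["unicodePwd"] = unicode_pwd(password)
        attrs["userAccountControl"] = str(UAC_NORMAL)  # 512, enabled
    return ldif_entry(f"CN={cn},{ou},{BASE_DN}", attrs)


def group_entry(name, scope, members=(), security=True, ou="OU=Groups"):
    """LDIF for one group; member DNs must already exist when ldifde adds it."""
    attrs = {
        "objectClass": ["top", "group"],
        "cn": name,
        "sAMAccountName": name,
        "groupType": str(group_type(scope, security)),
    }
    if members:
        attrs["member"] = list(members)
    return ldif_entry(f"CN={name},{ou},{BASE_DN}", attrs)


def role_group_chain(resource, user_dns, universal=False):
    """A-G-DL-P, or A-G-U-DL-P when universal=True: accounts go into a global
    group, optionally into a universal group, and only the domain local group
    is ever granted permissions on the resource."""
    gg, dl = f"GG_{resource}_Users", f"DL_{resource}_Modify"
    entries = [group_entry(gg, "global", user_dns)]
    last_dn = f"CN={gg},OU=Groups,{BASE_DN}"
    if universal:
        ug = f"UG_{resource}_Users"
        entries.append(group_entry(ug, "universal", [last_dn]))
        last_dn = f"CN={ug},OU=Groups,{BASE_DN}"
    entries.append(group_entry(dl, "domainlocal", [last_dn]))
    return "\n".join(entries)


def csvde_rows(users):
    """CSVDE import file: the first line names the attributes, one row per
    object. There is no way to carry unicodePwd, so every account imports
    disabled (userAccountControl 514) until a password is set another way."""
    buf = io.StringIO()
    w = csv.writer(buf, lineterminator="\n")
    w.writerow(["DN", "objectClass", "sAMAccountName", "userPrincipalName",
                "givenName", "sn", "userAccountControl"])
    for sam, given, surname in users:
        w.writerow([f"CN={given} {surname},OU=Staff,{BASE_DN}", "user", sam,
                    f"{sam}@{UPN_SUFFIX}", given, surname, UAC_NORMAL | UAC_DISABLED])
    return buf.getvalue()
```

Two points matter when feeding the output to the real tools. First, an LDIF record that carries `unicodePwd` is only accepted over an SSL-protected LDAP session to the domain controller, so the user entries with passwords have to be imported that way; without a password the entry deliberately leaves the account disabled (514) rather than creating an enabled account with no credential. Second, `ldifde` processes records in file order, so write the user entries before the global group, and the global (or universal) group before the domain local group that names it as a member, exactly as `role_group_chain` orders them.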
