Active Directory Installation: Changes During dcpromo
The Windows NT domain model assigned each installed server a single, unchangeable role. Servers could only be a primary domain controller, backup domain controller, or server. To change a computer's role, reinstallation was necessary. This is not true for Windows 2000 or Windows Server 2003. Any Windows 2000 or Windows Server 2003 server can be promoted to become a domain controller, and any domain controller can be demoted and become a simple server. This change to server role is managed using the dcpromo command. The exception to this rule is the Windows Server 2003 web server edition, which cannot be promoted.When a server is promoted to domain controller, many changes occur:Chapter 8. |
| Network Configuration Operators | Make changes to TCP/IP settings. |
| Performance Monitor Users | Have the ability to remotely monitor the computer. |
| Performance Log Users | Have remote access to schedule logging of performance counters on the computer. |
| Pre-Windows 2000 Compatible Users | Read access on all users and groups in the domain. Provided for backward capability with Windows NT. The identity Everyone is a member of this group. Only add members to this group if you have Windows NT 4.0 member servers or BDCs in the domain. |
| Print Operators | Administer domain printers. |
| Remote Desktop Users | Right to log on remotely. |
| Replicator | Supports file replication. |
| Server Operators | Log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format disks, shut down the computer. |
| Users | Interactive and authenticated users groups and domain users are members of this group. Any user created in the domain becomes a member of this group. |
| Terminal Server License Servers | Can manage licenses for terminal services. |
| Windows Authorization Access Group | Access to the computed tokenGroupGlobalAndUniversal attribute on User Objects (membership=Enterprise Domain Controllers). |
Table 7-4. Groups Created During dcpromo in the Users Container
| Group | Privilege |
|---|
| Cert Publishers | Publish certificates for users and computers. |
| DNS Administrators | Created if DNS is installed. Can administer the DNS server. |
| DNSUpdate Proxy | Created if DNS is installed. Can update DNS records for other computers, such as DHCP servers. |
| Domain Admins | Full control of the domain member of administrators groups in all computers joined in the domain. |
| Domain Computers | All workstations and servers joined in the domain. |
| Domain Controllers | All domain controllers in the domain. |
| Domain Guests | All domain guests. |
| Domain Users | All domain users. |
| Enterprise Admins | This group only exists in the root domain of the forest. Full control of all domains in the forests. This group is a member of all domain administrator groups on all domain controllers in the domain. |
| Group Policy Creator Owners | Create and modify Group Policy in the domain. The Administrator account is a member of this group by default. |
| HelpServicesGroup | Used by the Help and Support Center. The Support_388945a0 account is a member. This account is used for remote assistance logon. When a remote assistance invitation is used to provide remote assistance, a password must be entered. This password is assigned to the Support_388945a0 account during the creation of the remote assistance invitation. The helper uses this account to log on to the user's desktop computer to provide remote assistance. This group may be used to contain accounts created by third-party products used in managing the computer. For example, owners of Dell computers may find a support account added here. |
| RAS and IAS Servers | Permitted access to user remote access properties. |
| Schema Admins | This group is only created in the root forest domain and can modify Active Directory Schema. The Administrator account is the default member of this group. |
| TelnetClients | Access to Telnet server on this system. |
Table 7-6. New Administrative Tools for Domain Controllers
| Tool | Description |
|---|
| Active Directory Domains and Trusts | Manage domains and trusts. |
| Active Directory Users and Computers | Manage users and computers, links to tools to manage Group Policy. |
| Active Directory Sites and Services | Manage sites and services. |
| DNS | Manage DNS (if DNS is installed during dcpromo). |
| Domain Controller Security Policy | Manage default domain controller security settings portion of GPO. |
| Domain Security Policy | Manage security settings portion of default Domain GPO. |
لطفا منتظر باشید ...
Windows Server 2003 Security: A Technical ReferenceBy
Table of Contents
| Index
If you''''re a working Windows administrator, security is your #1
challenge. Now there''''s a single-source reference you can rely on
for authoritative, independent help with every Windows Server
security feature, tool, and option: Windows Server 2003
SecurityRenowned Windows security expert Roberta Bragg has brought
together information that was formerly scattered through dozens of
books and hundreds of online sources. She goes beyond facts and
procedures, sharing powerful insights drawn from decades in IT
administration and security. You''''ll find expert implementation tips
and realistic best practices for every Windows environment, from
workgroup servers to global domain architectures. Learn how to:
Reflect the core principles of information security throughout
your plans and processes
Establish effective authentication and passwords
Restrict access to servers, application software, and
data
Make the most of the Encrypting File System (EFS)
Use Active Directory''''s security features and secure Active
Directory itself
Develop, implement, and troubleshoot group policies
Deploy a secure Public Key Infrastructure (PKI)
Secure remote access using VPNs via IPSec, SSL, SMB
signing,
LDAP signing, and more
Audit and monitor your systems, detect intrusions, and respond
appropriately
Maintain security and protect business continuity on an ongoing
basis"Once again, Roberta Bragg proves why she is a leading authority
in the security field! It''''s clear that Roberta has had a great deal
of experience in real-world security design and implementation. I''''m
grateful that this book provides clarity on what is often a
baffling subject!"James I. Conrad, MCSE 2003, Server+, Certified Ethical
Hacker
James@accusource.net"Full of relevant and insightful information. Certain to be a
staple reference book for anyone dealing with Windows Server 2003
security. Roberta Bragg''''s Windows Server 2003 Security is a
MUST read for anyone administering Windows Server 2003."Philip Cox, Consultant, SystemExperts Corporation
phil.cox@systemexperts.com"Few people in the security world understand and appreciate
every aspect of network security like Roberta Bragg. She is as
formidable a security mind as I have ever met, and this is
augmented by her ability to communicate the concepts clearly,
concisely, and with a rapier wit. I have enjoyed working with
Roberta more than I have on any of the other 20 some odd books to
which I have contributed. She is a giant in the field of network
security."Bob Reinsch
bob.reinsch@fosstraining.com"Windows Server 2003 Security explains why you should do
things and then tells you how to do it! It is a comprehensive guide
to Windows security that provides the information you need to
secure your systems. Read it and apply the information."Richard Siddaway, MCSE
rsiddaw@hotmail.com"Ms. Bragg''''s latest book is both easy to read and technically
accurate. It will be a valuable resource for network administrators
and anyone else dealing with Windows Server 2003 security."Michael VonTungeln, MCSE, CTT
mvontung@yahoo.com"I subscribe to a number of newsletters that Roberta Bragg
writes and I have ''''always'''' found her writing to be perfectly
focused on issues I ''''need'''' to know in my workplace when dealing
with my users. Her concise writing style and simple solutions bring
me back to her columns time after time. When I heard she had
written a guide on Windows 2003 security, I ''''had'''' to have it.Following her guidance on deployment, her advice on avoiding
common pitfalls, and her easy to follow guidelines on how to lock
down my network and user environments (those darned users!) has me
(and my clients) much more comfortable with our Win2k3 Server
deployments. From AD to GPO''''s to EFS, this book covers it all."Robert Laposta, MCP, MCSA, MCSE, Io Network Services, Sierra
Vista
AZrob.laposta@cox.net"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron, CPCU, CCP, AAI, Microsoft MVP - Windows
Security Information Technology Consultant
harrywaldronmvp@yahoo.com"Roberta Bragg''''s Windows Server 2003 Security offers more
than just lucid coverage of how things work, but also offers sound
advice on how to make them work better."Chris Quirk; MVP Windows shell/user
cquirke@mvps.org"This book is an invaluable resource for anyone concerned about
the security of Windows Server 2003. Despite the amount and
complexity of the material presented, Roberta delivers very
readable and clear coverage on most of the security-related aspects
of Microsoft''''s flagship operative system. Highly recommended
reading!"Valery Pryamikov, Security MVP, Harper Security Consulting
valery.pryamikov@harper.no"As long as you have something to do with Windows 2003, I have
four words for you: ''''Order your copy now.''''"Bernard Cheah, Microsoft IIS MVP, Infra Architect, Intel
Corp.
bernard@mvps.org"Roberta Bragg has developed a ''''must have'''' manual for
administrators who manage Microsoft Windows 2003 servers in their
organizations. The best practices for strengthening security
controls are well organized, with practical examples shared
throughout the book. If you work with Windows 2003, you need this
great resource."Harry L. Waldron
CPCU, CCP, AAI Microsoft MVPWindows Security Information
Technology Consultant
