Active Directory Installation: Changes During dcpromo

The Windows NT domain model assigned each installed server a single, unchangeable role: primary domain controller, backup domain controller, or server. To change a computer's role, reinstallation was necessary. This is not true for Windows 2000 or Windows Server 2003. Any Windows 2000 or Windows Server 2003 server can be promoted to a domain controller, and any domain controller can be demoted to a simple server. This change of server role is managed using the dcpromo command. The exception to this rule is the Windows Server 2003 web server edition, which cannot be promoted.

When a server is promoted to domain controller, many changes occur:
Network Configuration Operators | Make changes to TCP/IP settings. |
Performance Monitor Users | Have the ability to remotely monitor the computer. |
Performance Log Users | Have remote access to schedule logging of performance counters on the computer. |
Pre-Windows 2000 Compatible Users | Read access on all users and groups in the domain. Provided for backward compatibility with Windows NT. The identity Everyone is a member of this group. Only add members to this group if you have Windows NT 4.0 member servers or BDCs in the domain. |
Print Operators | Administer domain printers. |
Remote Desktop Users | Right to log on remotely. |
Replicator | Supports file replication. |
Server Operators | Log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format disks, shut down the computer. |
Users | The Interactive and Authenticated Users identities and the Domain Users group are members of this group. Any user created in the domain becomes a member of this group. |
Terminal Server License Servers | Can manage licenses for terminal services. |
Windows Authorization Access Group | Access to the computed tokenGroupsGlobalAndUniversal attribute on user objects (membership=Enterprise Domain Controllers). |
Table 7-4. Groups Created During dcpromo in the Users Container
Group | Privilege |
---|---|
Cert Publishers | Publish certificates for users and computers. |
DNS Administrators | Created if DNS is installed. Can administer the DNS server. |
DNSUpdate Proxy | Created if DNS is installed. Members, such as DHCP servers, can update DNS records on behalf of other computers. |
Domain Admins | Full control of the domain. Member of the Administrators group on all computers joined to the domain. |
Domain Computers | All workstations and servers joined to the domain. |
Domain Controllers | All domain controllers in the domain. |
Domain Guests | All domain guests. |
Domain Users | All domain users. |
Enterprise Admins | This group exists only in the root domain of the forest. Full control of all domains in the forest. This group is a member of all domain administrator groups on all domain controllers in the domain. |
Group Policy Creator Owners | Create and modify Group Policy in the domain. The Administrator account is a member of this group by default. |
HelpServicesGroup | Used by the Help and Support Center. The Support_388945a0 account is a member. This account is used for remote assistance logon. When a remote assistance invitation is used to provide remote assistance, a password must be entered. This password is assigned to the Support_388945a0 account during the creation of the remote assistance invitation. The helper uses this account to log on to the user's desktop computer to provide remote assistance. This group may be used to contain accounts created by third-party products used in managing the computer. For example, owners of Dell computers may find a support account added here. |
RAS and IAS Servers | Permitted access to user remote access properties. |
Schema Admins | This group is created only in the forest root domain and can modify the Active Directory schema. The Administrator account is the default member of this group. |
TelnetClients | Access to Telnet server on this system. |
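One defensive use of the default memberships listed in the tables above, as an added example that is not from the original text: the script parses an LDIF export of group objects (the format ldifde writes) and reports where membership differs from those defaults. The domain, account names and sample export are constructed, and group names are used as printed in the tables, so adjust them to the names in your own export.

```python
import re
# Well-known SIDs appear as CN=<SID> under CN=ForeignSecurityPrincipals.
WELL_KNOWN = {"S-1-1-0": "Everyone", "S-1-5-7": "Anonymous Logon",
              "S-1-5-9": "Enterprise Domain Controllers"}
# Default members as stated in the tables; group names as printed there.
BASELINE = {
    "Schema Admins": {"Administrator"},
    "Pre-Windows 2000 Compatible Users": {"Everyone"},
    "Windows Authorization Access Group": {"Enterprise Domain Controllers"},
}
# Constructed sample export (hypothetical domain and account names).
SAMPLE = """\
dn: CN=Schema Admins,CN=Users,DC=corp,DC=example
member: CN=Administrator,CN=Users,DC=corp,DC=example
member: CN=svc-bac
 kup,OU=Service Accounts,DC=corp,DC=example

dn: CN=Pre-Windows 2000 Compatible Users,CN=Builtin,DC=corp,DC=example
member: CN=S-1-1-0,CN=ForeignSecurityPrincipals,DC=corp,DC=example
member: CN=S-1-5-7,CN=ForeignSecurityPrincipals,DC=corp,DC=example
"""

def first_rdn(dn):
    """Value of the leading RDN, honouring backslash-escaped commas."""
    m = re.match(r"[^=]+=((?:\\.|[^,\\])*)", dn)
    return re.sub(r"\\(.)", r"\1", m.group(1)) if m else dn

def parse_ldif(text):
    """Return {group name: set(member names)} from an LDIF export."""
    text = re.sub(r"\r?\n ", "", text)  # unfold: newline + one space continues a line
    groups, current = {}, None
    for line in text.splitlines():
        attr, _, value = line.partition(": ")
        if attr in ("dn", "dn:"):  # "dn::" marks a base64 DN, skipped here
            current = groups.setdefault(first_rdn(value), set()) if attr == "dn" else None
        elif attr == "member" and current is not None:
            name = first_rdn(value)
            current.add(WELL_KNOWN.get(name, name))
    return groups

def audit(groups):
    """List deviations from BASELINE for groups present in the export."""
    out = []
    for g in sorted(BASELINE.keys() & groups.keys()):
        out += [f"{g}: unexpected member {m}" for m in sorted(groups[g] - BASELINE[g])]
        out += [f"{g}: default member {m} missing" for m in sorted(BASELINE[g] - groups[g])]
    return out

if __name__ == "__main__":
    print("\n".join(audit(parse_ldif(SAMPLE))))
```

Entries whose DN or member values are base64-encoded (`dn::`, `member::`) are skipped rather than decoded, so review those by hand.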
Table 7-6. New Administrative Tools for Domain Controllers
Tool | Description |
---|---|
Active Directory Domains and Trusts | Manage domains and trusts. |
Active Directory Users and Computers | Manage users and computers; provides links to tools to manage Group Policy. |
Active Directory Sites and Services | Manage sites and services. |
DNS | Manage DNS (if DNS is installed during dcpromo). |
Domain Controller Security Policy | Manage the security settings portion of the default domain controller GPO. |
Domain Security Policy | Manage the security settings portion of the default domain GPO. |