Professional Windows Server 1002003 Security A Technical Reference [Electronic resources]

Roberta Bragg

نسخه متنی -صفحه : 194/ 73
نمايش فراداده

Active Directory Installation: Changes During dcpromo

The Windows NT domain model assigned each installed server a single, unchangeable role. Servers could only be a primary domain controller, backup domain controller, or server. To change a computer's role, reinstallation was necessary. This is not true for Windows 2000 or Windows Server 2003. Any Windows 2000 or Windows Server 2003 server can be promoted to become a domain controller, and any domain controller can be demoted and become a simple server. This change to server role is managed using the dcpromo command. The exception to this rule is the Windows Server 2003 web server edition, which cannot be promoted.

When a server is promoted to domain controller, many changes occur:Chapter 8.

Network Configuration Operators

Make changes to TCP/IP settings.

Performance Monitor Users

Have the ability to remotely monitor the computer.

Performance Log Users

Have remote access to schedule logging of performance counters on the computer.

Pre-Windows 2000 Compatible Users

Read access on all users and groups in the domain. Provided for backward capability with Windows NT. The identity Everyone is a member of this group. Only add members to this group if you have Windows NT 4.0 member servers or BDCs in the domain.

Print Operators

Administer domain printers.

Remote Desktop Users

Right to log on remotely.

Replicator

Supports file replication.

Server Operators

Log on interactively, create and delete shared resources, start and stop some services, back up and restore files, format disks, shut down the computer.

Users

Interactive and authenticated users groups and domain users are members of this group. Any user created in the domain becomes a member of this group.

Terminal Server License Servers

Can manage licenses for terminal services.

Windows Authorization Access Group

Access to the computed tokenGroupGlobalAndUniversal attribute on User Objects (membership=Enterprise Domain Controllers).

Table 7-4. Groups Created During dcpromo in the Users Container

Group

Privilege

Cert Publishers

Publish certificates for users and computers.

DNS Administrators

Created if DNS is installed. Can administer the DNS server.

DNSUpdate Proxy

Created if DNS is installed. Can update DNS records for other computers, such as DHCP servers.

Domain Admins

Full control of the domain member of administrators groups in all computers joined in the domain.

Domain Computers

All workstations and servers joined in the domain.

Domain Controllers

All domain controllers in the domain.

Domain Guests

All domain guests.

Domain Users

All domain users.

Enterprise Admins

This group only exists in the root domain of the forest. Full control of all domains in the forests. This group is a member of all domain administrator groups on all domain controllers in the domain.

Group Policy Creator Owners

Create and modify Group Policy in the domain. The Administrator account is a member of this group by default.

HelpServicesGroup

Used by the Help and Support Center. The Support_388945a0 account is a member. This account is used for remote assistance logon. When a remote assistance invitation is used to provide remote assistance, a password must be entered. This password is assigned to the Support_388945a0 account during the creation of the remote assistance invitation. The helper uses this account to log on to the user's desktop computer to provide remote assistance. This group may be used to contain accounts created by third-party products used in managing the computer. For example, owners of Dell computers may find a support account added here.

RAS and IAS Servers

Permitted access to user remote access properties.

Schema Admins

This group is only created in the root forest domain and can modify Active Directory Schema. The Administrator account is the default member of this group.

TelnetClients

Access to Telnet server on this system.

Table 7-5. User Accounts Established During dcpromo

User

Description

Administrator

All powerful root account.

Guest

Access to domain resources (disabled by default).

Support_388945a0

This group allows signed scripts to interact with the Help and Support Service. It can be used so that ordinary users can run signed scripts from links in the Help and Support Service. The scripts are programmed to use this account instead of the user's account to perform administrative functions on the computer. This account is used by the Remote Assistance program.

New administrative tools are present (Table 7-6), and the ability to manage items such as local users and groups is removed.

Table 7-6. New Administrative Tools for Domain Controllers

Tool

Description

Active Directory Domains and Trusts

Manage domains and trusts.

Active Directory Users and Computers

Manage users and computers, links to tools to manage Group Policy.

Active Directory Sites and Services

Manage sites and services.

DNS

Manage DNS (if DNS is installed during dcpromo).

Domain Controller Security Policy

Manage default domain controller security settings portion of GPO.

Domain Security Policy

Manage security settings portion of default Domain GPO.

The SYSVOL and sysvol folders and sysvol and netlogon shares are created.

The sample AD database or template, ntds.dit, is copied from the %windir%\system32 folder to the %windir%\NTDS folder. Ntds.dit contains the basic active directory structure and includes the default policies for domain controllers and the domain.

If the option to install DNS is selected, DNS is installed.

The domain controller attempts to register itself with the DNS server that is authoritative for the domain. If DNS is created on the domain controller, it will become authoritative for the domain. In addition to an A, or host record, the SRV records are created for _ldap, _Kerberos, and _gc.

Additional services are enabled and started, including FRS, the distributed file system (DFS), and the Kerberos Key Distribution Service (KDS).

The defltdc.inf (default domain controller) security template is applied. (Security templates hold security settings; when applied to a computer, the security settings in the template become the local Group Policy settings for the computer.)

If this is not the first domain controller in the domain, Active Directory data and Group Policy files and folders are replicated from another domain controller.

If this is not the first domain controller in the domain, the Domain Security Policy and Domain Controller Security Policy, in addition to any additional GPOs linked to the domain or Domain Controller OU, are applied.

In the first domain controller in the domain, the Default Domain Policy (GPO) is created and linked to the root of the domain, and the Default Domain Controller Policy (GPO) is created and linked to the Domain Controller's OU.