Implementing AD – 5/19/2008
Having to log on to multiple domains can be a time and bandwidth hog, so with Windows 2000 Microsoft introduced the Global Catalog. A Global Catalog server holds a full copy of every object in its own domain and a partial, read-only copy of every object in the other domains of the forest, so cross-domain lookups can be answered locally instead of being referred to another domain. We saw the effect of this by logging on with a UPN (user@child.domain.local) before and after raising our domain functional level. When we were operating at Windows 2000 Mixed, we were able to log on with no problems: the domain controller simply asked the child domain whether the credentials were legitimate and then let us in. On a large scale, that referral traffic creates bandwidth and efficiency issues.
Raising the domain to Windows 2000 Native mode makes universal groups available, and from then on a domain controller has to query a Global Catalog during logon to build the user's complete group membership (and to work out which domain a UPN belongs to). Authentication itself still happens on the domain controller, but without a reachable GC the logon is refused. We turned off our GC and tried to log in using a UPN. This time, it didn't work. Members of Domain Admins are the one exception: they can still log on when no Global Catalog is available.
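Before taking a Global Catalog offline it is worth confirming that it is not the only one, and knowing how to make another DC a GC. The PowerShell below is an added example, not part of the original notes; it assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 and later), the domain child.domain.local from the notes, and a second DC named DC2.

```powershell
Import-Module ActiveDirectory

# Mixed vs. native mode is recorded in the ntMixedDomain attribute on the domain head:
# 1 = Windows 2000 Mixed (no GC needed at logon), 0 = Native (GC required at logon).
$domain = Get-ADDomain
$head   = Get-ADObject -Identity $domain.DistinguishedName -Properties ntMixedDomain
"Domain {0}: functional level {1}, ntMixedDomain={2}" -f $domain.DNSRoot, $domain.DomainMode, $head.ntMixedDomain

# Every Global Catalog in the forest, by host name.
$gcs = @((Get-ADForest).GlobalCatalogs)
"Global Catalogs in the forest: {0}" -f ($gcs -join ", ")
if ($gcs.Count -lt 2) {
    Write-Warning "Only one GC exists. Taking it offline breaks UPN logons for everyone except Domain Admins."
}

# Ask the DC locator for a GC the same way a logon does (/gc restricts the search to GCs).
nltest /dsgetdc:child.domain.local /gc

# To promote another DC to a GC, set bit 1 of the options attribute on its NTDS Settings
# object. This is what the "Global Catalog" checkbox in AD Sites and Services does.
$dc   = Get-ADDomainController -Identity "DC2"          # assumed name
$ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
Set-ADObject -Identity $ntds -Replace @{ options = ([int]$ntds.options -bor 1) }
```

The last step only flags the DC as a GC; it becomes one after it has finished replicating the partial replicas of the other domains, which on a lab network is quick but on a large forest is not.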
In addition, we also talked about the operations master (FSMO) roles and how to transfer or seize them. Remember that the tool you're looking for is NTDSUTIL. Transfer a role while its current holder is still online; seize it only when that holder is gone for good, and never bring a DC back onto the network after its schema master, domain naming master or RID master role has been seized from it.
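NTDSUTIL accepts its menu commands as command-line arguments, so a transfer or a seizure can be scripted instead of typed menu by menu. The session below is an added example, not from the original notes; the target DC name DC2.domain.local is assumed.

```powershell
# Show who currently holds the five operations master roles.
netdom query fsmo

# Each quoted argument is one NTDSUTIL command; each "quit" backs out of one menu level
# (roles -> fsmo maintenance, connections -> server connections).
$target = "DC2.domain.local"   # the DC that should end up holding the roles (assumed)

# Transfer: the current holder is online and hands the role over cleanly.
ntdsutil "roles" "connections" "connect to server $target" "quit" `
         "transfer PDC" "transfer RID master" "transfer infrastructure master" "quit" "quit"

# Seize: only when the holder is permanently gone. NTDSUTIL first attempts a normal
# transfer and falls back to seizing if the holder does not answer. After seizing the
# schema, domain naming or RID master role, the old holder must be rebuilt, not reconnected.
ntdsutil "roles" "connections" "connect to server $target" "quit" `
         "seize PDC" "quit" "quit"

# Confirm the move.
netdom query fsmo
```

Each transfer and seize command still pops up a Yes/No confirmation dialog, so run this from an interactive session rather than a scheduled task.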
After a blood drive, we came back and light-headedly moved our way through Users and Groups. The main thing I want you to pull away from this lesson is to know the two types of groups (Security and Distribution) and the three group scopes (Domain Local, Global, Universal). Microsoft's best practice, often abbreviated AGDLP, is that accounts go into Global groups, Global groups go into Domain Local groups, and permissions are granted to the Domain Local groups; Universal groups are for collecting Global groups from several domains of a forest. So, for example, if I want all 100 users in the Finance department to be able to print to a particular printer, I first create a Global Security group for the Finance users and a Domain Local Security group for the printer. I then give the Print permission to the Domain Local group and add the Global Security group to the Domain Local group, and every Finance user gets the permission through the nesting. Making sense?
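The Finance printer example carried through in PowerShell, as an added example that is not part of the original notes. It assumes the ActiveDirectory module, an OU named OU=Groups,DC=domain,DC=local, that Finance users have Department set to "Finance", and a printer called FinancePrinter.

```powershell
Import-Module ActiveDirectory

$groupOU = "OU=Groups,DC=domain,DC=local"   # assumed
$printer = "FinancePrinter"                 # assumed

# A -> G: a Global Security group holds the accounts. A Global group can only contain
# accounts from its own domain, which is fine for one department.
New-ADGroup -Name "Finance Users" -SamAccountName "FinanceUsers" `
            -GroupScope Global -GroupCategory Security -Path $groupOU `
            -Description "All Finance department users"

# DL <- P: a Domain Local Security group carries the resource permission. It may contain
# Global (and Universal) groups from any domain in the forest, but can only be granted
# rights on resources in its own domain.
New-ADGroup -Name "PRN-$printer-Print" -GroupScope DomainLocal -GroupCategory Security `
            -Path $groupOU -Description "Print permission on $printer"

# Fill the Global group from the directory rather than by hand.
$financeUsers = Get-ADUser -Filter 'Department -eq "Finance"'
if ($financeUsers) {
    Add-ADGroupMember -Identity "FinanceUsers" -Members $financeUsers
}

# G -> DL: nest the Global group inside the Domain Local group. The Print permission
# itself is granted once, to PRN-FinancePrinter-Print, on the printer's Security tab.
Add-ADGroupMember -Identity "PRN-$printer-Print" -Members "FinanceUsers"

# Check the nesting: one direct member (the Global group), but every Finance user is an
# effective member once membership is expanded recursively.
"Direct members:"
(Get-ADGroupMember -Identity "PRN-$printer-Print").Name
"Effective user members: {0}" -f (Get-ADGroupMember -Identity "PRN-$printer-Print" -Recursive | Measure-Object).Count
```

When a second department needs the same printer, you add its Global group to the same Domain Local group; the printer's ACL never has to be touched again, which is the whole point of granting the permission to the Domain Local group rather than to the users.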
Homework:
- Chapter Four: Review Questions
- Chapter Five: Review Questions