Full of I.T.

Kevin Remde's IT Pro WebLog

Best of Questions and Answers from Webcast: Active Directory Fundamentals (May 30, 2006)

Below I’ve pasted an edited and cleaned up copy of most of the Q&A from today’s webcast on Active Directory Fundamentals.

HUGE thank you to Chris Henley, John Baker, and John Weston for handling the Q&A on the back-end; this really represents their work.

Also – here is the resource page I put together for this topic.


Questions and Answers:

“Where can I find a step by step guide to setup this on my network?”

is the best place to start for step by step guides

“One thing I did not understand is which machine do you use to manage the active directory. Is it a separate server which has access to all machines on network?”

You can manage AD from any DC or any workstation or server that has the Adminpak installed and has access to a DC. http://www.microsoft.com/downloads/details.aspx?familyid=c16ae515-c8f4-47ef-a1e4-a8dcbacff8e3&displaylang=en

“Doesn’t the OU security customization defeat the overall purpose of AD? restriction vs. transitive trust?”

Good Question. The OU customization does not defeat the purpose because of the hierarchical structure of AD. Each level of OU structure can provide the benefits of inheritance and granular control for security purposes, while the trust relationships can provide access at the forest and domain levels above.

“What are the differences between OU’s and Containers?”

An organizational unit is a hierarchical object component of Active Directory, while a container is simply a holding area for objects until we decide which OU they should be a part of.
Another benefit of OUs over Containers is that OUs can have policy (Group Policy) applied to them; containers can not.  And you can delegate administration to OUs, but not to containers.

“Where can I download the GPMC?”


“So we might have objects that reside both in OU’s and Containers or can they be present only in one of these at any point in time ?”

An object can only reside in ONE OU or container at any time. It can’t exist in both places.

“Is the extension .com required or necessary in AD naming? Is .you or .org allowable? .com implies an HTTP protocol, doesn’t it?”

There are several schools of thought on this.  The reality of it is that there is no restriction on what you use for your AD domain names.  Many companies use their DNS namespace as a part of their AD domain name root.  For example, Contoso might have Contoso.com as their external domain space for their WWW site and other applications, but internally they may have “corp.Contoso.com” as the root of their Active Directory namespace. 

“Is there a way to get a report on who is in which OU?”

I think you’d have to create a custom script. Check this link for scripts for managing OU’s http://www.microsoft.com/technet/scriptcenter/scripts/ad/ous/default.mspx
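As an added example (not part of the webcast Q&A), here is the same report done with the ActiveDirectory PowerShell module rather than a VBScript. It assumes RSAT is installed and the session is authenticated to the domain. Because default containers such as CN=Users and CN=Computers are not OUs, the report also flags objects still sitting in them; those cannot receive OU-linked Group Policy or delegated administration.

```powershell
# Added example: list which users and computers sit in which OU (or default container).
# Assumes the ActiveDirectory module (RSAT) and a domain-joined, authenticated session.
Import-Module ActiveDirectory

function Get-OUMembershipReport {
    param(
        # Defaults to the whole domain; pass an OU's DN to report on one subtree only.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    # One LDAP query covers both kinds of object. Computers carry objectClass=user too,
    # so the user clause is anchored on objectCategory=person to keep them apart.
    $objects = Get-ADObject -SearchBase $SearchBase -SearchScope Subtree `
        -LDAPFilter '(|(&(objectCategory=person)(objectClass=user))(objectCategory=computer))' `
        -Properties sAMAccountName, objectClass

    foreach ($obj in $objects) {
        # The parent is the DN with its first RDN removed. The regex skips escaped commas
        # (e.g. "CN=Doe\, John,OU=Sales,...") so names containing commas do not break it.
        $parent = $obj.DistinguishedName -replace '^(?:[^,\\]|\\.)+,', ''
        [pscustomobject]@{
            Name        = $obj.sAMAccountName
            Class       = $obj.objectClass
            Parent      = $parent
            # Default containers (CN=Users, CN=Computers) are not OUs: no GPO links, no delegation.
            InContainer = ($parent -like 'CN=*')
        }
    }
}

$report = Get-OUMembershipReport

# Headcount per OU/container, then the full listing
$report | Group-Object Parent | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
$report | Sort-Object Parent, Class, Name | Format-Table -AutoSize

# Objects that never left the default containers deserve a second look
$report | Where-Object InContainer |
    Export-Csv -Path .\objects-in-default-containers.csv -NoTypeInformation
```

Run it from an elevated PowerShell on a management workstation; on a large domain, narrow `-SearchBase` to the OU of interest rather than pulling the whole directory.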

“Back to group policy for a moment… I understand distributing software packages via the AD infrastructure is also supported. What are the possible deployment targets? Only OUs, or can these packages be targeted at single users or computers, or the entire domain?”

Group Policy can be applied at 3 levels: Sites, Domains, or OUs. When planning software deployments, generally we deploy them to the OU level. It is possible to filter group policies so that only a single user or group of users receive the software you are deploying.
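The filtering mentioned above is done with security filtering on the GPO. Here is an added example (not from the webcast) using the GroupPolicy module: a software deployment GPO linked to a workstation OU, scoped so that only members of one pilot group receive the package. The GPO, OU and group names are assumed. Computers are targeted the same way as users: put the computer accounts in the group. One caveat a practitioner will hit: after MS16-072, the computer account reads user GPOs, so Authenticated Users (or Domain Computers) must keep Read on the GPO; only Apply is removed.

```powershell
# Added example: scope a software deployment GPO to one group via security filtering.
# Assumes the GroupPolicy and ActiveDirectory modules (RSAT). Names below are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Deploy-7Zip'                                   # assumed GPO holding the MSI package
$TargetOU  = 'OU=Workstations,DC=corp,DC=contoso,DC=com'     # assumed OU the GPO is linked to
$GroupName = 'SW-7Zip-Pilot'                                 # assumed group: only its members get it

# The group decides who receives the package. For a per-computer install put the computer
# accounts in it; for a per-user install, the users. A single account works the same way.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $TargetOU
}

$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $GpoName }

$linked = (Get-GPInheritance -Target $TargetOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) { New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null }

# Security filtering: downgrade Authenticated Users from Apply to Read (not remove; since
# MS16-072 the computer account must still be able to read the GPO), then give the pilot
# group Read + Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# Verify: exactly one trustee should hold GpoApply.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

A `gpupdate /force` on a pilot machine followed by `gpresult /r` shows whether the GPO was applied or listed as filtered out.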

“I just missed the part of how to create the active directory, can you give the direction?”

Active directory can be installed by using the “dcpromo” command from a command line.

“Does AD replication between sites need specific ports?”

Check this link and scroll down to Active Directory Communication http://www.microsoft.com/technet/prodtechnol/exchange/DE/Guides/E2k3FrontBack/f9733398-a21e-4b40-8601-cfb452da82ad.mspx?mfr=true

“Is there a minimum number of DNS servers that I must have in my infrastructure, or is only one per domain the recommendation?”

The minimum number of DNS servers necessary to allow active directory to function is 1. Depending on the structure and connectivity of your organization you might implement any number of strategies to supply DNS resolution for Active Directory. There is no specific rule on number of DNS servers per domain.

“What kind of objects can dynamically register in DNS?”

Forests, domains, and computers from the Active Directory. Other services might also register, such as the Kerberos Key Distribution Center.
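The two answers above (ports for intersite replication, and what registers itself in DNS) are easiest to check together. The following is an added example, not from the webcast: it resolves the SRV records a domain controller registers under the `_msdcs` subdomain (DC locator, KDC, global catalog), then probes the well-known TCP ports AD depends on against each advertised DC. It assumes the `Resolve-DnsName` and `Test-NetConnection` cmdlets (Windows 8 / Server 2012 or later) and reads the domain name from the environment.

```powershell
# Added example: confirm DC SRV registrations in DNS and reachability of the ports AD needs.
# Assumes DnsClient/NetTCPIP cmdlets and a domain-joined host; set $Domain by hand otherwise.
$Domain = $env:USERDNSDOMAIN          # e.g. 'corp.contoso.com'

# SRV records every DC registers (standard AD layout under _msdcs).
$srvNames = [ordered]@{
    'DC locator'     = "_ldap._tcp.dc._msdcs.$Domain"
    'KDC'            = "_kerberos._tcp.dc._msdcs.$Domain"
    'Global catalog' = "_ldap._tcp.gc._msdcs.$Domain"
}

# TCP ports intersite replication and logon depend on. RPC also uses a dynamic high-port range
# negotiated through the endpoint mapper (135), which a fixed-port probe cannot cover.
$ports = [ordered]@{ DNS = 53; Kerberos = 88; 'RPC EPM' = 135; LDAP = 389; SMB = 445; LDAPS = 636; GC = 3268 }

function Test-DcRegistration {
    # One object per SRV record found; warns (but continues) for records that are missing.
    foreach ($role in $srvNames.Keys) {
        try {
            $recs = Resolve-DnsName -Name $srvNames[$role] -Type SRV -ErrorAction Stop |
                    Where-Object Type -eq 'SRV'      # drop glue A records from the additional section
        } catch {
            Write-Warning "$role record $($srvNames[$role]) missing: $($_.Exception.Message)"
            continue
        }
        foreach ($r in $recs) {
            [pscustomobject]@{
                Role     = $role
                Record   = $srvNames[$role]
                Target   = $r.NameTarget
                Port     = $r.Port
                Priority = $r.Priority
                Weight   = $r.Weight
            }
        }
    }
}

function Test-DcPorts {
    param([string[]]$DomainControllers)
    foreach ($dc in $DomainControllers) {
        foreach ($svc in $ports.Keys) {
            [pscustomobject]@{
                DC      = $dc
                Service = $svc
                Port    = $ports[$svc]
                Open    = Test-NetConnection -ComputerName $dc -Port $ports[$svc] `
                              -InformationLevel Quiet -WarningAction SilentlyContinue
            }
        }
    }
}

$records = Test-DcRegistration
$records | Format-Table -AutoSize

# Probe every DC the locator record advertises
$dcs = $records | Where-Object Role -eq 'DC locator' | Select-Object -ExpandProperty Target -Unique
Test-DcPorts -DomainControllers $dcs | Format-Table -AutoSize
```

A DC that is missing from the locator record, or one where 88/389/445 show `Open = False` from a remote site, is the usual explanation for "replication works from one side only" and for clients in that site authenticating against a DC across the WAN.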

“What is a cost value?”

A site link is a connection object between two or more sites. A site link allows the administrator to assign cost, a replication schedule, and a transport for replication. Cost is an arbitrary value selected by the administrator to reflect the relative speed and reliability of the physical connection between the sites; the lower the cost, the more desirable is the connection. See link and scroll to “Site Links” http://www.microsoft.com/technet/archive/windows2000serv/technologies/activedirectory/deploy/adguide/adplan/adpch03.mspx?mfr=true
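To make the cost value concrete, here is an added example (not from the webcast) that does what the KCC does with site link costs when site links are bridged: it treats every site link as connecting all of its member sites at that link's cost and finds the cheapest route between two sites. The site links are constructed sample data; in production, pull them with `Get-ADReplicationSiteLink -Filter * -Properties Cost, SitesIncluded` and map `SitesIncluded` DNs to site names.

```powershell
# Added example: lowest-cost replication route from site-link costs (Dijkstra over sites).
# The $siteLinks below are constructed sample data, not a real topology.
$siteLinks = @(
    [pscustomobject]@{ Name = 'HQ-Branch1';      Cost = 100; Sites = @('HQ', 'Branch1') },
    [pscustomobject]@{ Name = 'HQ-Branch2';      Cost = 500; Sites = @('HQ', 'Branch2') },
    [pscustomobject]@{ Name = 'Branch1-Branch2'; Cost = 200; Sites = @('Branch1', 'Branch2') },
    [pscustomobject]@{ Name = 'DR-Ring';         Cost = 50;  Sites = @('HQ', 'DR', 'Branch2') }  # one link, three sites
)

function Get-CheapestReplicationPath {
    param([array]$Links, [string]$From, [string]$To)

    # Adjacency: a site link with N sites connects every pair of them at the link's cost.
    $adj = @{}
    foreach ($l in $Links) {
        foreach ($a in $l.Sites) {
            if (-not $adj.ContainsKey($a)) { $adj[$a] = @() }
            foreach ($b in $l.Sites) {
                if ($a -ne $b) { $adj[$a] += [pscustomobject]@{ Site = $b; Cost = $l.Cost; Link = $l.Name } }
            }
        }
    }
    if (-not ($adj.ContainsKey($From) -and $adj.ContainsKey($To))) { throw "Unknown site: $From or $To" }

    # Dijkstra: lower cumulative cost wins, matching "lower cost = more desirable".
    $dist = @{}; $prev = @{}
    $unvisited = [System.Collections.Generic.HashSet[string]]::new()
    foreach ($s in $adj.Keys) { $dist[$s] = [int]::MaxValue; $null = $unvisited.Add($s) }
    $dist[$From] = 0
    while ($unvisited.Count -gt 0) {
        $u = $unvisited | Sort-Object { $dist[$_] } | Select-Object -First 1
        if ($dist[$u] -eq [int]::MaxValue) { break }   # remaining sites are unreachable
        $null = $unvisited.Remove($u)
        if ($u -eq $To) { break }
        foreach ($e in $adj[$u]) {
            $alt = $dist[$u] + $e.Cost
            if ($alt -lt $dist[$e.Site]) {
                $dist[$e.Site] = $alt
                $prev[$e.Site] = @{ Site = $u; Link = $e.Link }
            }
        }
    }
    if ($dist[$To] -eq [int]::MaxValue) { return $null }   # no route: replication cannot reach $To

    # Walk the predecessor chain back to build the hop list.
    $path = @(); $cur = $To
    while ($cur -ne $From) {
        $path = @("$($prev[$cur].Link) -> $cur") + $path
        $cur  = $prev[$cur].Site
    }
    [pscustomobject]@{ From = $From; To = $To; TotalCost = $dist[$To]; Route = ($path -join ', ') }
}

Get-CheapestReplicationPath -Links $siteLinks -From 'Branch1' -To 'DR'
```

With site link bridging disabled (`Bridge all site links` cleared), only explicit site link bridges provide the transitivity this example assumes, so an unexpected `$null` route is the first thing to check when a site stops replicating after a topology change.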

“Is there a way to assign static IPs to workstations through AD or GPOs?”

No, how would the machine be able to get GPO if it didn’t already have an IP address?  You need to do this using DHCP.
Another option, though a bit odd (not sure why you would need to do this) would be to use a WMI script – maybe as part of the startup or login script.  You can use WMI commands to configure the NIC.  But.. again, the first time it’s run you’d have to first have it dynamically get an address, then the script could launch to reset it to a static address. 
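For completeness, the WMI route the answer describes looks like the following. It is an added example, not from the webcast, written as a computer startup script (runs as SYSTEM), and it assumes exactly what the answer warns about: the adapter has already picked up a DHCP lease, otherwise the script never reaches the machine. The MAC address, addresses and DNS servers are placeholders; the adapter is matched by MAC so a machine with several NICs never has the wrong one reconfigured.

```powershell
# Added example: pin a static address on one NIC via the Win32_NetworkAdapterConfiguration WMI class.
# Assumes the adapter already has a DHCP lease and the script runs as SYSTEM (computer startup script).
$TargetMac  = '00-15-5D-01-02-03'                 # assumed: NIC to configure, matched by MAC
$StaticIp   = '10.20.30.40'                       # placeholders
$SubnetMask = '255.255.255.0'
$Gateway    = '10.20.30.1'
$DnsServers = @('10.20.30.10', '10.20.30.11')     # must be the AD-integrated DNS servers, or logon breaks

$nic = Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
       Where-Object { ($_.MACAddress -replace ':', '-') -eq $TargetMac }
if (-not $nic) { Write-Error "No IP-enabled adapter with MAC $TargetMac"; return }

# Startup scripts run every boot: do nothing if the address is already pinned.
if (-not $nic.DHCPEnabled -and ($nic.IPAddress -contains $StaticIp)) { return }

# EnableStatic cuts the DHCP lease; from here on DNS/gateway must be set explicitly.
$r = Invoke-CimMethod -InputObject $nic -MethodName EnableStatic `
        -Arguments @{ IPAddress = @($StaticIp); SubnetMask = @($SubnetMask) }
if ($r.ReturnValue -ne 0) { Write-Error "EnableStatic failed with code $($r.ReturnValue)"; return }

Invoke-CimMethod -InputObject $nic -MethodName SetGateways `
        -Arguments @{ DefaultIPGateway = @($Gateway); GatewayCostMetric = @([uint16]1) } | Out-Null
Invoke-CimMethod -InputObject $nic -MethodName SetDNSServerSearchOrder `
        -Arguments @{ DNSServerSearchOrder = $DnsServers } | Out-Null

# Re-register the machine's A and SRV-dependent records under the new address.
ipconfig /registerdns | Out-Null
```

Before resorting to this, note that a DHCP reservation keyed on the same MAC address gives the machine a fixed address without any script, and keeps the DNS servers and gateway under central control.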

“Can you give a typical rule of thumb figure in bps of how much BW is used for intersite replication?”

It really depends on the number of changes that are made at each individual site and the replication interval between the sites. There is really no standard figure.

“Can users and computers be migrated from one domain to another?”


“Has anything changed around Active Directory in Vista? Is there anything to mention about any of the following scenarios? (1) Connecting Vista clients to Win2k3 DCs (2) Connecting XP/Win2k3 clients to Vista Server DCs (3) Connecting Vista clients to Vista Server DCs.”

Watch some of the great webcasts on Windows Vista that are currently available on the webcast archives, or in up-coming webcasts.

“Is the KCC automatically run or is there some manual process that needs to occur there?”


“Is there a ‘best practices’ guide on how to audit Active Directory?”

I would use the active directory deployment guides here http://www.microsoft.com/windowsserver2003/technologies/directory/activedirectory/default.mspx

“Thanks Kevin – Great talk! Although not necessarily within the scope of the talk, I do have some additional questions around how flexible the software deployment options are through Active Directory. Are there ways to deploy things other than single MSI packages? What are .ZAP files, and what does AD do with them?”

As promised, here are some software deployment resources for you:
Using Active Directory –
Using Microsoft Systems Management Server 2003 (SMS 2003) –

“I’m running classrooms and a lab in an elementary school, and want to add a file server. Do I lose anything if I don’t use Active Directory?”

I guess it depends on how you’re handling authentication for the sake of securing the files or other resources. If you’re okay with leaving things wide open, then you’re fine. If you’re only managing a few computers, then doing peer-to-peer authentication is okay. But any more resources than that become difficult to manage without some central directory. I highly recommend you look at Small Business Server 2003.

“What are the core differences between Win2k and Win2k3 AD features based on today’s presentation?”

GREAT question.  Here’s a really good “What’s new” chat, with additional links to resources that should make it pretty clear: http://www.microsoft.com/technet/community/chats/trans/windowsnet/wnet0630.mspx