Windows Tips & Tricks UPDATE, January 5, 2004, —brought to you by the Windows & .NET Magazine Network and the Windows 2000 FAQ site
This Issue Sponsored By
Windows & .NET Magazine VIP Web Site/Super CD
- Q. What types of trust relationships does Windows Server 2003 support?
- Q. What are some common reasons for adding domains in a Windows 2000 or later environment?
- Q. If I have only one domain, which servers should be Global Catalog (GC) servers?
- Q. What does the infrastructure Flexible Single Master Operation (FSMO) role do?
- Q. Why won't the game Max Payne 2 run on my Windows installation?
- Register for Windows & .NET Magazine Connections!
- The Windows & .NET Magazine Network VIP Web Site/Super CD Has It All!
- New--Microsoft Security Strategies Roadshow!
5. Contact Us
- See this section for a list of ways to contact us.
Sponsor: Windows & .NET Magazine VIP Web Site/Super CD
The Windows & .NET Magazine Network VIP Web Site/Super CD Has It All!
If you want to be sure you're getting everything the Windows & .NET Magazine Network has to offer, then you need a subscription to the VIP Web site/Super CD. You'll get online access to all of our publications, a print subscription to Windows & .NET Magazine, and a subscription to our VIP Web site, a banner-free resource loaded with articles you can't find anywhere else. Click here to find out how you can get it all at 25% off!
by John Savill, FAQ Editor, [email protected]
This week, I tell you what types of trust relationships exist in Windows Server 2003, when you might need to add domains in a Windows 2000 or later environment, and which servers should be Global Catalog (GC) servers when you only have one domain. I also explain what the infrastructure Flexible Single Master Operation (FSMO) role does and why you might not be able to get the game Max Payne 2 to work on your Windows installation.
Q. What types of trust relationships does Windows Server 2003 support?
A. Windows 2003 supports six types of trusts (although the OS doesn't support all types for all forest modes):
- Tree-root trust--Windows 2003 automatically creates a transitive, two-way trust when you add a new tree-root domain to an existing forest. Tree-root trusts let every domain in different trees in the same forest implicitly trust one another.
- Parent-child trust--Windows 2003 automatically creates a transitive, two-way trust when you add a child domain to an existing domain. This trust lets every domain in a particular tree implicitly trust one another.
- Shortcut trust--When domains that authenticate users are logically distant from one another, the process of logging on to the network can take a long time. You can manually add a shortcut trust between two domains in the same forest to speed authentication. Shortcut trusts are transitive and can either be one way or two way.
- External trust--Administrators can manually create an external trust between domains in different forests or from a Windows 2003 domain to a Windows NT 4.0 or earlier domain controller (DC). External trusts are nontransitive and can be one way or two way.
- Forest trust--When two forests have a functional level of Windows 2003, you can use a forest trust to join the forests at the root. An administrator can manually create a two-way forest trust that lets all domains in both forests transitively trust each other. Forest trusts can also be one way, in which case the domains in only one of the forests would trust the domains in the other forest. Multiple forest trusts aren't transitive. Therefore, if forest A has a forest trust to forest B and forest B has a forest trust to forest C, forest A does not implicitly trust forest C.
- Realm trust--An administrator can manually create a realm trust between a Windows 2003 domain and a non-Windows Kerberos 5 realm. Realm trusts can be transitive or nontransitive and one way or two way.
This figure shows two forests connected by a forest trust. In the first forest, a tree-root trust connects two separate trees and a parent-child trust connects each domain in each tree. Additionally, the figure shows a shortcut trust connecting two logically distant domains and an external trust connecting a Windows 2003 domain to an NT 4.0 domain.
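The following PowerShell script is an added example and not part of the original newsletter; it inventories the trusts of one domain and sorts each into the categories described above (intra-forest, forest, external, realm), reporting direction, transitivity, and the SID-filtering and selective-authentication settings a reviewer checks on every trust that crosses a forest boundary. It assumes the ActiveDirectory module from RSAT and read access to the domain; the `Get-TrustReport` function name and the treatment of non-AD trust types as Kerberos realms are my assumptions, and the `trustAttributes` bit values are the ones documented in MS-ADTS.

```powershell
# Added example (not from the newsletter): classify a domain's trusts.
# Requires the ActiveDirectory module (RSAT); a read-only domain user suffices.
Import-Module ActiveDirectory

# trustAttributes flag bits (MS-ADTS).
$TA_NON_TRANSITIVE    = 0x1
$TA_QUARANTINED       = 0x4    # SID filtering on an external trust
$TA_FOREST_TRANSITIVE = 0x8    # forest trust
$TA_CROSS_ORG         = 0x10   # selective authentication
$TA_WITHIN_FOREST     = 0x20   # tree-root, parent-child or shortcut trust

function Get-TrustReport {
    param(
        # Domain to query; defaults to the domain of the machine running the script.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )
    Get-ADTrust -Filter * -Server $Domain | ForEach-Object {
        $attr = [int]$_.TrustAttributes

        # Map the trust object onto the categories from the answer above.
        $kind =
            if ($attr -band $TA_WITHIN_FOREST)          { 'intra-forest (tree-root, parent-child or shortcut)' }
            elseif ($attr -band $TA_FOREST_TRANSITIVE)  { 'forest' }
            elseif ($_.TrustType -eq 'Downlevel')       { 'external (NT 4.0-style domain)' }
            elseif ($_.TrustType -eq 'Uplevel')         { 'external' }
            else { "realm (TrustType=$($_.TrustType))" }  # assumption: any other type is a Kerberos realm

        $crossesForest = -not ($attr -band $TA_WITHIN_FOREST)

        [pscustomobject]@{
            Partner               = $_.Target
            Kind                  = $kind
            Direction             = $_.Direction                       # Inbound, Outbound, BiDirectional
            Transitive            = -not [bool]($attr -band $TA_NON_TRANSITIVE)
            SelectiveAuth         = [bool]($attr -band $TA_CROSS_ORG)
            # SID filtering: "quarantined" applies to external trusts, "forest aware" to forest trusts.
            SidFiltering          = [bool]$_.SIDFilteringQuarantined -or [bool]$_.SIDFilteringForestAware
            # A trust that leaves the forest without SID filtering deserves a second look.
            ReviewRecommended     = $crossesForest -and -not ([bool]$_.SIDFilteringQuarantined -or [bool]$_.SIDFilteringForestAware)
        }
    }
}

# Usage: list every trust, then the ones worth reviewing.
$report = Get-TrustReport
$report | Format-Table Partner, Kind, Direction, Transitive, SelectiveAuth, SidFiltering -AutoSize
$report | Where-Object ReviewRecommended | Format-Table Partner, Kind, Direction -AutoSize
```

Run it once per domain (pass `-Domain` for each) rather than once per forest, because parent-child, tree-root and shortcut trusts are stored as trustedDomain objects in each participating domain and an external trust is visible only from the domain that holds it.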
Q. What are some common reasons for adding domains in a Windows 2000 or later environment?
A. Many of the original reasons for adding domains under Windows NT 4.0 (e.g., delegation of authority, the 40,000-object limit) no longer apply to Win2K and later OSs. When possible, you should try to limit the number of domains and rely on organizational units (OUs) and sites in Active Directory (AD). However, you might need to create domains in certain situations.
- If you have limited bandwidth for replication traffic--for example, because of slow network connections between sites--you might need to add domains, especially if your sites are distributed across vast geographic regions. Even if you use sites and limit when data can be replicated, you might need to add domains to handle the volume of replication data if your domain is very large.
- If you have only SMTP connectivity between sites, you must add domains because domain information can't replicate across site links that use SMTP.
- If you use different password/lockout/Kerberos policies: you can set those policies only at the domain level, because the client OS ignores the OU-level policy except when a user logs on with a local user account.
- If you restrict administrative permissions (e.g., legal reasons to restrict access).
- If you want to implement decentralized administration.
- If you use a namespace other than the default.
- If you want to ease migration of multiple domains.
- If you want to put the schema master in a domain separate from the domain that hosts users and resources.
- If you want to maintain an existing domain structure.
- If you need an isolated or autonomous domain--depending on your requirements, you might need a separate forest if the domain can't share items such as the schema.
If you have multiple domains, Microsoft recommends using a dedicated root domain containing only the default objects, the forest master roles (schema and domain naming), and the forest administrative groups (enterprise and schema). In this scenario, because the root domain has little content, it's quick to back up and uses little bandwidth for replication.
Q. If I have only one domain, which servers should be Global Catalog (GC) servers?
A. If you have just one domain, Microsoft recommends that you make all the domain controllers (DCs) GC servers so that your network won't incur any extra space usage or processing. In essence, the infrastructure Flexible Single Master Operation (FSMO) role still checks the GC for many operations. By making all DCs GC servers, you can spread the FSMO's request load to all DCs and prevent one DC from asking another DC for information that the first DC already has. Although the FSMO can't typically reside on a GC, you won't encounter any problems as long as only one domain exists because the FSMO won't need to keep track of any external domain objects.
Q. What does the infrastructure Flexible Single Master Operation (FSMO) role do?
A. The infrastructure FSMO role is one of the three "per domain" Operations Masters. The infrastructure FSMO keeps its domain's references to objects in other domains up-to-date by comparing its data with information in the Global Catalog (GC). As a result, the infrastructure FSMO doesn't usually work if it's a GC because the FSMO's information would always be the same as the GC's information. If the infrastructure FSMO's data becomes out-of-date, the FSMO will request updated information from the GC, then replicate the update to all domain controllers (DCs) in its domain. The infrastructure FSMO therefore needs a good connection to a GC, ideally one in the same site. The infrastructure FSMO can reside on a GC server only when every DC in a domain is a GC (because every DC would have up-to-date information) or when only one domain exists in the forest.
The primary purpose of the infrastructure FSMO is to update group memberships for users who reside in domains other than the group's domain. If you rename a user or move a user who belongs to a different domain, the group might exhibit some strange behavior. For example, the group might temporarily appear to not contain the user or the user icon might appear with gray hair because the group contains the user's SID and globally unique identifier (GUID), not just the distinguished name (DN). This collection of attributes is known as a phantom record in the group's domain. When you view the group's members, the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in verifies the DN with the user's domain. Because the DN has changed as the result of a rename or move operation, the snap-in doesn't find a match and gives the user's icon gray hair.
After the infrastructure FSMO runs and detects the user rename or move (i.e., checks all phantom entries), it updates the group with the correct name and location by querying the GC for the new DN of the stored GUID. Then, the user will again appear as a regular member of the group.
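The placement rule from the two answers above (infrastructure master on a GC is acceptable only when every DC in the domain is a GC or the forest has a single domain) is easy to check with PowerShell. The script below is an added example, not the newsletter's own code; it assumes the ActiveDirectory module from RSAT, and the function name `Test-InfrastructureMasterPlacement` and the wording of its verdicts are my own.

```powershell
# Added example (not from the newsletter): check whether the infrastructure
# master's placement will let it keep cross-domain (phantom) references current.
Import-Module ActiveDirectory

function Test-InfrastructureMasterPlacement {
    param(
        # Domain to check; defaults to the domain of the machine running the script.
        [string]$Domain = (Get-ADDomain).DNSRoot
    )

    $dom    = Get-ADDomain -Identity $Domain
    $forest = Get-ADForest -Identity $dom.Forest
    $dcs    = @(Get-ADDomainController -Filter * -Server $Domain)
    $gcs    = @($dcs | Where-Object { $_.IsGlobalCatalog })

    $allDcsAreGc  = ($gcs.Count -eq $dcs.Count)
    $singleDomain = (@($forest.Domains).Count -eq 1)
    # InfrastructureMaster is the DC's FQDN, which matches HostName on the DC objects.
    $imIsGc       = [bool]($gcs | Where-Object { $_.HostName -eq $dom.InfrastructureMaster })

    # The role on a GC only matters when there are other domains whose objects
    # this domain's groups can reference and when some DC is not a GC.
    $verdict =
        if ($imIsGc -and -not ($allDcsAreGc -or $singleDomain)) {
            'Infrastructure master is a GC in a multi-domain forest with non-GC DCs: phantom references will not be updated. Move the role to a non-GC DC or make every DC a GC.'
        } elseif ($singleDomain -and -not $allDcsAreGc) {
            'Single-domain forest: consider making every DC a GC (no extra data to host, and the GC load is spread across all DCs).'
        } else {
            'OK'
        }

    [pscustomobject]@{
        Domain               = $dom.DNSRoot
        Forest               = $forest.Name
        DomainsInForest      = @($forest.Domains).Count
        InfrastructureMaster = $dom.InfrastructureMaster
        MasterIsGC           = $imIsGc
        GlobalCatalogs       = ($gcs | ForEach-Object HostName) -join ', '
        AllDCsAreGC          = $allDcsAreGc
        Verdict              = $verdict
    }
}

# Usage: check the current domain, or every domain in the forest.
Test-InfrastructureMasterPlacement | Format-List
# (Get-ADForest).Domains | ForEach-Object { Test-InfrastructureMasterPlacement -Domain $_ } | Format-Table -AutoSize
```

The second usage line walks every domain in the forest, which is what you want before and after moving the role or promoting a DC to GC, since a change in one domain (adding a non-GC DC, for instance) can silently turn a previously safe placement into a broken one.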
Q. Why won't the game Max Payne 2 run on my Windows installation?
A. I recently purchased Max Payne 2 for the PC. After I installed and attempted to start the game, nothing happened. I downloaded a patch from the vendor's Web site and applied it, but the game still wouldn't start, even with the CD-ROM present. After searching the Internet, I discovered that many people have experienced the same problem and that the only solution is to download a game crack from the Web that disables the need to have the CD-ROM inserted in the drive to play the game. After I applied the crack, the game worked.
The problem occurs because the game code uses copy protection that doesn't detect some types of CD/DVD drives. I typically don't condone applying game cracks, but you might not otherwise be able to play the game. The developers shouldn't have implemented this type of protection without sufficient testing to ensure that people who had purchased the game could actually play it.
(from Windows & .NET Magazine and its partners)
Windows & .NET Magazine Connections will be held April 4-7, 2004, in Las Vegas, Nevada. Complete details about workshops, breakout sessions, and speakers are now online. Save $200 if you hurry and register before the early bird discount expires. Register now on the Web or by calling 203-268-3204 or 800-505-1201.
(brought to you by Windows & .NET Magazine)
We've teamed with Microsoft, Avanade, and Network Associates to bring you a full day of training to help you get your organization secure and keep it secure. You'll learn how to implement a patch-management strategy; lock down servers, workstations, and network infrastructure; and implement security policy management. Register now for this free, 20-city tour.
Get your free kit for creating an enhanced risk-management plan.
5. Contact Us
Here's how to reach us with your comments and questions:
- About the newsletter — [email protected]
- About technical questions — http://www.winnetmag.com/forums
- About product news — [email protected]
- About your subscription — [email protected]
- About sponsoring UPDATE — [email protected]
This weekly email newsletter is brought to you by Windows & .NET Magazine, the leading publication for Windows professionals who want to learn more and perform better. Subscribe today.
Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.