Posts Tagged ‘70-291’

Remote Desktop for Administration is a component of Windows Server 2003 Terminal Services, which is designed for server management. It is a convenient and efficient service for remote management, as it can be used on an already busy server without noticeably affecting CPU performance. Administrators can fully administer computers running Windows Server 2003 family operating systems from computers running earlier versions of Windows by installing the Remote Desktop Connection.

Note: Remote Desktop for Administration does not require purchasing special licenses for client computers that access the server.

A forwarder is a DNS server that receives queries from other DNS servers on the network. To configure a forwarder in a network, DNS servers on the network are configured to send DNS queries to a particular DNS server. The DNS server acting as a forwarder need not require any special configuration. A forwarder has no secondary zones.

What are group policies?

Group policies specify how programs, network resources, and the operating system work for users and computers in an organization. They are collections of user and computer configuration settings that are applied on users and computers (not on groups). For better administration of group policies in the Windows environment, the group policy objects (GPOs) are used.

What is GPO?

Group policy object (GPO) is a collection of group policy settings. It can be created using a Windows utility known as the Group Policy snap-in. GPO affects the user and computer accounts located in sites, domains, and organizational units (OUs). Windows operating systems support two types of GPOs, local and non-local (Active Directory-based) GPOs.

Local GPOs

Local GPOs are used to control policies on a local server running Windows Server 2003/2008. On each Windows server, a local GPO is stored. The local GPO affects only the computer on which it is stored. By default, only Security Settings nodes are configured. The rest of the settings are either disabled or not enabled. The local GPO is stored in the %systemroot%SYSTEM32GROUPPOLICY folder.

Non-local GPOs

Non-local GPOs are used to control policies on an Active Directory-based network. A Windows server needs to be configured as a domain controller on the network to use a non-local GPO. Non-local GPOs must be linked to a site, domain, or organizational unit (OU) to apply group policies to the user or computer objects. Non-local GPOs are stored in %systemroot%SYSVOL<domain name>POLICIES<GPO GUID>ADM, where <GPO GUID> is the GPO’s globally unique identifier. Two non-local GPOs are created by default when the Active Directory is installed:

1. Default Domain Policy: This GPO is linked to the domain and affects all users and computers in the domain.
2. Default Domain Controllers Policy: This GPO is linked to the Domain Controllers OU and affects all domain controllers placed in this OU.

Multiple GPOs

When multiple group policy objects are assigned, the group policies are applied in the following order:

• The local group policy object is applied first.
• Then, the group policy objects linked to sites are applied.
  If multiple GPOs exist for a site, they are applied in the order specified by an administrator.
• GPOs linked to the domains are applied in the specified order.
• Finally, GPOs linked to OUs are applied.
  The OU group policy objects are set from the largest to the smallest organizational unit, i.e., first the parent OU and then the child OU.
  By default, a policy applied later overwrites a policy that was applied earlier. Hence, the settings in a child OU can override the settings in the parent OU.

Group policy settings are cumulative if they are compatible with each other. In case they conflict with each other, the GPO processed later takes precedence.

The following are the exceptions with regard to the above-mentioned settings:

1. No Override: Any GPO can be set to No Override. If the No Override configuration is set to a GPO, no policy configured in the GPO can be overridden. If more than one GPO has been set to No Override, then the one that is the highest in the Active Directory hierarchy takes precedence.
2. Block Policy Inheritance: The Block Policy Inheritance option can be applied to the site, domain, or OU. It deflects all group policy settings that reach the site, domain, or OU from the object higher in the hierarchy. However, the GPOs configured with the No Override option are always applied.
3. Loopback setting: By default, users settings override computer settings in case of any conflict in policy settings. By configuring the loopback setting, an administrator can reverse the process of the application of policies. When the Loopback option is configured, the computer settings take precedence on the users settings. The Looback option can be set as Not Configured, Enabled, or Disabled. The enabled Loopback option can be set in the following two modes:
• Replace mode: In this mode, the computer policy settings override the user policy settings.
• Merge mode: In this mode, the computer policy settings are appended to the user policy settings.

Note: The computers that are members of a workgroup are not affected by the non-local GPOs policy settings. They process only the local GPOs.

Group Policy Inheritance

The group policies are inherited from a parent to a child within a domain. They are not inherited from the parent domain to a child domain. The ollowing are the rules regarding group policy inheritance:

• A policy setting is configured (Enabled or Disabled) for a parent OU, and the same policy setting is not configured for its child OUs. The child OUs inherit the parent’s policy.
• A policy setting is configured (Enabled or Disabled) for a parent OU, and the same policy setting is configured for its child OUs. The child OUs settings override the settings inherited from the parent’s OU.
• If any policy is not configured, no inheritance takes place.
• Compatible policy settings configured at the parent and child OUs are accumulated.
• Incompatible policy settings from the parent OU are not inherited.

Filtering Scope of GPOs

Although GPOs are linked to the site, domain, or OUs, and they cannot be linked to the security groups directly, applying permissions to the GPO can filter its scope. The policies in a non-local GPO apply only to users who have the Read and Apply Group Policy permissions set to Allow. By specifying appropriate permissions to the security groups, the administrators can filter a GPO’s scope for the computers and users.

Note: The Apply Group Policy permission is not available with the local GPO.

Replication Monitor is a tool that is used to monitor the status of Active Directory replication between domain controllers. If the zone information is stored within Active Directory, Replication Monitor enables users to monitor replication between DNS servers. By default, Replication Monitor is not installed on Windows Server 2003. It can be installed from the i386SupportsTolls directory on the Windows Server 2003 CD. Replication Monitor can be launched from the command prompt by using the REPLMON.EXE command after its installation.

Take the following steps to restore the DHCP database:

1. Run DHCP from Start Menu > Programs > Administrative Tools > DHCP.

   

2. In the DHCP console tree, click the applicable DHCP server.

   

3. In the Action menu, click Restore.

   

4. In the Browse For Folder dialog box, select the folder that contains the backup DHCP database, and click the OK button.

   

The synchronization log stores information about the synchronization of contents. The log contains the following synchronization information:

• The success and failure information for the overall synchronization operation.
• The time of the next synchronization if scheduled synchronization is enabled.
• The update packages that have been downloaded or updated since the last synchronization.
• The update packages that have failed synchronization.
• The time in which the last synchronization has occurred.

The synchronization log can be accessed from the SUS Administration console or can be directly accessed by using the text editor. The name of the synchronization log file is historySync.xml. The file is located in the SUS installation folder under VRootAutoUpdateAdministration.

Root hints are DNS data stored in a DNS server. A DNS server contains a list of preliminary resource records (root hints) that can be used by the DNS service to locate other DNS servers that are authoritative for the root of the DNS domain namespace tree. Root hints are used to prepare servers authoritative for non-root zones so that they can learn and discover authoritative servers that manage domains located at a higher level or in other subtrees of the DNS domain namespace. These hints are essential for servers authoritative at lower levels of the namespace when locating and finding servers under these conditions. The root hints are stored in the file CACHE.DNS, located in the systemrootSystem32Dns folder.