2008-09-01

Groups and Group Nesting.

I am studying for my 70-290 exam (using the MS Self-Paced Training Kit) and am looking at Groups and Group Nesting. I remember from my MCSE (NT4) days about UGLR (Users > domain Groups > Local groups > Resources) a.k.a. AGDLP (user Accounts > Global groups > Domain Local groups > Permissions). This was fairly easy to understand. But of course with Active Directory things got more interesting, mostly due to the distinctions between the domain's functional level, group type and group scope.

First thing, know the domain functional level [MS DaDDaSS p 210-211]. This is important if you are trying to figure out questions related to group nesting: the answer changes depending on the domain functional level, because in some cases the domain must remain backward compatible with Windows NT domains.

  1. Windows 2000 mixed

    Allows for Windows NT 4, Windows 2000 and Windows Server 2003 domain controllers. Because Windows NT 4 had no concept of Universal groups, they are not available, nor are domain group nesting options. Default when installing first domain in forest.


  2. Windows Server 2003 interim

    Allows for Windows NT 4.0 and Windows Server 2003, but NOT Windows 2000 domain controllers. Same restrictions as Windows 2000 mixed. I'm not too clear why this even exists. I vaguely remember seeing something about migrating Windows NT 4 to Windows Server 2003. This requires more investigation.


  3. Windows 2000 native

    Allows for Windows 2000 and Windows Server 2003. Because there is no requirement to accommodate Windows NT 4 domain controllers, all of the features introduced in Windows 2000 Active Directory are enabled: Universal groups, AD group nesting, etc.


  4. Windows Server 2003

    Allows Windows Server 2003, but not Windows 2000 domain controllers. New features unique to Windows Server 2003 Active Directory are introduced: renaming of domain controllers (renaming domains is not allowed at this level, see below), inetOrgPerson can be used for authentication against other LDAP directories (eDirectory, OpenLDAP, etc), redirecting new user and computer accounts to a specific OU, etc.

Of course this should not be confused with forest functional levels [MS DaDDaSS p 212-213].


  1. Windows 2000

    Allows Windows NT 4, Windows 2000 and Windows Server 2003 domain controllers. All default Active Directory features -- need to know what this means.


  2. Windows Server 2003 interim

    Allows Windows NT 4 and Windows Server 2003 domain controllers. Advanced features: all default, linked value replication (???), improved replication (KCC) algorithms and scalability, more attributes added to GCs (Global Catalogues).


  3. Windows Server 2003

    Allows Windows Server 2003 domain controllers only. Advanced features: convert inetOrgPerson to User object and back again, deactivation/redefinition of attributes and classes in the schema, forest (vs. domain) trusts, renaming the domain, etc.


Second, now that domain and forest functional levels have been defined, we move on to the breakdown of groups. One way of breaking down groups is to look at the scope [MS DaDDaSS ch 15].

  1. Local (machine) group

    All Windows NT based operating systems (Windows NT 3.x, Windows NT 4, Windows 2000, Windows XP, Windows Server 2003, Windows Vista, Windows Server 2008) allow you to create users and groups that are local to the computer. So by definition they are not visible in the domain.

    The distinction of domain or forest functional level is irrelevant. (Maybe.)

    Members: Users from the same machine (computer) only.

    Members: Users, Groups from any trusted domain. (This needs to be verified for other domains in the same forest.)

    Member of: None.


  2. Domain Local group

    Membership information is stored in the Domain Local group's domain.

    For Windows 2000 mixed and Windows Server 2003 interim domains

    Members: Due to the limitations of Windows NT 4 domain controller compatibility, these groups can contain Users, Computers, Global groups from any domain in the same forest or a trusted domain in another forest. (I need to see if this applies to both explicit domain trusts and forest trusts).

    Member of: Due to the limitations of Windows NT 4 domain controller compatibility, these groups are local to the domain controllers only. (I need to do some testing to verify that 2000 & 2003 behave like NT 4).

    For Windows 2000 native and Windows Server 2003 domains

    Members: Can contain Users, Computers, Global groups, Universal groups from any domain in the same forest or a trusted domain in another forest.

    Members: Can contain Domain Local groups from the same domain only. DL(n) > DL(m), where n<>m.

    Member of: Domain Local group from same domain only. DL(n) > DL(m), where n<>m.

    Member of: Windows Server 2003 Resource in the same domain only. (I need to verify this.)


  3. (Domain) Global group

    Membership information is stored in the Global group's domain.

    For Windows 2000 mixed and Windows Server 2003 interim domains

    Members: Due to the limitations of Windows NT 4 domain controller compatibility, these groups can contain Users, Computers from the same domain only.

    Member of: Domain Local group from the same forest or a trusting domain in another forest. (Need to verify this too.)

    For Windows 2000 native and Windows Server 2003 domains

    Members: Can contain Users, Computers, Global groups from the same domain only. As with Domain Local groups G(n) > G(m), where n<>m. (What about Universal groups?)

    Member of: Global groups from the same domain only. As with Domain Local groups G(n) > G(m), where n<>m. (What about Universal groups?)

    Member of: Domain Local group from any domain in the same forest or a trusting domain in another forest.


  4. Universal groups

    Membership information is stored in Global Catalogues only.

    For Windows 2000 mixed and Windows Server 2003 interim domains

    Because Windows NT domains have no concept of Universal groups they are not available.

    For Windows 2000 native and Windows Server 2003 domains

    Members: Users, Computers, Global groups, Universal groups of any domain in the same forest. (What about trusted domains/forests?)

    Member of: Domain Local groups, Universal groups from any domain in the same forest. (Again, what about trusted domains/forests?)
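
As an added example that is not part of these notes, the per-scope "Members:" rules above for both functional-level groups can be written as a rule table and used to check a proposed membership chain such as user > Global > Universal > Domain Local. The level, domain and group names are constructed, and the cases the notes mark with question marks (Universal groups inside Global groups, Universal groups nested across trusted forests) are treated as not allowed.

```python
"""Rule checker for the nesting matrix in these notes (constructed example;
the tables transcribe the notes' "Members:" lines, not Microsoft code)."""

MIXED = {"Windows 2000 mixed", "Windows Server 2003 interim"}
NATIVE = {"Windows 2000 native", "Windows Server 2003"}
# How the member's domain relates to the container group's domain.
SAME, FOREST, TRUSTED = "same domain", "same forest", "trusted forest"
ANY = {SAME, FOREST, TRUSTED}

# container scope -> member scope -> relationships the notes allow
NATIVE_RULES = {
    "domain_local": {"user": ANY, "computer": ANY, "global": ANY,
                     "universal": ANY, "domain_local": {SAME}},
    "global": {"user": {SAME}, "computer": {SAME}, "global": {SAME}},
    "universal": {k: {SAME, FOREST}
                  for k in ("user", "computer", "global", "universal")},
}
# Mixed/interim: no Universal groups; the only nesting is Global into DL.
MIXED_RULES = {
    "domain_local": {"user": ANY, "computer": ANY, "global": ANY},
    "global": {"user": {SAME}, "computer": {SAME}},
}

def relation(member_domain, container_domain, forest_of):
    """forest_of maps domain -> forest; a domain in another forest is
    assumed to be reachable over a trust (assumption for this example)."""
    if member_domain == container_domain:
        return SAME
    if forest_of[member_domain] == forest_of[container_domain]:
        return FOREST
    return TRUSTED

def can_contain(level, container, member, rel):
    """Does the notes' matrix let `container` hold `member` related by `rel`?"""
    rules = NATIVE_RULES if level in NATIVE else MIXED_RULES if level in MIXED else None
    if rules is None:
        raise ValueError(f"unknown domain functional level: {level}")
    return rel in rules.get(container, {}).get(member, set())

def validate_chain(level, chain, forest_of):
    """chain = [(scope, domain, name), ...] from the account outwards, e.g.
    user > Global > Universal > Domain Local. Returns the rejected links."""
    problems = []
    for (ms, md, mn), (cs, cd, cn) in zip(chain, chain[1:]):
        rel = relation(md, cd, forest_of)
        if (ms, md, mn) == (cs, cd, cn):
            problems.append(f"{cn}: a group cannot be its own member (n<>m)")
        elif not can_contain(level, cs, ms, rel):
            problems.append(f"{cn} ({cs}) cannot contain {mn} ({ms}, {rel}) at {level}")
    return problems
```

Running the same chain through validate_chain at "Windows 2000 mixed" and at "Windows Server 2003" shows why the exam answer depends on the functional level: the Universal link is rejected only at mixed.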

Thirdly, the next breakdown of groups is the group type: security or distribution list. Security groups are used when granting access (ACLs in permissions); distribution lists are used by Microsoft Exchange 2000, 2003 and 2007. The group type can be switched from security to distribution list and back again. This is useful for temporarily disabling security groups by converting them to a distribution list: they retain their membership information but are no longer valid for access [MS DaDDaSS p719].


MS DaDDaSS = Microsoft Designing and Deploying Directory and Security Services, ISBN 0-7356-1486-5
