All About Active Directory

Overview

Keeping track of everything on your network is a time-consuming task. Even on small networks, users tend to have difficulty finding network file and printer shares. Without some kind of network directory, medium and large networks are impossible to manage, and users will often have a difficult time finding resources on the network.
Previous versions of Microsoft Windows included services to help users and administrators find network resources. Network Neighborhood is useful in many environments, but users often complain about the clumsy interface, and its unpredictability baffles many administrators. The WINS Manager and Server Manager could be used to view a list of systems on the network, but they were not readily available to end users. Administrators utilized User Manager to add and delete users, an entirely different type of network object. These applications got the job done, but proved to be inefficient—especially in large networks.
All of these objects resided in a common container: the Microsoft Windows NT domain. Windows NT domains worked best in small-sized and medium-sized environments. Administrators of large environments were forced to partition their network into multiple domains interconnected with trusts. Microsoft Windows 2000 Server introduces Active Directory to replace domain functionality. Active Directory will continue to get the job done, but in a much more efficient way. Active Directory can be replicated between multiple domain controllers, so no single system is critical. In this way, the crucial data stored within Active Directory is both redundant and load-balanced.
A directory, in the most generic sense, is a comprehensive listing of objects. A phone book is a type of directory that stores information about people, businesses, and government organizations. Phone books typically record names, addresses, and phone numbers. Active Directory is similar to a phone book in several ways, and it is far more flexible. Active Directory will store information about organizations, sites, systems, users, shares, and just about any other network object that you can imagine. Not all objects are as similar to each other as those stored in the phone book, so Active Directory includes the ability to record different types of information about different objects. This chapter will teach you
  • What Active Directory is
  • How standard protocols like DNS dynamic update protocol and Lightweight Directory Access Protocol (LDAP) are used
  • How to plan for migrating to Active Directory
  • What objects, schema, object classes, and attributes are
  • How replication and partitioning work
  • What the global catalog is useful for and how to use it

Active Directory Components

As I mentioned in the introduction, Active Directory stores information about network components. It allows clients to find objects within its namespace. The term namespace (also known as console tree) refers to the area in which a network component can be located. For example, the table of contents of this book forms a namespace in which chapters can be resolved to page numbers. DNS is a namespace that resolves host names to IP addresses. Telephone books provide a namespace for resolving names to telephone numbers. Active Directory provides a namespace for resolving the names of network objects to the objects themselves. Active Directory can resolve a wide range of objects, including users, systems, and services on a network.
Everything that Active Directory tracks is considered an object. An object is any user, system, resource, or service tracked within Active Directory. The generic term object is used because Active Directory is capable of tracking a variety of items, and many objects can share common attributes.
Attributes describe objects in Active Directory. For example, all User objects share attributes to store a user name, full name, and description. Systems are also objects, but they have a separate set of attributes that include a host name, an IP address, and a location.
The set of attributes available for any particular object type is called a schema. The schema makes object classes different from each other. Schema information is actually stored within Active Directory, which allows administrators to add attributes to object classes and have them distributed across the network to all corners of the domain, without restarting any domain controllers.
A container is a special type of object used to organize Active Directory. It does not represent anything physical, like a user or a system. Instead, it is used to group other objects. Container objects can be nested within other containers.
Each object in an Active Directory has a name. These are not the names that you are accustomed to, like "Tony" or "Eric." They are LDAP distinguished names. LDAP distinguished names are complicated, but they allow any object within a directory to be identified uniquely regardless of its type. My distinguished name on the Microsoft network is "/O=Internet/DC=COM/DC=Microsoft/DC=MSPress/CN=Users/CN=Tony Northrup"…but you can call me Tony.
The term tree is used to describe a set of objects within Active Directory. When containers and objects are combined hierarchically, they tend to form branches—hence the term. A related term is contiguous subtree, which refers to an unbroken branch of the tree.
Continuing the tree metaphor, the term forest describes trees that are not part of the same namespace but that share a common schema, configuration, and global catalog. Trees in a forest all trust each other, so objects in these trees are available to all users if the security allows it. Organizations that are divided into multiple domains should group the trees into a single forest.
A site is a geographical location, as defined within Active Directory. Sites correspond to logical IP subnets, and as such, they can be used by applications to locate the closest server on a network. Using site information from Active Directory can profoundly reduce the traffic on wide area networks.

Managing Active Directory

The Active Directory Users and Computers MMC snap-in is the most useful tool for administering your Active Directory. It is directly accessible from the Administrative Tools program group on the Start menu. It replaces and improves upon Server Manager and User Manager from Windows NT 4.0. Take a few minutes to familiarize yourself with this tool. It is very intuitive—just be sure not to make any modifications until you understand how Active Directory works.

Security

Active Directory plays an important role in the future of Windows networking. Administrators must be able to protect their directory from attackers and users, while delegating tasks to other administrators where necessary. This is all possible using the Active Directory security model, which associates an access control list (ACL) with each container, object, and object attribute within the directory. Figure 11-1 shows a step from the Delegation Of Control wizard, a helpful utility for assigning permissions to Active Directory objects.

Figure 11-1: The Delegation Of Control wizard makes it simple to assign permissions to objects.
This high level of control allows an administrator to grant individual users and groups varying levels of permissions for objects and their properties. Administrators can even add attributes to objects and hide those attributes from certain groups of users. For example, the administrator could set the ACLs such that only managers can view the home phone numbers of other users. Nonmanagers would not even know that the attribute existed.
A concept new to Windows 2000 Server is delegated administration. This allows administrators to assign administrative tasks to other users, while not granting those users more power than necessary. Delegated administration can be assigned over specific objects or contiguous subtrees of a directory. This is a much more effective method of giving authority over the network; rather than granting someone the all-powerful Domain Administrator permissions, he or she can be given permissions for just those systems and users within a specific subtree. Active Directory supports inheritance, so any new objects inherit the ACL of their container.
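The three ideas in the preceding paragraphs, per-attribute ACLs, inheritance of a container's ACL by new objects, and delegation scoped to a subtree, can be seen working together in the following toy model. It is an added example, not Windows or Active Directory code, and every container, group, user and attribute name in it is constructed for illustration. Note how a caller who lacks read permission on homePhone does not merely get an error: the attribute is absent from what they see.

```python
"""Toy model of per-attribute ACLs, container inheritance and delegation
(added example; not Active Directory code; all names are constructed)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Ace:
    principal: str       # user or group granted or denied the right
    right: str           # "read" or "write"
    attribute: str       # attribute name, or "*" for every attribute
    allow: bool = True   # False is an explicit deny, which overrides allows


@dataclass
class DirObject:
    dn: str
    attributes: dict = field(default_factory=dict)
    acl: list = field(default_factory=list)


def create_child(parent: DirObject, rdn: str, attributes=None, extra_aces=()):
    """Create an object inside a container; it inherits the container's ACL
    and may carry additional ACEs of its own (used here for delegation)."""
    return DirObject(dn=f"{parent.dn}/{rdn}",
                     attributes=dict(attributes or {}),
                     acl=list(parent.acl) + list(extra_aces))


def is_allowed(obj: DirObject, identities, right: str, attribute: str) -> bool:
    """Evaluate obj's ACL for a caller whose token expands to `identities`
    (the user name plus all group names). Any matching deny wins; otherwise
    an allow on the attribute itself or on '*' grants the right."""
    allowed = False
    for ace in obj.acl:
        if ace.principal not in identities or ace.right != right:
            continue
        if ace.attribute not in ("*", attribute):
            continue
        if not ace.allow:
            return False
        allowed = True
    return allowed


def visible_attributes(obj: DirObject, identities) -> dict:
    """Only attributes the caller may read are returned; the rest are hidden,
    so the caller cannot even tell that they exist."""
    return {name: value for name, value in obj.attributes.items()
            if is_allowed(obj, identities, "read", name)}


def build_sample_directory() -> dict:
    """Constructed directory: a Users container holding Sales and Engineering
    containers, Sales administration delegated to one group, and a
    managers-only home phone number."""
    users = DirObject(dn="/DC=example/CN=Users", acl=[
        Ace("Domain Admins", "read", "*"),
        Ace("Domain Admins", "write", "*"),
        Ace("Authenticated Users", "read", "cn"),
        Ace("Authenticated Users", "read", "mail"),
        Ace("Managers", "read", "homePhone"),               # only managers see it
        Ace("Contractors", "read", "homePhone", allow=False),  # deny beats allow
    ])
    # Delegation: Sales Admins may write anything under the Sales container only.
    sales = create_child(users, "OU=Sales",
                         extra_aces=[Ace("Sales Admins", "write", "*")])
    engineering = create_child(users, "OU=Engineering")
    alice = create_child(sales, "CN=Alice", {
        "cn": "Alice", "mail": "alice@example.test", "homePhone": "555-0100"})
    bob = create_child(engineering, "CN=Bob", {
        "cn": "Bob", "mail": "bob@example.test", "homePhone": "555-0101"})
    return {"alice": alice, "bob": bob}


if __name__ == "__main__":
    d = build_sample_directory()
    print("non-manager sees:", visible_attributes(d["alice"], {"Authenticated Users"}))
    print("manager sees:", visible_attributes(d["alice"], {"Authenticated Users", "Managers"}))
    print("Sales Admin can edit Bob:", is_allowed(d["bob"], {"Sales Admins"}, "write", "mail"))
```

The deny entry for Contractors shows the check a practitioner wants when delegating: a user who is both a Manager and a Contractor still cannot read homePhone, because an explicit deny is evaluated before any allow.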
Try to forget what you've learned about Windows NT domain trusts. The term trusts is still used, but trusts have very different functionality. There is no distinction between one-way and two-way trusts because all Active Directory trusts are bidirectional. Further, all trusts are transitive. So, if Domain A trusts Domain B, and Domain B trusts Domain C, then there is an automatic implicit trust between Domain A and Domain C. This new functionality is shown in Figure 11-2.

Figure 11-2: Windows 2000 Server trusts are bidirectional and transitive.
Another Active Directory security feature is auditing. Just as you can audit NTFS partitions, objects and containers within Active Directory can be audited. This is a useful way to determine who is attempting to access objects, and whether or not they succeed.

Use of DNS (Domain Name System)

Domain Name System, or DNS, is necessary to any Internet-connected organization. DNS provides name resolution between common names, such as mspress.microsoft.com, and the raw IP addresses that network layer components use to communicate. Active Directory makes extensive use of DNS technology and relies on DNS to locate objects within Active Directory. This is a substantial change from previous Windows operating systems that require NetBIOS names to be resolved to IP addresses, and to rely on WINS or another NetBIOS name resolution technique.
Active Directory works best when used with Windows 2000–based DNS servers. Microsoft has made it easy for administrators to transition to Windows 2000–based DNS servers by providing migration wizards that walk the administrator through the process. Other DNS servers can be used, but administrators will need to spend more time managing the DNS databases. If you decide not to use Windows 2000–based DNS servers, you should make sure your DNS servers comply with the new DNS dynamic update protocol. Active Directory servers rely on dynamic update to update their pointer records, and clients rely on these records to locate domain controllers. If dynamic update is not supported, you will have to update the databases manually.
Note: DNS dynamic update protocol is defined in RFC 2136.
Windows domains and Internet domains are now completely compatible. A domain name such as mspress.microsoft.com will identify Active Directory domain controllers responsible for the domain, so any client with DNS access can locate a domain controller. Active Directory clients can use DNS resolution to locate any number of services because Active Directory servers publish a list of addresses to DNS using the new features of dynamic update. These addresses identify both the domain and the service being provided and are published via Service Resource Records (SRV RRs). SRV RRs follow this format:
service.protocol.domain
Active Directory servers provide the LDAP service for object location, and LDAP relies on TCP as the underlying transport-layer protocol. Therefore, a client searching for an Active Directory server within the mspress.microsoft.com domain would look up the DNS record for ldap.tcp.mspress.microsoft.com.
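The lookup just described can be worked through in code. The following is an added example, not code from the chapter: it builds the query name, parses SRV answers in their presentation form, and picks a server the way RFC 2782 prescribes (lowest priority first, then a weighted random choice). It assumes the RFC 2782 naming convention, which prefixes the service and protocol labels with underscores (_ldap._tcp.<domain>), whereas the chapter writes the labels without them. The answers are constructed sample records; no DNS query is sent.

```python
"""SRV query-name construction and server selection for the LDAP service
(added example, not from the chapter; sample answers are constructed)."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SrvRecord:
    priority: int  # lower value is tried first
    weight: int    # relative share of load among records of equal priority
    port: int
    target: str    # host name of the server offering the service


def srv_query_name(service: str, protocol: str, domain: str) -> str:
    """Owner name to look up, e.g. _ldap._tcp.mspress.microsoft.com
    (RFC 2782 form with underscore-prefixed labels)."""
    return f"_{service.lower()}._{protocol.lower()}.{domain.strip('.').lower()}"


def parse_srv_rdata(rdata: str) -> SrvRecord:
    """Parse the presentation form 'priority weight port target'."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"malformed SRV record: {rdata!r}")
    priority, weight, port, target = fields
    return SrvRecord(int(priority), int(weight), int(port), target.rstrip("."))


def select_target(records, rng=None) -> SrvRecord:
    """Choose a record: the lowest priority wins, and within that priority the
    choice is random in proportion to weight. Weight-0 records are only
    picked when every candidate at that priority has weight 0."""
    if not records:
        raise ValueError("no SRV records for this service")
    if rng is None:
        rng = random.Random()
    best = min(r.priority for r in records)
    candidates = [r for r in records if r.priority == best]
    total = sum(r.weight for r in candidates)
    if total == 0:
        return rng.choice(candidates)
    pick = rng.randint(0, total - 1)
    running = 0
    for record in candidates:
        running += record.weight
        if pick < running:
            return record
    return candidates[-1]


# Constructed sample answers standing in for a DNS server's reply.
SAMPLE_ANSWERS = [
    "0 100 389 dc1.mspress.microsoft.com.",
    "0 50 389 dc2.mspress.microsoft.com.",
    "10 0 389 dc-backup.mspress.microsoft.com.",   # only used if both dc1 and dc2 are absent
]


def locate_ldap_server(domain: str, answers=SAMPLE_ANSWERS, seed=None):
    """Return (query name, chosen record) for the LDAP service of a domain."""
    name = srv_query_name("ldap", "tcp", domain)
    records = [parse_srv_rdata(a) for a in answers]
    return name, select_target(records, random.Random(seed))


if __name__ == "__main__":
    query, chosen = locate_ldap_server("mspress.microsoft.com", seed=1)
    print(query, "->", chosen.target, chosen.port)
```

Because the client trusts whatever these records say, a practitioner reading this section should take away that the integrity of the DNS zone holding the SRV records is part of the domain's security boundary: a client follows the target it is given.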

Global Catalog

Active Directory provides a global catalog (GC). No, this does not mean that you can find any piece of information on the planet—but it is still very significant. Active Directory provides a single source to locate any object within an organization's network.
The global catalog is a service within Windows 2000 Server that allows users to find any objects to which they have been granted access. This functionality far surpasses that of the Find Computer application included in previous versions of Windows, because users can search for any object within Active Directory: servers, printers, users, and applications. For example, Figure 11-3 shows how a user can search for all color printers in his or her building that have the capability to print double-sided documents.

Figure 11-3: The global catalog helps users find network resources.
This feature is especially important because of the complexity of LDAP names. Older versions of Windows relied on 15-character NetBIOS computer names, which users could often remember. Few people would be able to recall LDAP names, such as the following:
/O=Internet/DC=COM/DC=Microsoft/DC=MSPress/CN=Computers/CN=Server1
Because users can easily search for objects, remembering names is much less important.
The GC is an index stored on Active Directory servers. It contains the names of all objects in the Active Directory server, regardless of how the server has been partitioned. The GC also contains a handful of searchable attributes for each object. For example, the GC would store the distinguished names, first names, and last names of all users—allowing someone to search for anyone named Tony and find the distinguished name of the user. The global catalog is a subset of Active Directory, and stores only those attributes that users tend to search on. Useful defaults are provided by Microsoft, and administrators can specify other attributes to be searchable by using the Active Directory Schema, described later in this chapter.

Not All Indexes Are Created Equal!

If you have done any database administration, you already know that some types of information are more useful to index than other types. Naturally, you should index attributes that will be searched for often, but there are other factors involved. Indexes take up space, so it is not efficient to index everything. Indexes also slow down updates and inserts—if an indexed attribute is modified, the index must be modified as well. Indexing works better when the data being stored varies from user to user. Therefore, never index true or false attributes or any attribute with less than five possible values. Names are an excellent attribute to index since they are almost unique for each user. Finally, don't index attributes that aren't usually filled in. If few users enter a value for their middle name, the indexing of that attribute is a waste.
As new objects are created in Active Directory, they are assigned a unique number called a GUID (globally unique identifier). The GUID is useful because it stays the same for any given object, regardless of where the object is moved. The GUID is a 128-bit identifier, which isn't particularly meaningful to users, but applications that reference objects in Active Directory can record the GUIDs for objects and use the global catalog to find them even after they've moved.

Replication

Administrators who implement Active Directory will quickly discover that their network relies heavily on its services. This reliance means that Active Directory must be available on multiple servers—so that if a single server fails, clients can contact a server with duplicate services and information. Unlike the Windows NT domain databases used with previous versions of Windows NT, updates to the database can be sent to any of the Active Directory servers. While this complicates the replication process, it eliminates the possibility that the failure of a single domain controller would stop updates to the databases. It also reduces the high load placed on Windows NT 4.0 primary domain controllers.
Windows 2000 Server includes a replication component within the suite of Active Directory services that makes this a simple task for administrators. Simply adding domain controllers to an Active Directory domain is sufficient to begin the replication process.
One of the most complex parts of making redundant servers work properly is replicating the information and ensuring that all servers have the most up-to-date content. Active Directory uses multimaster replication, which is another way of stating that updates can occur on any Active Directory server. Each server keeps track of which updates it has received from which servers, and can intelligently request only necessary updates in case of a failure.

How Active Directory Replication Works

Active Directory replication will seem logical if you're already familiar with how replication works in Windows NT 4.0 domains. Each update is assigned its own 64-bit unique sequence number (USN) from a counter that is incremented whenever a change is made. These updates are system-specific, so every Active Directory server maintains a separate counter.
When a server replicates an update to other Active Directory servers, it sends the USN along with the change. Each server maintains an internal list of replication partners and the highest USN received from them. The server receiving the update requests only those changes with USNs higher than previously received. This method has the added benefit of stopping updates from propagating endlessly between multiple Active Directory servers.
One problem inherent in any multimaster replication scheme is that updates to a single object can occur in multiple places at the same time. For example, if an administrator in Boston changes a user's name from "Curt" to "Kurt" and an administrator in Chicago simultaneously changes that same user's name from "Curt" to "Kirk," a replication collision will occur. There are two problems to deal with when a collision occurs: detecting the collision and resolving the collision.
Active Directory stores property version numbers to allow replication collision detection. These numbers are specific to each property of every object within Active Directory and are updated every time the property is modified. These numbers are propagated through Active Directory along with the change, so a server that receives two different updates to the same property with the same property version number can conclude that a replication collision has occurred.
Active Directory servers resolve collisions by applying the update with the later timestamp. The timestamp is created by the server that initiated the change, so it is very important to keep system time synchronized between Windows 2000 servers.
Note: Use the built-in distributed time synchronization service to keep all servers working together!
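The mechanics of the last few paragraphs, per-server USN counters, the highest USN remembered per partner, property version numbers for collision detection and originating timestamps for resolution, are simulated below on the chapter's own Curt/Kurt/Kirk scenario. This is an added example, not Active Directory code: the server names, the object, the attribute and the clock values are constructed, partners replicate directly with each other (no transitive forwarding), and a timestamp tie simply keeps the value already held, which is a simplification of this model rather than a statement about the product.

```python
"""Simulation of USN-based replication with property-version collision
detection and timestamp resolution (added example; not Active Directory
code; servers, object and clock values are constructed)."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Change:
    usn: int          # USN assigned by the originating server
    origin: str       # server where the change was made
    obj: str
    prop: str
    value: str
    version: int      # property version number after this change
    timestamp: float  # originating server's clock when the change was made


@dataclass
class Server:
    name: str
    usn: int = 0
    # (obj, prop) -> (value, version, timestamp, origin)
    data: dict = field(default_factory=dict)
    log: list = field(default_factory=list)        # changes originated here, by USN
    watermark: dict = field(default_factory=dict)  # partner -> highest USN received
    collisions: list = field(default_factory=list)

    def write(self, obj: str, prop: str, value: str, timestamp: float) -> Change:
        """Local update: advance this server's USN and bump the property version."""
        self.usn += 1
        _, version, _, _ = self.data.get((obj, prop), (None, 0, 0.0, None))
        change = Change(self.usn, self.name, obj, prop, value, version + 1, timestamp)
        self.data[(obj, prop)] = (value, version + 1, timestamp, self.name)
        self.log.append(change)
        return change

    def pull_from(self, partner: "Server") -> int:
        """Request only changes above the last USN seen from this partner, so
        nothing is applied twice and updates cannot circulate forever."""
        seen = self.watermark.get(partner.name, 0)
        new = [c for c in partner.log if c.usn > seen]
        for change in new:
            self.apply(change)
        if new:
            self.watermark[partner.name] = new[-1].usn
        return len(new)

    def apply(self, c: Change) -> None:
        current = self.data.get((c.obj, c.prop))
        if current is None or c.version > current[1]:
            self.data[(c.obj, c.prop)] = (c.value, c.version, c.timestamp, c.origin)
            return
        _, version, timestamp, origin = current
        if c.version == version and c.origin != origin:
            # The same version was reached independently on two servers: a
            # collision. The update with the later originating timestamp wins.
            self.collisions.append((c.obj, c.prop, origin, c.origin))
            if c.timestamp > timestamp:
                self.data[(c.obj, c.prop)] = (c.value, c.version, c.timestamp, c.origin)
        # an older version is simply discarded


def run_collision_demo() -> dict:
    """Boston and Chicago rename the same user at the same time (constructed)."""
    boston, chicago = Server("Boston"), Server("Chicago")
    user = "CN=Curt,CN=Users,DC=example,DC=test"
    boston.write(user, "givenName", "Curt", timestamp=1.0)
    chicago.pull_from(boston)                  # both now hold version 1
    boston.write(user, "givenName", "Kurt", timestamp=100.0)
    chicago.write(user, "givenName", "Kirk", timestamp=100.5)   # half a second later
    boston.pull_from(chicago)
    first = chicago.pull_from(boston)
    second = chicago.pull_from(boston)         # nothing new: the watermark stops re-sending
    return {
        "boston": boston.data[(user, "givenName")][0],
        "chicago": chicago.data[(user, "givenName")][0],
        "collisions": len(boston.collisions) + len(chicago.collisions),
        "first_pull": first,
        "second_pull": second,
    }


if __name__ == "__main__":
    print(run_collision_demo())
```

Running it shows both servers converging on "Kirk" because Chicago's clock stamped its change later. Shift Chicago's timestamp earlier than Boston's and "Kurt" wins instead, which is exactly why the note above insists on synchronized time: a server with a skewed clock silently wins or loses every collision it takes part in.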

Partitioning

Large networks can contain hundreds of thousands of objects. Windows NT required multiple domains to allow that many objects to be manageable. Administrators often divided users and resources into separate domains and created a trust between the domains. The structure of the databases simply did not allow them to grow to hundreds of thousands of objects. These size limitations are less a factor in Active Directory domains, thankfully. However, supporting a very large Active Directory could be an incredible burden to any single domain controller.
Active Directories can be partitioned to lessen this load. Partitioning allows different domain controllers to manage different sections of the database, reducing the load on any individual server. The clients can use resources located within different Active Directory partitions transparently. Therefore, administrators can manage massive Active Directory domains without requiring domain controllers to handle the entire database.

Schema: Attributes and Object Classes

As I defined the term earlier, a schema is a set of attributes used to describe a particular object class in Active Directory. Different types of information need to be tracked for different object classes, and that's why the schema is so important. For example, the Users object class needs attributes for a first name, last name, phone number, e-mail address, and mailing address. The Printer object class must have many different attributes—users will want to know how fast a printer is and whether it can duplex or print in color. These attributes can be viewed and edited using the Active Directory Schema MMC snap-in, as shown in Figure 11-4. The Active Directory Schema does not have an icon within the Start menu; you must launch the MMC interface and add the snap-in named Active Directory Schema.

Figure 11-4: The Active Directory Schema allows classes and attributes to be modified.
By default, object classes come with a logical set of attributes that will fit most organizations' needs. However, many organizations will need to track additional information about particular object classes. For example, if employees are assigned a badge number, it is useful to track that information in the object class. The first step is to create an attribute called BadgeID, as shown in Figure 11-5 on the next page. The second step is to make the new attribute optional for the Users class.

Figure 11-5: Attributes can be added with the Active Directory Schema snap-in.
The schema is stored within Active Directory just like other objects. Therefore, the schema inherits the ability to be automatically replicated throughout a domain. It also benefits from the security features of Active Directory, and allows administrators to delegate authority over the schema to different users and groups. By changing the ACLs on a schema object, an administrator can allow any user to add or modify attributes for an object class. The example in Figure 11-6 shows that the group East Coast Administrators has been granted full control over the schema.

Editing the Schema Isn't All That Easy!

By default, Active Directory servers do not allow the schema to be edited. Before this can be done, you must add a REG_DWORD value to the Registry named Schema Update Allowed and set it to 1. This value should be added to the following Registry key:
HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters

Figure 11-6: Modifying the schema can be delegated to groups and users.
New attributes have several properties that must be set. The user creating a new attribute must define a name for the attribute (such as Badge ID #), the type of data to be stored (such as a string or a number), and the range limits (such as string length). A unique Object Identifier (OID) must also be provided. New attributes can be indexed, which adds the attributes to the global catalog. Indexes should be created for attributes that users will search with. In this example, if security needs to look up user accounts by the Badge ID number, this attribute should be indexed. For a search to occur on a nonindexed attribute, a slow and processor-intensive walk of the directory tree must be done.
You cannot delete a class or an attribute with the Active Directory Schema or any other tool. Once you create them, they will exist forever within your Active Directory. The only option you have is to deactivate a class, which stops it from being used in the future. You cannot deactivate a class or an attribute that has dependencies within Active Directory. For example, if an attribute is still used by an active class, that attribute must remain active.

Where Do Object Identifiers Come From?

The only way to ensure Object Identifiers are globally unique is to have a central agency that assigns OIDs. This is already common practice on the Internet; the InterNIC assigns domain names and the Internet Assigned Numbers Authority (IANA) assigns IP subnets. Object Identifiers are assigned by a National Registration Authority, or NRA. NRAs vary from country to country. In the United States, the American National Standards Institute (ANSI) provides NRA services. For a modest fee, ANSI can supply your organization with a root OID. Any objects created by your organization will have this root OID as the prefix, ensuring that Object Identifiers are globally unique.
A list of NRAs can be found at the International Standards Organization's Web site, at http://www.iso.ch.
The schema is cached by Active Directory servers for performance reasons. It will take up to five minutes for the cache to be updated after you change the schema. So, wait a few minutes before you try to create objects based on your new object classes and attributes. If you must reload the cache immediately, add the attribute schemaUpdateNow to the root object (the object without a distinguished name), and set the value to 1.
Extending the schema of Active Directory is a powerful capability. However, most administrators will never need to use anything but the classes and attributes Microsoft has provided by default.

Objects

Many people are initially confused by the relationship between object classes, attributes, and the objects themselves. Objects are created based on an object class. Attributes describe an object class. When an object is created, it inherits all the attributes of its object class. Here's where it gets tricky: object classes and attributes are also objects in Active Directory. Fortunately, most user interfaces hide this fact.
An object can be either a reference to something concrete or the actual useful information itself. For example, every bit of information about a user account is stored within Active Directory. However, only a reference to a disk volume is stored in Active Directory. While the reference is not useful by itself, it is used to locate the volume on the file server. When creating new object classes, carefully consider whether the object will store a reference to something external or whether all necessary information will be contained in the object's attributes. While Active Directory is extremely convenient, it should not be used to store large amounts of information, constantly changing information, or rarely used information.
Anytime you add a user or a computer to Active Directory, you are creating an object. Creating an object is often referred to as publishing, because it kicks off a process of replicating the new information across all Active Directory servers in the domain.

Standard Object Classes

Windows 2000 Server relies on Active Directory to store a great deal of useful information about users, groups, and machine accounts, which are of particular interest to administrators because they will be the most commonly accessed parts of Active Directory. The new user interface might not seem intuitive if you're an administrator of previous versions of Windows NT, but once you spend some time with it, things will be easier.

Users

User accounts are no longer managed using a dedicated utility. Instead, administrators use the Active Directory Users and Computers MMC snap-in, as shown in Figure 11-7 on the next page. The user accounts themselves have changed significantly, as well. Windows NT 4.0 simply tracks the user name, full name, description, password, and a handful of other attributes for each user. Windows 2000 Server takes advantage of Active Directory to extend these attributes. You can now use Active Directory to track a great deal of personal information about people, including phone number, address, and manager name. All of this additional information is entirely optional.

Figure 11-7: The Active Directory Users and Computers snap-in replaces the User Manager.

Groups

Active Directory groups are similar to user groups in previous versions of Windows NT. However, they have a couple of new features as well. The newest version of Microsoft Exchange allows groups to be used as e-mail distribution lists. To make this more useful, e-mail accounts can be added to the groups to allow distribution to users who are not members of the same Active Directory tree. Groups can also be nested within each other. This will greatly reduce the amount of time administrators spend managing users and groups.
There are now three distinct types of user groups. Universal Groups will be the most commonly used type, and can contain users and other groups from anywhere in the forest. They are replicated outside of the domain and appear in the global catalog. Global Groups can only contain users and groups from the same domain. Global Groups are listed in the global catalog, but their membership list does not leave the domain. Domain Local Groups can only be applied to ACLs (access control lists) within the same domain but can contain users and groups from other domains. They are neither replicated outside of the domain nor listed in the global catalog. Any of these types of groups can participate in domain security or merely function as a distribution list.
Many groups are provided by Windows 2000 Server by default. These groups are called the built-in groups, and are pictured in Figure 11-8. Administrators can use these default groups for most purposes, and can add their own groups as needed.

Figure 11-8: Windows 2000 Server provides many built-in groups.

Machine Accounts

Systems that join a domain are automatically given a computer account in Active Directory. This is similar to adding a system to a Windows NT 4.0 domain. However, systems can be added to the domain even if they do not participate in domain security. For example, a computer object can be created for a UNIX system to help the administrators track that system.

Lightweight Directory Access Protocol (LDAP)

Active Directory reflects Microsoft's trend toward relying on standard protocols. The Lightweight Directory Access Protocol (LDAP) is a product of the IETF (Internet Engineering Task Force). It defines how clients and servers exchange information about a directory. LDAP version 2 and version 3 are used by Windows 2000 Server's Active Directory.

Distinguished Names

It is very important to understand the structure of distinguished names, as you will be referring to them often in the course of your job. My distinguished name is /O=Internet/DC=COM/DC=Microsoft/DC=MSPress/CN=Users/CN=Tony Northrup. Consider Figure 11-9, which shows how I fit into a sample Active Directory tree. The distinguished name I gave starts to make some sense—it identifies each container from the very top down to my specific object. Each container is separated by a slash and an identifier. For example, COM, Microsoft, and MSPress are each preceded by /DC=. The DC stands for Domain Component, which identifies a DNS domain.

Figure 11-9: Distinguished names describe the location of an object in a tree.
To simplify distinguished names, relative distinguished names can also be used. The relative distinguished name of the previous example is CN=Tony Northrup, identifying the user name but not the context in which it resides. The context must be known already for the relative distinguished name to be an effective identifier.
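A small parser makes the structure of these names concrete. The following is an added example, not code from the chapter; it uses the chapter's own sample names. It reads the root-first slash notation the chapter uses (/O=Internet/DC=COM/.../CN=Tony Northrup), extracts the relative distinguished name, the parent container and the DNS domain named by the DC components, and converts to and from the comma-separated, leaf-first form that LDAP itself uses (RFC 2253: CN=Tony Northrup,CN=Users,DC=MSPress,DC=Microsoft,DC=COM). The conversion honours backslash escapes, which matters in practice because a name such as "Northrup, Tony" contains the very comma that separates components.

```python
"""Distinguished-name parsing in the chapter's slash form and in LDAP's
comma form (added example, not from the chapter; sample names are the
chapter's own)."""
import re

_ESCAPE_RE = re.compile(r'([,+"\\<>;])')   # characters RFC 2253 requires escaping
_UNESCAPE_RE = re.compile(r"\\(.)")


def parse_slash_dn(dn: str):
    """Slash form, root first, into a list of (type, value) pairs."""
    rdns = []
    for part in dn.strip().split("/"):
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed RDN: {part!r}")
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip()))
    if not rdns:
        raise ValueError("empty distinguished name")
    return rdns


def split_ldap_dn(dn: str):
    """Split a comma-form DN into RDN strings without breaking on escaped
    commas, so 'CN=Northrup\\, Tony' remains a single RDN."""
    rdns, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])   # keep the escape pair intact for now
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    rdns.append("".join(buf))
    return [r.strip() for r in rdns if r.strip()]


def parse_ldap_dn(dn: str):
    """Comma form (leaf first) into the same root-first list as parse_slash_dn."""
    rdns = []
    for rdn in split_ldap_dn(dn):
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        attr_type, value = rdn.split("=", 1)
        rdns.append((attr_type.strip().upper(), _UNESCAPE_RE.sub(r"\1", value.strip())))
    return list(reversed(rdns))


def _escape(value: str) -> str:
    return _ESCAPE_RE.sub(r"\\\1", value)


def to_ldap_dn(rdns) -> str:
    """Root-first pairs back to RFC 2253 comma form, escaping special characters."""
    return ",".join(t + "=" + _escape(v) for t, v in reversed(rdns))


def relative_dn(rdns) -> str:
    """The last component: the object's name without its context."""
    t, v = rdns[-1]
    return f"{t}={v}"


def parent_slash_dn(rdns) -> str:
    """The container the object lives in, in slash form."""
    return "/" + "/".join(f"{t}={v}" for t, v in rdns[:-1])


def dns_domain(rdns) -> str:
    """DC components name the DNS domain: DC=COM/DC=Microsoft/DC=MSPress
    becomes mspress.microsoft.com."""
    return ".".join(v for t, v in reversed(rdns) if t == "DC").lower()


TONY = "/O=Internet/DC=COM/DC=Microsoft/DC=MSPress/CN=Users/CN=Tony Northrup"

if __name__ == "__main__":
    rdns = parse_slash_dn(TONY)
    print(relative_dn(rdns), "in", parent_slash_dn(rdns))
    print("domain:", dns_domain(rdns))
    print("LDAP form:", to_ldap_dn(rdns))
```

The escape handling is the part worth keeping: any tool that builds LDAP filters or ACL targets by splitting on commas will mis-identify an object whose name contains one, so treat the DN as structured data, never as a string to be cut apart.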

User Principal Name

Distinguished names are great for computers but too cumbersome for people to remember. People have grown accustomed to e-mail addresses, so Active Directory provides these addresses as a shortcut to the full object name. In Figure 11-9, Tony Northrup is a user of the mspress.microsoft.com domain. An administrator could create a user principal name within the microsoft.com domain to allow simpler access to my user account and hold a place for my e-mail address, like northrup@microsoft.com.
Users will rely on their user principal name to log onto their Windows 2000 systems. In other words, user principal names will replace the user names used in older Windows networks. Obviously, this helps the users by saving them the trouble of typing their distinguished names. However, it also benefits users because the user principal name will stay the same even if administrators move or rename the underlying user account.

ADSI (Active Directory Service Interface)

ADSI (Active Directory Service Interface) allows applications to interact with any directory service without being forced to know the internal details of the underlying protocols. Administrators can write programs and scripts that make use of ADSI to read or write to legacy Windows NT 4.0 directories, NetWare NDS directories, NetWare 3 binderies, and LDAP directories such as Active Directory. Developers can even create applications that make use of directories at the customer's site, without previous knowledge of the type of directory being used.
For example, the following Microsoft Visual Basic code uses ADSI to display a list of users in the debug window:
    ' Bind to the Sales OU and enumerate the user objects it contains
    Set ou = GetObject("LDAP://dcserver/OU=Sales,DC=ArcadiaBay,DC=COM")
    ou.Filter = Array("user")   ' return only user objects, not computers or nested OUs
    For Each obj In ou
        Debug.Print obj.Name
    Next
As you can see, gathering a list of users is much simpler than in previous Windows operating systems. ADSI makes use of the Component Object Model (COM), so almost any Windows development environment can immediately make use of the interface. Developers will be interested to know that they can access Active Directory through the LDAP C API and through MAPI, though ADSI is the preferred interface.
Note: The LDAP C API is defined in RFC 1823.

Planning Your Network for Active Directory

Clients rely on site information to identify the closest Active Directory server. Because sites correspond to IP subnets, you should place Active Directory servers on each subnet. You should also make sure that all systems on the same logical subnet are connected via LAN hardware. Some routing technologies, such as Proxy Address Resolution Protocol (ARP), can allow systems to be on the same logical subnet but different physical network segments. This setup will trick clients into thinking systems are closer than they really are, so it's best to stick to standard routing techniques. If this isn't making much sense, that's okay—your network is probably set up just fine.
Make sure you have planned your Active Directory structure before you start migrating your network. You'll be given the option of creating a new tree or joining an existing tree. Obviously, if you're the first domain in the network to be migrated, you'll want to create a new tree. However, if you are merging multiple domains into a single Active Directory domain, you will want to join as a child of the existing tree.
Always migrate the Windows NT 3.51 or 4.0 PDC (Primary Domain Controller) to Windows 2000 Server Active Directory first. Users and groups from your current domain will be automatically transferred into Active Directory, and existing clients will interface with the new domain controller exactly as if it were still a PDC. As long as you have both Active Directory servers and legacy BDCs (backup domain controllers) in operation simultaneously, your domain will function as a mixed mode domain, as illustrated in Figure 11-10. Mixed domains cannot take full advantage of the new Active Directory features because Active Directory must ensure backward compatibility. For example, you cannot use nested groups in mixed mode domains.

Figure 11-10: Mixed mode domains are used when legacy BDCs still exist.
You should migrate the BDCs once you are sure the mixed mode domain is functioning completely. When all domain controllers have been migrated, you can switch the domain to native mode, reboot the domain controllers, and take full advantage of the new features. Member servers and workstations are completely supported and require no changes to interact with Active Directory servers. You will realize more benefits by upgrading the member servers as well, but always start by upgrading domain controllers.
Windows NT Workstation clients should be upgraded to Windows 2000 Professional to take advantage of the new features of Active Directory. A service pack will be made available for Microsoft Windows 95 and Windows 98 clients that will make them Active Directory–aware and allow them to participate in Kerberos security.

Summary

The addition of Active Directory to Windows 2000 Server is the most significant reason to upgrade your network. Active Directory combines Windows NT domains with Internet domains and makes them scalable to enterprise proportions. While the most significant benefit will be the reduced cost of ownership, users will directly benefit from the advanced search capabilities of the global catalog.
Active Directory is both standards-based and flexible. It's based on the LDAP standard, which has already been adopted by Cisco for use on network hardware and UNIX systems. The flexibility will be appreciated by any administrator who needs more functionality than is provided out of the box.
Microsoft wants it to be as easy as possible to migrate to Active Directory. Wizards are provided to transfer DNS responsibilities to Microsoft DNS dynamic update protocol servers. Users and groups from legacy Windows NT domains are automatically imported. Finally, every aspect of Active Directory setup is intuitive and GUI-oriented, and handles most complexities automatically.
The above article is courtesy of Microsoft Press. Copyright 1999, Microsoft Corporation.
We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as-is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages. All prices for products mentioned in this document are subject to change without notice.

[/vc_column_text][/vc_column][/vc_row]

[vc_row][vc_column][vc_column_text]

How to Survive Cyber Monday

Cyber Monday brings a lot of great things, like crazy discounts, free shipping codes, and the best deals for online shopping. The holiday also brings a lot of bad things, like data breaches and server crashes. As your employees (and customers) may be online shopping all day, don't let your company data go unprotected. A Backup and Disaster Recovery (BDR) solution can keep your business safe while the sales commence.

[/vc_column_text][/vc_column][/vc_row][vc_row parallax="content-moving" css=".vc_custom_1465945819577{background-color: #e98922 !important;}"][vc_column][vc_column_text css_animation="appear"]

Securing productivity, collaboration and enterprise data is critically important as organizations digitally transform.

3 Obvious Reasons You Need A Backup & Disaster Recovery Plan

  • You need to protect your company data from security threats and hackers. Did you see all the recent news of political breaches by hackers who exposed “secure” data?
  • Natural disasters do occur and 90% of companies that experience one week of data downtime go out of business within 12 months.
  • Systems do crash, data gets erased or corrupted, viruses attack.
With vast quantities of vital data moving through your business, even with limited resources and budget, it is critical for an organization to have a true business continuity and disaster recovery plan in place. This is the only solution to deliver an advanced insurance policy against loss of data and downtime.
Managed Solution provides a Business Continuity/Backup & Disaster Recovery Service to protect data from loss and prevent costly downtime in the event of a catastrophic server failure.
[/vc_column_text][/vc_column][/vc_row][vc_row][vc_column][vc_column_text]


[/vc_column_text][/vc_column][/vc_row]

[vc_row][vc_column][vc_column_text]

IoT security suffers from a lack of awareness

By Clint Boulton as written on cio.com
As consumers we have become obsessed with connected devices. We like the idea of smart homes, smart cars, smart TVs, smart refrigerators or any machine that can be automated with sensors and an IP address. Yet fewer tasks in IT today inspire more fear than the prospect of protecting corporate networks from this proliferating wave of connected devices. The internet of things phenomenon expands the threat surface exponentially, in turn boosting business risk.
But CIOs often aren’t aware of all of the devices that make inviting targets for hackers. "One of the fundamental issues that faces the internet of things is knowing that they're there and giving them some identity,” says Gartner analyst Earl Perkins. "You can't manage what you can't see."
Factor in the hiding-in-plain-sight machines and BYOD devices, as well as emerging technologies that control office light fixtures, temperature and even window tint, and it's easy to see how vetting what's on the network will only get harder for CIOs. Securing the internet of things is a primary focus of this week’s Black Hat USA conference, whose organizers told the Wall Street Journal that they received 50 proposals for seminars related to infiltrating devices, including how a computer worm could spread among smart lightbulbs, how to hack medical systems, and a new kind of ATM skimming device.
Matt Kraning, CTO of security software startup and DARPA spinoff Qadium, says CIOs are focusing on locking down devices operating on the network as a result of BYOD policies while the mundane teleconference systems are ignored. There are tens of thousands of such unified communications and collaboration systems installed in executive boardrooms around the world. These systems use dated protocols, such as Session Initiation Protocol (SIP), aren't encrypted and are rarely kept current on patches.
Imagine this scenario: The entire C-suite huddles with the board for their quarterly meeting. The IP-enabled video conferencing system doesn't work so they call IT in. Turns out the system was properly blocked by the corporate firewall, consistent with corporate policy. But rather than cancel the meeting, the execs order IT to break through the firewall to get the system to work. The big no-no occurs when the IT team doesn't put the firewall back around the equipment, leaving the system open to an enterprising hacker who may eavesdrop on executive meetings.
"They grew up when the phone was just a phone," Kraning says of executives who don't realize the threat that such systems pose. "Most have no insider awareness of IoT and that persists the myth that the problem is not already here." He says mail servers are also potential threat vectors.

IoT security: a victim of market economics?

The enterprise is naturally only a subset of the broader world – one in which the increasing drumbeat of connected devices poses an even greater threat. Gartner forecasts that 6.4 billion connected things will be in use worldwide in 2016 and will reach 20.8 billion by 2020. Protecting those devices, from smart cars to smart hot water heaters to smart TVs, remains a big problem partly because of a misalignment of economics, says security expert Bruce Schneier.
PCs and cell phones churn every 18 to 24 months, so the companies that produce them have a financial incentive to constantly refine the security of those devices. But people replace cars every 10 years, refrigerators every 20 and thermostats "never," says Schneier. "There exists no mechanism to patch them because it's not economically viable for third parties," Schneier says.
The problems will mount as new devices emerge and they, along with the sensors and software used in conjunction with them get cheaper and last longer. “You don’t have the same ecosystem of upgrade in terms of patching, devices and operating system -- none of these things that in a computer world makes them better,” Schneier says. “When your furnace becomes part of the IoT and they say you have to replace the hardware on your furnace every two years... people are not going to do it.”
Assigning fault also plays a big hand in the complex market dynamics. When a perpetrator infiltrates a network through a software vulnerability, we point to the flawed software. But with connected devices forming what is essentially a digital daisy chain, it is difficult to attribute fault. "If your refrigerator interacts with your router and hacks your Google account, whose fault is it?" Schneier says. "The market economy actually works against securing IoT."
Such security threats can snowball quickly, as Schneier wrote in a blog post last week: “Vulnerabilities on one system cascade into other systems, and the result is a vulnerability that no one saw coming and no one bears responsibility for fixing. The internet of things will make exploitable vulnerabilities much more common.”

An IoT security model

Qadium is tackling the IoT security problem with “global internet sensing” software that scours hundreds of terabytes of data generated by devices configured by a given organization. It indexes a hundred different protocols, calls out to all of the devices that reside on a customer’s network, and gauges their responses for anomalies. It finds dark spaces in corporate networks that CIOs didn’t even know existed.
“We look at the entire internet perpetually and turn it into an analytics challenge,” Kraning says. The goal is to say, “We know where all devices of interest to a company are.” Qadium’s customers include the U.S. Cyber Command and the Navy.
According to Perkins, who says Qadium competes with Bastille Networks, Great Bay Software and ForeScout Technologies, such technologies play a useful role in helping CIOs discover what’s on what he calls the “network of entities.” However, the challenge doesn’t end there. A second set of technologies is required to isolate and neutralize malware or other network incursions. Securing connected devices, he says, requires a multi-layer approach that involves providing the proper policy enforcement for existing devices and those that will come onto the network in the future. This is no trivial task.
"We've reached an era in computing now where we are able to project a pervasive digital presence into the edges of business and into the edges of life -- on the human body, in the human body, in the house, in the car,” Perkins says. Gartner estimates spending on security technologies to protect the Internet of Things will top $840.5 million by 2020.
What does the future of IoT security look like? Schneier, who has closely watched the cybersecurity market evolve over the last three decades, says the federal government must provide regulatory oversight into cybersecurity by establishing a new federal agency – ideally a Department of Technology Policy – to regulate the industry, similar to how the FCC was created to regulate airwaves and the FAA guides airlines. For now, Schneier says the government remains woefully behind on IoT awareness.
Yet Schneier remains cautiously optimistic about the industry’s chances to solve the complex challenges – like it always has – over time and through trial and error. The solutions “will be like everything we do in computer security to date -- a hodgepodge of things that work pretty well," Schneier says. "We'll muddle through, screw it up and get better."

[/vc_column_text][/vc_column][/vc_row]

[vc_row][vc_column][vc_column_text][vc_single_image image="11015" img_size="900x500" alignment="center"]

How Azure SQL Threat Detection acts as your built-in security expert

By Ron Matchoro as written on blogs.msdn.microsoft.com
Azure SQL Database Threat Detection has been in preview for a few months now. We’ve on-boarded many customers and received some great feedback. We would like to share a couple of customer experiences that demonstrate how SQL Threat Detection helped to address their concerns about potential threats to their database.

What is SQL Threat Detection?

SQL Threat Detection is a new security intelligence feature built into the Azure SQL Database service. Working around the clock to learn, profile and detect anomalous database activities, SQL Threat Detection identifies potential threats to the database. Security officers or other designated administrators can get an immediate notification about suspicious database activities as they occur. Each notification provides details of the suspicious activity and recommends how to further investigate and mitigate the threat.
Currently, SQL Threat Detection on Azure SQL Database detects potential vulnerabilities and SQL injection attacks, as well as anomalous database access patterns.  The following customer feedback attests to how SQL Threat Detection warned them about these threats as they occurred and helped them improve their database security.

[/vc_column_text][vc_column_text]

Case #1: Attempted database access by former employee

Borja Gómez, architect & development lead at YesEnglish:
“SQL Threat Detection is a useful feature that allows us to detect and respond to anomalous database activities, which were not visible to us beforehand. As part of my role designing and building Azure-based solutions for global companies in the Information and Communication Technology field, we always turn on SQL Auditing and Threat Detection, which are built-in and operate independently of our code. A few months later, we received an email alert that “Anomalous database activities from unfamiliar IP (location) was detected”. The threat came from a former employee trying to access one of our customer’s databases, which contained sensitive data, using old credentials. Because SQL Threat Detection allowed us to detect this threat as it occurred, we were able to remediate the threat immediately by locking down the firewall rules and changing credentials, thereby preventing any damage. Such is the simplicity and power of Azure.”

Case #2: Preventing SQL Injection attacks

Richard Priest, Architectural Software Engineer at Feilden Clegg Bradley Studios and head of the collective at Missing Widget:
“Thanks to SQL Threat Detection, we were able to detect and fix code vulnerabilities to SQL injection attacks and prevent potential threats to our database. I was extremely impressed how simple it was to enable threat detection policy using the Azure portal, which required no modifications to our SQL client applications. A while after enabling SQL Threat Detection, we received an email notification about ‘An application error that may indicate a vulnerability to SQL injection attacks’. The notification provided details of the suspicious activity and recommended concrete actions to further investigate and remediate the threat. The alert helped me to track down the source of my error and pointed me to the Microsoft documentation that thoroughly explained how to fix my code. As the head of IT for an information technology and services company, I now guide my team to turn on SQL Auditing and Threat Detection on all our projects, because it gives us another layer of protection and is like having a free security expert on our team.”
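The alert in Case #2 fires when user input reaches the database as SQL text and produces an application error. As an added example that is not from the blog post, from Azure, or from the customer quoted above, the following Python uses an in-memory SQLite table (constructed here) to show the concatenation pattern that produces such errors, the parameterized form that removes both the error and the injection, and a small wrapper that records the error the way an auditing layer would see it. Azure SQL Database is not involved; the same pattern applies to any driver that supports parameter binding.

```python
import sqlite3

# Constructed sample data standing in for an application's users table.
SAMPLE_USERS = [
    ("alice", "alice@example.com"),
    ("bob", "bob@example.com"),
    ("O'Brien", "obrien@example.com"),  # a legitimate value containing a quote
]


def make_db():
    """Create the in-memory table the examples below query."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users (username, email) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def lookup_vulnerable(conn, username):
    """Builds the statement by string concatenation: the input becomes SQL text.

    A quote in ordinary data ("O'Brien") breaks the statement and raises the
    application error the alert is based on; a crafted value rewrites the WHERE
    clause instead of being compared against it.
    """
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, username):
    """Binds the input as a parameter: it is compared as data, never parsed as SQL."""
    sql = "SELECT username, email FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchall()


def audited_lookup(fn, conn, username):
    """Run a lookup and return (rows, error_text).

    A database syntax error caused by user-supplied text is exactly the signal an
    auditing layer records and a threat-detection rule can raise an alert on.
    """
    try:
        return fn(conn, username), None
    except sqlite3.OperationalError as exc:
        return None, str(exc)


if __name__ == "__main__":
    conn = make_db()
    print(audited_lookup(lookup_vulnerable, conn, "O'Brien"))  # (None, 'near "Brien": syntax error')
    print(audited_lookup(lookup_safe, conn, "O'Brien"))        # ([("O'Brien", 'obrien@example.com')], None)
```

The fix the documentation describes for this class of error is the second function: once the value is bound rather than concatenated, the quote in "O'Brien" is just a character in the comparison value, and the syntax errors that triggered the alert stop appearing in the audit log.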

Case #3: Anomalous access from home to production database

Manrique Logan, architect & technical lead at ASEBA:
“SQL Threat Detection is an incredible feature, super simple to use, empowering our small engineering team to protect our company data without the need to be security experts. Our non-profit company provides user-friendly tools for mental health professionals, storing health and sales data in the cloud. As such we need to be HIPAA and PCI compliant, and SQL Auditing and Threat Detection help us achieve this. These features are available out of the box, and simple to enable too, taking only a few minutes to configure. We saw the real value from these not long after enabling SQL Threat Detection, when we received an email notification that ‘Access from an unfamiliar IP address (location) was detected’. The alert was triggered as a result of my unusual access to our production database from home. Knowing that Microsoft is using its vast security expertise to protect my data gives me incredible peace of mind and allows us to focus our security budget on other issues. Furthermore, knowing the fact that every database activity is being monitored has increased security awareness among our engineers. SQL Threat Detection is now an important part of our incident response plan. I love that Azure SQL Database offers such powerful and easy-to-use security features.”

How to turn on SQL Threat Detection

SQL Threat Detection is incredibly easy to enable. You simply navigate to the Auditing & Threat Detection configuration blade for your database in the Azure management portal. There you switch on Auditing and Threat Detection, and configure at least one email address for receiving alerts.

Managed Solution is a full-service technology firm that empowers business by delivering, maintaining and forecasting the technologies they’ll need to stay competitive in their market place. Founded in 2002, the company quickly grew into a market leader and is recognized as one of the fastest growing IT Companies in Southern California.


We specialize in providing full Microsoft solutions to businesses of every size, industry, and need.

[/vc_column_text][/vc_column][/vc_row]

[vc_row][vc_column][vc_column_text]

Europe eyes new rules for online platforms

By Natasha Lomas as written on techcrunch.com
The European Union’s executive body has today set out a series of proposals for new rules that would apply to a broad range of online platforms, from the likes of YouTube to Google to eBay, as part of ongoing efforts to boost competitiveness in the region under its Digital Single Market Strategy.
The proposals follow a year long assessment by the European Commission of online platforms, after which it says it has concluded that a ‘one-size-fits-all’ approach is not appropriate to maximize consumer benefits while ensuring effective regulation across all the different types of platforms — so it says it will rather look at each area where it can act “from telecoms to copyright rules, to address any specific problems in a future-proof way for all market players”.
Among the proposed changes is a new set of audiovisual rules — with the stated aim of achieving a better balance between rules that apply to traditional broadcasters vs online video-on-demand providers and video-sharing platforms like YouTube. Key among the EC’s concerns here is safeguarding minors.
It says it wants video-sharing platforms to help come up with a code of conduct for the industry relating to protecting minors online. For the most harmful content (gratuitous violence and pornography) it wants to strict control measures applied to online platforms, such as age verification or pin codes.
Under the proposals there would also be a stronger role for audiovisual regulators.
At this stage the EC is not including social network platforms such as Facebook — where plenty of video-sharing and viewing now takes place of course — in its definition of online platforms but it does say this could change in future.  “If a particular social media provider meets all the characteristics of a video-sharing platform, they will be covered as such,” it notes.
These proposals are an update to the existing Audiovisual Media Services Directive (AMSD), which has governed audiovisual media in the region for almost 30 years. The existing directive also includes stipulations to encourage cultural diversity and the free circulation of content within Europe, which the EC wants to see bleeding over to the online platforms that viewers are increasingly turning to in the digital era.
Under current rules, for example, TV broadcasters are obliged to broadcast at least a 50 per cent share of European works (including national content) in viewing time. This proportion will remain unchanged under the proposal, but VOD services would get more formal obligations — with a proposed requirement that they have at least a 20 per cent share of European content in their catalogues, and give good visibility to European content in any offers.
Elsewhere, the Commission has also been looking at the rules around ad content, and says it wants greater flexibility for online platforms to use product placement and sponsorship — with the caveat that they must keep viewers informed at the start or end of a program. Product placement will still be forbidden in content with a significant children’s audience.
Also today the Commission has set out additional proposals for updating ecommerce rules — with a push to prevent unjustified geoblocking, such as discriminating on price based on nationality or residency, by online platforms.
In moves aimed at boosting trust in ecommerce it also wants search engines to be required to “clearly distinguish” paid placements from organic search results, and the industry to step up voluntary efforts to tackle fake or misleading online reviews.
Increasing price-transparency and regulatory oversight of cross-border parcel delivery services to boost regional ecommerce is another priority.
The Commission is also focusing on controlling the spread of hate speech on online platforms — an issue which has again bubbled to the fore in Europe in recent times, following the refugee crisis.
A code of conduct the EC has been working on with online platforms is due to be presented in the coming weeks, it said today.
The package of measures is a set of proposals at this stage, with European law requiring EU Member States to vote on and agree them, and transpose them into national legislation — a process that can take multiple years.

[/vc_column_text][/vc_column][/vc_row]

[vc_row][vc_column][vc_column_text]

Recently confirmed Myspace hack could be the largest yet

By Sarah Perez as written on techcrunch.com
You might not have thought of – much less visited – Myspace in years. (Yes, it’s still around. Time, Inc. acquired it and other properties when it bought Viant earlier this year.) But user data never really dies, unfortunately. For Myspace’s new owner, that’s bad news: the company confirmed, just ahead of the Memorial Day holiday weekend in the U.S., that it has been alerted to a large set of stolen Myspace username and password combinations being made available for sale in an online hacker forum.
The data is several years old, however. It appears to be limited to a portion of the overall user base from the old Myspace platform prior to June 11, 2013, at which point the site was relaunched with added security.
Time, Inc. didn’t confirm how many user accounts were included in this data set, but a report from LeakedSource.com says that there are over 360 million accounts involved. Each record contains an email address, a password, and in some cases, a second password. As some accounts have multiple passwords, that means there are over 427 million total passwords available for sale.
Despite the fact that this data breach dates back several years, the size of the data set in question makes it notable. Security researchers at Sophos say that this could be the largest data breach of all time, easily topping the whopping 117 million LinkedIn emails and passwords that recently surfaced online from a 2012 hack.
That estimation seems to hold up – while there are a number of other large-scale data breaches, even some of the biggest were not of this size. The U.S. voter database breach included 191 million records, Anthem’s was 80 million, eBay was 145 million, Target was 70 million, Experian 200 million, Heartland 130 million, and so on.
The issue with these older data breaches is that they’re from an era where security measures were not as strong as today. That means these passwords are easily cracked. LeakedSource notes that the top 50 passwords from those cracked account for over 6 million passwords – or 1.5 percent of the total, to give you a sense of scale.
The passwords were stored as unsalted SHA-1 hashes, as LinkedIn’s were, too.
That allowed Time, Inc. to date the data breach to some extent, as the site was relaunched in June 2013 with strengthened account security, including double-salted hashes to store passwords. It also confirmed that the breach has no effect on any of its other systems, subscriber information, or other media properties, nor did the leaked data include any financial information.
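Why an unsalted SHA-1 store is cheap to recover in bulk, and why a salted, iterated store is not, as an added example that is not part of the article. The records and the list of common passwords are constructed for the demonstration; the salted scheme shown is PBKDF2-HMAC-SHA256 from the Python standard library, used here as an illustration of per-record salting and slow derivation, not as a statement of what Myspace deployed in 2013.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a short list of common passwords. LeakedSource's point
# is that a handful of such strings accounted for millions of the leaked records.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "abc123", "letmein"]


def sha1_unsalted(password):
    """How the leaked passwords were stored: the bare SHA-1 of the password text."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def exposure_unsalted(stored, candidates):
    """Show the weakness: one lookup table matches every record in the store at once.

    Without a salt, every account that chose the same password has the same hash, so
    the candidate hashes are computed once for the whole dump, not once per account.
    Returns {user: password} for every record a defender should treat as exposed.
    """
    table = {sha1_unsalted(p): p for p in candidates}
    return {user: table[h] for user, h in stored.items() if h in table}


def hash_salted(password, salt=None, iterations=100_000):
    """Per-record random salt plus an iterated derivation; returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_salted(password, salt, digest, iterations=100_000):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def same_password_same_record(password):
    """With per-record salts, two users sharing a password still get different digests,
    so a single table cannot be reused across the store."""
    _, d1 = hash_salted(password)
    _, d2 = hash_salted(password)
    return d1 == d2


if __name__ == "__main__":
    store = {"userA": sha1_unsalted("123456"), "userB": sha1_unsalted("letmein")}
    print(exposure_unsalted(store, COMMON_PASSWORDS))  # {'userA': '123456', 'userB': 'letmein'}
    print(same_password_same_record("123456"))         # False
```

The 1.5 percent figure quoted above is the unsalted case: the same five-line table scales to 360 million records at no extra cost. A per-record salt forces the work to be repeated per account, and the iteration count makes each repetition slow, which is the reason the relaunched site's salted scheme is described as harder to crack.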
Myspace is notifying users and has already invalidated the passwords of known affected accounts.
The company is also using automated tools to attempt to identify and block any suspicious activity that might occur on Myspace accounts, it says.
“We take the security and privacy of customer data and information extremely seriously—especially in an age when malicious hackers are increasingly sophisticated and breaches across all industries have become all too common,” said Myspace’s CFO Jeff Bairstow, in a statement. “Our information security and privacy teams are doing everything we can to support the Myspace team.”
However, while the hack itself and the resulting data set may be old, there could still be repercussions. Because so many online users simply reuse their same passwords on multiple sites, a hacker who is able to associate a given username or email with a password could crack users’ current accounts on other sites.
Of course, it’s not likely users even remember what password they used on Myspace years ago, which makes protecting your current accounts more difficult. A better option is to always use more complicated passwords, reset them periodically, and take advantage of password management tools like Dashlane or LastPass to help you keep track of your logins.
Myspace also confirmed that the hack is being attributed to the Russian cyberhacker who goes by the name “Peace.” This is the same person responsible for the LinkedIn and Tumblr attacks, too. In Tumblr’s case, some 65 million plus accounts were affected. But these passwords were “salted,” meaning they are harder to crack.
Myspace is working with law enforcement as this case is still under investigation, the company says.

[/vc_column_text][/vc_column][/vc_row]


Technology Leader's Guide to Azure Active Directory

Identity and Access Management as a Service boosts organizational effectiveness

There’s no question that cloud offerings present businesses with ample opportunity to lower their costs while increasing efficiency and agility. But these organizations will reap these benefits only if they can overcome some of the challenges cloud technology presents.

Chief among the challenges is maintaining proper security for cloud-based applications and data. An important consideration is having an effective IAM strategy that spans both on-premises and cloud-based resources.

Azure Active Directory Premium offers a solution enabling SMBs to easily extend the AD platform with which they are already familiar to also handle cloud solutions. Not using AD? Azure AD Premium also works with myriad other directory offerings.

With Azure AD Premium, businesses can reduce their risk while improving the productivity of their IT group and ensuring compliance with internal and external policies and regulations. Azure Active Directory extends your on-premises directories into the cloud, providing a truly global identity and access management solution that delivers effective, secure and modern IT services.


Managed Solution is in the top 1% of Microsoft Cloud Service Providers worldwide, and a premier partner aligned with Microsoft’s mission to empower every person and every organization on the planet to achieve more.


Contact us Today!

Chat with an expert about your business’s technology needs.