Monday, July 4, 2011

Windows 2003 Notes and Abbreviations:

- Active Directory (AD) uses DNS as its locator service to support the various types of services that AD offers, such as Global Catalog (GC), Kerberos, and Lightweight Directory Access Protocol (LDAP)

- _msdcs is the Microsoft-specific DNS subdomain the DC locator depends on. It holds the SRV records DCs register for their roles (for example _ldap._tcp.dc._msdcs.<domain>, _kerberos._tcp.dc._msdcs.<domain>, _ldap._tcp.pdc._msdcs.<domain> and _ldap._tcp.gc._msdcs.<forest root>), a CNAME for every DC named after its DSA GUID (replication partners use it to find each other), the GUID of every domain in the forest, and a list of GC servers (gc._msdcs.<forest root>). If you install a new forest on Windows Server 2003 and let the Dcpromo wizard configure DNS, Dcpromo creates a separate zone, _msdcs.<forest root domain>, rather than a subdomain inside the root zone. That zone stores its records in the forest-wide application directory partition ForestDNSZones, which is replicated to every DC in the forest that runs the DNS Server service, so the locator records are available anywhere in the forest. Quick check: nslookup -type=SRV _ldap._tcp.dc._msdcs.<domain> should list every DC; a DC missing from the answer cannot be found by clients and usually needs Netlogon restarted to re-register.

- Global Catalog (GC): the first DC in a forest is a GC by default, but GC is a role any DC can hold. You don't "move" it; you enable it on the new DC (Active Directory Sites and Services, the DC's NTDS Settings properties, Global Catalog check box), wait for event ID 1119 in that DC's Directory Service log (the DC announcing that it is now a GC), and only then clear the check box on the old one. A workstation that cannot find a GC cannot complete a UPN logon, because the GC is needed to map the UPN to the right domain and check its uniqueness; stop and restart the Netlogon service on the GC so it re-registers its gc._msdcs and _gc SRV records in DNS.

- GC-less logon (universal group membership caching): a Windows Server 2003 DC in a site without a GC can cache each user's universal group memberships in the msDS-Cached-Membership attribute of the user object (msDS-Cached-Membership-Time-Stamp records when) and log the user on without contacting a GC. Enable it in Active Directory Sites and Services: select the site object, open its NTDS Site Settings Properties, and select the Enable Universal Group Membership Caching check box near the bottom (this sets bit 0x20 in the options attribute of the NTDS Site Settings object; the "Refresh cache from" list, stored in msDS-Preferred-GC-Site, names the site whose GC is used to refresh). Caveat: the cache is refreshed every 8 hours by default, so removing a user from a universal group may not take effect at that site until the next refresh.

- NTLM is a challenge/response authentication protocol and the default for Windows NT 4.0 and earlier. For backward compatibility Microsoft still ships it in Windows 2000, Windows XP, Windows Server 2003 and 2003 R2, and Windows Vista. Starting with Windows 2000, Kerberos is the default authentication protocol for domain logons, so every Windows OS since then carries both an NTLM and a Kerberos authentication provider (SSP), and Negotiate picks Kerberos when it can. The practical consequence: Windows falls back to NTLM whenever Kerberos is not usable, e.g. the target is addressed by IP address, the name has no matching SPN, the client is not domain-joined, or no KDC is reachable. The variant in use (LM, NTLMv1, NTLMv2) is governed by LmCompatibilityLevel (Network security: LAN Manager authentication level); LM and NTLMv1 responses are weak, and all variants authenticate with a derivative of the NT hash rather than the password itself.

- Kerberos refers to several things: the Authentication Service (AS) itself, the protocol the AS speaks, and the code that implements it. Kerberos version 5 issues tickets (a TGT from the AS, then service tickets from the TGS) that clients present to access services on the network; in AD every DC runs a KDC. Kerberos V5 is also an Internet standard (RFC 4120).

- LDAP (Lightweight Directory Access Protocol): the protocol used to read and write AD. A DC answers on TCP/UDP 389 (TCP 636 for LDAP over SSL); a GC additionally answers forest-wide queries on TCP 3268 (3269 over SSL).

- An application directory partition differs from a domain partition in that it cannot store security principal objects such as user accounts, and its contents are not replicated to the Global Catalog. It can be replicated to any chosen set of DCs in the forest; ForestDNSZones and DomainDNSZones are the built-in examples.

- User Principal Name (UPN): a logon name and a UPN suffix (by default the DNS name of the domain holding the account, though alternate suffixes can be defined for the forest) joined by @, e.g. user@domain.com. UPNs must be unique across the forest, which is why a UPN logon needs a GC.

- Windows Server 2003 AD object quotas limit the number of objects a given security principal can own in an AD naming context (NC) or directory partition. They help prevent denial of service against DCs: without them, any authenticated user who has been granted create rights on a container can create objects until a DC runs out of disk space. You can set quotas per NC or partition (domain, configuration and application partitions) but not for the schema NC. You can also set a default quota per partition (msDS-DefaultQuota on that partition's NTDS Quotas container); if you don't set one explicitly, the default for that partition is unlimited. Caveats: quotas are enforced only by Windows Server 2003 DCs, members of Domain Admins and Enterprise Admins are exempt, and tombstoned objects still count toward the owner's total (scaled by msDS-TombstoneQuotaFactor, 100% by default). Manage them with dsadd quota, dsmod quota and dsquery quota.


Citrix XenApp Port Numbers

ICA: 1494
Session Reliability (CGP): 2598
IMA: 2512 (server to server), 2513 (server to console)
XML Service: 80 when integrated with IIS can be configu...