The following is a collection of expert responses to reader questions by Laura Hunter.
What is the difference between the Global Catalog and the Infrastructure Master?
Laura Hunter: The Global Catalog server maintains a partial, read-only copy of every domain in a forest, and is used for universal group storage and logon processing, among other things.
The Infrastructure Master is a Flexible, Single-Master Operations role-holder in each Active Directory domain that maintains internal references to objects that reside in other domains. See this article by fellow TechTarget expert Dean Wells for an in-depth look at the relationship between these two Active Directory components.
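As an added illustration (not part of the original column), the following PowerShell script lists the Global Catalog servers in the forest and the Infrastructure Master of each domain, using the .NET System.DirectoryServices.ActiveDirectory classes. It also flags the classic placement problem the relationship between these two roles creates: an Infrastructure Master that is itself a Global Catalog, in a domain where not every domain controller is a GC, will never find stale cross-domain references to fix. It assumes it is run from a domain-joined machine by an account that can read the directory.

```powershell
# Added example, not from the original column. Enumerates Global Catalogs and
# Infrastructure Masters via System.DirectoryServices.ActiveDirectory.
# Assumption: run on a domain-joined host with read access to the directory.
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$gcNames = @($forest.GlobalCatalogs | ForEach-Object { $_.Name.ToLower() })

Write-Host "Global Catalog servers in forest $($forest.Name):"
$gcNames | ForEach-Object { Write-Host "  $_" }

foreach ($domain in $forest.Domains) {
    # FSMO role holder for this domain (the role is per-domain, not per-forest)
    $im  = $domain.InfrastructureRoleOwner.Name.ToLower()
    $dcs = @($domain.DomainControllers | ForEach-Object { $_.Name.ToLower() })

    # DCs in this domain that do not hold a GC partition
    $nonGcDcs = @($dcs | Where-Object { $gcNames -notcontains $_ })

    Write-Host "Domain $($domain.Name): Infrastructure Master = $im"
    if (($gcNames -contains $im) -and ($nonGcDcs.Count -gt 0)) {
        Write-Host "  WARNING: the Infrastructure Master is a GC while these DCs are not:"
        $nonGcDcs | ForEach-Object { Write-Host "    $_" }
        Write-Host "  Cross-domain object references in this domain will not be updated."
    }
    elseif ($nonGcDcs.Count -eq 0) {
        Write-Host "  OK: every DC is a GC, so IM placement does not matter."
    }
    else {
        Write-Host "  OK: Infrastructure Master is not a GC."
    }
}
```

The check reflects Microsoft's placement guidance: either keep the Infrastructure Master off a Global Catalog, or make every domain controller in the domain a GC, in which case the role has nothing to do and its placement is irrelevant.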
Is there a command in Windows to assign UNIX attributes to Active Directory users? I need to have around 20,000 Active Directory users to have Unix attributes.
LH: If you are running Windows Server 2003 R2 Active Directory, you may be able to use the built-in Identity Management for UNIX services to meet your needs; see this link from Microsoft for more information. If you haven't made the move to R2 yet, consider Services For Unix 3.5, a free download from the Microsoft website.
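As an added example (this is not the column's own code and not a Microsoft tool), here is a PowerShell script that bulk-populates the RFC 2307 attributes (uidNumber, gidNumber, unixHomeDirectory, loginShell) that Identity Management for UNIX uses, reading the values from a CSV file via ADSI. It assumes the Windows Server 2003 R2 schema extensions are already in place, that the CSV has the constructed column layout sAMAccountName,uid,gid,home,shell, and that the caller has write permission on the target user objects. The -WhatIf switch lets you dry-run against a large population before committing.

```powershell
# Added example, not from the original column. Populates RFC 2307 UNIX
# attributes on many AD users from a CSV using ADSI (works without the AD module).
# Assumptions: R2 schema present; CSV columns sAMAccountName,uid,gid,home,shell.
param(
    [string]$CsvPath = ".\unix-attrs.csv",   # constructed input file name
    [switch]$WhatIf
)

$rows = Import-Csv -Path $CsvPath
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.PageSize = 1000                    # paged results for large domains
$results = @{ Updated = 0; NotFound = 0; Failed = 0 }

foreach ($row in $rows) {
    # Escape LDAP filter metacharacters so a malformed CSV cell cannot change the query
    $sam = $row.sAMAccountName `
        -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$sam))"

    $hit = $searcher.FindOne()
    if ($hit -eq $null) {
        $results.NotFound++
        Write-Warning "No such user: $($row.sAMAccountName)"
        continue
    }

    $user = $hit.GetDirectoryEntry()
    try {
        # uidNumber/gidNumber are integer-syntax attributes; the cast fails on bad input
        $user.Put("uidNumber", [int]$row.uid)
        $user.Put("gidNumber", [int]$row.gid)
        $user.Put("unixHomeDirectory", $row.home)
        $user.Put("loginShell", $row.shell)
        if ($WhatIf) {
            Write-Host "Would update $($row.sAMAccountName): uid=$($row.uid) gid=$($row.gid)"
        }
        else {
            $user.SetInfo()                  # commit the change to the directory
            $results.Updated++
        }
    }
    catch {
        $results.Failed++
        Write-Warning "Failed on $($row.sAMAccountName): $_"
    }
}

# Summary of what happened, useful when processing ~20,000 accounts
New-Object PSObject -Property $results
```

Because a bulk run like this touches tens of thousands of objects, run it first with -WhatIf, keep the CSV under change control, and review the NotFound and Failed counts before treating the migration as complete.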
My question is, what permissions must one set for a service to run an application after booting, using the system account without requiring a user to login? I'm a developer and need the application to be active at all times, but our support section doesn't know what to set on AD.
LH: Windows services can be configured to run using the BUILTIN\LOCAL SERVICE account, the BUILTIN\NETWORK SERVICE account, or a dedicated local or domain service account. I would recommend coordinating with your Active Directory administrators to ensure that you are maintaining least-privilege when developing and implementing any application; you can refer to _Writing Secure Code, Second Edition_ (ISBN 0735617228) and the MSDN website as good starting points.
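As an added example (not from the original column), the following PowerShell script inventories which account every automatically started service runs under, so that the least-privilege review the answer recommends has something concrete to work from. It uses WMI (Win32_Service), which is available on Windows Server 2003, and the $ComputerName parameter is an assumption for the host being audited.

```powershell
# Added example, not from the original column. Reports the logon account of each
# service and rates it for a least-privilege review. Assumption: WMI access to
# $ComputerName (default: the local machine).
param([string]$ComputerName = ".")

# Built-in limited accounts as WMI reports them in Win32_Service.StartName
$limitedAccounts = @("NT AUTHORITY\LocalService", "NT AUTHORITY\NetworkService")

$services = Get-WmiObject -Class Win32_Service -ComputerName $ComputerName

$report = foreach ($svc in $services) {
    $account = $svc.StartName
    if ($account -eq "LocalSystem") {
        $rating = "High: LocalSystem has full machine privileges"
    }
    elseif ($limitedAccounts -contains $account) {
        $rating = "Low: built-in limited account"
    }
    elseif ($account -match '\\') {
        # DOMAIN\user or MACHINE\user: fine if the account is scoped to this service
        $rating = "Review: dedicated account, confirm rights are minimal"
    }
    else {
        $rating = "Unknown: $account"
    }

    New-Object PSObject -Property @{
        Name      = $svc.Name
        StartMode = $svc.StartMode
        Account   = $account
        Rating    = $rating
        Path      = $svc.PathName
    }
}

# Services that start without anyone logging on are the ones the question is about
$report |
    Where-Object { $_.StartMode -eq "Auto" } |
    Sort-Object Rating, Name |
    Format-Table Name, Account, Rating -AutoSize
```

A service that appears under the "High" rating but only needs network access or local read rights is a candidate for NETWORK SERVICE or LOCAL SERVICE; if it needs specific rights that those accounts lack, a dedicated domain service account granted only those rights (and reassigned through the Services console or sc.exe config) keeps the blast radius of a compromised service small.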
I know very little about Active Directory structure and its functionality and am very eager to learn. Do you recommend any specific books/manuals/IT schools that might be helpful for someone like myself?
LH: There are any number of good books and resources available for you to learn about Active Directory and other Microsoft technologies. Perhaps the best thing you can do is to install a test server for yourself and start trying different things to see what happens -- you can download a trial version of the Windows Server 2003 software from the Microsoft website. I would also recommend subscribing to the ActiveDir list-serv, hosted at ActiveDir.org, where you will find wit and wisdom from many Active Directory experts. You'll also find a lot of useful information on the Microsoft website itself; there are entire sub-sections of the site dedicated to different technologies including AD, DNS, and other networking and directory technologies.
Laura E. Hunter (CISSP, MCSE: Security, MCDBA, Microsoft MVP) is a senior IT specialist with the University of Pennsylvania, where she provides network planning, implementation and troubleshooting services for business units and schools within the university. Hunter is a two-time recipient of the prestigious Microsoft "Most Valuable Professional" award in the area of Windows Server-Networking. She is the author of the Active Directory Field Guide (APress Publishing). You can contact her at firstname.lastname@example.org.