
What is the difference between a domain and a workgroup?

Computers on a network can be part of a workgroup or a domain. The main difference between workgroups and domains is how resources on the network are managed: in a workgroup every computer keeps its own local account database and authenticates users on its own, while in a domain accounts live in a central directory and domain controllers authenticate users for every member. Computers on home networks are usually part of a workgroup, and computers on workplace networks are usually part of a domain.
What is a domain?
A domain is a sub-network made up of a group of clients and servers under the control of one central security database. Within a domain, users authenticate once to a centralized server known as a domain controller, rather than repeatedly authenticating to individual servers and services.
What is Active Directory?

Active Directory is the directory service that keeps track of all the user, group and computer accounts (and their password secrets) in your organization. It lets you keep those accounts in one protected, replicated database, which improves your organization's security because accounts are created, disabled and audited in one place. Active Directory is subdivided into one or more domains, which together make up a forest.
What is User Principal Name (UPN)

In the Windows operating system's Active Directory, a User Principal Name (UPN) is the name of a user in an e-mail address format. The user name (or "username") is followed by the "at sign" followed by a UPN suffix, which by default is the DNS name of the domain the user belongs to (alternative suffixes can be added to the forest). The UPN is the logon name that Kerberos and most modern applications use; the older DOMAIN\username form is the down-level logon name.

What is service principal name?


A service principal name (SPN) is the name by which a client uniquely identifies an instance of a service when requesting a Kerberos ticket for it. It has the form service class/host[:port][/service name], for example HTTP/web01.corp.example. If you install multiple instances of a service on computers throughout a forest, each instance must have its own SPN. A given service instance can have multiple SPNs if there are multiple names that clients might use for authentication. For example, an SPN always includes the name of the host computer on which the service instance is running, so a service instance might register an SPN for each name or alias of its host. Each SPN must be unique in the forest: a duplicate SPN, registered on two accounts, makes Kerberos authentication to that service fail for both.
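The following PowerShell is an added example, not code from the original page: it shows how to read a user's UPN, list and register SPNs with setspn.exe, find duplicate SPNs, and list the user accounts that carry SPNs. The user, computer and service names (jdoe, FS01, svc_web, intranet.corp.example) are assumptions.

```powershell
# Added example (not part of the original page). Requires the RSAT
# ActiveDirectory module; all account and host names below are assumptions.
Import-Module ActiveDirectory

# UPN of one user: sAMAccountName 'jdoe' is an assumed example
Get-ADUser -Identity jdoe -Properties UserPrincipalName |
    Select-Object SamAccountName, UserPrincipalName

# SPNs registered on a computer account ('FS01' is assumed)
Get-ADComputer -Identity FS01 -Properties ServicePrincipalName |
    Select-Object -ExpandProperty ServicePrincipalName

# The same with setspn.exe, then register an alias SPN for a service account.
# -S (rather than -A) checks the forest for a duplicate before adding.
setspn -L FS01
setspn -S HTTP/intranet.corp.example svc_web

# A duplicate SPN breaks Kerberos for both accounts that hold it;
# -X searches for duplicates, -F widens the search to the whole forest
setspn -X -F

# User accounts (not computers) that carry SPNs: any domain user can request
# a service ticket for these and try to crack its password offline, so
# review them and keep their passwords long
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName |
    Select-Object SamAccountName, ServicePrincipalName
```

Run it on a domain-joined machine with an account that can read the directory; the setspn -S line additionally needs rights to write the service account's servicePrincipalName attribute.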

What are different active directory roles?


The Roles
There are five FSMO (Flexible Single Master Operations) roles: two are forest-wide and three exist in every domain. A brief summary of each role follows.

Forest Wide Roles:

Schema Master

The schema is shared between every Tree and Domain in a forest and must be consistent between all
objects. The schema master controls all updates and modifications to the schema.

Domain Naming

When a new Domain is added to a forest the name must be unique within the forest. The Domain
naming master must be available when adding or removing a Domain in a forest.

Domain Wide Roles:

Relative ID (RID) Master

Allocates pools of RIDs to the DCs within a domain. When a security principal such as a user, group or computer is created in AD it is given a SID. The SID consists of the domain SID (which is the same for all SIDs created in the domain) and a RID which is unique within the domain; each DC creates objects from its own RID pool and asks the RID master for a fresh pool when it runs low.
When moving objects between domains you must start the move on the DC which is the RID master of the domain that currently holds the object.

PDC Emulator

The PDC emulator acts as a Windows NT PDC for backwards compatibility: it processes password changes from down-level clients and replicates them to NT BDCs.
It is also the authoritative time source within a domain (the PDC emulator of the forest root domain should itself be configured to sync from an external source).
It is also the password master (for want of a better term) for a domain. Any password change is replicated to the PDC emulator as soon as is practical. If a logon request fails due to a bad password, the authenticating DC passes the request to the PDC emulator to check the password before rejecting the logon, so account lockout counts are tracked there as well. It is also the default DC on which Group Policy objects are edited.

Infrastructure Master

The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. It compares its data against the global catalogue, which receives regular updates for all objects in all domains.
Any change to user-group references is updated by the infrastructure master. For example, if you rename or move a group member and the member is in a different domain from the group, the group will temporarily appear not to contain that member.
In a multi-domain forest the infrastructure master must not be placed on a global catalogue server unless every DC in the domain is a global catalogue; a GC already holds the current data, so an infrastructure master on a GC never notices stale references and never updates them.
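An added PowerShell example, not from the original page, that locates the five role holders with both the ActiveDirectory module and netdom, checks the PDC emulator's time source, and transfers a role. The target DC name DC02 is an assumption.

```powershell
# Added example (not part of the original page). Requires the RSAT
# ActiveDirectory module; the DC name 'DC02' is an assumption.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# The two forest-wide roles come from the forest object, the three
# domain-wide roles from the domain object
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    RIDMaster            = $domain.RIDMaster
    PDCEmulator          = $domain.PDCEmulator
    InfrastructureMaster = $domain.InfrastructureMaster
}

# The same summary from the built-in tool
netdom query fsmo

# The PDC emulator should sync from an external time source; every other DC
# follows the domain hierarchy. Show what the PDC emulator is using:
w32tm /query /source "/computer:$($domain.PDCEmulator)"

# Transfer (not seize) the PDC emulator role to another DC. Seizing with
# -Force is only for a role holder that is permanently gone; the old holder
# must never come back online afterwards.
Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole PDCEmulator -Confirm:$false
```

Run this as a member of Domain Admins (Enterprise Admins or Schema Admins are required to transfer the forest-wide roles).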

what are the prerequisites for installing a domain controller?


Hardware minimums (for Windows Server 2008 R2):
Processor: single 1.4 GHz x64 processor, or 1.3 GHz dual core
Memory: 512 MB RAM
Disk space: 32 GB or greater
Network: 100 Mb/s is a reasonable minimum network connection

Before you promote the server to a domain controller, Active Directory also needs:
a static IP address, and a DNS server the new DC can reach that hosts (or can forward to) the domain's zone, or the DNS role installed on the server itself;
an NTFS volume for the NTDS database, its logs and SYSVOL;
local Administrator rights on the server, plus membership of Domain Admins (to add a DC to an existing domain), Enterprise Admins (to add a domain to an existing forest) or Schema Admins (for the first DC of a newer version, which extends the schema).

what is server manager?


The Windows Server 2008 operating system eases the task of managing
and securing multiple server roles in an enterprise with the new Server
Manager console. Server Manager in Windows Server 2008 provides a single
source for managing a server's identity and system information, displaying
server status, identifying problems with server role configuration, and
managing all roles installed on the server.
Server Manager replaces several features included with
Windows Server 2003, including Manage Your Server, Configure Your
Server, and Add or Remove Windows Components.

Server Manager also eliminates the requirement that administrators run the
Security Configuration Wizard before deploying servers; server roles are
configured with recommended security settings by default, and are ready to
deploy as soon as they are installed and properly configured.

what are the post installation checks for domain controller?


Run net accounts and confirm that the computer role is reported as PRIMARY, which shows the server is now acting as a domain controller.
Confirm that the standard containers (Users, Computers, Builtin and the Domain Controllers OU) exist in Active Directory Users and Computers, that the SYSVOL and NETLOGON shares are present, that the DC's SRV records are registered in DNS, and that dcdiag reports no failed tests.
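The checks above as a script, added here as an example and not taken from the original page. Run it on the new domain controller after the post-promotion reboot; it assumes the RSAT ActiveDirectory module is present (it is, on a DC).

```powershell
# Added example (not part of the original page): post-promotion checks for a
# new domain controller, run locally on the DC after it reboots.
Import-Module ActiveDirectory

# 1. The machine reports itself as a domain controller ("Computer role: PRIMARY")
net accounts | Select-String 'Computer role'

# 2. SYSVOL and NETLOGON shares exist; without them Group Policy cannot apply
net share | Select-String 'SYSVOL|NETLOGON'

# 3. The default containers and the Domain Controllers OU are present
$dn = (Get-ADDomain).DistinguishedName
foreach ($rdn in 'CN=Users', 'CN=Computers', 'CN=Builtin', 'OU=Domain Controllers') {
    # A Base-scope search of the container returns the container itself, or
    # nothing (with the error suppressed) if it does not exist
    $exists = [bool](Get-ADObject -Filter * -SearchBase "$rdn,$dn" -SearchScope Base -ErrorAction SilentlyContinue)
    "{0,-25} {1}" -f $rdn, $(if ($exists) { 'OK' } else { 'MISSING' })
}

# 4. DNS: the DC's SRV records are registered and the DC advertises its services
dcdiag /test:dns /test:advertising /test:services

# 5. Replication summary (only meaningful once a second DC exists)
repadmin /replsummary
```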

What are different ways of joining a member computer to a domain?


A domain is a collection of computers on a network with common rules and procedures that are administered as a unit. Each domain has a unique name. Typically, domains are used for workplace networks. To connect your computer to a domain, you'll need to know the name of the domain and have a valid user account on the domain.

1. Open System by clicking the Start button, right-clicking Computer, and then clicking Properties.

2. Under Computer name, domain, and workgroup settings, click Change settings. If you're prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Computer Name tab, and then click Change. Alternatively, click Network ID to use the Join a Domain or Workgroup wizard to automate the process of connecting to a domain and creating a domain user account on your computer.

4. In the Computer Name/Domain Changes dialog box, under Member of, click Domain.

5. Type the name of the domain that you want to join, and then click OK. You will be asked to type your user name and password for the domain. Once you are successfully joined to the domain, you will be prompted to restart your computer. You must restart your computer before the changes take effect.

Other ways to join a computer to a domain are the Add-Computer PowerShell cmdlet, the netdom join command, an unattended-setup answer file, and Offline Domain Join with djoin.exe, described next.

What Is Offline Domain Join?


Offline Domain Join is a feature introduced in Windows Server 2008 R2 and Windows 7, and it remains available in later versions. Both the computer that runs the provisioning step and the computer being joined must run Windows 7 / Windows Server 2008 R2 or later (the domain controller itself may be older if you add the /downlevel switch when provisioning).
The join is done in two steps. First the computer account is created (provisioned) on the domain controller and the resulting metadata, which includes the machine account password, is saved to a file. Then that file is transferred to the joining computer, which completes the join locally without any connectivity to a domain controller; the secure channel is established the first time the computer can reach a DC.

You use Djoin.exe for both steps. Run Djoin.exe /? to see the full syntax.
An example of the provisioning step, run on a domain-joined machine with an account that is allowed to create computer objects:

djoin /provision /domain Name_Of_the_Domain_To_Be_Joined /machine Client_Computer_Name /savefile File_Name.txt

and of the join step, run on the computer being joined:

djoin /requestodj /loadfile File_Name.txt /windowspath %SystemRoot% /localos

Treat the saved file as a secret: it contains the machine account password, so move it over a protected channel and delete it once the join has completed.
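An added example, not code from the original page, that shows the three join methods side by side: the online join with Add-Computer, the same with netdom, and the offline join with djoin, followed by a secure-channel check. The domain corp.example, the OU, the join account and the machine name WS-0042 are assumptions.

```powershell
# Added example (not part of the original page). Domain, OU, account and
# machine names are assumptions.

# 1. Online join from the client: place the computer object in a chosen OU
#    and restart. Get-Credential prompts for an account allowed to join.
Add-Computer -DomainName 'corp.example' `
             -OUPath 'OU=Workstations,DC=corp,DC=example' `
             -Credential (Get-Credential 'CORP\joinaccount') `
             -Restart

# 2. The same with the classic tool, run as a local administrator on the client
netdom join $env:COMPUTERNAME /domain:corp.example /userd:CORP\joinaccount /passwordd:* /reboot

# 3. Offline domain join (Windows 7 / Server 2008 R2 and later)
#    a) on a domain-joined machine, with rights to create computer objects:
djoin /provision /domain corp.example /machine WS-0042 /machineou 'OU=Workstations,DC=corp,DC=example' /savefile C:\odj\WS-0042.txt

#    b) copy the blob to the new machine and apply it there; /windowspath is
#       the target's own Windows directory. The blob holds the machine account
#       password, so transfer it over a protected channel and delete it after.
djoin /requestodj /loadfile C:\odj\WS-0042.txt /windowspath $env:SystemRoot /localos
Restart-Computer

# After any of the three, confirm the secure channel to a DC is up
Test-ComputerSecureChannel -Verbose
```

Steps 1 and 2 are alternatives, each run on the client; step 3a runs on an already-joined machine and 3b on the new one. Test-ComputerSecureChannel returns $true once the computer has authenticated to a domain controller with its machine account.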

What Is Server Core?


Server Core is a minimal server installation option for computers running on the Windows
Server 2008 R2 operating system. Server Core provides a low-maintenance environment
capable of providing core server roles.
Server Core is designed to provide an environment that reduces:

Servicing requirements

Management requirements

Attack surface

Disk space usage

To accomplish its core, critical roles, the Server Core installation option only installs the
binaries required by its supported roles. For example, the Explorer shell is not installed with
Server Core. Instead, the Server Core user interface is the command prompt.
When configured, Server Core can be managed locally and remotely using Windows
PowerShell, by using a terminal server connection from a command line, as well as remotely,
by using the Microsoft Management Console (MMC) or command line tools that support
remote usage.

How to configure settings for server core?


One of the first tasks an administrator must do after building a Windows
Server Core machine is set the network address and configure the machine
name and domain membership. There are command line tools for all of
those individual features but Microsoft included a useful command called
sconfig that allows you to quickly configure basic server settings.

Simply type in sconfig on the command prompt and follow the on screen
instructions:

Using Server Configuration you will be able to:

Configure machine name.

Join a domain or set workgroup name.

Configure local administrator accounts.

Configure Remote Management settings.

Enable Automatic Windows Update.

Manually install Windows Updates.

Enable/Disable Remote Desktop.

Configure Network Settings such as IP address and DNS servers.

Set the date and time.

Logoff, restart and shutdown the server.
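The sconfig menu items above, done with PowerShell cmdlets instead, which is how a Server Core build is scripted. This is an added example, not code from the original page; the interface selection, addresses, computer name, time zone, domain and join account are assumptions.

```powershell
# Added example (not part of the original page): the sconfig tasks as
# cmdlets. Addresses, names and domain below are assumptions.

# Network settings: static address, gateway and DNS pointed at a domain
# controller, on the first connected adapter
$nic = Get-NetAdapter | Where-Object Status -eq 'Up' | Select-Object -First 1
New-NetIPAddress -InterfaceIndex $nic.ifIndex -IPAddress 10.0.0.20 -PrefixLength 24 -DefaultGateway 10.0.0.1
Set-DnsClientServerAddress -InterfaceIndex $nic.ifIndex -ServerAddresses 10.0.0.10

# Date and time: set the zone; time itself comes from the domain after joining
tzutil /s 'W. Europe Standard Time'

# Remote management: WinRM for PowerShell remoting (the normal way to run
# a Core box), and RDP only if you need it, keeping Network Level
# Authentication switched on
Enable-PSRemoting -Force
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' -Name fDenyTSConnections -Value 0
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name UserAuthentication -Value 1
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Computer name and domain membership in one step, then restart
Add-Computer -DomainName 'corp.example' -NewName 'CORE01' `
             -Credential (Get-Credential 'CORP\joinaccount') -Restart
```

After the restart, manage the server from another machine with Enter-PSSession CORE01 or by pointing MMC consoles at it; nothing here needs the local console again.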

How to convert server core to gui?


Windows Server 2012 Core boasts many enticing enhancements, including a reduced installation footprint, attack surface and management overhead. Features on Demand allows the administrator to remove roles and features which are not needed, to reduce the disk space the installation requires. By default the binaries for every feature are stored in the %windir%\winsxs directory, but administrators can run Uninstall-WindowsFeature <featurename> -Remove to delete the files associated with that feature from the winsxs store. A feature removed in this way can only be installed again from an external source (the -Source parameter), which is exactly the situation described below.
If you installed the Server Core edition or have removed the Server-Gui-Shell feature from Windows Server 2012 and want to convert to the full GUI, you have some additional tasks that you will need to perform. I attempted to just execute the widely published PowerShell command to convert to the full GUI and received the following message.
The installation froze for some time at this stage before showing the error message.

The error message says it cannot find the source files to perform the installation.

I was building a new lab environment and didnt have the ability to stage the installation files on the
network, but that is an option. My environment was inside a Hyper-V environment on my Windows 8
system, so I needed to pull the files from the disk. As you know the installation files are located inside
the \sources\install.wim file. To get the full GUI running, I performed the following steps:

1. Mount the Windows Server 2012 ISO to the host (here it appears as drive D:).

2. Open an administrative command prompt.

3. mkdir c:\mount

4. dism /mount-wim /wimfile:d:\sources\install.wim /index:4 /mountdir:c:\mount /readonly
(index 4 is the image that contains the full GUI on this ISO; run dism /get-wiminfo /wimfile:d:\sources\install.wim to list the indexes on yours)

5. powershell (enter a PowerShell prompt)

6. Install-WindowsFeature Server-Gui-Mgmt-Infra,Server-Gui-Shell -Restart -Source c:\mount\windows\winsxs

How to Turn the GUI Off and On in Windows Server 2012?

When Server Core originally shipped, a lot of Windows admins avoided it because you could
only use the command line, but this changes with Windows Server 2012 which enabled the use
of a hybrid mode.
Turning the GUI Off
In Windows Server 2012 (Windows Server 8 while it was in preview) the GUI has kept with the modular nature of recent Windows Server operating systems and in turn has become a Feature. This makes removing the GUI very easy. To get started, launch Server Manager.

Click on Manage, and then select Remove Roles or Features from the menu.

Click next to skip past the before you begin page, then select your server from the server pool
and click next.

Since the GUI is not a Role, we can just click next again to skip past the Roles section.

When you reach the Features page, you need to uncheck the box next to the User Interfaces
and Infrastructure option, and then click next.

Now tick the Restart Destination Server box, then click remove.

The GUI will now be removed.

After the binaries are removed your server will automatically reboot.

Once it comes back up, and you log in, you will only be able to use the command line.

Turning the GUI On


Once the GUI has been turned off, you will want to know how to get it back. To do this we use
SConfig, so go ahead and type SConfig into the command line and hit enter.

You can see near the bottom of the screen that we can use 12 to Restore the GUI, so type 12
and hit enter.

You will be warned that enabling the GUI requires a reboot, click the yes button.

That will kick off DISM which will start to add the binaries for the GUI Shell.

When its finished you will be asked if you would like to restart the computer now, type y and hit
enter to reboot.
GUI Off with PowerShell
You can do the same thing as we did in the GUI much quicker with a PowerShell cmdlet. To do
so, open Server Manager, click on Tools and launch PowerShell.

We can use the Remove-WindowsFeature cmdlet to remove the feature:


Remove-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra
Since Remove-WindowsFeature is just an alias, you could also use:
Uninstall-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra

Not long after you have hit the enter key, the removal will begin.

When it's done, you will be notified that you need to restart your server to complete the process, which can be easily done from the current PowerShell window by running:
shutdown -r -t 0

When your machine restarts you will only have the command line to work with .

GUI On with PowerShell


The first thing we need to do is get into PowerShell, so type PowerShell and hit enter.

Now we need to use the Add-WindowsFeature to add the components back:


Add-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra
Again this is just an alias for:
Install-WindowsFeature Server-Gui-Shell, Server-Gui-Mgmt-Infra

When it's done, we will need to restart our server by using the shutdown command:

shutdown -r -t 0

When your server reboots you will have the GUI back.

How to establish a broken trust of member computer with active


directory?

Earlier this week I saw a situation in which someone with a small, single-domain controller
network performed a restoration of their domain controller. This restoration effectively
reverted the Active Directory to a previous version. In doing so, they accomplished basically
the same thing that they would have if they had performed an authoritative restoration on a
domain controller in a larger organization.
Although the restore operation succeeded, it had some unforeseen consequences. After the
restoration, all of the other servers in the domain displayed an error message at log in. This
error message stated that the trust relationship between the workstation and the primary
domain failed. You can see the actual error message in Figure 1.

Figure 1. An authoritative domain controller restoration can trigger this error on workstations and member servers.

The reason why this problem happens is because of a "password mismatch." Passwords
are typically thought of as something that is assigned to a user account. However, in Active
Directory environments each computer account also has an internal password. If the copy
of the computer account password that is stored within the member server gets out of sync
with the password copy that is stored on the domain controller then the trust relationship will
be broken as a result.

So how can you fix this error? Unfortunately, the simplest fix isn't always the best option.
The easy fix is to blow away the computer account within the Active Directory Users and
Computers console and then rejoin the computer to the domain. Doing so reestablishes the
broken-trust relationship. This approach works really well for workstations, but it can do
more harm than good if you try it on a member server.
The reason for this has to do with the way that some applications use Active Directory. Take Exchange Server, for example. Exchange Server stores messages in a mailbox database residing on a mailbox server, but this is the only significant data that is stored locally on the Exchange Server. All of the Exchange Server configuration data is stored within Active Directory. In fact, it is possible to completely rebuild a failed Exchange Server from scratch (aside from the mailbox database) simply by making use of the configuration data that is stored in Active Directory. The reason I mention this particular example is that the configuration is tied to the server's computer object: the object's group memberships (Exchange Servers, Exchange Trusted Subsystem), its SPNs and the attributes set on it, and the references to it from the configuration partition. So with that in mind, imagine that a trust relationship was accidentally broken and you decided to fix the problem by deleting the Exchange Server's computer account and rejoining the computer to the domain. The new computer object has a new SID, so none of those memberships and references match it any more, and there would still be orphaned references to the old computer account scattered elsewhere in Active Directory (you can see these references by using the ADSIEdit tool). In other words, getting rid of a computer account can cause some pretty serious problems for your applications.
A better approach is to simply reset the computer account, which keeps the existing object and everything attached to it. To do so, open the Active Directory Users and Computers console and select the Computers container (or whichever OU holds the computer). Right click on the computer that you are having trouble with. Select the Reset Account command from the shortcut menu, as shown in Figure 2. When you do, you will see a prompt asking you if you are sure that you want to reset the computer account. Click Yes and the computer account will be reset. Resetting sets the account password back to its initial value, which the member does not yet know, so you then rejoin the computer to the domain; because the computer object still exists it is reused rather than recreated. If you would rather not rejoin at all, reset the password from the member itself with netdom resetpwd, which updates both the local secret and the directory in one step.

Figure 2. You can reset the computer account through the Active Directory Users and Computers console.

In case you are wondering, computer accounts can also be reset through PowerShell (version 2 or higher). The cmdlet used for doing so is Reset-ComputerMachinePassword, run on the affected computer: it generates a new machine account password and writes it both locally and to the domain controller, so no rejoin is needed. Use -Server to choose the DC and -Credential to supply a domain account, since domain logons to the member fail while the trust is broken. From PowerShell 3.0 on, Test-ComputerSecureChannel tells you whether the channel really is broken and, with -Repair, does the same reset.
In my experience, broken trust relationships probably aren't something that you will have to worry about on a day-to-day basis, but they can happen as a result of using backup software or imaging software to revert a server to a previous state. When this happens, the best course of action is to reset the computer account rather than delete it.
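An added example, not from the original article, showing how to diagnose and repair the broken secure channel from the member itself without deleting or recreating the computer object. Log on with a local administrator account; the domain name, DC name and credential prompt are assumptions.

```powershell
# Added example (not part of the original page). Run on the member whose
# trust is broken, logged on as a local administrator. DC01 and the
# CORP\Administrator account are assumptions.

# Is the secure channel healthy? Returns $true or $false, with -Verbose
# showing which DC it tried.
Test-ComputerSecureChannel -Verbose

# A domain account allowed to reset the password of this computer object
$cred = Get-Credential 'CORP\Administrator'

# Repair in place (PowerShell 3.0 and later): a new machine account password
# is set here and on the DC, so the existing computer object and everything
# tied to it (group memberships, SPNs, attributes) stay intact
Test-ComputerSecureChannel -Repair -Server DC01 -Credential $cred

# The cmdlet named in the article does the same reset without the health check
# Reset-ComputerMachinePassword -Server DC01 -Credential $cred

# Pre-PowerShell-3.0 alternative with the same effect
# netdom resetpwd /server:DC01 /userd:CORP\Administrator /passwordd:*

# Confirm the repair took; a restart is not required
Test-ComputerSecureChannel
```

The repair writes the new password to the named DC; other DCs learn it through replication, which is why a freshly repaired member can still fail against a distant DC for a few minutes. Pointing -Server at the DC the member normally authenticates to avoids that window.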

What Is Domain re-Join?

Is it possible to rename a domain controller?


I know renaming an AD server hostname sounds bad and seems like a bad idea, but in some cases you have to, and that is why, as a server admin, you need to take time and think about what the domain and hostnames should be for the company before you promote anything.
But mistakes happen (sometimes in my class also, grrrr) or you just have a bunch of clients whose AD hostnames need to be changed. For example, in this exercise I want to show you how to rename an AD server hostname from LON-DC1.adatum.com to MIZI01.cpx.local.
If your domain controllers are running Windows Server 2012 you are good to go, because renaming a domain controller with netdom computername is supported from the Windows Server 2003 domain functional level on.
** Domain controllers configured as a Certificate Authority (CA) cannot be renamed.
So, let's get started.

1. What I have is a Windows Server 2012 DC called LON-DC1.adatum.com, and I am going to rename it to MIZI01.cpx.local. This server's previous domain name was adatum.com; if you want to know how to change the domain name, please refer to my last post here: https://mizitechinfo.wordpress.com/2013/06/10/simple-guide-how-to-rename-domain-name-inwindows-server-2012/

2. Next, open CMD as administrator. The syntax is: netdom computername <currentDC FQDN> /add:<newDCName FQDN>
So in your CMD, type: netdom computername LON-DC1.adatum.com /add:MIZI01.cpx.local
This registers the new name as an alternate computer name, with its own DNS records and SPNs, while the old name keeps working. Allow the new name to replicate to all domain controllers and DNS servers before going on.

3. After you get "The command completed successfully", the next syntax is: netdom computername <currentDC FQDN> /makeprimary:<newDCName FQDN>
So in your CMD, type: netdom computername LON-DC1.adatum.com /makeprimary:MIZI01.cpx.local
After you get "The command completed successfully", restart your server.

4. After your Windows Server 2012 domain server reboots, go to System Properties and confirm that the new server hostname is listed.

5. Next, open CMD and the next syntax is: netdom computername <newDCName FQDN> /remove:<oldDCName FQDN>
This command removes the old server hostname, which is LON-DC1. So in your CMD type: netdom computername MIZI01.cpx.local /remove:LON-DC1.adatum.com and press enter. Only do this once every client and DC can resolve and use the new name; anything still pointed at the old one breaks at this point.

6. Your last step: confirm that your domain server is running without any issue. In CMD run this command: dcdiag, and check that no test reports as failed.

Is it possible to rename a domain name?


Server admins familiar with Windows Server 2000 and 2003 may still remember the RENDOM utility, which is used to rename a Windows 2000 or 2003 domain and had to be installed manually.
But in a Windows Server 2012 domain you don't have to install the Rendom utility separately. It gets installed as part of the Active Directory Domain Services role when you promote a server to the DC role, and it can be found here: %windir%\system32\rendom.exe.
In this simple guide I will show you how to rename a domain in Windows Server 2012. The process is straightforward, but as usual, back up any necessary information and servers before you proceed, and, as I always advise my students, please do this exercise in a lab environment (Hyper-V). Don't simply take the risk of doing this in a production environment unless you have to! Two more cautions: domain rename is not supported in a forest where Exchange Server is installed, and every member workstation and server must be restarted twice after the rename before the old name is cleaned up.
For this exercise, I'm using the MCT courseware from 20410B (Installing and Configuring Windows Server 2012).
The existing domain is ADATUM.COM and I will rename it to CPX.LOCAL.
** For those who want to build your own AD and try this exercise, please refer to my previous post https://mizitechinfo.wordpress.com/2013/06/09/simple-guide-how-to-built-active-directory-inwindows-server-2012/.
So, let get started
1. Open System Properties and check your existing domain name. In my Windows Server 2012 system properties the existing domain name is Adatum.com; this will be changed to cpx.local shortly.

2. Next, open the Server Manager dashboard, go to Tools and click DNS to open DNS Manager.

3. In DNS Manager you must create a new DNS zone (cpx.local). This makes sure that after the whole process completes, your member servers and Windows clients can join the new domain name.
** To create the new DNS zone, right-click Forward Lookup Zones and click New Zone.

4. On the Welcome to the New Zone Wizard page, just click Next.

5. On Zone Type, click Primary Zone and click Next.

6. On Active Directory Zone Replication Scope, click To all DNS servers running on domain controllers in this domain: Adatum.com and click Next.

7. In Zone Name, key in your new domain name; my new domain name is cpx.local.

8. On Dynamic Update, click Allow only secure dynamic updates (recommended for Active Directory), and click Next.

9. On Completing the New Zone Wizard, click Finish to complete the process.

10. In DNS Manager, you can see my new domain name is listed (cpx.local).

11. Next, open Command Prompt as administrator.

12. In CMD, type rendom /list and press enter. This command generates a state file named Domainlist.xml, which contains the current forest configuration.

13. Next, open Explorer and browse to the C:\Users\Administrator folder to get your Domainlist.xml (it is written to the current directory of the prompt).

14. Once you see Domainlist.xml, right-click the file name and choose Edit. I am going to change the DNSname and NetBiosName values in this Domainlist.xml file.

15. Once Domainlist.xml is open, you can see the existing domain names; change each existing domain name to the new domain name, as in the picture:

16. Once you have changed to the new domain name, make sure you save the Domainlist.xml file.

17. After you save the Domainlist.xml file, close it and return to CMD. In CMD, type rendom /showforest. This shows the potential changes; this step does not make any changes.

18. Next, type rendom /upload. This uploads the rename instructions (Domainlist.xml) to the configuration directory partition on the domain controller holding the domain naming operations master role, and freezes the forest configuration until rendom /end is run.

19. Next, type rendom /prepare. This verifies the readiness of each DC in the forest to carry out the rename instructions. It must contact all DCs successfully and return no errors before you proceed to the next step.

20. Next, type rendom /execute. This verifies the readiness of all DCs again and then performs the rename action on each one.
** Remember there will be a service interruption during this process. Each DC restarts automatically once it has applied the rename.

21 Once your DC Server restarted, log in using the new Domain name as administrator.

22 Next, after you successfully log in, open System Properties and check your old Domain Name is
now gone.. replace by new Domain name

23. Next, open CMD again and type gpfixup /olddns:adatum.com /newdns:cpx.local. This refreshes all intradomain references and links to Group Policy objects that embed the old DNS name.

24. Next, type gpfixup /oldnb:ADATUM /newnb:CPX. The /oldnb and /newnb values are the old and new NetBIOS domain names as set in Domainlist.xml, not the DC hostname.

25. Restart every member workstation and server twice so that they pick up the new domain name, then type rendom /clean. This removes references to the old domain name from AD.

26. Next, type rendom /end. This unfreezes the forest configuration and allows further changes. It was frozen during the rendom /upload step.

27. Next, open DNS Manager and click your newly created zone (cpx.local). Here you can see your own IP listed, but we still have a long way to go to make sure this DNS zone is working.

28. Next, turn on your client PC; for this exercise I'm using Windows 8 as a client. Open System Properties and join the new domain (cpx.local). In case you get an error, don't get scared! Just click OK, and when the Windows Security box shows up key in administrator and the domain password and click OK (Welcome to the cpx.local domain). Refer to the pictures.

29. After Windows 8 restarts, log in as a domain administrator.

30. Once you log in, double-check the Windows 8 System Properties. Now your Windows 8 has successfully joined the new domain (cpx.local).

31. Now, go to the Server 2012 and open DNS Manager; you can see that your Windows 8 client is now listed in DNS.

32. You can also check in Active Directory Users & Computers that your Windows 8 client is now listed as well.

Why are the group accounts necessary in active directory?
A group is a collection of user and computer accounts, contacts and other groups that can
be managed as a single unit. Users and computers that belong to a particular group are
referred to as group members.
Using groups can simplify administration by assigning a common set of permissions and
rights to many accounts at once, rather than assigning permissions and rights to each
account individually. For an overview of permissions and rights, see Access control overview.
Groups can be either directory-based or local to a particular computer. Groups in Active
Directory are directory objects that reside within a domain and organizational unit container
objects. Active Directory provides a set of default groups upon installation, and also allows
the option to create groups. For more information, see Default groups.
Local groups, which exist on local computers and not in Active Directory, are discussed
in Default local groups.
Groups in Active Directory allow you to:

Simplify administration by assigning permissions on a shared resource to a group, rather than to individual users. This assigns the same access on the resource to all members of that group.

Delegate administration by assigning user rights once to a group through Group Policy, and then adding the members that you want to have the same rights to the group.

Create e-mail distribution lists. For more information, see Group types.

Groups are characterized by their scope and their type. The scope of a group determines the
extent to which the group is applied within a domain or forest. For information about group
scope, see Group scope. The group type determines whether a group can be used to assign
permissions from a shared resource (for security groups) or if a group can be used for e-mail
distribution lists only (for distribution groups). For information about security groups and
distribution groups, see Group types.
There are also groups for which you cannot modify or view the memberships. These groups
are referred to as special identities and are used to represent different users at different
times, depending on the circumstances. For example, the Everyone group represents all
current network users, including guests and users from other domains. For more information,
see Special identities.

What are the different types of groups?


There are two types of groups in Active Directory: distribution groups and security groups.
You can use distribution groups to create e-mail distribution lists and security groups to
assign permissions to shared resources.

Distribution groups
Distribution groups can be used only with e-mail applications (such as Exchange) to send e-mail to collections of users. Distribution groups are not security-enabled, which means that they cannot be listed in discretionary access control lists (DACLs). If you need a group for controlling access to shared resources, create a security group.

Security groups
Used with care, security groups provide an efficient way to assign access to resources on
your network. Using security groups, you can:

Assign user rights to security groups in Active Directory


User rights are assigned to security groups to determine what members of that group can do within the scope of a domain (or forest). User rights are automatically assigned to some security groups at the time Active Directory is installed to help administrators define a person's administrative role in the domain. For example, a user who is added to the Backup Operators group in Active Directory has the ability to back up and restore files and directories located on each domain controller in the domain.

This is possible because by default, the user rights Back up files and
directories and Restore files and directories are automatically assigned to the Backup
Operators group. Therefore, members of this group inherit the user rights assigned to
that group. For more information about user rights, see User rights. For more
information about the user rights assigned to security groups, see Default groups.
You can assign user rights to security groups, using Group Policy, to help delegate
specific tasks. You should always use discretion when assigning delegated tasks
because an untrained user assigned too many rights on a security group can
potentially cause significant harm to your network. For more information,
see Delegating administration. For more information about assigning user rights to
groups, see Assign user rights to a group in Active Directory.

Assign permissions to security groups on resources


Permissions should not be confused with user rights. Permissions are assigned to the
security group on the shared resource. Permissions determine who can access the
resource and the level of access, such as Full Control. Some permissions set on
domain objects are automatically assigned to allow various levels of access to default
security groups such as the Account Operators group or the Domain Admins group.
For more information about permissions, see Access control in Active Directory.
Security groups are listed in DACLs that define permissions on resources and objects.
When assigning permissions for resources (file shares, printers, and so on),
administrators should assign those permissions to a security group rather than to
individual users. The permissions are assigned once to the group, instead of several
times to each individual user. Each account added to a group receives the rights
assigned to that group in Active Directory and the permissions defined for that group
at the resource.

What are the different types of group scopes?

Group scope
Any group, whether it is a security group or a distribution group, is characterized by a scope
that identifies the extent to which the group is applied in the domain tree or forest. The
boundary, or reach, of a group scope is also determined by the domain functional level
setting of the domain in which it resides. There are three group scopes: universal, global,
and domain local.
The following table describes the differences between the scopes of each group.

Group scope: Universal
  Group can include as members:
    - Accounts from any domain within the forest in which this Universal Group resides
    - Global groups from any domain within the forest in which this Universal Group resides
    - Universal groups from any domain within the forest in which this Universal Group resides
  Group can be assigned permissions in: Any domain or forest
  Group scope can be converted to:
    - Domain local
    - Global (as long as no other universal groups exist as members)

Group scope: Global
  Group can include as members:
    - Accounts from the same domain as the parent global group
    - Global groups from the same domain as the parent global group
  Group can be assigned permissions in: Member permissions can be assigned in any domain
  Group scope can be converted to:
    - Universal (as long as it is not a member of any other global groups)

Group scope: Domain local
  Group can include as members:
    - Accounts from any domain
    - Global groups from any domain
    - Universal groups from any domain
    - Domain local groups, but only from the same domain as the parent domain local group
  Group can be assigned permissions in: Member permissions can be assigned only within the same domain as the parent domain local group
  Group scope can be converted to:
    - Universal (as long as no other domain local groups exist as members)
When to use groups with domain local scope


Groups with domain local scope help you define and manage access to resources within a
single domain. For example, to give five users access to a particular printer, you can add all
five user accounts in the printer permissions list. If, however, you later want to give the five
users access to a new printer, you must again specify all five accounts in the permissions list
for the new printer.
With a little planning, you can simplify this routine administrative task by creating a group
with domain local scope and assigning it permission to access the printer. Put the five user
accounts in a group with global scope, and then add this group to the group having domain
local scope. When you want to give the five users access to a new printer, assign the group
with domain local scope permission to access the new printer. All members of the group with
global scope automatically receive access to the new printer.
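The routine just described, as an added example using the ActiveDirectory PowerShell module (this is not code from the original page): the group names, OU path, user names, domain NetBIOS name and the file share that stands in for the printer are all assumptions.

```powershell
# Added example: the AGDLP pattern (Accounts -> Global group -> Domain Local
# group -> Permission). Every name below is an assumed placeholder.
Import-Module ActiveDirectory

$ou        = 'OU=Groups,DC=corp,DC=example'       # assumed OU for new groups
$sharePath = '\\fs01\Finance'                      # assumed resource (a share instead of a printer)
$users     = 'alice','bob','carol','dave','erin'   # assumed sAMAccountNames of the five users

# 1. A global group holds the accounts; membership churn stays inside the domain.
New-ADGroup -Name 'GLAccounting' -SamAccountName 'GLAccounting' `
    -GroupCategory Security -GroupScope Global -Path $ou `
    -Description 'Accounting staff (global scope)'
Add-ADGroupMember -Identity 'GLAccounting' -Members $users

# 2. A domain local group is the only principal the resource ACL will reference.
New-ADGroup -Name 'DL_Finance_Modify' -SamAccountName 'DL_Finance_Modify' `
    -GroupCategory Security -GroupScope DomainLocal -Path $ou `
    -Description 'Modify access to \\fs01\Finance (domain local scope)'

# 3. Nest the global group inside the domain local group.
Add-ADGroupMember -Identity 'DL_Finance_Modify' -Members 'GLAccounting'

# 4. Grant the permission once, to the domain local group. A new resource later
#    only needs this step repeated; the user accounts are never touched again.
$acl  = Get-Acl -Path $sharePath
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
    -ArgumentList 'CORP\DL_Finance_Modify', 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $sharePath -AclObject $acl

# Verification: list the effective members of the domain local group, resolved
# through the nested global group, to confirm who actually received access.
Get-ADGroupMember -Identity 'DL_Finance_Modify' -Recursive |
    Select-Object Name, SamAccountName, objectClass
```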

When to use groups with global scope


Use groups with global scope to manage directory objects that require daily maintenance,
such as user and computer accounts. Because groups with global scope are not replicated
outside their own domain, you can change accounts in a group having global scope
frequently without generating replication traffic to the global catalog. For more information
about groups and replication, see How replication works.
Although rights and permissions assignments are valid only within the domain in which they
are assigned, by applying groups with global scope uniformly across the appropriate
domains, you can consolidate references to accounts with similar purposes. This simplifies
and rationalizes group management across domains. For example, in a network with two
domains, Europe and UnitedStates, if you have a group with global scope called
GLAccounting in the UnitedStates domain, create a group called GLAccounting in the Europe
domain (unless the accounting function does not exist in the Europe domain).
It is strongly recommended that you use global groups or universal groups instead of domain
local groups when you specify permissions on domain directory objects that are replicated to
the global catalog. For more information, see Global catalog replication.

Note

When the domain functional level is set to Windows 2000 mixed, members of global groups can i

When to use groups with universal scope


Use groups with universal scope to consolidate groups that span domains. To do this, add
the accounts to groups with global scope, and then nest these groups within groups that
have universal scope. When you use this strategy, any membership changes in the groups
that have global scope do not affect the groups with universal scope.
For example, in a network with two domains, Europe and UnitedStates, and a group that has
global scope called GLAccounting in each domain, create a group with universal scope called
UAccounting that has as its members the two GLAccounting groups,
UnitedStates\GLAccounting and Europe\GLAccounting. The UAccounting group can then be
used anywhere in the enterprise. Any changes in the membership of the individual
GLAccounting groups will not cause replication of the UAccounting group.
If the forest functional level is Windows Server 2003 or higher, changes to the membership
of universal groups are replicated to each global catalog server using linked-value
replication. This means that only the changed membership is replicated, rather than the
entire group. If the forest functional level is lower than Windows Server 2003, you should not
change the membership of a group with universal scope frequently because any changes to
these group memberships cause the entire membership of the group to be replicated to
every global catalog in the forest. For more information about universal groups and
replication, see Global catalogs and sites. For more information about linked value
replication, see How the Active Directory Replication Model Works.

Note

When the domain functional level is set to Windows 2000 mixed, you cannot create security grou

Changing group scope


When you create a new group, by default the new group is configured as a security group
with global scope, regardless of the current domain functional level. Although changing a
group scope is not allowed in domains with a domain functional level of Windows 2000
mixed, the following conversions are allowed in domains with the domain functional level of
Windows 2000 native or Windows Server 2003:

Global to universal. This conversion is allowed only if the group that you want to
change is not a member of another global scope group.

Domain local to universal. This conversion is allowed only if the group that you
want to change does not have another domain local group as a member.

Universal to global. This conversion is allowed only if the group that you want to
change does not have another universal group as a member.

Universal to domain local. There are no restrictions for this operation.

For more information, see Change group scope.
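An added check, not code from the original page, that applies the four conversion rules listed above to a live group before calling Set-ADGroup; the group name in the usage lines is an assumption.

```powershell
# Added example: test whether a direct scope conversion is permitted by the
# membership rules above, then perform it. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-ADGroupScopeConversion {
    param(
        [Parameter(Mandatory)] [string] $Identity,
        [Parameter(Mandatory)] [ValidateSet('Global','DomainLocal','Universal')] [string] $TargetScope
    )
    $group   = Get-ADGroup -Identity $Identity
    $current = [string] $group.GroupScope
    if ($current -eq $TargetScope) {
        Write-Warning "$Identity already has $TargetScope scope"
        return $true
    }

    # Direct members that are themselves groups, resolved so their scope is known.
    $memberGroups = Get-ADGroupMember -Identity $group |
        Where-Object objectClass -eq 'group' |
        ForEach-Object { Get-ADGroup -Identity $_ }
    # Groups this group is directly a member of.
    $parentGroups = Get-ADPrincipalGroupMembership -Identity $group

    # The blocking condition for each allowed conversion; anything else is not a
    # direct conversion the rules permit (e.g. global -> domain local).
    $blockers = switch ("$current->$TargetScope") {
        'Global->Universal'      { $parentGroups | Where-Object GroupScope -eq 'Global' }
        'DomainLocal->Universal' { $memberGroups | Where-Object GroupScope -eq 'DomainLocal' }
        'Universal->Global'      { $memberGroups | Where-Object GroupScope -eq 'Universal' }
        'Universal->DomainLocal' { @() }
        default { throw "Conversion $current -> $TargetScope is not a supported direct conversion" }
    }

    if ($blockers) {
        $names = ($blockers | ForEach-Object Name) -join ', '
        Write-Warning "Cannot convert $Identity from $current to ${TargetScope}: blocked by $names"
        return $false
    }
    return $true
}

# Usage with an assumed group name: convert only when the rules allow it.
if (Test-ADGroupScopeConversion -Identity 'GLAccounting' -TargetScope Universal) {
    Set-ADGroup -Identity 'GLAccounting' -GroupScope Universal
}
```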

Groups on client computers and stand-alone servers

Some group features, such as universal groups, group nesting, and the distinction between
security groups and distribution groups, are available only on Active Directory domain
controllers and member servers. Group accounts on Windows 2000 Professional, Windows XP
Professional, Windows 2000 Server, and stand-alone servers running Windows Server 2003
work the same way as in Windows NT 4.0:

Only local groups can be created locally on the computer.

A local group that is created on one of these computers can be assigned permissions
only on that one computer.

What is group nesting in Active Directory?


Nesting groups
Using nesting, you can add a group as a member of another group. You nest groups to
consolidate member accounts and reduce replication traffic.
Nesting options depend on whether the domain functionality of your Windows Server 2003
domain is set to Windows 2000 native or Windows 2000 mixed.
By default, when you nest a group within another group, user rights are inherited. For example, if
you make Group_1 a member of Group_2, users in Group_1 have the same permissions as the
users in Group_2.
Groups in domains set to the Windows 2000 native functional level or distribution groups in
domains set to the Windows 2000 mixed functional level can have the following members:

Groups with universal scope can have the following members: accounts,
computer accounts, other groups with universal scope, and groups with
global scope from any domain.

Groups with global scope can have the following members: accounts from the
same domain and other groups with global scope from the same domain.

Groups with domain local scope can have the following members: accounts,
groups with universal scope, and groups with global scope, all from any
domain. This group can also have as members other groups with domain
local scope from within the same domain.

Security groups in domains set to the Windows 2000 mixed functional level are restricted to the
following types of membership:

Groups with global scope can have as their members only accounts.

Groups with domain local scope can have as their members other groups with
global scope and accounts.

Security groups with universal scope cannot be created in domains with the domain functional
level set to Windows 2000 mixed because universal scope is supported only in domains where
the domain functional level is set to Windows 2000 native or Windows Server 2003.

Note

You cannot add the default groups that are located in the Builtin container as members to other groups. Ho
located in the Builtin container.
