DNS in TCP/IP
For more information, and to view logical diagrams illustrating how DNS fits with other Windows Server 2003 technologies, see "How DNS Works" in this collection.
By default, Windows Server 2003 DNS is used for all name resolution in a Windows Server 2003 network. In the most typical scenario, when a user on a Windows Server 2003 network specifies the name of a network host or an Internet DNS domain name, the DNS Client service running on the user's Windows Server 2003 computer contacts a DNS server to resolve the name to an IP address.
A lingering object is an object that is present on one replica, but on another replica
it has been deleted and removed from the directory by the garbage collection
process.
[Table: "Action / Explanation" for lingering objects. Only one row is recoverable: "Unintended ... Use repadmin to delete the lingering object on a domain controller that is ..." (truncated). A second table, "Replication consistency / Explanation", lists the settings Loose and Strict; the explanation cells did not survive extraction.]
Syntax:
Repadmin /removelingeringobjects <Dest_DC_LIST> <Source DC GUID> <NC> [/ADVISORY_MODE]
Parameters:
<Dest_DC_LIST>
<Source DC GUID>
<NC>
/ADVISORY_MODE  Read-only mode.
During lingering object removal, Event ID 1937 is logged to the Directory Service log. This information includes the source domain controller, the objects that are removed, and a total count of all the objects that are removed.
LDAP Service
LDAP (Lightweight Directory Access Protocol) is an Internet protocol that email and other programs use to look up information from a server. A client connects to the server, known as the Directory System Agent (DSA), which by default listens on TCP port 389. After the connection is established, the client and server exchange packets of data.
SID
A Security Identifier (commonly abbreviated SID) is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life, and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "John" to "Jane") without affecting the security attributes of objects that refer to the principal.
SIDs are useful for troubleshooting issues with security audits, Windows server and domain migrations.
The format of a SID can be illustrated using the following example: "S-1-5-21-3623811015-3361044348-30300820-1013":
S: the string is a SID.
1: the revision level.
5: the identifier authority value.
21-3623811015-3361044348-30300820: the domain (or local computer) identifier.
1013: the relative identifier (RID) of the principal within that domain.
Identifier authority values:
0: Null Authority
1: World Authority
2: Local Authority
3: Creator Authority
4: Non-unique Authority
5: NT Authority
9: Resource Manager Authority
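As an added example (not code from the page), a small parser for the SID format described above: it splits the string into revision, identifier authority and sub-authorities, recovers the domain identifier and RID for S-1-5-21 SIDs, and converts to and from the binary SID layout found in tokens, ACLs and forensic images. Assumed beyond the page: the binary layout (revision byte, sub-authority count byte, 6-byte big-endian authority, then little-endian 32-bit sub-authorities) and the name for authority 16, which the page lists only by its integrity-level SIDs.

```python
import struct
from dataclasses import dataclass

# Identifier authority values from the table above (S-1-<authority>-...).
IDENTIFIER_AUTHORITIES = {
    0: "Null Authority",
    1: "World Authority",
    2: "Local Authority",
    3: "Creator Authority",
    4: "Non-unique Authority",
    5: "NT Authority",
    9: "Resource Manager Authority",
    16: "Mandatory Label Authority",  # assumed name; the page only lists S-1-16-* entries
}

# A few well-known domain-relative RIDs (S-1-5-21-<domain>-<RID>) taken from the list on this page.
WELL_KNOWN_DOMAIN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "KRBTGT",
    512: "Domain Admins", 513: "Domain Users", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}

RID_MAX = (1 << 30) - 1  # RIDs are 30 bits wide: 1,073,741,823 is the top of the pool


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int
    sub_authorities: tuple

    @classmethod
    def parse(cls, text):
        """Parse the textual S-R-A-S1-...-Sn form; raises ValueError on malformed input."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError(f"not a SID string: {text!r}")
        revision = int(parts[1])
        auth_text = parts[2]
        authority = int(auth_text, 16) if auth_text.lower().startswith("0x") else int(auth_text)
        subs = tuple(int(p) for p in parts[3:])
        # Revision is always 1; at most 15 sub-authorities, each a 32-bit value.
        if revision != 1 or len(subs) > 15 or any(not 0 <= s <= 0xFFFFFFFF for s in subs):
            raise ValueError(f"malformed SID: {text!r}")
        return cls(revision, authority, subs)

    def __str__(self):
        return "-".join(["S", str(self.revision), str(self.authority), *map(str, self.sub_authorities)])

    @property
    def authority_name(self):
        return IDENTIFIER_AUTHORITIES.get(self.authority, "unknown authority")

    @property
    def is_domain_sid(self):
        # S-1-5-21-<three 32-bit values> identifies a domain or local computer; a fifth value is the RID.
        return self.authority == 5 and self.sub_authorities[:1] == (21,) and len(self.sub_authorities) in (4, 5)

    @property
    def rid(self):
        return self.sub_authorities[-1] if self.is_domain_sid and len(self.sub_authorities) == 5 else None

    @property
    def domain(self):
        return Sid(1, 5, self.sub_authorities[:4]) if self.is_domain_sid else None

    def to_bytes(self):
        # Binary layout (assumed): Revision (1), SubAuthorityCount (1), IdentifierAuthority (6, big-endian),
        # followed by each sub-authority as a little-endian 32-bit value.
        header = struct.pack("<BB", self.revision, len(self.sub_authorities))
        auth = self.authority.to_bytes(6, "big")
        subs = b"".join(struct.pack("<I", s) for s in self.sub_authorities)
        return header + auth + subs

    @classmethod
    def from_bytes(cls, data):
        revision, count = struct.unpack_from("<BB", data, 0)
        authority = int.from_bytes(data[2:8], "big")
        subs = struct.unpack_from("<" + "I" * count, data, 8)
        return cls(revision, authority, tuple(subs))


def describe(text):
    """Summarise a SID the way an analyst reads it: authority, domain part, RID and well-known name."""
    sid = Sid.parse(text)
    info = {"sid": str(sid), "authority": sid.authority_name}
    if sid.rid is not None:
        info["domain"] = str(sid.domain)
        info["rid"] = sid.rid
        info["well_known"] = WELL_KNOWN_DOMAIN_RIDS.get(sid.rid)
        info["rid_in_range"] = sid.rid <= RID_MAX
    return info


if __name__ == "__main__":
    # The example SID from the text above.
    print(describe("S-1-5-21-3623811015-3361044348-30300820-1013"))
    print(Sid.parse("S-1-5-21-3623811015-3361044348-30300820-500").to_bytes().hex())
```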
If the SAM file is missing at startup, a backup is retrieved in hexadecimal form here:
Service SIDs
Service SIDs are a feature of service isolation, a security feature introduced
in Windows Vista and Windows Server 2008.[7] Any service with the "unrestricted"
SID-type property will have a service-specific SID added to the access token of the
service host process.
The purpose of Service SIDs is to allow permissions for a single service to be
managed without necessitating the creation of service accounts, an administrative
overhead.
Each service SID is a local, machine-level SID generated from the service name
using the following formula:
S-1-5-80-{SHA-1(service name in upper case)}
The sc.exe utility can be used to generate an arbitrary service SID:
sc.exe showsid dnscache
NAME: dnscache
SERVICE SID: S-1-5-80-859482183-879914841-863379149-1145462774-2388618682
STATUS: Active
The service can also be referred to as NT SERVICE\<service_name> (e.g. "NT
SERVICE\dnscache").
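Computing the value that sc.exe showsid reports from the formula above, as an added example (not code from the page or from Microsoft). It assumes, since the page does not spell this out, that the hash input is the upper-cased service name encoded as UTF-16LE and that the 20-byte digest is read as five little-endian 32-bit sub-authorities; the check against the dnscache SID shown above is what confirms the assumption.

```python
import hashlib


def service_sid(service_name):
    """Derive the NT SERVICE\\<name> SID: S-1-5-80-{SHA-1(service name in upper case)}.

    Assumed encoding: SHA-1 over the upper-cased name in UTF-16LE, digest split into
    five little-endian unsigned 32-bit sub-authorities.
    """
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subs = [int.from_bytes(digest[i:i + 4], "little") for i in range(0, 20, 4)]
    return "S-1-5-80-" + "-".join(str(s) for s in subs)


def is_per_service_sid(sid_text):
    """True for S-1-5-80-<five values>; S-1-5-80-0 (All Services) is the group, not a per-service SID."""
    parts = sid_text.strip().split("-")
    return len(parts) == 9 and parts[:4] == ["S", "1", "5", "80"] and parts[4:] != ["0"]


def service_sid_matches(service_name, sid_text):
    """Check a SID seen in an ACL or access token against the name it should have been derived from.

    Useful when auditing service isolation: the SID is not stored anywhere for the name, so the
    only way to attribute S-1-5-80-... back to a service is to recompute it.
    """
    return is_per_service_sid(sid_text) and service_sid(service_name) == sid_text.strip()


if __name__ == "__main__":
    print("dnscache ->", service_sid("dnscache"))
```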
SID: S-1-0
Name: Null Authority
Description: An identifier authority.
SID: S-1-0-0
Name: Nobody
Description: No security principal.
SID: S-1-1
Name: World Authority
Description: An identifier authority.
SID: S-1-1-0
Name: Everyone
Description: A group that includes all users, even anonymous users and guests. Membership is
controlled by the operating system.
Note By default, the Everyone group no longer includes anonymous users on a computer that is
running Windows XP Service Pack 2 (SP2).
SID: S-1-2
Name: Local Authority
Description: An identifier authority.
SID: S-1-2-0
Name: Local
Description: A group that includes all users who have logged on locally.
SID: S-1-2-1
Name: Console Logon
Description: A group that includes users who are logged on to the physical console.
Note Added in Windows 7 and Windows Server 2008 R2
SID: S-1-3
Name: Creator Authority
Description: An identifier authority.
SID: S-1-3-0
Name: Creator Owner
Description: A placeholder in an inheritable access control entry (ACE). When the ACE is
inherited, the system replaces this SID with the SID for the object's creator.
SID: S-1-3-1
Name: Creator Group
Description: A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces
this SID with the SID for the primary group of the object's creator. The primary group is used only
by the POSIX subsystem.
SID: S-1-3-2
Name: Creator Owner Server
Description: This SID is not used in Windows 2000.
SID: S-1-3-3
Name: Creator Group Server
Description: This SID is not used in Windows 2000.
SID: S-1-3-4
Name: Owner Rights
Description: A group that represents the current owner of the object. When an ACE that carries
this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC
permissions for the object owner.
SID: S-1-5-13
Name: Terminal Server User
Description: A group that includes all users that have logged on to a Terminal Services server. Membership is controlled by the operating system.
SID: S-1-5-14
Name: Remote Interactive Logon
Description: A group that includes all users who have logged on through a terminal services
logon.
SID: S-1-5-15
Name: This Organization
Description: A group that includes all users from the same organization. Only included with AD
accounts and only added by a Windows Server 2003 or later domain controller.
SID: S-1-5-17
Name: This Organization
Description: An account that is used by the default Internet Information Services (IIS) user.
SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system.
SID: S-1-5-19
Name: NT Authority
Description: Local Service
SID: S-1-5-20
Name: NT Authority
Description: Network Service
SID: S-1-5-21-domain-500
Name: Administrator
Description: A user account for the system administrator. By default, it is the only user account
that is given full control over the system.
SID: S-1-5-21-domain-501
Name: Guest
Description: A user account for people who do not have individual accounts. This user account
does not require a password. By default, the Guest account is disabled.
SID: S-1-5-21-domain-502
Name: KRBTGT
Description: A service account that is used by the Key Distribution Center (KDC) service.
SID: S-1-5-21-domain-512
Name: Domain Admins
Description: A global group whose members are authorized to administer the domain. By default,
the Domain Admins group is a member of the Administrators group on all computers that have
joined a domain, including the domain controllers. Domain Admins is the default owner of any
object that is created by any member of the group.
SID: S-1-5-21-domain-513
Name: Domain Users
Description: A global group that, by default, includes all user accounts in a domain. When you
create a user account in a domain, it is added to this group by default.
SID: S-1-5-21-domain-514
Name: Domain Guests
Description: A global group that, by default, has only one member, the domain's built-in Guest
account.
SID: S-1-5-21-domain-515
Name: Domain Computers
Description: A global group that includes all clients and servers that have joined the domain.
SID: S-1-5-21-domain-516
Name: Domain Controllers
Description: A global group that includes all domain controllers in the domain. New domain
controllers are added to this group by default.
SID: S-1-5-21-domain-517
Name: Cert Publishers
Description: A global group that includes all computers that are running an enterprise
certification authority. Cert Publishers are authorized to publish certificates for User objects in
Active Directory.
SID: S-1-5-21-root domain-518
Name: Schema Admins
Description: A universal group in a native-mode domain; a global group in a mixed-mode
domain. The group is authorized to make schema changes in Active Directory. By default, the
only member of the group is the Administrator account for the forest root domain.
SID: S-1-5-21-root domain-519
Name: Enterprise Admins
Description: A universal group in a native-mode domain; a global group in a mixed-mode
domain. The group is authorized to make forest-wide changes in Active Directory, such as adding
child domains. By default, the only member of the group is the Administrator account for the
forest root domain.
SID: S-1-5-21-domain-520
Name: Group Policy Creator Owners
Description: A global group that is authorized to create new Group Policy objects in Active
Directory. By default, the only member of the group is Administrator.
SID: S-1-5-21-domain-553
Name: RAS and IAS Servers
Description: A domain local group. By default, this group has no members. Servers in this group
have Read Account Restrictions and Read Logon Information access to User objects in the Active
Directory domain local group.
SID: S-1-5-32-544
Name: Administrators
Description: A built-in group. After the initial installation of the operating system, the only
member of the group is the Administrator account. When a computer joins a domain, the Domain
Admins group is added to the Administrators group. When a server becomes a domain controller,
the Enterprise Admins group also is added to the Administrators group.
SID: S-1-5-32-545
Name: Users
Description: A built-in group. After the initial installation of the operating system, the only
member is the Authenticated Users group. When a computer joins a domain, the Domain Users
group is added to the Users group on the computer.
SID: S-1-5-32-546
Name: Guests
Description: A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account.
SID: S-1-5-32-547
Name: Power Users
Description: A built-in group. By default, the group has no members. Power users can create local
users and groups; modify and delete accounts that they have created; and remove users from
the Power Users, Users, and Guests groups. Power users also can install programs; create,
manage, and delete local printers; and create and delete file shares.
SID: S-1-5-32-548
Name: Account Operators
Description: A built-in group that exists only on domain controllers. By default, the group has no
members. By default, Account Operators have permission to create, modify, and delete accounts
for users, groups, and computers in all containers and organizational units of Active Directory
except the Builtin container and the Domain Controllers OU. Account Operators do not have
permission to modify the Administrators and Domain Admins groups, nor do they have
permission to modify the accounts for members of those groups.
SID: S-1-5-32-549
Name: Server Operators
Description: A built-in group that exists only on domain controllers. By default, the group has no
members. Server Operators can log on to a server interactively; create and delete network
shares; start and stop services; back up and restore files; format the hard disk of the computer;
and shut down the computer.
SID: S-1-5-32-550
Name: Print Operators
Description: A built-in group that exists only on domain controllers. By default, the only member
is the Domain Users group. Print Operators can manage printers and document queues.
SID: S-1-5-32-551
Name: Backup Operators
Description: A built-in group. By default, the group has no members. Backup Operators can back
up and restore all files on a computer, regardless of the permissions that protect those files.
Backup Operators also can log on to the computer and shut it down.
SID: S-1-5-32-552
Name: Replicators
Description: A built-in group that is used by the File Replication service on domain controllers. By
default, the group has no members. Do not add users to this group.
SID: S-1-5-64-10
Name: NTLM Authentication
Description: A SID that is used when the NTLM authentication package authenticated the client.
SID: S-1-5-64-14
Name: SChannel Authentication
Description: A SID that is used when the SChannel authentication package authenticated the
client.
SID: S-1-5-64-21
Name: Digest Authentication
Description: A SID that is used when the Digest authentication package authenticated the client.
SID: S-1-5-80
Name: NT Service
Description: An NT Service account prefix.
SID: S-1-5-80-0 (NT SERVICE\ALL SERVICES)
Name: All Services
Description: A group that includes all service processes that are configured on the system. Membership is controlled by the operating system.
Note Added in Windows Server 2008 R2
SID: S-1-5-83-0
Name: NT VIRTUAL MACHINE\Virtual Machines
Description: A built-in group. The group is created when the Hyper-V role is installed. Membership
in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the
"Create Symbolic Links" right (SeCreateSymbolicLinkPrivilege), and also the "Log on as a
Service" right (SeServiceLogonRight).
Note Added in Windows 8 and Windows Server 2012
SID: S-1-16-0
Name: Untrusted Mandatory Level
Description: An untrusted integrity level.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-16-4096
Name: Low Mandatory Level
Description: A low integrity level.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-16-8192
Name: Medium Mandatory Level
Description: A medium integrity level.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-16-8448
Name: Medium Plus Mandatory Level
Description: A medium plus integrity level.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-16-12288
Name: High Mandatory Level
Description: A high integrity level.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-16-16384
Name: System Mandatory Level
Description: A system integrity level.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-16-20480
Name: Protected Process Mandatory Level
Description: A protected-process integrity level.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-16-28672
Name: Secure Process Mandatory Level
Description: A secure process integrity level.
SID: S-1-5-32-554
Name: BUILTIN\Pre-Windows 2000 Compatible Access
Description: An alias added by Windows 2000. A backward compatibility group which allows read
access on all users and groups in the domain.
SID: S-1-5-32-555
Name: BUILTIN\Remote Desktop Users
Description: An alias. Members in this group are granted the right to logon remotely.
SID: S-1-5-32-556
Name: BUILTIN\Network Configuration Operators
Description: An alias. Members in this group can have some administrative privileges to manage
configuration of networking features.
SID: S-1-5-32-557
Name: BUILTIN\Incoming Forest Trust Builders
Description: An alias. Members of this group can create incoming, one-way trusts to this forest.
SID: S-1-5-32-558
Name: BUILTIN\Performance Monitor Users
Description: An alias. Members of this group have remote access to monitor this computer.
SID: S-1-5-32-559
Name: BUILTIN\Performance Log Users
Description: An alias. Members of this group have remote access to schedule logging of
performance counters on this computer.
SID: S-1-5-32-560
Name: BUILTIN\Windows Authorization Access Group
Description: An alias. Members of this group have access to the computed
tokenGroupsGlobalAndUniversal attribute on User objects.
SID: S-1-5-32-561
Name: BUILTIN\Terminal Server License Servers
Description: An alias. A group for Terminal Server License Servers. When Windows Server 2003
Service Pack 1 is installed, a new local group is created.
SID: S-1-5-32-562
Name: BUILTIN\Distributed COM Users
Description: An alias. A group for COM to provide computerwide access controls that govern
access to all call, activation, or launch requests on the computer.
The following groups appear as SIDs until a Windows Server 2008 or Windows Server 2008 R2 domain
controller is made the primary domain controller (PDC) operations master role holder. The "operations
master" is also known as flexible single master operations (FSMO). The following additional built-in
groups are created when a Windows Server 2008 or Windows Server 2008 R2 domain controller is
added to the domain:
SID: S-1-5-32-569
Name: BUILTIN\Cryptographic Operators
Description: A Builtin Local group. Members are authorized to perform cryptographic operations.
SID: S-1-5-32-573
Name: BUILTIN\Event Log Readers
Description: A Builtin Local group. Members of this group can read event logs from local
machine.
SID: S-1-5-32-574
Name: BUILTIN\Certificate Service DCOM Access
Description: A Builtin Local group. Members of this group are allowed to connect to Certification
Authorities in the enterprise.
The following groups appear as SIDs until a Windows Server 2012 domain controller is made the
primary domain controller (PDC) operations master role holder. The "operations master" is also known
as flexible single master operations (FSMO). The following additional built-in groups are created when a
Windows Server 2012 domain controller is added to the domain:
SID: S-1-5-21-domain-522
Name: Cloneable Domain Controllers
Description: A Global group. Members of this group that are domain controllers may be cloned.
SID: S-1-5-32-575
Name: BUILTIN\RDS Remote Access Servers
Description: A Builtin Local group. Servers in this group enable users of RemoteApp programs
and personal virtual desktops access to these resources. In Internet-facing deployments, these
servers are typically deployed in an edge network. This group needs to be populated on servers
running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the
deployment need to be in this group.
SID: S-1-5-32-576
Name: BUILTIN\RDS Endpoint Servers
Description: A Builtin Local group. Servers in this group run virtual machines and host the sessions in which users' RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.
SID: S-1-5-32-577
Name: BUILTIN\RDS Management Servers
Description: A Builtin Local group. Servers in this group can perform routine administrative
actions on servers running Remote Desktop Services. This group needs to be populated on all
servers in a Remote Desktop Services deployment. The servers running the RDS Central
Management service must be included in this group.
SID: S-1-5-32-578
Name: BUILTIN\Hyper-V Administrators
Description: A Builtin Local group. Members of this group have complete and unrestricted access
to all features of Hyper-V.
SID: S-1-5-32-579
Name: BUILTIN\Access Control Assistance Operators
Description: A Builtin Local group. Members of this group can remotely query authorization
attributes and permissions for resources on this computer.
SID: S-1-5-32-580
Name: BUILTIN\Remote Management Users
Description: A Builtin Local group. Members of this group can access WMI resources over
management protocols (such as WS-Management via the Windows Remote Management
service). This applies only to WMI namespaces that grant access to the user.
RID
In a Windows Active Directory (AD) domain, the process of generating unique Relative IDs (RIDs) is a
single-master operation that's assigned to one specific domain controller (DC). This DC is then referred
to as the RID master of the domain.
The RID master gives a pool of RIDs to each of the other DCs in the domain and keeps track of the sets
of allocated RIDs for each DC. The domain-level RID pool controlled by the RID master can hold
approximately one billion RIDs.
RIDs are never reused because the RID can't be reclaimed after a security principal is deleted. Reusing
a RID could lead to unauthorized access to resources if the resources' access control settings referred
to previously issued security IDs (SIDs) and RIDs.
To reduce the chance of running out of RIDs, you can increase the number of RIDs that are allocated by
the RID master to each DC's RID pool by adjusting the RID Block Size value (REG_DWORD) on the RID
master DC. The RID Block Size value is located in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values
Users, computers, and groups stored in Active Directory are collectively known as security
principals. Each security principal is assigned a unique alphanumeric string called a SID. The SID
includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID)
that uniquely identifies the security principal within the domain. The RID is a monotonically increasing
number at the end of the SID.
Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller
that holds the RID master role (also known as flexible single master operations or FSMO) in each Active
Directory domain. The RID master (also known as the RID pool manager, RID manager, or RID
operations master) is responsible for issuing a unique RID pool to each domain controller in its domain.
By default, RID pools are obtained in increments of 500. Since RIDs are 30 bits in length, a maximum of 1,073,741,824 (2^30) security principals can be created in an Active Directory domain. Newly
promoted domain controllers must acquire a RID pool before they can advertise their availability to
Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID
allocations in order to continue creating security principals when their current RID pool becomes
depleted.
An authoritative restore consists of running NTDSUTIL after the restore is complete. Running NTDSUTIL updates the USNs (update sequence numbers) so that they are greater than those of any other domain controller to which the machine formerly replicated. After restoring authoritatively, the domain controller replicates its changes to the other domain controllers, updating them to the point at which the backup was taken. Use this option if a number of users were accidentally deleted from Active Directory.
In NTDSUTIL.EXE, enter "activate instance ntds", then "authoritative restore", then "restore subtree" or "restore object" followed by the path (distinguished name) of the subtree or object.
A Non-Authoritative restore is any System State restore, Active Directory or not, overwriting the
System State to the point at which it was backed up. This is the recommended way of fully
restoring a machine from a File-by-File backup. If the machine's registry is damaged or corrupt,
but bootable into "Safe Mode," the machine may have its System State restored instead of reinstalling the operating system.
A primary restore is performed on the first domain controller of a domain that is being entirely rebuilt, when no other domain controllers are present on the network. You may also use this type of restore when the machine is the only functioning server in a replicated data set. For instance, the SYSVOL directory is a replicated data set, as it is automatically replicated to other domain controllers via the File Replication service.
Get Domain Functional Level using dsquery:
dsquery * "DC=lab,DC=local" -scope base -attr msDS-Behavior-Version ntMixedDomain
Conversion table (msDS-Behavior-Version, ntMixedDomain):
0, 0 = Windows 2000 Native
0, 1 = Windows 2000 Mixed
2, 0 = Windows 2003
3, 0 = Windows 2008
4, 0 = Windows 2008 R2
5, 0 = Windows 2012
Get the Active Directory Schema version using dsquery:
dsquery * "CN=Schema,CN=Configuration,DC=lab,DC=local" -scope base -attr objectVersion
13 = Windows 2000 Server
30 = Windows Server 2003 RTM, Windows Server 2003 with Service Pack 1, Windows Server 2003 with
Service Pack 2
31 = Windows Server 2003 R2
44 = Windows Server 2008 RTM
47 = Windows Server 2008 R2
56 = Windows Server 2012 RTM
Schema information: definitional details about the objects and attributes that one can store in AD. Replicates to all domain controllers. Static in nature.
Configuration information: configuration data about the forest and trees. Replicates to all domain controllers. As static as your forest is.
Domain information: object information for a domain. Replicates to all domain controllers within the domain. The object portion becomes part of the Global Catalog.
Application partition: information about applications in Active Directory. E.g. when AD-integrated DNS is used there are two application partitions for DNS zones, ForestDNSZones and DomainDNSZones.
Aging
Aging is a feature that allows stale DNS records to be identified. It uses two intervals, and a DNS record is considered stale once both have elapsed.
Scavenging
Scavenging is a feature that allows the cleanup and removal of stale resource records in DNS zones.
stub zones
A stub zone is a copy of a zone that contains only those resource records necessary to identify the
authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names
between separate DNS namespaces. This type of resolution may be necessary when a corporate
merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in
both namespaces.
A stub zone consists of:
The start of authority (SOA) resource record, name server (NS) resource records, and the glue
A resource records for the delegated zone.
The IP address of one or more master servers that can be used to update the stub zone.
The master servers for a stub zone are one or more DNS servers authoritative for the child zone,
usually the DNS server hosting the primary zone for the delegated domain name.
A stub zone contains the NS records of the master zone and is updated regularly. Stub zones can be used in the following situations:
If you have multiple levels of domain hierarchy, you can use stub zones to simplify name resolution instead of having DNS servers query the root server. Stub zones can replace secondary zones when configuring fault tolerance, and they can facilitate DNS connectivity across domains. Consider this example: you have the forest contoso.com with the domain tree ny.contoso.com (with acc.ny.contoso.com as a subdomain) and sa.contoso.com (with fin.sa.contoso.com as a subdomain).
If a client in acc.ny.contoso.com tries to access resources in fin.sa.contoso.com and stub zones are not configured, multiple DNS servers have to be contacted, in the following order: acc.ny.contoso.com > ny.contoso.com > contoso.com > sa.contoso.com > fin.sa.contoso.com.
If instead a stub zone was created in acc.ny.contoso.com, it contains the list of authoritative DNS servers for the zone, and queries from acc.ny.contoso.com can be sent directly to fin.sa.contoso.com.
You could argue that the same thing can be configured through conditional forwarding, but if the DNS records change then conditional forwarding would fail. Conditional forwarding can be used in situations where you want to resolve Internet names, or if you have a DNS server in your organisation that is responsible for your entire namespace. Stub zones can be used in sites to avoid querying other DNS servers and so reduce DNS-related traffic.
Stub zones also help with delegation. For example, a parent zone contains information about a child zone, i.e. NS records for the two DNS servers configured for the child zone. If the administrator of the child zone adds additional DNS servers or changes the existing DNS infrastructure, the parent zone won't know about this change. If instead the parent DNS server is configured with a stub zone for its child zone, all changes made to the child zone's NS records become available to the parent zone.
Stub zones are dynamic, and the name servers for the zone are automatically updated in the stub zone.
The most common BSoD is displayed on an 80×25 text-mode screen, which is the operating system's way of reporting an interrupt caused by a processor exception; it is a more serious form of the general protection fault dialog boxes. The memory address of the error is given, and the error type is a hexadecimal number from 00 to 11 (0 to 17 decimal). The error codes are as follows:[17]
Problems that occur with incompatible versions of DLLs: Windows loads these DLLs into memory when they are needed by application programs; if versions are changed, the next time an application loads the DLL it may be different from what the application expects. These incompatibilities increase over time as more new software is installed, and they are one of the main reasons why a freshly installed copy of Windows is more stable than an "old" one.
Hardware incompatibilities
Schema Master/FSMO unavailable: this is not visible to users directly as users do not
need it. Only admins need this FSMO to extend the AD schema. When not available
you cannot extend the AD schema to support your custom extensions or other
extensions to support other (Microsoft) products (e.g. Exchange, OCS/Lync, etc).
These activities are not done on a day to day basis, so relatively speaking it is not
critical when not available.
Domain Naming Master/FSMO unavailable: this is not visible to users directly, as users do not need it. Only admins need this FSMO to add new partitions/naming contexts (e.g. AD domains, application partitions) and cross-references to other partitions outside the AD forest. When it is not available you cannot do what I mentioned earlier. These activities are not done on a day-to-day basis, so relatively speaking it is not critical when not available.
RID Master/FSMO unavailable: this is not visible to users directly, as users do not need it. Only admins and provisioning systems need this FSMO to be available in order to create security principals (groups, computers, users). Over time, every RWDC (RODCs do not!) has two RID pools, the current RID pool and the reserve RID pool, and each is a block of 500 RIDs. When the current RID pool is exhausted, the DC copies the value of the reserve RID pool to the current RID pool. When the current RID pool is at least 50% exhausted, the RWDC requests a new RID pool from the RID FSMO and stores the value in the reserve RID pool, and so on. When the RID FSMO is not available, RWDCs cannot request RID pools. You can still create security principals on a RWDC as long as its RID pools are not fully exhausted. When the RID pools are fully exhausted on one RWDC, you can still use any other RWDC as long as its RID pools are not fully exhausted. When the RID pools of all RWDCs in the AD domain are fully exhausted. Did you know that the domain RID pool is limited? If you did not, it actually is! The top limit is "1073741823" (over 1 billion RIDs!). Also see "RID Master FSMO Explained".
PDC Master/FSMO unavailable: the RWDC with the PDC FSMO role is the busiest FSMO, as it performs all kinds of functions. This is also the FSMO role whose loss impacts users most. The PDC FSMO performs the following functions:
[1] It acts as the central time sync authority within an AD forest (this only applies to the PDC FSMO in the forest root AD domain). For this also see "Configuring And Managing The Windows Time Service" (Parts 1 to 4).
[2] Any password changes or account lockouts that occur on any DC are communicated directly to the RWDC with the PDC FSMO over the secure channel.
[3] When a logon attempt against a RWDC fails because of an incorrect password, that RWDC checks with the RWDC hosting the PDC FSMO whether it has a newer password.
[4] Editing GPOs by default occurs against the RWDC with the PDC FSMO.
[5] When root scalability mode is not enabled (the default), DFS root servers get updates from the RWDC with the PDC FSMO. When root scalability mode is enabled, DFS root servers get updates from the closest DC instead.
[6] The PDC FSMO is the only DC that applies the password policy settings and the account lockout policy settings specified at domain level and writes the information to the domain NC.
[7] The AdminSDHolder process is not executed, so protected groups/users are not checked and their ACLs are not reconfigured if needed.
[8] If you have NT-style applications that want/need to target the PDC, those apps will probably break as soon as the PDC is not available.
For more information about FSMO failures, see "Responding to operations master failures".
not seize the operations master role if you can transfer it instead. For more information,
see Transferring operations master roles.
Note
The operations master roles are sometimes called flexible single master operations (FSMO)
roles.
Before forcing the transfer, first determine the cause and expected duration of the computer or
network failure. If the cause is a networking problem or a server failure that will be resolved soon, wait
for the role holder to become available again. If the domain controller that currently holds the role has
failed, you must determine if it can be recovered and brought back online.
In general, seizing an operations master role is a drastic step that should be considered only if the
current operations master will never be available again. The decision depends upon the role and how
long the particular role holder will be unavailable. The impact of various role holder failures is
discussed in the following topics.
A domain controller whose schema master role has been seized must never be brought back
online.
For procedures on how to seize the schema master role, see Seize the schema master role.
A domain controller whose domain naming master role has been seized must never be brought
back online.
For procedures on how to seize the domain naming master role, see Seize the domain naming master
role.
A domain controller whose RID master role has been seized must never be brought back
online.
For procedures on how to seize the RID master role, see Seize the RID master role.
For procedures on how to seize the PDC emulator role, see Seize the PDC emulator role.
soon as there is a change to any file under the Sysvol folder structure, replication is triggered and
the entire file gets replicated.
Group Policy containers are stored in Active Directory. Almost all GPO settings are stored in the GPT
(Group Policy template); the GPC only holds the reference information of the corresponding GPO, like the
GPT path, the GUID of the GPO, version information, WMI filter information, and a list of components that
have settings in the GPO. You can view the GPC from Active Directory Users and Computers (ADUC) under
\System\Policies.
The Group Policy container (GPC) is replicated through Active Directory replication.
Note: By default the Group Policy Management Editor console (GPME) uses the PDC Emulator so that all
administrators work on the same domain controller; if you want a different domain controller you can change
it through the Group Policy Management console (GPMC).
I will try to explain step by step. Let's say you modify Policy A from Server001; this is
how the change gets replicated to Server002 (Server002 is a downstream replication
partner of Server001):
1. Once you modify Policy A on Server001, the corresponding GPT folder in SYSVOL
gets updated on Server001 (the Group Policy container in Active Directory on
Server001 is updated as well).
2. NTFS updates the USN journal according to the file and folder change.
3. FRS monitors the USN journal for changes under the SYSVOL folder.
4. FRS updates the inbound log on Server001. FRS not only records the local changes
in the inbound log, it also records there the changes received from every upstream
replication partner (all inbound partners).
5. FRS creates a file in the staging folder on Server001 by using the backup APIs (backup
application programming interfaces), based on the change.
6. FRS records this change in the outbound log on Server001 and sends a change
notification to every downstream replication partner (all outbound partners).
7. Server002 gets the change notification from Server001 and stores the change order in
its inbound log. Server002 copies the staging file from Server001 to the staging folder
on Server002. Server002 then updates its outbound log so that its other outbound
partners can pick up the change.
8. Using the restore APIs, Server002 reconstructs the file or folder in the preinstall
folder, and FRS then renames the file or folder into the replica tree.
In the FRS replication process the entire changed file or folder is replicated from the
source to the destination server.
What is the NTFS USN journal?
It logs all the changes to an NTFS volume, including file creations, deletions, and
changes. There is a separate log on each NTFS volume, and it has a size limit (128 MB on
Windows Server 2003 SP2 and Windows Server 2008). If required, you can increase the
size up to 2 TB; however, MS recommends increasing it by 128 MB for every 100,000
files/folders.
What happens when the NTFS USN change journal fills up?
If the USN journal log fills up, NTFS overwrites the oldest entries. That is why, in some
scenarios, NTFS deletes entries from the USN journal before the change has been
picked up; this is called a journal wrap.
USN journal wrap error
An error that occurs when large numbers of files change so quickly that the USN
journal must remove the oldest changes (before FRS has a chance to detect the
changes) to stay within the specified size limit. To resolve this issue you have to
perform a non-authoritative restore, also called D2.
Morphed folder
A replication conflict occurs if identically named directories are created on different
servers. To resolve this conflict FRS creates a folder, and this folder is called a morphed
folder.
Let's say two identical directories are created on different replication members. FRS
identifies the conflict during replication, and the receiving member protects the
original copy of the folder and renames (morphs) the later inbound copy of the
folder. The morphed folder names have a suffix of _NTFRS_xxxxxxxx, where
xxxxxxxx represents eight random hexadecimal digits.
Version vector join (vvjoin)
Until now we have been discussing SYSVOL replication between existing members. How
does SYSVOL replication work for a newly added replication partner? A newly added
replication member does not have any updates and has to build the folder structure from
the beginning. This process is called vvjoin, in which a downstream partner joins with an
upstream partner for the first time.
Vvjoin is a CPU-intensive operation that can affect the performance of the server
and increase the replication traffic.
Distributed File System (DFS)
Now we come to the point: how SYSVOL replicates using DFS and how it has been
improved to provide better replication performance. To use this feature you need the
Windows Server 2008 domain functional level, which means all domain controllers have
to be Windows Server 2008.
SYSVOL replication using DFS is called DFS-Replicated SYSVOL (DFSR).
DFSR is a multimaster replication engine; changes that occur on one of the
replication members are replicated to all of the other servers in the replication
group.
DFSR also monitors the NTFS update sequence number (USN) journal to detect
changes on the volume, and DFSR replicates the changes only after the file is
closed.
Before sending or receiving a file, DFSR uses a staging folder to stage the file.
On any change in the SYSVOL share, FRS replicates the entire file, unlike DFSR: DFSR
replicates only the changed blocks and not the entire file, which sounds like attribute-
level Active Directory replication. It compares the source and destination file using
remote differential compression (RDC), which reduces the SYSVOL replication traffic.
Other differences between DFSR and FRS
DFSR and journal wraps: DFSR also monitors the NTFS change journal, but DFSR
always heals itself, hence no journal wrap error.
Morphed files and folders are automatically taken care of.
FRS silently fails if the volume SYSVOL resides on has < 1 GB of free space.
DFSR copies the changes to files and folders, not entire files and folders.
It uses version vector tables to confirm the changes and also to resolve conflicts.
It supports read-only replication on particular members, on which users cannot add or
change files.
You can also make the changes to the SYSVOL folder of an RODC.
DFSR does not require the version vector join (vvjoin) operation.
DNS. The Domain Name System (DNS) resolves DNS names to IP addresses. Active
Directory replication topology requires that DNS is properly designed and deployed so
that domain controllers can correctly resolve the DNS names of replication partners.
DNS also stores service (SRV) resource records that provide site affinity information
to clients searching for domain controllers, including domain controllers that are
searching for replication partners. Every domain controller registers these records so
that they can be located according to site.
RPC. Active Directory replication requires IP connectivity and RPC to transfer updates
between replication partners within sites. RPC is required for replication between two
sites containing domain controllers in the same domain, but SMTP is an alternative
where RPC cannot be used and domain controllers for the same domain are all
located in one site so that intersite replication of domain data is not required.
There are 2 types of replication:
1> AD replication
2> Sysvol replication
AD replication uses RPC.
Sysvol uses the DFS Replication (DFSR) service if the domain is at the 2008 functional level and all
DCs run Windows Server 2008 or a higher OS version. If the domain functional level is 2003, Sysvol
uses the NT File Replication Service (NTFRS).
The File Replication Service is responsible for replication of the Sysvol folders and of distributed
file system content between replica servers. It replicates whatever changes happen to Sysvol to
the replica servers. The ntdutil command line tool is used to monitor the replication process.
Below the 2008 R2 Forest Functional Level (FFL) --> "Windows File Replication Service".
After raising the FFL to at least 2008 R2 and then migrating your SYSVOL folder from "File
Replication Service" to "Distributed File System Replication (DFS-R)", another service will be
found on the DC, which is DFSR, the "Distributed File System Replication service".
Replication must often occur both (intrasite) within sites and (Intersite) between sites to keep domain
and forest data consistent among domain controllers that store the same directory partitions.
Intrasite replication or Replication within site:
The KCC creates separate replication topologies to transfer Active Directory updates within a site
and between all configured sites in the forest. The connections that are used for replication within
sites are created automatically with no additional configuration. Intrasite replication takes advantage
of LAN network speeds by providing replication as soon as changes occur, without the overhead of
data compression, thus maximizing CPU efficiency. Intrasite replication connections form a ring
topology with extra shortcut connections where needed to decrease latency. The fast replication of
updates within sites facilitates timely updates of domain data. In deployments where large
datacenters constitute hub sites for the centralization of mission-critical operations, directory
consistency is critical.
requirements. Site link settings can be managed to optimize replication routing over WAN links. The
connections that are created between sites form a spanning tree for each directory partition in the
forest, merging where common directory partitions can be replicated over the same connection.
What is FRS?
File Replication service (FRS) is related to Active Directory replication because it requires the Active
Directory replication topology. FRS is a multimaster replication service that is used to replicate files
and folders in the system volume (SYSVOL) shared folder on domain controllers and in Distributed
File System (DFS) shared folders. FRS works by detecting changes to files and folders and then
replicating the updated files and folders to other replica members, which are connected in a
replication topology.
FRS uses the replication topology that is generated by the KCC to replicate the SYSVOL files to all
domain controllers in the domain. SYSVOL files are required by all domain controllers for Active
Directory to function.
SMTP
Simple Mail Transfer Protocol (SMTP) is a packaging protocol that can be used
as an alternative to the remote procedure call (RPC) replication transport.
SMTP can be used to transport nondomain replication over IP networks in
mail-message format. Where networks are not fully routed, e-mail is
sometimes the only transport method available.
Replication transports provide the wire protocols that are required for data
transfer. There are three levels of connectivity for replication of Active
Directory information:
Uniform high-speed, synchronous RPC over IP within a site.
Point-to-point, synchronous, low-speed RPC over IP between sites.
Low-speed, asynchronous SMTP between sites.
Replication between sites can use either RPC over IP or SMTP over IP.
Replication between sites over SMTP is supported for only domain
controllers of different domains. Domain controllers of the same domain must
replicate by using the RPC over IP transport. Therefore, replication between
sites over SMTP is supported for only schema, configuration, and global
catalog replication, which means that domains can span sites only when
point-to-point, synchronous RPC is available between sites.
What is FRS?
The File Replication service (FRS) is a multi-threaded, multi-master replication
engine that replaces the LMREPL (LanMan Replication) service in the 3.x/4.0
versions of Microsoft Windows NT. Windows 2000 domain controllers and
servers use FRS to replicate system policy and logon scripts, located in the
System Volume (Sysvol), for Windows 2000 and earlier clients.
FRS can also replicate content between Windows 2000 servers hosting the
same fault-tolerant Distributed File System (DFS) roots or child node replicas.
In Windows Server 2008 and Windows Server 2012 Active Directory, FRS has been
replaced by DFS Replication (DFSR).
changes to files and folders in FRS-replicated trees may have taken place
while the service was turned off, and no record of the change exists in the
USN journal. To guard against data inconsistency, FRS asserts into a journal
wrap state.
Protocol      | UDP | TCP
LDAP          | 389 | 389
LDAP (SSL)    |     | 636
LDAP (GC)     |     | 3268
Kerberos      | 88  | 88
DNS           | 53  | 53
SMB over IP   | 445 | 445
LDAP queries start at port 3268 and after that go to 389.
636 is LDAP over SSL.
2. Synchronizes a specified domain controller with all replication partners, and reports whether
the sync was successful or not:
repadmin /syncall /e
repadmin /syncall /Aped
A (all partitions), P (push), e (enterprise), d (distinguished names)
3. Forces the KCC on the targeted domain controller(s) to immediately recalculate its inbound
replication topology:
repadmin /kcc *
4. Finds the last time your DCs were backed up, by reading the DSASignature attribute from all
servers:
repadmin /showbackup *
6. Displays the inbound replication requests that the domain controller has to issue to become
consistent with its source replication partners:
repadmin /queue *
8. Identifies domain controllers that are failing inbound replication or outbound replication, and
summarizes the results in a report:
repadmin /replsummary
9. Displays calls made by the specified server to other servers that have not yet been answered:
repadmin /showoutcalls *
12. Displays a list of failed replication events detected by the Knowledge Consistency Checker
(KCC):
repadmin /failcache *
14. Displays the replication features for a directory partition on a domain controller:
repadmin /bind *
15. Dcdiag analyzes the state of domain controllers in a forest or enterprise and reports any
problems to help in troubleshooting:
dcdiag /c /e /v
Protocol and Port   | AD and AD DS Usage                                                  | Type of traffic
TCP 25              | Replication                                                         | SMTP
TCP 42              | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS
TCP 135             | Replication                                                         | RPC, EPM
TCP 137             |                                                                     |
TCP 139             |                                                                     |
TCP and UDP 389     |                                                                     | LDAP
TCP 636             |                                                                     | LDAP SSL
TCP 3268            |                                                                     | LDAP GC
TCP 3269            |                                                                     | LDAP GC SSL
TCP and UDP 88      |                                                                     | Kerberos
TCP and UDP 53      |                                                                     | DNS
TCP and UDP 445     |                                                                     |
TCP 9389            | AD DS Web Services                                                  | SOAP
TCP 5722            | File Replication                                                    |
TCP and UDP 464     |                                                                     |
UDP 123             | Windows Time                                                        |
UDP 137             |                                                                     | NetLogon, NetBIOS Name Resolution
UDP 138             |                                                                     | DFSN, NetLogon, NetBIOS Datagram Service
UDP 67 and UDP 2535 |                                                                     |
If the server name is dcsA, the domain name is corp.mycompany.com, and the DC uses the IP address
10.19.174.98, then the resource records (RRs) created during the installation process will be:
dcsA.corp.mycompany.com. A 10.19.174.98
_ldap._tcp.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com
_kerberos._tcp.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com
_ldap._tcp.dc._msdcs.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com
_kerberos._tcp.dc._msdcs.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com
If you don't see these records in DNS for each DC, you need to manually correct or add them.
The NetLogon Service will register various SRV DNS records for the DC depending on what services or
capabilities the system hosts:
(Note: SITE is the name of a site. The name of the forest is mycompany.com. GUID is a placeholder for
the actual globally unique identifier for the domain.)
_ldap._tcp.corp.mycompany.com
(used for finding an LDAP server) - registered by all DCs and servers
_ldap._tcp.SITE._sites.corp.mycompany.com
(used for finding an LDAP server in a particular site) - registered by all DCs
_ldap._tcp.dc._msdcs.corp.mycompany.com
(used for finding a DC in a particular domain) - registered by all DCs
_ldap._tcp.SITE._sites.dc._msdcs.corp.mycompany.com
(used for finding a DC in a particular domain and site) - registered by all DCs
_ldap._tcp.pdc._msdcs.corp.mycompany.com
(used for finding the PDC or PDC emulator) - registered by PDCs and PDC emulators
_ldap._tcp.gc._msdcs.mycompany.com
(used for finding a Global Catalog server in the forest) - registered by Global Catalog servers
_ldap._tcp.SITE._sites.gc._msdcs.mycompany.com
(used for finding a Global Catalog server for a particular site) - registered by all Global Catalog servers
_gc._tcp.mycompany.com
(used for finding a Global Catalog server) - registered by an LDAP server serving a GC server
_gc._tcp.SITE._sites.mycompany.com
(used for finding a Global Catalog server in a particular site) - registered by an LDAP server serving a GC
server
_ldap._tcp.GUID.domains._msdcs.mycompany.com
(used for finding a domain using a GUID; used only if the domain name has been changed) - registered
by all DCs
_kerberos._tcp.corp.mycompany.com
(used for finding a Kerberos Key Distribution Center (KDC) in the domain) - registered by all servers
with Kerberos
_kerberos._udp.corp.mycompany.com
(used for finding a KDC in the domain using UDP) - registered by all servers with Kerberos
_kerberos._tcp.SITE._sites.corp.mycompany.com
(used for finding a KDC in the domain and site) - registered by all servers with Kerberos
_kerberos._tcp.dc._msdcs.corp.mycompany.com
(used for finding a KDC in the domain) - registered by all DCs with Kerberos
_kerberos._tcp.SITE._sites.dc._msdcs.corp.mycompany.com
(used for finding a DC with KDC in the domain and site) - registered by all DCs with Kerberos
_kpasswd._tcp.corp.mycompany.com
(used for finding a KDC that changes passwords on Kerberos in the domain) - registered by all servers
with Kerberos
_kpasswd._udp.corp.mycompany.com
(used for finding a KDC that changes passwords on Kerberos in the domain using UDP) - registered by
all servers with Kerberos
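The record sets just listed, turned into a check: this added example (not code from the original page) builds the records one DC should have registered, given its roles, and diffs them against a zone dump so that missing DC locator records show up the way the text says they must be corrected. It uses the sample names from the text (dcsA, corp.mycompany.com, mycompany.com, 10.19.174.98); the site name, the zone dump and the function names are constructed, and the dump deliberately omits one record.

```python
LDAP, KERBEROS, KPASSWD, GC = 389, 88, 464, 3268


def expected_dc_records(dc_name, domain, forest, site, ip, is_pdc=False, is_gc=False):
    """Return the set of zone-file style records this DC should have registered."""
    fqdn = f"{dc_name}.{domain}"
    records = {f"{fqdn}. A {ip}"}          # host record created at installation

    def srv(owner, port):
        # Priority and weight 0 0, as in the sample records in the text.
        records.add(f"{owner}. SRV 0 0 {port} {fqdn}")

    # Registered by every DC of the domain: generic, site-specific and _msdcs forms.
    srv(f"_ldap._tcp.{domain}", LDAP)
    srv(f"_ldap._tcp.{site}._sites.{domain}", LDAP)
    srv(f"_ldap._tcp.dc._msdcs.{domain}", LDAP)
    srv(f"_ldap._tcp.{site}._sites.dc._msdcs.{domain}", LDAP)
    srv(f"_kerberos._tcp.{domain}", KERBEROS)
    srv(f"_kerberos._udp.{domain}", KERBEROS)
    srv(f"_kerberos._tcp.{site}._sites.{domain}", KERBEROS)
    srv(f"_kerberos._tcp.dc._msdcs.{domain}", KERBEROS)
    srv(f"_kerberos._tcp.{site}._sites.dc._msdcs.{domain}", KERBEROS)
    srv(f"_kpasswd._tcp.{domain}", KPASSWD)
    srv(f"_kpasswd._udp.{domain}", KPASSWD)
    # Role-dependent records: PDC emulator and Global Catalog.
    if is_pdc:
        srv(f"_ldap._tcp.pdc._msdcs.{domain}", LDAP)
    if is_gc:
        srv(f"_ldap._tcp.gc._msdcs.{forest}", GC)
        srv(f"_ldap._tcp.{site}._sites.gc._msdcs.{forest}", GC)
        srv(f"_gc._tcp.{forest}", GC)
        srv(f"_gc._tcp.{site}._sites.{forest}", GC)
    return records


def parse_zone_dump(text):
    """Normalise a zone dump to one whitespace-collapsed record per line, no comments."""
    records = set()
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()   # drop zone-file comments
        if line:
            records.add(" ".join(line.split()))
    return records


def missing_records(expected, zone_records):
    """Records the DC should own that the zone does not contain (sorted for stable output)."""
    return sorted(expected - zone_records)


# Constructed zone dump for the demo; the _msdcs Kerberos SRV record is deliberately absent.
SAMPLE_ZONE = """
; corp.mycompany.com (constructed dump)
dcsA.corp.mycompany.com.                                            A   10.19.174.98
_ldap._tcp.corp.mycompany.com.                                      SRV 0 0 389 dcsA.corp.mycompany.com
_ldap._tcp.Default-First-Site-Name._sites.corp.mycompany.com.       SRV 0 0 389 dcsA.corp.mycompany.com
_ldap._tcp.dc._msdcs.corp.mycompany.com.                            SRV 0 0 389 dcsA.corp.mycompany.com
_ldap._tcp.Default-First-Site-Name._sites.dc._msdcs.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com
_ldap._tcp.pdc._msdcs.corp.mycompany.com.                           SRV 0 0 389 dcsA.corp.mycompany.com
_kerberos._tcp.corp.mycompany.com.                                  SRV 0 0 88 dcsA.corp.mycompany.com
_kerberos._udp.corp.mycompany.com.                                  SRV 0 0 88 dcsA.corp.mycompany.com
_kerberos._tcp.Default-First-Site-Name._sites.corp.mycompany.com.   SRV 0 0 88 dcsA.corp.mycompany.com
_kerberos._tcp.Default-First-Site-Name._sites.dc._msdcs.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com
_kpasswd._tcp.corp.mycompany.com.                                   SRV 0 0 464 dcsA.corp.mycompany.com
_kpasswd._udp.corp.mycompany.com.                                   SRV 0 0 464 dcsA.corp.mycompany.com
"""


def audit_sample():
    """Check the sample DC (PDC emulator, not a GC) against the constructed zone dump."""
    expected = expected_dc_records("dcsA", "corp.mycompany.com", "mycompany.com",
                                   "Default-First-Site-Name", "10.19.174.98", is_pdc=True)
    return missing_records(expected, parse_zone_dump(SAMPLE_ZONE))


if __name__ == "__main__":
    for rec in audit_sample():
        print("MISSING:", rec)
```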
any of its TCP/IP client properties, for any of its active network connections. If a DNS server
that can accept dynamic update of the service location (SRV) resource record is contacted,
the configuration process is complete. (This is also true for other resource records that are
related to registering AD DS as a service in DNS.)
If, during the installation, a DNS server that can accept updates for the DNS domain name
that is used to name your directory is not found, the wizard can install a DNS server locally
and automatically configure it with a zone to support the Active Directory domain.
When a host that is specified in a host (A) resource record in the same zone must be renamed
When a generic name for a well-known server, such as www, must resolve to a group of
individual computers (each with individual host (A) resource records) that provide the same
service, for example, in a group of redundant Web servers.
You can manually create a host (A) resource record for a static TCP/IP client computer by using
DNS Manager.
Windows clients and servers use the DNS Client service to dynamically register and update
their own host (A) resource records in DNS when an IP configuration change occurs.
Dynamic Host Configuration Protocol (DHCP)-enabled client computers running earlier versions
of Microsoft operating systems can have their host (A) resource records registered and updated
by proxy if they obtain their IP lease from a qualified DHCP server. (Only the Windows 2000,
Windows Server 2003, and Windows Server 2008 DHCP Server service support this feature.)
Stub zone
A stub zone is a copy of a zone that contains only those resource records necessary to identify
the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to
resolve names between separate DNS namespaces.
Mnemonic    | Type  | DNS Record                                  | Requirements
Pdc         | SRV   | _ldap._tcp.pdc._msdcs.<DnsDomainName>       |
Gc          | SRV   | _ldap._tcp.gc._msdcs.<DnsForestName>        |
GcIpAddress | A     | _gc._msdcs.<DnsForestName>                  |
DsaCname    | CNAME | <DsaGuid>._msdcs.<DnsForestName>            |
Kdc         | SRV   | _kerberos._tcp.dc._msdcs.<DnsDomainName>    |
Dc          | SRV   | _ldap._tcp.dc._msdcs.<DnsDomainName>        |
Requirements column values as extracted (their row assignment was lost): <DomainControllerFQDN>, GC
Adprep-Related Errors
Adprep is a utility that you run to prepare an existing Active Directory (AD) environment for
the first DC that runs a newer OS, such as Server 2008 R2. If you have an AD environment
in which all DCs run Server 2008 or Windows 2003, and you want to add the first DC that
runs Server 2008 R2, then you need to run certain Adprep commands:
1. Run adprep /forestprep on the schema master.
2. Run adprep /domainprep on each domain's infrastructure master.
3. If you plan to install a read-only DC (RODC -- new in Server 2008), then you also need to
run adprep /rodcprep for every domain that will have an RODC.
4. adprep32 /domainprep /gpprep
The primary domain controller (PDC) in a Windows NT 3.51 or Windows NT 4.0 domain is
responsible for the following:
If you don't have a PDC Emulator role, users won't be able to change their domain passwords.
The RID master helps to create unique GUIDs for new Objects and the infrastructure master
updates references from objects to objects in other domains.
PDC Emulator
Of the 5 roles, this is the role that you will miss the soonest. Not only
will NT 4.0 BDCs complain, but there will also be no time
synchronization. Another problem is that you probably will not be able
to change or troubleshoot group policies, as the default setting is for the
PDC emulator also to be the group policy master.
Implications for Duplicates
If the old PDC emulator returns, it is not as serious as duplicates
with some of the other roles. Quickly seize the PDC role from another
machine.
RID Master
One Domain Controller is responsible for giving all the rest of the
Domain Controllers a pack of unique numbers so that no two new
objects have the same GUID (Globally Unique Identifier).
If you lose the RID master, the chances are good that the existing
Domain Controllers will have enough unused RIDs to last a week or so,
so do not be in a hurry to seize.
Implications for Duplicates
You must not allow two RID masters, as the possibility of two objects
with the same RID would be disastrous. So if the original is found it
must be reformatted and reinstalled before re-joining the forest.
Schema Master
If you lose the Schema Master, then long term it is serious because you
cannot install Exchange 2003 or extend the schema. However, short
term no-one will notice a missing Schema Master, so try and repair the
old one rather than seize the role.
Implications for Duplicates
You must not allow two Schema Masters, so if the original is found or
repaired, it must be completely rebuilt rather than allowed into the
forest.
Domain Naming Master
This is a forest wide role that is responsible for adding child domains and
new trees. Unless you are going to run DCPROMO, then you will not
miss this FSMO role, so wait rather than seize the role.
Implications for Duplicates
You must not allow the original Domain Naming Master to return, rebuild
before you let the machine back in the forest.
Exchange 2010
That means that MAPI clients no longer connect directly to a Mailbox server when opening a mailbox. Instead they
connect to the RPC Client Access service which then talks to Active directory and Mailbox server. For directory
information, Outlook connects to an NSPI endpoint on the Client Access Server, and NSPI then talks to the Active
Directory via the Active Directory driver. The NSPI endpoint replaces the DSProxy component as we know from
Exchange 2007.
Some of you might wonder what the benefits of the RPC Client Access service are. There are several actually. First,
with MAPI and directory connections moved to the Client Access Server role in the middle tier layer, Exchange now
has a single common path through which all data access occurs. This not only improves the consistency, when
applying business logic to clients, but also provides a much better client experience during switch-over and fail-overs
when you have deployed a highly available solution that makes use of the new Database Availability Group (DAG)
HA feature which I will cover in-depth in a future article. If the Outlook client user will even notice a disconnection, it
will not occur for more than approximately 30 seconds compared to disconnection in Exchange 2007 that could take
several minutes, heck even up to 30 minutes if it was a complex AD topology consisting of many AD sites and
Domain Controllers throughout which DNS has to replicate.
Lastly having a single common path for all data access, will allow for more concurrent connections and mailboxes per
mailbox server. In Exchange 2007 a Mailbox server could handle 64,000 connections, compared to Exchange 2010,
which will increase that number to a 250,000 RPC context handle limit.
At a higher level, Active Directory replication replicates *only* the AD database, including the domain,
configuration, schema, and ADLS partitions, whereas FRS is a legacy replication technology used in
Windows to replicate SYSVOL and other information in the Active Directory structure. The latest
successor of FRS is DFS, which is more efficient.
Port | Protocol | Network Service          | System Service                     | Logical Name
21   | TCP      | FTP control              | FTP Publishing Service             | MSFtpsvc
23   | TCP      | Telnet                   | Telnet                             | TlntSvr
25   | TCP      | SMTP                     | Simple Mail Transport Protocol     | SMTPSVC
25   | TCP      | SMTP                     | Exchange Server                    |
53   | TCP      | DNS                      | DNS Server                         | DNS
67   | UDP      | DHCP Server              | DHCP Server                        | DHCPServer
80   | TCP      | HTTP                     | Windows Media Services             | WMServer
80   | TCP      | HTTP                     | World Wide Web Publishing Service  | W3SVC
88   | TCP      | Kerberos                 |                                    | Kdc
110  | TCP      | POP3                     |                                    | POP3SVC
110  | TCP      | POP3                     |                                    |
123  | UDP      | NTP                      |                                    | W32Time
135  | TCP      | RPC                      |                                    | RpcSs
135  | TCP      | RPC                      |                                    | CertSvc
135  | TCP      | RPC                      |                                    | ClusSvc
135  | TCP      | RPC                      |                                    | DFS
135  | TCP      | RPC                      |                                    | Eventlog
135  | TCP      | RPC                      |                                    | NtFrs
135  | TCP      | RPC                      |                                    | TermServLicensing
135  | TCP      | RPC                      |                                    |
137  | UDP      | NetBIOS Name Resolution  | (4 rows)                           |
138  | UDP      | NetBIOS Datagram Service | (2 rows)                           |
139  | TCP      | NetBIOS Session Service  |                                    |
Services listed for the NetBIOS rows (row assignment lost in extraction): Browser, Server (lanmanserver), WINS, Net Logon (Netlogon), LicenseService
143  | TCP      | IMAP                     | Exchange Server                    |
270  | TCP      | MOM 2004                 | Microsoft Operations Manager 2004  | MOM
389  | TCP      | LDAP Server              | Local Security Authority           | LSASS
443  | TCP      | HTTPS                    | HTTP SSL                           | HTTPFilter
443  | TCP      | HTTPS                    | World Wide Web Publishing Service  | W3SVC
445  | TCP      | SMB                      | Print Spooler                      | Spooler
636  | TCP      | LDAP SSL                 | Local Security Authority           | LSASS
995  | TCP      | POP3 over SSL            | Exchange Server                    |
1433 | TCP      | SQL over TCP             | Microsoft SQL Server               | SQLSERVR
1701 | UDP      | L2TP                     |                                    | RemoteAccess
1723 | TCP      | PPTP                     |                                    | RemoteAccess
1812 | UDP      | RADIUS Authentication    |                                    | IAS
2393 | TCP      | OLAP Services 7.0        |                                    |
2394 | TCP      | OLAP Services 7.0        |                                    |
2535 | UDP      | MADCAP                   |                                    | DHCPServer
2725 | TCP      | SQL Analysis Services    |                                    |
3268 | TCP      | Global Catalog Server    |                                    | LSASS
3269 | TCP      | Global Catalog Server    |                                    | LSASS
3389 | TCP      | Terminal Services        |                                    | mnmsrvc
3389 | TCP      | Terminal Services        |                                    | TermService
Can you explain the process between a user providing his domain credentials to his
workstation and the desktop being loaded? Or how AD authentication works?
When a user enters a user name and password, the computer sends the user name to the KDC. The KDC
contains a master database of unique long-term keys for every principal in its realm. The KDC looks up the
user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key
(SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the
user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only
the KDC knows. The client computer receives the information from the KDC and runs the user's password
through a one-way hashing function, which converts the password into the user's KA. The client computer now
has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated
to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
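The exchange described above as a runnable toy model (an added example, not code from the original page). Key names follow the text (KA = the user's long-term key, SA = the session key, KKDC = the KDC's own master key); the string-to-key function and the authenticated encryption are simplified stand-ins built from hashlib/hmac rather than real Kerberos crypto, and the realm, users, passwords and function names are constructed.

```python
import hashlib
import hmac
import json
import secrets
import time

KEY_LEN = 32


def string_to_key(password, realm, user):
    """One-way derivation of the long-term key KA from the password (PBKDF2 stand-in)."""
    salt = (realm + user).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000, KEY_LEN)


def _keystream(key, nonce, length):
    """Counter-mode keystream from SHA-256 (toy construction for the model only)."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || HMAC-SHA256 tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key, blob):
    """Verify the tag first: a wrong key (wrong password) fails here, not with garbage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class Kdc:
    def __init__(self, realm):
        self.realm = realm
        self.k_kdc = secrets.token_bytes(KEY_LEN)   # KKDC: known only to the KDC
        self.keys = {}                              # master database: user -> KA

    def add_principal(self, user, password):
        self.keys[user] = string_to_key(password, self.realm, user)

    def as_exchange(self, user, lifetime=10 * 3600):
        """AS-REQ/AS-REP: (TGT sealed under KKDC, {SA, expiry} sealed under the user's KA)."""
        k_a = self.keys[user]
        s_a = secrets.token_bytes(KEY_LEN)
        expires = int(time.time()) + lifetime
        tgt_body = {"user": user, "sa": s_a.hex(), "expires": expires}
        tgt = seal(self.k_kdc, json.dumps(tgt_body).encode())
        enc_part = seal(k_a, json.dumps({"sa": s_a.hex(), "expires": expires}).encode())
        return tgt, enc_part

    def open_tgt(self, tgt):
        """Only the KDC can read a TGT; used later when the client presents it."""
        return json.loads(unseal(self.k_kdc, tgt))


def client_logon(kdc, user, password):
    """Client side: derive KA from the typed password and recover SA; None if it is wrong."""
    tgt, enc_part = kdc.as_exchange(user)
    k_a = string_to_key(password, kdc.realm, user)
    try:
        part = json.loads(unseal(k_a, enc_part))
    except ValueError:
        return None
    return {"user": user, "sa": bytes.fromhex(part["sa"]), "tgt": tgt}


if __name__ == "__main__":
    kdc = Kdc("CORP.MYCOMPANY.COM")            # constructed realm
    kdc.add_principal("alice", "correct horse")
    creds = client_logon(kdc, "alice", "correct horse")
    print("logon ok:", creds is not None, "| SA matches TGT copy:",
          kdc.open_tgt(creds["tgt"])["sa"] == creds["sa"].hex())
    print("wrong password:", client_logon(kdc, "alice", "wrong") is None)
```

As in the text, the KDC replies before it has checked anything; the client proves knowledge of the password by being able to open its part of the reply, while the TGT stays opaque to it.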