2. Mount
The mount command-line utility mounts the file system identified by ShareName exported
by the NFS server identified by ComputerName and associates it with the drive letter
specified by DeviceName or, if an asterisk (*) is used, with the first available drive letter.
Users can then access the exported file system as though it were a drive on the local
computer. When used without options or arguments, mount displays information about all
mounted NFS file systems.
The mount utility is available only if Client for NFS is installed.
The following options and arguments can be used with the mount utility.
Syntax:
mount [-o <Option>[...]] [-u:<UserName>] [-p:{<Password> | *}] {\\<ComputerName>\<ShareName> | <ComputerName>:/<ShareName>} {<DeviceName> | *}
Options:
-o rsize=<buffersize> --> Sets the size in kilobytes of the read buffer. Acceptable values are 1, 2, 4, 8, 16, and 32; the default is 32 KB.
-o wsize=<buffersize> --> Sets the size in kilobytes of the write buffer. Acceptable values are 1, 2, 4, 8, 16, and 32; the default is 32 KB.
-o timeout=<seconds> --> Sets the time-out value in seconds for a remote procedure call (RPC). Acceptable values are 0.8, 0.9, and any integer in the range 1-60; the default is 0.8.
-o retry=<number> --> Sets the number of retries for a soft mount. Acceptable values are integers in the range 1-10; the default is 1.
-u:<UserName> --> Specifies the user name to use for mounting the share. If UserName is not preceded by a backslash (\), it is treated as a UNIX user name.
-p:<Password> --> The password to use for mounting the share. If you use an asterisk (*), you will be prompted for the password.
Ref : http://technet.microsoft.com/en-us/library/cc733084(v=ws.10).aspx
3. nfsadmin
The nfsadmin command-line utility administers Server for NFS or Client for NFS on the
local or remote computer running Microsoft Services for Network File System (NFS). If you
are logged on with an account that does not have the required privileges, you can specify a
user name and password of an account that does. The action performed by nfsadmin depends
on the command arguments you supply.
Syntax:
nfsadmin server [ComputerName] [-u UserName [-p Password]] -l
nfsadmin server [ComputerName] [-u UserName [-p Password]] -r {client | all}
nfsadmin server [ComputerName] [-u UserName [-p Password]] {start | stop}
nfsadmin server [ComputerName] [-u UserName [-p Password]] config Option[...]
nfsadmin server [ComputerName] [-u UserName [-p Password]] creategroup Name
nfsadmin server [ComputerName] [-u UserName [-p Password]] listgroups
nfsadmin server [ComputerName] [-u UserName [-p Password]] deletegroup Name
nfsadmin server [ComputerName] [-u UserName [-p Password]] renamegroup OldName NewName
nfsadmin server [ComputerName] [-u UserName [-p Password]] addmembers Name Host[...]
nfsadmin server [ComputerName] [-u UserName [-p Password]] listmembers
nfsadmin server [ComputerName] [-u UserName [-p Password]] deletemembers Group Host[...]
nfsadmin client [ComputerName] [-u UserName [-p Password]] {start | stop}
nfsadmin client [ComputerName] [-u UserName [-p Password]] config Option[...]
4. Nfsshare
Without arguments, the nfsshare command-line utility lists all Network File System (NFS)
shares exported by Server for NFS. With ShareName as the only argument, nfsshare lists the
properties of the NFS share identified by ShareName. When ShareName and Drive:Path are
provided, nfsshare exports the folder identified by Drive:Path as ShareName. When
the /delete option is used, the specified folder is no longer made available to NFS clients.
Syntax :
nfsshare <ShareName>=<Drive:Path> [-o <Option=value>...]
nfsshare {<ShareName> | <Drive>:<Path> | * } /delete
5. Nfsstat
When used without the -z option, the nfsstat command-line utility displays the number of
NFS V2, NFS V3, and Mount V3 calls made to the server since the counters were set to 0,
either when the service started or when the counters were reset using nfsstat -z.
Syntax :
nfsstat [-z]
Ref : http://technet.microsoft.com/en-us/library/cc733084(v=ws.10).aspx
6. Rpcinfo
Lists programs on remote computers. The rpcinfo command-line utility makes a remote
procedure call (RPC) to an RPC server and reports what it finds.
Syntax:
rpcinfo [/p [<Node>]] [/b <Program Version>] [/t <Node Program> [<Version>]] [/u <Node Program> [<Version>]]
Example:
rpcinfo /p [<Node>] - To list all programs registered with the port mapper
rpcinfo /b <Program Version> - To request a response from network nodes that have a specified program
rpcinfo /t <Node Program> [<Version>] - To use Transmission Control Protocol (TCP) to call a program
7. Showmount
The showmount command-line utility displays information about mounted file systems
exported by Server for NFS on the computer specified by Server. If Server is not provided,
showmount displays information about the computer on which the showmount command is
run.
Syntax:
showmount {-e | -a | -d} [Server]
-e Displays all file systems exported on the server.
-a Displays all Network File System (NFS) clients and the directories on the server each has mounted.
-d Displays all directories on the server that are currently mounted by NFS clients.
8. Umount
The umount command-line utility disconnects the specified NFS-mounted drive. You must
supply at least one of the following options or arguments.
Syntax:
umount [-f] [{-a | DriveLetter:[...] | NetworkMount[...]}]
-f Forces deletion of Network File System (NFS) network drives.
-a Deletes all NFS network drives. If there are active connections, umount prompts you for confirmation unless you also use the -f option.
DriveLetter - The letter of the logical drive to be disconnected.
NetworkMount - The network mount point to be disconnected. This mount must have been created using the net use Windows command-line utility without specifying a drive letter.
Ref : http://technet.microsoft.com/en-us/library/cc733084(v=ws.10).aspx
Windows Server Backup Command Reference
1. Wbadmin enable backup
To configure or modify a daily backup schedule, you must be a member of either the
Administrators or Backup Operators group. In addition, you must run wbadmin from an
elevated command prompt.
Syntax for Windows Server 2008:
Creates a backup using specified parameters. If no parameters are specified and you have
created a scheduled daily backup, this subcommand creates the backup by using the settings
for the scheduled backup. If parameters are specified, it creates a Volume Shadow Copy
Service (VSS) copy backup and will not update the history of the files that are being backed
up.
To create a one-time backup with this subcommand, you must be a member of the Backup
Operators group or the Administrators group, or you must have been delegated the
appropriate permissions. In addition, you must run wbadmin from an elevated command
prompt.
Syntax for Windows Server 2008:
wbadmin start backup
[-backupTarget:{<BackupTargetLocation> | <TargetNetworkShare>}]
[-include:<VolumesToInclude>]
[-allCritical]
[-noVerify]
[-user:<UserName>]
[-password:<Password>]
[-noinheritAcl]
[-vssFull]
[-quiet]
Syntax for Windows Server 2008 R2:
Wbadmin start backup
[-backupTarget:{<BackupTargetLocation> | <TargetNetworkShare>}]
[-include:<ItemsToInclude>]
[-nonRecurseInclude:<ItemsToInclude>]
[-exclude:<ItemsToExclude>]
[-nonRecurseExclude:<ItemsToExclude>]
[-allCritical]
[-systemState]
[-noVerify]
[-user:<UserName>]
[-password:<Password>]
[-noInheritAcl]
[-vssFull | -vssCopy]
[-quiet]
Example: Perform a one-time backup of f:\folder1 and h:\folder2 to volume d:, back up the
system state, and make a copy backup so that the normally scheduled differential backup is
not affected:
wbadmin start backup -backupTarget:d: -include:f:\folder1,h:\folder2 -systemState -vssCopy
appropriate permissions. In addition, you must run wbadmin from an elevated command
prompt.
Syntax :
wbadmin get versions
[-backupTarget:{<BackupTargetLocation> | <NetworkSharePath>}]
[-machine:BackupMachineName]
Example : To see a list of available backups that are stored on volume h, type:
wbadmin get versions -backupTarget:h:
Lists the internal and external disks that are currently online for the local computer.
To list the disks that are online with this subcommand, you must be a member of the Backup
Operators group or the Administrators group, or you must have been delegated the
appropriate permissions. In addition, you must run wbadmin from an elevated command
prompt.
Syntax:
wbadmin get disks
Example: To create a system state backup and store it on volume f, type:
wbadmin start systemstatebackup -backupTarget:f:
adprep /rodcprep
2. Dcdiag
Analyzes the state of domain controllers in a forest or enterprise and reports any problems to
help in troubleshooting.
As an end-user reporting program, dcdiag is a command-line tool that encapsulates detailed
knowledge of how to identify abnormal behavior in the system. Dcdiag displays command
output at the command prompt.
Dcdiag consists of a framework for executing tests and a series of tests to verify different
functional areas of the system. This framework selects which domain controllers are tested
according to scope directives from the user, such as enterprise, site, or single server.
Dcdiag is built into Windows Server 2008 R2 and Windows Server 2008. It is available if you
have the Active Directory Domain Services (AD DS) or Active Directory Lightweight
Directory Services (AD LDS) server role installed. It is also available if you install the Active
Directory Domain Services Tools that are part of the Remote Server Administration Tools
(RSAT).
Syntax:
dcdiag [/s:<DomainController>] [/n:<NamingContext>] [/u:<Domain>\<UserName> /p:{* | <Password> | ""}] [{/a | /e}] [{/q | /v}] [/i] [/f:<LogFile>] [/c [/skip:<Test>]] [/test:<Test>] [/fix] [{/h | /?}] [/ReplSource:<SourceDomainController>]
Options:
/s:<DomainController> --> Specifies the name of the server to run the command against. If this parameter is not specified, the tests are run against the local domain controller. This parameter is ignored for the DcPromo and RegisterInDns tests, which can be run locally only.
/n:<NamingContext> --> Uses NamingContext as the naming context to test. You can specify domains in NetBIOS, Domain Name System (DNS), or distinguished name format.
/u:<Domain>\<UserName> /p:{* | <Password> | ""} --> Uses Domain\UserName. Dcdiag uses the current credentials of the user (or process) that is logged on. If alternate credentials are needed
1. Dcpromo
Installs and removes Active Directory Domain Services (AD DS).
Syntax:
2. Csvde
Imports and exports data from Active Directory Domain Services (AD DS) using files that
store data in the comma-separated value (CSV) format. You can also support batch operations
based on the CSV file format standard.
Csvde is a command-line tool that is built into Windows Server 2008 in the
%windir%\system32 folder. It is available if you have the AD DS or Active Directory
Lightweight Directory Services (AD LDS) server role installed.
Syntax:
csvde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> {<Password> | *}] [-b <UserName> <Domain> {<Password> | *}]
Options:
-i - Specifies import mode. If not specified, the default mode is export.
-f <FileName> - Identifies the import or export file name.
using the supplied UserDistinguishedName and Password. By default, the command runs using the credentials of the user who is currently logged on to the network.
-b [<UserName> <Domain> {<Password> | *}] - Performs a secure LDAP bind with the NEGOTIATE authentication method. Sets the command to run using the supplied UserName, Domain, and Password. By default, the command will run using the credentials of the user who is currently logged on to the network.
Hardware RAID Levels
RAID Level | Minimum Number of Drives | Description | Strengths | Weaknesses
RAID 0 | 2 | Data striping without redundancy | Highest performance |
RAID 1 | 2 | Disk mirroring | Very high performance; very high data protection; very minimal penalty on write performance |
RAID 3 | 3 | | |
RAID 4 | 3 (Not widely used) | | |
RAID 0/1 | 4 | | |
RAID 1/0 | 4 | | |
(Diagram labels only: RAID 0, RAID 1, RAID 5)
=======================
AD, Win2K, and WS2K3 Monitoring Considerations
the information to identify problems on the network. This kind of artificial intelligence
represents the true value of network monitoring software.
In order to ensure the health and availability of AD as well as other critical Windows network
services, organizations will need to regularly monitor a number of different services and
components.
Category | Potential Problems
Domain controllers/AD | Low CPU or memory resources on domain controllers; low disk space on volumes housing the Sysvol folder, the AD database (NTDS.DIT) file, and/or the AD transactional log files; slow or broken connections between domain controllers; slow or failed client network logon authentication requests; slow or failed LDAP query responses; slow or failed Key Distribution Center (KDC) requests; slow or failed AD synchronization requests; NetLogon (LSASS) service not functioning properly; Directory Service Agent (DSA) service not functioning properly; KCC not functioning properly; excessive number of SMB connections; insufficient RID allocation pool size on local server; problems with transitive or external trusts to Win2K or down-level NT domains; low AD cache hit rate for name resolution queries (as a result of inefficient AD design)
Replication | Failed replication (due to domain controller or network connectivity problems); slow replication; replication topology invalid/incomplete (lacks transitive closure/consistency); replication using excessive network bandwidth; too many properties being dropped during replication; Update Sequence Number (USN) update failures; other miscellaneous replication-related failure events
GC | Slow or failed GC query responses; GC replication failures
DNS | Missing or incorrect SRV records for domain controllers; slow or failed DNS query responses; DNS server zone file update failures
Operation masters (FSMOs) | Inaccessibility of one or more operation master (FSMO) servers; forest- or domain-centric operation master roles not consistent across domain controllers within domain/forest; slow or failed role master responses
Miscellaneous problems |
You can use the Event Viewer tool, located in the Administrative Tools folder, to monitor
DHCP activity. Event Viewer stores events that are logged in the system log, application log,
and security log. The system log contains events that are associated with the operating
system. The application log stores events that pertain to applications running on the computer.
Events that are associated with auditing activities are logged in the security log. All events
that are DHCP-specific are logged in the System log. The DHCP system event log contains
events that are associated with activities of the DHCP service and DHCP server, such as when
the DHCP server started and stopped, when DHCP leases are close to being depleted, and
when the DHCP database is corrupt.
A few DHCP system event log IDs are listed below:
Event ID 1037 (Information): Indicates that the DHCP server has begun to clean up
the DHCP database.
Event ID 1038 (Information): Indicates that the DHCP server cleaned up the DHCP
database for unicast addresses.
Event ID 1044 (Information): Indicates that the DHCP server has concluded
that it is authorized to start, and is currently servicing DHCP client
requests for IP addresses.
Event ID 1042 (Warning): Indicates that the DHCP service running on the
server has detected the following servers on the network.
Event ID 1056 (Warning): Indicates that the DHCP service has determined
that it is running on a domain controller, and no credentials are configured
for DDNS registrations.
Event ID 1046 (Error): Indicates that the DHCP service running on the
server has determined that it is not authorized to start to service DHCP
clients.
Acks/sec indicates the rate at which DHCPACK messages are sent by the DHCP
server.
Active Queue Length indicates how many packets are in the DHCP queue for
processing by the DHCP server.
Conflict Check Queue Length indicates how many packets are in the DHCP queue
that are waiting for conflict detection.
Declines/sec indicates the rate at which the DHCP server receives DHCPDECLINE
messages.
Duplicates Dropped/sec indicates the rate at which duplicated packets are being
received by the DHCP server.
Informs/sec indicates the rate at which the DHCP server receives DHCPINFORM
messages.
Milliseconds per packet (Avg.) indicates the average time which the DHCP server
takes to send a response.
Nacks/sec indicates the rate at which DHCPNACK messages are sent by the DHCP
server.
Packets Expired/sec indicates the rate at which packets are expired while waiting in
the DHCP server queue.
Packets Received/sec indicates the rate that the DHCP server is receiving packets.
The Network Monitor version included with Windows Server 2003: With this version
of Network Monitor, you can monitor network activity only on the local computer
running Network Monitor.
The Network Monitor version (full) included with Microsoft Systems Management
Server (SMS): With this version, you can monitor network activity on all devices on a
network segment. You can capture frames from a remote computer, resolve device
names to MAC addresses, and determine the user and protocol that is consuming the
most bandwidth.
Because of these features, you can use Network Monitor to monitor and troubleshoot DHCP
lease traffic. You can use the Network Monitor version included in Windows Server 2003 to
capture and analyze the traffic being received by the DHCP server. Before you can use
Network Monitor to monitor DHCP lease traffic, you first have to install it. The Network
Monitor driver is automatically installed when you install Network Monitor.
How to install Network Monitor
1. Click Start, and then click Control Panel.
2. Click Add Or Remove Programs to open the Add Or Remove programs dialog box.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click the Details button.
5. On the Management and Monitoring Tools dialog box, select the Network Monitor
Tools checkbox and click OK.
6. Click Next when you are returned to the Windows Components Wizard.
7. If prompted during the installation process for additional files, place the Windows
Server 2003 CD-ROM into the CD-ROM drive.
8. Click Finish on the Completing the Windows Components Wizard page.
Capture filters disregard frames that you do not want to capture before they are stored in the
capture buffer. When you create a capture filter, you define settings that can be used to detect
the frames that you do want to capture. You can design capture filters in the Capture Window
to only capture specific DHCP traffic, by selecting Filter from the Capture menu. You can
also create a display filter after you have captured data. A display filter enables you to decide
what is displayed.
How to start a capture of DHCP lease traffic in Network Monitor
1. Open Network Monitor.
2. Use the Tools menu to click Capture, and then click Start.
3. If you want to examine captured data during the capture, select Stop And View from
the Capture menu.
DHCP leasing
The DHCP server log file format is depicted below. Each log file entry has the fields listed
below, and in this particular order as well:
ID: This is the DHCP server event ID code. Event codes are used to describe
information on the activity which is being logged.
Date: The date when the particular log file entry was logged on your DHCP server.
Time: The time when the particular log file entry was logged on your DHCP server.
MAC Address: This is the MAC address used by the DHCP client's network adapter.
DHCP server log files use reserved event ID codes. These event ID codes describe
information on the activities being logged. The actual log file only describes event ID codes
which are lower than 50.
A few common DHCP server log event ID codes are listed below:
02 indicates the log was temporarily paused due to low disk space.
14 indicates a lease request could not be satisfied due to the scope's address pool
being exhausted.
22 indicates a BOOTP request could not be satisfied due to the address pool of the
scope for BOOTP being exhausted.
23 indicates a BOOTP IP address was deleted after confirming it was not being used.
The following DHCP server log event ID codes are not described in the DHCP log file.
These DHCP server log event ID codes relate to the DHCP server's Active Directory
authorization status:
50 Unreachable domain: The DHCP server could not locate the applicable domain
for its Active Directory installation.
52 Upgraded to a Windows Server 2003 operating system: The DHCP server was
recently upgraded to a Windows Server 2003 OS, therefore, the unauthorized DHCP
server detection feature (used to determine whether the server has been authorized in
Active Directory) was disabled.
53 Cached authorization: The DHCP server was authorized to start using previously
cached information. Active Directory was not visible at the time the server was started
on the network.
54 Authorization failed: The DHCP server was not authorized to start on the
network. When this event occurs, it is likely followed by the server being stopped.
56 Authorization failure: The DHCP server was not authorized to start on the
network and was shut down by Windows Server 2003 OS. You must first authorize
the server in the directory before starting it again.
57 Server found in domain: Another DHCP server exists and is authorized for
service in the same Active Directory domain.
58 Server could not find domain: The DHCP server could not locate the specified
Active Directory domain.
61 Server found that belongs to DS domain: Another DHCP server that belongs to
the Active Directory domain was found on the network.
62 Another server found: Another DHCP server was found on the network.
63 Restarting rogue detection: The DHCP server is trying once more to determine
whether it is authorized to start and provide service on the network.
64 No DHCP enabled interfaces: The DHCP server has its service bindings or
network connections configured so that it is not enabled to provide service.
When these events occur, one of the first tasks you need to perform is to determine whether
the connectivity issues occurred because of the actual DHCP client configuration, or whether
it occurred because of some other network issue. You do this by determining the address type
of the IP address of the DHCP client.
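The log layout and the event ID tables above lend themselves to a small parser. The following Python is an added example (it is not part of the reference text): it reads DHCP server audit log lines, keeps the codes the text lists, and groups the ones worth alerting on. It assumes the seven-column layout of the DhcpSrvLog files (ID, Date, Time, Description, IP Address, Host Name, MAC Address), of which the text names only four, and the alert grouping is this example's own; the sample lines are constructed.

```python
"""Parse Windows DHCP server audit log lines and flag the entries a defender
should act on. Added example, not from the reference text above."""
import csv
from dataclasses import dataclass
from io import StringIO
from typing import Dict, List, Tuple

# Event ID codes as listed in the reference text: codes below 50 are written
# out in the log file itself; 50 and above concern Active Directory
# authorization (rogue-server detection) and are not described in the file.
EVENT_CODES: Dict[int, str] = {
    2: "Log temporarily paused due to low disk space",
    14: "Lease request not satisfied: scope address pool exhausted",
    22: "BOOTP request not satisfied: BOOTP address pool exhausted",
    23: "BOOTP IP address deleted after confirming it was not in use",
    50: "Unreachable domain",
    52: "Upgraded to a Windows Server 2003 operating system",
    53: "Cached authorization",
    54: "Authorization failed",
    56: "Authorization failure, server shut down",
    57: "Server found in domain",
    58: "Server could not find domain",
    61: "Server found that belongs to DS domain",
    62: "Another server found",
    63: "Restarting rogue detection",
    64: "No DHCP enabled interfaces",
}

# Grouping for alerting (assumed here, not from the page): capacity problems,
# loss of authorization, and another DHCP server appearing on the segment.
ALERT_GROUPS: Dict[str, set] = {
    "capacity": {2, 14, 22},
    "authorization": {50, 54, 56, 58, 64},
    "other_server_seen": {57, 61, 62},
}


@dataclass
class AuditEntry:
    event_id: int
    date: str
    time: str
    description: str
    ip_address: str
    host_name: str
    mac_address: str


def parse_audit_log(text: str) -> List[AuditEntry]:
    """Assumed column layout of DhcpSrvLog-*.log: ID, Date, Time, Description,
    IP Address, Host Name, MAC Address (the page lists only four of these)."""
    entries = []
    for row in csv.reader(StringIO(text)):
        # Skip banner text, the header row and blank lines
        if len(row) < 7 or not row[0].strip().isdigit():
            continue
        entries.append(AuditEntry(int(row[0]), *[c.strip() for c in row[1:7]]))
    return entries


def classify(entries: List[AuditEntry]) -> Dict[str, List[Tuple[int, str, str]]]:
    """Return, per alert group, (event id, meaning, time) for matching entries."""
    findings = {group: [] for group in ALERT_GROUPS}
    for e in entries:
        for group, ids in ALERT_GROUPS.items():
            if e.event_id in ids:
                findings[group].append((e.event_id, EVENT_CODES[e.event_id], e.time))
    return findings


def described_in_file(event_id: int) -> bool:
    """Per the reference text, only codes below 50 are explained in the log itself."""
    return event_id < 50


# Constructed sample lines, not a real log; 00 and 10 stand in for routine
# entries that are not flagged.
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,05/12/09,09:00:00,Started,,,
10,05/12/09,09:01:12,Assign,192.168.10.25,ws01.example.local,00155D000001
14,05/12/09,09:30:01,Scope Full,,,
62,05/12/09,09:45:10,Another server found,192.168.10.200,,
54,05/12/09,09:46:00,Authorization failed,,,
"""

if __name__ == "__main__":
    for group, hits in classify(parse_audit_log(SAMPLE_LOG)).items():
        for event_id, meaning, when in hits:
            print(f"{group:18} {when} {event_id:02d} {meaning}")
```

Run against a real DhcpSrvLog file, the same two functions give a quick view of whether the server lost its authorization, saw another DHCP server, or ran a scope dry, the three conditions the event table above singles out.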
To determine the address type,
1. Use the Ipconfig command to determine if the client received an IP addresses lease
from the DHCP server.
2. The client received an IP address from the DHCP server if the Ipconfig /all output
displays:
3. You can also use the status dialog box for the network connection to
determine the IP address type for the client.
4. To view this information, double-click the appropriate network connection
in the Network Connections dialog box.
5. Click the Support tab.
6. The IP address type should be displayed as being Assigned By DHCP.
If after the above checks, you can conclude that the IP address was assigned to the client by
the DHCP server, some other network issue is the cause of the DHCP server connectivity
issues being experienced. The issue is not due to an IP addressing issue on the client.
When clients have the incorrect IP address, it was probably due to the computer not being
able to contact the DHCP server. When this occurs, the computer assigns its own IP address
through Automatic Private IP Addressing (APIPA).
Computers could be unable to contact the DHCP server for a number of reasons:
A problem might exist with the hardware or software of the DHCP server.
The DHCP server and the client are on different LANs and there is no DHCP Relay
Agent. A DHCP Relay Agent enables a DHCP server to handle IP address requests of
clients that are located on a different LAN.
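The address-type check described above can be automated from the text of ipconfig /all. The Python below is an added example, not part of the reference: it splits the output into adapters, strips the dot leaders from the field labels, and reports whether each address was leased by DHCP, self-assigned from the APIPA range 169.254.0.0/16, or configured statically. It assumes the field labels "DHCP Enabled", "DHCP Server", "IPv4 Address"/"IP Address" and "Autoconfiguration IPv4 Address"/"Autoconfiguration IP Address" as Windows prints them; the sample output is constructed, not captured from a real host.

```python
"""Decide whether a client's IPv4 address came from a DHCP lease, from APIPA
(169.254.0.0/16, self-assigned when no DHCP server answered) or from a static
configuration, by reading 'ipconfig /all' text. Added example; the sample
output below is constructed, not captured from a real host."""
import ipaddress
import re

# Range Windows falls back to when no lease is obtained
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")

# Field labels as ipconfig /all prints them (assumed from the Windows Server
# 2003 / 2008 layouts; the page itself does not list them)
ADDRESS_LABELS = ("IPv4 Address", "IP Address",
                  "Autoconfiguration IPv4 Address", "Autoconfiguration IP Address")


def parse_ipconfig(text: str) -> dict:
    """Return {adapter name: {label: value}} from ipconfig /all style output."""
    adapters, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        # Adapter headers are unindented and end with a colon
        if not line.startswith(" ") and line.endswith(":"):
            current = line[:-1].strip()
            adapters[current] = {}
        elif current is not None and ":" in line:
            label, _, value = line.partition(":")
            label = re.sub(r"[ .]+$", "", label.strip())  # drop the ". . ." leaders
            adapters[current][label] = value.strip()
    return adapters


def address_type(fields: dict) -> str:
    """'dhcp', 'apipa', 'static' or 'none' for one adapter's field dict."""
    addr = None
    for label in ADDRESS_LABELS:
        if label in fields:
            addr = fields[label].split("(")[0].strip()  # strip "(Preferred)"
            break
    if addr is None:
        return "none"
    if ipaddress.ip_address(addr) in APIPA_NET:
        return "apipa"   # no DHCP server was reached; look beyond the client
    if fields.get("DHCP Enabled", "").lower() == "yes" and fields.get("DHCP Server"):
        return "dhcp"    # a lease was obtained; the fault is elsewhere on the network
    return "static"


def classify_adapters(text: str) -> dict:
    return {name: address_type(fields) for name, fields in parse_ipconfig(text).items()}


# Constructed sample: one leased address, one APIPA fallback, one static
SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : ws01
   Primary Dns Suffix  . . . . . . . : example.local

Ethernet adapter LAN:

   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.10.25(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DHCP Server . . . . . . . . . . . : 192.168.10.1

Ethernet adapter Lab:

   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.33.7(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0

Ethernet adapter Mgmt:

   DHCP Enabled. . . . . . . . . . . : No
   IPv4 Address. . . . . . . . . . . : 10.0.0.5(Preferred)
"""

if __name__ == "__main__":
    for adapter, kind in classify_adapters(SAMPLE_IPCONFIG).items():
        print(f"{adapter}: {kind}")
```

An "apipa" result is the case the paragraph above describes: the client never reached a DHCP server, so the next checks belong on the server, the relay agent or the path between them rather than on the client's own configuration.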
When a DHCP client is assigned an IP address that is currently being used by another client,
then an address conflict has occurred.
The process that occurs to detect duplicate IP addresses is illustrated below:
1. When the computer starts, the system checks for any duplicate IP addresses.
2. The TCP/IP protocol stack is disabled on the computer when the system detects
duplicate IP addresses.
3. An error message is shown that indicates the hardware address of the other system
that this computer is in conflict with.
A warning message is displayed in the System log, which you can view in Event
Viewer.
You have competing DHCP servers in your environment: You can use the
Dhcploc.exe utility to locate any rogue DHCP servers. The Dhcploc.exe utility is
included with the Windows Support Tools. To solve the competing DHCP server
issue, you have to locate the rogue DHCP servers, remove the necessary rogue DHCP
servers, and then check that no two DHCP servers can allocate IP address leases from
the same IP address range.
A scope redeployment has occurred: You can recover from a scope redeployment
through the following strategy:
One of the following methods can be used to renew your DHCP client leases:
The Repair button of the status dialog box (Support tab) of the connection can
be used to renew the DHCP client lease.
When you click the Repair button of the status dialog box (Support tab) of
the connection to renew the DHCP client lease, the following process
occurs:
Use the Ipconfig /renew command or the Repair button of the status dialog box
(Support tab) of the connection to refresh the IP configuration of the client.
Following the above, verify that the DHCP server is enabled, and that a configured
DHCP Relay Agent exists in the broadcast range.
If the client still cannot obtain an IP address from the DHCP server, check that the
actual physical connection to the DHCP server, or DHCP Relay Agent is operating
correctly and is not broken.
Verify the status of the DHCP server and DHCP Relay Agent.
If the issue still persists after all the above checks have been performed, you might
have an issue at the DHCP server or a scope issue might exist.
Check whether all the available IP leases have already been assigned
to clients.
A few troubleshooting strategies which you can use when a DHCP client obtains an IP
address from the incorrect scope are summarized below:
First determine whether competing DHCP servers exist on your network. Use the
Dhcploc.exe utility, included with the Windows Support Tools to locate rogue DHCP
servers that are allocating IP addresses to clients.
If no rogue DHCP servers are located through the Dhcploc.exe utility, your next step
is to verify that each DHCP server is allocating IP address leases from unique scopes.
There should be no overlapping of the address space.
If you have multiple scopes on your DHCP server, and the DHCP server is assigning
IP addresses to clients on remote subnets, verify that a DHCP Relay Agent that is used
to enable communication with the DHCP server has the correct address.
Verify that the DHCP Server service is running on the particular server.
If you are using the Active Directory directory service, verify that the DHCP server is
authorized.
The DHCP server could be configured with the incorrect scope. Check that the scope
is correct on the DHCP server, and verify that it is active.
When you need to verify the configuration of the DHCP server, use the following process:
First check that the DHCP server is configured with the correct IP address. The
network ID of the address being used must be the same for the subnet for which the
DHCP server is expected to assign IP addresses to client.
Verify the network bindings of the DHCP server. The DHCP server must be bound to
the particular subnet. To check this,
Check that the DHCP server is authorized in Active Directory. You have to
authorize the DHCP server in Active Directory so that it can provide IP
addresses to your DHCP clients. To authorize the DHCP server:
1. Open the DHCP console.
2. In the console tree, expand the DHCP server node.
3. Click the DHCP server that you want to authorize.
4. Click the action menu, and then select Authorize.
Verify that the scope is configured with the correct IP address range.
Verify that there are available IP address leases which can be assigned to
your DHCP clients.
Verify the exclusions which are specified in the address pool. Confirm that
all exclusions are valid and necessary. You need to verify that no IP
addresses are being unnecessarily excluded.
Verify the reservations which are specified. If you have a client that cannot
obtain a reserved IP address, check whether the same address is also
defined as an exclusion in the address pool. All reserved IP addresses must
fall within the address range of the scope. Check too that the MAC
addresses were successfully registered for all IP addresses that are
reserved.
If you have DHCP servers that contain multiple scopes, check that each of
these scopes is configured correctly.
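Several of the checks in the two lists above (no overlapping scopes across servers, reservations inside the scope range, reservations not also excluded, exclusions inside the range) can be expressed as a consistency audit over exported scope definitions. The following Python is an added example, not part of the reference: the Scope model and the sample data are constructed for it, and it checks every pair of scopes regardless of which server holds them, so overlap between servers and within one server are both reported.

```python
"""Validate DHCP scope definitions for the problems named in the checklist
above: overlapping lease ranges across servers, reservations outside the
scope range, and reservations that collide with an exclusion. Added example;
the scope data is constructed and the Scope model is this example's own."""
from ipaddress import IPv4Address, IPv4Network
from typing import Dict, Iterable, List, Tuple


class Scope:
    """One DHCP scope: subnet, lease range, exclusion ranges and reservations."""

    def __init__(self, name: str, server: str, network: str, start: str, end: str,
                 exclusions: Iterable[Tuple[str, str]] = (),
                 reservations: Iterable[Tuple[str, str]] = ()):
        self.name, self.server = name, server
        self.network = IPv4Network(network)
        self.start, self.end = IPv4Address(start), IPv4Address(end)
        self.exclusions = [(IPv4Address(a), IPv4Address(b)) for a, b in exclusions]
        self.reservations = {mac: IPv4Address(ip) for mac, ip in reservations}

    def in_range(self, ip: IPv4Address) -> bool:
        return self.start <= ip <= self.end

    def is_excluded(self, ip: IPv4Address) -> bool:
        return any(a <= ip <= b for a, b in self.exclusions)


def check_scope(scope: Scope) -> List[str]:
    """Problems inside one scope: bad range, stray exclusions, bad reservations."""
    problems = []
    if (scope.start not in scope.network or scope.end not in scope.network
            or scope.start > scope.end):
        problems.append(f"{scope.name}: lease range is not inside {scope.network}")
    for a, b in scope.exclusions:
        if not (scope.in_range(a) and scope.in_range(b)):
            problems.append(f"{scope.name}: exclusion {a}-{b} lies outside the lease range")
    for mac, ip in scope.reservations.items():
        if not scope.in_range(ip):
            problems.append(f"{scope.name}: reservation {ip} ({mac}) is outside the lease range")
        if scope.is_excluded(ip):
            problems.append(f"{scope.name}: reservation {ip} ({mac}) is also excluded")
    return problems


def find_overlaps(scopes: List[Scope]) -> List[Tuple[str, str]]:
    """Pairs of scopes, on any servers, whose lease ranges intersect."""
    overlaps = []
    for i, s in enumerate(scopes):
        for t in scopes[i + 1:]:
            if s.start <= t.end and t.start <= s.end:
                overlaps.append((s.name, t.name))
    return overlaps


def audit(scopes: List[Scope]) -> Dict[str, list]:
    report = {"problems": [], "overlaps": find_overlaps(scopes)}
    for s in scopes:
        report["problems"].extend(check_scope(s))
    return report


# Constructed sample: two servers both hand out part of 192.168.10.0/24, and
# one scope has a reservation inside its exclusion and another outside its range
SAMPLE_SCOPES = [
    Scope("Scope-10-dhcp1", "dhcp1", "192.168.10.0/24", "192.168.10.10", "192.168.10.200",
          exclusions=[("192.168.10.10", "192.168.10.20")],
          reservations=[("00-15-5D-00-00-01", "192.168.10.15"),
                        ("00-15-5D-00-00-02", "192.168.10.250")]),
    Scope("Scope-10-dhcp2", "dhcp2", "192.168.10.0/24", "192.168.10.150", "192.168.10.254"),
    Scope("Scope-20-dhcp2", "dhcp2", "192.168.20.0/24", "192.168.20.10", "192.168.20.200"),
]

if __name__ == "__main__":
    result = audit(SAMPLE_SCOPES)
    for line in result["problems"]:
        print("PROBLEM", line)
    for a, b in result["overlaps"]:
        print("OVERLAP", a, "<->", b)
```

The overlap test is the usual interval intersection (each range starts before the other ends); any pair it reports means two servers can lease the same address, which is exactly the duplicate-address condition the troubleshooting text traces back to competing scopes.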
Dhcp.mdb: This is considered the main DHCP database file because it contains all
scope information.
Dhcp.tmp: This file contains a backup copy of the database file which was created
during re-indexing of the DHCP database.
J50.log: This log file contains changes prior to it being written to the DHCP database.
J50.chk: This checkpoint file informs DHCP on those log files that still have to be
recovered.
If you need to change the role of the DHCP server, and move its functions to another server,
it is recommended that you migrate the DHCP database to the new DHCP server. This
strategy prevents errors that occur when you manually attempt to recreate information in the
DHCP database of the destination DHCP server.
To migrate an existing DHCP database to a new DHCP server,
1. Open the DHCP console.
2. Right-click the DHCP server whose database you want to move to a different server,
and select Backup from the shortcut menu.
3. When the Browse For Folder dialog box opens, select the folder to which the DHCP
database should be backed up. Click OK.
4. To prevent the DHCP server from allocating new IP addresses to clients once the
DHCP server database is backed up, you have to stop the DHCP server.
5. Open the Services console.
6. Double-click the DHCP server.
7. When the DHCP Server Properties dialog box opens, select Disable from the Startup
Type drop down list.
8. Proceed to copy the folder which contains the backup to the new DHCP server. You
now have to restore the DHCP backup at the destination DHCP server.
These sets of information are compared when scopes are reconciled. Before you can reconcile
the DHCP server's scopes, you first have to stop the DHCP service running on the server. You
can repair any inconsistencies which are detected by the comparison between the contents of
the DHCP database, and the contents of the Registry.
3. When the Reconcile All Scopes dialog box opens, click Verify to start the DHCP
database reconciliation process.
4. When no inconsistencies are reported, click OK.
5. When inconsistencies are detected, select the addresses which need to be reconciled,
and then click Reconcile.
6. The inconsistencies are repaired.
=====================
What is RPC?
Microsoft Remote Procedure Call (RPC) is a powerful technology for creating distributed
client/server programs. RPC is an interprocess communication technique that allows client
and server software to communicate. The Microsoft RPC facility is compatible with the Open
Group's Distributed Computing Environment (DCE) specification for remote procedure calls
and is interoperable with other DCE-based RPC systems, such as those for HP-UX and IBM
AIX UNIX-based operating systems.
Computer operating systems and programs have steadily gotten more complex over the years.
With each release, there are more features. The growing intricacy of systems makes it more
difficult for developers to avoid errors during the development process. Often, developers
create a solution for their system or application when a nearly identical solution has already
been devised. This duplication of effort consumes time and money and adds complexity to
already complex systems.
RPC is designed to mitigate these issues by providing a common interface between
applications. RPC serves as a go-between for client/server communications. RPC is designed
to make client/server interaction easier and safer by factoring out common tasks, such as
security, synchronization, and data flow handling, into a common library so that developers
do not have to dedicate time and effort to developing their own solutions.
Terms and Definitions
Client
A process, such as a program or task, that requests a service provided by another program.
The client process uses the requested service without having to deal with many working
details about the other program or the service.
Server
Endpoint
The name, port, or group of ports on a host system that is monitored by a server program for
incoming client requests. The endpoint is a network-specific address of a server process for
remote procedure calls. The name of the endpoint depends on the protocol sequence being
used.
Endpoint Mapper (EPM)
Part of the RPC subsystem that resolves dynamic endpoints in response to client requests and,
in some configurations, dynamically assigns endpoints to servers.
Client Stub
Module within a client application containing all of the functions necessary for the client to
make remote procedure calls using the model of a traditional function call in a
standalone application. The client stub is responsible for invoking the marshalling engine and
some of the RPC application programming interfaces (APIs).
Server Stub
Module within a server application or service that contains all of the functions necessary for
the server to handle remote requests using local procedure calls.
RPC Dependencies and Interactions
RPC is a client/server technology in the most generic sense. There is a sender and a receiver;
data is transferred between them. This can be classic client/server (for example,
Microsoft Outlook communicating with a server running Microsoft Exchange Server) or
system services within the computer communicating with each other. The latter is especially
common. Much of the Windows architecture is composed of services that communicate with
each other to accomplish a task. Most services built into the Windows architecture use RPC
to communicate with each other.
The following table briefly describes the services in Windows Server 2003 that depend on the
RPC system service (RPCSS).
SERVICE - DESCRIPTION
Background Intelligent Transfer Service - Transfers data between clients and servers in the background.
COM+ Event System
COM+ System Application - Manages the configuration and tracking of COM+-based components.
Cryptographic Services
DHCP Server
Distributed Link Tracking Client
Distributed Link Tracking Server
Distributed Transaction Coordinator
DNS Server
Error Reporting Service
File Replication Service
Help and Support - Enables Help and Support Center to run on the computer.
Human Interface Device Access
Indexing Service
IPSec Services
Kerberos Key Distribution Center
Logical Disk Manager - Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration.
Logical Disk Manager Administrative Service
Messenger
Microsoft Software Shadow Copy Provider - Manages software-based volume shadow copies taken by the Volume Shadow Copy service.
Network Connections
Print Spooler
Remote Desktop Help Session Manager
Remote Registry
Removable Storage
Resultant Set of Policy Provider
Routing and Remote Access
Security Accounts Manager - Upon startup, signals other services that the Security Accounts Manager (SAM) is ready to accept requests.
Shell Hardware Detection
Task Scheduler
Telephony
Telnet
Virtual Disk Service
Volume Shadow Copy
Windows Audio
Windows Image Acquisition (WIA)
Windows Installer
Windows Internet Name Service (WINS) - Resolves NetBIOS names for TCP/IP clients by locating network services that use NetBIOS names.
Windows Management Instrumentation
Wireless Configuration
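The dependency list above can be checked against a live system instead of trusted from a table. This is an added PowerShell example, not code from the original page; it assumes PowerShell 2.0 or later and uses the DependentServices property that Get-Service exposes.

```powershell
# Added example, not from the original page: enumerate the services on this
# computer that depend on the RPC system service (RpcSs), directly or, with
# -Recurse, through another service. Assumes PowerShell 2.0 or later.
function Get-RpcssDependent {
    param([switch]$Recurse)   # also walk services that depend on a dependent

    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue((Get-Service -Name RpcSs))

    while ($queue.Count -gt 0) {
        $svc = $queue.Dequeue()
        foreach ($dep in $svc.DependentServices) {
            if ($seen.ContainsKey($dep.Name)) { continue }
            $seen[$dep.Name] = $true
            New-Object PSObject -Property @{
                Name        = $dep.Name
                DisplayName = $dep.DisplayName
                Status      = $dep.Status
                DependsOn   = $svc.Name   # the service through which it reaches RpcSs
            }
            if ($Recurse) { $queue.Enqueue($dep) }
        }
    }
}

# Direct dependents, comparable to the table above:
Get-RpcssDependent | Sort-Object DisplayName |
    Format-Table DisplayName, Name, Status -AutoSize

# Everything that transitively needs RPCSS to be running:
Get-RpcssDependent -Recurse | Sort-Object DependsOn, DisplayName |
    Format-Table DisplayName, DependsOn, Status -AutoSize
```

The exact set differs by Windows version and installed roles, which is why the table names only Windows Server 2003 services.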
DFS allows administrators to make it easier for users to access and manage files that are
physically distributed across a network.
With DFS, files distributed across multiple servers can appear to users as though they
reside in one place (one computer) on the network.
Benefits of DFS
1. Easy access:
Users need not remember multiple locations from which they get data; by remembering
one location they get access to all of the data.
2. Fault tolerance:
For the master DFS server we can have a replica (target) on another DFS server. If the master
DFS server fails, users can still continue accessing the data from the backup DFS server (target).
There is no interruption to accessing data.
3. Load balancing:
If all the DFS root servers and targets are working fine, this leads to load balancing.
This is achieved by specifying locations for separate users.
4. Security:
We can implement security by using NTFS settings.
DFS Terminology:
1. DFS root
2. DFS links
3. DFS targets
4. Domain DFS root
5. Stand alone DFS root
Domain DFS root:
It is a server configured in the domain and offers fault tolerance and load balancing. It is a
root server which maintains links to other file servers.
Requirements:
DC or Member Server
Stand-alone DFS root:
It is configured in a workgroup model and does not provide fault tolerance or load balancing.
DFS root:
A DFS root is the beginning of a hierarchy of DFS links that point to shared folders.
DFS link:
A link from a DFS root to one or more shared files or folders.
Targets:
The mapping destination of a DFS root or links, which corresponds to a physical folder that
===================================
DiskPart commands Guide
DiskPart is a text-mode command interpreter that enables you to manage objects (disks,
partitions, volumes, or virtual hard disks) by using scripts or direct input from a command
prompt. Before you can use DiskPart commands, you must first list, and then select an object
to give it focus. When an object has focus, any DiskPart commands that you type will act on
that object.
You can list the available objects and determine an object's number or drive letter by using
the list disk, list volume, list partition, and list vdisk commands. The list disk, list
vdisk and list volume commands display all disks and volumes on the computer. However,
the list partition command only displays partitions on the disk that has focus. When you use
the list commands, an asterisk (*) appears next to the object with focus.
When you select an object, the focus remains on that object until you select a different object.
For example, if the focus is set on disk 0 and you select volume 8 on disk 2, the focus shifts
from disk 0 to disk 2, volume 8. Some commands automatically change the focus. For
example, when you create a new partition, the focus automatically switches to the new
partition.
You can only give focus to a partition on the selected disk. When a partition has focus, the
related volume (if any) also has focus. When a volume has focus, the related disk and
partition also have focus if the volume maps to a single specific partition. If this is not the
case, focus on the disk and partition is lost.
The list of sub-commands for DiskPart is shown below. Some commands are not available
in Windows XP; they are indicated with an asterisk (*).
ACTIVE - Mark the selected partition as active.
ADD - Add a mirror to a simple volume.
ASSIGN - Assign a drive letter or mount point to the selected volume.
ATTRIBUTES - Manipulate volume or disk attributes.*
ATTACH - Attaches a virtual disk file.*
AUTOMOUNT - Enable and disable automatic mounting of basic volumes.*
BREAK - Break a mirror set.
CLEAN - Clear the configuration information, or all information, off the disk.
COMPACT - Attempts to reduce the physical size of the file.*
CONVERT - Convert between different disk formats.
CREATE - Create a volume, partition or virtual disk. (No virtual disk management in
Windows XP.)
DELETE - Delete an object.
DETAIL - Provide details about an object.
DETACH - Detaches a virtual disk file.*
EXIT - Exit DiskPart.
EXTEND - Extend a volume.
EXPAND - Expands the maximum size available on a virtual disk.*
FILESYSTEMS - Display current and supported file systems on the volume.*
FORMAT - Format the volume or partition.*
GPT - Assign attributes to the selected GPT partition.*
HELP - Display a list of commands.
IMPORT - Import a disk group.
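The focus rules above can be observed with a script, which is the other way DiskPart accepts input. This is an added PowerShell example, not from the original page; it uses only list and select commands, so nothing on the disks is changed, and it assumes an elevated prompt and that the requested disk number exists.

```powershell
# Added example, not from the original page: run a read-only DiskPart script
# that shows how focus moves. Only "list" and "select" commands are used.
# Assumption: elevated prompt; disk $DiskNumber exists on this computer.
function Show-DiskPartFocus {
    param([int]$DiskNumber = 0)

    # list disk before and after "select disk" shows the asterisk appearing
    # next to the focused disk; list partition then shows only that disk's
    # partitions, while list volume still shows every volume.
    $script = @"
list disk
select disk $DiskNumber
list disk
list partition
list volume
"@
    # diskpart /s reads its commands from a script file.
    $path = Join-Path $env:TEMP 'diskpart-focus.txt'
    Set-Content -Path $path -Value $script -Encoding ASCII
    try {
        & diskpart.exe /s $path
    } finally {
        Remove-Item $path -ErrorAction SilentlyContinue
    }
}

Show-DiskPartFocus -DiskNumber 0
```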
Active Directory was introduced to the world in the mid-1990s by Microsoft as a replacement
for Windows NT-style user authentication. Windows NT included a flat and non-extensible
domain model which did not scale well for large corporations. Active Directory, on the other
hand, was created as a true directory service versus a flat user-management service that NT
had. Though it was introduced in the 1990s, it did not become a part of the operating system
until Windows 2000 Server was released in 2000. Since then, Windows Server
2003 and Server 2008 have been introduced and Active Directory has undergone some
expansion.
This tutorial is based on Windows Server 2003 as it is currently the most widely installed
version of the Windows network operating system (NOS), though in the future we will
release versions for Windows Server 2008 and future Windows releases as it becomes
necessary. Though this tutorial is not focused on Windows Server 2008, much of the basic
knowledge and instruction applies to either OS.
LDAP
Active Directory is based loosely on LDAP (Lightweight Directory Access Protocol), an
application protocol for querying and modifying directory services developed at the
University of Michigan in the early 1990s. An LDAP directory tree is a hierarchical structure
of organizations, domains, trees, groups, and individual units.
Active Directory is a Directory
Sometimes, it's easy to get lost in all of the technology and
functions that are provided with AD and forget that Active Directory is a directory. It is a
directory in both the common use of the term, like a white pages (you can add in a person's
first name, last name, phone number, address, email address, etc), and a directory of
information for use by applications and services (such as Microsoft Exchange for email). AD
is functionally a place to store information about people, things (computers, printers, etc),
applications, domains, services, security access permissions, and more. Applications and
services then use the directory to perform a function.
For example, Microsoft Windows uses Active Directory information to allow a user to login
to their computer and provide access to the security rights assigned in Active Directory.
Windows is accessing the directory and then providing rights based on what it finds. If a user
account is disabled in Active Directory, the directory itself is just setting a flag which
Windows uses to disallow a user from logging in.
We mentioned in the introduction that administrators use Active Directory to deploy
software; this is an incomplete description. Administrators can set policies and information
that a certain software application should be deployed to a certain user; AD itself does not
deploy the software, but a Windows service reads the information from Active Directory and
then installs the software.
======================
also host the global catalog, all the domain controllers have the current data, and it is not
important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers
in a particular domain. When a DC creates a security principal object such as a user or group,
it attaches a unique Security ID (SID) to the object.
This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative
ID (RID) that is unique for each security principal SID created in a domain. Each DC in a
domain is allocated a pool of RIDs that it is allowed to assign to the security principals it
creates.
When a DC's allocated RID pool falls below a threshold, that DC issues a request for
additional RIDs to the domain's RID master. The domain RID master responds to the request
by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of
the requesting DC. At any one time, there can be only one domain controller acting as the
RID master in the domain.
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003
includes the W32Time (Windows Time) time service that is required by the Kerberos
authentication protocol.
All Windows 2000/2003-based computers within an enterprise use a common time. The
purpose of the time service is to ensure that the Windows Time service uses a hierarchical
relationship that controls authority and does not permit loops to ensure appropriate common
time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root
of the forest becomes authoritative for the enterprise, and should be configured to gather the
time from an external source.
All PDC FSMO role holders follow the hierarchy of domains in the selection of their inbound time partner. In a Windows 2000/2003 domain, the PDC emulator role holder retains
the following functions:
Password changes performed by other DCs in the domain are replicated preferentially to the
PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect
password are forwarded to the PDC emulator before a bad password failure message is
reported to the user.
The five operations master roles are Schema, Domain Naming, RID, PDC Emulator, and
Infrastructure; the Schema master is viewed through the Schema snap-in.
Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and
Infrastructure Master FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools
folder.
2. Right-click the Active Directory Users and Computers icon again and press Operation
Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done click Close.
Finding the Domain Naming Master via GUI
To find out who currently holds the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools
folder.
2. Right-click the Active Directory Domains and Trusts icon again and press Operation
Masters.
3. When you're done click Close.
Finding the Schema Master via GUI
To find out who currently holds the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:
regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads right-click it and press Operation
Masters.
8. Press the Close button.
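All five role holders can also be read in one place, which is useful after a transfer or seizure to confirm what a given domain controller believes. This is an added PowerShell example, not from the original page; it uses the .NET System.DirectoryServices.ActiveDirectory classes and assumes a domain-joined account with ordinary read access, with the optional -Server value being a placeholder for one of your domain controllers.

```powershell
# Added example, not from the original page: report the holders of the three
# domain-wide and two forest-wide operations master roles without opening the
# three snap-ins. Assumes a domain-joined account with read access.
function Get-FsmoRoleHolder {
    param([string]$Server)   # optional: ask a specific DC for its view of the roles

    if ($Server) {
        $ctx = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext(
            'DirectoryServer', $Server)
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetDomain($ctx)
    } else {
        $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    }
    $forest = $domain.Forest

    # Domain-wide roles (Active Directory Users and Computers snap-in)
    New-Object PSObject -Property @{ Role = 'RID';            Scope = $domain.Name; Holder = $domain.RidRoleOwner.Name }
    New-Object PSObject -Property @{ Role = 'PDC Emulator';   Scope = $domain.Name; Holder = $domain.PdcRoleOwner.Name }
    New-Object PSObject -Property @{ Role = 'Infrastructure'; Scope = $domain.Name; Holder = $domain.InfrastructureRoleOwner.Name }
    # Forest-wide roles (Domains and Trusts snap-in, Schema snap-in)
    New-Object PSObject -Property @{ Role = 'Domain Naming';  Scope = $forest.Name; Holder = $forest.NamingRoleOwner.Name }
    New-Object PSObject -Property @{ Role = 'Schema';         Scope = $forest.Name; Holder = $forest.SchemaRoleOwner.Name }
}

# Current domain's view:
Get-FsmoRoleHolder | Format-Table Role, Scope, Holder -AutoSize

# Compare with what a particular DC reports (placeholder server name):
Get-FsmoRoleHolder -Server 'dc1.example.com' | Format-Table Role, Scope, Holder -AutoSize
```

If two domain controllers disagree about a holder, replication has not yet carried the transfer, or a seizure left the old holder believing it still owns the role.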
security. In Windows 2000, the terminology used to refer to domain functional levels was
domain modes. Forests in Windows 2000 have one mode and domains can have the domain
mode set as either mixed mode or native mode. With Windows Server 2003 Active Directory
came the introduction of the Windows Server 2003 interim functional level and
Windows Server 2003 functional level for both domains and forests. The four domain
functional levels that can be set for domain controllers are Windows 2000 mixed, Windows
2000 native, Windows Server 2003 interim, and Windows Server 2003. The default domain
functional level is Windows 2000 mixed. The three forest functional levels are Windows
2000, Windows Server 2003 interim, and Windows Server 2003. The default forest functional
level is Windows 2000.
When the Windows Server 2003 functional level is enabled in your environment,
additional Active Directory domain-wide and forest-wide features are automatically enabled.
Windows Server 2003 functional level is enabled in your environment when all
domain controllers are running Windows Server 2003. The Active Directory Domains And
Trusts console is used to raise the functional levels of domains and forests in Active
Directory.
Domain Functional Levels
When raising the domain functional level from Windows 2000 mixed to Windows 2000 native or
the Windows Server 2003 functional level, domain controllers are regarded as peers to each
other. What this essentially means is that the domain master concept no longer exists. It also
means that pre-Windows 2000 replication no longer exists. If you are considering raising the
domain functional level within your environment to Windows Server 2003, you should
remember that after the domain functional level is raised, you cannot add any Windows 2000
server to the particular domain.
Windows 2000 Mixed Domain Functional Level
Any newly installed domain controller operates in Windows 2000 mixed domain functional
level for the domain by default. This makes the Windows 2000 mixed domain functional
level the default functional level for all Windows Server 2003 domains. Windows 2000
mixed domain functional level enables the Windows Server 2003 domain controller to
operate together with Windows NT 4, Windows 2000, and Windows Server 2003 domain
controllers. The only Windows NT domain controllers supported are Windows NT backup
domain controllers (BDCs). Windows NT primary domain controllers do not exist in Active
Directory. In Active Directory, domain controllers act as peers to one another. Windows 2000
mixed domain functional level is usually used to migrate domain controllers from Windows
NT to Windows 2000 domain controllers.
You can raise Windows 2000 mixed domain functional level to
The Active Directory domain features that are available in Windows 2000 mixed domain
functional level are listed below:
Distribution Groups
The Active Directory domain features that are not supported in Windows 2000 mixed domain
functional level are listed below:
Universal Groups
SID History
Constrained delegation
The Windows 2000 native domain functional level enables Windows Server 2003 domain
controllers to operate with Windows 2000 domain controllers and Windows Server
2003 domain controllers. This domain functional level is typically used to support domain
controller upgrades from Windows 2000 to Windows Server 2003. Windows NT 4.0 backup
domain controllers are not supported in the Windows 2000 native domain functional level.
Windows 2000 native cannot be lowered again to the Windows 2000 mixed domain
functional level.
You can raise the Windows 2000 native domain functional level to
The Active Directory domain features that are available in Windows 2000 native domain
functional level are listed below:
Distribution Groups
Universal Groups
SID History
The Active Directory domain features that are not supported in Windows 2000 native domain
functional level are listed below:
Constrained delegation
Windows Server 2003 interim domain functional level enables domain controllers running
Windows Server 2003 to function in a domain containing both Windows NT 4.0 domain
controllers and Windows Server 2003 domain controllers. Domain controllers running
Windows 2000 are not supported in this domain functional level. You can only set this
domain functional level when upgrading from Windows NT to Windows Server 2003. In fact,
the Windows Server 2003 interim domain functional level can only be raised to
Windows Server 2003 domain functional level. Windows Server 2003 interim domain
functional level is also typically used when you are not going to immediately upgrade
your Windows NT 4.0 backup domain controllers to Windows Server 2003, and when your
existing Windows NT domain has groups consisting of over 5,000 members.
The Active Directory domain features that are available in Windows Server
2003 interim domain functional level are listed below:
Distribution groups
The Active Directory domain features that are not supported in Windows Server
2003 interim domain functional level are listed below:
Universal Groups
SID History
Constrained delegation
Windows Server 2003 domain functional level is the highest level that can be specified for a
domain. All domain controllers in the domain are running Windows Server 2003. This
basically means that Windows NT 4 and Windows 2000 domain controllers are not supported
in these domains. Once the domain level is set to Windows Server 2003 domain functional
level, it cannot be lowered to any of the previous domain functional levels.
All Active Directory domain features are available in Windows Server 2003 domain
functional level:
Distribution Groups
Universal Groups
SID History
Constrained delegation
How to check which domain function level is set for the domain
1. Open the Active Directory Domains And Trusts console
2. Right-click the particular domain whose functional level you want to verify,
and select Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens
4. You can view the existing domain functional level for the domain in Current
domain functional level.
How to raise the domain functional level to the Windows 2000 native domain functional
level or Windows Server 2003 domain functional level
Before you can raise the domain functional level to Windows Server 2003 domain functional
level, each domain controller in the domain has to be running Windows Server 2003.
To raise the domain functional level for a domain,
1. Open the Active Directory Domains And Trusts console
2. Right-click the particular domain whose functional level you want to raise,
and select Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. Use the Select An Available Domain Functional Level list to choose the
domain functional level for the domain.
5. Click Raise
6. Click OK
The Active Directory forest features that are not supported in Windows 2000 forest functional
level are listed below:
Domain renaming
Forest Trust
Application groups
InetOrgPerson objectClass
The Active Directory forest features that are not supported in Windows Server 2003 interim
forest functional level are listed below:
Domain renaming
Forest Trust
Application groups
InetOrgPerson objectClass
All Active Directory forest features are available in Windows Server 2003 forest functional
level:
Domain renaming
Forest Trust
Application groups
InetOrgPerson objectClass
How to check which forest functional level is set for the forest
1. Open the Active Directory Domains And Trusts console
2. Right-click Active Directory Domains and Trusts in the console tree, and
select Raise Forest Functional Level from the shortcut menu.
3. The Raise Forest Functional Level dialog box opens
4. You can view the existing forest functional level for the forest in Current
forest functional level.
How to raise the forest functional level to Windows Server 2003 forest functional level
Each domain controller in the forest has to be running Windows Server 2003 before you can
change the forest functional level to Windows Server 2003. When you raise the forest
functional level, all domains in the forest will automatically have their domain functional
level raised to Windows Server 2003.
To raise the forest functional level for a forest,
1. Open the Active Directory Domains And Trusts console
2. Right-click Active Directory Domains And Trusts in the console tree, and
select Raise Forest Functional Level from the shortcut menu.
3. The Raise Forest Functional Level dialog box opens
4. Click Raise
5. Click OK
Windows 2000 native route: This approach involves raising the domain
functional level to Windows 2000 native, and then raising the forest functional
level to Windows Server 2003.
Windows Server 2003 route: This approach involves raising the domain
functional level to Windows 2000 native, and then to the Windows Server 2003
functional level. The forest functional level has to lastly be changed to
Windows Server 2003.
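Since a raise is one-way and fails unless every domain controller already runs Windows Server 2003, the check described above is worth scripting before touching the console. This is an added PowerShell example, not from the original page; it reads the current levels and each DC's reported OS version through System.DirectoryServices.ActiveDirectory, and assumes a domain-joined account (the commented-out raise itself would need Domain Admin rights).

```powershell
# Added example, not from the original page: show the current domain and forest
# functional levels and verify every DC in the domain reports Windows Server 2003
# before the level is raised. Assumes a domain-joined account with read access.
function Test-FunctionalLevelReadiness {
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    $forest = $domain.Forest

    Write-Host ("Domain {0}: functional level {1}" -f $domain.Name, $domain.DomainMode)
    Write-Host ("Forest {0}: functional level {1}" -f $forest.Name, $forest.ForestMode)

    $blockers = @()
    foreach ($dc in $domain.FindAllDomainControllers()) {
        try {
            $os = $dc.OSVersion          # queried from the DC itself over LDAP
        } catch {
            $os = 'unreachable'          # an unreachable DC is treated as a blocker
        }
        Write-Host ("  DC {0}: {1}" -f $dc.Name, $os)
        if ($os -match 'Windows 2000|Windows NT|unreachable') { $blockers += $dc.Name }
    }

    if ($blockers.Count -gt 0) {
        Write-Host ("Cannot raise to Windows Server 2003 yet: {0}" -f ($blockers -join ', '))
        return $false
    }
    return $true
}

if (Test-FunctionalLevelReadiness) {
    # Raising cannot be undone; uncomment only after reviewing the output above.
    # $d = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
    # $d.RaiseDomainFunctionality([System.DirectoryServices.ActiveDirectory.DomainMode]::Windows2003Domain)
}
```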
========================
Windows Active Directory Groups
Groups in AD
Groups are containers that contain user and computer objects within them as members. When
security permissions are set for a group in the Access Control List on a resource, all members
of that group receive those permissions. Domain Groups enable centralized administration in
a domain. All domain groups are created on a domain controller.
In a domain, Active Directory provides support for different types of groups and group
scopes. The group type determines the type of task that you manage with the group. The
group scope determines whether the group can have members from multiple domains or a
single domain.
Group Types
Group Scopes
Group scope normally describes which users should be grouped together so that they are easy
to administer. Therefore, in a domain, groups play an important part.
One group can be a member of other group(s), which is normally known as group nesting.
One or more groups can be members of any group in the domain(s) within a forest.
Global Group: Users with a similar function can be grouped under global
scope and can be given permission to access a resource (like a printer or
shared folder and files) available in the local or another domain in the same forest.
In simple terms, global groups can be used to grant permissions to
gain access to resources which are located in any domain within a single
forest, while their memberships are limited: user accounts and global groups
can be added only from the domain in which the global group is created.
Nesting is possible for global groups within other groups, as you can add a
global group into another global group from any domain. Finally, to provide
permission to domain-specific resources (like printers and published
folders), they can be members of a Domain Local group. Global groups exist
in all mixed, native and interim functional levels of domains and forests.
Universal Group Scope: these groups are typically used for email
distribution and can be granted access to resources in all trusted domains,
as these groups can only be used as a security principal (security group
type) in a Windows 2000 native or Windows Server 2003 domain functional
level domain. Universal group memberships are not limited like global
groups: all domain user accounts and groups can be members of a
universal group. Universal groups can be nested under a global or Domain
Local group in any domain.
======================
Windows Server 2003 - NTDSutil Guide
NTDSutil is a Windows utility for configuring the heart of Active Directory. Ntdsutil.exe is a
command-line tool that provides management facilities for Active Directory. Use Ntdsutil to
perform database maintenance of Active Directory, to manage and control single master
operations, and to remove metadata left behind by domain controllers that were removed
from the network without being properly uninstalled. By default, Ntdsutil is installed in the
Winnt\System32 folder.
Preparation for NTDSutil
Begin by logging on at a Windows Server 2003 or 2008. We suggest that you create a new
folder to hold any logs that NTDSutil creates, for example D:\ntdsutil. Run a CMD prompt,
change directory to D:\ntdsutil and at the prompt type ntdsutil. Unsurprisingly, the actual
executable is called ntdsutil.exe and is found in the %systemroot%\system32 folder.
Key NTDSutil command
When you are experimenting with NTDSutil, if you get stuck remember these four little
words, they will make the difference between success and frustration:
Connect to Server Server3 (Substitute your server for Server3)
Don't shorten the command to: Connect Server3 (Remember the words 'to' and 'server').
Tip: NTDSutil help tip If ever you are stuck in NTDSutil, simply type help.
Variety of NTDSutil tasks
Authoritative Restore - Major project, needs careful planning.
Configurable Settings - Not very interesting.
Domain Management - Specialist area. Create Naming Contexts and add replicas to the
Application Directory Partition of DNS.
Files - Available only if you boot the server into Directory Restore Mode. Checks the
integrity of NTDS.DIT and moves associated databases.
Roles = FSMO Maintenance. Which Domain Controller has which Single Operations
Master? Seize roles such as PDC Emulator. Good news, for once you do get a message
detailing the transfer you are about to make. My advice is to use Roles in conjunction with
netdom or the Active Directory Snap-ins. My point is I could not find a way of displaying
who holds which FSMO role with NTDSutil.
Reset DSRM password. If you don't know the server's Directory Service account password,
then here is your chance to reset it to a password that you will remember.
Security Account Management. Check for duplicate SIDs
Example 1: Security Account Management (Maintenance)
Let us start gently and check for duplicate SIDs. This experiment is more for gaining
experience of the NTDSutil interface than the probability of finding any duplicate SIDs. This
is what I typed at the command prompt, my commands are in bold:
E:\ntdsutil>ntdsutil
ntdsutil: security account management
Security Account Maintenance: connect to server Server3
Security Account Maintenance: check duplicate sid
...
Duplicate SID check completed successfully. Check dupsid.log for any duplicates
Security Account Maintenance:
1) In the above session I typed the full command security accounts management. However
you can shorten commands thus: 'sec acc man'
Incidentally, I am inventing these shorthand commands in the sense that NTDSutil also
understands:
sec ac ma or even 'secu a m'. NTDSutil's brain works by analysing your letters and, if there is
only one possible interpretation, it fills in the gaps and returns the service that you asked
for. For example, plain 'se' will not work because there is another command which begins
with se, Semantic....
2) When the command prompt shows, Security Accounts Maintenance:
Here is where you must type: 'connect to server Server3'. Be aware that even though I am
sitting at Server3's console, I must remember this command : connect to server xyz.
3) When I type the instruction, 'Check Duplicate SID', don't ask me why, but you cannot
shorten the command to 'chk dup sd'. Please just accept you need the full words here.
4) As ever, read the screen and take note of dupsid.log. However, you have to quit NTDSutil,
or use Explorer, before you can attempt to read dupsid.log. My point is that you cannot issue a
command: 'notepad dupsid.log' from within NTDSutil.
E:\ntdsutil>ntdsutil
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server Server3
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.
Reset DSRM Administrator Password: quit
ntdsutil: quit
E:\ntdsutil>
1) The key command type: 'reset password on Server3'
If NTDSutil replies with: 'Please type password for DS Restore Mode', then you know you
are in the correct place.
2) To escape from NTDSutil you need just type quit, possibly two or three times to get back to
the command prompt.
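The duplicate SID check from Example 1 can be run without the interactive prompts, which also works around the point that dupsid.log cannot be read from inside NTDSutil. This is an added PowerShell example, not code from the original article; it passes the same commands as arguments to ntdsutil.exe, assumes an elevated prompt on a domain controller, uses Server3 as a placeholder name, and assumes dupsid.log is written to the current folder (the reason the article changes into D:\ntdsutil first).

```powershell
# Added example, not from the original article: run NTDSutil's duplicate SID
# check non-interactively, then read dupsid.log. Each quoted argument is one
# NTDSutil command, exactly as typed at the interactive prompt.
# Assumptions: elevated prompt on a DC; $Server is your DC's name (Server3 is a
# placeholder); dupsid.log lands in the current directory.
function Invoke-DuplicateSidCheck {
    param([string]$Server = 'Server3',
          [string]$LogDir = 'D:\ntdsutil')

    if (-not (Test-Path $LogDir)) { New-Item -ItemType Directory -Path $LogDir | Out-Null }
    Push-Location $LogDir
    try {
        $out = & ntdsutil.exe 'security account management' `
                              "connect to server $Server" `
                              'check duplicate sid' quit quit 2>&1
        $out | ForEach-Object { Write-Host $_ }

        $log = Join-Path $LogDir 'dupsid.log'
        if (Test-Path $log) {
            # Blank lines are dropped so the count reflects reported entries only.
            $lines = @(Get-Content $log | Where-Object { $_.Trim() })
            Write-Host ("dupsid.log: {0} line(s)" -f $lines.Count)
            $lines
        } else {
            Write-Host 'dupsid.log was not written; check the NTDSutil output above.'
        }
    } finally {
        Pop-Location
    }
}

Invoke-DuplicateSidCheck -Server 'Server3'
```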
======================
It is best to avoid seizing roles. The decision to seize an operations master role depends upon
the role and the expected length of the outage.
Primary Domain Controller Emulator Failures
The loss of a domain controller that holds the primary domain controller emulator role can be
visible to anyone, whether users or administrators. Specifically, an end user running Windows
NT Workstation 3.51, or Windows NT 4.0, Windows 95, or Windows 98 without the Active
Directory client, cannot change their password without communicating with the
primary domain controller emulator. If the user's password has expired, the user is not able to
log on.
Therefore, you might need to repair a primary domain controller emulator failure quickly. If
the primary domain controller emulator is offline for a significant period of time and the
domain has users running Windows NT Workstation 3.51, or Windows NT 4.0, Windows 95,
or Windows 98 without the Active Directory client, or domain controllers running earlier
versions of Windows NT, you should seize the primary domain controller emulator role to the
standby operations master domain controller.
The user interface for this seizure is similar to that of a normal operations master role
transfer, except it requires an extra confirmation from you. Agree to the confirmation only if
you know the current primary domain controller emulator will be offline for a significant
period. Later, when the original primary domain controller emulator domain controller comes
back online, transfer the role back to the original role owner.
Infrastructure Master Failures
Temporary loss of a domain's infrastructure master is not visible to end users, and is not
visible to you, as an administrator, unless you recently moved or renamed a large number of
accounts. Therefore, in most cases, a temporary loss of the infrastructure master is not a
problem worth fixing. If you anticipate a long outage of a domain's infrastructure master and
you need to repair it, first select a domain controller that is not a Global Catalog server and
that has good network connectivity to a Global Catalog server located in any domain.
Ideally, the domain controller you have chosen should be within the same site as a Global
Catalog server. It is not important that the new infrastructure master be near the previous one.
When you have selected the domain controller, seize the infrastructure master role to
this domain controller.
The user interface for this seizure is similar to that of a normal operations master role
transfer, except it requires an extra confirmation from you. Agree to the confirmation only if
you know that the current infrastructure master will be offline for a very long period. Later,
when the original infrastructure master comes back online, transfer the role back to the
original role owner.
Other Operations Master Failures
Temporary loss of the schema master, domain naming master, or RID master is ordinarily not
visible to end users, and does not usually inhibit your work as an administrator. Therefore,
this is usually not a problem worth fixing. However, if you anticipate an extremely long
outage of the domain controller holding one of these roles, you can seize that role to the
Standby operations master domain controller.
Seizing any of these roles, however, is a drastic step; one that you would take only when the outage
is permanent, as in the case when a domain controller is physically destroyed and cannot be
restored from backup media. A domain controller whose schema master, domain
naming master, or RID master role is seized must never come back online. Before proceeding
with the role seizure, you must ensure that the outage of this domain controller is permanent
by physically disconnecting the domain controller from the network.
The domain controller that seizes the role should be fully up-to-date with respect to updates
performed on the previous role owner. Because of replication latency, it is possible that
the domain controller might not be up-to-date.
To check the status of updates for a domain controller, you can use the Repadmin command-line
tool. The Repadmin command-line tool is a Resource Kit tool that performs replication
diagnostics. It is available on the Microsoft Windows 2000 Server installation CD. Repadmin
can determine whether a domain controller has the most current updates.
For more information about using the Repadmin tool, see Windows 2000 Support Tools Help,
which is included on the Windows 2000 Server CD and Active Directory Diagnostics,
Troubleshooting, and Recovery in this book.
For example, to make sure a domain controller is fully up-to-date, suppose that server05 is
the RID master of the domain reskit.com, server10 is the Standby operations
master domain controller, and server12 is the only other domain controller in the
reskit.com domain. Using the Repadmin tool, you would issue the following commands:
C:\> repadmin /showvector dc=reskit,dc=com server10.reskit.com
New-York\server05 @ USN 2604
San-Francisco\server12 @ USN 2706
C:\> repadmin /showvector dc=reskit,dc=com server12.reskit.com
New-York\server05 @ USN 2590
Chicago\server10 @ USN 3110
Note
In the previous example, user input is in bold type.
Ignore all output lines except those for server05. Server10's up-to-date status value with
respect to server05 (server05 @ USN 2604) is larger than server12's up-to-date status value
with respect to server05 (server05 @ USN 2590), making it safe for server10 to seize the
RID master role formerly held by server05. If the up-to-date status value for server10
were less than the value for server12, you would wait for normal replication to update
server10, or use the Repadmin tool's /sync /force commands to make the replication happen
immediately.
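The comparison just described can be scripted. The following added example (not from the Resource Kit and not part of the Repadmin tool) parses /showvector output in the format shown in the text and reports whether the standby is safe to promote; the sample output reuses the text's own figures, and the check also refuses when the standby has never replicated from the old owner at all.

```python
import re
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample input: the two repadmin /showvector listings from the text,
# queried against server10 (the standby) and server12 (the only other DC).
# server05 is the failed RID master.
SHOWVECTOR_SERVER10 = """\
New-York\\server05 @ USN 2604
San-Francisco\\server12 @ USN 2706
"""
SHOWVECTOR_SERVER12 = """\
New-York\\server05 @ USN 2590
Chicago\\server10 @ USN 3110
"""

# One vector entry: optional "Site\" prefix, DC name, "@ USN <n>", anything after.
_VECTOR_LINE = re.compile(
    r"^(?:(?P<site>[^\\\s]+)\\)?(?P<dc>[^\s@\\]+)\s+@\s+USN\s+(?P<usn>\d+)(?:\s.*)?$"
)


def parse_showvector(output: str) -> Dict[str, int]:
    """Return {source_dc: usn} from /showvector output.

    Keys are lower-cased DC names with the site prefix dropped; lines that
    are not vector entries (headers, blanks) are ignored.
    """
    vector: Dict[str, int] = {}
    for line in output.splitlines():
        match = _VECTOR_LINE.match(line.strip())
        if match:
            vector[match.group("dc").lower()] = int(match.group("usn"))
    return vector


@dataclass
class SeizureCheck:
    safe: bool
    candidate_usn: Optional[int]
    newest_other_usn: Optional[int]
    newest_other_dc: Optional[str]
    reason: str


def check_seizure(candidate_vector: Dict[str, int],
                  other_vectors: Dict[str, Dict[str, int]],
                  failed_owner: str) -> SeizureCheck:
    """Decide whether the standby DC may seize a role from failed_owner.

    The standby is safe to promote only if its USN for the old owner is at
    least as high as every remaining DC's USN for that owner; otherwise some
    DC holds updates the standby has not yet replicated.
    """
    owner = failed_owner.lower()
    candidate_usn = candidate_vector.get(owner)
    if candidate_usn is None:
        return SeizureCheck(False, None, None, None,
                            f"standby has never replicated from {owner}")
    newest_dc, newest_usn = None, -1
    for dc, vector in other_vectors.items():
        usn = vector.get(owner)
        if usn is not None and usn > newest_usn:
            newest_dc, newest_usn = dc, usn
    if newest_dc is None:
        return SeizureCheck(True, candidate_usn, None, None,
                            "no other DC holds updates from the old owner")
    if candidate_usn >= newest_usn:
        return SeizureCheck(True, candidate_usn, newest_usn, newest_dc,
                            "standby is at least as current as every other DC")
    return SeizureCheck(False, candidate_usn, newest_usn, newest_dc,
                        f"{newest_dc} has newer updates from {owner}; "
                        "replicate (repadmin /sync) before seizing")


if __name__ == "__main__":
    standby = parse_showvector(SHOWVECTOR_SERVER10)
    others = {"server12": parse_showvector(SHOWVECTOR_SERVER12)}
    print(check_seizure(standby, others, "server05"))
```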
After you have determined that the role owner is fully up-to-date, you can seize the
operations master role using the Ntdsutil tool as in the following example:
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server10.reskit.com
binding to server10.reskit.com
Connected to server10.reskit.com
using credentials of locally logged on user
server connections: quit
fsmo maintenance: seize RID master
Server server10.reskit.com knows about 5 roles
Schema CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure CN=NTDS Settings,CN=server12,CN=Servers,
CN=San-Francisco,CN=Sites,CN=Configuration,DC=reskit,DC=com
fsmo maintenance: quit
ntdsutil: quit
C:\>
Note
In the previous example, user input is in bold type.
For more information about specific procedures for using the Ntdsutil command-line tool, see
Windows 2000 Support Tools Help, which is included on the Windows 2000
Server installation CD.
Using the Ntdsutil Tool for Role Placement
The Ntdsutil tool allows you to transfer and seize operations master roles. The Ntdsutil tool
might be more convenient for operations master transfers and seizures than the graphical user
interface tools, because it is simpler and quicker to enter commands than to use multiple
windows.
To perform seizures of the schema master, domain naming master, and RID master roles, the
Ntdsutil tool is the required method.
When you use the Ntdsutil command-line tool to seize an operations master role, the tool
attempts a transfer from the current role owner first. Then, if the existing operations master is
unavailable, it performs the seizure. The Ntdsutil tool provides help information when you
type a question mark (?). The following is an example showing the transfer of the domain
naming master role (with user input shown in bold type):
C:\> ntdsutil
ntdsutil: ?
? Print this help information
Authoritative restore Authoritatively restore the DIT database
Domain management Prepare for new domain creation
Files Manage NTDS database files
Help Print this help information
IPDeny List Manage LDAP IP Deny List
LDAP policies Manage LDAP protocol policies
Metadata cleanup Clean up objects of decommissioned servers
Popups %s (en/dis)able popups with on or off
Quit Quit the utility
Roles Manage NTDS role owner tokens
Security account management Manage Security Account Database Duplicate SID Cleanup
Semantic database analysis Semantic Checker
ntdsutil: roles
fsmo maintenance: ?
? Print this help information
Connections Connect to a specific domain controller
Help Print this help information
Quit Return to the prior menu
Seize domain naming master Overwrite domain role on connected server
Seize infrastructure master Overwrite infrastructure role on connected server
Seize PDC Overwrite PDC role on connected server
Seize RID master Overwrite RID role on connected server
Seize schema master Overwrite schema role on connected server
Select operation target Select sites, servers, domains, roles and Naming Contexts
Transfer domain naming master Make connected server the domain naming master
Transfer infrastructure master Make connected server the infrastructure master
Transfer PDC Make connected server the PDC
Transfer RID master Make connected server the RID master
Transfer schema master Make connected server the schema master
A confirmation pop-up window (not shown) is displayed for the transfer domain naming master
operation.
Note
You must have sufficient permissions to execute commands using the Ntdsutil tool. For more
information about controlling access to operations master role placements, see Controlling
Access to Role Placements later in this chapter.
It is also possible to view the current operations master role owners using the Ntdsutil
command-line tool from the Select Operation Target menu located under the Roles option. The
List roles for connected server command displays a list of all of the current
operations master role owners.
For more information about using the Ntdsutil command-line tool, see Windows 2000
Support Tools Help, which is included on the Windows 2000 Server installation CD.
================
Transitive trusts: With transitive trusts, the trust extends to each domain that a trusted
domain itself trusts. What this means is that where Domain1 trusts Domain2, and Domain2
trusts Domain3, Domain1 also trusts Domain3.
Nontransitive trust: The defined trust relationship ends with the two domains
between which the particular trust is created.
Tree Root trust: A tree root trust relationship can be configured between root domains
in the same forest. The root domains do not have a common DNS namespace. This
trust relationship is established when a new tree root domain is added to a forest.
Shortcut trust: This trust relationship can be configured between two domains in
different domain trees but within the same forest. Shortcut trust is typically utilized to
improve user logon times.
External trust: External trust relationships are created between an Active Directory
domain and a Windows NT4 domain.
Realm trust: A realm trust relationship exists between an Active Directory domain and
a non-Windows Kerberos realm.
Forest trust: Forest trust can be created between two Active Directory forests.
==================
Before you can create any shortcut trusts, you must be a member of the Enterprise Admin or
Domain Admin groups in each domain in the forest. Another requirement is that the domains
you are creating shortcut trust for, are Windows Server 2003 domains that reside in the same
forest. As mentioned earlier, Shortcut trust is usually created to speed up authentication
between two domains in different trees but within the same forest.
Shortcut trust can be one-way transitive trust, or two-way transitive trust. What shortcut trust
essentially does is it shortens the trust path traversed for authentication requests made
between domains of different trees. Shortcut trust is typically configured in an intricate forest
where users continually need to access resources of domains belonging to different trees.
Shortcut trust improves query response performance as well.
You would need to create one-way shortcut trust when the optimized trust path is only
needed for one of the domains in the trust. The other domain's users would need to traverse
the full trust path when handling authentication requests.
You would need to create two-way shortcut trust when the users in each domain need
to use the shortened trust path for authentication requests.
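As an added illustration (not part of the original text), the following Python model computes the trust path between two domains using the rules described above: a nontransitive trust is usable only as a direct hop, transitive trusts chain, and a shortcut trust shortens the path. The forest layout, the domain names other than reskit.com, and the external NT 4 domain are constructed for the example.

```python
from collections import deque
from typing import Dict, List, Optional

# graph[trusting][trusted] = True if that trust is transitive, False if not
TrustGraph = Dict[str, Dict[str, bool]]


def add_trust(graph: TrustGraph, trusting: str, trusted: str,
              transitive: bool, two_way: bool = True) -> None:
    """Record that `trusting` trusts `trusted` (and the reverse for two-way)."""
    graph.setdefault(trusting, {})[trusted] = transitive
    if two_way:
        graph.setdefault(trusted, {})[trusting] = transitive
    else:
        graph.setdefault(trusted, {})


def trust_path(graph: TrustGraph, trusting: str, trusted: str) -> Optional[List[str]]:
    """Shortest chain of trusts by which `trusting` trusts `trusted`, or None.

    A nontransitive trust only ever serves as a direct, single-hop path: any
    multi-hop path may use transitive trusts only, so a nontransitive edge is
    never crossed in the middle or at the end of a longer chain.
    """
    if trusting == trusted:
        return [trusting]
    if trusted in graph.get(trusting, {}):
        return [trusting, trusted]            # direct trust of either kind
    previous: Dict[str, Optional[str]] = {trusting: None}
    queue = deque([trusting])
    while queue:                              # breadth-first, so first hit is shortest
        current = queue.popleft()
        for nxt, transitive in graph.get(current, {}).items():
            if not transitive or nxt in previous:
                continue
            previous[nxt] = current
            if nxt == trusted:
                path = [nxt]
                while previous[path[-1]] is not None:
                    path.append(previous[path[-1]])
                return path[::-1]
            queue.append(nxt)
    return None


def hops(path: Optional[List[str]]) -> Optional[int]:
    """Number of trusts traversed for an authentication referral, or None."""
    return None if path is None else len(path) - 1


def build_sample_forest() -> TrustGraph:
    """Constructed example: two trees in one forest plus an external NT 4 domain."""
    g: TrustGraph = {}
    add_trust(g, "reskit.com", "sales.reskit.com", transitive=True)      # parent-child
    add_trust(g, "corp.example", "dev.corp.example", transitive=True)    # parent-child
    add_trust(g, "reskit.com", "corp.example", transitive=True)          # tree root trust
    add_trust(g, "reskit.com", "nt4legacy", transitive=False, two_way=False)  # external
    return g


if __name__ == "__main__":
    forest = build_sample_forest()
    before = trust_path(forest, "sales.reskit.com", "dev.corp.example")
    add_trust(forest, "sales.reskit.com", "dev.corp.example", transitive=True)  # shortcut
    after = trust_path(forest, "sales.reskit.com", "dev.corp.example")
    print("without shortcut:", hops(before), before)
    print("with shortcut:   ", hops(after), after)
```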
The Active Directory tool that you use to create shortcut trust is the Active Directory
Domains and Trusts console. The console enables you to specify selective authentication for
incoming shortcut trust and outgoing shortcut trust. What this means is that you can set
authentication differently for the two forms of trust. When you set selective authentication for
incoming shortcut trust, you would need to specify permissions for every resource that users
in the other domain should be able to access. If domain wide authentication is specified on
the incoming shortcut trust, users in the other domain and users in the local domain have the
identical permissions to network resources.
Realm Trust
In order to create realm trust, you should have Enterprise Admin or Domain Admin
permissions for the Windows Server 2003 domain, and you should have the permissions
required for the non-Windows Kerberos version 5 realm. You would typically create realm
trust to enable trust between a Windows Server 2003 domain and an MIT or UNIX Kerberos
version 5 realm. You can create Realm trust as either transitive or nontransitive trust, and as
either one-way or two-way trust.
External Trust
You need to be a member of Enterprise Admins or Domain Admins of the Windows Server
2003 domain and you need to be a member of Enterprise Admins or Domain Admins of the
other domain, to create one-way External trust or two-way External trust.
Recall from an earlier discussion that External trust is always nontransitive in nature, and is
typically used to enable trust between an Active Directory domain and a down-level
Windows NT 4 domain. When the External trust is created, security principals (Users,
Groups, Computers) from the external domain are able to access network resources in the
internal domain (Windows Server 2003 domain). The foreign security principals can be
examined in the Active Directory Users And Computers console. The only requirement is that
Advanced Features are enabled. You can explicitly define different authentication for
incoming External trusts and outgoing External trusts.
Forest Trust
You need to belong to the Enterprise Admins groups in each forest that you want to create
forest trust between. In addition to this, the domains within each forest and each particular
forest have to be raised to the Windows Server 2003 functional level.
Forest trust is typically created when enterprises merge or takeovers occur, and each company
within the enterprise still needs to maintain some form of administrative independence. This
trust relationship enables users to access Active Directory objects between all domains
impacted by the particular forest trust relationship. Forest trust is transitive, and can be
one-way or two-way trust. You would create one-way Forest trusts when users in the trusted forest
need to access Active Directory objects in the trusting forest, but those users in the trusting
forest do not need to access resources in the trusted forest. You would create two-way Forest
trust in cases where users in either one of the forests need to access resources hosted in the
other forest.
================
Introduction
This document is part of a set of step-by-step guides that introduce IT managers and system
administrators to the features of the Windows 2000 operating system. This document
presents a brief overview of Group Policy, and shows how to use the Group Policy snap-in to
specify policy settings for groups of users and of computers. It includes information on:
In Windows 2000, administrators use Group Policy to enhance and control users' desktops. To
simplify the process, administrators can create a specific desktop configuration that is applied
to groups of users and computers. The Windows 2000 Active Directory service enables
Group Policy. The policy information is stored in Group Policy objects (GPOs), which are
linked to selected Active Directory containers: sites, domains, and organizational units (OUs).
A GPO can be used to filter objects based on security group membership, which allows
administrators to manage computers and users in either a centralized or a de-centralized
manner. To do this, administrators can use filtering based on security groups to define the
scope of Group Policy management, so that Group Policy can be applied centrally at the
domain level, or in a decentralized manner at the OU level, and can then be filtered again by
security groups. Administrators can use security groups in Group Policy to:
Filter the scope of a GPO. This defines which groups of users and
computers a GPO affects.
Administrators use the Group Policy Microsoft Management Console (MMC) snap-in to
manage policy settings. Group Policy includes various features for managing these policy
settings. In addition, third parties can extend Group Policy to host other policy settings. The
data generated by Group Policy is stored in a Group Policy object (GPO), which is replicated
in all domain controllers within a single domain.
The Group Policy snap-in includes several MMC snap-in extensions, which constitute the
main nodes in the Group Policy snap-in. The extensions are as follows:
Security settings. You use the Security Settings extension to set security
options for computers and users within the scope of a Group Policy object.
You can define local computer, domain, and network security settings.
Scripts. You can use scripts to automate computer startup and shutdown
and user logon and logoff. You can use any language supported by
Windows Script Host. These include the Microsoft Visual Basic
development system, Scripting Edition (VBScript); JavaScript; PERL; and
MS-DOS-style batch files (.bat and .cmd).
Figure 1 below shows how Group Policy objects use the Active Directory hierarchy for
deploying Group Policy.
The default order of precedence follows the hierarchical nature of the Active Directory: sites
are first, then domains, and then each OU. A GPO can be associated with more than one
Active Directory container or multiple containers can be linked to a single GPO.
Prerequisites and Initial Configuration
Prerequisites
Note that this document does not describe all of the possible Group Policy scenarios. Please
use this instruction set to begin to understand how Group Policy works and begin to think
about how your organization might use Group Policy to reduce its TCO. Other Windows
2000 features, including Security Settings and Software Installation and Maintenance, are
built on Group Policy. To learn how to use Group Policy in those specific scenarios, refer to
the white papers and Windows 2000 Server online help on Windows 2000 Security and
Software Installation and Maintenance, which are available on the Windows 2000 Web site.
Important Notes
The example company, organization, products, people, and events depicted in this guide are
fictitious. No association with any real company, organization, product, person, or event is
intended or should be inferred.
This common infrastructure is designed for use on a private network. The fictitious company
name and DNS name used in the common infrastructure are not registered for use on the
Internet. Please do not use this name on a public network or Internet.
The Active Directory service structure for this common infrastructure is designed to show
how Windows 2000 Change and Configuration Management works and functions with Active
Directory. It was not designed as a model for configuring an Active Directory service for any
organization; for such information see the Active Directory documentation.
Group Policy Snap-in Configuration
Group Policy is tied to the Active Directory service. The Group Policy snap-in extends the
Active Directory management tools using the Microsoft Management Console (MMC) snap-in
extension mechanism.
The Active Directory snap-ins set the scope of management for Group Policy. The most
common way to access Group Policy is by using the Active Directory User and Computers
snap-in, for setting the scope of management to domain and organizational units (OUs). You
can also use the Active Directory Sites and Services snap-in to set the scope of management
to a site. These two tools can be accessed from the Administrative Tools program group; the
Group Policy snap-in extension is enabled in both tools. Alternatively, you can create a
custom MMC console, as described in the next section.
Configuring a Custom Console
The examples in this document use the custom MMC console that you can create by
following the procedure in this section. You need to create this custom console before
attempting the remaining procedures in this document.
Note: If you want more experience building MMC consoles, run through the procedures
outlined in "Step-by-Step Guide to Microsoft Management Console".
To configure a custom console
Click Start, click Run, type mmc, and then click OK.
In the Add/Remove Snap-in dialog box, click the Extensions tab. Ensure
that the Add all extensions check box is checked for each primary
extension added to the MMC console (these are checked by default).
Click OK.
You can use the appropriate Active Directory tools to access Group Policy while focused on
any site, domain, or OU.
To open Group Policy from Active Directory Sites and Services
In the GPWalkthrough MMC console, in the console tree, click the + next
to Active Directory Sites and Services.
In the console tree, right-click the site for which to access Group Policy.
In the console tree in the GPWalkthrough MMC console, click the + next
to Active Directory Users and Computers.
In the console tree, right-click either the reskit domain or the OU for
which to access Group Policy.
To access Group Policy scoped to a specific computer (or the local computer), you must load
the Group Policy snap-in into the MMC console namespace targeted at the specific computer
(or local computer). There are two major reasons for these differences:
Sites, domains, and OUs can have multiple GPOs linked to them; these
GPOs require an intermediate property page to manage them.
A GPO for a specific computer is stored on that computer and not in the
Active Directory.
Scoping a Domain or OU
To scope the domain or OU, use the GPWalkthrough MMC console that you saved earlier.
To scope Group Policy for a domain or OU
This displays a property page where the GPOs associated with the selected Active Directory
container can be managed. You use this property page to add, edit, delete (or remove), and
disable GPOs; to specify No Override options; and to change the order of the associated
GPOs. Selecting Edit starts the Group Policy snap-in. More information on using the Group
Policy property page and the Group Policy snap-in can be found later in this document.
Note: The Computers and Users containers are not organizational units; therefore, you cannot
apply Group Policy directly to them. Users or computers in these containers receive policies
from GPOs scoped to the domain and site objects only. The domain controller container is an
OU, and Group Policy can be applied directly to it.
To access Group Policy for a local or a remote computer, you add the Group Policy snap-in to
the MMC console, and focus it on a remote or local computer. To access Group Policy for the
local computer, use the GPWalkthrough console created earlier in this document, and choose
the Local Computer Policy node. You can add other computers to the console namespace by
adding another Group Policy snap-in to the GPWalkthrough console, and clicking
the Browse button when the Select Group Policy object dialog box is displayed.
Note: Some of the Group Policy extensions are not loaded when Group Policy is run against
a local GPO.
Creating a Group Policy Object
The Group Policy settings you create are contained in a Group Policy Object (GPO) that is in
turn associated with selected Active Directory objects, such as sites, domains, or
organizational units (OUs).
To create a Group Policy Object (GPO)
Click the + next to Active Directory Users and Computers, and click
the reskit.com domain.
Click Close
Best Practice: You can further refine a GPO by using user or computer membership in
security groups and then setting DACLs based on that membership. This is covered in the
Security Group Filtering section below.
Managing Group Policy
To manage Group Policy, you need to access the context menu of a site, domain, or OU,
select Properties, and then select the Group Policy tab. This displays the Group Policy
Properties page. Please note the following:
This page displays any GPOs that have been associated with the currently
selected site, domain, or OU. The links are objects; they have a context
menu that you can access by right-clicking the object. (Right-clicking the
white space displays a context menu for creating a new link, adding a link,
or refreshing the list.)
This page also shows an ordered GPO list, with the highest priority GPO at
the top of the list. You can change the list order by selecting a GPO and
then using the Up or Down buttons.
To edit an existing GPO in the list, select the GPO and click
the Edit button, or just double-click the GPO. This starts the Group Policy
snap-in, which is how the GPO is modified. This is described in more detail
later in this document.
To permanently delete a GPO from the list, select it from the list and click
the Delete button. Then, when prompted, select Remove the link and
delete the Group Policy object permanently. Be careful when deleting
an object, because the GPO may be associated with another site, domain,
or OU. If you want to remove a GPO from the list, select the GPO from the
links list, click Delete, and then when prompted, select Remove the link
from the list.
The No override check column marks the selected GPO as one whose
policies cannot be overridden by another GPO.
Note: You can enable the No Override property on more than one GPO. All GPOs that are
marked as No override will take precedence over all other GPOs not marked. Of those GPOs
marked as No override, the GPO with the highest priority will be applied after all the other
similarly marked GPOs.
The Disabled check box simply disables (deactivates) the GPO without
removing it from the list. To remove a GPO from the list, select the GPO
from the links list, click Delete, and then select Remove the link from
the list in the Delete dialog box.
It is also possible to disable only the User or Computer portion of the GPO.
To do this, right-click the GPO, click Properties, click either Disable
computer configuration settings or Disable user configuration
settings, and then click OK. These options are available on the
GPO Properties page, on the General tab.
The Block policy inheritance check box has the effect of negating all
GPOs that exist higher in the hierarchy. However, it cannot block any GPOs
that are enforced by using the No override check box; those GPOs are
always applied.
Note: Policy settings contained within the local GPO that are not specifically overridden by
domain-based policy settings are also always applied. Block Policy Inheritance at any level
will not remove local policy.
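The precedence rules above (list order, No override, Disabled, Block policy inheritance, and the always-applied local GPO) combine in ways that are easy to get wrong, so here is an added worked model of them in Python; it is not code from the original guide. The scope chain, the GPO names other than HQ Policy and Headquarters, and the setting values are constructed; the ordering of No override GPOs across containers (the one higher in the hierarchy is applied last and wins) is an assumption about Windows behaviour that the text does not spell out.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class GpoLink:
    name: str
    no_override: bool = False   # the "No override" check column
    disabled: bool = False      # the "Disabled" check box


@dataclass
class Container:
    """A site, domain, or OU on the scope chain of the target object."""
    name: str
    links: List[GpoLink] = field(default_factory=list)  # top of list = highest priority
    block_inheritance: bool = False  # "Block policy inheritance" on this container


def application_order(chain: List[Container],
                      local_gpo: str = "Local Computer Policy") -> List[str]:
    """Order in which GPOs are applied to an object whose scope chain is
    [site, domain, OU, ..., OU]; the GPO applied last wins for any setting
    it configures.

    Local policy is applied first. Links above the lowest container that
    blocks inheritance are dropped unless marked No override. No override
    links are applied after all normal links; among them, a link higher in
    the hierarchy is applied after a lower one (assumed Windows behaviour,
    not stated in the text), and within one container the top-of-list link
    is applied last.
    """
    block_at = None
    for level, container in enumerate(chain):
        if container.block_inheritance:
            block_at = level
    normal: List[str] = []
    enforced: List[Tuple[int, str]] = []
    for level, container in enumerate(chain):
        for link in reversed(container.links):   # lowest priority first
            if link.disabled:
                continue
            if link.no_override:
                enforced.append((level, link.name))
            elif block_at is None or level >= block_at:
                normal.append(link.name)
    enforced.sort(key=lambda item: -item[0])     # stable: site's enforced GPO last
    return [local_gpo] + normal + [name for _, name in enforced]


def effective_settings(order: List[str],
                       settings: Dict[str, Dict[str, object]]
                       ) -> Dict[str, Tuple[object, str]]:
    """Apply each GPO's configured settings in order; the last writer wins.
    Returns {setting: (value, winning_gpo)}."""
    result: Dict[str, Tuple[object, str]] = {}
    for gpo in order:
        for setting, value in settings.get(gpo, {}).items():
            result[setting] = (value, gpo)
    return result


def sample_chain(block_at_ou: bool) -> List[Container]:
    """Constructed scope chain: site -> reskit.com domain -> Headquarters OU."""
    return [
        Container("Default-First-Site", [GpoLink("Site Banner")]),
        Container("reskit.com", [GpoLink("Domain Password Policy", no_override=True),
                                 GpoLink("Domain Desktop")]),
        Container("Headquarters", [GpoLink("HQ Policy"),
                                   GpoLink("HQ Legacy", disabled=True)],
                  block_inheritance=block_at_ou),
    ]


SAMPLE_SETTINGS: Dict[str, Dict[str, object]] = {   # constructed values
    "Local Computer Policy": {"MinPasswordLength": 0},
    "Domain Password Policy": {"MinPasswordLength": 12},
    "HQ Policy": {"MinPasswordLength": 6, "RemoveRunMenu": True},
}


if __name__ == "__main__":
    for blocked in (False, True):
        order = application_order(sample_chain(block_at_ou=blocked))
        print("block inheritance on OU:", blocked)
        print("  applied in order:", " -> ".join(order))
        print("  effective:", effective_settings(order, SAMPLE_SETTINGS))
```

Note that the OU's HQ Policy sets MinPasswordLength to 6 and is applied after the domain's normal links, yet the domain's No override GPO still wins because it is applied last.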
Editing a Group Policy Object
You can use the custom console to edit a GPO. You will need to log on to the HQ-RES-DC-01
server as an Administrator, if you have not already done so.
To edit a Group Policy Object (GPO)
This opens the Group Policy snap-in focused on a GPO named HQ Policy, which is linked to
the OU named Headquarters. It should appear as in Figure 5 below:
Figure 5: HQ Policy
Adding or Browsing a Group Policy Object
The Add a Group Policy Object Link dialog box shows GPOs currently associated with
domains, OUs, sites, or all GPOs without regard to their current associations (links). The Add
a Group Policy Object Link dialog box is shown in Figure 6 below.
GPOs are stored in each domain. The Look In drop-down box allows you to
select a different domain to view.
In the Domains/OUs tab, the list box displays the sub-OUs and GPOs for
the currently selected domain or OU. To navigate the hierarchy, double-click a sub-OU or use
the Up one level toolbar button.
Alternatively, you can create a new GPO by clicking the All tab, right-clicking in the open
space, and selecting New on the context menu, or by using the Create New GPO toolbar button.
The Create New GPO toolbar button is only active in the All tab. To create a new GPO and link it
to a particular site, domain, or OU, use the New button on the Group Policy
Property page.
Note: It is possible to create two or more GPOs with the same name. This is by design and is
because the GPOs are actually stored as GUIDs and the name shown is a friendly name
stored in the Active Directory.
In the Sites tab, all GPOs associated with the selected site are displayed.
Use the drop-down list to select another site. There is no hierarchy of sites.
The All tab shows a flat list of all GPOs that are stored in the selected
domain. This is useful when you want to select a GPO that you know by
name, rather than where it is currently associated. This is also the only
place to create a GPO that does not have a link to a site, domain, or OU.
To create an unlinked GPO, access the Add a Group Policy Link dialog
box from any site, domain, or OU. Click the All tab, select the toolbar
button or right-click the white space, and select New. Name the new GPO,
press Enter, and then click Cancel; do not click OK. Clicking OK links
the new GPO to the current site, domain, or OU. Clicking Cancel creates
an unlinked GPO.
Registry-based Policies
The user interface for registry-based policies is controlled by using Administrative Template
(.adm) files. These files describe the user interface that is displayed in the Administrative
Templates node of the Group Policy snap-in. These files are format-compatible with the
.adm files used by the System Policy Editor tool (poledit.exe) in Microsoft Windows NT 4.0.
With Windows 2000, the available options have been expanded.
Note: Although it is possible to add any .adm file to the namespace, if you use an .adm file
from a previous version of Windows, the registry keys are unlikely to have an effect on
Windows 2000, or they actually set preference settings and mark the registry with these
settings; that is, the registry settings persist.
By default, only those policy settings defined in the loaded .adm files that exist in the
approved Group Policy trees are displayed; these settings are referred to as true policies. This
means that the Group Policy snap-in does not display any items described in the .adm file that
set registry keys outside of the Group Policy trees; such items are referred to as Group
Policy preferences. The approved Group Policy trees are:
\Software\Policies
\Software\Microsoft\Windows\CurrentVersion\Policies
The .adm file consists of a hierarchy of categories and subcategories that together define how
options are organized in the Group Policy user interface.
To add administrative templates (.adm files)
In the Group Policy properties page, select the Group Policy Object
you want to edit from the Group Policy objects links list, and
click Edit to open the Group Policy snap-in.
In the Group Policy console, click the plus sign (+) next to
either User Configuration or Computer Configuration. The .adm
file defines which of these locations the policy is displayed in, so it
doesn't matter which node you choose.
Click Add. This shows a list of the available .adm files in the
%systemroot%\inf directory of the computer where Group Policy is
being run. You can choose an .adm file from another location. Once
chosen, the .adm file is copied into the GPO.
Click Start Menu & Taskbar. Note that the details pane shows all
the policies as Not configured.
Note the Previous Policy and Next Policy buttons in the dialog box. You can use
these buttons to navigate the details pane to set the state of other policies. You can
also leave the dialog box open and click another policy in the details pane of the
Group Policy snap-in. After the details pane has the focus, you can use
the Up and Downarrow keys on the keyboard and press Enter to quickly browse
through the settings (or Explain tabs) for each policy in the selected node.
o
Click OK. Note the change in state in the Setting column, in the
details pane. This change is immediate; it has been saved to the
GPO. If you are in a replicated domain controller (DC) environment,
this action sets a flag that triggers a replication cycle.
You can set up scripts to run when users log on or log off, or when the system starts
up or shuts down. All scripts are Windows Script Host (WSH)-enabled. As such, they
may be JavaScript (JScript) or VBScript files, as well as .bat and .cmd files. Links to more
information on the Windows Script Host are located in the More Information section
at the end of this document.
Setting up a Logon Script
Use this procedure to add a script that runs when a user logs on.
Note: This procedure uses the Welcome2000.js script described in Appendix A of this
document, which includes instructions for creating and saving the script file. Before
performing the procedure for setting up logon scripts, you need to create the
Welcome2000.js script file and copy it to the HQ-RES-DC-01 domain controller.
To set up logon scripts
o To add a new script to the list, click the Add button. This displays the Add a Script
dialog box. Browsing from this dialog allows you to specify the name of an existing script
located in the current GPO or to browse to another location and select it for use in this
GPO. The script file must be accessible to the user at logon or it does not run. Scripts in
the current GPO are automatically available to the user. You can create a new script by
right-clicking the empty space and selecting New, then selecting a new file.
Note: If the View Folder Options for this folder are set to Hide file extensions for
known file types, the file may have an unwanted extension that prevents it from being
run.
o In the Logon Properties dialog box, click the Show Files button, and paste the
Welcome2000.js script into the default file location. It should appear as in Figure 9 below:
Figure 9: Welcome2000.js
o Click Open.
o In the Add a Script dialog box, click OK (no script parameters are needed), and then
click OK again.
You can then log on to a client workstation that has a user in the Headquarters OU,
and verify that the script is run when the user logs on.
Setting Up a Logoff or Computer Startup or Shutdown Script
You can use the same procedure outlined in the preceding section to set up scripts that
run when a user logs off or when a computer starts up or is shut down. For logoff
scripts, you would select Logoff in step 4.
Other Script Considerations
By default, Group Policy scripts that run in a command window (such as .bat or .cmd
files) run hidden, and legacy scripts (those defined in the user object) are by default
visible as they are processed (as was the case for Windows NT 4.0), although there is
a Group Policy that allows this visibility to be changed. The policy for users is
called Run logon scripts visible or Run logoff scripts visible, and is accessed in
the User Configuration\Administrative Templates node,
under System\Logon/Logoff. For computers, the policy is Run startup scripts
visible and can be accessed in the Computer Configuration\Administrative
Templates node, under System\Logon.
Security Group Filtering
You can refine the effects of any GPO by modifying the computer or user membership
in a security group. To do this, you use the Security tab to set Discretionary Access
Control Lists (DACLs) for the properties of a GPO. DACLs are used for performance
reasons, the details of which are contained in the Group Policy technical paper
referenced earlier in this document. This feature allows for tremendous flexibility in
designing and deploying GPOs and the policies they contain.
By default, all GPOs affect all users and machines that are contained in the linked site,
domain, or OU. By using DACLs, the effect of any GPO can be modified to exclude
or include the members of any security group.
You can modify a DACL using the standard Windows 2000 Security tab, which is
accessed from the Properties page of any GPO.
To access a GPO Properties page from the Group Policy Properties page of a
Domain or OU
o In the Properties page, click the Security tab. This displays the standard Security
properties page.
You will see security groups and users based on the Common Infrastructure. For more
information, see the Windows 2000 step-by-step guide, A Common Infrastructure for
Change and Configuration Management. Make sure that you have completed the
appropriate steps in that document before continuing.
o At this point, everyone in the Authenticated Users group has this GPO applied,
regardless of having added the Management group to the list, as shown in Figure 10
below.
By changing the ACEs that are applied to different groups, administrators can
customize how a GPO affects the users or computers that are subject to that
GPO. Write access is required for modifications to be made; Read and Apply Group
Policy ACEs are required for a policy to affect a group (for the policy to apply to the
group).
Use the Deny ACE with caution. A Deny ACE setting for any group has precedence
over any Allow ACE given to a user or computer because of membership in another
group. Details of this interaction may be found in the Windows 2000 Server online
Help by searching on Security Group.
Figure 11 below shows an example of the security settings that allow everyone to be
affected by this GPO except the members of the Management group, who were
explicitly denied permission to the GPO by setting the Apply Group Policy ACE
to Deny. Note that if a member of the Management group were also a member of a
group that had an explicit Allow setting for the Apply Group Policy ACE,
the Deny would take precedence and the GPO would not affect the user.
Note: You can use these same types of security options with the Logon scripts you set
up in the preceding section. You can set a script to run only for members of a
particular group or for everyone except the members of a specific group.
Security group filtering has two functions: the first is to modify which group is
affected by a particular GPO, and the second is to delegate which group of
administrators can modify the contents of the GPO by restricting Full Control to a
limited set of administrators (by a group). This is recommended because it limits the
chance of multiple administrators making changes at any one time.
Blocking Inheritance and No Override
The Block inheritance and No override features allow you to have control over the
default inheritance rules. In this procedure, you set up a GPO in the Accounts OU,
which applies by default to the users (and computers) in the Headquarters, Production,
and Marketing OUs.
You then establish another GPO in the Accounts OU and set it as No override. These
settings apply to the children OUs, even if you set up a contrary setting in a GPO
scoped to that OU.
You then use the Block inheritance feature to prevent Group policies set in a parent
site, domain, or OU (in this case, the Accounts OU) from being applied to the
Production OU.
A description of how to disable portions of a GPO to improve performance is also
included.
Setting Up the Environment
You must first set up the environment for the procedures in this section.
To set up the GPO environment
o Select the Enforced Users Policies GPO, and click the Up button to move it to the top of
the list. The Enforced Users Policies GPO should have the highest precedence. Note that
this step only serves to demonstrate the functionality of the Up button; an enforced GPO
always takes precedence over those that are not enforced.
You can now log on to a client workstation as any user in any of the OUs under the
Accounts OU. Note that you cannot run the Task Manager; the tab is unavailable
from both CTRL+SHIFT+ESC and CTRL+ALT+DEL. In addition, the Active
Desktop cannot be enabled. When you right-click on the Desktop and select Properties,
you will see that the Web tab is missing.
As an extra step, you can reverse the setting of the Disable Task Manager policy in a
GPO that is linked to any of the child OUs of the Accounts OU (Headquarters,
Production, Marketing). To do this, change the radio button for that policy.
Note: Doing this has no effect while the Enforced User Policies GPO is enabled in the
Accounts OU.
Disabling Portions of a GPO
Because these GPOs are used solely for user configuration, the computer portion of
the GPO can be turned off. Doing so reduces the computer startup time, because the
Computer GPOs do not have to be evaluated to determine if any policies exist. In this
procedure, no computers are affected by these GPOs. Therefore, disabling a portion of
the GPO has no immediate benefit. However, since these GPOs could later be linked
to a different OU that may include computers, you may want to disable the computer
side of these GPOs.
To disable the Computer portion of a GPO
Note that the General properties page includes two check boxes for disabling
a portion of the GPO.
Blocking Inheritance
You can block inheritance so that one GPO does not inherit policy from
another GPO in the hierarchy. After you block inheritance, only those settings
in the Enforced User Policies affect the users in this OU. This is simpler than
reversing each individual policy in a GPO scoped at this OU.
To block inheritance of Group Policy for the Production OU
To verify that inherited settings are now blocked, you can log on as any user in
the Production OU. Notice that the Web tab is present in the Display settings
properties page. Also, note that Task Manager is still disabled, as it was set
to No Override in the parent OU.
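The filtering rules from Security Group Filtering and the No Override / Block inheritance rules from this section, combined in one small model (an added example, not the walkthrough's own code; the GPO names other than Enforced Users Policies, the policy settings and the group memberships are constructed for illustration):

```python
"""Model of how Group Policy decides which GPOs reach a user, covering the three
rules the walkthrough describes: security group filtering through the Read and
Apply Group Policy ACEs (a Deny wins over any Allow), No Override (enforced)
links, and Block inheritance on an OU. Added example, not from the walkthrough;
all GPO names other than Enforced Users Policies are constructed."""
from dataclasses import dataclass

READ, APPLY = "Read", "Apply Group Policy"


@dataclass(frozen=True)
class Ace:
    trustee: str   # security group the ACE is granted to
    right: str     # READ or APPLY
    allow: bool    # False means a Deny ACE


@dataclass
class Gpo:
    name: str
    settings: dict  # policy name -> value; a later-applied GPO overrides an earlier one
    dacl: list      # Ace entries from the GPO's Security tab


@dataclass
class Link:
    gpo: Gpo
    enforced: bool = False  # "No Override" on this link


@dataclass
class Container:   # a site, domain or OU
    name: str
    links: list    # highest precedence first, as in the GPO list (the Up button raises a link)
    block_inheritance: bool = False


def gpo_applies(groups, dacl):
    """Both Read and Apply Group Policy must be allowed through some group the
    principal belongs to, and a Deny on either right through any group wins."""
    mine = [a for a in dacl if a.trustee in groups]
    for right in (READ, APPLY):
        if any(a.right == right and not a.allow for a in mine):
            return False
        if not any(a.right == right and a.allow for a in mine):
            return False
    return True


def applied_order(chain, groups):
    """chain lists containers from the site/domain down to the user's own OU.
    Returns GPO names in processing order; the last one wins any conflict."""
    # The deepest container with Block inheritance discards every non-enforced
    # link above it; enforced (No Override) links are not affected by blocking.
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=0)
    normal, enforced = [], []
    for i, cont in enumerate(chain):
        visible = [lk for lk in cont.links if gpo_applies(groups, lk.gpo.dacl)]
        # lowest-precedence link first, so the top of the list is applied last
        if i >= block_at:
            normal += [lk.gpo.name for lk in reversed(visible) if not lk.enforced]
        # enforced links are collected child-first so a parent's No Override wins
        enforced = [lk.gpo.name for lk in reversed(visible) if lk.enforced] + enforced
    return normal + enforced


def resultant_settings(chain, groups):
    """Merge the settings of every applied GPO in processing order."""
    by_name = {lk.gpo.name: lk.gpo for cont in chain for lk in cont.links}
    result = {}
    for name in applied_order(chain, groups):
        result.update(by_name[name].settings)
    return result


AUTH = "Authenticated Users"
APPLY_TO_ALL = [Ace(AUTH, READ, True), Ace(AUTH, APPLY, True)]

# Constructed scenario following the walkthrough's Accounts OU set-up.
ENFORCED_USERS = Gpo("Enforced Users Policies", {"Disable Task Manager": True}, APPLY_TO_ALL)
DESKTOP_USERS = Gpo("Desktop Users Policies", {"Hide Web tab": True}, APPLY_TO_ALL)
HQ_POLICIES = Gpo("Headquarters Policies", {"Disable Task Manager": False}, APPLY_TO_ALL)
# As in Figure 11: the Management group is denied Apply Group Policy on this GPO.
FILTERED = Gpo("Filtered Policies", {"Run Welcome2000.js": True},
               APPLY_TO_ALL + [Ace("Management", APPLY, False)])

DOMAIN = Container("reskit.com", [])
ACCOUNTS = Container("Accounts", [Link(ENFORCED_USERS, enforced=True),
                                  Link(DESKTOP_USERS), Link(FILTERED)])
HEADQUARTERS = Container("Headquarters", [Link(HQ_POLICIES)])
PRODUCTION = Container("Production", [], block_inheritance=True)

if __name__ == "__main__":
    print(resultant_settings([DOMAIN, ACCOUNTS, HEADQUARTERS], {AUTH}))
    print(resultant_settings([DOMAIN, ACCOUNTS, HEADQUARTERS], {AUTH, "Management"}))
    print(resultant_settings([DOMAIN, ACCOUNTS, PRODUCTION], {AUTH}))
```

The Headquarters user keeps Task Manager disabled despite the child OU's reversal, the Management member never receives the filtered GPO, and the Production user (Block inheritance) gets only the No Override GPO, matching what the walkthrough has you verify at the client.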
Linking a GPO to Multiple Sites, Domains, and OUs
This section demonstrates how you can link a GPO to more than one container
(site, domain, or OU) in the Active Directory. Depending on the exact OU
configuration, you can use other methods to achieve similar Group Policy
effects; for example, you can use security group filtering or you can block
inheritance. In some cases, however, those methods do not have the desired
effects. Whenever you need to explicitly state which sites, domains, or OUs
need the same set of policies, use the method outlined below:
To link a GPO to multiple sites, domains, and OUs
Select the Linked Policies GPO, and click the Edit button.
Next you will link the Linked Policies GPO to another OU.
In the Add a Group Policy Object Link dialog box, click the
down arrow on the Look in box, and select
the Accounts.reskit.com OU.
You have now linked a single GPO to two OUs. Changes made to the GPO in
either location result in a change for both OUs. You can test this by changing
some policies in the Linked Policies GPO, and then logging onto a client in
each of the affected OUs, Headquarters and Production.
Loopback Processing
This section demonstrates how to use the loopback processing policy to enable
a different set of user type Group Policies based on the Computer being
logged onto. This policy is useful when you need to have user type policies
applied to users of specific computers. There are two methods for doing this.
One allows for the policies applied to the user to be processed, but to also
apply user policies based on the computer that the user has logged onto. The
second method does not apply the user's settings based on where the user
object is, but only processes the policies based on the computer's list of GPOs.
Details on this method can be found in the Group Policy white paper referred
to earlier.
To use the Loopback processing policy
In the GPWalkthrough console, double-click the Active
Directory Users and Computers node, double-click
the reskit.com domain, and then double-click
the Resources OU.
Click OK when you have set the last policy from the list
in step 5.
Click OK when you have set the last policy from the list
in step 7.
=================
Global Catalog
Because AD is the central component of a Windows network, network clients and servers
frequently query it. In order to increase the availability of AD data on the network as well as
the efficiency of directory object queries from clients, AD includes a service known as the
GC. The GC is a separate database from AD and contains a partial, read-only replica of all the
directory objects in the entire AD forest.
Only Windows servers acting as domain controllers can be configured as GC servers. By
default, the first domain controller in a Windows forest is automatically configured to be a
GC server (this designation can be moved later to a different domain controller if desired;
however, every forest must contain at least one GC). Like AD, the GC uses replication in
order to ensure updates between the various GC servers within a domain or forest. In addition
to being a repository of commonly queried AD object attributes, the GC plays two primary
roles on a Windows network:
Network logon authentication: In native-mode domains (networks in which all domain
controllers have been upgraded to Win2K or later, and the domain's functional level has been
manually set to the appropriate level), the GC facilitates network logons for AD-enabled
clients. It does so by providing universal group membership information to the account
sending the logon request to a domain controller. This applies not only to regular users but
also to every type of object that must authenticate to AD (including computers). In
multi-domain networks, at least one domain controller acting as a GC must be available in
order for users to log on. Another situation that requires a GC server occurs when a user
attempts to log on with a user principal name (UPN) other than the default. If a GC server is
not available in these circumstances, users will only be able to log on to the local computer
(the one exception is members of the Domain Admins group, who do not require a GC server
in order to log on to the network).
Directory searches and queries: With AD, read requests such as directory searches and
queries by far tend to outweigh write-oriented requests such as directory updates (for
example, by an administrator or during replication). The majority of AD-related network
traffic is comprised of requests from users, administrators, and applications about objects in
the directory. As a result, the GC is essential to the network infrastructure because it allows
clients to quickly perform searches across all domains within a forest.
(Although mixed-mode Win2K domains do not require the GC for the network logon
authentication process, GCs are still important in facilitating directory queries and searches
on these networks and should therefore be made available at each site within the network.)
========================
1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
At the command prompt, type
ntdsutil
and then press ENTER.
2. Type
metadata cleanup
and then press ENTER. Based on the options given, the administrator can perform the
removal, but additional configuration parameters need to be specified before the removal can
occur.
3. Type
connections
and press ENTER. This menu is used to connect to the specific server on which the changes
occur. If the currently logged on user does not have administrative permissions, alternate
credentials can be supplied by specifying the credentials to use before making the connection.
To do so, type
set creds <domain name> <username> <password>
and press ENTER. For a null password, type null for the password parameter.
4. Type
connect to server servername
and then press ENTER. You should receive confirmation that the connection is successfully
established. If an error occurs, verify that the domain controller being used in the connection
is available and the credentials you supplied have administrative permissions on the server.
Note: If you try to connect to the same server that you want to delete, when you try to delete
the server that step 15 refers to, you may receive the following error message:
Error 2094. The DSA Object cannot be deleted 0x2094
Note: Windows Server 2003 Service Pack 1 eliminates the need for steps 3 and 4.
5. Type
quit
and then press ENTER. The Metadata Cleanup menu appears.
6. Type
select operation target
and press ENTER.
7. Type
list domains
and press ENTER. A list of domains in the forest is displayed, each with an associated
number.
8. Type
select domain number
and press ENTER, where number is the number associated with the domain to which the
server you are removing is a member. The domain you select is used to determine if the
server being removed is the last domain controller of that domain.
9. Type
list sites
and press ENTER. A list of sites, each with an associated number, is displayed.
10. Type
select site number
and press ENTER, where number is the number associated with the site to which the server
you are removing is a member. You should receive a confirmation listing the site and domain
you chose.
11. Type
list servers in site
and press ENTER. A list of servers in the site, each with an associated number, is displayed.
12. Type
select server number
where number is the number associated with the server you want to remove. You receive a
confirmation listing the selected server, its Domain Name Server (DNS) host name, and the
location of the server's computer account you want to remove.
13. Type
quit
and press ENTER. The Metadata Cleanup menu appears.
14. Type
remove selected server
and press ENTER. You should receive confirmation that the removal completed successfully.
If you receive the following error message:
Error 8419 (0x20E3) The DSA object could not be found
the NTDS Settings object may already be removed from the Active Directory as the result of
another administrator removing the NTDS Settings object, or replication of the successful
removal of the object after running the DCPROMO utility.
Note: You may also see this error when you attempt to bind to the domain controller that is
going to be removed. Ntdsutil needs to bind to a domain controller other than the one that is
going to be removed with metadata cleanup.
15. Type
quit
at each menu to quit the NTDSUTIL utility. You should receive confirmation that the
connection disconnected successfully.
16. Remove the cname record in the _msdcs.<root domain of forest> zone in DNS.
Assuming that the DC is going to be reinstalled and re-promoted, a new NTDS Settings
object is created with a new globally unique identifier (GUID) and a matching cname
record in DNS. You do not want the DCs that exist to use the old cname record.
As a best practice you should delete the hostname and other DNS records. If the lease time
remaining on the Dynamic Host Configuration Protocol (DHCP) address assigned to the offline
server is exceeded, another client can obtain the IP address of the problem DC.
Now that the NTDS setting object has been deleted we can now delete the following objects:
1. Use ADSIEdit to delete the computer account in the OU=Domain
Controllers,DC=domain...
Note: The FRS subscriber object is deleted when the computer object is deleted, since it is a
child of the computer account.
2. Use ADSIEdit to delete the FRS member object in CN=Domain System Volume
(SYSVOL share),CN=file replication service,CN=system....
3. In the DNS console, use the DNS MMC to delete the cname (also known as the Alias)
record in the _msdcs container.
4. In the DNS console, use the DNS MMC to delete the A (also known as the Host)
record in DNS.
5. If the deleted computer was the last domain controller in a child domain and the child
domain was also deleted, use ADSIEdit to delete the trustDomain object for the child
in CN=System, DC=domain, DC=domain, Domain NC.
=================
Netdom Guide
Netdom is a command-line tool that is built into Windows Server 2008 and Windows
Server 2008 R2. It is available if you have the Active Directory
Domain Services (AD DS) server role installed. It is also available if you install the
Active Directory Domain Services Tools that are part of the Remote
Server Administration Tools (RSAT).
You can use netdom to:
(a shortcut trust).
Syntax
Netdom uses the following general syntaxes:
NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]
NetDom help <Operation>
Commands
Netdom add
Netdom computername
Netdom join
Netdom move
Netdom query
Netdom remove
Netdom movent4bdc
Netdom renamecomputer
Netdom reset
Netdom resetpwd
Netdom trust
Netdom verify
Remarks
A one-way trust relationship between two domains means that one domain
(the trusting domain) allows users who have accounts on the other domain
(the trusted domain) access to its resources.
If you specify the /verbose parameter, the output lists the success or
failure of each transaction that is necessary to perform the operation. For
example, this time when you use the Join operation, you see output similar
to the following:
success: adding machine account for mywksta to mycompany domain
success: configuring lsa on mywksta
success: mywksta joined to mycompany domain
The /reboot parameter specifies that the computer being acted upon by
the specified netdom operation is shut down and automatically rebooted
after the completion of the operation. When you specify the /reboot
parameter, the following message and a countdown timer display on the
workstation screen, prior to the Restart operation:
The system is shutting down. Please save all work in progress and logoff. Any unsaved
changes will be lost. This shutdown was initiated because the domain which this machine
belongs to was changed by nnn.
For nnn, netdom substitutes the name of the administrator that you enter
by using the /uo parameter.
==================
Replmon.exe Command
Replmon is the first tool you should use when troubleshooting Active Directory replication
issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to
diagnose than using its command line counterparts. The purpose of this document is to guide
you in how to use it, list some common replication errors and show some examples of when
replication issues can stop other network installation actions.
Symptoms of Replication Faults
Failure to extend the schema: The Active Directory schema has to be extended for
many reasons. Two of the most common are:
o When installing an Exchange 200x server (by running setup.exe /forestprep
and /domainprep)
o When adding a 2003 Domain Controller to a Windows 2000 Active Directory
network (by running adprep /forestprep and /domainprep).
If there is a replication issue with any of the domain controllers on the Schema
partition, the Schema will not allow any extension.
Installation of Active Directory-aware software: Software that creates a new user
account per network or writes to the Active Directory could fail or produce
ambiguous errors when replication issues exist on the network.
Any recent warnings or errors in the File Replication Service log in Event Viewer.
Any recent NTDS Replication errors in the Directory Service log in Event Viewer.
Right click on the Monitored Servers icon and select Add Monitored Server...
Select the Search the directory for the server to add radio button.
Ensure the correct domain populates in drop down list, and click Next.
If you know you are experiencing issues with a particular domain controller, choose
that server.
If you are checking general replication, or are not sure where the fault lies, choose the
Forest Root.
On larger networks, you will need to choose more than one server depending on the
replication topology.
(For information on viewing the replication topology, see Appendix A) and click
Finish.
If your Active Directory contains only Windows 2000 domain controllers, you will see three
Directory partitions.
If your Active Directory Forest Root is Windows 2003 you will see five Directory partitions.
By expanding the + on each directory partition you will be able to see each of the server's
replication partners. Selecting one on the left shows the last replication attempt in the right
hand pane.
If there are any replication issues the partitions on the domain controller the server cannot
replicate with will show a red x.
Highlighting one of the problem replication partner servers will then show more verbose
error messages in the logs pane explaining why it could not replicate.
Then refresh the Tree view by pressing F5. Re-check the replication status in the right hand
logs pane.
Step 3: General IP checks
It doesn't matter if you've done them already, do them all again now! From a command prompt:
Can you ping the IP address of the destination server? e.g. ping 192.168.3.201
If not: The issue will either be hardware (cable, switch, NIC; check all physical
connections) or incorrect configuration of a server's (either destination or host server)
IP details. Check the NIC's IP address and subnet mask.
Can you ping the NetBIOS name of the destination server? e.g. ping Replicadc1
If not: The issue will be a name resolution issue. Check there is an A (host) entry in the
domain's Forward Lookup zone. Check the NIC IP properties and ensure the Forest
Root IP is entered as the Preferred DNS Server.
Can you ping the FQDN of the destination server? e.g. ping Replicadc1.RMTDS.Internal
If not: The issue will be a DNS issue. Check as above; also check the NIC's IP
Advanced Properties and ensure the correct DNS suffix is being used. Open the DNS
admin console and ensure there is a populated Forward Lookup zone for the domain.
Can you reverse-lookup the IP of the destination server? e.g. ping -a 192.168.3.201
If not: You have a reverse lookup zone issue. Open the DNS admin console and check
for the existence of a Reverse Lookup zone per Class C IP range, e.g.
10.0.0.x Subnet
10.0.1.x Subnet
Check there is a valid PTR record for each of the domain controllers in the relevant
Reverse Lookup zone.
Appendix A: Other Replmon functions
By right-clicking the server you have selected to view replication agreements from, you will
see a range of options. A few of them are detailed below.
Update Status - This will recheck the replication status of the server. The time of the
updated status is logged and displayed in the right hand pane.
Check Replication Topology - This will cause the Knowledge Consistency Checker (KCC)
to recalculate the replication topology for the server.
Synchronize Each Directory Partition with All Servers - This will start immediate
replication for all of the server's directory partitions with each replication partner.
Generate Status Report - Creates and saves a verbose status report in the form of a log file.
Show Domain Controllers in Domain - Shows a list of all known domain controllers.
Show Replication Topologies - Shows a graphical view of the replication topology. Click
View on the menu and select Connection Objects only. Then right-click each server, and
select Show Intra/Inter-site connections.
Show Group Policy Object Status - Shows a list of all the domain's Group Policies and
their respective AD and Sysvol version numbers.
========================
Manually Undeleting Objects in Active Directory
An administrator might sometimes need to restore deleted objects from the Active Directory
database. You see, when an object is deleted from Active Directory, it is not immediately
erased, but is marked for future deletion. The marker used to designate that an AD object is
scheduled to be destroyed is called a "tombstone". A tombstone is an object whose isDeleted
property has been set to True, and it indicates that the object has been deleted but not removed
from the directory, much like a deleted file is removed from the file allocation table but the
data is not actually removed from the drive. The directory service moves tombstoned objects
to the Deleted Objects container, where they remain until the garbage collection process
removes the objects. The length of time tombstoned objects remain in the directory service
before being deleted is either 60 days for Windows 2000/2003 Active Directory, or 180 days
for Windows Server 2003 SP1 Active Directory (by default).
There are several methods of reanimating tombstoned objects from the Active Directory.
Some are listed on my "Recovering Deleted Items in Active Directory" article. Another
method is to manually recover these items, a process called "Reanimation".
To manually undelete objects in a deleted object's container, follow these steps:
1. Click Start, click Run, and then type LDP.exe.
Note: If the LDP.exe utility is not installed, install the support tools from the Windows Server
2003 installation CD, or get them from Windows 2003 SP1 Support Tools.
2. Use the Connection menu in LDP to perform the connect operations and
the bind operations to a Windows Server 2003 domain controller. Specify domain
administrator credentials during the bind operation.
5. Click View > Tree. Now type the distinguished name path of the deleted objects
container in the domain where the deletion occurred, and then click OK.
Note: The distinguished name path is also known as the DN path. For example, if the deletion
occurred in the petri.local domain, the DN path would be the following path:
cn=deleted Objects,dc=petri,dc=local
6. In the left pane of the window, double click the Deleted Object Container.
Note: As a search result of an LDAP query, only 1000 objects are returned by default. For
example, if more than 1000 objects exist in the Deleted Objects container, not all objects
appear in this container. If your target object does not appear, use NTDSUTIL, and then set
the maximum number by using maxpagesize to get the search results, as described in the
following KB article: How to view and set LDAP policy in Active Directory by using
Ntdsutil.exe - 315071
7. Double-click the object that you want to undelete or to reanimate.
8. Right-click the object that you want to reanimate, and then click Modify.
9. Next, change the value for the isDeleted attribute and the DN path in a single Lightweight
Directory Access Protocol (LDAP) modify operation.
To configure the Modify dialog, follow these steps:
a. In the Edit Entry Attribute box, type isDeleted. Leave the Value box blank.
b. Click the DELETE option button, and then click Enter to make the first of two entries in
the Entry List dialog.
Note: If you want to reanimate a deleted object to its original container, append the value of
the deleted object's lastKnownParent attribute to its CN value, and then paste the full DN
path in the Values box.
d. In the Operation box, click REPLACE. Click ENTER.
e. Click to select the Synchronous check box, and the Extended check box.
f. Click RUN. Note the results pane on the right side showing you that the operation was
successful.
10. After you reanimate the objects, click Options > Controls and click the Check
Out button to remove (1.2.840.113556.1.4.417) from the Active Controls box list.
11. Open Active Directory Users and Computers, and reset the user account passwords,
profiles, home directories and group memberships for the deleted users. You need to do this
because when the object was deleted, all the attribute values except SID, ObjectGUID,
LastKnownParent and SAMAccountName were stripped.
12. Enable the reanimated account in Active Directory Users and Computers.
Note: The restored object has the same primary SID as it had before the deletion, but the object must be added again to the same security groups to have the same level of access to resources. The RTM release of Windows Server 2003 does not preserve the sIDHistory attribute on reanimated user accounts, computer accounts, and security groups; however, Windows Server 2003 with Service Pack 1 does preserve the sIDHistory attribute on deleted objects.
13. If you do not reset the reanimated user account's password, you will get an error saying:
Windows cannot enable object TestUser because:
Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirement of the domain.
For organizations using Exchange 2003, you need to remove the Microsoft Exchange attributes and reconnect the user to the Exchange mailbox. To do so, follow these steps:
In Active Directory Users and Computers, right-click the restored user and select Exchange Tasks.
Select Remove Exchange Attributes and click OK all the way to the end of the wizard.
Type the reanimated user's name. Press Check Names, then click OK.
You can automate some or all of these recovery steps by using the following methods:
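As an added example (not part of the original article), the following Python builds the single LDAP modify operation that steps 9a to 9f perform in LDP, expressed as LDIF, and lists the attributes step 11 must re-enter. The deleted object's DN, its lastKnownParent, the objectGUID and the example.local domain are constructed sample values.

```python
"""Build the one-shot LDAP modify that reanimates a tombstoned AD object,
and work out which attributes must be re-entered afterwards.

Added example, not from the original article.  All DNs below are constructed."""
import re

# LDAP control OID named in step 10 of the article (Show Deleted Objects)
SHOW_DELETED_CONTROL = "1.2.840.113556.1.4.417"

# A tombstoned object's RDN has the form  CN=<name>\0ADEL:<objectGUID>  where
# \0A is the escaped line feed separating the original name from the marker.
_DEL_SUFFIX = re.compile(r"(\\0A|\n)DEL:[0-9a-fA-F-]+$")


def original_rdn(deleted_dn: str) -> str:
    """Return the object's RDN with the DEL:<guid> marker removed."""
    # the first unescaped comma ends the RDN
    rdn = re.split(r"(?<!\\),", deleted_dn, maxsplit=1)[0]
    return _DEL_SUFFIX.sub("", rdn)


def restored_dn(deleted_dn: str, last_known_parent: str) -> str:
    """Step 9's note: append lastKnownParent to the object's CN to get the target DN."""
    return f"{original_rdn(deleted_dn)},{last_known_parent}"


def reanimate_ldif(deleted_dn: str, last_known_parent: str) -> str:
    """Emit one modify operation that removes isDeleted and replaces the DN.

    Step 9 of the article requires both changes in a single LDAP modify, so
    they are separated by '-' inside one changetype: modify block."""
    lines = [
        f"dn: {deleted_dn}",
        "changetype: modify",
        "delete: isDeleted",            # steps 9a/9b: DELETE isDeleted, value left blank
        "-",
        "replace: distinguishedName",   # steps 9c/9d: REPLACE the DN path
        f"distinguishedName: {restored_dn(deleted_dn, last_known_parent)}",
        "-",
        "",
    ]
    return "\n".join(lines)


# lDAPDisplayNames of the attributes the article says survive deletion
# (SID, ObjectGUID, LastKnownParent, SAMAccountName); everything else is stripped.
PRESERVED_ATTRIBUTES = {"objectSid", "objectGUID", "lastKnownParent", "sAMAccountName"}


def attributes_to_reset(original_attributes: dict) -> list:
    """Given the attributes the object had before deletion, list what step 11 must restore."""
    return sorted(a for a in original_attributes if a not in PRESERVED_ATTRIBUTES)


if __name__ == "__main__":
    # constructed sample: TestUser tombstoned in the Deleted Objects container
    deleted = ("CN=TestUser\\0ADEL:4f1a7c2e-0000-4000-8000-000000000001,"
               "CN=Deleted Objects,DC=example,DC=local")
    print(reanimate_ldif(deleted, "OU=Sales,DC=example,DC=local"))
    print(attributes_to_reset({"objectSid": "S-1-5-21-1", "sAMAccountName": "TestUser",
                               "memberOf": [], "homeDirectory": "", "profilePath": ""}))
```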
===========================
How to Restore Windows Server 2003 Active Directory
In Windows Server 2003, we can restore the Active Directory database if it gets corrupted or destroyed because of hardware or software failures. We must also restore the Active Directory database when objects in Active Directory are changed or deleted.
Tombstone: In Windows Server 2003 there is an option to restore Active Directory objects that have been deleted and are in a "tombstone" state. These items are hidden from the GUI and await their cleanup by a process called "garbage collection".
Below are the three methods available to restore Active Directory from backup media:
Primary Restore, Normal Restore (i.e. Non Authoritative), and Authoritative Restore.
Primary Restore: This rebuilds the first domain controller in a domain when there is no other way to rebuild the domain. Perform a primary restore only when all the domain controllers in the domain are lost, and you want to rebuild the domain from the backup. Members of the Administrators group can perform the primary restore on the local computer. On a domain controller, only members of the Domain Admins group can perform this restore.
Normal Restore: This reinstates the Active Directory data to the state
before the backup, and then updates the data through the normal replication
process. Perform a normal restore for a single domain controller to a previously
known good state.
For example, if you inadvertently delete or modify objects in Active Directory, and those objects
were thereafter replicated to other DCs, you will need to authoritatively restore those objects
so they are replicated or distributed to the other servers. If you do not authoritatively restore
the objects, they will never get replicated or distributed to your other servers because they
will appear to be older than the objects currently on your other DCs. Using the NTDSUTIL
utility to mark objects for authoritative restore ensures that the data you want to restore gets
replicated or distributed throughout your organization.
On the other hand, if your system disk has failed or the Active Directory database is
corrupted, then you can simply restore the data normally without using NTDSUTIL. After
rebooting the DC, it will receive newer updates from other DCs.
=========================
2. Reboot the domain controller, select the appropriate installation from the
boot menu, and press F8 to display the Windows 2000 Advanced Options
menu. Choose Directory Services Restore Mode and press ENTER.
Press ENTER again to start the boot process.
3. Log on using the Administrator account with the password defined for the
local Administrator account in the offline SAM. For more information about
the use of the offline SAM database.
6. Type info, and then press ENTER. This displays current information about
the path and size of the Active Directory database and its log files. Note
the path.
7. Establish a location that has enough drive space for the compacted
database to be stored.
10. Type quit, and then press ENTER. Type quit again to return to the command prompt.
11. If defragmentation succeeds without errors, follow the Ntdsutil.exe on-screen instructions. Delete all the log files in the log directory by typing the following command:
del drive:\pathToLogFiles\*.log
Copy the new Ntds.dit file over the old Ntds.dit file in the current Active Directory database path that you noted in step 6.
Note: You do not have to delete the Edb.chk file.
12. Restart the computer normally.
=====================
1. Click Start, click Run, type ntdsutil, and then click OK.
=====================
A site is a region of your network with high bandwidth connectivity, and by definition is a
collection of well-connected computers based on Internet Protocol (IP) subnets. Because
sites control how replication occurs, changes made with the Sites and Service snap-in affect
how efficiently domain controllers (DC) within a domain (but separated by great distances)
can communicate.
A site is separate in concept from Windows 2000-based domains because a site may span
multiple domains, and a domain may span multiple sites. Sites are not part of your domain
namespace. Sites control replication of your domain information and help to determine
resource proximity. For example, a workstation will select a DC within its site with which to
authenticate.
To ensure that the Active Directory service in the Windows 2000 operating system can
replicate properly, a service known as the Knowledge Consistency Checker (KCC) runs on all
DCs and automatically establishes connections between individual computers in the same
site. These are known as Active Directory connection objects. An administrator can establish
additional connection objects or remove connection objects, but at any point where
replication within a site becomes impossible or has a single point of failure, the KCC steps in
and establishes as many new connection objects as necessary to resume Active Directory
replication.
Replication between sites is assumed to occur on either higher cost or slower speed
connections. As such, the mechanism for inter-site (between site) replication permits the
selection of alternative transports, and is established by creating Site Links and Site Link
Bridges.
Default-First-Site
Your first site was set up automatically when you installed Windows 2000 Server on the first
domain controller in your enterprise. The resulting first site is called Default-First-Site. You
can rename this site later or leave it as is.
The replication topology of sites on your network controls:
All newly promoted Domain Controllers are placed in the Site container that applies to them
at time of installation. For example, a server bound for California might have been initially
built and configured in the Maui, Hawaii data center; therefore the Configure Your Server
wizard places the server in the Maui site. After it arrives in California, the server object can
be moved to the new site using the Sites and Services snap-in.
You can use the sites portion of Sites and Services snap-in to:
Display the valid sites within an enterprise. As an example, Default-First-Site might be given a site name such as Headquarters. You can create, delete, or rename sites.
Display the servers that participate in a site. You can delete or move
servers between sites. (Note: Although you can also manually add
servers, the task of adding a server is typically performed automatically
during Domain Controller setup.)
Display the applications that use site knowledge. The Active Directory topology is rooted at Sites\Default-First-Site\Servers. This contains just those servers participating in a specific site, regardless of domain. To view the connections for any given server, display Sites\Default-First-Site\Servers\{server}\NTDS Settings. For each server, there are connections and schedules that control replication to other servers in this site.
Prerequisites
At a minimum, you need to set up two Windows 2000 domain controllers (DCs). Each DC
should host a different domain partition (host different Windows 2000 domains) and be
members of the same forest. This step-by-step guide assumes a parent/child relationship
between the two Windows 2000 domains.
You can create this base configuration by running through the Common
Infrastructure and Setting up Additional Domain step-by-step guides before going through the
instructions in this document.
If you are not using the common infrastructure, you need to make the appropriate changes to
this instruction set.
1. Right-click Sites in the left pane of the console, and then click New Site.
2. In the New Object - Site dialog box, type a name for the new site.
3. Select a site link object that contains the new site. If presented with a
Default Site Link, you might associate this site to it at this time. Site Links
are explained later in this document. Then click OK.
4. When the Active Directory message box appears, click OK.
You can now move computers from other sites into this site, under the NTDS Settings
container.
To move computers into a site
1. In the Active Directory Sites and Services snap-in, right-click the
computer you want to move in the left pane, click Move, and the Move
Server box appears.
2. Select the site to move the computer to, and click OK.
Adding a Subnet
To define subnets for a particular site
1. In the left pane of the console, right-click Subnets under the site name.
2. On the Action menu, click New Subnet.
3. In the New Object - Subnet box, type the subnet address and subnet mask numbers.
4. Select a Site object for this subnet in the lower pane and click OK.
If you have correctly entered the subnet, it will appear in the Subnets folder.
To associate the subnet with a site
1. Right-click the subnet in the right pane of the console, and then
click Properties.
2. In the Properties dialog box, select a site to associate with this subnet
from the list box.
3. Click the Location tab, and enter the name of the city; in this
example, Renton. Click OK.
For scheduled replication to occur between multiple sites, both sites must agree on a transport
to communicate. This will more than likely be IP-based.
1. Click the + next to Inter-Site Transports in the left pane to expand it (if
it is not already expanded). Right click IP, and click New Site Link.
2. Enter a name for the Site Link in the New Object - Site Link dialog box, shown in Figure 7 below.
3. Click OK when all the sites you want to include in this site link are added to the right pane list.
The process for creating a Site Link Bridge is identical to creating a Site Link; however,
instead of providing Site names for the link, you're now providing Site Link names for the
bridge.
========================
Adding Custom Attributes in Active Directory
Pre-requisites
Click CN=DisplaySpecifiers
Click CN=409.
20. In the right-pane, locate and right-click CN=user-display, and select Properties.
21. Select AdminContextMenu and click EDIT
22. In the Edit Attribute box, type the following:
23. Enter the following in the Empty box and Click Add
3,&ROLL NUMBER, c:\EnterAttrib.vbs
Note:
3 is the serial number
&ROLL NUMBER is the label that will appear in the Active Directory Users and Computers context menu
C:\EnterAttrib.vbs is the script which will add the value to attribute
Please do not change the Syntax
24. Click OK to close all window popups
25. Select Configuration in ADSIEDIT panel and Right Click
26. Click UPDATE SCHEMA NOW
27. These steps configure the options ROLL NUMBER on the context menu for a user in the
Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
28. You must write and place the following scripts on your C drive or somewhere else in your
file path:
Dim oVar
Dim oUsr
Dim tmp
' The context menu passes the ADsPath of the selected user as the first argument
Set oVar = WScript.Arguments
Set oUsr = GetObject(oVar(0))
' Show the current value and prompt for a new one (the prompt text must be a quoted string)
tmp = InputBox("The Roll Number of the user is: " & oUsr.ROLLNUMBER & vbCRLF & vbCRLF & "Enter the new Roll Number below")
' Only write back to the directory when a value was entered
If tmp <> "" Then
    oUsr.Put "ROLLNUMBER", tmp
    oUsr.SetInfo
End If
Set oUsr = Nothing
WScript.Quit
=========================
Changing the Tombstone Lifetime Attribute in Active Directory
The tombstone lifetime must be substantially longer than the expected replication latency
between the domain controllers. The interval between cycles of deleting tombstones must be
at least as long as the maximum replication propagation delay across the forest.
Because the expiration of a tombstone lifetime is based on the time when an object was
deleted logically, rather than on the time when a particular server received that tombstone
through replication, an object's tombstone is collected as garbage on all servers at
approximately the same time. If the tombstone has not yet replicated to a particular domain
controller, that DC never records the deletion. This is the reason why you cannot restore a
domain controller from a backup that is older than the tombstone lifetime.
By default, the Active Directory tombstone lifetime is sixty days. This value can be changed
if necessary. To change this value, the tombstoneLifetime attribute of the CN=Directory
Service object in the configuration partition must be modified. This object is located here:
cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=
Note: Longer tombstone lifetime decreases the chance that a deleted object remains in the
local directory of a disconnected DC beyond the time when the object is permanently deleted
from online DCs. The tombstone lifetime is not changed automatically when you upgrade to
Windows Server 2003 with SP1, but you can change the tombstone lifetime manually after
the upgrade. New forests that are installed with Windows Server 2003 with SP1 have a
default tombstone lifetime of 180 days.
You can check your tombstone lifetime attribute by using the following command:
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>" -scope base -attr tombstonelifetime
There are several ways of modifying this attribute's value; the easiest is using ADSIEdit. Another is to import an LDIF file such as the following with Ldifde:
dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
changetype: modify
replace: tombstoneLifetime
tombstoneLifetime: <new lifetime in days>
-
Note: Don't forget the "-" on the last line, at the end.
Here <ForestRootDN> is the Distinguished Name of your Active Directory forest root domain. For example, if your domain's name is kuku.co.il, then the DN for it would be:
DC=kuku,DC=co,DC=il
Save this file as tombstoneLifetime.ldf (or similar).
Open the Command Prompt and type:
ldifde -i -f {Path to tombstoneLifetime.ldf}
=======================
DNS
Install and Configure Windows Server 2003 DNS Server
Active Directory clients and client tools use DNS to locate domain controllers for
administration and logon. You must have a DNS server installed and configured for Active
Directory and the associated client software to function correctly. This article guides you
through the required DNS configuration.
Install Microsoft DNS Server
Click to select the Domain Name System (DNS) check box, and then click
OK.
Click OK to start server Setup. The DNS server and tool files are copied to
your computer.
These steps guide you through configuring DNS by using the DNS Manager snap-in in
Microsoft Management Console (MMC).
Click Start, point to Programs, point to Administrative Tools, and then click
DNS Manager. You see two zones under your computer name: Forward
Lookup Zone and Reverse Lookup Zone.
If the Wizard does not auto-start, right-click your server name object in the
DNS Manager console and choose Configure your Server.
Choose to add a forward lookup zone. Click Next. The new forward lookup
zone must be a primary zone so that it can accept dynamic updates. Click
Primary, and then click Next.
The zone name must be exactly the same as your Active Directory Domain
name, or, if on a stand-alone or workgroup environment - the same as the
suffix for all of the network computers that are to register with this DNS
server. Type the name of the zone, and then click Next.
Accept the default name for the new zone file. Click Next.
Type the name of the zone, and then click Next. The zone name should
match the Network ID of your local subnet. For example, if your subnet
range is from 192.168.0.1 to 192.168.0.254, type 192.168.0 in the name
value.
Accept the default name for the new zone file. Click Next.
On the General tab, click to select the Allow Dynamic Update check box,
and then click OK to accept the change.
Click Start, point to Programs, point to Administrative Tools, and then click
DNS to start the DNS Management Console.
Right click the DNS Server object for your server in the left pane of the
console, and click Properties.
In the IP address box, enter the IP addresses of the DNS servers you want to forward queries to - typically the DNS server of your ISP. You can also move them up or down. The one that is highest in the list gets the first try, and if it does not respond within a given time limit, the query is forwarded to the next server in the list.
Click OK.
================
DNS Zones Overview
A DNS zone is the contiguous portion of the DNS domain name space over which a DNS
server has authority. A zone is a portion of a namespace. It is not a domain. A domain is a
branch of the DNS namespace. A DNS zone can contain one or more contiguous domains. A
DNS server can be authoritative for multiple DNS zones. A non-contiguous namespace
cannot be a DNS zone.
A zone contains the resource records for all of the names within the particular zone. Zone
files are used if DNS data is not integrated with Active Directory. The zone files contain the
DNS database resource records that define the zone. If DNS and Active Directory are
integrated, then DNS data is stored in Active Directory.
The different types of zones used in Windows Server 2003 DNS are listed below:
Primary zone
Secondary zone
Stub zone
Primary Zone: A primary zone is the only zone type that can be edited or updated because the
data in the zone is the original source of the data for all domains in the zone. Updates made to
the primary zone are made by the DNS server that is authoritative for the specific primary
zone. Users can also back up data from a primary zone to a secondary zone.
Secondary Zone : A secondary zone is a read-only copy of the zone that was copied from the
master server during zone transfer. In fact, a secondary zone can only be updated through
zone transfer.
Active Directory-integrated zone: Zone that stores its data in Active Directory. DNS zone files are not needed. This type of zone is an authoritative primary zone. An Active Directory-integrated zone's data is replicated during the Active Directory replication process. Active Directory-integrated zones also enjoy Active Directory's security features.
Reverse lookup zone: Reverse lookup zone is an authoritative DNS zone. These zones mainly
resolve IP addresses to resource names on the network. A reverse lookup zone can be either
of the following zones:
Primary zone
Secondary zone
Stub Zone: A stub zone is a new Windows Server 2003 feature. Stub zones only contain those resource records necessary to identify the authoritative DNS servers for the master zone:
Resource records that list the authoritative DNS servers of the zone
Glue address (A) resource records that are necessary for contacting the authoritative servers of the zone.
Stub zones therefore contain only a partial copy of a zone, and are used to resolve recursive and iterative queries:
Iterative queries: The DNS server provides the best answer it can. This can be:
Recursive queries: The DNS server has to reply with the requested information or with an error. The DNS server cannot provide a referral to a different DNS server.
Zone delegation occurs when users assign authority over portions of the DNS namespace to
subdomains of the DNS namespace. Users should delegate a zone under the following
circumstances:
A zone transfer can be defined as the process that occurs to copy the zone's resource records
on the primary DNS server to secondary DNS servers. Zone transfer enables a secondary
DNS server to continue handling queries if the primary DNS server fails. A secondary DNS
server can also transfer its zone data to other secondary DNS servers that are beneath it in the
DNS hierarchy. In this case, the secondary DNS server is regarded as the master DNS server
to the other secondary servers.
The zone transfer methods are:
Full transfer: When the user configures a secondary DNS server for a zone
and starts the secondary DNS server, the secondary DNS server requests
a full copy of the zone from the primary DNS server. A full transfer of all
the zone information is performed. Full zone transfers tend to be resource
intensive. This disadvantage of full transfers has led to the development of
incremental zone transfers.
Name    Function
A       Host record (IPv4 address)
AAAA    IPv6 host address record
AFSDB   Andrew File System database server record
ATMA    ATM address record
CNAME   Canonical name (alias) record
HINFO   Host information record
ISDN    ISDN address record
KEY     Public key record
MB      Mailbox record
MG      Mail group record
MINFO   Mailbox information record
MR      Mailbox rename record
MX      Mail exchanger record
NS      Name server record
NXT     Next domain record (DNSSEC)
OPT     EDNS option pseudo-record
PTR     Pointer (reverse lookup) record
RT      Route through record
SIG     Signature record (DNSSEC)
SOA     Start of authority record
SRV     Service location record
TXT     Text record
X25     X.25 address record
While there are various resource records that contain different information, there are a few
required fields that each particular resource record has to contain:
TTL (Time to Live) indicates the time duration that DNS servers can cache resource record information prior to discarding the information. This is, however, an optional resource record field.
Class is another optional resource record field. Class types were used in earlier implementations of the DNS naming system and are no longer used these days.
Record Specific Data: a variable length field that further defines the function of the resource. The format of the field is determined by Class and Type.
Delegation records and glue records can also be added to a zone. These records delegate a
subdomain into a separate zone.
Glue records: These are A type resource records for the DNS server that has authority over the delegated zone.
The more important resource records are discussed now. This includes the following:
Start of Authority (SOA), Name Server (NS), Host (A), Alias (CNAME), Mail
exchanger (MX), Pointer (PTR), Service location (SRV)
Start of Authority (SOA) Resource Record
This is the first record in the DNS database file. The SOA record includes zone property information, such as the primary DNS server for the zone and version information.
The fields located within the SOA record are listed below:
Source host: the host for which the DNS database file is maintained.
Contact e-mail: e-mail address for the individual who is responsible for the database file.
Refresh time: the time that a secondary DNS server waits before checking whether database updates have been made that have to be replicated via zone transfer.
Retry time: the time for which a secondary DNS server waits before attempting a failed zone transfer again.
Expiration time: the time for which a secondary DNS server will continue to attempt to download zone information. Old zone information is discarded when this limit is reached.
Time to live: the time that the particular DNS server can cache resource records from the DNS database file.
The Name Server (NS) resource record provides a list of the authoritative DNS servers for a domain, as well as the authoritative DNS servers for any delegated subdomains. Each zone must have
one (or more) NS resource records at the zone root. The NS resource record indicates the
primary and secondary DNS servers for the zone defined in the SOA resource record. This in
turn enables other DNS servers to look up names in the domain.
Host (A) Resource Record
The host (A) resource record contains the IP address of a specific host and maps the FQDN to this 32-bit IPv4 address. Host (A) resource records basically associate the domain names of computers (FQDNs) or host names with their associated IP addresses. Because a host (A)
resource record statically associates a host name to a specific IP address, users can manually
add these records to zones if they have machines that have statically assigned IP addresses.
The methods used to add host (A) resource records to zones are:
Use the Dnscmd tool at the command line to add host (A) resource
records.
Alias (CNAME) resource records tie an alias name to its associated domain name. Alias
(CNAME) resource records are referred to as canonical names. By using canonical names,
users can hide network information from the clients connected to their network. Alias
(CNAME) resource records should be used when users have to rename a host that is defined
in a host (A) resource record in the identical zone.
Mail Exchanger (MX) Resource Record
The mail exchanger (MX) resource record provides routing for messages to mail servers and
backup servers. The MX resource record identifies which mail servers process e-mail for the particular domain name. E-mail applications therefore mostly utilize
MX resource records.
A mail exchanger (MX) resource record has the following parameters:
Priority
Mail server
The mail exchanger (MX) resource record enables the DNS server to work with e-mail
addresses where no specific mail server is defined. A DNS domain can have multiple MX
records. MX resource records can therefore also be used to provide failover to different mail
servers when the primary server specified is unavailable. In this case, a server preference
value is added to indicate the priority of a server in the list. Lower server preference values
specify higher preference.
Pointer (PTR) Resource Record
The pointer (PTR) resource record points to a different resource record and is used for reverse
lookups to point to A resource records. Reverse lookups resolve IP addresses to host names or
FQDNs.
Add PTR resource records to zones through the following methods:
Use the Dnscmd tool at the command line to add PTR resource records.
Service (SRV) resource records are typically used by Active Directory to locate domain
controllers, LDAP servers, and global catalog servers. The SRV records define the location of
specific services in a domain. They associate the location of a service such as a domain
controller or global catalog server with details on how the particular service can be contacted.
The fields of the service (SRV) resource record are explained below:
Service name
The class
The target specifying the FQDN of the particular host supporting the
service
If the user is not using Active Directory-integrated zones, the specific zone database files that
are used for zone data are:
Domain Name file: When new A type resource records are added to the
domain, they are stored in this file. When a zone is created, the Domain
Name file contains the following:
Cache file: This file contains a listing of the names and addresses of root name servers that are needed for resolving names that are external to the authoritative domains.
Boot file: This file controls the DNS server's startup behavior. The boot file supports the commands listed below:
Cache command: this command defines the list of root hints used for contacting DNS servers for the root domain.
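As an added example (not part of the original article) tying the resource-record discussion to the reverse lookup zone created earlier for 192.168.0.x: the Python below parses a small zone in master-file syntax, reads the SOA fields listed above, orders MX records by preference, derives the reverse zone and PTR names from the A records, follows a CNAME, and reads an SRV record of the kind Active Directory uses to find domain controllers. The example.local zone, its host names and all addresses are constructed.

```python
"""Worked example for the SOA, NS, A, CNAME, MX, PTR and SRV records above.

Added example, not from the original article; the zone below is constructed."""
from ipaddress import IPv4Address

# Constructed zone fragment: owner  TTL  class  type  rdata
ZONE = """\
example.local.       3600 IN SOA   dc1.example.local. hostmaster.example.local. 2024010101 900 600 86400 3600
example.local.       3600 IN NS    dc1.example.local.
dc1.example.local.   3600 IN A     192.168.0.10
mail1.example.local. 3600 IN A     192.168.0.20
mail2.example.local. 3600 IN A     192.168.0.21
www.example.local.   3600 IN CNAME dc1.example.local.
example.local.       3600 IN MX    20 mail2.example.local.
example.local.       3600 IN MX    10 mail1.example.local.
_ldap._tcp.dc._msdcs.example.local. 600 IN SRV 0 100 389 dc1.example.local.
"""


def parse_zone(text):
    """Split each record into owner, TTL, class, type and the type-specific rdata."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue                      # skip blank lines and comments
        owner, ttl, cls, rtype, *rdata = line.split()
        records.append({"owner": owner, "ttl": int(ttl), "class": cls,
                        "type": rtype, "rdata": rdata})
    return records


def soa_fields(records):
    """Map the SOA rdata onto the field names the article uses."""
    soa = next(r for r in records if r["type"] == "SOA")
    mname, rname, serial, refresh, retry, expire, minimum = soa["rdata"]
    return {
        "source host": mname,
        # RFC 1035 writes the responsible mailbox with a dot in place of '@'
        "contact e-mail": rname.rstrip(".").replace(".", "@", 1),
        "serial": int(serial),
        "refresh time": int(refresh),
        "retry time": int(retry),
        "expiration time": int(expire),
        "time to live": int(minimum),
    }


def mail_servers_in_order(records, domain):
    """MX: the lower the preference value, the higher the priority."""
    mx = [r for r in records if r["type"] == "MX" and r["owner"] == domain]
    return [r["rdata"][1] for r in sorted(mx, key=lambda r: int(r["rdata"][0]))]


def reverse_zone_name(network_id):
    """The reverse zone for 192.168.0.x is 0.168.192.in-addr.arpa."""
    return ".".join(reversed(network_id.split("."))) + ".in-addr.arpa."


def ptr_records(records):
    """PTR records the reverse zone needs, derived from the forward A records."""
    return {IPv4Address(r["rdata"][0]).reverse_pointer + ".": r["owner"]
            for r in records if r["type"] == "A"}


def resolve_alias(records, name):
    """Follow CNAMEs to the canonical name (guarding against loops), then return its A data."""
    seen = set()
    while name not in seen:
        seen.add(name)
        cname = next((r for r in records if r["type"] == "CNAME" and r["owner"] == name), None)
        if cname is None:
            break
        name = cname["rdata"][0]
    return [r["rdata"][0] for r in records if r["type"] == "A" and r["owner"] == name]


def locate_service(records, srv_name):
    """SRV rdata is priority, weight, port, target; lowest priority first, heavier weight first."""
    srv = [r for r in records if r["type"] == "SRV" and r["owner"] == srv_name]
    ordered = sorted(srv, key=lambda r: (int(r["rdata"][0]), -int(r["rdata"][1])))
    return [dict(zip(("priority", "weight", "port"), map(int, r["rdata"][:3])),
                 target=r["rdata"][3]) for r in ordered]


if __name__ == "__main__":
    recs = parse_zone(ZONE)
    print(soa_fields(recs))
    print(mail_servers_in_order(recs, "example.local."))
    print(reverse_zone_name("192.168.0"), ptr_records(recs))
    print(resolve_alias(recs, "www.example.local."))
    print(locate_service(recs, "_ldap._tcp.dc._msdcs.example.local."))
```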
=================
DNS traffic patterns: use the System Monitor tool to examine DNS performance
counters and to obtain DNS server statistics.
Network link speed: The types of network links that exist between DNS servers
should be determined when users plan the zones for their environment.
Whether full DNS servers or caching-only DNS servers are being used also affects
how users break up DNS zones.
The main zone types used in Windows Server 2003 DNS environments are primary zones and
Active Directory-integrated zones. The question on whether to implement primary zones or
Active Directory-integrated zones would be determined by the environment's DNS design
requirements.
Both primary zones and secondary zones are standard DNS zones that use zone files. The
main difference between primary zones and secondary zones is that primary zones can be
updated. Secondary zones contain read-only copies of zone data. A secondary DNS zone can
only be updated through DNS zone transfer. Secondary DNS zones are usually implemented
to provide fault tolerance for the DNS server environment.
An Active Directory-integrated zone can be defined as an improved version of a primary
DNS zone because it can use multi-master replication and the security features of Active
Directory. The zone data of Active Directory-integrated zones are stored in Active Directory.
Active Directory-integrated zones are authoritative primary zones.
A few advantages that Active Directory-integrated zone implementations have over standard
primary zone implementations are:
Active Directory replication is faster, which means that the time needed to transfer
zone data between zones is far less.
The Active Directory replication topology is used for Active Directory replication and
for Active Directory-integrated zone replication. There is no longer a need for DNS
replication when DNS and Active Directory are integrated.
Active Directory-integrated zones can enjoy the security features of Active Directory.
The need to manage Active Directory domains and DNS namespaces as separate
entities is eliminated. This in turn reduces administrative overhead.
When DNS and Active Directory are integrated, the Active Directory-integrated zones
are replicated and stored on any new domain controllers automatically.
Synchronization takes place automatically when new domain controllers are
deployed.
The mechanism that DNS utilizes to forward a query that one DNS server cannot resolve to
another DNS server is called DNS forwarding. DNS forwarders are the DNS servers used to
forward DNS queries for a different DNS namespace to the DNS servers that can answer the
query. A DNS server is configured as a DNS forwarder when users configure the other DNS
servers to direct any unresolved queries to a specific DNS server. Creating DNS forwarders
can improve name resolution efficiency.
Windows Server 2003 DNS introduces a new feature called conditional forwarding. With
conditional forwarding, users create conditional forwarders within their environment that will
forward DNS queries based on the specific domain names being requested in the query. This
differs from DNS forwarders where the standard DNS resolution path to the root was used to
resolve the query. A conditional forwarder can only forward queries for domains that are
defined in the particular conditional forwarders list. The query is passed to the default DNS
forwarder if there are no entries in the forwarders list for the specific domain queried.
When conditional forwarders are configured, the process to resolve domain names is
illustrated below:
1. A client sends a query to the DNS server for name resolution.
2. The DNS server checks its DNS database file to determine whether it can resolve the
query with its zone data.
3. The DNS server also checks its DNS server cache to resolve the request.
4. If the DNS server is not configured to use forwarding, the server uses recursion to
attempt to resolve the query.
5. If the DNS server is configured to forward the query for a specific domain name to a
DNS forwarder, the DNS server then forwards the query to the IP address of its
configured DNS forwarder.
A few considerations for configuring forwarders for the DNS environment are:
Only implement the DNS forwarders that are necessary for the environment. Refrain from creating large numbers of forwarders for the internal DNS servers.
To avoid the DNS forwarder turning into a bottleneck, do not configure one external
DNS forwarder for all the internal DNS servers.
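As an added example (not part of the original article), the Python below models the resolution order in steps 1 to 5 above, with the most specific conditional forwarder winning and unlisted domains falling through to the default forwarder or to recursion, and adds a check for the single shared external forwarder the considerations warn about. Zone names, cache contents and forwarder addresses are constructed (documentation address ranges).

```python
"""Model of the conditional-forwarding resolution order and the forwarder
bottleneck check.  Added example, not from the original article; all names
and addresses are constructed."""
from dataclasses import dataclass, field


def _normalise(name):
    """Lower-case and make fully qualified so suffix matching is reliable."""
    return name.lower().rstrip(".") + "."


def _under(qname, domain):
    """True when qname is the domain itself or a name beneath it."""
    return qname == domain or qname.endswith("." + domain)


@dataclass
class DnsServer:
    zones: dict                                   # zone name -> {qname: answer}
    cache: dict = field(default_factory=dict)     # qname -> cached answer
    conditional_forwarders: dict = field(default_factory=dict)  # domain -> forwarder IP
    default_forwarders: list = field(default_factory=list)

    def resolve(self, qname):
        """Return (stage, result): which stage of steps 2-5 answered and what it produced."""
        qname = _normalise(qname)
        # Step 2: zone data.  An authoritative server answers for its own zones,
        # including a negative answer; it never forwards those names.
        zone_matches = [z for z in self.zones if _under(qname, _normalise(z))]
        if zone_matches:
            zone = max(zone_matches, key=len)        # most specific zone wins
            return ("zone", self.zones[zone].get(qname, "NXDOMAIN"))
        # Step 3: server cache
        if qname in self.cache:
            return ("cache", self.cache[qname])
        # Step 5: a conditional forwarder only handles the domains in its list;
        # the most specific (longest) matching domain wins.
        matches = [d for d in self.conditional_forwarders if _under(qname, _normalise(d))]
        if matches:
            best = max(matches, key=len)
            return ("conditional-forwarder", self.conditional_forwarders[best])
        # Unlisted domains go to the default forwarder ...
        if self.default_forwarders:
            return ("default-forwarder", self.default_forwarders[0])
        # ... and with no forwarding configured the server recurses (step 4).
        return ("recursion", "root hints")


def single_external_forwarder_for_all(servers):
    """The bottleneck the considerations warn about: every internal server
    funnels its unresolved queries to the same lone external forwarder."""
    targets = {tuple(s.default_forwarders) for s in servers}
    return len(servers) > 1 and len(targets) == 1 and len(next(iter(targets))) == 1


if __name__ == "__main__":
    srv = DnsServer(
        zones={"example.local.": {"dc1.example.local.": "192.168.0.10"}},
        cache={"www.partner.test.": "203.0.113.5"},
        conditional_forwarders={"partner.test.": "198.51.100.53",
                                "eu.partner.test.": "198.51.100.54"},
        default_forwarders=["192.0.2.53"],
    )
    for q in ("dc1.example.local", "nope.example.local", "www.partner.test",
              "ldap.eu.partner.test", "mail.partner.test", "www.example.org"):
        print(q, "->", srv.resolve(q))
    print(single_external_forwarder_for_all([srv, DnsServer(zones={}, default_forwarders=["192.0.2.53"])]))
```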
=====================