
Microsoft Windows Servers - Command Reference

Network File System Command Reference


1. mapadmin
The mapadmin command-line utility administers User Name Mapping on the local or remote
computer running Microsoft Services for Network File System. If you are logged on with an
account that does not have administrative credentials, you can specify a user name and
password of an account that does.
Syntax:
mapadmin [<computer>] [-u <user> [-p <password>]]
mapadmin [<computer>] [-u <user> [-p <password>]] {start | stop}
mapadmin [<computer>] [-u <user> [-p <password>]] config <option[...]>
mapadmin [<computer>] [-u <user> [-p <password>]] add -wu <WindowsUser> -uu <UNIXUser> [-setprimary]
mapadmin [<computer>] [-u <user> [-p <password>]] add -wg <WindowsGroup> -ug <UNIXGroup> [-setprimary]
mapadmin [<computer>] [-u <user> [-p <password>]] setprimary -wu <WindowsUser> [-uu <UNIXUser>]
mapadmin [<computer>] [-u <user> [-p <password>]] setprimary -wg <WindowsGroup> [-ug <UNIXGroup>]
mapadmin [<computer>] [-u <user> [-p <password>]] delete <option[...]>
mapadmin [<computer>] [-u <user> [-p <password>]] list <option[...]>
mapadmin [<computer>] [-u <user> [-p <password>]] backup <filename>
mapadmin [<computer>] [-u <user> [-p <password>]] restore <filename>
mapadmin [<computer>] [-u <user> [-p <password>]] adddomainmap -d <WindowsDomain> {-y <NISdomain> | -f <path>}
mapadmin [<computer>] [-u <user> [-p <password>]] removedomainmap -d <WindowsDomain> -y <NISdomain>
mapadmin [<computer>] [-u <user> [-p <password>]] removedomainmap -all
mapadmin [<computer>] [-u <user> [-p <password>]] listdomainmaps
<computer>
Specifies the remote computer running the User Name Mapping service that you want
to administer. You can specify the computer using a Windows Internet Name Service
(WINS) name or a Domain Name System (DNS) name, or by Internet Protocol (IP)
address.
-u <user>
Specifies the user name of the user whose credentials are to be used. It might be
necessary to add the domain name to the user name in the form domain\user name.
-p <password>
Specifies the password of the user. If you specify the -u option but omit the -p option,
you are prompted for the user's password.

2. Mount
The mount command-line utility mounts the file system identified by ShareName exported
by the NFS server identified by ComputerName and associates it with the drive letter
specified by DeviceName or, if an asterisk (*) is used, with the first available drive letter.
Users can then access the exported file system as though it were a drive on the local
computer. When used without options or arguments, mount displays information about all
mounted NFS file systems.
The mount utility is available only if Client for NFS is installed.
The following options and arguments can be used with the mount utility.
Syntax:
mount [-o <Option>[...]] [-u:<UserName>] [-p:{<Password> | *}] {\\<ComputerName>\<ShareName> | <ComputerName>:/<ShareName>} {<DeviceName> | *}
Options:
-o rsize=<buffersize> --> Sets the size in kilobytes of the read buffer. Acceptable values are 1, 2, 4, 8, 16, and 32; the default is 32 KB.
-o wsize=<buffersize> --> Sets the size in kilobytes of the write buffer. Acceptable values are 1, 2, 4, 8, 16, and 32; the default is 32 KB.
-o timeout=<seconds> --> Sets the time-out value in seconds for a remote procedure call (RPC). Acceptable values are 0.8, 0.9, and any integer in the range 1-60; the default is 0.8.
-o retry=<number> --> Sets the number of retries for a soft mount. Acceptable values are integers in the range 1-10; the default is 1.
-u:<UserName> --> Specifies the user name to use for mounting the share. If UserName is not preceded by a backslash (\), it is treated as a UNIX user name.
-p:<Password> --> The password to use for mounting the share. If you use an asterisk (*), you will be prompted for the password.
Ref : http://technet.microsoft.com/en-us/library/cc733084(v=ws.10).aspx

3. nfsadmin
The nfsadmin command-line utility administers Server for NFS or Client for NFS on the
local or remote computer running Microsoft Services for Network File System (NFS). If you
are logged on with an account that does not have the required privileges, you can specify a
user name and password of an account that does. The action performed by nfsadmin depends
on the command arguments you supply.

Syntax:
nfsadmin server [ComputerName] [-u UserName [-p Password]] -l
nfsadmin server [ComputerName] [-u UserName [-p Password]] -r {client | all}
nfsadmin server [ComputerName] [-u UserName [-p Password]] {start | stop}
nfsadmin server [ComputerName] [-u UserName [-p Password]] config Option[...]
nfsadmin server [ComputerName] [-u UserName [-p Password]] creategroup Name
nfsadmin server [ComputerName] [-u UserName [-p Password]] listgroups
nfsadmin server [ComputerName] [-u UserName [-p Password]] deletegroup Name
nfsadmin server [ComputerName] [-u UserName [-p Password]] renamegroup OldName NewName
nfsadmin server [ComputerName] [-u UserName [-p Password]] addmembers Name Host[...]
nfsadmin server [ComputerName] [-u UserName [-p Password]] listmembers
nfsadmin server [ComputerName] [-u UserName [-p Password]] deletemembers Group Host[...]
nfsadmin client [ComputerName] [-u UserName [-p Password]] {start | stop}
nfsadmin client [ComputerName] [-u UserName [-p Password]] config Option[...]

In addition to service-specific command arguments and options, nfsadmin accepts the
following:
ComputerName
Specifies the remote computer you want to administer. You can specify the computer
using a Windows Internet Name Service (WINS) name or a Domain Name System
(DNS) name, or by Internet Protocol (IP) address.
-u UserName
Specifies the user name of the user whose credentials are to be used. It might be
necessary to add the domain name to the user name in the form domain\UserName.
-p Password
Specifies the password of the user specified using the -u option. If you specify the -u option but omit the -p option, you are prompted for the user's password.

4. Nfsshare

Without arguments, the nfsshare command-line utility lists all Network File System (NFS)
shares exported by Server for NFS. With ShareName as the only argument, nfsshare lists the
properties of the NFS share identified by ShareName. When ShareName and Drive:Path are
provided, nfsshare exports the folder identified by Drive:Path as ShareName. When
the /delete option is used, the specified folder is no longer made available to NFS clients.
Syntax :
nfsshare <ShareName>=<Drive:Path> [-o <Option=value>...]
nfsshare {<ShareName> | <Drive>:<Path> | * } /delete

5. Nfsstat
When used without the -z option, the nfsstat command-line utility displays the number of
NFS V2, NFS V3, and Mount V3 calls made to the server since the counters were set to 0,
either when the service started or when the counters were reset using nfsstat -z.
Syntax :
nfsstat [-z]

Ref : http://technet.microsoft.com/en-us/library/cc733084(v=ws.10).aspx

6. Rpcinfo
Lists programs on remote computers. The rpcinfo command-line utility makes a remote
procedure call (RPC) to an RPC server and reports what it finds.
Syntax:
rpcinfo [/p [<Node>]] [/b <Program Version>] [/t <Node Program> [<Version>]] [/u <Node Program> [<Version>]]
Example:
rpcinfo /p [<Node>] - To list all programs registered with the port mapper
rpcinfo /b <Program Version> - To request a response from network nodes that have a specified program
rpcinfo /t <Node Program> [<Version>] - To use Transmission Control Protocol (TCP) to call a program
7. Showmount

The showmount command-line utility displays information about mounted file systems
exported by Server for NFS on the computer specified by Server. If Server is not provided,
showmount displays information about the computer on which the showmount command is
run.
Syntax:
showmount {-e | -a | -d} [Server]
-e Displays all file systems exported on the server.
-a Displays all Network File System (NFS) clients and the directories on the server each has mounted.
-d Displays all directories on the server that are currently mounted by NFS clients.

8. Umount
The umount command-line utility disconnects the specified NFS-mounted drive. You must
supply at least one of the following options or arguments.
Syntax :
umount [-f] [{-a | DriveLetter:[...] | NetworkMount[...]}]
-f Forces deletion of Network File System (NFS) network drives.
-a Deletes all NFS network drives. If there are active connections, umount prompts you for
confirmation unless you also use the -f option.
DriveLetter - The letter of the logical drive to be disconnected.
NetworkMount - The network mount point to be disconnected. This mount must have been
created using the net use Windows command-line utility without specifying a drive letter.

Ref : http://technet.microsoft.com/en-us/library/cc733084(v=ws.10).aspx
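The following PowerShell script is an added example and is not part of the original reference. It ties the mount and umount utilities above together: it mounts an export, asks for the password interactively with -p:* rather than placing it on the command line (where it would be visible in the process list and in command history), verifies the drive, and disconnects it with umount -f. The server, share, user name and drive letter are placeholder values, and the script assumes mount.exe and umount.exe from Client for NFS are on the PATH.

```powershell
# Added example, not from the original reference. Assumes Client for NFS is
# installed so that mount.exe and umount.exe are on the PATH.
param(
    [string]$Server   = 'nfs01.example.local',   # placeholder NFS server
    [string]$Share    = 'exports',               # placeholder export name
    [string]$UserName = 'nfsuser',               # UNIX user name (no leading backslash)
    [string]$Drive    = 'N:'                     # drive letter to attach, or '*' for the first free one
)

function Mount-NfsExport {
    param([string]$Server, [string]$Share, [string]$UserName, [string]$Drive)

    # -p:* makes mount prompt for the password interactively, so the secret
    # never appears as a command-line argument. -o retry=3 is optional.
    & mount.exe -o retry=3 "-u:$UserName" '-p:*' "\\$Server\$Share" $Drive
    if ($LASTEXITCODE -ne 0) {
        throw "mount of \\$Server\$Share failed with exit code $LASTEXITCODE"
    }
    # When the drive letter was chosen explicitly, confirm it is now reachable.
    if ($Drive -ne '*' -and -not (Test-Path -LiteralPath "$Drive\")) {
        throw "mount reported success but $Drive is not accessible"
    }
    return $Drive
}

function Dismount-NfsExport {
    param([string]$Drive)
    # -f forces the disconnect even if handles are still open (see umount above).
    & umount.exe -f $Drive
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "umount of $Drive returned exit code $LASTEXITCODE"
    }
}

$mounted = Mount-NfsExport -Server $Server -Share $Share -UserName $UserName -Drive $Drive
try {
    # With no arguments, mount lists every NFS file system currently mounted.
    & mount.exe
    Get-ChildItem -LiteralPath "$mounted\" | Select-Object -First 5
}
finally {
    Dismount-NfsExport -Drive $mounted
}
```

If the drive letter is given as *, the script cannot know which letter mount chose, so it skips the Test-Path check; run mount with no arguments afterwards to see the assignment.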
Windows Server Backup Command Reference
1. Wbadmin enable backup

To configure or modify a daily backup schedule, you must be a member of either the
Administrators or Backup Operators group. In addition, you must run wbadmin from an
elevated command prompt.
Syntax for Windows Server 2008:

wbadmin enable backup


[-addtarget:<BackupTargetDisk>]
[-removetarget:<BackupTargetDisk>]
[-schedule:<TimeToRunBackup>]
[-include:<VolumesToInclude>]
[-allCritical]
[-quiet]
Syntax for Windows Server 2008 R2:
wbadmin enable backup
[-addtarget:<BackupTarget>]
[-removetarget:<BackupTarget>]
[-schedule:<TimeToRunBackup>]
[-include:<VolumesToInclude>]
[-nonRecurseInclude:<ItemsToInclude>]
[-exclude:<ItemsToExclude>]
[-nonRecurseExclude:<ItemsToExclude>][-systemState]
[-allCritical]
[-vssFull | -vssCopy]
[-user:<UserName>]
[-password:<Password>]
[-quiet]
Example:
Schedule backups of volume t: and folder d:\documents to the drive h:, but exclude the folder
d:\documents\~tmp.
Perform a full backup using the Volume Shadow Copy Service.
Run backups daily at 1:00 A.M.
wbadmin enable backup -addtarget:H: -include:T:,D:\documents -exclude:D:\documents\~tmp -vssFull -schedule:01:00

2. Wbadmin disable backup


To disable a scheduled daily backup, you must be a member of the Administrators group, or
you must have been delegated the appropriate permissions. In addition, you must
run wbadmin from an elevated command prompt.
Syntax:
wbadmin disable backup
[-quiet]
Ref : http://technet.microsoft.com/en-us/library/cc770340(v=ws.10).aspx
3. Wbadmin start backup

Creates a backup using specified parameters. If no parameters are specified and you have
created a scheduled daily backup, this subcommand creates the backup by using the settings
for the scheduled backup. If parameters are specified, it creates a Volume Shadow Copy
Service (VSS) copy backup and will not update the history of the files that are being backed
up.
To create a one-time backup with this subcommand, you must be a member of the Backup
Operators group or the Administrators group, or you must have been delegated the
appropriate permissions. In addition, you must run wbadmin from an elevated command
prompt.
Syntax for Windows Server 2008:
wbadmin start backup
[-backupTarget:{<BackupTargetLocation> | <TargetNetworkShare>}]
[-include:<VolumesToInclude>]
[-allCritical]
[-noVerify]
[-user:<UserName>]
[-password:<Password>]
[-noinheritAcl]
[-vssFull]
[-quiet]
Syntax for Windows Server 2008 R2:
Wbadmin start backup
[-backupTarget:{<BackupTargetLocation> | <TargetNetworkShare>}]
[-include:<ItemsToInclude>]
[-nonRecurseInclude:<ItemsToInclude>]
[-exclude:<ItemsToExclude>]
[-nonRecurseExclude:<ItemsToExclude>]
[-allCritical]
[-systemState]
[-noVerify]
[-user:<UserName>]
[-password:<Password>]
[-noInheritAcl]

[-vssFull | -vssCopy]
[-quiet]
Example:
Perform a one-time backup of f:\folder1 and h:\folder2 to volume d:.
Back up the system state.
Make a copy backup so that the normally scheduled differential backup is not impacted.
wbadmin start backup -backupTarget:d: -include:f:\folder1,h:\folder2 -systemState -vssCopy

4. Wbadmin stop job


Cancels the backup or recovery operation that is currently running. Canceled operations
cannot be restarted; you must rerun a canceled backup or recovery operation from the
beginning.
To stop a backup or recovery operation with this subcommand, you must be a member of the
Backup Operators group or the Administrators group, or you must have been delegated the
appropriate authority. In addition, you must run wbadmin from an elevated command prompt.
Syntax :
wbadmin stop job
[-quiet]
-quiet -->Runs the subcommand with no prompts to the user.

5. Wbadmin get versions


Lists details about the available backups that are stored on the local computer or another
computer. When this subcommand is used without parameters, it lists all backups of the local
computer, even if those backups are not available. The details provided for a backup include
the backup time, the backup storage location, the version identifier (needed for the wbadmin
get items subcommand and to perform recoveries), and the type of recoveries you can
perform.
To get details about available backups using this subcommand, you must be a member of the
Backup Operators group or the Administrators group, or you must have been delegated the

appropriate permissions. In addition, you must run wbadmin from an elevated command
prompt.
Syntax :
wbadmin get versions
[-backupTarget:{<BackupTargetLocation> | <NetworkSharePath>}]
[-machine:BackupMachineName]
Example : To see a list of available backups that are stored on volume h, type:
wbadmin get versions -backupTarget:h:

6. Wbadmin get items


To use this subcommand, you must be a member of the Backup Operators group or the
Administrators group, or you must have been delegated the appropriate permissions. In
addition, you must run wbadmin from an elevated command prompt.
Syntax:
wbadmin get items
-version:<VersionIdentifier>
[-backupTarget:{<BackupTargetLocation> | <NetworkSharePath>}]
[-machine:<BackupMachineName>]
Example:
To list items from the backup that was run on March 31, 2005 at 9:00 A.M., type:
wbadmin get items -version:03/31/2005-09:00
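The following PowerShell script is an added example, not part of the original reference, that combines the two subcommands above: it runs wbadmin get versions against a backup target, extracts the version identifiers, picks the newest by date rather than by string order, and then lists that backup's contents with wbadmin get items before any recovery is attempted. It assumes wbadmin prints one "Version identifier: MM/dd/yyyy-HH:mm" line per backup (the same identifier form shown in the examples above); the backup target h: is a placeholder.

```powershell
# Added example, not from the original reference. Must run from an elevated
# prompt as a member of Administrators or Backup Operators.
# Assumption: wbadmin get versions prints one line of the form
# "Version identifier: MM/dd/yyyy-HH:mm" for each backup it finds.
param(
    [string]$BackupTarget = 'h:'   # placeholder volume or \\server\share holding the backups
)

function Get-WbVersionIds {
    param([string]$BackupTarget)
    $output = & wbadmin.exe get versions "-backupTarget:$BackupTarget" 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "wbadmin get versions failed (exit $LASTEXITCODE): $($output -join ' ')"
    }
    # Version identifiers have the form MM/dd/yyyy-HH:mm, which is what
    # wbadmin get items and wbadmin start recovery expect in -version:.
    $ids = foreach ($line in $output) {
        if ("$line" -match 'Version identifier:\s*(\d{2}/\d{2}/\d{4}-\d{2}:\d{2})') {
            $Matches[1]
        }
    }
    return @($ids)
}

function Get-LatestWbVersionId {
    param([string[]]$VersionIds)
    if (-not $VersionIds) { return $null }
    # Sort chronologically by parsing the identifier; "12/31/2004-23:00" must not
    # sort after "03/31/2005-09:00" just because it starts with a larger digit.
    $culture = [System.Globalization.CultureInfo]::InvariantCulture
    return ($VersionIds |
        Sort-Object { [datetime]::ParseExact($_, 'MM/dd/yyyy-HH:mm', $culture) } |
        Select-Object -Last 1)
}

$ids = Get-WbVersionIds -BackupTarget $BackupTarget
if ($ids.Count -eq 0) {
    Write-Warning "No backups found on $BackupTarget"
    return
}
$latest = Get-LatestWbVersionId -VersionIds $ids
Write-Host "Found $($ids.Count) backup version(s); newest is $latest"

# List what the newest backup contains before deciding on a recovery.
& wbadmin.exe get items "-version:$latest" "-backupTarget:$BackupTarget"
```

The identifier returned by Get-LatestWbVersionId can be passed unchanged to -version: on wbadmin start recovery or wbadmin start systemstaterecovery.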

7. Wbadmin start recovery


To perform a recovery with this subcommand, you must be a member of the Backup
Operators group or the Administrators group, or you must have been delegated the
appropriate permissions. In addition, you must run wbadmin from an elevated command
prompt.
Syntax :
wbadmin start recovery
-version:<VersionIdentifier>

-items:{<VolumesToRecover> | <AppsToRecover> | <FilesOrFoldersToRecover>}


-itemtype:{Volume | App | File}
[-backupTarget:{<VolumeHostingBackup> | <NetworkShareHostingBackup>}]
[-machine:<BackupMachineName>]
[-recoveryTarget:{<TargetVolumeForRecovery> | <TargetPathForRecovery>}]
[-recursive]
[-overwrite:{Overwrite | CreateCopy | Skip}]
[-notRestoreAcl]
[-skipBadClusterCheck]
[-noRollForward]
[-quiet]
-quiet -->Runs the subcommand with no prompts to the user.
Example : To run a recovery of the backup from March 31, 2005, taken at 9:00 A.M., of
volume d:, type:
wbadmin start recovery -version:03/31/2005-09:00 -itemType:Volume -items:d:

8. Wbadmin get status


Reports the status of the backup or recovery operation that is currently running.
To use this subcommand, you must be a member of the Backup Operators group or the
Administrators group, or you must have been delegated the appropriate permissions. In
addition, you must run wbadmin from an elevated command prompt.
Syntax :
wbadmin get status
This subcommand has no parameters.
9. Wbadmin get disks

Lists the internal and external disks that are currently online for the local computer.
To list the disks that are online with this subcommand, you must be a member of the Backup
Operators group or the Administrators group, or you must have been delegated the
appropriate permissions. In addition, you must run wbadmin from an elevated command
prompt.
Syntax:
wbadmin get disks

10. Wbadmin start systemstaterecovery


Performs a system state recovery to a location and from a backup that you specify.
To perform a system state recovery with this subcommand, you must be a member of the
Backup Operators group or the Administrators group, or you must have been delegated the
appropriate permissions. In addition, you must run wbadmin from an elevated command
prompt.
Syntax :
wbadmin start systemstaterecovery
-version:<VersionIdentifier>
-showsummary
[-backupTarget:{<BackupDestinationVolume> | <NetworkSharePath>}]
[-machine:<BackupMachineName>]
[-recoveryTarget:<TargetPathForRecovery>]
[-authsysvol]
[-quiet]
Example : To perform a system state recovery of the backup from 03/31/2005 at 9:00 A.M.,
type:
wbadmin start systemstaterecovery -version:03/31/2005-09:00

11. Wbadmin start systemstatebackup


Creates a system state backup of the local computer and stores it on the location specified.
To perform a system state backup with this subcommand, you must be a member of the
Backup Operators group or the Administrators group, or you must have been delegated the
appropriate permissions. In addition, you must run wbadmin from an elevated command
prompt.
Syntax :
wbadmin start systemstatebackup
-backupTarget:<VolumeName>
[-quiet]

Example :To create a system state backup and store it on volume f, type:
wbadmin start systemstatebackup -backupTarget:f:

Active Directory Domain Services Command Reference


1. Adprep
Extends the Active Directory schema and updates permissions as necessary to prepare a
forest and domain for a domain controller that runs the Windows Server 2008 operating
system.
Adprep.exe is a command-line tool that is available on the Windows Server 2008 installation
disc in the \sources\adprep folder, and it is available on the Windows Server 2008 R2
installation disk in the \support\adprep folder. You must run adprep from an elevated
command prompt. To open an elevated command prompt, click Start, right-click Command
Prompt, and then click Run as administrator.
In Windows Server 2008 R2, Adprep is available in a 32-bit version and a 64-bit version. The
64-bit version runs by default. If you need to run Adprep on a 32-bit computer, run the 32-bit
version (Adprep32.exe).
Syntax:
adprep {/forestprep | /domainprep | /domainprep /gpprep | /rodcprep | /wssg | /silent }
/forestprep - Prepares a forest for the introduction of a domain controller that runs Windows
Server 2008. You run this command only once in the forest. You must run this command on
the domain controller that holds the schema operations master role (also known as flexible
single master operations or FSMO) for the forest.
/domainprep - Prepares a domain for the introduction of a domain controller that runs
Windows Server 2008. You run this command after the forestprep command finishes and
after the changes replicate to all the domain controllers in the forest.
Run this command in each domain where you plan to add a domain controller that runs
Windows Server 2008. You must run this command on the domain controller that holds the
infrastructure operations master role for the domain. You must be a member of the Domain
Admins group to run this command.
/rodcprep - Updates permissions on application directory partitions to enable replication of
the partitions to read-only domain controllers (RODCs). This operation runs remotely; it
contacts the infrastructure master in each domain to update the permissions. You need to run
this command only once in the forest. However, you can rerun this command any time if it
fails to complete successfully because an infrastructure master is not available. You can run
this command on any computer in the forest. You must be a member of the Enterprise Admins
group to run this command.
Example :
adprep /forestprep
adprep /domainprep

adprep /rodcprep

2. Dcdiag
Analyzes the state of domain controllers in a forest or enterprise and reports any problems to
help in troubleshooting.
As an end-user reporting program, dcdiag is a command-line tool that encapsulates detailed
knowledge of how to identify abnormal behavior in the system. Dcdiag displays command
output at the command prompt.
Dcdiag consists of a framework for executing tests and a series of tests to verify different
functional areas of the system. This framework selects which domain controllers are tested
according to scope directives from the user, such as enterprise, site, or single server.
Dcdiag is built into Windows Server 2008 R2 and Windows Server 2008. It is available if you
have the Active Directory Domain Services (AD DS) or Active Directory Lightweight
Directory Services (AD LDS) server role installed. It is also available if you install the Active
Directory Domain Services Tools that are part of the Remote Server Administration Tools
(RSAT).

Syntax:
dcdiag [/s:<DomainController>] [/n:<NamingContext>] [/u:<Domain>\<UserName> /p:{* | <Password> | ""}] [{/a | /e}] [{/q | /v}] [/i] [/f:<LogFile>] [/c [/skip:<Test>]] [/test:<Test>] [/fix] [{/h | /?}] [/ReplSource:<SourceDomainController>]
Options:
/s:<DomainController> --> Specifies the name of the server to run the command against. If this parameter is not specified, the tests are run against the local domain controller. This parameter is ignored for the DcPromo and RegisterInDns tests, which can be run locally only.
/n:<NamingContext> --> Uses NamingContext as the naming context to test. You can specify domains in NetBIOS, Domain Name System (DNS), or distinguished name format.
/u:<Domain>\<UserName> /p:{* | <Password> | ""} --> Uses Domain\UserName. Dcdiag uses the current credentials of the user (or process) that is logged on. If alternate credentials are needed

3. Dcpromo
Installs and removes Active Directory Domain Services (AD DS).
Syntax:
dcpromo [/answer[:<filename>] | /unattend[:<filename>] | /unattend | /adv] /uninstallBinaries [/CreateDCAccount | /UseExistingAccount:Attach] /? /?[:{Promotion | CreateDCAccount | UseExistingAccount | Demotion}]
/answer[:<filename>] - Specifies an answer file that contains installation parameters and
values.
/unattend[:<filename>] - Specifies an answer file that contains installation parameters and
values. This command provides the same function as /answer[:<filename>].
/adv - Performs an install from media (IFM) operation.
/UninstallBinaries - Uninstalls AD DS binaries.
/CreateDCAccount - Creates a read-only domain controller (RODC) account. Only a
member of the Domain Admins group or the Enterprise Admins group can run this command.
/UseExistingAccount:Attach - Attaches a server to an existing RODC account. A member of
the Domain Admins group or a delegated user can run this command.
Example :
dcpromo /answer:NewForestInstallation

4. Csvde
Imports and exports data from Active Directory Domain Services (AD DS) using files that
store data in the comma-separated value (CSV) format. You can also support batch operations
based on the CSV file format standard.
Csvde is a command-line tool that is built into Windows Server 2008 in the
%windir%\system32 folder. It is available if you have the AD DS or Active Directory Lightweight
Directory Services (AD LDS) server role installed.

Syntax:
csvde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-u] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> {<Password> | *}] [-b <UserName> <Domain> {<Password> | *}]
Options,
-i - Specifies import mode. If not specified, the default mode is export.
-f <FileName> - Identifies the import or export file name.

-s <ServerName> - Specifies the domain controller to perform the import or export operation.
-c <String1> <String2> - Replaces all occurrences of String1 with String2. You use this
parameter when you import data from one domain to another and you want to replace the
distinguished name of the export domain (String1) with the distinguished name of the import
domain (String2).
-v - Sets verbose mode.
-j <Path> - Sets the log file location. The default is the current path.
-t <PortNumber> - Specifies an LDAP port. The default LDAP port is 389. The global
catalog port is 3268.
-u - Specifies Unicode format.
-d <BaseDN> - Sets the distinguished name of the search base for data export.
-r <LDAPFilter> - Creates an LDAP search filter for data export.
-p <Scope> - Sets the search scope. Search scope options are Base, OneLevel, or SubTree.
-l <LDAPAttributeList> - Sets the list of attributes to return in the results of an export
query. LDAP can return attributes in any order, and csvde does not attempt to impose any
order on the columns. If you omit this parameter, AD DS returns all attributes.
-o <LDAPAttributeList> - Specifies the list of attributes to omit from the results of an
export query. You use this parameter if you need to export objects from AD DS, and then
import them into another LDAP-compliant directory. If the other directory does not support
certain attributes, you can use this parameter to omit those attributes from the result set.
-g - Omits paged searches.
-m - Omits attributes that apply only to Active Directory objects, such as the ObjectGUID,
objectSID, pwdLastSet, and samAccountType attributes.
-n - Omits the export of binary values.
-k - Ignores errors during an import operation and continues processing. The following is a
complete list of ignored errors:
Object already exists
Constraint violation
Attribute or value already exists
-a [<UserDistinguishedName> {<Password> | *}] - Performs a simple LDAP bind with the user name and password. Sets the command to run using the supplied UserDistinguishedName and Password. By default, the command runs using the credentials of the user who is currently logged on to the network.
-b [<UserName> <Domain> {<Password> | *}] - Performs a secure LDAP bind with the NEGOTIATE authentication method. Sets the command to run using the supplied UserName, Domain, and Password. By default, the command runs using the credentials of the user who is currently logged on to the network.
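The following PowerShell script is an added example and is not part of the original reference. It shows the csvde export options above working together: a search base (-d) with SubTree scope (-p), an LDAP filter (-r), an explicit attribute list (-l), -m to drop the AD-only attributes (objectGUID, objectSid, pwdLastSet, sAMAccountType) so the file can be imported into another directory, and a -b NEGOTIATE bind with * so the password is prompted for rather than typed on the command line (the -a simple bind sends the password in clear text unless the LDAP session is otherwise protected). The server, OU, account and file path are placeholders.

```powershell
# Added example, not from the original reference. Exports user objects from one
# OU with csvde and checks the result. All names below are placeholders.
param(
    [string]$Server   = 'dc01',                          # placeholder domain controller
    [string]$BaseDN   = 'OU=Staff,DC=example,DC=local',  # placeholder search base
    [string]$OutFile  = 'C:\exports\staff-users.csv',
    [string]$UserName = 'svc-export',                    # placeholder account for the -b bind
    [string]$Domain   = 'EXAMPLE'
)

function Export-UsersWithCsvde {
    param([string]$Server, [string]$BaseDN, [string]$OutFile,
          [string]$UserName, [string]$Domain)

    # Only the columns the downstream consumer needs; csvde does not order them.
    $attributes = 'sAMAccountName,displayName,mail,memberOf'
    $csvdeArgs = @(
        '-s', $Server,
        '-d', $BaseDN,
        '-p', 'SubTree',                                   # whole OU, not just the base object
        '-r', '(&(objectCategory=person)(objectClass=user))',
        '-l', $attributes,
        '-m',                                              # omit objectGUID, objectSid, pwdLastSet, sAMAccountType
        '-f', $OutFile,
        '-b', $UserName, $Domain, '*'                      # NEGOTIATE bind; '*' prompts for the password
    )
    & csvde.exe @csvdeArgs
    if ($LASTEXITCODE -ne 0) {
        throw "csvde export failed with exit code $LASTEXITCODE"
    }
    return $OutFile
}

$file = Export-UsersWithCsvde -Server $Server -BaseDN $BaseDN -OutFile $OutFile `
                              -UserName $UserName -Domain $Domain

# Sanity check: csvde writes a header row followed by one row per exported object.
$rows = @(Import-Csv -LiteralPath $file)
Write-Host "Exported $($rows.Count) user object(s) to $file"
```

Because -m strips the AD-specific attributes, the same file can later be fed back with -i (and -c to rewrite the distinguished names) into a different domain; -k would let such an import continue past "object already exists" errors, which is convenient for re-runs but hides every duplicate, so check the log it writes under -j afterwards.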
Hardware RAID Levels

RAID 0
Minimum number of drives: 2
Description: Data striping without redundancy
Strengths: Highest performance
Weaknesses: No data protection; one drive fails, all data is lost

RAID 1
Minimum number of drives: 2
Description: Disk mirroring
Strengths: Very high performance; very high data protection; very minimal penalty on write performance
Weaknesses: High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required

RAID 2
Minimum number of drives: Not used in LAN environments
Description: No practical use
Strengths: Previously used for RAM error correction (known as Hamming Code) and in disk drives before the use of embedded error correction
Weaknesses: No practical use; same performance can be achieved by RAID 3 at lower cost

RAID 3
Minimum number of drives: 3
Description: Byte-level data striping with dedicated parity drive
Strengths: Excellent performance for large, sequential data requests
Weaknesses: Not well-suited for transaction-oriented network applications; single parity drive does not support multiple, simultaneous read and write requests

RAID 4
Minimum number of drives: 3 (not widely used)
Description: Block-level data striping with dedicated parity drive
Strengths: Data striping supports multiple simultaneous read requests
Weaknesses: Write requests suffer from the same single parity-drive bottleneck as RAID 3; RAID 5 offers equal data protection and better performance at the same cost

RAID 5
Minimum number of drives: 3
Description: Block-level data striping with distributed parity
Strengths: Best cost/performance for transaction-oriented networks; very high performance, very high data protection; supports multiple simultaneous reads and writes; can also be optimized for large, sequential requests
Weaknesses: Write performance is slower than RAID 0 or RAID 1

RAID 0/1
Minimum number of drives: 4
Description: Combination of RAID 0 (data striping) and RAID 1 (mirroring)
Strengths: Highest performance, highest data protection (can tolerate multiple drive failures)
Weaknesses: High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required; requires a minimum of four drives

RAID 1/0
Minimum number of drives: 4
Description: Combination of RAID 1 (mirroring) and RAID 0 (data striping)
Strengths: Shares the same fault tolerance as RAID 1 (the basic mirror), but complements that fault tolerance with a striping mechanism that can yield very high read rates
Weaknesses: High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required; requires a minimum of four drives

=======================
AD, Win2K, and WS2K3 Monitoring Considerations

A functioning, modern Windows network is a complex mesh of relationships and
dependencies involving a variety of different systems and services, including AD, DNS, the
GC, and operations master servers. Running an effective Windows network means having a
handle on every aspect of your network environment at all times.
It's no surprise that the primary monitoring consideration in Windows is AD and its related
services and components. This includes responsiveness to DNS and LDAP queries, AD
inter-site and intra-site replication, and a special Windows service called
the Knowledge Consistency Checker (KCC). In addition, the health and availability of
services such as DNS, the GC, and Dfs are also important.
(The KCC is a special Windows service that automatically generates AD's replication
topology and ensures that all domain controllers on the network participate in replication.)
However, knowing what metrics to monitor is only a first step. By far, the most important and
complex aspect of monitoring network health and performance isn't related to determining
what to monitor but rather how to digest the raw data collected from the array of metrics and
make useful determinations from that data. For example, although it would be possible to
collect data on several dozen metrics (via Performance Monitor) related to AD replication,
simply having this information at hand doesn't tell you how to interpret the data or what you
should consider acceptable tolerance ranges for each metric. A useful monitoring system not
only collects raw data but also understands the inter-relation of that data and how to use
the information to identify problems on the network. This kind of artificial intelligence
represents the true value of network monitoring software.
In order to ensure the health and availability of AD as well as other critical Windows network
services, organizations will need to regularly monitor a number of different services and
components.
Category: Domain controllers / AD
Potential problems:
- Low CPU or memory resources on domain controllers
- Low disk space on volumes housing the Sysvol folder, the AD database (NTDS.DIT) file, and/or the AD transactional log files
- Slow or broken connections between domain controllers
- Slow or failed client network logon authentication requests
- Slow or failed LDAP query responses
- Slow or failed Key Distribution Center (KDC) requests
- Slow or failed AD synchronization requests
- NetLogon (LSASS) service not functioning properly
- Directory Service Agent (DSA) service not functioning properly
- KCC not functioning properly
- Excessive number of SMB connections
- Insufficient RID allocation pool size on local server
- Problems with transitive or external trusts to Win2K or down-level NT domains
- Low AD cache hit rate for name resolution queries (as a result of inefficient AD design)

Category: Replication
Potential problems:
- Failed replication (due to domain controller or network connectivity problems)
- Slow replication
- Replication topology invalid/incomplete (lacks transitive closure/consistency)
- Replication using excessive network bandwidth
- Too many properties being dropped during replication
- Update Sequence Number (USN) update failures
- Other miscellaneous replication-related failure events

Category: GC
Potential problems:
- Slow or failed GC query responses
- GC replication failures

Category: DNS
Potential problems:
- Missing or incorrect SRV records for domain controllers
- Slow or failed DNS query responses
- DNS server zone file update failures

Category: Operation masters (FSMOs)
Potential problems:
- Inaccessibility of one or more operation master (FSMO) servers
- Forest- or domain-centric operation master roles not consistent across domain controllers within domain/forest
- Slow or failed role master responses

Category: Miscellaneous problems
Potential problems:
- Low-level network connectivity problems
- TCP/IP routing problems
- DHCP IP address allocation pool shortages
- WINS server query or replication failures (for legacy NetBIOS systems and applications)
- Naming context lost + found items exist
- Application or service failures or performance problems
=======================================
Monitoring and Troubleshooting the DHCP Server

You can use the Event Viewer tool, located in the Administrative Tools folder, to monitor
DHCP activity. Event Viewer stores events that are logged in the system log, application log,
and security log. The system log contains events that are associated with the operating
system. The application log stores events that pertain to applications running on the computer.
Events that are associated with auditing activities are logged in the security log. All events
that are DHCP-specific are logged in the System log. The DHCP system event log contains
events that are associated with activities of the DHCP service and DHCP server, such as when
the DHCP server started and stopped, when DHCP leases are close to being depleted, and
when the DHCP database is corrupt.
A few DHCP system event log IDs are listed below:
- Event ID 1037 (Information): Indicates that the DHCP server has begun to clean up the DHCP database.
- Event ID 1038 (Information): Indicates that the DHCP server cleaned up the DHCP database for unicast addresses:
  - 0 IP address leases were recovered.
  - 0 records were deleted.
- Event ID 1039 (Information): Indicates that the DHCP server cleaned up the DHCP database for multicast addresses:
  - 0 IP address leases were recovered.
  - 0 records were deleted.
- Event ID 1044 (Information): Indicates that the DHCP server has concluded that it is authorized to start, and is currently servicing DHCP client requests for IP addresses.
- Event ID 1042 (Warning): Indicates that the DHCP service running on the server has detected the following servers on the network.
- Event ID 1056 (Warning): Indicates that the DHCP service has determined that it is running on a domain controller, and no credentials are configured for DDNS registrations.
- Event ID 1046 (Error): Indicates that the DHCP service running on the server has determined that it is not authorized to start to service DHCP clients.

Using System Monitor to Monitor DHCP Activity


The System Monitor utility is the main tool for monitoring system performance. System
Monitor can track various processes on the Windows system in real time. The utility uses a
graphical display that you can use to view current data or log data. You can specify the
elements or components that should be tracked on the local computer and on remote computers.
You can determine resource usage by monitoring trends. System Monitor can be displayed in
a graph, histogram, or report format. System Monitor uses objects, counters and instances to
monitor the system.
System Monitor is a valuable tool when you need to monitor and troubleshoot DHCP
traffic being passed between the DHCP server and DHCP clients. Through System Monitor,
you can set counters to monitor:
- The DHCP lease process.
- The DHCP queue length.
- Duplicate IP address discards.
- DHCP server-side conflict attempts.

To start System Monitor:
1. Click Start, Administrative Tools, and then click Performance.
2. When the Performance console opens, open System Monitor.
The DHCP performance counters that you can monitor to track DHCP traffic are:
- Acks/sec indicates the rate at which DHCPACK messages are sent by the DHCP server.
- Active Queue Length indicates how many packets are in the DHCP queue for processing by the DHCP server.
- Conflict Check Queue Length indicates how many packets are in the DHCP queue that are waiting for conflict detection.
- Declines/sec indicates the rate at which the DHCP server receives DHCPDECLINE messages.
- Discovers/sec indicates the rate at which the DHCP server receives DHCPDISCOVER messages.
- Duplicates Dropped/sec indicates the rate at which duplicated packets are being received by the DHCP server.
- Informs/sec indicates the rate at which the DHCP server receives DHCPINFORM messages.
- Milliseconds per packet (Avg.) indicates the average time that the DHCP server takes to send a response.
- Nacks/sec indicates the rate at which DHCPNACK messages are sent by the DHCP server.
- Packets Expired/sec indicates the rate at which packets expire while waiting in the DHCP server queue.
- Packets Received/sec indicates the rate at which the DHCP server is receiving packets.
- Releases/sec indicates the rate at which DHCPRELEASE messages are received by the DHCP server.
- Requests/sec indicates the rate at which DHCPREQUEST messages are received by the DHCP server.

Using Network Monitor to Monitor DHCP Lease Traffic


You can use Network Monitor to monitor network traffic, and to troubleshoot network issues
or problems. The Network Monitor shipped with Windows Server 2003 allows you to monitor
network activity and use the gathered information to manage and optimize traffic, identify
unnecessary protocols, and detect problems with network applications and services. In
order to capture frames, you have to install the Network Monitor application and the Network
Monitor driver on the server where you are going to run Network Monitor. The Network
Monitor driver makes it possible for Network Monitor to receive frames from the network
adapter.
The two versions of Network Monitor are:
- The Network Monitor version included with Windows Server 2003: With this version of Network Monitor, you can monitor network activity only on the local computer running Network Monitor.
- The Network Monitor version (full) included with Microsoft Systems Management Server (SMS): With this version, you can monitor network activity on all devices on a network segment. You can capture frames from a remote computer, resolve device names to MAC addresses, and determine the user and protocol that is consuming the most bandwidth.

Because of these features, you can use Network Monitor to monitor and troubleshoot DHCP
lease traffic. You can use the Network Monitor version included in Windows Server 2003 to
capture and analyze the traffic being received by the DHCP server. Before you can use
Network Monitor to monitor DHCP lease traffic, you first have to install it. The Network
Monitor driver is automatically installed when you install Network Monitor.
How to install Network Monitor
1. Click Start, and then click Control Panel.
2. Click Add Or Remove Programs to open the Add Or Remove Programs dialog box.
3. Click Add/Remove Windows Components.
4. Select Management and Monitoring Tools and click the Details button.
5. On the Management and Monitoring Tools dialog box, select the Network Monitor
Tools checkbox and click OK.
6. Click Next when you are returned to the Windows Components Wizard.
7. If prompted during the installation process for additional files, place the Windows
Server 2003 CD-ROM into the CD-ROM drive.
8. Click Finish on the Completing the Windows Components Wizard page.
Capture filters disregard frames that you do not want to capture before they are stored in the
capture buffer. When you create a capture filter, you define settings that can be used to detect
the frames that you do want to capture. You can design capture filters in the Capture Window
to only capture specific DHCP traffic, by selecting Filter from the Capture menu. You can
also create a display filter after you have captured data. A display filter enables you to decide
what is displayed.
How to start a capture of DHCP lease traffic in Network Monitor
1. Open Network Monitor.
2. Use the Tools menu to click Capture, and then click Start.
3. If you want to examine captured data during the capture, select Stop And View from
the Capture menu.

Understanding DHCP Server log Files


DHCP server log files are comma-delimited text files. Each log entry represents one line of
text. Through DHCP logging, you can log many different events. A few of these events are
listed below:
- DHCP server events
- DHCP client events
- DHCP leasing
- DHCP rogue server detection events
- Active Directory authorization

The DHCP server log file format is depicted below. Each log file entry has the fields listed
below, and in this particular order as well:
- ID: This is the DHCP server event ID code. Event codes are used to describe information on the activity which is being logged.
- Date: The date when the particular log file entry was logged on your DHCP server.
- Time: The time when the particular log file entry was logged on your DHCP server.
- Description: This is a description of the particular DHCP server event.
- IP Address: This is the IP address of the DHCP client.
- Host Name: This is the host name of the DHCP client.
- MAC Address: This is the MAC address used by the DHCP client's network adapter.

DHCP server log files use reserved event ID codes. These event ID codes describe
information on the activities being logged. The actual log file only describes event ID codes
which are lower than 50.
A few common DHCP server log event ID codes are listed below:
- 00 indicates the log was started.
- 01 indicates the log was stopped.
- 02 indicates the log was temporarily paused due to low disk space.
- 10 indicates a new IP address was leased to a client.
- 11 indicates a lease was renewed by a client.
- 12 indicates a lease was released by a client.
- 13 indicates an IP address was detected to be in use on the network.
- 14 indicates a lease request could not be satisfied due to the scope's address pool being exhausted.
- 15 indicates a lease was denied.
- 16 indicates a lease was deleted.
- 17 indicates a lease was expired.
- 20 indicates a BOOTP address was leased to a client.
- 21 indicates a dynamic BOOTP address was leased to a client.
- 22 indicates a BOOTP request could not be satisfied due to the address pool of the scope for BOOTP being exhausted.
- 23 indicates a BOOTP IP address was deleted after confirming it was not being used.
- 24 indicates an IP address cleanup operation has started.
- 25 indicates IP address cleanup statistics.
- 30 indicates a DNS update request.
- 31 indicates DNS update failed.
- 32 indicates DNS update successful.

The following DHCP server log event ID codes are not described in the DHCP log file.
These DHCP server log event ID codes relate to the DHCP server's Active Directory
authorization status:
- 50 Unreachable domain: The DHCP server could not locate the applicable domain for its Active Directory installation.
- 51 Authorization succeeded: The DHCP server was authorized to start on the network.
- 52 Upgraded to a Windows Server 2003 operating system: The DHCP server was recently upgraded to a Windows Server 2003 OS; therefore, the unauthorized DHCP server detection feature (used to determine whether the server has been authorized in Active Directory) was disabled.
- 53 Cached authorization: The DHCP server was authorized to start using previously cached information. Active Directory was not visible at the time the server was started on the network.
- 54 Authorization failed: The DHCP server was not authorized to start on the network. When this event occurs, it is likely followed by the server being stopped.
- 55 Authorization (servicing): The DHCP server was successfully authorized to start on the network.
- 56 Authorization failure: The DHCP server was not authorized to start on the network and was shut down by the Windows Server 2003 OS. You must first authorize the server in the directory before starting it again.
- 57 Server found in domain: Another DHCP server exists and is authorized for service in the same Active Directory domain.
- 58 Server could not find domain: The DHCP server could not locate the specified Active Directory domain.
- 59 Network failure: A network-related failure prevented the server from determining if it is authorized.
- 60 No DC is DS enabled: No Active Directory DC was located. For detecting whether the server is authorized, a domain controller that is enabled for Active Directory is needed.
- 61 Server found that belongs to DS domain: Another DHCP server that belongs to the Active Directory domain was found on the network.
- 62 Another server found: Another DHCP server was found on the network.
- 63 Restarting rogue detection: The DHCP server is trying once more to determine whether it is authorized to start and provide service on the network.
- 64 No DHCP enabled interfaces: The DHCP server has its service bindings or network connections configured so that it is not enabled to provide service.

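The log format and event-code tables above, as an added example that is not part of the original text: a small Python parser for the seven-field audit log body that maps each ID code to its meaning and surfaces the codes a defender would want to act on (address conflicts, pool exhaustion, DNS update failures, authorization failures and other DHCP servers found). The sample log lines are constructed for illustration and are not a real capture.

```python
"""Parse Windows Server 2003 DHCP audit log lines and flag security-relevant events."""
import csv
import io
from dataclasses import dataclass
from typing import List

# Event ID codes as listed in the text. Codes below 50 are described in the log
# file itself; 50 and above relate to the server's Active Directory authorization.
EVENT_CODES = {
    "00": "Log started", "01": "Log stopped", "02": "Log paused (low disk space)",
    "10": "New lease", "11": "Lease renewed", "12": "Lease released",
    "13": "IP address detected in use on the network", "14": "Scope address pool exhausted",
    "15": "Lease denied", "16": "Lease deleted", "17": "Lease expired",
    "20": "BOOTP address leased", "21": "Dynamic BOOTP address leased",
    "22": "BOOTP address pool exhausted", "23": "BOOTP address deleted",
    "24": "Cleanup started", "25": "Cleanup statistics",
    "30": "DNS update request", "31": "DNS update failed", "32": "DNS update successful",
    "50": "Unreachable domain", "51": "Authorization succeeded",
    "52": "Upgraded to a Windows Server 2003 operating system", "53": "Cached authorization",
    "54": "Authorization failed", "55": "Authorization (servicing)", "56": "Authorization failure",
    "57": "Server found in domain", "58": "Server could not find domain", "59": "Network failure",
    "60": "No DC is DS enabled", "61": "Server found that belongs to DS domain",
    "62": "Another server found", "63": "Restarting rogue detection",
    "64": "No DHCP enabled interfaces",
}

# Codes worth surfacing to an operator: conflicts, exhausted pools, failed DNS
# updates, authorization failures and competing servers seen on the network.
ALERT_CODES = {"13", "14", "22", "31", "54", "56", "57", "61", "62"}


@dataclass
class DhcpEvent:
    """One audit log entry in the field order given in the text."""
    code: str
    date: str
    time: str
    description: str
    ip: str
    host: str
    mac: str

    @property
    def meaning(self) -> str:
        return EVENT_CODES.get(self.code, "Unknown event code")

    @property
    def is_alert(self) -> bool:
        return self.code in ALERT_CODES


def parse_audit_log(text: str) -> List[DhcpEvent]:
    """Parse the comma-delimited body: ID,Date,Time,Description,IP Address,Host Name,MAC Address.

    Any line whose first field is not a two-digit code (the column header and the
    explanatory text a real log file starts with) is skipped; short rows are padded.
    """
    events: List[DhcpEvent] = []
    for row in csv.reader(io.StringIO(text)):
        if not row or not (len(row[0]) == 2 and row[0].isdigit()):
            continue
        fields = [f.strip() for f in row] + [""] * (7 - len(row))
        events.append(DhcpEvent(*fields[:7]))
    return events


def alerts(events: List[DhcpEvent]) -> List[DhcpEvent]:
    """Return only the entries an operator should look at."""
    return [e for e in events if e.is_alert]


# Constructed sample log body (hypothetical hosts and addresses, not a real log).
SAMPLE_LOG = """\
ID,Date,Time,Description,IP Address,Host Name,MAC Address
00,03/14/05,08:00:01,Started,,,
10,03/14/05,08:05:12,Assign,192.168.10.21,WKS01.example.local,00AA11BB22CC
11,03/14/05,08:06:40,Renew,192.168.10.22,WKS02.example.local,00AA11BB22DD
13,03/14/05,08:07:03,Conflict,192.168.10.23,,00AA11BB22EE
14,03/14/05,08:09:55,Scope Full,192.168.10.0,,
62,03/14/05,08:10:30,Another server found,192.168.10.250,,
31,03/14/05,08:11:02,DNS Update Failed,192.168.10.21,WKS01.example.local,00AA11BB22CC
"""

if __name__ == "__main__":
    for e in alerts(parse_audit_log(SAMPLE_LOG)):
        print(f"{e.date} {e.time}  [{e.code}] {e.meaning}: {e.ip} {e.host} {e.mac}")
```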
How to change the DHCP log file location


1. Open the DHCP console.
2. Right-click the DHCP server node and select Properties from the shortcut menu.
3. The DHCP Server Properties dialog box opens.
4. Click the Advanced tab.
5. Change the audit log file location in the Audit Log File Path text box.
6. Click OK.
How to disable DHCP logging
1. Open the DHCP console.
2. Right-click the DHCP server node and select Properties from the shortcut menu.
3. The DHCP Server Properties dialog box opens.
4. On the General tab, clear the Enable DHCP Audit Logging checkbox to disable DHCP
server logging.
5. Click OK.

Troubleshooting the DHCP Client Configuration


A DHCP failure usually exists when the following events occur:
- A DHCP client cannot contact the DHCP server.
- A DHCP client loses connectivity.

When these events occur, one of the first tasks you need to perform is to determine whether
the connectivity issues occurred because of the actual DHCP client configuration, or whether
they occurred because of some other network issue. You do this by determining the address type
of the IP address of the DHCP client.
To determine the address type:
1. Use the Ipconfig command to determine if the client received an IP address lease from the DHCP server.
2. The client received an IP address from the DHCP server if the Ipconfig /all output displays:
   - DHCP as being enabled.
   - The address displayed as IP Address. It should not be displayed as Autoconfiguration IP Address.
3. You can also use the status dialog box for the network connection to determine the IP address type for the client.
4. To view this information, double-click the appropriate network connection in the Network Connections dialog box.
5. Click the Support tab.
6. The IP address type should be displayed as being Assigned By DHCP.

If, after the above checks, you can conclude that the IP address was assigned to the client by
the DHCP server, some other network issue is the cause of the DHCP server connectivity
issues being experienced. The issue is not due to an IP addressing issue on the client.
When clients have the incorrect IP address, it is probably due to the computer not being
able to contact the DHCP server. When this occurs, the computer assigns its own IP address
through Automatic Private IP Addressing (APIPA).
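The Ipconfig /all check described above, as an added Python example that is not part of the original text: it splits ipconfig /all output into adapter sections and classifies each address as assigned by DHCP, self-assigned through APIPA, or static, using the two signs the text gives (DHCP enabled, and IP Address rather than Autoconfiguration IP Address). The sample output is constructed; its labels follow the Windows Server 2003 layout.

```python
"""Classify the address type a DHCP client ended up with, from 'ipconfig /all' output."""
import ipaddress
import re
from typing import Dict, List

# Automatic Private IP Addressing (APIPA) range: a client that could not reach a
# DHCP server assigns itself an address from here.
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")


def parse_ipconfig(text: str) -> List[Dict[str, str]]:
    """Split ipconfig /all output into one dict per section.

    Unindented lines ('Windows IP Configuration', 'Ethernet adapter ...:') open a
    section; indented 'Label . . . . : value' lines fill it, with the dotted
    leader stripped from the label.
    """
    sections: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith((" ", "\t")):
            current = {"section": line.strip().rstrip(":")}
            sections.append(current)
        elif current and ":" in line:
            label, value = line.split(":", 1)
            current[re.sub(r"[ .]+$", "", label.strip())] = value.strip()
    return sections


def classify(adapter: Dict[str, str]) -> str:
    """Return 'dhcp', 'apipa', 'static' or 'none' following the checks in the text.

    A DHCP-assigned address appears as 'IP Address' with 'Dhcp Enabled' set to Yes;
    an 'Autoconfiguration IP Address' (169.254/16) means the server was never reached.
    """
    if "Autoconfiguration IP Address" in adapter:
        return "apipa"
    try:
        ip = ipaddress.ip_address(adapter.get("IP Address", ""))
    except ValueError:
        return "none"
    if ip in APIPA_NET:  # defensive: an APIPA address shown under 'IP Address'
        return "apipa"
    return "dhcp" if adapter.get("Dhcp Enabled", "").lower() == "yes" else "static"


def report(text: str) -> Dict[str, str]:
    """Map each adapter section that carries an address to its classification."""
    return {
        s["section"]: classify(s)
        for s in parse_ipconfig(text)
        if "IP Address" in s or "Autoconfiguration IP Address" in s
    }


# Constructed ipconfig /all output (hypothetical host and addresses, not a real capture).
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : WKS01
        Primary Dns Suffix  . . . . . . . : example.local

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : example.local
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.10.21
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        DHCP Server . . . . . . . . . . . : 192.168.10.1

Ethernet adapter Local Area Connection 2:

        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        Autoconfiguration IP Address. . . : 169.254.37.112
        Subnet Mask . . . . . . . . . . . : 255.255.0.0
"""

if __name__ == "__main__":
    for adapter, kind in report(SAMPLE_IPCONFIG).items():
        print(f"{adapter}: {kind}")
```

An "apipa" result points at the client never reaching a DHCP server; a "dhcp" result means the addressing is fine and the fault lies elsewhere on the network, as the text concludes.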
Computers could be unable to contact the DHCP server for a number of reasons:
- A problem might exist with the hardware or software of the DHCP server.
- A data-link protocol issue could be preventing the computer from communicating with the network.
- The DHCP server and the client are on different LANs and there is no DHCP Relay Agent. A DHCP Relay Agent enables a DHCP server to handle IP address requests of clients that are located on a different LAN.

When a DHCP client is assigned an IP address that is currently being used by another client,
then an address conflict has occurred.
The process that occurs to detect duplicate IP addresses is illustrated below:
1. When the computer starts, the system checks for any duplicate IP addresses.
2. The TCP/IP protocol stack is disabled on the computer when the system detects duplicate IP addresses.
3. An error message is shown that indicates the hardware address of the other system that this computer is in conflict with.
4. The computer that initially owned the duplicate IP address experiences no interruptions, and operates normally.
5. You have to reconfigure the conflicting computer with a unique IP address so that the TCP/IP protocol stack can be enabled on that particular computer again.
When address conflicts exist, a warning message is displayed:
- A warning is displayed in the system tray.
- A warning message is displayed in the System log, which you can view in Event Viewer.

Address conflicts usually occur under the following circumstances:
- You have competing DHCP servers in your environment: You can use the Dhcploc.exe utility to locate any rogue DHCP servers. The Dhcploc.exe utility is included with the Windows Support Tools. To solve the competing DHCP server issue, you have to locate the rogue DHCP servers, remove the necessary rogue DHCP servers, and then check that no two DHCP servers can allocate IP address leases from the same IP address range.
- A scope redeployment has occurred: You can recover from a scope redeployment through the following strategy:
  - Increase the conflict attempts on the DHCP server.
  - Renew your DHCP client leases.

One of the following methods can be used to renew your DHCP client leases:
- Use the Ipconfig /renew command.
- Use the Repair button of the status dialog box (Support tab) of the connection.

When you click the Repair button of the status dialog box (Support tab) of the connection to renew the DHCP client lease, the following process occurs:
1. A DHCPREQUEST message is broadcast on the network to renew your DHCP clients' IP address leases.
2. The ARP cache is flushed.
3. The NetBIOS cache is flushed.
4. The DNS cache is flushed.
5. The NetBIOS name and IP address of the client is registered again with the WINS server.
6. The computer name and IP address of the client is registered again with the DNS server.
You can enable server-side conflict detection through the following process:
1. Open the DHCP console.
2. Right-click the DHCP server in the console tree, and select Properties from the shortcut menu.
3. When the Server Properties dialog box opens, click the Advanced tab.
4. Set the number of times that the DHCP server should run conflict detection prior to leasing an IP address to a client.
5. Click OK.
A few troubleshooting strategies which you can use when a DHCP client cannot obtain an IP
address from the DHCP server are summarized below:
- Use the Ipconfig /renew command or the Repair button of the status dialog box (Support tab) of the connection to refresh the IP configuration of the client.
- Following the above, verify that the DHCP server is enabled, and that a configured DHCP Relay Agent exists in the broadcast range.
- If the client still cannot obtain an IP address from the DHCP server, check that the actual physical connection to the DHCP server or DHCP Relay Agent is operating correctly and is not broken.
- Verify the status of the DHCP server and DHCP Relay Agent.
- If the issue still persists after all the above checks have been performed, you might have an issue at the DHCP server or a scope issue might exist.
  - When troubleshooting the DHCP server:
    - Check that the DHCP server is installed and enabled.
    - Check that the DHCP server is correctly configured.
    - Verify that the DHCP server is authorized.
  - When troubleshooting the scope configured for the DHCP server:
    - Check that the scope is enabled.
    - Check whether all the available IP leases have already been assigned to clients.
A few troubleshooting strategies which you can use when a DHCP client obtains an IP
address from the incorrect scope are summarized below:
- First determine whether competing DHCP servers exist on your network. Use the Dhcploc.exe utility, included with the Windows Support Tools, to locate rogue DHCP servers that are allocating IP addresses to clients.
- If no rogue DHCP servers are located through the Dhcploc.exe utility, your next step is to verify that each DHCP server is allocating IP address leases from unique scopes. There should be no overlapping of the address space.
- If you have multiple scopes on your DHCP server, and the DHCP server is assigning IP addresses to clients on remote subnets, verify that the DHCP Relay Agent that is used to enable communication with the DHCP server has the correct address.

Troubleshooting the DHCP Server Configuration


If you have clients that cannot obtain IP addresses from the DHCP server, even though they
can contact the DHCP server, verify the following:
- Verify that the DHCP Server service is running on the particular server.
- Check the actual TCP/IP configuration settings on the DHCP server.
- If you are using the Active Directory directory service, verify that the DHCP server is authorized.
- The DHCP server could be configured with the incorrect scope. Check that the scope is correct on the DHCP server, and verify that it is active.

When you need to verify the configuration of the DHCP server, use the following process:
- First check that the DHCP server is configured with the correct IP address. The network ID of the address being used must be the same as that of the subnet for which the DHCP server is expected to assign IP addresses to clients.
- Verify the network bindings of the DHCP server. The DHCP server must be bound to the particular subnet. To check this:
  1. Open the DHCP console.
  2. Right-click the DHCP server in the console tree, and select Properties from the shortcut menu.
  3. When the Server Properties dialog box opens, click the Advanced tab.
  4. Click the Bindings button.
- Check that the DHCP server is authorized in Active Directory. You have to authorize the DHCP server in Active Directory so that it can provide IP addresses to your DHCP clients. To authorize the DHCP server:
  1. Open the DHCP console.
  2. In the console tree, expand the DHCP server node.
  3. Click the DHCP server that you want to authorize.
  4. Click the Action menu, and then select Authorize.
- Verify the scope configuration associated with the DHCP server:
  - Check that the scope is activated. To activate a scope:
    1. Open the DHCP console.
    2. Right-click the scope in the console tree, and select Activate from the shortcut menu.
  - Verify that the scope is configured with the correct IP address range.
  - Verify that there are available IP address leases which can be assigned to your DHCP clients.
  - Verify the exclusions which are specified in the address pool. Confirm that all exclusions are valid and necessary. You need to verify that no IP addresses are being unnecessarily excluded.
  - Verify the reservations which are specified. If you have a client that cannot obtain a reserved IP address, check whether the same address is also defined as an exclusion in the address pool. All reserved IP addresses must fall within the address range of the scope. Check too that the MAC addresses were successfully registered for all IP addresses that are reserved.
  - If you have DHCP servers that contain multiple scopes, check that each of these scopes is configured correctly.

Troubleshooting DHCP Database Issues


The DHCP service uses a number of database files to maintain DHCP-specific data or
information on IP address leases, scopes, superscopes, and DHCP options. The DHCP
database files that are located in the systemroot\System32\DHCP folder are listed below. These
files remain open while the DHCP service is running on the server. You should therefore not
change any of these files while the DHCP service is running.
- Dhcp.mdb: This is considered the main DHCP database file because it contains all scope information.
- Dhcp.tmp: This file contains a backup copy of the database file which was created during re-indexing of the DHCP database.
- J50.log: This log file contains changes before they are written to the DHCP database.
- J50.chk: This checkpoint file informs DHCP of those log files that still have to be recovered.

If you need to change the role of the DHCP server, and move its functions to another server,
it is recommended that you migrate the DHCP database to the new DHCP server. This
strategy prevents errors that occur when you manually attempt to recreate information in the
DHCP database of the destination DHCP server.
To migrate an existing DHCP database to a new DHCP server:
1. Open the DHCP console.
2. Right-click the DHCP server whose database you want to move to a different server, and select Backup from the shortcut menu.
3. When the Browse For Folder dialog box opens, select the folder to which the DHCP database should be backed up. Click OK.
4. To prevent the DHCP server from allocating new IP addresses to clients once the DHCP server database is backed up, you have to stop the DHCP server.
5. Open the Services console.
6. Double-click the DHCP Server service.
7. When the DHCP Server Properties dialog box opens, select Disable from the Startup Type drop-down list.
8. Copy the folder which contains the backup to the new DHCP server. You now have to restore the DHCP backup at the destination DHCP server.
9. Open the DHCP console.
10. Right-click the destination DHCP server for which you want to restore the DHCP database, and select Restore from the shortcut menu.
11. When the Browse For Folder dialog box opens, select the folder that contains the backup of the database that you want to restore. Click OK.
12. Click Yes when prompted to restore the database, and to stop and restart the DHCP service.
If your lease information in the DHCP database does not correspond to the actual IP
addresses leased to clients on the network, you can delete your existing database files and
commence with a clean (new) database. To do this:
1. Stop the DHCP service.
2. Remove all the DHCP database files from the systemroot\System32\DHCP folder.
3. Restart the DHCP service.
4. You can rebuild the contents of the database by reconciling the DHCP scopes. The DHCP console is used for this.
When DHCP database information is inconsistent with what is on the network, corrupt, or
when information is missing, you can reconcile DHCP data for the scopes to recover the
database. The DHCP service stores IP address lease data as follows:
- Detailed IP address lease information is stored in the DHCP database.
- Summary IP address lease information is stored in the DHCP database.

These sets of information are compared when scopes are reconciled. Before you can reconcile
the DHCP server's scopes, you first have to stop the DHCP service running on the server. You
can repair any inconsistencies which are detected by the comparison between the contents of
the DHCP database, and the contents of the Registry.

How to reconcile the DHCP database


1. Open the DHCP console.
2. Right-click the DHCP server for which you want to reconcile the DHCP database, and then select Reconcile All Scopes from the shortcut menu. The Reconcile All Scopes command also appears as an Action menu item.
3. When the Reconcile All Scopes dialog box opens, click Verify to start the DHCP database reconciliation process.
4. When no inconsistencies are reported, click OK.
5. When inconsistencies are detected, select the addresses which need to be reconciled, and then click Reconcile.
6. The inconsistencies are repaired.

How to reconcile a single scope


1. Open the DHCP console.
2. In the console tree, expand the DHCP server node that contains the scope which you want to reconcile.
3. Right-click the scope and then select Reconcile from the shortcut menu.
4. When the Reconcile All Scopes dialog box opens, click Verify to start the scope reconciliation process.
5. When no inconsistencies are detected, click OK.
6. When inconsistencies are detected, select the addresses which need to be reconciled, and then click Reconcile.
7. The inconsistencies are repaired.

=====================

What is RPC?
Microsoft Remote Procedure Call (RPC) is a powerful technology for creating distributed
client/server programs. RPC is an interprocess communication technique that allows client
and server software to communicate. The Microsoft RPC facility is compatible with the Open
Group's Distributed Computing Environment (DCE) specification for remote procedure calls
and is interoperable with other DCE-based RPC systems, such as those for the HP-UX and IBM
AIX UNIX-based operating systems.
Computer operating systems and programs have steadily gotten more complex over the years.
With each release, there are more features. The growing intricacy of systems makes it more
difficult for developers to avoid errors during the development process. Often, developers
create a solution for their system or application when a nearly identical solution has already
been devised. This duplication of effort consumes time and money and adds complexity to
already complex systems.
RPC is designed to mitigate these issues by providing a common interface between
applications. RPC serves as a go-between for client/server communications. RPC is designed
to make client/server interaction easier and safer by factoring out common tasks, such as
security, synchronization, and data flow handling, into a common library so that developers
do not have to dedicate time and effort to developing their own solutions.
Terms and Definitions

The following terms are associated with RPC.

Client
A process, such as a program or task, that requests a service provided by another program.
The client process uses the requested service without having to deal with many working
details about the other program or the service.

Server
A process, such as a program or task, that responds to requests from a client.

Endpoint
The name, port, or group of ports on a host system that is monitored by a server program for
incoming client requests. The endpoint is a network-specific address of a server process for
remote procedure calls. The name of the endpoint depends on the protocol sequence being
used.

Endpoint Mapper (EPM)
Part of the RPC subsystem that resolves dynamic endpoints in response to client requests and,
in some configurations, dynamically assigns endpoints to servers.

Client Stub
Module within a client application containing all of the functions necessary for the client to
make remote procedure calls using the model of a traditional function call in a
standalone application. The client stub is responsible for invoking the marshalling engine and
some of the RPC application programming interfaces (APIs).

Server Stub
Module within a server application or service that contains all of the functions necessary for
the server to handle remote requests using local procedure calls.
RPC Dependencies and Interactions

RPC is a client/server technology in the most generic sense. There is a sender and a receiver;
data is transferred between them. This can be classic client/server (for example,
Microsoft Outlook communicating with a server running Microsoft Exchange Server) or
system services within the computer communicating with each other. The latter is especially
common. Much of the Windows architecture is composed of services that communicate with
each other to accomplish a task. Most services built into the Windows architecture use RPC
to communicate with each other.
The following table briefly describes the services in Windows Server 2003 that depend on the
RPC system service (RPCSS).

Services That Depend on RPCSS

SERVICE - DESCRIPTION
Background Intelligent Transfer Service - Transfers data between clients and servers in the background.
COM+ Event System - Supports System Event Notification Service (SENS), which provides automatic distribution of events to subscribing Component Object Model (COM) components.
COM+ System Application - Manages the configuration and tracking of COM+-based components.
Cryptographic Services - Provides three management services: Catalog Database Service, which confirms the signatures of Windows files; Protected Root Service, which adds and removes Trusted Root Certification Authority certificates from this computer; and Key Service, which helps enroll this computer for certificates.
DHCP Server - Performs TCP/IP configuration for DHCP clients, including dynamic assignments of IP addresses, specification of the WINS and DNS servers, and connection-specific Domain Name System (DNS) names.
Distributed Link Tracking Client - Enables client programs to track linked files that are moved within an NTFS volume, to another NTFS volume on the same computer, or to an NTFS volume on another computer.
Distributed Link Tracking Server - Enables the Distributed Link Tracking Client service within the same domain to provide more reliable and efficient maintenance of links within the domain.
Distributed Transaction Coordinator - Coordinates transactions that span multiple resource managers, such as databases, message queues, and file systems.
DNS Server - Enables DNS clients to resolve DNS names by answering DNS queries and dynamic update requests.
Error Reporting Service - Collects, stores, and reports unexpected application failures to Microsoft.
File Replication Service - Allows files to be automatically copied and maintained simultaneously on multiple servers.
Help and Support - Enables Help and Support Center to run on the computer.
Human Interface Device Access - Enables generic input access to Human Interface Devices (HID), which activates and maintains the use of predefined hot buttons on keyboards, remote controls, and other multimedia devices.
Indexing Service - Indexes contents and properties of files on local and remote computers; provides rapid access to files through a flexible querying language.
IPSec Services - Provides end-to-end security between clients and servers on TCP/IP networks.
Kerberos Key Distribution Center - On domain controllers, enables users to log on to the network using the Kerberos authentication protocol.
Logical Disk Manager - Detects and monitors new hard disk drives and sends disk volume information to Logical Disk Manager Administrative Service for configuration.
Logical Disk Manager Administrative Service - Configures hard disk drives and volumes.
Messenger - Transmits net send and Alerter service messages between clients and servers. This service is not related to Windows Messenger.
Microsoft Software Shadow Copy Provider - Manages software-based volume shadow copies taken by the Volume Shadow Copy service.
Network Connections - Manages objects in the Network and Dial-Up Connections folder, in which you can view local area network (LAN) and remote connections.
Print Spooler - Manages all local and network print queues and controls all printing jobs.
Protected Storage - Protects storage of sensitive information, such as private keys, and prevents access by unauthorized services, processes, or users.
Remote Desktop Help Session Manager - Manages and controls Remote Assistance.
Remote Registry - Enables remote users to modify registry settings on a computer.
Removable Storage - Manages and catalogs removable media and operates automated removable media devices.
Resultant Set of Policy Provider - Enables a user to connect to a remote computer, access the Windows Management Instrumentation (WMI) database for that computer, and either verify the current Group Policy settings made for the computer or check settings before they are applied.
Routing and Remote Access - Enables multi-protocol LAN-to-LAN, LAN-to-wide area network (WAN), virtual private network (VPN), and network address translation (NAT) routing services for clients and servers on the network.
Security Accounts Manager - Upon startup, signals other services that the Security Accounts Manager (SAM) is ready to accept requests.
Shell Hardware Detection - Provides notifications for AutoPlay hardware events.
Task Scheduler - Enables a user to configure and schedule automated tasks on the computer.
Telephony - Provides Telephony API (TAPI) support for clients using programs that control telephony devices and IP-based voice connections.
Telnet - Enables a remote user to log on to a computer and run programs; supports various TCP/IP Telnet clients, including UNIX-based and Windows-based computers.
Terminal Services - Allows users to connect interactively to a remote computer. Remote Desktop, Fast User Switching, Remote Assistance, and Terminal Server depend on this service.
Terminal Services Session Directory - Enables a user connection request to be routed to the appropriate terminal server in a cluster.
Upload Manager - Manages the synchronous and asynchronous file transfers between clients and servers on the network.
Virtual Disk Service - Provides software volume and hardware volume management service.
Volume Shadow Copy - Manages and implements Volume Shadow Copies used for backup and other purposes.
Windows Audio - Manages audio devices for Windows-based programs.
Windows Image Acquisition (WIA) - Provides image acquisition services for scanners and cameras.
Windows Installer - Installs, repairs, and removes software according to instructions contained in .MSI files.
Windows Internet Name Service (WINS) - Resolves NetBIOS names for TCP/IP clients by locating network services that use NetBIOS names.
Windows Management Instrumentation - Provides a common interface and object model to access management information about operating system, devices, applications, and services. If this service is stopped, most Windows-based software will not function properly.
Wireless Configuration - Enables automatic configuration for IEEE 802.11 adapters.
WMI Performance Adapter - Provides performance library information from WMI providers to clients on the network.
==========================================================
Distributed File System - DFS

DFS makes it easier for administrators to let users access and manage files that are
physically distributed across a network.
With DFS, files distributed across multiple servers can appear to users as if they reside in
one place (one computer) on the network.

Benefits of DFS
1. Easy access:
Users need not remember multiple locations from where they get data; by remembering one
location they get access to all of the data.
2. Fault tolerance:
For the master DFS server we can have a replica (target) on another DFS server. If the master
DFS server fails, users can still continue accessing the data from the backup DFS server
(target). There is no interruption to accessing data.
3. Load balancing:
If all the DFS root servers and targets are working fine, it leads to load balancing.
This is achieved by specifying locations for separate users.
4. Security:
We can implement security by using NTFS settings.

DFS Terminology:
1. DFS root
2. DFS links
3. DFS targets
4. Domain DFS root
5. Stand-alone DFS root
Domain DFS root:
It is a server configured in the domain and offers fault tolerance and load balancing. It is a
root server, which maintains links from other file servers.
Requirements:
DC or Member Server
Stand-alone DFS root:
It is configured in a workgroup model and does not provide fault tolerance and load balancing.
DFS root:
The DFS root is the beginning of a hierarchy of DFS links that point to shared folders.
DFS link:
A link from a DFS root to one or more shared files or folders.
Targets:
The mapping destination of a DFS root or link, which corresponds to a physical folder that
has been shared.


Implementation of DFS
Creating a DFS root:
On DC
Create a folder in any drive
Share it
Give Everyone Full Control
Use the folder name as the DFS root
Create 2 more folders for links
Share them and give Everyone Full Control
Start > Programs > Administrative Tools > DFS
Right-click on DFS
New Root
Select Domain root
Domain name
Browse the server (DC)
Next, enter the root name
Browse the folder to share
Next > Finish
Implementing DFS links
On DC
Create 2 folders.
Share them and give Full Control permission
On Member Server, follow the same process
On DC
Start > Programs > Administrative Tools > DFS > right-click on DFS
New Link
Link name (e.g. Germany)
Browse the shared folder from DC
OK
Create all four links, two from DC and two from Member Server
Accessing the resources (links):
Either on DC or Member Server
\\domain name\DFS root name
ex: \\zoom.com\DFS root

Implementing a DFS target:
On DC
Open DFS
Right-click on the DFS root
Select New Root Target
Browse server name > Next
Browse folder to share
Next > Finish
Replication:
After configuring the target we can configure replication between the DFS root and the DFS
target, and this can be scheduled.
Types of replication topologies:
Ring topology
Hub and spoke topology
Mesh topology
Configuring replication between DFS root and target:
On DC
Open DFS
Right-click on the DFS root
Configure Replication > Next
Select topology
Finish

===================================
DiskPart Commands Guide

DiskPart is a text-mode command interpreter that enables you to manage objects (disks,
partitions, volumes, or virtual hard disks) by using scripts or direct input from a command
prompt. Before you can use DiskPart commands, you must first list, and then select an object
to give it focus. When an object has focus, any DiskPart commands that you type will act on
that object.
You can list the available objects and determine an object's number or drive letter by using
the list disk, list volume, list partition, and list vdisk commands. The list disk, list
vdisk and list volume commands display all disks and volumes on the computer. However,
the list partition command only displays partitions on the disk that has focus. When you use
the list commands, an asterisk (*) appears next to the object with focus.
When you select an object, the focus remains on that object until you select a different object.
For example, if the focus is set on disk 0 and you select volume 8 on disk 2, the focus shifts
from disk 0 to disk 2, volume 8. Some commands automatically change the focus. For
example, when you create a new partition, the focus automatically switches to the new
partition.
You can only give focus to a partition on the selected disk. When a partition has focus, the
related volume (if any) also has focus. When a volume has focus, the related disk and
partition also have focus if the volume maps to a single specific partition. If this is not the
case, focus on the disk and partition is lost.

DiskPart command list

The list of sub-commands for DiskPart is shown below. Some commands are not available
in Windows XP; they are indicated with an asterisk (*).
ACTIVE - Mark the selected partition as active.
ADD - Add a mirror to a simple volume.
ASSIGN - Assign a drive letter or mount point to the selected volume.
ATTRIBUTES - Manipulate volume or disk attributes.*
ATTACH - Attaches a virtual disk file.*
AUTOMOUNT - Enable and disable automatic mounting of basic volumes.*
BREAK - Break a mirror set.
CLEAN - Clear the configuration information, or all information, off the disk.
COMPACT - Attempts to reduce the physical size of the file.*
CONVERT - Convert between different disk formats.
CREATE - Create a volume, partition or virtual disk. (No virtual disk management in
Windows XP.)
DELETE - Delete an object.
DETAIL - Provide details about an object.
DETACH - Detaches a virtual disk file.*
EXIT - Exit DiskPart.
EXTEND - Extend a volume.
EXPAND - Expands the maximum size available on a virtual disk.*
FILESYSTEMS - Display current and supported file systems on the volume.*
FORMAT - Format the volume or partition.*
GPT - Assign attributes to the selected GPT partition.*
HELP - Display a list of commands.
IMPORT - Import a disk group.
INACTIVE - Mark the selected partition as inactive.
LIST - Display a list of objects.
MERGE - Merges a child disk with its parents.*
ONLINE - Online an object that is currently marked as offline.
OFFLINE - Offline an object that is currently marked as online.
RECOVER - Refreshes the state of all disks in the selected pack. Attempts recovery on disks
in the invalid pack, and resynchronizes mirrored volumes and RAID-5 volumes that have stale
plex or parity data.*
REM - Does nothing. This is used to comment scripts.
REMOVE - Remove a drive letter or mount point assignment.
REPAIR - Repair a RAID-5 volume with a failed member.
RESCAN - Rescan the computer looking for disks and volumes.
RETAIN - Place a retained partition under a simple volume.
SAN - Display or set the SAN policy for the currently booted OS.*
SELECT - Shift the focus to an object.
SETID - Change the partition type.*
SHRINK - Reduce the size of the selected volume.*
UNIQUEID - Displays or sets the GUID partition table (GPT) identifier or master boot
record (MBR) signature of a disk.*
=========================
Active Directory (AD) - Windows Server 2003
History of Active Directory

Active Directory was introduced to the world in the mid-1990s by Microsoft as a replacement
for Windows NT-style user authentication. Windows NT included a flat and non-extensible
domain model which did not scale well for large corporations. Active Directory, on the other
hand, was created as a true directory service versus the flat user-management service that NT
had. Though it was introduced in the 1990s, it did not become a part of the Operating System
until Windows 2000 Server was released in 2000. Since then, Windows Server
2003 and Server 2008 have been introduced and Active Directory has undergone some
expansion.
This tutorial is based on Windows Server 2003 as it is currently the most widely installed
version of the Windows network Operating System (NOS), though in the future we will
release versions for Windows Server 2008 and future Windows releases as it becomes
necessary. Though this tutorial is not focused on Windows Server 2008, much of the basic
knowledge and instruction relates to either OS.
LDAP
Active Directory is based loosely on LDAP (Lightweight Directory Access Protocol), an
application protocol for querying and modifying directory services developed at the
University of Michigan in the early 1990s. An LDAP directory tree is a hierarchical structure
of organizations, domains, trees, groups, and individual units.
Active Directory is a Directory
Sometimes, it's easy to get lost in all of the technology and
functions that are provided with AD and forget that Active Directory is a directory. It is a
directory in both the common use of the term, like a white pages (you can add in a person's
first name, last name, phone number, address, email address, etc), and a directory of
information for use by applications and services (such as Microsoft Exchange for email). AD
is functionally a place to store information about people, things (computers, printers, etc),
applications, domains, services, security access permissions, and more. Applications and
services then use the directory to perform a function.
For example, Microsoft Windows uses Active Directory information to allow a user to log in
to their computer and provide access to the security rights assigned in Active Directory.
Windows is accessing the directory and then providing rights based on what it finds. If a user
account is disabled in Active Directory, the directory itself is just setting a flag which
Windows uses to disallow a user from logging in.
We mentioned in the introduction that administrators use Active Directory to deploy
software; this is an incomplete description. Administrators can set policies and information
that a certain software application should be deployed to a certain user; AD itself does not
deploy the software, but a Windows service reads the information from Active Directory and
then installs the software.
======================

Flexible Single Master Operations (FSMO in AD)


Windows 2000/2003 Multi-Master Model
A multi-master enabled database, such as the Active Directory, provides the flexibility of
allowing changes to occur at any DC in the enterprise, but it also introduces the possibility of
conflicts that can potentially lead to problems once the data is replicated to the rest of the
enterprise.
One way Windows 2000/2003 deals with conflicting updates is by having a conflict
resolution algorithm handle discrepancies in values by resolving to the DC to which changes
were written last (that is, "the last writer wins"), while discarding the changes in all other
DCs. Although this resolution method may be acceptable in some cases, there are times when
conflicts are just too difficult to resolve using the "last writer wins" approach. In such cases,
it is best to prevent the conflict from occurring rather than to try to resolve it after the fact.
For certain types of changes, Windows 2000/2003 incorporates methods to prevent
conflicting Active Directory updates from occurring.

Windows 2000/2003 Single-Master Model


To prevent conflicting updates in Windows 2000/2003, the Active Directory performs updates
to certain objects in a single-master fashion.
In a single-master model, only one DC in the entire directory is allowed to process updates.
This is similar to the role given to a primary domain controller (PDC) in earlier versions of
Windows (such as Microsoft Windows NT 4.0), in which the PDC is responsible for
processing all updates in a given domain.
In a forest, there are five FSMO roles that are assigned to one or more domain controllers.
The five FSMO roles are:
Schema Master:
The schema master domain controller controls all updates and modifications to the schema.
Once the Schema update is complete, it is replicated from the schema master to all other DCs
in the directory. To update the schema of a forest, you must have access to the schema master.
There can be only one schema master in the whole forest.
Domain naming master:
The domain naming master domain controller controls the addition or removal of domains in
the forest. This DC is the only one that can add or remove a domain from the directory. It can
also add or remove cross references to domains in external directories. There can be only one
domain naming master in the whole forest.
Infrastructure Master:
When an object in one domain is referenced by another object in another domain, it
represents the reference by the GUID, the SID (for references to security principals), and the
DN of the object being referenced. The infrastructure FSMO role holder is the DC
responsible for updating an object's SID and distinguished name in a cross-domain object
reference. At any one time, there can be only one domain controller acting as the
infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a
Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it
will stop updating object information because it does not contain any references to objects
that it does not hold. This is because a Global Catalog server holds a partial replica of every
object in the forest.
As a result, cross-domain object references in that domain will not be updated and a warning
to that effect will be logged on that DC's event log. If all the domain controllers in a domain
also host the global catalog, all the domain controllers have the current data, and it is not
important which domain controller holds the infrastructure master role.
Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all domain controllers
in a particular domain. When a DC creates a security principal object such as a user or group,
it attaches a unique Security ID (SID) to the object.
This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative
ID (RID) that is unique for each security principal SID created in a domain. Each DC in a
domain is allocated a pool of RIDs that it is allowed to assign to the security principals it
creates.
When a DC's allocated RID pool falls below a threshold, that DC issues a request for
additional RIDs to the domain's RID master. The domain RID master responds to the request
by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of
the requesting DC. At any one time, there can be only one domain controller acting as the
RID master in the domain.
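The paragraph above says every security principal SID is a domain SID shared by the whole domain plus a RID that the issuing DC took from its RID pool. The following Python parser, an added example that is not part of this reference text, splits a SID string along exactly that boundary so that two principals can be checked for membership in the same domain and well-known RIDs (which are the same in every domain and never come from a RID pool) can be told apart from pool-assigned ones. All SID values in it are constructed for illustration, and the well-known RID table is deliberately limited to four entries.

```python
"""Split a Windows security identifier (SID) string into domain SID and RID.

Added example, not part of the original reference text. The SID strings used
below are constructed for illustration and belong to no real domain.
"""
import re
from typing import NamedTuple

# A SID string has the form S-<revision>-<identifier authority>-<sub-authorities>.
# For domain principals the authority is 5 (NT Authority), the first
# sub-authority is 21, the next three identify the domain, and the last one is
# the RID that a DC assigned from its RID pool.
_SID_RE = re.compile(r"^S-(?P<rev>\d+)-(?P<auth>\d+)(?P<subs>(?:-\d+)+)$")

# Well-known RIDs are identical in every domain and are never issued from a pool.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
}


class ParsedSid(NamedTuple):
    domain_sid: str  # S-1-5-21-<a>-<b>-<c>, shared by every principal in the domain
    rid: int         # relative identifier, unique within the domain
    label: str       # well-known account name, or "pool-assigned"


def parse_domain_sid(sid: str) -> ParsedSid:
    """Return (domain SID, RID, label) for a domain principal SID.

    Raises ValueError for strings that are not domain principal SIDs, for
    example the built-in local SIDs such as S-1-5-32-544 that have no domain part.
    """
    m = _SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a SID string: {sid!r}")
    subs = [int(x) for x in m.group("subs").split("-")[1:]]
    if m.group("auth") != "5" or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain principal SID: {sid!r}")
    rid = subs[-1]
    domain_sid = "S-%s-5-21-%d-%d-%d" % (m.group("rev"), subs[1], subs[2], subs[3])
    return ParsedSid(domain_sid, rid, WELL_KNOWN_RIDS.get(rid, "pool-assigned"))


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when both principal SIDs carry the same domain SID."""
    return parse_domain_sid(sid_a).domain_sid == parse_domain_sid(sid_b).domain_sid


if __name__ == "__main__":
    # Constructed sample SIDs (not real): built-in Administrator and an ordinary user.
    for s in ("S-1-5-21-1111111111-2222222222-3333333333-500",
              "S-1-5-21-1111111111-2222222222-3333333333-1105"):
        print(s, "->", parse_domain_sid(s))
```

A SID whose domain part matches but whose RID is outside the well-known set was issued from some DC's RID pool; when auditing accounts, that distinction separates the accounts every domain has from the ones somebody created.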
PDC Emulator:
The PDC emulator is necessary to synchronize time in an enterprise. Windows 2000/2003
includes the W32Time (Windows Time) time service that is required by the Kerberos
authentication protocol.
All Windows 2000/2003-based computers within an enterprise use a common time. The
purpose of the time service is to ensure that the Windows Time service uses a hierarchical
relationship that controls authority and does not permit loops to ensure appropriate common
time usage.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root
of the forest becomes authoritative for the enterprise, and should be configured to gather the
time from an external source.
All PDC FSMO role holders follow the hierarchy of domains in the selection of their inbound
time partner. In a Windows 2000/2003 domain, the PDC emulator role holder retains the
following functions:
1. Password changes performed by other DCs in the domain are replicated preferentially to the
PDC emulator.
2. Authentication failures that occur at a given DC in a domain because of an incorrect
password are forwarded to the PDC emulator before a bad password failure message is
reported to the user.
3. Account lockout is processed on the PDC emulator.
4. Editing or creation of Group Policy Objects (GPO) is always done from the GPO copy found
in the PDC Emulator's SYSVOL share, unless configured not to do so by the administrator.
5. The PDC emulator performs all of the functionality that a Microsoft Windows NT 4.0
Server-based PDC or earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all workstations, member
servers, and domain controllers that are running Windows NT 4.0 or earlier are upgraded
to Windows 2000/2003. The PDC emulator still performs the other functions as described in a
Windows 2000/2003 environment. At any one time, there can be only one domain controller
acting as the PDC emulator master in each domain in the forest.
================

Determining FSMO Role Holders


How can I determine who the current FSMO role holders are in my domain/forest?
Windows 2000/2003 Active Directory domains utilize a Single Operation Master method
called FSMO (Flexible Single Master Operation), as described in Understanding FSMO
Roles in Active Directory.
The five FSMO roles are:
Schema master - Forest-wide and one per forest.
Domain naming master - Forest-wide and one per forest.
RID master - Domain-specific and one for each domain.
PDC - PDC Emulator is domain-specific and one for each domain.
Infrastructure master - Domain-specific and one for each domain.
In most cases an administrator can keep the FSMO role holders (all 5 of them) in the same
spot (or actually, on the same DC) as has been configured by the Active Directory installation
process. However, there are scenarios where an administrator would want to move one or
more of the FSMO roles from the default holder DC to a different DC. The transferring
method is described in the Transferring FSMO Roles article, while seizing the roles from a
non-operational DC to a different DC is described in the Seizing FSMO Roles article.
In order to better understand your AD infrastructure and to know the added value that each
DC might possess, an AD administrator must have the exact knowledge of which one of the
existing DCs is holding a FSMO role, and what role it holds. With that knowledge in hand,
the administrator can make better arrangements in case of a scheduled shut-down of any
given DC, and better prepare him or herself in case of a non-scheduled cease of operation
from one of the DCs.
How to find out which DC is holding which FSMO role? Well, one can accomplish this task
by many means. This article will list a few of the available methods.

Method #1: Know the default settings


The FSMO roles were assigned to one or more DCs during the DCPROMO process. The
following table summarizes the FSMO default locations:
FSMO Role - Number of DCs holding this role - Original DC holding the FSMO role
Schema - One per forest - The first DC in the first domain in the forest (i.e. the Forest Root Domain)
Domain Naming - One per forest - The first DC in the first domain in the forest (i.e. the Forest Root Domain)
RID - One per domain - The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
PDC Emulator - One per domain - The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)
Infrastructure - One per domain - The first DC in a domain (any domain, including the Forest Root Domain, any Tree Root Domain, or any Child Domain)


Method #2: Use the GUI


The FSMO role holders can be easily found by use of some of the AD snap-ins. Use this table
to see which tool can be used for what FSMO role:
FSMO Role - Which snap-in should I use?
Schema - Schema snap-in
Domain Naming - AD Domains and Trusts snap-in
RID - AD Users and Computers snap-in
PDC Emulator - AD Users and Computers snap-in
Infrastructure - AD Users and Computers snap-in
Finding the RID Master, PDC Emulator, and Infrastructure Masters via GUI
To find out who currently holds the Domain-Specific RID Master, PDC Emulator, and
Infrastructure Master FSMO Roles:
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools
folder.
2. Right-click the Active Directory Users and Computers icon again and press Operation
Masters.
3. Select the appropriate tab for the role you wish to view.
4. When you're done click Close.
Finding the Domain Naming Master via GUI
To find out who currently holds the Domain Naming Master Role:
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools
folder.
2. Right-click the Active Directory Domains and Trusts icon again and press Operation
Masters.
3. When you're done click Close.
Finding the Schema Master via GUI
To find out who currently holds the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:
regsvr32 schmmgmt.dll
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. Click the Active Directory Schema icon. After it loads right-click it and press Operation
Masters.
8. Press the Close button.

Method #3: Use the Ntdsutil command


The FSMO role holders can be easily found by use of the Ntdsutil command.
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active
Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then
click OK.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS>ntdsutil
ntdsutil:
2. Type roles, and then press ENTER.
ntdsutil: roles
fsmo maintenance:
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?,
and then press ENTER.
3. Type connections, and then press ENTER.
fsmo maintenance: connections
server connections:
4. Type connect to server <servername>, where <servername> is the name of the server you
want to use, and then press ENTER.
server connections: connect to server server100
Binding to server100 ...
Connected to server100 using credentials of locally logged on user.
server connections:
5. At the server connections: prompt, type q, and then press ENTER again.
server connections: q
fsmo maintenance:
6. At the fsmo maintenance: prompt, type Select operation target, and then press ENTER
again.
fsmo maintenance: Select operation target
select operation target:
7. At the select operation target: prompt, type List roles for connected server, and then press
ENTER again.
select operation target: List roles for connected server
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:
8. Type q 3 times to exit the Ntdsutil prompt.
Note: You can download THIS nice batch file that will do all this for you (1kb).
Another Note: Microsoft has a nice tool called Dumpfsmos.cmd, found in the Windows 2000
Resource Kit (and can be downloaded here: Download Free Windows 2000 Resource Kit
Tools). This tool is basically a one-click Ntdsutil script that performs the same operation
described above.
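The role lines that Ntdsutil prints in step 7 each carry the holder's NTDS Settings distinguished name, so the DC and site holding a role are the second and fourth CN components. The following Python script is an added example, not part of this article and not one of Microsoft's tools: it parses that output into a role map, reports any of the five roles the server did not list, and tells you whether every role still sits on a single DC (the DCPROMO default the article describes, which matters before a scheduled shutdown of that DC). The sample output is constructed after the transcript above (SERVER100, dpetri.net, Default-First-Site-Name); SERVER200 is a hypothetical second DC used only to show the split-role case.

```python
"""Parse Ntdsutil's "List roles for connected server" output into a role map.

Added example, not part of the original article and not a Microsoft tool. The
sample output below is constructed after the article's transcript (SERVER100,
dpetri.net); SERVER200 is a hypothetical name for a second DC.
"""
import re
from typing import Dict, Optional, Set

# One line per role:
#   "<Role> - CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,CN=Configuration,..."
# Ntdsutil prints each DN on a single line; the article only wraps them for the page.
_ROLE_LINE = re.compile(
    r"^(?P<role>Schema|Domain|PDC|RID|Infrastructure)\s+-\s+"
    r"CN=NTDS Settings,CN=(?P<server>[^,]+),CN=Servers,CN=(?P<site>[^,]+),",
    re.MULTILINE,
)

# Scope of each role as the article describes it: two forest-wide, three per-domain.
ROLE_SCOPE = {
    "Schema": "forest",
    "Domain": "forest",
    "PDC": "domain",
    "RID": "domain",
    "Infrastructure": "domain",
}


def parse_fsmo_roles(output: str) -> Dict[str, Dict[str, str]]:
    """Return {role: {"server": ..., "site": ..., "scope": ...}} from Ntdsutil output."""
    roles: Dict[str, Dict[str, str]] = {}
    for m in _ROLE_LINE.finditer(output):
        role = m.group("role")
        roles[role] = {
            "server": m.group("server"),
            "site": m.group("site"),
            "scope": ROLE_SCOPE[role],
        }
    return roles


def missing_roles(roles: Dict[str, Dict[str, str]]) -> Set[str]:
    """Roles the connected server did not report (a healthy DC knows about all 5)."""
    return set(ROLE_SCOPE) - set(roles)


def single_holder(roles: Dict[str, Dict[str, str]]) -> Optional[str]:
    """DC name when every reported role sits on one DC, else None."""
    servers = {r["server"] for r in roles.values()}
    return servers.pop() if len(servers) == 1 else None


# Constructed sample modelled on the article's transcript (DNs on one line each).
SAMPLE_ALL_ON_ONE_DC = """\
select operation target: List roles for connected server
Server "server100" knows about 5 roles
Schema - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Domain - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
PDC - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
RID - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
Infrastructure - CN=NTDS Settings,CN=SERVER100,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=dpetri,DC=net
select operation target:
"""

# Hypothetical variant: the Infrastructure role has been moved to SERVER200.
SAMPLE_SPLIT = SAMPLE_ALL_ON_ONE_DC.replace(
    "Infrastructure - CN=NTDS Settings,CN=SERVER100",
    "Infrastructure - CN=NTDS Settings,CN=SERVER200",
)

if __name__ == "__main__":
    for name, text in (("all on one DC", SAMPLE_ALL_ON_ONE_DC), ("split", SAMPLE_SPLIT)):
        roles = parse_fsmo_roles(text)
        print(name, {r: v["server"] for r, v in roles.items()},
              "single holder:", single_holder(roles),
              "missing:", missing_roles(roles))
```

Feed it the saved console output of step 7 (or of the Dumpfsmos.cmd script mentioned above) and the result is a per-role holder list you can keep with the change record before transferring or seizing a role.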
================

Forest and Domain Functional Levels


Overview of Domain and Forest Functional Levels
Domain and forest functional levels provide the means by which you can enable additional
domain-wide and forest-wide Active Directory features, remove outdated backward
compatibility within your environment, and improve Active Directory performance and
security. In Windows 2000, the terminology used to refer to domain functional levels was
domain modes. Forests in Windows 2000 have one mode and domains can have the domain
mode set as either mixed mode or native mode. With Windows Server 2003 Active Directory
came the introduction of the Windows Server 2003 interim functional level and the
Windows Server 2003 functional level for both domains and forests. The four domain
functional levels that can be set for domain controllers are Windows 2000 mixed, Windows
2000 native, Windows Server 2003 interim, and Windows Server 2003. The default domain
functional level is Windows 2000 mixed. The three forest functional levels are Windows
2000, Windows Server 2003 interim, and Windows Server 2003. The default forest functional
level is Windows 2000.
When the Windows Server 2003 functional level is enabled in your environment,
additional Active Directory domain-wide and forest-wide features are automatically enabled.
The Windows Server 2003 functional level can be enabled in your environment when all
domain controllers are running Windows Server 2003. The Active Directory Domains And
Trusts console is used to raise the functional levels of domains and forests in Active
Directory.
Domain Functional Levels
When raising the domain functional level from Windows 2000 mixed to Windows 2000 native or
the Windows Server 2003 functional level, domain controllers are regarded as peers to each
other. What this essentially means is that the domain master concept no longer exists. It also
means that pre-Windows 2000 replication no longer exists. If you are considering raising the
domain functional level within your environment to Windows Server 2003, you should
remember that after the domain functional level is raised, you cannot add any Windows 2000
server to the particular domain.
Windows 2000 Mixed Domain Functional Level
Any newly installed domain controller operates in Windows 2000 mixed domain functional
level for the domain by default. This makes the Windows 2000 mixed domain functional
level the default functional level for all Windows Server 2003 domains. Windows 2000
mixed domain functional level enables the Windows Server 2003 domain controller to
operate together with Windows NT 4, Windows 2000, and Windows Server 2003 domain
controllers. The only Windows NT domain controllers supported are Windows NT backup
domain controllers (BDCs). Windows NT primary domain controllers do not exist in Active
Directory. In Active Directory, domain controllers act as peers to one another. Windows 2000
mixed domain functional level is usually used to migrate domain controllers from Windows
NT to Windows 2000 domain controllers.
You can raise the Windows 2000 mixed domain functional level to:
Windows 2000 native domain functional level
Windows Server 2003 domain functional level
The Active Directory domain features that are available in Windows 2000 mixed domain
functional level are listed below:
Local and Global groups
Distribution Groups
Distribution Group nesting
Global Catalog support
Up to 40,000 domain objects are supported
The Active Directory domain features that are not supported in Windows 2000 mixed domain
functional level are listed below:
Renaming domain controllers
Universal Groups
Security group nesting
SID History
Update logon timestamp
Group conversion between Security Groups and Distribution Groups
Users/Computers container redirection
Constrained delegation
User password support on the InetOrgPerson object

Windows 2000 Native Domain Functional Level
The Windows 2000 native domain functional level enables Windows Server 2003 domain
controllers to operate with Windows 2000 domain controllers and Windows Server
2003 domain controllers. This domain functional level is typically used to support domain
controller upgrades from Windows 2000 to Windows Server 2003. Windows NT 4.0 backup
domain controllers are not supported in the Windows 2000 native domain functional level.
Windows 2000 native cannot be lowered again to the Windows 2000 mixed domain
functional level.
You can raise the Windows 2000 native domain functional level to:
- Windows Server 2003 domain functional level

The Active Directory domain features that are available in Windows 2000 native domain
functional level are listed below:
- Local and Global groups
- Distribution Groups
- Distribution group nesting
- Security group nesting
- Universal Groups
- Group conversion between Security Groups and Distribution Groups
- Global Catalog support
- SID History
- Up to 1,000,000 domain objects are supported

The Active Directory domain features that are not supported in Windows 2000 native domain
functional level are listed below:
- Renaming domain controllers
- Update logon timestamp
- Users/Computers container redirection
- Constrained delegation
- User password support on the InetOrgPerson object

Windows Server 2003 Interim Domain Functional Level
Windows Server 2003 interim domain functional level enables domain controllers running
Windows Server 2003 to function in a domain containing both Windows NT 4.0 domain
controllers and Windows Server 2003 domain controllers. Domain controllers running
Windows 2000 are not supported in this domain functional level. You can only set this
domain functional level when upgrading from Windows NT to Windows Server 2003. In fact,
the Windows Server 2003 interim domain functional level can only be raised to the
Windows Server 2003 domain functional level. Windows Server 2003 interim domain
functional level is also typically used when you are not going to immediately upgrade
your Windows NT 4.0 backup domain controllers to Windows Server 2003, and when your
existing Windows NT domain has groups consisting of over 5,000 members.

The Active Directory domain features that are available in Windows Server
2003 interim domain functional level are listed below:
- Local and Global groups
- Distribution groups
- Distribution group nesting
- Global Catalog support
- Up to 40,000 domain objects are supported

The Active Directory domain features that are not supported in Windows Server
2003 interim domain functional level are listed below:
- Renaming domain controllers
- Universal Groups
- Security group nesting
- SID History
- Update logon timestamp
- Group conversion between Security Groups and Distribution Groups
- Users/Computers container redirection
- Constrained delegation
- User password support on the InetOrgPerson object

Windows Server 2003 Domain Functional Level
Windows Server 2003 domain functional level is the highest level that can be specified for a
domain. All domain controllers in the domain are running Windows Server 2003. This
basically means that Windows NT 4 and Windows 2000 domain controllers are not supported
in these domains. Once the domain level is set as Windows Server 2003 domain functional
level, it cannot be lowered to any of the previous domain functional levels.
All Active Directory domain features are available in Windows Server 2003 domain
functional level:
- Local and Global groups
- Distribution Groups
- Distribution group nesting
- Security group nesting
- Universal Groups
- Group conversion between Security Groups and Distribution Groups
- Global Catalog support
- SID History
- Up to 1,000,000 domain objects are supported
- Renaming domain controllers
- Update logon timestamp
- Users/Computers container redirection
- Constrained delegation
- User password support on the InetOrgPerson object

How to check which domain functional level is set for the domain
1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want to verify,
and select Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. You can view the existing domain functional level for the domain in Current
domain functional level.

How to raise the domain functional level to the Windows 2000 native domain functional
level or Windows Server 2003 domain functional level
Before you can raise the domain functional level to Windows Server 2003 domain functional
level, each domain controller in the domain has to be running Windows Server 2003.
To raise the domain functional level for a domain,
1. Open the Active Directory Domains And Trusts console.
2. Right-click the particular domain whose functional level you want to raise,
and select Raise Domain Functional Level from the shortcut menu.
3. The Raise Domain Functional Level dialog box opens.
4. Use the Select An Available Domain Functional Level list to choose the
domain functional level for the domain.
5. Click Raise.
6. Click OK.

Forest Functional Levels
While Windows 2000 has only one forest functional level, Windows Server 2003 has three
forest functional levels. Through the forest functional levels, you can enable forest-wide
Active Directory features in your Active Directory environment. The forest functional levels
are very much like the domain functional levels.
Windows 2000 Forest Functional Level
This is the default forest functional level, which means that all newly created Windows
Server 2003 forests have this level when initially created. The Windows 2000 forest
functional level supports Windows NT 4, Windows 2000 and Windows Server 2003 domain
controllers.
The Active Directory forest features that are available in Windows 2000 forest functional
level are listed below:
- Universal Group caching
- Application directory partitions
- Global Catalog replication enhancements
- Installations from backups
- The Active Directory quota feature
- SIS for system access control lists (SACL)

The Active Directory forest features that are not supported in Windows 2000 forest functional
level are listed below:
- Domain renaming
- Forest Trust
- Defunct schema objects
- Linked value replication
- Dynamic auxiliary classes
- Improved Knowledge Consistency Checker (KCC) replication algorithms
- Application groups
- InetOrgPerson objectClass
- NTDS.DIT size reduction

Windows Server 2003 Interim Forest Functional Level
Domain controllers in a domain running Windows NT 4 and Windows Server 2003 are
supported in the Windows Server 2003 interim forest functional level. This level is used
when upgrading from Windows NT 4 to Windows Server 2003. The functional level is also
configured when you are not planning to immediately upgrade your existing Windows NT 4
backup domain controllers, or when your existing Windows NT 4.0 domain has groups
consisting of over 5,000 members. No Windows 2000 domain controllers can exist if the
Windows Server 2003 interim forest functional level is set for the forest. The Windows
Server 2003 interim forest functional level can only be raised to the Windows Server 2003
forest functional level.
The Active Directory forest-wide features that are available in Windows Server 2003 interim
forest functional level are listed below:
- Universal Group caching
- Application directory partitions
- Global Catalog replication enhancements
- Installations from backups
- The Active Directory quota feature
- SIS for system access control lists (SACL)
- Improved Knowledge Consistency Checker (KCC) replication algorithms
- Linked value replication

The Active Directory forest features that are not supported in Windows Server 2003 interim
forest functional level are listed below:
- Domain renaming
- Forest Trust
- Defunct schema objects
- Dynamic auxiliary classes
- Application groups
- InetOrgPerson objectClass
- NTDS.DIT size reduction

Windows Server 2003 Forest Functional Level
All domain controllers in the forest have to be running Windows Server 2003 in order for the
forest functional level to be raised to the Windows Server 2003 forest functional level. What
this means is that no domain controller in the Active Directory forest can be running
Windows NT 4 or Windows 2000. In the Windows Server 2003 forest functional level, all
forest-wide Active Directory features are available, including the following:

- Domain renaming
- Forest Trust
- Defunct schema objects
- Dynamic auxiliary classes
- Application groups
- Universal Group caching
- Application directory partitions
- Global Catalog replication enhancements
- Installations from backups
- The Active Directory quota feature
- SIS for system access control lists (SACL)
- Improved Knowledge Consistency Checker (KCC) replication algorithms
- Linked value replication
- InetOrgPerson objectClass
- NTDS.DIT size reduction

How to check which forest functional level is set for the forest
1. Open the Active Directory Domains And Trusts console.
2. Right-click Active Directory Domains and Trusts in the console tree, and
select Raise Forest Functional Level from the shortcut menu.
3. The Raise Forest Functional Level dialog box opens.
4. You can view the existing forest functional level for the forest in Current
forest functional level.

How to raise the forest functional level to Windows Server 2003 forest functional level
Each domain controller in the forest has to be running Windows Server 2003 before you can
change the forest functional level to Windows Server 2003. When you raise the forest
functional level, all domains in the forest will automatically have their domain functional
level raised to Windows Server 2003.
To raise the forest functional level for a forest,
1. Open the Active Directory Domains And Trusts console.
2. Right-click Active Directory Domains And Trusts in the console tree, and
select Raise Forest Functional Level from the shortcut menu.
3. The Raise Forest Functional Level dialog box opens.
4. Click Raise.
5. Click OK.

Approaches for Raising Functional Levels
You can use one of the following approaches to move from the Windows 2000 mixed and
Windows 2000 native functional levels to the Windows Server 2003 functional level for the
entire forest:
- Windows 2000 native route: This approach involves raising the domain
functional level to Windows 2000 native, and then raising the forest functional
level to Windows Server 2003.
- Windows Server 2003 route: This approach involves raising the domain
functional level to Windows 2000 native, and then to the Windows Server 2003
functional level. The forest functional level is changed last, to
Windows Server 2003.

========================
Windows Active Directory Groups

Groups in AD

Groups are containers that contain user and computer objects within them as members. When
security permissions are set for a group in the Access Control List on a resource, all members
of that group receive those permissions. Domain Groups enable centralized administration in
a domain. All domain groups are created on a domain controller.
In a domain, Active Directory provides support for different types of groups and group
scopes. The group type determines the type of task that you manage with the group. The
group scope determines whether the group can have members from multiple domains or a
single domain.

Group Types
- Security groups: Use security groups for granting permissions to gain
access to resources. Sending an e-mail message to a group sends the
message to all members of the group. Therefore security groups share the
capabilities of distribution groups.
- Distribution groups: Distribution groups are used for sending e-mail
messages to groups of users. You cannot grant permissions to distribution
groups. Even though security groups have all the capabilities of
distribution groups, distribution groups are still required, because some
applications can only read distribution groups.

Group Scopes
Group scope describes which users should be grouped together in a way that is easy to
administer. Therefore, in a domain, groups play an important part. One group can be a
member of other group(s), which is known as group nesting. One or more groups can be
members of any group in the entire domain(s) within a forest.
- Domain Local Group: Use this scope to grant permissions to domain
resources that are located in the same domain in which you created the
domain local group. Domain local groups can exist in all mixed, native and
interim functional levels of domains and forests. Domain local group
memberships are not limited: you can add user accounts, universal groups and
global groups from any domain as members. Just to remember, nesting
cannot be done in a domain local group. A domain local group will not be a
member of another Domain Local or any other group in the same domain.
- Global Group: Users with a similar function can be grouped under global
scope and can be given permission to access a resource (like a printer or
shared folder and files) available in the local or another domain in the same
forest. To say it in simple words, global groups can be used to grant
permissions to gain access to resources which are located in any domain but
in a single forest, as their memberships are limited: user accounts and global
groups can be added only from the domain in which the global group is created.
Nesting is possible in global groups within other groups, as you can add a
global group into another global group from any domain. Finally, to provide
permission to domain-specific resources (like printers and published
folders), they can be members of a Domain Local group. Global groups exist
in all mixed, native and interim functional levels of domains and forests.
- Universal Group Scope: These groups are mainly used for e-mail
distribution and can be granted access to resources in all trusted domains,
as these groups can only be used as a security principal (security group
type) in a Windows 2000 native or Windows Server 2003 domain functional
level domain. Universal group memberships are not limited like global
groups: all domain user accounts and groups can be members of a
universal group. Universal groups can be nested under a global or Domain
Local group in any domain.

======================
Windows Server 2003 - NTDSutil Guide

NTDSutil is a Windows utility for configuring the heart of Active Directory. Ntdsutil.exe is a
command-line tool that provides management facilities for Active Directory. Use Ntdsutil to
perform database maintenance of Active Directory, to manage and control single master
operations, and to remove metadata left behind by domain controllers that were removed
from the network without being properly uninstalled. By default, Ntdsutil is installed in the
Winnt\System32 folder.
Preparation for NTDSutil
Begin by logging on at a Windows Server 2003 or 2008 server. We suggest that you create a
new folder to hold any logs that NTDSutil creates, for example D:\ntdsutil. Open a CMD
prompt, change directory to D:\ntdsutil and at the prompt type ntdsutil. Unsurprisingly, the
actual executable is called ntdsutil.exe and is found in the %systemroot%\system32 folder.
Key NTDSutil command
When you are experimenting with NTDSutil, if you get stuck remember these four little
words; they will make the difference between success and frustration:
Connect to Server Server3 (substitute your server for Server3)
Don't shorten the command to: Connect Server3 (remember the words 'to' and 'server').
Tip: If ever you are stuck in NTDSutil, simply type help.
Variety of NTDSutil tasks
Authoritative Restore - Major project, needs careful planning.
Configurable Settings - Not very interesting.
Domain Management - Specialist area. Create Naming Contexts and add replicas to the
Application Directory Partition of DNS.
Files - Available only if you boot the server into Directory Services Restore Mode. Checks
the integrity of NTDS.DIT and moves associated databases.
Roles - FSMO Maintenance. Which Domain Controller has which Single Operations
Master? Seize roles such as PDC Emulator. Good news: for once you do get a message
detailing the transfer you are about to make. My advice is to use Roles in conjunction with
netdom or the Active Directory snap-ins. My point is that I could not find a way of displaying
who holds which FSMO role with NTDSutil.
Reset DSRM password - If you don't know the server's Directory Services Restore Mode
password, then here is your chance to reset it to a password that you will remember.
Security Account Management - Check for duplicate SIDs.
Example 1: Security Account Management (Maintenance)
Let us start gently and check for duplicate SIDs. This experiment is more for gaining
experience of the NTDSutil interface than the probability of finding any duplicate SIDs. This
is what I typed at the command prompt, my commands are in bold:
E:\ntdsutil>ntdsutil
ntdsutil: security account management
Security Account Maintenance: connect to server Server3
Security Account Maintenance: check duplicate sid
...
Duplicate SID check completed successfully. Check dupsid.log for any duplicates
Security Account Maintenance:
1) In the above session I typed the full command security account management. However,
you can shorten commands thus: 'sec acc man'.
Incidentally, I am inventing these shorthand commands, in the sense that NTDSutil also
understands 'sec ac ma' or even 'secu a m'. NTDSutil works by analysing your letters, and if
there is only one possible interpretation then it fills in the gaps and returns the menu that you
asked for. For example, plain 'se' will not work because there is another command which
begins with se, Semantic.
2) When the command prompt shows Security Account Maintenance:, this is where you must
type 'connect to server Server3'. Be aware that even though I am sitting at Server3's console,
I must still remember this command: connect to server xyz.
3) When I type the instruction 'Check Duplicate SID', don't ask me why, but you cannot
shorten the command to 'chk dup sd'. Please just accept that you need the full words here.
4) As ever, read the screen and take note of dupsid.log. However, you have to quit NTDSutil,
or use Explorer, before you can attempt to read dupsid.log. My point is that you cannot issue
the command 'notepad dupsid.log' from within NTDSutil.

Example 2: Reset password for DSRM (Directory Services Restore Mode)
Here is where I challenge you to perform a real task. Once upon a time, when your Windows
Server 2003 was first installed, setup asked the installer for a separate Directory Services
Restore Mode password. 90% of administrators ignored the box or forgot the password. 50%
of administrators don't realize that this Directory Services Restore Mode password is
different from the normal Administrator password. The two can get out of sync because they
are stored in separate databases.
Now is your chance to reset the password that will be required if ever you need to restart the
server in Directory Services Restore Mode. In many ways this is an insignificant job; in other
ways it saves the frustration of being thwarted by not having the administrative password
for this context.

E:\ntdsutil>ntdsutil
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server Server3
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.
Reset DSRM Administrator Password: quit
ntdsutil: quit
E:\ntdsutil>
1) The key command to type: 'reset password on server Server3'.
If NTDSutil replies with 'Please type password for DS Restore Mode', then you know you
are in the correct place.
2) To escape from NTDSutil you need only type quit, possibly two or three times, to get back
to the command prompt.
======================

Responding to Operations Master Failures


The first step in responding to the unavailability of a domain controller that is an operations
master role owner is to determine the anticipated duration of the outage. If the outage is
expected to be brief, the recommended response is simply to wait for the role owner to
become available before performing a role-related function.
If the outage is longer, the correct response might be to seize the operations master role from
a domain controller. To seize a role is to move it without the cooperation of its current owner.

It is best to avoid seizing roles. The decision to seize an operations master role depends upon
the role and the expected length of the outage.
Primary Domain Controller Emulator Failures
The loss of a domain controller that holds the primary domain controller emulator role can be
visible to anyone, whether end users or administrators. Specifically, an end user running
Windows NT Workstation 3.51, or Windows NT 4.0, Windows 95, or Windows 98 without the
Active Directory client, cannot change their password without communicating with the
primary domain controller emulator. If the user's password has expired, the user is not able to
log on.
Therefore, you might need to repair a primary domain controller emulator failure quickly. If
the primary domain controller emulator is offline for a significant period of time and the
domain has users running Windows NT Workstation 3.51, or Windows NT 4.0, Windows 95,
or Windows 98 without the Active Directory client, or domain controllers running earlier
versions of Windows NT, you should seize the primary domain controller emulator role to the
Standby operations master domain controller.
The user interface for this seizure is similar to that of a normal operations master role
transfer, except it requires an extra confirmation from you. Agree to the confirmation only if
you know the current primary domain controller emulator will be offline for a significant
period. Later, when the original primary domain controller emulator domain controller comes
back online, transfer the role back to the original role owner.
Infrastructure Master Failures
Temporary loss of a domain's infrastructure master is not visible to end users, and is not
visible to you, as an administrator, unless you recently moved or renamed a large number of
accounts. Therefore, in most cases, a temporary loss of the infrastructure master is not a
problem worth fixing. If you anticipate a long outage of a domain's infrastructure master and
you need to repair it, first select a domain controller that is not a Global Catalog server and
that has good network connectivity to a Global Catalog server located in any domain.
Ideally, the domain controller you have chosen should be within the same site as a Global
Catalog server. It is not important that the new infrastructure master be near the previous one.
When you have selected the domain controller, seize the infrastructure master role to
this domain controller.
The user interface for this seizure is similar to that of a normal operations master role
transfer, except it requires an extra confirmation from you. Agree to the confirmation only if
you know that the current infrastructure master will be offline for a very long period. Later,
when the original infrastructure master comes back online, transfer the role back to the
original role owner.
Other Operations Master Failures
Temporary loss of the schema master, domain naming master, or RID master is ordinarily not
visible to end users, and does not usually inhibit your work as an administrator. Therefore,
this is usually not a problem worth fixing. However, if you anticipate an extremely long
outage of the domain controller holding one of these roles, you can seize that role to the
Standby operations master domain controller.
But, seizing any of these roles is a drastic step; one that you would take only when the outage
is permanent, as in the case when a domain controller is physically destroyed and cannot be
restored from backup media. A domain controller whose schema master, domain
naming master, or RID master role is seized must never come back online. Before proceeding
with the role seizure, you must ensure that the outage of this domain controller is permanent
by physically disconnecting the domain controller from the network.
The domain controller that seizes the role should be fully up-to-date with respect to updates
performed on the previous role owner. Because of replication latency, it is possible that
the domain controller might not be up-to-date.
To check the status of updates for a domain controller, you can use the Repadmin
command-line tool. The Repadmin command-line tool is a Resource Kit tool that performs
replication diagnostics. It is available on the Microsoft Windows 2000 Server installation CD.
Repadmin can determine whether a domain controller has the most current updates.
For more information about using the Repadmin tool, see Windows 2000 Support Tools Help,
which is included on the Windows 2000 Server CD and Active Directory Diagnostics,
Troubleshooting, and Recovery in this book.
For example, to make sure a domain controller is fully up-to-date, suppose that server05 is
the RID master of the domain reskit.com, server10 is the Standby operations
master domain controller, and server12 is the only other domain controller in the
reskit.com domain. Using the Repadmin tool, you would issue the following commands:
C:\> repadmin /showvector dc=reskit,dc=com server10.reskit.com
New-York\server05 @ USN 2604
San-Francisco\server12 @ USN 2706
C:\> repadmin /showvector dc=reskit,dc=com server12.reskit.com
New-York\server05 @ USN 2590
Chicago\server10 @ USN 3110
Note
In the previous example, user input is in bold type.
Ignore all output lines except those for server05. Server10's up-to-date status value with
respect to server05 (server05 @ USN 2604) is larger than server12's up-to-date status value
with respect to server05 (server05 @ USN 2590), making it safe for server10 to seize the
RID master role formerly held by server05. If the up-to-date status value for server10
were less than the value for server12, you would wait for normal replication to update
server10, or use the Repadmin tool's /sync /force commands to make the replication happen
immediately.
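The up-to-date comparison just described, as an added Python example (not a Microsoft tool and not from the Resource Kit): it parses the '<site>\<server> @ USN <n>' lines of repadmin /showvector output for the candidate and for every other domain controller, and reports whether the candidate is at least as current as each of them with respect to the failed role owner. The sample vectors are the two from the text, embedded inline as constructed input.

```python
"""Decide from 'repadmin /showvector' output whether a standby DC is at least as
up to date as the other DCs with respect to a failed role owner.
Added example; it is not part of Repadmin or Ntdsutil."""
import re

# Constructed sample input: the two vectors shown in the text above.
VECTOR_SERVER10 = """\
New-York\\server05 @ USN 2604
San-Francisco\\server12 @ USN 2706
"""
VECTOR_SERVER12 = """\
New-York\\server05 @ USN 2590
Chicago\\server10 @ USN 3110
"""

# One vector entry: '<site>\<server> @ USN <n>'; any trailing text is ignored.
_ENTRY = re.compile(r"^\s*(?P<site>[^\\\s]+)\\(?P<server>\S+)\s+@\s+USN\s+(?P<usn>\d+)")


def parse_showvector(text):
    """Return {server (lowercase): usn} from /showvector output.
    Lines that are not vector entries (headers, blanks) are skipped."""
    vector = {}
    for line in text.splitlines():
        match = _ENTRY.match(line)
        if match:
            vector[match.group("server").lower()] = int(match.group("usn"))
    return vector


def usn_for(vector, source):
    """Highest USN this DC has applied from 'source', or None if never replicated."""
    return vector.get(source.lower())


def safe_to_seize(candidate_vector, other_vectors, failed_owner):
    """Return (ok, report).

    ok is True when the candidate's USN for failed_owner is >= the USN every
    other DC holds for it, i.e. no other DC has seen later updates from the
    failed owner. other_vectors maps DC name -> parsed vector.
    """
    mine = usn_for(candidate_vector, failed_owner)
    if mine is None:
        return False, f"candidate has no vector entry for {failed_owner}"
    ok = True
    lines = []
    for name, vector in other_vectors.items():
        theirs = usn_for(vector, failed_owner)
        if theirs is None:
            lines.append(f"{name}: no entry for {failed_owner}, skipped")
            continue
        behind = mine < theirs
        ok = ok and not behind
        lines.append(f"{name} has {failed_owner} @ USN {theirs}; candidate has {mine}"
                     f" -> {'BEHIND, wait or /sync /force' if behind else 'ok'}")
    return ok, "\n".join(lines)


if __name__ == "__main__":
    v10 = parse_showvector(VECTOR_SERVER10)
    v12 = parse_showvector(VECTOR_SERVER12)
    ok, report = safe_to_seize(v10, {"server12": v12}, "server05")
    print(report)
    print("server10 may seize RID master:", ok)
```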
After you have determined that the role owner is fully up-to-date, you can seize the
operations master role using the Ntdsutil tool as in the following example:
C:\> ntdsutil
ntdsutil: roles
fsmo maintenance: connections
server connections: connect to server10.reskit.com
binding to server10.reskit.com
Connected to server10.reskit.com
using credentials of locally logged on user
server connections: quit
fsmo maintenance: seize RID master
Server server10.reskit.com knows about 5 roles
Schema CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain CN=NTDS Settings,CN=server04,CN=Servers,
CN=New-York,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID CN=NTDS Settings,CN=server10,CN=Servers,
CN=Chicago,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure CN=NTDS Settings,CN=server12,CN=Servers,
CN=San-Francisco,CN=Sites,CN=Configuration,DC=reskit,DC=com
fsmo maintenance: quit
ntdsutil: quit
C:\>
Note
In the previous example, user input is in bold type.
For more information about specific procedures for using the Ntdsutil command-line tool, see
Windows 2000 Support Tools Help, which is included on the Windows 2000
Server installation CD.
Using the Ntdsutil Tool for Role Placement
The Ntdsutil tool allows you to transfer and seize operations master roles. The Ntdsutil tool
might be more convenient for operations master transfers and seizures than the graphical user
interface tools, because it is simpler and quicker to enter commands than to use multiple
windows.
To perform seizures of the schema master, domain naming master, and RID master roles, the
Ntdsutil tool is the required method.

When you use the Ntdsutil command-line tool to seize an operations master role, the tool
attempts a transfer from the current role owner first. Then, if the existing operations master is
unavailable, it performs the seizure. The Ntdsutil tool provides help information when you
type a question mark (?). The following is an example showing the transfer of the domain
naming master role (with user input shown in bold type):
C:\> ntdsutil
ntdsutil: ?
? Print this help information
Authoritative restore Authoritatively restore the DIT database
Domain management Prepare for new domain creation
Files Manage NTDS database files
Help Print this help information
IPDeny List Manage LDAP IP Deny List
LDAP policies Manage LDAP protocol policies
Metadata cleanup Clean up objects of decommissioned servers
Popups %s (en/dis)able popups with on or off
Quit Quit the utility
Roles Manage NTDS role owner tokens
Security account management Manage Security Account Database Duplicate SID
Cleanup
Semantic database analysis Semantic Checker
ntdsutil: roles
fsmo maintenance: ?
? Print this help information
Connections Connect to a specific domain controller
Help Print this help information
Quit Return to the prior menu
Seize domain naming master Overwrite domain role on connected server
Seize infrastructure master Overwrite infrastructure role on connected server
Seize PDC Overwrite PDC role on connected server
Seize RID master Overwrite RID role on connected server
Seize schema master Overwrite schema role on connected server
Select operation target Select sites, servers, domains, roles and Naming Contexts
Transfer domain naming master Make connected server the domain naming master
Transfer infrastructure master Make connected server the infrastructure master
Transfer PDC Make connected server the PDC
Transfer RID master Make connected server the RID master
Transfer schema master Make connected server the schema master

fsmo maintenance: connections


server connections: ?
? Print this help information
Clear creds Clear prior connection credentials
Connect to domain %s Connect to DNS domain name
Connect to server %s Connect to server, DNS name or IP address
Help Print this help information
Info Show connection information
Quit Return to the prior menu
Set creds %s %s %s Set connection creds as domain, user, pwd
Use NULL for null password
server connections: connect to server reskit1
Binding to reskit1
Connected to reskit1 using credentials of locally logged on user
server connections: quit
fsmo maintenance: transfer domain naming master
Server reskit1 knows about 5 roles
Schema CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Domain CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
PDC CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
RID CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
Infrastructure CN=NTDS Settings,CN=RESKIT1,CN=Servers,CN=Washington,CN=Sites,CN=Configuration,DC=reskit,DC=com
fsmo maintenance: quit
ntdsutil: quit
Disconnecting from reskit1
C:\>
In the previous example, the available Ntdsutil commands display after entering a question mark
(?). To transfer an operations master role, enter the roles command, which displays the fsmo
maintenance menu; entering a question mark (?) there lists the subcommands of that menu. Before
transferring a role, you must connect to the domain controller that will receive the role (reskit1
in the example) by entering the connect to server subcommand of the connections menu. After
leaving server connections mode with quit, issue the transfer domain naming master command. A
confirmation pop-up window (not shown) appears for the transfer operation. A transfer requires the
current role holder to be online; if that domain controller is permanently unavailable, the seize
commands in the same menu must be used instead, and the old holder must never be returned to the
network while it still believes it owns the role.
Note
You must have sufficient permissions to execute commands using the Ntdsutil tool. For more
information about controlling access to operations master role placements, see Controlling
Access to Role Placements later in this chapter.
You can also view the current operations master role owners with the Ntdsutil command-line
tool from the Select Operation Target menu under the Roles option: the List roles for connected
server command lists the current owner of every operations master role.
For more information about using the Ntdsutil command-line tool, see Windows 2000
Support Tools Help, which is included on the Windows 2000 Server installation CD.
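The same role listing and transfer, as an added example in PowerShell that is not part of the original reference. It assumes the domain controller reskit1 from the transcript above and the ActiveDirectory PowerShell module (RSAT on Windows Server 2008 R2 or later), which is newer than the Windows 2000 Support Tools the text describes; the non-interactive ntdsutil call is the same menu walk as the transcript, passed one menu command per argument.

```powershell
# Added example: list, transfer and verify operations master (FSMO) roles.
# Assumes: a DC named reskit1 (from the text) and the ActiveDirectory module
# (RSAT / Windows Server 2008 R2 or later), newer than the Windows 2000 tooling
# the text describes.
Import-Module ActiveDirectory
$Target = 'reskit1'

# 1. Non-interactive ntdsutil: one argument per menu command. Each "quit"
#    climbs one menu level (select operation target -> fsmo maintenance -> ntdsutil).
ntdsutil 'roles' 'connections' "connect to server $Target" 'quit' `
         'select operation target' 'list roles for connected server' 'quit' `
         'quit' 'quit'

# 2. The same five role holders through the AD module. Schema and domain
#    naming master are forest-wide; PDC, RID and infrastructure are per domain.
function Get-FsmoHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'PDC emulator'          = $domain.PDCEmulator
        'RID master'            = $domain.RIDMaster
        'Infrastructure master' = $domain.InfrastructureMaster
    }
}
Get-FsmoHolder | Format-Table -AutoSize

# 3. Transfer (not seize): the current holder must be online so it hands the
#    role over cleanly. Enterprise Admins is needed for the two forest-wide
#    roles, Domain Admins for the three domain roles.
Move-ADDirectoryServerOperationMasterRole -Identity $Target `
    -OperationMasterRole DomainNamingMaster -Confirm:$false

# Only when the old holder is permanently gone: -Force seizes the role.
# Do not bring the old holder back online afterwards without demoting it,
# or two DCs will each believe they own the role.
# Move-ADDirectoryServerOperationMasterRole -Identity $Target `
#     -OperationMasterRole DomainNamingMaster -Force

# 4. Confirm the role actually moved before trusting the transfer.
if ((Get-ADForest).DomainNamingMaster -notlike "$Target.*") {
    throw "Domain naming master is not $Target"
}
```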
================

Active Directory Trust Relationships


In Active Directory, when a trust relationship exists between two domains, the users and
computers in one domain can access resources residing in the other domain. The characteristics of
the trust relationships supported in Windows Server 2003 are outlined below:

Trusts can be nontransitive or transitive:

- Transitive trusts: A transitive trust extends beyond the two domains that created it. Where
  Domain1 trusts Domain2, and Domain2 trusts Domain3, Domain1 also trusts Domain3.

- Nontransitive trusts: The trust relationship ends with the two domains between which the
  particular trust is created.

Trusts can be one-way or two-way:

- One-way trusts: Depending on the direction of the trust, a one-way trust is either an incoming
  trust or an outgoing trust, and it can be transitive or nontransitive:

  - Incoming trust: The trust is created in the trusted domain. Users in the trusted domain can
    access network resources in the trusting (other) domain, but users in the other domain cannot
    access network resources in the trusted domain.

  - Outgoing trust: Users in the other domain can access network resources in the initiating
    domain, but users in the initiating domain cannot access resources in the other domain.

- Two-way trusts: A two-way trust relationship means that where Domain1 trusts Domain2, Domain2
  also trusts Domain1. The trust works in both directions, and users in each domain can access
  network resources in either domain. The trust between parent and child domains in a domain tree
  is a two-way, transitive trust: where Domain1 trusts Domain2 and Domain2 trusts Domain3, Domain1
  trusts Domain3 and Domain3 trusts Domain1. Two-way, transitive trust is the default relationship
  between domains in a tree; it is created automatically and also exists between the root domains
  of the trees in a forest.

Trusts can be implicit or explicit:

- Implicit: Automatically created trust relationships are called implicit trusts. An example is
  the two-way, transitive trust that Active Directory creates between a parent domain and a child
  domain.

- Explicit: Manually created trust relationships are referred to as explicit trusts.

Types of Active Directory Trust Relationships

- Parent/child trust: A parent/child trust relationship exists between two domains in Active
  Directory that share a contiguous DNS namespace and belong to the same forest. This trust is
  established automatically when a child domain is created in a domain tree.

- Tree root trust: A tree root trust relationship exists between the root domains of the trees in
  the same forest. The root domains do not share a DNS namespace. This trust is established
  automatically when a new tree root domain is added to a forest.

- Shortcut trust: This trust relationship can be configured between two domains in the same
  forest, typically domains in different domain trees. Shortcut trust is used to improve user
  logon times by shortening the trust path.

- External trust: External trust relationships are created between an Active Directory domain
  and a Windows NT 4 domain, or between Active Directory domains in different forests.

- Realm trust: A realm trust relationship exists between an Active Directory domain and a
  non-Windows Kerberos realm.

- Forest trust: Forest trust can be created between two Active Directory forests.

==================

Planning Considerations for Trust Relationships


Tree-root trust and parent-child trust are implicitly created by Active Directory when new
domains are created. You do not need to explicitly create these trusts, nor do you have to perform
any configuration or management tasks for them. Shortcut trust, realm trust, external trust and
forest trust differ from tree-root and parent-child trust in that these four types have to be
explicitly created and managed. Because of the different types of trust relationship that can be
created, you need to plan which type to create for the domains within your Active Directory
environment.
Shortcut Trust

Before you can create a shortcut trust, you must be a member of the Enterprise Admins group, or
of the Domain Admins group in each of the two domains. Another requirement is that the domains
you are creating the shortcut trust for are Windows Server 2003 domains that reside in the same
forest. As mentioned earlier, shortcut trust is usually created to speed up authentication
between two domains in different trees but within the same forest.
Shortcut trust can be a one-way transitive trust or a two-way transitive trust. What a shortcut
trust does is shorten the trust path traversed for authentication requests made between domains
of different trees. Shortcut trust is typically configured in a complex forest where users
continually need to access resources of domains belonging to different trees. Shortcut trust
improves query response performance as well.

You would create a one-way shortcut trust when the optimized trust path is only needed for
one of the domains in the trust. The other domain's users would still traverse the full trust
path for their authentication requests.

You would create a two-way shortcut trust when the users in each domain need to use the
shortened trust path for authentication requests.
The Active Directory tool that you use to create shortcut trust is the Active Directory Domains
and Trusts console. The console enables you to specify the authentication level separately for the
incoming and the outgoing side of the trust. With selective authentication, users from the other
domain can authenticate only to the computers on which you have explicitly granted them the
Allowed to Authenticate permission, so you must grant access for every resource those users should
reach. With domain-wide authentication, users from the other domain are authenticated by every
computer in the local domain and receive whatever access the local domain grants to Authenticated
Users, exactly as local users do.
Realm Trust

In order to create a realm trust, you need Enterprise Admins or Domain Admins permissions for
the Windows Server 2003 domain, and you need the permissions required by the non-Windows Kerberos
version 5 realm. You would typically create a realm trust to enable trust between a Windows Server
2003 domain and a non-Windows Kerberos version 5 realm, such as an MIT Kerberos realm running on
UNIX. Realm trust can be created as either transitive or nontransitive, and as either one-way or
two-way.
External Trust

To create a one-way or two-way external trust, you need to be a member of Enterprise Admins or
Domain Admins in the Windows Server 2003 domain and a member of Enterprise Admins or Domain Admins
in the other domain.
Recall from the earlier discussion that external trust is always nontransitive and is typically
used to enable trust between an Active Directory domain and a down-level Windows NT 4 domain. When
the external trust is created, security principals (users, groups, computers) from the external
domain are able to access network resources in the internal domain (the Windows Server 2003
domain). The foreign security principals can be examined in the Active Directory Users and
Computers console, in the ForeignSecurityPrincipals container; the only requirement is that
Advanced Features is enabled. You can define the authentication level differently for incoming
external trusts and outgoing external trusts.
Forest Trust

You need to belong to the Enterprise Admins group in each forest between which you want to create
a forest trust. In addition, each forest, and the domains within it, must be raised to the Windows
Server 2003 functional level.
Forest trust is typically created when enterprises merge or takeovers occur, and each company
within the enterprise still needs to maintain some form of administrative independence. This trust
relationship enables users to access Active Directory objects in all domains of the two forests
joined by the forest trust. Forest trust is transitive between the domains of the two forests, but
it does not extend to a third forest that one of them trusts, and it can be one-way or two-way.
You would create a one-way forest trust when users in the trusted forest need to access Active
Directory objects in the trusting forest, but users in the trusting forest do not need to access
resources in the trusted forest. You would create a two-way forest trust when users in either
forest need to access resources hosted in the other forest.
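An audit of the trust properties discussed in this and the previous section (type, direction, transitivity, authentication level), as an added example in PowerShell that is not part of the original reference. It assumes the ActiveDirectory module (RSAT on Windows Server 2008 R2 or later), the local domain reskit.com from this document, and a hypothetical external partner domain named partner.example; the netdom switches shown are the documented /selectiveauth and /quarantine options.

```powershell
# Added example: report the trusts of the current domain and flag those that
# let a partner's users in under domain-wide authentication.
# Assumes the ActiveDirectory module (Windows Server 2008 R2+ / RSAT).
# partner.example is a hypothetical trust partner; reskit.com is from the text.
Import-Module ActiveDirectory

function Get-TrustReport {
    Get-ADTrust -Filter * -Properties * | ForEach-Object {
        [pscustomobject]@{
            Partner       = $_.Name
            Type          = $_.TrustType               # Uplevel (AD), Downlevel (NT 4), MIT (realm)
            Direction     = $_.Direction               # Inbound, Outbound, BiDirectional
            IntraForest   = $_.IntraForest             # parent/child, tree-root, shortcut
            ForestWide    = $_.ForestTransitive        # true on forest trusts
            SelectiveAuth = $_.SelectiveAuthentication # false = domain-wide authentication
            # SID filtering ("quarantine") strips SIDs that do not belong to the
            # partner from its users' tokens; keep it on for external/forest trusts.
            SidFiltering  = $_.SIDFilteringQuarantined -or $_.SIDFilteringForestAware
        }
    }
}

$report = Get-TrustReport
$report | Format-Table -AutoSize

# Direction is from the local domain's point of view: Outbound (or BiDirectional)
# means the local domain trusts the partner, so the partner's users authenticate
# here. Combined with domain-wide authentication they become Authenticated Users
# on every computer in reskit.com, so make that an explicit decision.
$report |
    Where-Object { -not $_.IntraForest -and $_.Direction -ne 'Inbound' -and -not $_.SelectiveAuth } |
    ForEach-Object { Write-Warning "Trust to $($_.Partner) uses domain-wide authentication" }

# Tighten an external trust: switch the trusting domain (reskit.com) to selective
# authentication and make sure SID filtering is on. The partner's users then reach
# only computers on which they hold the "Allowed to Authenticate" permission.
netdom trust reskit.com /domain:partner.example /selectiveauth:yes
netdom trust reskit.com /domain:partner.example /quarantine:yes

# Cross-check with the built-in tool (also present on Windows 2000/2003).
nltest /domain_trusts /all_trusts
```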

================

Understanding Windows Group Policy

Introduction

This document is part of a set of step-by-step guides that introduce IT managers and system
administrators to the features of the Windows 2000 operating system. This document
presents a brief overview of Group Policy, and shows how to use the Group Policy snap-in to
specify policy settings for groups of users and of computers. It includes information on:

Configuring the Group Policy snap-in.

Creating and managing Group Policy objects.

Setting options for registry-based policy, scripts, and loopback policy.

Using security groups with Group Policy.

Linking multiple Group Policy Objects.

Blocking and enforcing Group Policy.

Group Policy and the Active Directory

In Windows 2000, administrators use Group Policy to enhance and control users' desktops. To
simplify the process, administrators can create a specific desktop configuration that is applied
to groups of users and computers. The Windows 2000 Active Directory service enables
Group Policy. The policy information is stored in Group Policy objects (GPOs), which are
linked to selected Active Directory containers: sites, domains, and organizational units (OUs).
The scope of a GPO can be filtered by security group membership, which allows administrators to
manage computers and users in either a centralized or a decentralized manner: Group Policy can be
applied centrally at the domain level, or in a decentralized manner at the OU level, and can then be
narrowed further by security group. Administrators can use security groups in Group Policy to:

Filter the scope of a GPO. This defines which groups of users and computers a GPO affects.

Delegate control of a GPO. There are two aspects to managing and delegating Group Policy:
managing the Group Policy links and managing who can create and edit GPOs.

Administrators use the Group Policy Microsoft Management Console (MMC) snap-in to
manage policy settings. Group Policy includes various features for managing these policy
settings. In addition, third parties can extend Group Policy to host other policy settings. The
data generated by Group Policy is stored in a Group Policy object (GPO), which is replicated
in all domain controllers within a single domain.
The Group Policy snap-in includes several MMC snap-in extensions, which constitute the
main nodes in the Group Policy snap-in. The extensions are as follows:

Administrative templates. These include registry-based Group Policy, which you use to mandate
registry settings that govern the behavior and appearance of the desktop, including the operating
system components and applications.

Security settings. You use the Security Settings extension to set security options for computers
and users within the scope of a Group Policy object. You can define local computer, domain, and
network security settings.

Software installation. You can use the Software Installation snap-in to centrally manage software
in your organization. You can assign and publish software to users and assign software to
computers.

Scripts. You can use scripts to automate computer startup and shutdown and user logon and logoff.
You can use any language supported by Windows Script Host. These include the Microsoft Visual Basic
development system, Scripting Edition (VBScript); JavaScript; PERL; and MS-DOS-style batch files
(.bat and .cmd).

Remote Installation Services. You use Remote Installation Services (RIS) to control the behavior
of the Remote Operating System Installation feature as displayed to client computers.

Internet Explorer maintenance. You use Internet Explorer Maintenance to manage and customize
Microsoft Internet Explorer on Windows 2000-based computers.

Folder redirection. You use Folder Redirection to redirect Windows 2000 special folders from their
default user profile location to an alternate location on the network. These special folders
include My Documents, Application Data, Desktop, and the Start Menu.

Figure 1 below shows how Group Policy objects use the Active Directory hierarchy for
deploying Group Policy.

Figure 1: The Hierarchy of Group Policy and the Active Directory


Group Policy objects are linked to site, domain, and OU containers in the Active Directory.

The default order of precedence follows the hierarchical nature of the Active Directory: sites
are processed first, then domains, and then each OU, so the GPOs linked closest to the user or
computer are applied last and win on conflicting settings. A GPO can be linked to more than one
Active Directory container, and a container can have more than one GPO linked to it.
Prerequisites and Initial Configuration
Prerequisites

This Software Installation and Maintenance document is based on Step-by-Step to a Common
Infrastructure for Windows 2000 Server Deployment
(http://www.microsoft.com/windows2000/techinfo/planning/server/serversteps.asp).
Before using this guide, you need to build the common infrastructure as described in the
document above. This infrastructure specifies a particular hardware and software
configuration. If you are not using the common infrastructure, you must take this into account
when using the guide.
Group Policy Scenarios

Note that this document does not describe all of the possible Group Policy scenarios. Please
use this instruction set to begin to understand how Group Policy works and begin to think
about how your organization might use Group Policy to reduce its TCO. Other Windows
2000 features, including Security Settings and Software Installation and Maintenance, are
built on Group Policy. To learn how to use Group Policy in those specific scenarios, refer to
the white papers and Windows 2000 Server online help on Windows 2000 Security and
Software Installation and Maintenance, which are available on the Windows 2000 Web site.
Important Notes

The example company, organization, products, people, and events depicted in this guide are
fictitious. No association with any real company, organization, product, person, or event is
intended or should be inferred.
This common infrastructure is designed for use on a private network. The fictitious company
name and DNS name used in the common infrastructure are not registered for use on the
Internet. Please do not use this name on a public network or Internet.
The Active Directory service structure for this common infrastructure is designed to show how
Windows 2000 Change and Configuration Management works with Active Directory. It was not designed
as a model for configuring an Active Directory service for any organization; for such information,
see the Active Directory documentation.
Group Policy Snap-in Configuration

Group Policy is tied to the Active Directory service. The Group Policy snap-in extends the Active
Directory management tools using the Microsoft Management Console (MMC) snap-in extension
mechanism.
The Active Directory snap-ins set the scope of management for Group Policy. The most common way to
access Group Policy is through the Active Directory Users and Computers snap-in, which sets the
scope of management to domains and organizational units (OUs). You can also use the Active
Directory Sites and Services snap-in to set the scope of management to a site. Both tools are
available from the Administrative Tools program group, and the Group Policy snap-in extension is
enabled in both. Alternatively, you can create a custom MMC console, as described in the next
section.
Configuring a Custom Console

The examples in this document use the custom MMC console that you can create by
following the procedure in this section. You need to create this custom console before
attempting the remaining procedures in this document.
Note: If you want more experience building MMC consoles, run through the procedures
outlined in "Step-by-Step Guide to Microsoft Management Console"
To configure a custom console

1. Log on to the HQ-RES-DC-01 domain controller server as an administrator.

2. Click Start, click Run, type mmc, and then click OK.

3. On the Console menu, click Add/Remove Snap-in.

4. In the Add/Remove Snap-in dialog box, click Add.

5. In the Add Standalone Snap-in dialog box, in the Available standalone snap-ins list box,
   click Active Directory Users and Computers, and then click Add.

6. Double-click the Active Directory Sites and Services snap-in in the Available standalone
   snap-ins list box.

7. In the Available standalone snap-ins list box, double-click Group Policy.

8. In the Select Group Policy object dialog box, Local computer is selected under Group Policy
   object. Click Finish to edit the local Group Policy object. Click Close in the Add Standalone
   Snap-in dialog box.

9. In the Add/Remove Snap-in dialog box, click the Extensions tab. Ensure that the Add all
   extensions check box is checked for each primary extension added to the MMC console (these are
   checked by default). Click OK.

To save console changes

1. In the MMC console, on the Console menu, click Save.

2. In the Save As dialog box, in the File name text box, type GPWalkthrough, and then click Save.

The console should appear as in Figure 2 below:

Figure 2: Group Policy MMC Console


Accessing Group Policy

You can use the appropriate Active Directory tools to access Group Policy while focused on
any site, domain, or OU.
To open Group Policy from Active Directory Sites and Services

In the GPWalkthrough MMC console, in the console tree, click the + next
to Active Directory Sites and Services.

In the console tree, right-click the site for which to access Group Policy.

Click Properties, and click Group Policy.

To open Group Policy from Active Directory Users and Computers

In the console tree in the GPWalkthrough MMC console, click the + next
to Active Directory Users and Computers.

In the console tree, right-click either the reskit domain or the OU for
which to access Group Policy.

Click Properties, and click Group Policy.

To access Group Policy scoped to a specific computer (or the local computer), you must load
the Group Policy snap-in into the MMC console namespace targeted at the specific computer
(or local computer). There are two major reasons for these differences:

Sites, domains, and OUs can have multiple GPOs linked to them; these
GPOs require an intermediate property page to manage them.

A GPO for a specific computer is stored on that computer and not in the
Active Directory.

Scoping a Domain or OU

To scope the domain or OU, use the GPWalkthrough MMC console that you saved earlier.
To scope Group Policy for a domain or OU

1. Click Start, point to Programs, click Administrative Tools, and click GPWalkthrough to open
   the MMC console you created earlier.

2. Click the + next to Active Directory Users and Computers to expand the tree.

3. Click the + next to reskit.com to expand the tree.

4. Right-click either the domain (reskit.com) or an OU, and click Properties.

5. Click the Group Policy tab as shown in Figure 3 below.

This displays a property page where the GPOs associated with the selected Active Directory
container can be managed. You use this property page to add, edit, delete (or remove), and
disable GPOs; to specify No Override options; and to change the order of the associated
GPOs. Selecting Edit starts the Group Policy snap-in. More information on using the Group
Policy property page and the Group Policy snap-in can be found later in this document.
Note: The Computers and Users containers are not organizational units; therefore, you cannot
apply Group Policy directly to them. Users or computers in these containers receive policies
from GPOs scoped to the domain and site objects only. The domain controller container is an
OU, and Group Policy can be applied directly to it.

Figure 3: Group Policy Link Management


Scoping Local or Remote Computers

To access Group Policy for a local or a remote computer, you add the Group Policy snap-in to the
MMC console and focus it on a remote or local computer. To access Group Policy for the local
computer, use the GPWalkthrough console created earlier in this document, and choose the Local
Computer Policy node. You can add other computers to the console namespace by adding another Group
Policy snap-in to the GPWalkthrough console, and clicking the Browse button when the Select Group
Policy object dialog box is displayed.
Note: Some of the Group Policy extensions are not loaded when Group Policy is run against
a local GPO.
Creating a Group Policy Object

The Group Policy settings you create are contained in a Group Policy Object (GPO) that is in
turn associated with selected Active Directory objects, such as sites, domains, or
organizational units (OUs).
To create a Group Policy Object (GPO)

1. Open the GPWalkthrough MMC console.

2. Click the + next to Active Directory Users and Computers, and click the reskit.com domain.

3. Click the + next to Accounts to expand the tree.

4. Right-click Headquarters, and select Properties from the context menu.

5. In the Headquarters Properties page, click the Group Policy tab.

6. Click New, and type HQ Policy.

The Headquarters Properties page should appear as in Figure 4 below:

Figure 4: Headquarters Properties


At this point you could add another GPO for the Headquarters OU, giving each one that you create a
meaningful name, or you could edit the HQ Policy GPO, which starts the Group Policy snap-in for
that GPO. All Group Policy functionality is derived from the snap-in extensions. In this exercise,
all of these extensions are enabled. It is possible, using standard MMC methods, to restrict the
extension snap-ins that are loaded for any given snap-in. For information on this capability, see
the Windows 2000 Server Online Help for Microsoft Management Console.
There is also a Group Policy that you can use to restrict the use of MMC snap-in extensions.
To access this policy, navigate to the System\Group Policy node under Administrative
Templates. Use the Explain tab to learn more about the use of these policies.
If you have more than one GPO linked to an Active Directory container, verify the GPO order: the
GPO that is highest in the list has the highest precedence. GPOs higher in the list are processed
last, which is what gives them higher precedence, so on a conflicting setting the topmost GPO wins.
GPOs in the list are objects; they have context menus that you use to view and modify general
information about a GPO. This information includes the Discretionary Access Control List (DACL,
covered in the Security Group Filtering section of this document) and the other sites, domains, or
OUs to which this GPO is linked.

Click Close

Best Practice You can further refine a GPO by using user or computer membership in
security groups and then setting DACLs based on that membership. This is covered in the
Security Group Filtering section below.
Managing Group Policy

To manage Group Policy, you need to access the context menu of a site, domain, or OU,
select Properties, and then select the Group Policy tab. This displays the Group Policy
Properties page. Please note the following:

This page displays any GPOs that have been associated with the currently
selected site, domain, or OU. The links are objects; they have a context
menu that you can access by right-clicking the object. (Right-clicking the
white space displays a context menu for creating a new link, adding a link,
or refreshing the list.)

This page also shows an ordered GPO list, with the highest priority GPO at
the top of the list. You can change the list order by selecting a GPO and
then using the Up or Down buttons.

To associate (link) a new GPO, click the Add button.

To edit an existing GPO in the list, select the GPO and click
the Edit button, or just double-click the GPO. This starts the Group Policy

snap-in, which is how the GPO is modified. This is described in more detail
later in this document.

To permanently delete a GPO from the list, select it from the list and click
the Delete button. Then, when prompted, select Remove the link and
delete the Group Policy object permanently. Be careful when deleting
an object, because the GPO may be associated with another site, domain,
or OU. If you want to remove a GPO from the list, select the GPO from the
links list, click Delete, and then when prompted, select Remove the link
from the list.

To determine what other sites, domains, or OUs are associated with a given GPO, right-click the
GPO, select Properties from the context menu, and then click the Links tab in the GPO Properties
page.

The No override check column marks the selected GPO as one whose
policies cannot be overridden by another GPO.

Note: You can enable the No Override property on more than one GPO. All GPOs that are
marked as No override will take precedence over all other GPOs not marked. Of those GPOs
marked as No override, the GPO with the highest priority will be applied after all the other
similarly marked GPOs.

The Disabled check box simply disables (deactivates) the GPO without
removing it from the list. To remove a GPO from the list, select the GPO
from the links list, click Delete, and then select Remove the link from
the list in the Delete dialog box.

It is also possible to disable only the User or Computer portion of the GPO. To do this,
right-click the GPO, click Properties, click either Disable computer configuration settings or
Disable user configuration settings, and then click OK. These options are available on the GPO
Properties page, on the General tab.

The Block policy inheritance check box has the effect of negating all
GPOs that exist higher in the hierarchy. However, it cannot block any GPOs
that are enforced by using the No override check box; those GPOs are
always applied.

Note: Policy settings contained within the local GPO that are not specifically overridden by
domain-based policy settings are also always applied. Block Policy Inheritance at any level
will not remove local policy.
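The link-management operations listed above (create, link, reorder, No Override, Block Policy Inheritance, disabling one half of a GPO, removing a link versus deleting the GPO), as an added example in PowerShell that is not part of the original guide. It uses the GroupPolicy module (Windows Server 2008 R2 or later), which is newer than the Windows 2000 console the text describes; reskit.com, the Accounts and Headquarters OUs and the name HQ Policy come from the text, while HQ Lockdown is a hypothetical second GPO.

```powershell
# Added example: the Group Policy tab operations done with the GroupPolicy
# module (Windows Server 2008 R2+). Names from the text: reskit.com,
# Accounts\Headquarters, HQ Policy. "HQ Lockdown" is hypothetical.
Import-Module GroupPolicy

$Domain = 'reskit.com'
$OU     = 'OU=Headquarters,OU=Accounts,DC=reskit,DC=com'

# New-GPO creates an unlinked GPO (like New on the All tab); New-GPLink then
# links it. Together they equal the New button on the Group Policy tab.
$gpo = New-GPO -Name 'HQ Policy' -Domain $Domain -Comment 'Added example'
New-GPLink -Name $gpo.DisplayName -Target $OU -LinkEnabled Yes -Order 1 | Out-Null

# A second GPO linked at order 1 pushes HQ Policy down to order 2. Lower order
# number = higher in the list = processed last = wins on conflicting settings.
$lock = New-GPO -Name 'HQ Lockdown' -Domain $Domain
New-GPLink -Name $lock.DisplayName -Target $OU -Order 1 | Out-Null

# "No Override" is called Enforced here: the link is applied even where a child
# OU blocks inheritance, and its settings beat conflicting settings below it.
Set-GPLink -Name $lock.DisplayName -Target $OU -Enforced Yes | Out-Null

# Block Policy Inheritance on the OU: links at the domain and site are cut off,
# except Enforced links. The local GPO is not a domain object and is never blocked.
Set-GPInheritance -Target $OU -IsBlocked Yes | Out-Null

# Disable only the user half of HQ Policy (GPO Properties, General tab).
$gpo.GpoStatus = 'UserSettingsDisabled'

# Show what the OU now receives: links in precedence order plus the block flag.
function Get-OuPolicyOrder([string]$Target) {
    $inh = Get-GPInheritance -Target $Target
    [pscustomobject]@{
        InheritanceBlocked = $inh.GpoInheritanceBlocked
        Links = $inh.GpoLinks | Sort-Object Order | ForEach-Object {
            "$($_.Order). $($_.DisplayName) enforced=$($_.Enforced) enabled=$($_.Enabled)"
        }
    }
}
Get-OuPolicyOrder $OU

# "Remove the link from the list" is not "delete the GPO permanently": the same
# GPO may be linked to other sites, domains or OUs, so check its links first.
(Get-GPInheritance -Target $OU).GpoLinks | Where-Object DisplayName -eq $lock.DisplayName
Remove-GPLink -Name $lock.DisplayName -Target $OU | Out-Null
# Remove-GPO -Name $lock.DisplayName   # only this deletes the object itself
```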
Editing a Group Policy Object

You can use the custom console to edit a GPO. You will need to log on to the HQ-RES-DC-01 server as an Administrator, if you have not already done so.
To edit a Group Policy Object (GPO)

1. Click Start, point to Programs, click Administrative Tools, and then select GPWalkthrough.

2. Click the + next to Active Directory Users and Computers, click the reskit.com domain, and
   then click the Accounts OU.

3. Right-click Headquarters, select Properties, and then click the Group Policy tab. HQ Policy in
   the Group Policy object links list box should be highlighted.

4. Double-click the HQ Policy GPO (or click Edit).

This opens the Group Policy snap-in focused on a GPO named HQ Policy, which is linked to
the OU named Headquarters. It should appear as in Figure 5 below:

Figure 5: HQ Policy
Adding or Browsing a Group Policy Object

The Add a Group Policy Object Link dialog box shows GPOs currently associated with
domains, OUs, sites, or all GPOs without regard to their current associations (links). The Add
a Group Policy Object Link dialog box is shown in Figure 6 below.

Figure 6: Add a Group Policy Object Link

GPOs are stored in each domain. The Look In drop-down box allows you to
select a different domain to view.

In the Domains/OUs tab, the list box displays the sub-OUs and GPOs for the currently selected
domain or OU. To navigate the hierarchy, double-click a sub-OU or use the Up one level toolbar
button.

To add a GPO to the currently selected domain or OU, either double-click the object, or select it
and click OK.

Alternatively, you can create a new GPO by clicking the All tab, right-clicking in the open
space, and selecting New on the context menu, or by using the Create New GPO toolbar button. The
Create New GPO toolbar button is only active in the All tab. To create a new GPO and link it to a
particular site, domain, or OU, use the New button on the Group Policy property page.

Note: It is possible to create two or more GPOs with the same name. This is by design and is
because the GPOs are actually stored as GUIDs and the name shown is a friendly name
stored in the Active Directory.

In the Sites tab, all GPOs associated with the selected site are displayed.
Use the drop-down list to select another site. There is no hierarchy of sites.

The All tab shows a flat list of all GPOs that are stored in the selected
domain. This is useful when you want to select a GPO that you know by
name, rather than where it is currently associated. This is also the only
place to create a GPO that does not have a link to a site, domain, or OU.

To create an unlinked GPO, access the Add a Group Policy Object Link dialog box from any site,
domain, or OU. Click the All tab, click the Create New GPO toolbar button or right-click the white
space and select New. Name the new GPO, press Enter, and then click Cancel; do not click OK.
Clicking OK links the new GPO to the current site, domain, or OU, whereas clicking Cancel leaves
the new GPO unlinked.

Registry-based Policies

The user interface for registry-based policies is controlled by using Administrative Template
(.adm) files. These files describe the user interface that is displayed in the Administrative
Templates node of the Group Policy snap-in. These files are format-compatible with the
.adm files used by the System Policy Editor tool (poledit.exe) in Microsoft Windows NT 4.0.
With Windows 2000, the available options have been expanded.
Note: Although it is possible to add any .adm file to the namespace, an .adm file from a previous
version of Windows is of limited use: its registry keys either have no effect on Windows 2000, or
they set preference settings that are written to the registry and persist there; that is, the
registry settings are not removed when the policy no longer applies.
By default, only those policy settings defined in the loaded .adm files that exist in the
approved Group Policy trees are displayed; these settings are referred to as true policies. This
means that the Group Policy snap-in does not display any items described in the .adm file that
set registry keys outside of the Group Policy trees; such items are referred to as Group
Policy preferences. The approved Group Policy trees are:
\Software\Policies
\Software\Microsoft\Windows\CurrentVersion\Policies

A Group Policy called Enforce Show Policies Only is available in User
Configuration\Administrative Templates, under the System\Group Policy node. If you set this policy
to Enabled, the Show policies only command is turned on, administrators cannot turn it off, and
the Group Policy snap-in displays only true policies. If you set this policy to Disabled or Not
configured, the Show policies only command is turned on by default; however, you can view
preferences by turning off the Show policies only command.
To view preferences, you must turn off the Show policies only command, which you access
by selecting the Administrative Templates node (under either User
Configuration or Computer Configuration nodes), and then clicking the View menu on the
Group Policy console and clearing the Show policies only check box. Note that it is not
possible for the selected state for this policy to persist; that is, there is no preference for this
policy setting.
In Group Policy, preferences are indicated by a red icon to distinguish them from true
policies, which are indicated by a blue icon.
Use of non-policies within the Group Policy infrastructure is strongly discouraged because of
the persistent registry settings behavior mentioned previously. To set registry policies on
Windows NT 4.0, and Windows 95 and Windows 98 clients, use the Windows NT 4.0 System
Policy Editor tool, Poledit.exe.
By default the System.adm, Inetres.adm, and Conf.adm files are loaded and present this
namespace as shown in Figure 7 below:

Figure 7: User Configuration


The .adm files include the following settings:

System.adm: Operating system settings

Inetres.adm: Internet Explorer restrictions

Conf.adm: NetMeeting settings

Adding Administrative Templates

The .adm file consists of a hierarchy of categories and subcategories that together define how
options are organized in the Group Policy user interface.

To add administrative templates (.adm files)
1. In the Group Policy console, double-click Active Directory Users and Computers,
select the domain or OU for which you want to set policy, click Properties, and then
click Group Policy.
2. In the Group Policy properties page, select the Group Policy Object you want to edit
from the Group Policy objects links list, and click Edit to open the Group Policy
snap-in.
3. In the Group Policy console, click the plus sign (+) next to either User Configuration
or Computer Configuration. The .adm file defines which of these locations the policy
is displayed in, so it doesn't matter which node you choose.
4. Right-click Administrative Templates, and select Add/Remove Templates. This shows
a list of the currently active template files for this Active Directory container.
5. Click Add. This shows a list of the available .adm files in the %systemroot%\inf
directory of the computer where Group Policy is being run. You can choose an .adm
file from another location. Once chosen, the .adm file is copied into the GPO.

To set registry-based settings using administrative templates
1. In the GPWalkthrough console, double-click Active Directory Users and Computers,
double-click the reskit.com domain, double-click Accounts, right-click the
Headquarters OU, and then click Properties.
2. In the Headquarters Properties dialog box, click Group Policy.
3. Double-click the HQ Policy GPO in the Group Policy object links list to edit the
HQ Policy GPO.
4. In the Group Policy console, under the User Configuration node, click the plus
sign (+) next to Administrative Templates.
5. Click Start Menu & Taskbar. Note that the details pane shows all the policies as
Not configured.
6. In the details pane, double-click the Remove Run menu from Start menu policy.
This displays a dialog box for the policy as shown in Figure 8 below.

Figure 8: Remove Run menu from Start Menu

7. In the Remove Run menu from Start menu dialog box, click Enabled.

Note the Previous Policy and Next Policy buttons in the dialog box. You can use
these buttons to navigate the details pane to set the state of other policies. You can
also leave the dialog box open and click another policy in the details pane of the
Group Policy snap-in. After the details pane has the focus, you can use
the Up and Down arrow keys on the keyboard and press Enter to quickly browse
through the settings (or Explain tabs) for each policy in the selected node.

8. Click OK. Note the change in state in the Setting column in the details pane.
This change is immediate; it has been saved to the GPO. If you are in a replicated
domain controller (DC) environment, this action sets a flag that triggers a
replication cycle.

If you log on to a workstation in the reskit.com domain with a user from the
Headquarters OU, you will note that the Run menu has been removed.
At this point, you may want to experiment with the other available policies. Look at
the text in the Explain tab for information about each policy.
Scripts

You can set up scripts to run when users log on or log off, or when the system starts
up or shuts down. All scripts are Windows Script Host (WSH)-enabled, so they may be
JScript (.js) or VBScript (.vbs) files as well as .bat and .cmd files. Links to more
information on Windows Script Host are located in the More Information section
at the end of this document.
Setting up a Logon Script

Use this procedure to add a script that runs when a user logs on.
Note: This procedure uses the Welcome2000.js script described in Appendix A of this
document, which includes instructions for creating and saving the script file. Before
performing the procedure for setting up logon scripts, you need to create the
Welcome2000.js script file and copy it to the HQ-RES-DC-01 domain controller.

To set up logon scripts
1. In the GPWalkthrough console, double-click Active Directory Users and Computers,
right-click the reskit.com domain, click Properties, and then click Group Policy.
2. In the Group Policy properties page, select the Default Domain Policy GPO from
the Group Policy objects links list, and click Edit to open the Group Policy snap-in.
3. In the Group Policy snap-in, under User Configuration, click the + next to
Windows Settings, and then click the Scripts (Logon/Logoff) node.
4. In the details pane, double-click Logon.
5. The Logon Properties dialog box displays the list of scripts that run when
affected users log on. This is an ordered list, with the script that runs first at
the top of the list. You can change the order by selecting a script and then using
the Up or Down buttons.
6. To add a new script to the list, click the Add button. This displays the Add a
Script dialog box. Browsing from this dialog allows you to specify the name of an
existing script located in the current GPO, or to browse to another location and
select a script for use in this GPO. The script file must be accessible to the user
at logon or it does not run; scripts stored in the current GPO are automatically
available to the user. You can create a new script by right-clicking the empty space,
selecting New, and then selecting a new file.

Note: If the View Folder Options for this folder are set to Hide file extensions for
known file types, the file may end up with an unwanted extension that prevents it
from being run.

7. To edit the name or the parameters of an existing script in the list, select it and
click the Edit button. This button does not allow the script itself to be edited;
that can be done through the Show Files button.
8. To remove a script from the list, select it and click Remove.
9. The Show Files button displays an Explorer view of the scripts for the GPO. This
allows quick access to these files, and to the place to copy support files to if the
scripts require them. If you rename a script file from this location, you must also
use the Edit button to change the file name in the list, or the script cannot execute.
10. Click the Start menu, click Programs, click Accessories, click Windows Explorer,
navigate to the Welcome2000.js file (use Appendix A to create the file), right-click
the file, and select Copy.
11. Close Windows Explorer.
12. In the Logon Properties dialog box, click the Show Files button, and paste the
Welcome2000.js script into the default file location. It should appear as in
Figure 9 below:

Figure 9: Welcome2000.js

13. Close the Logon window.
14. Click the Add button in the Logon Properties dialog box.
15. In the Add a Script dialog box, click Browse, and then in the Browse dialog box,
double-click the Welcome2000.js file.
16. Click Open.
17. In the Add a Script dialog box, click OK (no script parameters are needed), and
then click OK again.

You can then log on to a client workstation as a user in the Headquarters OU,
and verify that the script runs when the user logs on.
Setting Up a Logoff or Computer Startup or Shutdown Script

You can use the same procedure outlined in the preceding section to set up scripts that
run when a user logs off or when a computer starts up or is shut down. For logoff
scripts, you would select Logoff in step 4.
Other Script Considerations

By default, Group Policy scripts that run in a command window (such as .bat or .cmd
files) run hidden, and legacy scripts (those defined in the user object) are by default
visible as they are processed (as was the case for Windows NT 4.0), although there is
a Group Policy that allows this visibility to be changed. The policy for users is
called Run logon scripts visible or Run logoff scripts visible, and is accessed in
the User Configuration\Administrative Templates node,
under System\Logon/Logoff. For computers, the policy is Run startup scripts
visible and can be accessed in the Computer Configuration\Administrative
Templates node, under System\Logon.
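A Group Policy logon or logoff script runs in the user's security context, and a startup or shutdown script runs as LocalSystem, from a folder under SYSVOL that every domain member can read. Whoever can write to that folder decides what runs. The following PowerShell is an added example, not part of this walkthrough or of Welcome2000.js: it lists the scripts configured in every GPO's Logon, Logoff, Startup and Shutdown folders and warns when a broad principal (Everyone, Authenticated Users, Domain Users or Users) holds write-type rights on one of those folders. It assumes the GroupPolicy module from RSAT, that %USERDNSDOMAIN% names the domain, and the standard SYSVOL layout \\<domain>\SYSVOL\<domain>\Policies\{GUID}\User|Machine\Scripts\<type>.

```powershell
# Added example: inventory Group Policy scripts in SYSVOL and flag script folders
# that non-administrators can modify. Assumes RSAT's GroupPolicy module and a
# domain-joined host (USERDNSDOMAIN is used to build the SYSVOL path).
Import-Module GroupPolicy

$domain   = $env:USERDNSDOMAIN
$policies = "\\$domain\SYSVOL\$domain\Policies"

# Principals that should never hold write rights on a Group Policy script folder.
$broad = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users'

# Rights that let a principal alter or swap a script. Modify and FullControl
# contain these bits, so they trigger the check too; Read/ReadAndExecute do not.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# The four script folders the Scripts (Logon/Logoff) and Scripts (Startup/Shutdown)
# nodes manage. scripts.ini (psscripts.ini on later versions) holds the ordered list
# shown in the Logon Properties dialog; the script bodies sit beside it.
$scriptFolders = 'User\Scripts\Logon', 'User\Scripts\Logoff',
                 'Machine\Scripts\Startup', 'Machine\Scripts\Shutdown'

function Get-GPScriptInventory {
    foreach ($gpo in Get-GPO -All) {
        foreach ($rel in $scriptFolders) {
            $dir = Join-Path (Join-Path $policies "{$($gpo.Id)}") $rel
            if (-not (Test-Path -LiteralPath $dir)) { continue }

            $files = Get-ChildItem -LiteralPath $dir -File -ErrorAction SilentlyContinue |
                     Where-Object Name -notin 'scripts.ini', 'psscripts.ini'
            foreach ($f in $files) {
                [pscustomobject]@{
                    GPO    = $gpo.DisplayName
                    Type   = Split-Path $rel -Leaf      # Logon / Logoff / Startup / Shutdown
                    Script = $f.Name
                    Path   = $f.FullName
                }
            }

            # Walk the folder DACL; report any broad principal that can change what runs.
            foreach ($ace in (Get-Acl -LiteralPath $dir).Access) {
                $who  = $ace.IdentityReference.Value          # e.g. NT AUTHORITY\Authenticated Users
                $name = $who -replace '^.*\\', ''             # strip the domain/authority prefix
                if ($ace.AccessControlType -eq 'Allow' -and $name -in $broad -and
                    (($ace.FileSystemRights -band $writeRights) -ne 0)) {
                    Write-Warning "$($gpo.DisplayName): $rel is writable by $who ($($ace.FileSystemRights))"
                }
            }
        }
    }
}

Get-GPScriptInventory | Format-Table -AutoSize
```

Run it from an account that can read SYSVOL (any domain user can). A warning means a script that Group Policy will execute for every affected user, or as LocalSystem on every affected computer, can be replaced by the flagged principal; fix the folder ACL (or the inherited ACL on the GPO's SYSVOL folder) before relying on that script.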
Security Group Filtering

You can refine the effects of any GPO by modifying the computer or user membership
in a security group. To do this, you use the Security tab to set the Discretionary Access
Control List (DACL) of the GPO. Filtering is done with DACLs partly for performance
reasons (a GPO that the user or computer has no permission to apply is skipped during
processing); the details are in the Group Policy technical paper referenced earlier in
this document. This feature allows for tremendous flexibility in designing and
deploying GPOs and the policies they contain.

By default, all GPOs affect all users and machines that are contained in the linked site,
domain, or OU. By using DACLs, the effect of any GPO can be modified to exclude
or include the members of any security group.

You can modify a DACL using the standard Windows 2000 Security tab, which is
accessed from the Properties page of any GPO.

To access a GPO Properties page from the Group Policy Properties page of a
domain or OU
1. In the GPWalkthrough console, double-click Active Directory Users and Computers,
double-click the reskit.com domain, double-click Accounts, right-click the
Headquarters OU, and then click Properties.
2. In the Headquarters Properties dialog box, click Group Policy.
3. Right-click the HQ Policy GPO in the Group Policy Object Links list, and select
Properties from the context menu.
4. In the Properties page, click the Security tab. This displays the standard
Security properties page.

You will see security groups and users based on the Common Infrastructure. For more
information, see the Windows 2000 step-by-step guide, A Common Infrastructure for
Change and Configuration Management. Make sure that you have completed the
appropriate steps in that document before continuing.

5. In the Security property page, click Add.
6. In the Select Users, Computers, and Groups dialog box, select the Management
group from the list, click Add, and click OK to close the dialog.
7. In the Security tab of the HQ Policy Properties page, select the Management
group, and view the permissions. By default, only the Read Access Control Entry
(ACE) is set to Allow for the Management group. This means that the members of
the Management group do not have this GPO applied to them unless they are also
members of another group (by default, they are also Authenticated Users) that has
the Apply Group Policy ACE set to Allow.

At this point, everyone in the Authenticated Users group has this GPO applied,
regardless of having added the Management group to the list, as shown in Figure 10
below.

Figure 10: Authenticated Users

8. Configure the GPO so that it applies to the members of the Management group
only: select Allow for the Apply Group Policy ACE for the Management group, and
then clear the Allow setting of the Apply Group Policy ACE for the Authenticated
Users group (leave the Read ACE in place).

By changing the ACEs that are applied to different groups, administrators can
customize how a GPO affects the users or computers that are subject to that
GPO. Write access is required for modifications to be made; both the Read and the
Apply Group Policy ACEs must be allowed for a policy to affect a group (for the
policy to apply to the group).

Use the Deny ACE with caution. A Deny ACE setting for any group takes precedence
over any Allow ACE given to a user or computer because of membership in another
group. Details of this interaction may be found in the Windows 2000 Server online
Help by searching on Security Group.

Figure 11 below shows an example of the security settings that allow everyone to be
affected by this GPO except the members of the Management group, who were
explicitly denied permission to the GPO by setting the Apply Group Policy ACE
to Deny. Note that if a member of the Management group were also a member of a
group that had an explicit Allow setting for the Apply Group Policy ACE,
the Deny would take precedence and the GPO would not affect the user.

Figure 11: Security Settings

Variations on the above may include:
o Adding additional GPOs with different sets of policies and having them apply only
to groups other than the Management group.
o Creating another group with members of the existing groups in it, and then using
that group as a filter for a GPO.

Note: You can use these same types of security options with the logon scripts you set
up in the preceding section. You can set a script to run only for members of a
particular group or for everyone except the members of a specific group.

Security group filtering has two functions: the first is to modify which group is
affected by a particular GPO, and the second is to delegate which group of
administrators can modify the contents of the GPO, by restricting Full Control to a
limited set of administrators (by group). This is recommended because it limits the
chance of multiple administrators making changes at any one time.
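The same HQ Policy filter done from PowerShell with the GroupPolicy module, as an added example that is not part of the original walkthrough. Set-GPPermission maps the dialog's ACEs onto permission levels (GpoRead is Read only; GpoApply is Read plus Apply Group Policy; GpoEdit and GpoEditDeleteModifySecurity are the delegation levels). It cannot write a Deny entry, so the Figure 11 variant needs a direct edit of the GPO object's DACL instead. The GPO and group names are the walkthrough's. Keep the Authenticated Users Read entry: a GPO the user cannot read is not processed at all, and on systems with the MS16-072 update the computer account reads user-side GPOs too, so removing Read outright silently stops the GPO from applying.

```powershell
# Added example: security group filtering and a delegation check for one GPO.
# Assumes RSAT's GroupPolicy module; names follow the walkthrough.
Import-Module GroupPolicy

$gpoName = 'HQ Policy'
$group   = 'Management'       # global security group whose members should get the GPO

# 1. Authenticated Users: keep Read, drop Apply Group Policy.
#    -Replace overwrites whatever the trustee had, so GpoApply becomes GpoRead.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
                 -PermissionLevel GpoRead -Replace | Out-Null

# 2. Management: Read + Apply Group Policy.
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
                 -PermissionLevel GpoApply | Out-Null

# 3. Review the result: who the GPO applies to, who is denied, and who may edit it.
function Get-GPFilterReport {
    param([Parameter(Mandatory)][string]$Name)
    $perms = Get-GPPermission -Name $Name -All
    [pscustomobject]@{
        GPO       = $Name
        AppliesTo = @($perms | Where-Object { $_.Permission -eq 'GpoApply' -and -not $_.Denied } |
                      ForEach-Object { $_.Trustee.Name })
        DeniedFor = @($perms | Where-Object { $_.Denied } |
                      ForEach-Object { "$($_.Trustee.Name) [$($_.Permission)]" })
        CanEdit   = @($perms | Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
                      ForEach-Object { "$($_.Trustee.Name) [$($_.Permission)]" })
    }
}

Get-GPFilterReport -Name $gpoName | Format-List

# 4. Confirm on a client. Logged on as a Management member:
#      gpresult /r /scope:user
#    HQ Policy should be listed under "Applied Group Policy Objects"; for any other
#    user it appears among the GPOs that were not applied, filtered by security.
```

The CanEdit list is the second function the section describes: it shows which groups can change the GPO's contents, which is what you restrict when delegating a GPO to a small set of administrators.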
Blocking Inheritance and No Override

The Block inheritance and No override features allow you to have control over the
default inheritance rules. In this procedure, you set up a GPO in the Accounts OU,
which applies by default to the users (and computers) in the Headquarters, Production,
and Marketing OUs.
You then establish another GPO in the Accounts OU and set it to No override. Its
settings apply to the child OUs even if a GPO scoped to one of those OUs sets the
opposite value.
You then use the Block inheritance feature to prevent Group Policies set in a parent
site, domain, or OU (in this case, the Accounts OU) from being applied to the
Production OU.
A description of how to disable portions of a GPO to improve performance is also
included.
Setting Up the Environment

You must first set up the environment for the procedures in this section.
To set up the GPO environment
1. Open the saved MMC console GPWalkthrough, and then open the Active Directory
Users and Computers node.
2. Double-click the reskit.com domain, and then double-click the Accounts OU.
3. Right-click the Accounts OU, select Properties from the context menu, and click
the Group Policy tab.
4. Click New to create a new GPO called Default User Policies.
5. Click New to create a new GPO called Enforced User Policies.
6. Select the Enforced User Policies GPO, and click the Up button to move it to the
top of the list, so that it has the highest precedence. Note that this step only serves
to demonstrate the functionality of the Up button; a GPO set to No override always
takes precedence over those that are not.
7. Select the No override setting for the Enforced User Policies GPO by double-clicking
the No override column or using the Options button. The Accounts Properties page
should now appear as in Figure 12 below:

Figure 12: Enforced User Policies

8. Double-click the Enforced User Policies GPO to start the Group Policy snap-in.
9. In the Group Policy snap-in, under User Configuration, click Administrative
Templates, click System, and then click Logon/Logoff.
10. In the details pane, double-click the Disable Task Manager policy, click Enabled in
the Disable Task Manager dialog box, and then click OK. For information on the
policy, click the Explain tab. Note that the setting is now Enabled, as in Figure 13
below.

Figure 13: Task Manager

11. Click the Close button to exit the Group Policy snap-in.
12. In the Accounts Properties dialog box, on the Group Policy tab, double-click the
Default User Policies GPO in the Group Policy objects links list.
13. In the Group Policy snap-in, in the User Configuration node, under Administrative
Templates, click the Desktop node, click the Active Desktop folder, and then
double-click the Disable Active Desktop policy in the details pane.
14. Click Enabled, click OK, and click Close.
15. In the Accounts Properties dialog box, click Close.

You can now log on to a client workstation as any user in any of the OUs under the
Accounts OU. Note that you cannot run Task Manager: it is unavailable from both
CTRL+SHIFT+ESC and the CTRL+ALT+DEL dialog box. In addition, Active Desktop
cannot be enabled: when you right-click the desktop and select Properties, the Web
tab is missing.
As an extra step, you can reverse the setting of the Disable Task Manager policy in a
GPO that is linked to any of the child OUs of the Accounts OU (Headquarters,
Production, Marketing). To do this, change the radio button for that policy in that GPO.
Note: Doing this has no effect while the Enforced User Policies GPO is linked to the
Accounts OU with No override set; the enforced setting wins over the child OU's.
Disabling Portions of a GPO

Because these GPOs are used solely for user configuration, the computer portion of
each GPO can be turned off. Doing so reduces computer startup time, because the
computer side of these GPOs no longer has to be evaluated to determine whether any
policies exist. In this procedure, no computers are affected by these GPOs, so
disabling a portion of the GPO has no immediate benefit. However, since these GPOs
could later be linked to a different OU that includes computers, you may want to
disable the computer side of these GPOs.
To disable the computer portion of a GPO
1. Open the saved MMC console GPWalkthrough, and then double-click the Active
Directory Users and Computers node.
2. Double-click the reskit.com domain.
3. Right-click the Accounts OU, select Properties from the context menu, and click
the Group Policy tab.
4. On the Group Policy tab of the Accounts Properties dialog box, right-click the
Enforced User Policies GPO, and select Properties.
5. In the Enforced User Policies Properties dialog box, select the General tab, and
then select the Disable computer configuration settings check box. In the Confirm
Disable dialog box, click Yes.

Note that the General properties page includes two check boxes, one for disabling
each portion of the GPO.

6. Repeat steps 4 and 5 for the Default User Policies GPO.

Blocking Inheritance

You can block inheritance so that an OU does not receive the GPOs linked to its
parent containers (the site, the domain, and any parent OUs). GPO links set to No
override in a parent are the exception: they are still applied. After you block
inheritance on the Production OU, only the settings in the Enforced User Policies
GPO (plus any GPO linked directly to the Production OU) affect the users in this OU.
This is simpler than reversing each individual policy in a GPO scoped at this OU.
To block inheritance of Group Policy for the Production OU
1. Open the saved MMC console GPWalkthrough, and then double-click the Active
Directory Users and Computers node.
2. Double-click the reskit.com domain, and then double-click the Accounts OU.
3. Right-click the Production OU, select Properties from the context menu, and then
click the Group Policy tab.
4. Select the Block policy inheritance check box, and click OK.

To verify that inherited settings are now blocked, log on as any user in the
Production OU. Notice that the Web tab is present in the Display Properties page:
the Disable Active Desktop policy from the Default User Policies GPO no longer
applies. Also note that Task Manager is still disabled, because that policy comes
from a GPO set to No override in the parent OU.
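The environment from the last three procedures built with the GroupPolicy module, as an added example that is not from the original document. "No override" is what later tools call an enforced link, "Block policy inheritance" is the OU's inheritance block, and "Disable computer configuration settings" is the ComputerSettingsDisabled GPO status. The two Administrative Template policies are written as the registry values they control, both under an approved policy tree. Distinguished names assume the walkthrough's reskit.com/Accounts/Production layout; the final listing shows which links survive the block.

```powershell
# Added example: enforced link, blocked inheritance, and a disabled GPO side,
# then a check of what the Production OU actually receives. Assumes RSAT's
# GroupPolicy module; DNs follow the walkthrough's OU layout.
Import-Module GroupPolicy

$accountsOU   = 'OU=Accounts,DC=reskit,DC=com'
$productionOU = 'OU=Production,OU=Accounts,DC=reskit,DC=com'

# Create both GPOs and link them to the Accounts OU. -Order 1 puts the link at the
# top (the walkthrough's Up button); -Enforced Yes is the "No override" setting.
$enforced = New-GPO -Name 'Enforced User Policies'
$default  = New-GPO -Name 'Default User Policies'
New-GPLink -Name $default.DisplayName  -Target $accountsOU -LinkEnabled Yes | Out-Null
New-GPLink -Name $enforced.DisplayName -Target $accountsOU -LinkEnabled Yes `
           -Order 1 -Enforced Yes | Out-Null

# Registry values behind the two Administrative Template policies used above.
# Both live under ...\CurrentVersion\Policies, so they are true policies and are
# removed again when the GPO goes out of scope (no tattooing).
Set-GPRegistryValue -Name $enforced.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System' `
    -ValueName 'DisableTaskMgr' -Type DWord -Value 1 | Out-Null       # Disable Task Manager
Set-GPRegistryValue -Name $default.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoActiveDesktop' -Type DWord -Value 1 | Out-Null      # Disable Active Desktop

# "Disabling Portions of a GPO": both GPOs carry user settings only.
foreach ($g in $enforced, $default) { $g.GpoStatus = 'ComputerSettingsDisabled' }

# "Blocking Inheritance" on the Production OU.
Set-GPInheritance -Target $productionOU -IsBlocked Yes | Out-Null

# Verify: the enforced link from Accounts survives the block, the other does not.
function Get-EffectiveGPLinks {
    param([Parameter(Mandatory)][string]$Target)
    $inh = Get-GPInheritance -Target $Target
    [pscustomobject]@{
        Target    = $Target
        Blocked   = $inh.GpoInheritanceBlocked
        # InheritedGpoLinks is the precedence-ordered list the OU actually receives.
        Effective = @($inh.InheritedGpoLinks | ForEach-Object {
            '{0} (enforced={1}, from {2})' -f $_.DisplayName, $_.Enforced, $_.Target })
    }
}

Get-EffectiveGPLinks -Target $productionOU | Format-List
# On a Production client, "gpresult /r /scope:user" should list Enforced User Policies
# as applied and Default User Policies among the GPOs that were not applied.
```

Setting GpoStatus on the object returned by New-GPO writes the change to the GPO immediately; there is no separate cmdlet for it. Check the Effective list after every inheritance change: a link that is enforced further up the tree is the only thing a block cannot stop, so an unexpected entry there means someone enforced a GPO at the domain or site level.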
Linking a GPO to Multiple Sites, Domains, and OUs

This section demonstrates how you can link a GPO to more than one container
(site, domain, or OU) in Active Directory. Depending on the exact OU
configuration, you can use other methods to achieve similar Group Policy
effects; for example, you can use security group filtering or you can block
inheritance. In some cases, however, those methods do not have the desired
effect. Whenever you need to explicitly state which sites, domains, or OUs
need the same set of policies, use the method outlined below.
To link a GPO to multiple sites, domains, and OUs
1. Open the saved MMC console GPWalkthrough, and then double-click the Active
Directory Users and Computers node.
2. Double-click the reskit.com domain, and double-click the Accounts OU.
3. Right-click the Headquarters OU, select Properties from the context menu, and
then click the Group Policy tab.
4. In the Headquarters Properties dialog box, on the Group Policy tab, click New to
create a new GPO named Linked Policies.
5. Select the Linked Policies GPO, and click the Edit button.
6. In the Group Policy snap-in, in the User Configuration node, under Administrative
Templates, click Control Panel, and then click Display.
7. In the details pane, double-click the Disable Changing Wallpaper policy, click
Enabled in the Disable Changing Wallpaper dialog box, and click OK.
8. Click Close to exit the Group Policy snap-in.
9. In the Headquarters Properties page, click Close.

Next you will link the Linked Policies GPO to another OU.
1. In the GPWalkthrough console, double-click the Active Directory Users and
Computers node, double-click the reskit.com domain, and then double-click the
Accounts OU.
2. Right-click the Production OU, click Properties on the context menu, and then
click the Group Policy tab on the Production Properties dialog box.
3. Click the Add button, or right-click the blank area of the Group Policy objects
links list, and select Add on the context menu.
4. In the Add a Group Policy Object Link dialog box, click the down arrow on the
Look in box, and select the Accounts.reskit.com OU.
5. Double-click the Headquarters.Accounts.reskit.com OU in the Domains, OUs, and
linked Group Policy objects list.
6. Click the Linked Policies GPO, and then click OK.

You have now linked a single GPO to two OUs. There is still only one GPO, so
changes made to it from either location apply to both OUs. You can test this by
changing some policies in the Linked Policies GPO, and then logging on to a client
in each of the affected OUs, Headquarters and Production.
Loopback Processing

This section demonstrates how to use the loopback processing policy to apply a
different set of user Group Policies based on the computer being logged on to.
This policy is useful when you need user policies applied to users of specific
computers (for example, kiosk or shared lab machines). There are two modes.
Merge mode processes the policies that apply to the user, and then also applies
the user policies from the GPOs that apply to the computer, so the computer's
settings win where the two conflict. Replace mode does not apply the user settings
based on where the user object is at all, but processes only the user policies in
the computer's list of GPOs. Details on these modes can be found in the Group
Policy white paper referred to earlier.
To use the loopback processing policy
1. In the GPWalkthrough console, double-click the Active Directory Users and
Computers node, double-click the reskit.com domain, and then double-click the
Resources OU.
2. Right-click the Desktops OU, click Properties on the context menu, and then
click the Group Policy tab on the Desktops Properties dialog box.
3. Click New to create a new GPO named Loopback Policies.
4. Select the Loopback Policies GPO, and click Edit.
5. In the Group Policy snap-in, under the Computer Configuration node, click
Administrative Templates, click System, and then click Group Policy.
6. In the details pane, double-click the User Group Policy loopback processing
mode policy.
7. Click Enabled in the User Group Policy loopback processing mode dialog box,
select Replace in the Mode drop-down box, and then click OK to exit the
property page.

Next, you will set several User Configuration policies by using the Next Policy
navigation buttons in the policy dialog boxes.
1. In the Group Policy snap-in, under the User Configuration node, click
Administrative Templates, and then click Start Menu & Taskbar.
2. In the details pane, double-click the Remove user's folders from the Start menu
policy, and then click Enabled in the Remove user's folders from the Start menu
dialog box.
3. Click Apply to apply the policy, and click the Next Policy button to go on to the
next policy, Disable and remove links to Windows Update.
4. In the Disable and Remove Links to Windows Update dialog box, click Enabled,
click Apply, and then click the Next Policy button.
5. In each of the following policies' dialog boxes, set the state of the policy as
indicated in the list below:

Policy                                                    Setting
Remove common program groups from Start Menu              Enabled
Remove Documents from Start Menu                          Enabled
Disable programs on Settings menu                         Enabled
Remove Network & Dial-up Connections from Start menu      Enabled
Remove Favorites menu from Start menu                     Enabled
Remove Search menu from Start menu                        Enabled
Remove Help menu from Start menu                          Enabled
Remove Run menu from Start menu                           Enabled
Add Logoff on the Start Menu                              Enabled
Disable Logoff on the Start Menu                          Not configured
Disable and remove the Shut Down command                  Not configured
Disable drag-and-drop context menus on the Start Menu     Enabled
Disable changes to Taskbar and Start Menu Settings        Enabled
Disable context menus for the taskbar                     Enabled
Do not keep history of recently opened documents          Enabled
Clear history of recently opened documents on exit        Enabled

6. Click OK when you have set the last policy from the list in step 5.
7. In the Group Policy console tree, navigate to the Desktop node under User
Configuration\Administrative Templates, and set the following policies to Enabled:

Policy                                                    Setting
Hide Remove My Documents from Start Menu                  Enabled
Hide My Network Places icon on desktop                    Enabled
Hide Internet Explorer icon on desktop                    Enabled
Prohibit user from changing My Documents path             Enabled
Disable adding, dragging, dropping and closing the
Taskbar's toolbars                                        Enabled
Disable adjusting desktop toolbars                        Enabled
Don't save settings at exit                               Enabled

8. Click OK when you have set the last policy from the list in step 7.
9. In the Group Policy console tree, navigate to the Active Desktop node under
User Configuration\Administrative Templates\Desktop, set the Disable Active
Desktop policy to Enabled, and then click OK.
10. In the Group Policy console tree, navigate to the Control Panel node under
User Configuration\Administrative Templates, click the Add/Remove Programs
node, double-click the Disable Add/Remove Programs policy, set it to Enabled,
and then click OK.
11. In the Group Policy console tree, navigate to the Control Panel node under
User Configuration\Administrative Templates, click the Display node, double-click
the Disable display in control panel policy, set it to Enabled, and then click OK.
12. In the Group Policy snap-in, click Close.
13. In the Desktops Properties dialog box, click Close.

At this point, all users who log on to computers in the Desktops OU receive none of
the policies that would normally be applied to them; instead, they get the user
policies set in the Loopback Policies GPO. You may want to use the procedures
outlined in the section on Security Group Filtering to restrict this behavior to
specific groups of computers, or you may want to move some computers to
another OU.
For the following example, a security group called No Loopback is created. To do
this, use the Active Directory Users and Computers snap-in, click the Groups
container, click New, and create this global security group.
In this example, computers that are in the No Loopback security group are excluded
from this loopback policy if the following steps are taken:
1. In the GPWalkthrough console, double-click Active Directory Users and Computers,
double-click reskit.com, double-click Resources, right-click Desktops, and then
select Properties.
2. In the Desktops Properties dialog box, click Group Policy, right-click the Loopback
Policies GPO, and then select Properties.
3. In the Loopback Policies Properties page, click Security, and confirm that Allow is
selected (as it is by default) for the Apply Group Policy ACE for the Authenticated
Users group.
4. Add the No Loopback group to the Name list. To do this, click Add, select the
No Loopback group, and click OK.
5. Select Deny for the Apply Group Policy ACE for the No Loopback group, and
click OK.
6. Click OK in the Loopback Policies Properties page.
7. Click Close in the Desktops Properties dialog box.
8. In the GPWalkthrough console, click Save on the Console menu.
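The loopback GPO and the No Loopback exclusion from this section, done with PowerShell as an added example that is not from the original document. The loopback policy is the computer-side registry value UserPolicyMode (1 = Merge, 2 = Replace). Set-GPPermission has no Deny level, so the Deny on Apply Group Policy is written directly onto the GPO's groupPolicyContainer object through the ActiveDirectory module's AD: drive; Apply Group Policy is the extended right with schema GUID edacfd8f-ffb3-11d1-b41d-00a0c968f939. Distinguished names and the group name follow the walkthrough; adjust them to your forest. After the edit, open the GPO in GPMC and accept the repair if it reports the AD and SYSVOL permissions as inconsistent.

```powershell
# Added example: loopback Replace mode for the Desktops OU, plus a Deny ACE that
# keeps computers in the "No Loopback" group out of the GPO. Assumes RSAT's
# GroupPolicy and ActiveDirectory modules; DNs follow the walkthrough's layout.
Import-Module GroupPolicy
Import-Module ActiveDirectory        # also mounts the AD: drive used below

$desktopsOU = 'OU=Desktops,OU=Resources,DC=reskit,DC=com'
$gpo = New-GPO -Name 'Loopback Policies'
New-GPLink -Name $gpo.DisplayName -Target $desktopsOU -LinkEnabled Yes | Out-Null

# "User Group Policy loopback processing mode": computer-side value UserPolicyMode.
# 1 = Merge, 2 = Replace.
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
    -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

# One of the user-side settings from the walkthrough's list (Remove Run menu).
Set-GPRegistryValue -Name $gpo.DisplayName `
    -Key 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
    -ValueName 'NoRun' -Type DWord -Value 1 | Out-Null

# Deny "Apply Group Policy" to the No Loopback group on the GPO object itself.
# A Deny wins over any Allow the computer inherits through another group, which
# is exactly the precedence rule the Security Group Filtering section warns about.
function Add-GPApplyDeny {
    param(
        [Parameter(Mandatory)][string]$GpoName,
        [Parameter(Mandatory)][string]$GroupName
    )
    $applyGroupPolicy = [guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # extended right GUID
    $sid  = (Get-ADGroup -Identity $GroupName).SID
    $path = 'AD:\' + (Get-GPO -Name $GpoName).Path                      # DN of the groupPolicyContainer
    $acl  = Get-Acl -Path $path
    $deny = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Deny,
        $applyGroupPolicy)
    $acl.AddAccessRule($deny)
    Set-Acl -Path $path -AclObject $acl
}

Add-GPApplyDeny -GpoName $gpo.DisplayName -GroupName 'No Loopback'

# Verify: the deny shows up in the GPO's permission list.
Get-GPPermission -Name $gpo.DisplayName -All |
    Where-Object { $_.Denied } |
    ForEach-Object { 'DENY {0} for {1}' -f $_.Permission, $_.Trustee.Name }

# On a computer that is a member of No Loopback (after a reboot, so its group
# membership is refreshed), "gpresult /r /scope:computer" should list Loopback
# Policies among the GPOs not applied; on any other Desktops computer it applies.
```

Because the group membership that the deny is evaluated against belongs to the computer account, a newly added computer only drops out of the loopback GPO after it has rebooted and obtained a fresh token.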

=================

Global Catalog
Because AD is the central component of a Windows network, network clients and servers
query it frequently. To increase the availability of AD data on the network and the
efficiency of directory object queries from clients, AD includes a service known as the
global catalog (GC). The GC is not a separate database: it is held in the same directory
database as the domain controller's own domain partition, and it contains a partial,
read-only replica of every directory object in the entire AD forest (only the attributes
that the schema marks for GC replication, the partial attribute set).
Only Windows servers acting as domain controllers can be configured as GC servers. By
default, the first domain controller in a Windows forest is automatically configured to be a
GC server (this designation can be moved later to a different domain controller if desired;
however, every forest must contain at least one GC). Like the rest of AD, the GC partial
replicas are kept current by replication between the GC servers in the forest. In addition to
being a repository of commonly queried AD object attributes, the GC plays two primary
roles on a Windows network:
Network logon authentication: In native-mode domains (networks in which all domain
controllers have been upgraded to Win2K or later, and the domain's functional level has been
manually raised to the appropriate level), the GC facilitates network logons for AD-enabled
clients by providing universal group membership information for the account sending the
logon request to a domain controller. This applies not only to regular users but also to every
type of object that must authenticate to AD (including computers). In multi-domain networks,
at least one domain controller acting as a GC must be available for users to log on. Another
situation that requires a GC server occurs when a user attempts to log on with a user principal
name (UPN) other than the default. If a GC server is not available in these circumstances,
users can log on only to the local computer, or to the domain with credentials the workstation
cached from an earlier logon (the one exception is members of the Domain Admins group,
who do not require a GC server in order to log on to the network).
Directory searches and queries: With AD, read requests such as directory searches and
queries far outweigh write-oriented requests such as directory updates (for example, by an
administrator or during replication). The majority of AD-related network traffic consists of
requests from users, administrators, and applications about objects in the directory. As a
result, the GC is essential to the network infrastructure because it allows clients to quickly
perform searches across all domains within a forest.
(Although mixed-mode Win2K domains do not require the GC for the network logon
authentication process, GCs are still important in facilitating directory queries and searches
on these networks and should therefore be made available at each site within the network.)
========================

Configure a New Global Catalog in Windows Server 2003

How can I configure a Windows Server 2003 as a Global Catalog?
To configure a Windows Server 2003 Domain Controller as a GC server, perform the
following steps:
1. Start the Microsoft Management Console (MMC) Active Directory Sites and
Services Manager. (From the Start menu, select Programs, Administrative
Tools, Active Directory Sites and Services Manager).
2. Select the Sites branch.
3. Select the site that owns the server, and expand the Servers branch.
4. Select the server you want to configure.
5. Right-click NTDS Settings, and select Properties.
6. Select or clear the Global Catalog Server checkbox.
7. Click Apply, OK.
You must allow for the GC to replicate itself throughout the forest. This process might take
anywhere between 10-15 minutes to even several days, depending on your AD
infrastructure.
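The same change as steps 5-7, made and verified from PowerShell, as an added example that is not part of the original page. The Global Catalog checkbox sets bit 0x1 of the "options" attribute on the DC's NTDS Settings object; the script assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT or later) and uses the hypothetical names dc02 and contoso.com.

```powershell
# Added example, not from the original page. Requires the ActiveDirectory module and
# rights to write the Configuration partition (Enterprise Admins by default).
# Names dc02 and contoso.com are hypothetical.
Import-Module ActiveDirectory

$IS_GC = 0x1   # NTDSDSA_OPT_IS_GC bit of the NTDS Settings "options" attribute

function Set-GlobalCatalogFlag {
    param(
        [string]$DcName  = 'dc02',         # hypothetical DC
        [string]$Domain  = 'contoso.com',  # hypothetical domain
        [bool]  $Enabled = $true
    )
    $dc   = Get-ADDomainController -Identity $DcName -Server $Domain
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options -Server $Domain
    $old  = [int]$ntds.options           # absent attribute reads as 0
    $new  = if ($Enabled) { $old -bor $IS_GC } else { $old -band (-bnot $IS_GC) }

    if ($new -ne $old) {
        # Equivalent to ticking/clearing "Global Catalog Server" and clicking Apply.
        Set-ADObject -Identity $ntds.DistinguishedName -Replace @{ options = $new } -Server $Domain
    }
    [pscustomobject]@{
        Server     = $dc.HostName
        OptionsOld = ('0x{0:X}' -f $old)
        OptionsNew = ('0x{0:X}' -f $new)
        Changed    = ($new -ne $old)
    }
}

Set-GlobalCatalogFlag -DcName 'dc02' -Domain 'contoso.com' -Enabled $true

# Verification after the replication delay described above: the DC only advertises as a GC
# once it holds a partial replica of every domain partition in the forest. IsGlobalCatalog
# reflects the flag; the DC locator query shows whether clients will actually find it.
Get-ADDomainController -Filter { IsGlobalCatalog -eq $true } -Server 'contoso.com' |
    Select-Object HostName, Site, IsGlobalCatalog
nltest /dsgetdc:contoso.com /gc
```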

=====================

How can we manually delete a server object from the Active Directory database in case of a
bad DCPROMO procedure?
The DCPROMO (Dcpromo.exe) utility is used for promoting a server to a domain controller
and demoting a domain controller to a member server (or to a standalone server in a
workgroup if the domain controller is the last in the domain). As part of the demotion
process, the DCPROMO utility removes the configuration data for the domain controller
from the Active Directory. This data takes the form of an "NTDS Settings" object, which
exists as a child to the server object in the Active Directory Sites and Services Manager.
The information is in the following location in the Active Directory: CN=NTDS
Settings,CN=<servername>,CN=Servers,CN=<sitename>,CN=Sites,CN=Configuration,DC=<domain>...
The attributes of the NTDS Settings object include data representing how the domain
controller is identified in respect to its replication partners, the naming contexts that are
maintained on the machine, whether or not the domain controller is a Global Catalog server,
and the default query policy. The NTDS Settings object is also a container that may have
child objects that represent the domain controller's direct replication partners. This data is
required for the domain controller to operate within the environment, but is retired upon
demotion. In the event that the NTDS Settings object is not removed properly (for example,
the NTDS Settings object is not properly removed from a demotion attempt), the
administrator can use the Ntdsutil.exe utility to manually remove the NTDS Settings object.
The following steps list the procedure for removing the NTDS Settings object in the Active
Directory for a given domain controller. At each NTDSUTIL menu, the administrator can
type help for more information about the available options.
Caution: The administrator should also check that replication has occurred since the
demotion before manually removing the NTDS Settings object for any server. Using the
NTDSUTIL utility improperly can result in partial or complete loss of Active Directory
functionality.
Procedure
1. Click Start, point to Programs, point to Accessories, and then click Command Prompt.
At the command prompt, type
ntdsutil
and then press ENTER.
2. Type
metadata cleanup
and then press ENTER. Based on the options given, the administrator can perform the
removal, but additional configuration parameters need to be specified before the removal can
occur.
3. Type
connections
and press ENTER. This menu is used to connect to the specific server on which the changes
occur. If the currently logged on user does not have administrative permissions, alternate
credentials can be supplied by specifying the credentials to use before making the connection.
To do so, type
set creds <domain name> <user name> <password>
and press ENTER. For a null password, type null for the password parameter.
4. Type
connect to server <servername>
and then press ENTER. You should receive confirmation that the connection is successfully
established. If an error occurs, verify that the domain controller being used in the connection
is available and the credentials you supplied have administrative permissions on the server.
Note: If you try to connect to the same server that you want to delete, when you try to delete
the server that step 15 refers to, you may receive the following error message:
Error 2094. The DSA Object cannot be deleted 0x2094
Note: Windows Server 2003 Service Pack 1 eliminates the need for steps 3 and 4.
5. Type
quit
and then press ENTER. The Metadata Cleanup menu appears.
6. Type
select operation target
and press ENTER.
7. Type
list domains
and press ENTER. A list of domains in the forest is displayed, each with an associated
number.
8. Type
select domain <number>
and press ENTER, where <number> is the number associated with the domain of which the
server you are removing is a member. The domain you select is used to determine if the
server being removed is the last domain controller of that domain.
9. Type
list sites
and press ENTER. A list of sites, each with an associated number, is displayed.
10. Type
select site <number>
and press ENTER, where <number> is the number associated with the site of which the server
you are removing is a member. You should receive a confirmation listing the site and domain
you chose.
11. Type
list servers in site
and press ENTER. A list of servers in the site, each with an associated number, is displayed.
12. Type
select server <number>
where <number> is the number associated with the server you want to remove. You receive a
confirmation listing the selected server, its Domain Name Server (DNS) host name, and the
location of the server's computer account you want to remove.
13. Type
quit
and press ENTER. The Metadata Cleanup menu appears.
14. Type
remove selected server
and press ENTER. You should receive confirmation that the removal completed successfully.
If you receive the following error message:
Error 8419 (0x20E3) The DSA object could not be found
the NTDS Settings object may already have been removed from the Active Directory as the result
of another administrator removing the NTDS Settings object, or of replication of the successful
removal of the object after running the DCPROMO utility.
Note: You may also see this error when you attempt to bind to the domain controller that is
going to be removed. Ntdsutil needs to bind to a domain controller other than the one that is
going to be removed with metadata cleanup.
15. Type
quit
at each menu to quit the NTDSUTIL utility. You should receive confirmation that the
connection disconnected successfully.
16. Remove the cname record in the _msdcs.<root domain of forest> zone in DNS.
Assuming that the DC is going to be reinstalled and re-promoted, a new NTDS Settings
object is created with a new globally unique identifier (GUID) and a matching cname
record in DNS. You do not want the DCs that exist to use the old cname record.
As best practice you should delete the hostname and other DNS records. If the lease time that
remains on the Dynamic Host Configuration Protocol (DHCP) address assigned to the offline
server is exceeded, then another client can obtain the IP address of the problem DC.
Now that the NTDS Settings object has been deleted we can now delete the following objects:
1. Use ADSIEdit to delete the computer account in the OU=Domain
Controllers,DC=domain...
Note: The FRS subscriber object is deleted when the computer object is deleted, since it is a
child of the computer account.
2. Use ADSIEdit to delete the FRS member object in CN=Domain System Volume
(SYSVOL share),CN=file replication service,CN=system....
3. In the DNS console, use the DNS MMC to delete the cname (also known as the Alias)
record in the _msdcs container.
4. In the DNS console, use the DNS MMC to delete the A (also known as the Host)
record in DNS.
5. If the deleted computer was the last domain controller in a child domain and the child
domain was also deleted, use ADSIEdit to delete the trustDomain object for the child
in CN=System,DC=domain,DC=domain, Domain NC.
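The whole procedure above replayed non-interactively, followed by a check that none of the leftovers listed in steps 1-5 survive, as an added example that is not part of the original page. It assumes hypothetical names (dead DC DC1 in site Default-First-Site-Name of contoso.com, healthy DC DC2), the ActiveDirectory and DnsServer modules (Windows Server 2012 / RSAT or later) and the ntdsutil argument syntax of Windows Server 2003 SP1 and later.

```powershell
# Added example, not from the original page. All names below are hypothetical.
Import-Module ActiveDirectory
Import-Module DnsServer

$DeadDc   = 'DC1'                       # the DC that failed demotion
$Site     = 'Default-First-Site-Name'
$Domain   = 'contoso.com'
$DomainDn = 'DC=contoso,DC=com'
$LiveDc   = 'DC2.contoso.com'           # bind here, never to the DC being removed (error 2094)

$serverDn = "CN=$DeadDc,CN=Servers,CN=$Site,CN=Sites,CN=Configuration,$DomainDn"
$ntdsDn   = "CN=NTDS Settings,$serverDn"
$frsDn    = "CN=$DeadDc,CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System,$DomainDn"

# Capture the NTDS Settings objectGUID first: it is the name of the CNAME in _msdcs (step 16).
$ntds = Get-ADObject -Identity $ntdsDn -Server $LiveDc -Properties objectGUID -ErrorAction SilentlyContinue
$dsaGuid = if ($ntds) { $ntds.objectGUID.Guid } else { $null }

if ($ntds) {
    # ntdsutil takes its menu commands as quoted arguments; "remove selected server <DN>"
    # replaces the list/select steps 6-12. ntdsutil still asks for confirmation.
    & ntdsutil "metadata cleanup" "connections" "connect to server $LiveDc" "quit" `
        "remove selected server $serverDn" "quit" "quit"
}

# Each probe should report "absent"; anything "STILL PRESENT" is a leftover to remove by hand
# with ADSIEdit or the DNS console, as in steps 1-5 above.
function Test-Gone {
    param([string]$What, [scriptblock]$Probe)
    $found = try { & $Probe } catch { $null }
    [pscustomobject]@{ Item = $What; State = $(if ($found) { 'STILL PRESENT' } else { 'absent' }) }
}

$checks = @(
    Test-Gone 'NTDS Settings object'      { Get-ADObject -Identity $ntdsDn -Server $LiveDc -ErrorAction Stop }
    Test-Gone 'Server object under Sites' { Get-ADObject -Identity $serverDn -Server $LiveDc -ErrorAction Stop }
    Test-Gone 'Computer account'          { Get-ADComputer -Identity $DeadDc -Server $LiveDc -ErrorAction Stop }
    Test-Gone 'FRS member object'         { Get-ADObject -Identity $frsDn -Server $LiveDc -ErrorAction Stop }
    Test-Gone "A record $DeadDc.$Domain"  { Get-DnsServerResourceRecord -ComputerName $LiveDc -ZoneName $Domain -RRType A -Name $DeadDc -ErrorAction Stop }
)
if ($dsaGuid) {
    # Assumes the default DNS layout where _msdcs.<forest root> is its own forest-wide zone.
    $checks += Test-Gone "_msdcs CNAME $dsaGuid" {
        Get-DnsServerResourceRecord -ComputerName $LiveDc -ZoneName "_msdcs.$Domain" -RRType CName -Name $dsaGuid -ErrorAction Stop }
}
$checks | Format-Table -AutoSize
```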
=================
Netdom Guide

Netdom is a command-line tool that is built into Windows Server 2008 and Windows
Server 2008 R2. It is available if you have the Active Directory Domain Services (AD DS)
server role installed. It is also available if you install the Active Directory Domain Services
Tools that are part of the Remote Server Administration Tools (RSAT).
You can use netdom to:
- Join a computer that runs Windows XP Professional, Windows Vista, or Windows 7 to a
  Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, Windows 2000, or
  Windows NT 4.0 domain.
  o Provide an option to specify the organizational unit (OU) for the computer account.
  o Generate a random computer password for an initial Join operation.
- Manage computer accounts for domain member workstations and member servers.
  Management operations include:
  o Add, Remove, Query.
  o An option to specify the OU for the computer account.
  o An option to move an existing computer account for a member workstation from one
    domain to another while maintaining the security descriptor on the computer account.
- Establish one-way or two-way trust relationships between domains, including the
  following kinds of trust relationships:
  o From a Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server
    2008 R2 domain to a Windows NT 4.0 domain.
  o From a Windows 2000, Windows Server 2003, Windows Server 2008, or Windows Server
    2008 R2 domain to a Windows 2000, Windows Server 2003, Windows Server 2008, or
    Windows Server 2008 R2 domain in another enterprise.
  o Between two Windows 2000, Windows Server 2003, Windows Server 2008, or Windows
    Server 2008 R2 domains in an enterprise (a shortcut trust).
  o The Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or Windows
    2000 Server half of an interoperable Kerberos protocol realm.
- Verify or reset the secure channel for the following configurations:
  o Member workstations and servers.
  o Backup domain controllers (BDCs) in a Windows NT 4.0 domain.
  o Specific Windows Server 2008 R2, Windows Server 2008, Windows Server 2003, or
    Windows 2000 replicas.
- Manage trust relationships between domains, including the following operations:
  o Enumerate trust relationships (direct and indirect).
  o View and change some attributes on a trust.
Syntax
Netdom uses the following general syntaxes:
NetDom <Operation> [<Computer>] [{/d: | /domain:} <Domain>] [<Options>]
NetDom help <Operation>

Commands
Command - Description
Netdom add - Adds a workstation or server account to the domain.
Netdom computername - Manages the primary and alternate names for a computer. This
command can safely rename Active Directory domain controllers as well as member servers.
Netdom join - Joins a workstation or member server to a domain. The act of joining a computer
to a domain creates an account for the computer on the domain, if it does not already exist.
Netdom move - Moves a workstation or member server to a new domain. The act of moving a
computer to a new domain creates an account for the computer on the domain, if it does not
already exist.
Netdom query - Queries the domain for information such as membership and trust.
Netdom remove - Removes a workstation or server from the domain.
Netdom movent4bdc - Renames a Windows NT 4.0 backup domain controller to reflect a domain
name change. This can assist in Windows NT 4.0 domain renaming efforts.
Netdom renamecomputer - Renames a domain computer and its corresponding domain account.
Use this command to rename domain workstations and member servers only. To rename domain
controllers, use the netdom computername command.
Netdom reset - Resets the secure connection between a workstation and a domain controller.
Netdom resetpwd - Resets the computer account password for a domain controller.
Netdom trust - Establishes, verifies, or resets a trust relationship between domains.
Netdom verify - Verifies the secure connection between a workstation and a domain controller.

Remarks
- A trust relationship is a defined affiliation between domains that enables
  pass-through authentication.
- A one-way trust relationship between two domains means that one domain
  (the trusting domain) allows users who have accounts on the other domain
  (the trusted domain), access to its resources.
- The one-way trust relationship described here is helpful in master domain
  models, but it is not the only kind of trust relationship. When two one-way
  trusts are established between domains, it is known as a two-way trust. In
  two-way trusts, each domain treats the users from the trusted (and
  trusting) domain as its own users.
- By default, only the result of an operation is reported. For example, if you
  use the Join operation, you see output similar to the following:
  success: mywksta joined to mycompany domain
  If you specify the /verbose parameter, the output lists the success or
  failure of each transaction that is necessary to perform the operation. For
  example, this time when you use the Join operation, you see output similar
  to the following:
  success: adding machine account for mywksta to mycompany domain
  success: configuring lsa on mywksta
  success: mywksta joined to mycompany domain
- The /reboot parameter specifies that the computer being acted upon by
  the specified netdom operation is shut down and automatically rebooted
  after the completion of the operation. When you specify the /reboot
  parameter, the following message and a countdown timer display on the
  workstation screen, prior to the Restart operation:
  The system is shutting down. Please save all work in progress and logoff. Any unsaved
  changes will be lost. This shutdown was initiated because the domain which this machine
  belongs to was changed by nnn.
  For nnn, netdom substitutes the name of the administrator that you enter
  by using the /uo parameter.
- The default delay before the computer restarts is 20 seconds.
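A secure-channel and trust health check that wraps the netdom verify, netdom reset and netdom query commands from the table above, as an added example that is not part of the original page. The domain mycompany and the member names are hypothetical; /po:* makes netdom prompt for the password rather than taking it on the command line.

```powershell
# Added example, not from the original page. Run as a domain administrator.
$Domain  = 'mycompany'                     # hypothetical domain
$Admin   = "$Domain\Administrator"         # passed via /uo; also the name shown as "nnn" with /reboot
$Servers = @('mywksta', 'fileserver01')    # constructed list of members to check

$report = foreach ($s in $Servers) {
    # By default only the result is reported; /verbose lists every transaction performed.
    $out = & netdom verify $s /domain:$Domain /uo:$Admin /po:* /verbose 2>&1
    $ok  = ($LASTEXITCODE -eq 0)
    $fixed = $null
    if (-not $ok) {
        # Re-establish the computer account password on both the member and the DC.
        # The local equivalent, run on the member itself, is Test-ComputerSecureChannel -Repair.
        & netdom reset $s /domain:$Domain /uo:$Admin /po:* | Out-Null
        $fixed = ($LASTEXITCODE -eq 0)
    }
    [pscustomobject]@{
        Computer        = $s
        SecureChannelOk = $ok
        ResetSucceeded  = $fixed
        Detail          = ($out -join ' | ')
    }
}
$report | Format-Table -AutoSize

# Trusts: enumerate direct and indirect trust relationships, then verify each of them.
& netdom query /domain:$Domain trust
& netdom query /domain:$Domain /verify trust

# This machine's own secure channel, without netdom.
Test-ComputerSecureChannel -Verbose
```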

==================

Replmon.exe Command
Replmon is the first tool you should use when troubleshooting Active Directory replication
issues. As it is a graphical tool, replication issues are easy to see and somewhat easier to
diagnose than using its command line counterparts. The purpose of this document is to guide
you in how to use it, list some common replication errors and show some examples of when
replication issues can stop other network installation actions.
Symptoms of Replication Faults
- Failure to extend the schema: The Active Directory schema has to be extended for
  many reasons. Two of the most common are:
  o When installing an Exchange 200x server (by running setup.exe /forestprep
    and /domainprep)
  o When adding a 2003 Domain Controller to a Windows 2000 Active Directory
    network (by running adprep /forestprep and /domainprep).
  If there is a replication issue with any of the domain controllers on the Schema
  partition, the Schema will not allow any extension.
- Failure to DCPromo a new Domain Controller: When installing a new Domain
  Controller, the wizard waits until Active Directory is fully synchronised before
  continuing. Replication issues would cause this to hang at this point. (Although it can
  be forced to wait until later, this would only put off the problem).
- Installation of Active Directory aware software: Software that creates a new user
  account per network or writes to the Active Directory could fail or produce
  ambiguous errors when replication issues exist on the network.
- Any recent warnings or errors in the File Replication Service log in Event Viewer.
- Any recent NTDS Replication Errors in the Directory Service log in Event Viewer.
How to Use Replmon
To use Replmon, log on to a Domain Controller, select Start|Run, type Replmon, and click OK.
You will be presented with the following screen:
Right click on the Monitored Servers icon and select Add Monitored Server...
Select the Search the directory for the server to add radio button.
Ensure the correct domain populates in the drop down list, and click Next.
Select an appropriate server from the list of Domain Controllers:
- If you know you are experiencing issues with a particular domain controller, choose
  that server.
- If you are checking general replication, or are not sure where the fault lies, choose the
  Forest Root.
- On larger networks, you will need to choose more than one server depending on the
  replication topology. (For information on viewing the replication topology, see Appendix A.)
Click Finish.
If your Active Directory contains only Windows 2000 domain controllers, you will see three
Directory partitions.
If your Active Directory Forest Root is Windows 2003 you will see five Directory partitions.
By expanding the + on each directory partition you will be able to see each of the server's
replication partners. Selecting one on the left shows the last replication attempt in the right
hand pane.
If there are any replication issues, the partitions on the domain controller the server cannot
replicate with will show a red x.
Highlighting one of the problem replication partner servers will then show more verbose
error messages in the logs pane explaining why it could not replicate.

Troubleshooting Replication Issues
Step 1: Check validity of replication partners
Perhaps an obvious step, but there can be replication issues when there are servers present in
the replication topology that are no longer connected to the network. Look for replication
agreements with non-existent servers, servers that have been forcibly removed from the
domain or are simply turned off.
Step 2: Force replication
The last scheduled replication attempt could have failed for unaccountable reasons, but the
failure cause may no longer be an issue. Get an accurate current understanding of the
situation by right clicking on the replication partner server in each of the partitions and
selecting Synchronise with this Replication Partner.
Then refresh the Tree view by pressing F5. Re-check the replication status in the right hand
logs pane.
Step 3: General IP checks
Doesn't matter if you've done them, do them all again now! From a command prompt:
- Can you ping the IP address of the destination server? e.g. Ping 192.168.3.201
  If not: The issue will either be hardware (cable, switch, NIC, check all physical
  connections) or incorrect configuration of a server's (either destination or host server)
  IP details. Check the NIC's IP address and Subnet Mask.
- Can you ping the NetBIOS name of the destination server? e.g. Ping Replicadc1
  If not: The issue will be a name resolution issue. Check there is an A host entry in the
  domain's Forward Lookup zone. Check the NIC IP properties and ensure the Forest
  Root IP is entered as the Preferred DNS Server.
- Can you ping the FQDN of the destination server? e.g. Ping Replicadc1.RMTDS.Internal
  If not: The issue will be a DNS issue. Check as above, also check the NIC's IP
  Advanced Properties and ensure the correct DNS Suffix is being used. Open the DNS
  admin console and ensure there is a populated Forward Lookup zone for the domain.
- Can you reverse lookup the IP of the destination server? e.g. Ping -a 192.168.3.201
  If not: You have a reverse lookup zone issue. Open the DNS admin console and check
  for the existence of a Reverse Lookup zone per Class C IP range, e.g.
  10.0.0.x Subnet
  10.0.1.x Subnet
  Check there is a valid PTR record for each of the Domain Controllers in the relevant
  Reverse lookup zone.
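Steps 1-3 above scripted, as an added example that is not part of the original page: the four Step 3 pings against one partner, then partner health and a forced sync through repadmin, the command-line counterpart of Replmon. It assumes Windows Server 2012 / RSAT or later (Get-ADReplicationPartnerMetadata, Resolve-DnsName) and the hypothetical partner Replicadc1.RMTDS.Internal at 192.168.3.201.

```powershell
# Added example, not from the original page. Names and addresses are hypothetical.
Import-Module ActiveDirectory

function Test-ReplicationPartner {
    param(
        [string]$Name = 'Replicadc1',                # NetBIOS name
        [string]$Fqdn = 'Replicadc1.RMTDS.Internal', # FQDN
        [string]$Ip   = '192.168.3.201'              # expected IP address
    )
    $r = [ordered]@{}
    # IP reachable? Failure points at hardware or IP/subnet mask configuration.
    $r.PingIp   = Test-Connection -ComputerName $Ip   -Count 2 -Quiet
    # NetBIOS name resolves and answers? Failure points at the A record / preferred DNS server.
    $r.PingName = Test-Connection -ComputerName $Name -Count 2 -Quiet
    # FQDN resolves? Failure points at the DNS suffix / forward lookup zone.
    $r.PingFqdn = Test-Connection -ComputerName $Fqdn -Count 2 -Quiet
    # Reverse lookup, the equivalent of "ping -a": needs a PTR record in the reverse zone.
    $ptr = Resolve-DnsName -Name $Ip -Type PTR -ErrorAction SilentlyContinue
    $r.Ptr        = if ($ptr) { ($ptr | Select-Object -First 1).NameHost } else { $null }
    $r.PtrMatches = ($null -ne $r.Ptr) -and ($r.Ptr.TrimEnd('.') -ieq $Fqdn)
    [pscustomobject]$r
}

Test-ReplicationPartner | Format-List

# Step 1: agreements with servers that no longer exist show up as partners with a growing
# failure count and a last success far in the past.
$me = $env:COMPUTERNAME
Get-ADReplicationPartnerMetadata -Target $me -PartnerType Both |
    Select-Object Partition, Partner, LastReplicationSuccess,
                  ConsecutiveReplicationFailures, LastReplicationResult |
    Sort-Object ConsecutiveReplicationFailures -Descending | Format-Table -AutoSize

# Step 2: force replication with every partner for every partition, then re-read the status
# (the command-line equivalent of "Synchronize ..." followed by F5 in Replmon).
repadmin /syncall $me /AdeP
repadmin /showrepl $me
```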
Appendix A - Other Replmon functions
By right clicking the server you have selected to view Replication agreements from, you will
see a range of options. A few of them are detailed below.
Update Status - This will recheck the replication status of the server. The time of the
updated status is logged and displayed in the right hand pane.
Check Replication Topology - This will cause the Knowledge Consistency Checker (KCC)
to recalculate the replication topology for the server.
Synchronize Each Directory Partition with All Servers - This will start immediate
replication for all of the server's directory partitions with each replication partner.
Generate Status Report - Creates and saves a verbose status report in the form of a log file.
Show Domain Controllers in Domain - Shows a list of all known Domain Controllers.
Show Replication Topologies - Shows a graphical view of the replication topology. Click
View on the menu and select Connection Objects only. Then right click each server, and
select Show Intra/Inter-site connections.
Show Group Policy Object Status - Shows a list of all the Domain's Group Policies and
their respective AD and Sysvol version numbers.
========================
Manually Undeleting Objects in Active Directory

An administrator might sometimes need to restore deleted objects from the Active Directory
database. You see, when an object is deleted from Active Directory, it is not immediately
erased, but is marked for future deletion. The marker used to designate that an AD object is
scheduled to be destroyed is called a "tombstone". A tombstone is an object whose IsDeleted
property has been set to True, and it indicates that the object has been deleted but not removed
from the directory, much like a deleted file is removed from the file allocation table but the
data is not actually removed from the drive. The directory service moves tombstoned objects
to the Deleted Objects container, where they remain until the garbage collection process
removes the objects. The length of time tombstoned objects remain in the directory service
before being deleted is either 60 days for Windows 2000/2003 Active Directory, or 180 days
for Windows Server 2003 SP1 Active Directory (by default).
There are several methods of reanimating tombstoned objects from the Active Directory.
Some are listed in my "Recovering Deleted Items in Active Directory" article. Another
method is to manually recover these items, a process called "Reanimation".
To manually undelete objects in a deleted object's container, follow these steps:
1. Click Start, click Run, and then type LDP.exe.
Note: If the LDP.exe utility is not installed, install the support tools from the Windows Server
2003 installation CD, or get them from Windows 2003 SP1 Support Tools.
2. Use the Connection menu in LDP to perform the connect operations and
the bind operations to a Windows Server 2003 domain controller. Specify domain
administrator credentials during the bind operation.
3. Click Options > Controls.
4. In the Load Predefined list, click Return Deleted Objects. Under Control Type,
click Server, and then click OK.
5. Click View > Tree. Now type the distinguished name path of the deleted objects
container in the domain where the deletion occurred, and then click OK.
Note: The distinguished name path is also known as the DN path. For example, if the deletion
occurred in the petri.local domain, the DN path would be the following path:
cn=deleted Objects,dc=petri,dc=local
6. In the left pane of the window, double-click the Deleted Object Container.
Note: As a search result of an LDAP query, only 1000 objects are returned by default. For
example, if more than 1000 objects exist in the Deleted Objects container, not all objects
appear in this container. If your target object does not appear, use NTDSUTIL, and then set
the maximum number by using maxpagesize to get the search results, as described in the
following KB article: How to view and set LDAP policy in Active Directory by using
Ntdsutil.exe - 315071
7. Double-click the object that you want to undelete or to reanimate.
8. Right-click the object that you want to reanimate, and then click Modify.
9. Next, change the value for the isDeleted attribute and the DN path in a single Lightweight
Directory Access Protocol (LDAP) modify operation.
To configure the Modify dialog, follow these steps:
a. In the Edit Entry Attribute box, type isDeleted. Leave the Value box blank.
b. Click the DELETE option button, and then click Enter to make the first of two entries in
the Entry List dialog.
Important: Do not click Run at this phase!!!
c. In the Attribute box, type distinguishedName. In the Values box, type the new DN path of
the reanimated object. For example, to reanimate the TestUser user account to the Sales OU,
use the following DN path:
cn=TestUser,ou=Sales,dc=petri,dc=local
Note: If you want to reanimate a deleted object to its original container, append the value of
the deleted object's lastKnownParent attribute to its CN value, and then paste the full DN
path in the Values box.
d. In the Operation box, click REPLACE. Click ENTER.
e. Click to select the Synchronous check box, and the Extended check box.
f. Click RUN. Note the results pane on the right side showing you that the operation was
successful.
10. After you reanimate the objects, click Options > Controls and click the Check
Out button to remove (1.2.840.113556.1.4.417) from the Active Controls box list.
11. Open Active Directory Users and Computers, and reset the user account passwords,
profiles, home directories and group memberships for the deleted users. You need to do this
because when the object was deleted, all the attribute values except SID, ObjectGUID,
LastKnownParent and SAMAccountName were stripped.
12. Enable the reanimated account in Active Directory Users and Computers.
Note: The restored object has the same primary SID as it had before the deletion, but the
object must be added again to the same security groups to have the same level of access to
resources. The RTM release of Windows Server 2003 does not preserve the sIDHistory
attribute on reanimated user accounts, computer accounts, and security groups; however,
Windows Server 2003 with Service Pack 1 does preserve the sIDHistory attribute on deleted
objects.
13. If you do not reset the reanimated user account's password you will get an error saying:
Windows cannot enable object TestUser because:
Unable to update the password. The value provided for the new password does
not meet the length, complexity, or history requirement of the domain.
For organizations using Exchange 2003 you need to remove Microsoft Exchange attributes
and reconnect the user to the Exchange mailbox.
In order to do so follow these steps:
- In Active Directory Users and Computers, right-click the restored user and
  select Exchange Tasks.
- Select Remove Exchange Attributes and click Ok all the way till the end of
  the wizard.
- In Exchange System Manager, navigate to the mailbox store containing
  the recovered user's mailbox. Refresh the Mailboxes node list, and if
  needed, right-click the Mailboxes node and select Run Cleanup Agent.
- Note that the deleted user's mailbox is marked with a red X.
- Right-click the deleted mailbox, select Reconnect.
- Type the reanimated user's name. Press Check Names, then click Ok.
- The mailbox is now reconnected. Wait a couple of minutes or re-run the
  Recipient Update Service from the Exchange System Manager console.
You can automate some or all of these recovery steps by using the following methods:
- Write a script that automates the manual recovery steps.
- Obtain a non-Microsoft program that supports the reanimation of deleted
  objects on Windows Server 2003 domain controllers. Read my "Recovering
  Deleted Items in Active Directory" article for more info on that.
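The "write a script" option, as an added example that is not part of the original page: LDP steps 2-9 as one LDAP session using the System.DirectoryServices.Protocols classes. It attaches the Return Deleted Objects control (OID 1.2.840.113556.1.4.417), locates the tombstone, and sends a single modify that deletes isDeleted and replaces distinguishedName, exactly what the two-entry Modify dialog does. The DC name dc01.petri.local, the user TestUser and the Sales OU are hypothetical.

```powershell
# Added example, not from the original page. Names are hypothetical; bind as a domain admin.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$P = 'System.DirectoryServices.Protocols'

function Restore-Tombstone {
    param(
        [string]$Server   = 'dc01.petri.local',   # hypothetical DC
        [string]$DomainDn = 'dc=petri,dc=local',
        [string]$Cn       = 'TestUser',            # CN of the deleted object
        [string]$TargetOu = $null                  # new parent DN; $null = original container
    )
    $conn = New-Object "$P.LdapConnection" $Server
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Bind()   # current credentials, as in the LDP bind of step 2

    # Steps 3-6: search the Deleted Objects container with the Return Deleted Objects
    # control attached. Tombstone RDNs have the form "CN=TestUser\0ADEL:<objectGUID>",
    # where \0A is an escaped line feed, hence the wildcard in the filter.
    $filter = "(&(isDeleted=TRUE)(cn=$Cn\0ADEL:*))"
    $search = New-Object "$P.SearchRequest" ("cn=Deleted Objects,$DomainDn", $filter, 'OneLevel',
                                              [string[]]@('cn', 'lastKnownParent', 'objectGUID'))
    $search.Controls.Add((New-Object "$P.ShowDeletedControl")) | Out-Null
    $entries = $conn.SendRequest($search).Entries
    if ($entries.Count -ne 1) {
        throw "expected exactly one tombstone for cn=$Cn, found $($entries.Count)"
    }
    $ts = $entries[0]

    # Note under step 9c: to put the object back where it was, lastKnownParent is the parent.
    $parent = if ($TargetOu) { $TargetOu } else { [string]$ts.Attributes['lastKnownParent'][0] }
    $newDn  = "cn=$Cn,$parent"

    # Steps 9a-9d: one modify carrying two changes, DELETE isDeleted and REPLACE distinguishedName.
    $delIsDeleted = New-Object "$P.DirectoryAttributeModification"
    $delIsDeleted.Name      = 'isDeleted'
    $delIsDeleted.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $setDn = New-Object "$P.DirectoryAttributeModification"
    $setDn.Name      = 'distinguishedName'
    $setDn.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $setDn.Add($newDn) | Out-Null

    $modify = New-Object "$P.ModifyRequest"
    $modify.DistinguishedName = $ts.DistinguishedName
    $modify.Modifications.Add($delIsDeleted) | Out-Null
    $modify.Modifications.Add($setDn) | Out-Null
    # Step 9e "Extended": the modify itself must carry the Return Deleted Objects control.
    $modify.Controls.Add((New-Object "$P.ShowDeletedControl")) | Out-Null
    $resp = $conn.SendRequest($modify)   # throws DirectoryOperationException on failure
    $conn.Dispose()
    [pscustomobject]@{ Result = $resp.ResultCode; RestoredDn = $newDn }
}

# Step 9c example: reanimate TestUser into the Sales OU. Steps 11-12 still apply afterwards:
# reset the password, re-add group memberships and enable the account, since only SID,
# objectGUID, lastKnownParent and sAMAccountName survived the deletion.
Restore-Tombstone -Cn 'TestUser' -TargetOu 'ou=Sales,dc=petri,dc=local'
```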

===========================
How to Restore Windows Server 2003 Active Directory
On the Windows Server 2003 OS, we can restore the Active Directory database if it gets corrupted or
destroyed because of hardware or software failures. We must restore the Active Directory
database when objects in Active Directory are changed or deleted.
Tombstone: In Windows Server 2003 there is an option to restore Active Directory objects
that have been deleted and are in a "tombstone". These items are hidden from the GUI and
await their cleanup by a process called "garbage collection".
Below are the three methods available to restore Active Directory from backup media:
Primary Restore, Normal Restore (i.e. Non-Authoritative), and Authoritative Restore.
Primary Restore: This rebuilds the first domain controller in a domain when
there is no other way to rebuild the domain. Perform a primary restore only when
all the domain controllers in the domain are lost, and you want to rebuild the
domain from the backup. Members of the Administrators group can perform the
primary restore on the local computer. On a domain controller, only members of the
Domain Admins group can perform this restore.
Normal Restore: This reinstates the Active Directory data to the state
before the backup, and then updates the data through the normal replication
process. Perform a normal restore for a single domain controller to a previously
known good state.
Authoritative Restore: This works in tandem with a normal restore. An authoritative
restore marks specific data as current and prevents replication from
overwriting that data. The authoritative data is then replicated through the
domain. Perform an authoritative restore for individual objects in a domain that
has multiple domain controllers. When you perform an authoritative restore, you
lose all changes to the restored object that occurred after the backup. You need to
use the NTDSUTIL command line utility to perform an authoritative restore. You
need to use it in order to mark Active Directory objects as authoritative, so that
they receive a higher version number and recently changed data on other domain controllers
does not overwrite the restored System State data during replication.
For example, if you inadvertently delete or modify objects in Active Directory, and those objects
were thereafter replicated to other DCs, you will need to authoritatively restore those objects
so they are replicated or distributed to the other servers. If you do not authoritatively restore
the objects, they will never get replicated or distributed to your other servers because they
will appear to be older than the objects currently on your other DCs. Using the NTDSUTIL
utility to mark objects for authoritative restore ensures that the data you want to restore gets
replicated or distributed throughout your organization.
On the other hand, if your system disk has failed or the Active Directory database is
corrupted, then you can simply restore the data normally without using NTDSUTIL. After
rebooting the DC, it will receive newer updates from other DCs.
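The NTDSUTIL part of an authoritative restore, scripted, as an added example that is not part of the original page. It is meant to run in Directory Services Restore Mode after the normal System State restore and before the reboot; the Sales OU in petri.local and the DCs DC01 (restored) and DC02 are hypothetical.

```powershell
# Added example, not from the original page. ntdsutil accepts its menu commands as quoted
# arguments, so the interactive session can be replayed from a script. Names are hypothetical.
function Invoke-AuthoritativeRestore {
    param(
        [Parameter(Mandatory)][string]$Dn,   # object or subtree to mark authoritative
        [switch]$Subtree                     # mark everything under $Dn, not just the object
    )
    # Refuse to run outside DSRM: ntdsutil can only mark objects while the DIT is offline.
    # Windows sets SAFEBOOT_OPTION to DSREPAIR when booted into Directory Services Restore Mode.
    if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
        throw 'Boot into Directory Services Restore Mode first (F8 at startup), then rerun.'
    }
    # "restore object"/"restore subtree" raise the version numbers of just the named objects so
    # that the copies on other DCs lose the replication conflict; "restore database" would mark
    # every object authoritative and roll the whole domain back to the backup.
    $cmd = if ($Subtree) { "restore subtree $Dn" } else { "restore object $Dn" }
    & ntdsutil "authoritative restore" $cmd quit quit
    return ($LASTEXITCODE -eq 0)   # ntdsutil's exit code; also read its console output
}

# The "inadvertently deleted" case above: the whole Sales OU and everything beneath it.
Invoke-AuthoritativeRestore -Dn 'OU=Sales,DC=petri,DC=local' -Subtree

# After the normal reboot, confirm from a second DC that the restored copy is the one that wins:
# /showobjmeta lists the per-attribute version numbers and originating DC, so the restored
# object should show the raised versions with DC01 as origin, and then be present on DC02.
repadmin /showobjmeta DC01 "CN=TestUser,OU=Sales,DC=petri,DC=local"
Get-ADObject -Identity 'CN=TestUser,OU=Sales,DC=petri,DC=local' -Server DC02 -Properties whenChanged
```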

=========================

How to Restore Windows Server 2003 Active Directory


In Windows Server 2003 we can restore the Active Directory database if it gets corrupted or
destroyed because of hardware or software failures. We must also restore the Active Directory
database when objects in Active Directory have been changed or deleted and need to be recovered.
Tombstone: In Windows Server 2003 there is an option to restore Active Directory objects
that have been deleted and are in a "tombstone" state. These items are hidden from the GUI and
await their cleanup by a process called "garbage collection".
Below are the three methods available to restore Active Directory from backup media:
Primary Restore, Normal Restore (i.e. Non-Authoritative), and Authoritative Restore.
Primary Restore: This rebuilds the first domain controller in a domain when there is no other
way to rebuild the domain. Perform a primary restore only when all the domain controllers in
the domain are lost and you want to rebuild the domain from the backup. Members of the
Administrators group can perform the primary restore on the local computer. On a domain
controller, only members of the Domain Admins group can perform this restore.

Normal Restore: This reinstates the Active Directory data to the state captured in the backup,
and then updates the data through the normal replication process. Perform a normal restore to
bring a single domain controller back to a previously known good state.

Authoritative Restore: This works in tandem with a normal restore. An authoritative restore
marks specific data as current and prevents replication from overwriting that data. The
authoritative data is then replicated through the domain. Perform an authoritative restore for
individual objects in a domain that has multiple domain controllers. When you perform an
authoritative restore, you lose all changes to the restored objects that occurred after the
backup. You need to use the NTDSUTIL command-line utility to perform an authoritative
restore: it marks Active Directory objects as authoritative so that they receive a higher version
number, and recently changed data on other domain controllers then does not overwrite the
restored System State data during replication.

For example, if you inadvertently delete or modify objects in Active Directory, and those objects
were thereafter replicated to other DCs, you will need to authoritatively restore those objects
so they are replicated or distributed to the other servers. If you do not authoritatively restore
the objects, they will never get replicated or distributed to your other servers, because they
will appear to be older than the objects currently on your other DCs. Using the NTDSUTIL
utility to mark objects for authoritative restore ensures that the data you want to restore gets
replicated or distributed throughout your organization.

On the other hand, if your system disk has failed or the Active Directory database is
corrupted, then you can simply restore the data normally without using NTDSUTIL. After
rebooting, the DC will receive newer updates from other DCs.

==================

Offline defragmentation of the Active Directory database


Active Directory automatically performs online defragmentation of the database at certain
intervals (by default, every 12 hours) as part of the Garbage Collection process. Online
defragmentation does not reduce the size of the database file (Ntds.dit), but instead optimizes
data storage in the database and reclaims space in the directory for new objects.
To perform offline defragmentation of the Active Directory database:
1. Back up Active Directory. Windows 2000 Backup natively supports backing up Active
Directory while online. This occurs automatically when you select the option to back up
everything on the computer in the Backup Wizard, or independently by selecting to back up
the "System State" in the wizard.
2. Reboot the domain controller, select the appropriate installation from the boot menu, and
press F8 to display the Windows 2000 Advanced Options menu. Choose Directory Services
Restore Mode and press ENTER. Press ENTER again to start the boot process.
3. Log on using the Administrator account with the password defined for the local
Administrator account in the offline SAM. For more information about the use of the offline
SAM database.
4. Click Start, point to Programs, point to Accessories, and then click Command Prompt. At
the command prompt, type ntdsutil, and then press ENTER.
5. Type files, and then press ENTER.
6. Type info, and then press ENTER. This displays current information about the path and
size of the Active Directory database and its log files. Note the path.
7. Establish a location that has enough drive space for the compacted database to be stored.
8. Type compact to drive:\directory, and then press ENTER, where drive and directory is the
path to the location you established in the previous step.
Note: You must specify a directory path. If the path contains any spaces, the entire path must
be surrounded by quotation marks. For example, type:
compact to "c:\new folder"
9. A new database named Ntds.dit is created in the path you specified.
10. Type quit, and then press ENTER. Type quit again to return to the command prompt.
11. If defragmentation succeeds without errors, follow the Ntdsutil.exe on-screen
instructions. Delete all the log files in the log directory by typing the following command:
del drive:\pathToLogFiles\*.log
Copy the new Ntds.dit file over the old Ntds.dit file in the current Active Directory database
path that you noted in step 6.
Note: You do not have to delete the Edb.chk file.
12. Restart the computer normally.
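The steps above are typed interactively at the ntdsutil prompt. The PowerShell script below is an added example, not part of the original article: it performs the pre-flight checks a practitioner wants before step 8 (it reads the database and log paths that "files info" reports from the NTDS Parameters registry key and confirms the destination has room for a full copy) and then issues the same compact command non-interactively, since ntdsutil accepts its menu commands as arguments. It assumes it runs on the DC itself in Directory Services Restore Mode; the destination folder C:\NtdsCompact is an assumed value to adapt, and the copy-over and log deletion of step 11 are deliberately left manual so the new file can be checked before it replaces the live one.

```powershell
# Added example, not from the original article: pre-flight checks plus the
# ntdsutil compaction call for the offline defragmentation procedure above.
# Assumes it runs on the domain controller itself in Directory Services Restore Mode.
param(
    # Assumed destination for the compacted copy; must not contain spaces (see below).
    [string]$Target = 'C:\NtdsCompact'
)

# "ntdsutil files info" prints these paths; NTDS also keeps them in the registry,
# which is the easier place to read them from a script.
$ntdsParams = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $ntdsParams.'DSA Database file'
$logPath = $ntdsParams.'Database log files path'

if ($Target -match '\s') {
    # A path with spaces must be wrapped in quotes for ntdsutil (note at step 8), and nesting
    # those quotes inside an argument PowerShell hands to a native exe is error-prone.
    throw "Choose a destination without spaces, or type the quoted compact command by hand."
}

# Step 7: the destination needs room for a full copy of the database plus working space.
$dbSize = (Get-Item -Path $dbFile).Length
$drive  = (Split-Path -Path $Target -Qualifier).TrimEnd(':')
$free   = (Get-PSDrive -Name $drive).Free
if ($free -lt [long]($dbSize * 1.2)) {
    throw ("Not enough free space on {0}: for a compacted copy of {1} ({2:N0} bytes)" -f $drive, $dbFile, $dbSize)
}
New-Item -ItemType Directory -Path $Target -Force | Out-Null

# Step 8, non-interactively: the same "files" menu command, then quit twice.
& ntdsutil.exe files "compact to $Target" quit quit
if ($LASTEXITCODE -ne 0) {
    throw "ntdsutil compact failed with exit code $LASTEXITCODE; do not replace the live database."
}

# Step 11 is left manual on purpose: keep the old Ntds.dit until the copy is verified.
Write-Host "Compacted copy:  $Target\ntds.dit"
Write-Host "Live database:   $dbFile"
Write-Host "Log directory:   $logPath   (delete *.log here after copying the new file over the old one)"
Write-Host "Before step 12, run: ntdsutil files integrity quit quit   (keep the old Ntds.dit until it passes)"
```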

=====================

DSRM Administrator Password Reset

1. Click Start, click Run, type ntdsutil, and then click OK.
2. At the Ntdsutil command prompt, type set dsrm password.
3. At the DSRM command prompt, type one of the following lines:
   o To reset the password on the server on which you are working, type reset password on
     server null. The null variable assumes that the DSRM password is being reset on the local
     computer. Type the new password when you are prompted. Note that no characters appear
     while you type the password.
   -or-
   o To reset the password for another server, type reset password on server servername,
     where servername is the DNS name for the server on which you are resetting the DSRM
     password. Type the new password when you are prompted. Note that no characters appear
     while you type the password.
4. At the DSRM command prompt, type q.
5. At the Ntdsutil command prompt, type q to exit.

=====================

Guide to Active Directory Sites and Services


Sites

A site is a region of your network with high-bandwidth connectivity and, by definition, is a
collection of well-connected computers based on Internet Protocol (IP) subnets. Because
sites control how replication occurs, changes made with the Sites and Services snap-in affect
how efficiently domain controllers (DCs) within a domain (but separated by great distances)
can communicate.
A site is separate in concept from Windows 2000-based domains because a site may span
multiple domains, and a domain may span multiple sites. Sites are not part of your domain
namespace. Sites control replication of your domain information and help to determine
resource proximity. For example, a workstation will select a DC within its site with which to
authenticate.

To ensure that the Active Directory service in the Windows 2000 operating system can
replicate properly, a service known as the Knowledge Consistency Checker (KCC) runs on all
DCs and automatically establishes connections between individual computers in the same
site. These are known as Active Directory connection objects. An administrator can establish
additional connection objects or remove connection objects, but at any point where
replication within a site becomes impossible or has a single point of failure, the KCC steps in
and establishes as many new connection objects as necessary to resume Active Directory
replication.
Replication between sites is assumed to occur on either higher cost or slower speed
connections. As such, the mechanism for inter-site (between site) replication permits the
selection of alternative transports, and is established by creating Site Links and Site Link
Bridges.
Default-First-Site

Your first site was set up automatically when you installed Windows 2000 Server on the first
domain controller in your enterprise. The resulting first site is called Default-First-Site. You
can rename this site later or leave it as is.
The replication topology of sites on your network controls:
- Where replication occurs, such as which DCs communicate directly with which other DCs in
  the same site. Additionally, this topology controls how sites communicate with each other.
- When replication occurs. Replication between sites can be completely scheduled by the
  administrator. Replication between DCs inside the same site is notification based, where
  notifications are sent within five minutes of a change being made to an object in the domain.

All newly promoted domain controllers are placed in the Site container that applies to them
at time of installation. For example, a server bound for California might have been initially
built and configured in the Maui, Hawaii data center; therefore the Configure Your Server
wizard places the server in the Maui site. After it arrives in California, the server object can
be moved to the new site using the Sites and Services snap-in.
You can use the sites portion of the Sites and Services snap-in to:
- Display the valid sites within an enterprise. As an example, Default-First-Site might be
  renamed to a site name such as Headquarters. You can create, delete, or rename sites.
- Display the servers that participate in a site. You can delete or move servers between
  sites. (Note: Although you can also manually add servers, the task of adding a server is
  typically performed automatically during domain controller setup.)
- Display the applications that use site knowledge. The Active Directory topology is rooted
  at Sites\Default-First-Site\Servers. This contains just those servers participating in a
  specific site, regardless of domain. To view the connections for any given server, display
  Sites\Default-First-Site\Servers\{server}\NTDS Settings. For each server, there are
  connections and schedules that control replication to other servers in this site.
  o Connections. For two machines to have two-way replication, a connection must exist from
    the first machine to the second, and a complementary connection must exist from the
    second machine to the first.
  o Schedules. Within a site, pull replication of new directory deltas occurs between servers
    approximately every five minutes. Schedules are significant within a site to force
    periodic notification to in-bound partners in the event that a partner has a damaged
    connection object. This type of notification typically occurs every six hours. In
    addition, schedules are very significant in controlling pull replication between sites
    (there is no automatic five-minute replication between sites).
- Display transports and links between sites. Transports represent the protocols used to
  communicate between chosen sites (for example, IP).
- Display subnets. Subnets allow the administrator to associate ranges of IP addresses with
  sites.

Prerequisites
At a minimum, you need to set up two Windows 2000 domain controllers (DCs). Each DC
should host a different domain partition (host different Windows 2000 domains) and be
members of the same forest. This step-by-step guide assumes a parent/child relationship
between the two Windows 2000 domains.
You can create this base configuration by running through the Common
Infrastructure and Setting up Additional Domain step-by-step guides before going through the
instructions in this document.
If you are not using the common infrastructure, you need to make the appropriate changes to
this instruction set.

Using the Sites Topology Tool


1. Click Start, point to Programs, point to Administrative Tools, and then click Active
Directory Sites and Services.

Adding a Site

1. Right-click Sites in the left pane of the console, and then click New Site.
2. In the New Object - Site dialog box, type a name for the new site.
3. Select a site link object that contains the new site. If presented with a Default Site Link,
you might associate this site with it at this time. Site Links are explained later in this
document. Then click OK.
4. When the Active Directory message box appears, click OK.

You can now move computers from other sites into this site, under the NTDS Settings
container.
To move computers into a site:
1. In the Active Directory Sites and Services snap-in, right-click the computer you want to
move in the left pane and click Move; the Move Server box appears.
2. Select the site to move the computer to, and click OK.

Adding a Subnet
To define subnets for a particular site:
1. In the left pane of the console, right-click Subnets under the site name.
2. On the Action menu, click New Subnet.
3. In the New Object - Subnet box, type the subnet address and subnet mask numbers.
4. Select a Site object for this subnet in the lower pane and click OK.

If you have correctly entered the subnet, it will appear in the Subnets folder.
To associate the subnet with a site:
1. Right-click the subnet in the right pane of the console, and then click Properties.
2. In the Properties dialog box, select a site to associate with this subnet from the list box.
3. Click the Location tab and enter the name of the city; in this example, Renton. Click OK.

Site Links and Site Link Bridges


Creating a Site Link

For scheduled replication to occur between multiple sites, both sites must agree on a transport
to communicate. This will more than likely be IP-based.
1. Click the + next to Inter-Site Transports in the left pane to expand it (if it is not already
expanded). Right-click IP, and click New Site Link.
2. Enter a name for the Site Link in the New Object - Site Link dialog box, shown in Figure 7
below.
3. Select sites in the left pane, and click Add.
4. Click OK when all the sites you want to include in this site link are added to the right pane
list.

To create a link between two sites:
1. From the Inter-Site Transports node, click one of the applicable transports to select it. In
this example, IP is selected.
2. If you wish to join a site to an existing Site Link, select the link from the Sites in this Link
list in the right pane, right-click it, and then click Properties.
3. Add the site, click Apply, and then click OK.

Creating a Site Link Bridge

The process for creating a Site Link Bridge is identical to creating a Site Link; however,
instead of providing site names for the link, you're now providing Site Link names for the
bridge.

========================
Adding Custom Attributes in Active Directory

Pre-requisites

Enable Schema Updates by Means of the Registry:


1. Click Start, click Run, and then in the Open box, type regedit and press ENTER.
2. Locate and click the following registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
3. On the Edit menu, click New, and then click DWORD Value.
4. Enter the value data when the following registry value is displayed:
Value Name: Schema Update Allowed
Data Type: REG_DWORD
Base: Binary
Value Data: Type 1 to enable this feature, or 0 (zero) to disable it.
5. Quit Registry Editor.

Follow these steps to configure attributes:
1. Install the Schema snap-in (Start, Run, regsvr32 schmmgmt.dll).
2. Go to Start -> Run, type MMC and press Enter.
3. Go to File -> Add/Remove Snap-in, click Add, select Active Directory Schema and click Add.
4. Expand the Active Directory Schema and right-click Attributes.
5. Click Create Attribute.
6. The Create New Attribute window will appear.
7. In Common Name, enter ROLLNUMBER.
8. Enter the LDAP name also as ROLLNUMBER.
To get an OID, please refer to http://msdn2.microsoft.com/en-us/library/ms677620.aspx.
For our demo we have used dummy values like 1.2.3.4.5.
9. Select the appropriate syntax, which in our case is INTEGER, assuming that ROLLNUMBER
holds only integer values.
10. Mention minimum and maximum values if required. These are optional; you can leave them
blank.
11. Once created, your attribute will look as below.
12. Once the attribute is created, select Classes.
13. Expand Classes and select Person.
14. Right-click Person and select Properties.
15. Click the Attributes tab and click Add.
16. Select the attribute you created and click OK.
17. Click OK to close all property windows.
18. Go to Start -> Run and type ADSIEDIT.MSC. To run this command you may need to install
the Support Tools from the Windows installation CD.
19. In the Active Directory Service Interfaces (ADSI) Edit utility, navigate to the
Configuration container, CN=Configuration, then click CN=DisplaySpecifiers and then
CN=409.
20. In the right pane, locate and right-click CN=user-Display, and select Properties.
21. Select adminContextMenu and click Edit.
22. In the Edit Attribute box, type the following:
23. Enter the following in the empty box and click Add:
3,&ROLL NUMBER, c:\EnterAttrib.vbs
Note:
3 is the serial number.
&ROLL NUMBER is the menu text that will appear in the Users and Computers context menu.
C:\EnterAttrib.vbs is the script which will add the value to the attribute.
Please do not change the syntax.
24. Click OK to close all pop-up windows.
25. Select Configuration in the ADSI Edit panel and right-click it.
26. Click Update Schema Now.
27. These steps configure the option ROLL NUMBER on the context menu for a user in the
Microsoft Management Console (MMC) Active Directory Users and Computers snap-in.
28. You must write and place the following script on your C drive or somewhere else in your
file path (the path must match the one entered in step 23):
' EnterAttrib.vbs: shows and updates the ROLLNUMBER attribute of the user object
' whose ADsPath is passed as the first argument (the display specifier passes it).
Dim oVar, oUsr, tmp, current
Set oVar = WScript.Arguments
Set oUsr = GetObject(oVar(0))
' Reading an attribute that has no value yet raises an error, so catch it.
On Error Resume Next
current = oUsr.Get("ROLLNUMBER")
If Err.Number <> 0 Then current = "(not set)"
On Error GoTo 0
tmp = InputBox("The Roll Number of the user is: " & current & vbCrLf & _
               vbCrLf & "Enter the new Roll Number below")
If tmp <> "" Then
    oUsr.Put "ROLLNUMBER", tmp
    oUsr.SetInfo   ' write the change back to the directory
End If
Set oUsr = Nothing
WScript.Quit

How To Add Custom Attributes to the Directory Service Find List


1. Use ADSIEdit to select the Configuration namespace.
2. Expand the displaySpecifier container.
3. Expand the appropriate displaySpecifier container. For example, "409" is English.
4. View the Properties for the user-Display object.
5. Modify the attributeDisplayNames attribute by adding a value in the format:
Your_new_Attribute,friendly_name
For example, "Roll Number" looks like this:
ROLLNUMBER,Roll Number
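The two procedures above write into adminContextMenu and attributeDisplayNames on CN=user-Display. The PowerShell script below is an added example, not from the original article: it lists those values (and shellContextMenu, which uses the same format) so that what the context menu will run can be reviewed, and checks whether each referenced script is actually present on the machine the script runs on, since the path is resolved on whichever workstation the console is opened from. It assumes the English (409) container and a caller who can read the Configuration partition; the helper name Parse-ContextMenuEntry is this example's own.

```powershell
# Added example, not from the original article: review the user-Display display
# specifier entries created by the procedures above. Assumes the English (409)
# container and a caller who can read the Configuration partition.
$configNc    = ([ADSI]'LDAP://RootDSE').configurationNamingContext
$userDisplay = [ADSI]"LDAP://CN=user-Display,CN=409,CN=DisplaySpecifiers,$configNc"

function Parse-ContextMenuEntry([string]$entry) {
    # "order,&Menu text,path\to\script.vbs" for script entries (the format used above),
    # "order,{CLSID}" for the COM extensions shipped with the admin tools
    $parts = $entry -split ',', 3
    $item  = New-Object PSObject -Property @{
        Order = $parts[0].Trim(); MenuText = $null; ScriptPath = $null; Clsid = $null
    }
    if ($parts.Count -eq 3) {
        $item.MenuText   = $parts[1].Trim()
        $item.ScriptPath = $parts[2].Trim()
    } elseif ($parts.Count -eq 2) {
        $item.Clsid = $parts[1].Trim()
    }
    $item
}

Write-Host "attributeDisplayNames (LDAP name,friendly name) on CN=user-Display:"
@($userDisplay.attributeDisplayNames) | Where-Object { $_ } | ForEach-Object { Write-Host "  $_" }

foreach ($attr in 'adminContextMenu', 'shellContextMenu') {
    Write-Host "${attr}:"
    foreach ($entry in @($userDisplay.$attr) | Where-Object { $_ }) {
        $item = Parse-ContextMenuEntry $entry
        if ($item.ScriptPath) {
            # The path is resolved on the workstation the console runs on, so check it here;
            # a missing script means the menu item silently fails there.
            $state = if (Test-Path -LiteralPath $item.ScriptPath) { 'present on this host' } else { 'NOT FOUND on this host' }
            Write-Host ("  [{0}] {1} runs {2} ({3})" -f $item.Order, $item.MenuText, $item.ScriptPath, $state)
        } elseif ($item.Clsid) {
            Write-Host ("  [{0}] COM extension {1}" -f $item.Order, $item.Clsid)
        } else {
            Write-Host ("  [{0}] unrecognised entry: {1}" -f $item.Order, $entry)
        }
    }
}
```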

=========================
Changing the Tombstone Lifetime Attribute in Active Directory

The tombstone lifetime must be substantially longer than the expected replication latency
between the domain controllers. The interval between cycles of deleting tombstones must be
at least as long as the maximum replication propagation delay across the forest.
Because the expiration of a tombstone lifetime is based on the time when an object was
deleted logically, rather than on the time when a particular server received that tombstone
through replication, an object's tombstone is collected as garbage on all servers at
approximately the same time. If the tombstone has not yet replicated to a particular domain
controller, that DC never records the deletion. This is the reason why you cannot restore a
domain controller from a backup that is older than the tombstone lifetime.
By default, the Active Directory tombstone lifetime is sixty days. This value can be changed
if necessary. To change it, the tombstoneLifetime attribute of the CN=Directory Service
object in the configuration partition must be modified. This object is located here:
cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=<ForestRootDN>
Note: A longer tombstone lifetime decreases the chance that a deleted object remains in the
local directory of a disconnected DC beyond the time when the object is permanently deleted
from online DCs. The tombstone lifetime is not changed automatically when you upgrade to
Windows Server 2003 with SP1, but you can change it manually after the upgrade. New forests
that are installed with Windows Server 2003 with SP1 have a default tombstone lifetime of
180 days.
You can check your tombstone lifetime attribute by using the following command:
dsquery * "cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=<ForestRootDN>" -scope base -attr tombstonelifetime
There are several ways of modifying this attribute's value; the easiest is using ADSIEdit.

Method #1: Using ADSIEdit


The following explains how to modify this attribute's value using ADSI Edit.
Note: ADSIEdit is part of the Windows 2003 Support Tools. To get ADSIEdit you need to
install the Support Tools on your computer/DC. Read my "What are the Windows Server 2003
Support Tools? Where can I get them from?" article for more info on how to obtain the
Windows Server 2003 Support Tools.
In addition, in order to perform the following steps you'll need to be a member of the
Enterprise Admins group.
To view or change attribute values by using ADSIEdit:
1. On the Start menu, point to Run, type ADSIEdit.msc and press Enter.
2. Navigate to:
cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=<ForestRootDN>
where "ForestRootDN" is the Distinguished Name of your Active Directory forest root
domain. For example, if your domain's name is kuku.co.il, then the DN for it would be:
DC=kuku,DC=co,DC=il
3. Right-click the object and choose Properties.
4. In the resulting Properties dialog, scroll down to tombstoneLifetime, select this attribute
and choose Edit.
5. Configure the tombstone lifetime period, then press OK.
6. Click OK and then close ADSIEdit.
When you view the properties of cn=Directory Service,cn=Windows NT,cn=Services,
cn=Configuration,dc=<ForestRootDN>, a "not set" value means that the default value is in
effect. Any value that you type in the Edit Attribute box replaces the default value when you
click Set.
The default value applies as long as the attribute is not set (the initial state of the system).
Method #2: Using an LDIF file
Open Notepad and create a text file with the following content:
dn: cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,<ForestRootDN>
changetype: modify
replace: tombstoneLifetime
tombstoneLifetime: <NumberOfDays>
-
Note: Don't forget the "-" on the last line, at the end.
Here <ForestRootDN> is the Distinguished Name of your Active Directory forest root domain
and <NumberOfDays> is the new lifetime in days. For example, if your domain's name is
kuku.co.il, then the DN for it would be:
DC=kuku,DC=co,DC=il
Save this file as tombstoneLifetime.ldf (or similar).
Open the Command Prompt and type:
ldifde -i -f {Path to tombstoneLifetime.ldf}
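The section opens with the rule that a domain controller must not be restored from a backup older than the tombstone lifetime. The PowerShell script below is an added example, not from the original article: it reads tombstoneLifetime from the same Directory Service object the dsquery command targets, falls back to the 60-day default the article states when the attribute is not set (180 for forests created with Windows Server 2003 SP1, passed as a parameter), and reports whether a System State backup of a given age is still restorable. The backup date is a constructed sample input, and the function names are this example's own.

```powershell
# Added example, not from the original article: read tombstoneLifetime as the dsquery
# command above does, fall back to the default when it is unset, and say whether a
# System State backup of a given age can still be restored.
# Assumes: run as a domain user; $BackupDate is a constructed sample input.
param(
    [datetime]$BackupDate = (Get-Date).AddDays(-75),  # constructed: when the backup was taken
    [int]$DefaultLifetimeDays = 60                     # article's default; 180 for forests created with 2003 SP1
)

function Get-TombstoneLifetime([int]$default) {
    # Effective lifetime in days: the attribute value if set, otherwise the default in force
    $configNc = ([ADSI]'LDAP://RootDSE').configurationNamingContext
    $dsObject = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
    $value = $dsObject.tombstoneLifetime
    if ($value -ne $null -and "$value" -ne '') { [int]"$value" } else { $default }
}

function Test-BackupRestorable([datetime]$backup, [int]$lifetimeDays, [datetime]$now) {
    # A backup older than the tombstone lifetime would reintroduce objects that every other
    # DC has already garbage-collected, which is why the article says not to restore it.
    $age = ($now - $backup).TotalDays
    New-Object PSObject -Property @{
        AgeDays       = [math]::Floor($age)
        LifetimeDays  = $lifetimeDays
        Restorable    = ($age -lt $lifetimeDays)
        DaysRemaining = [math]::Floor($lifetimeDays - $age)
    }
}

$lifetime = Get-TombstoneLifetime $DefaultLifetimeDays
$verdict  = Test-BackupRestorable $BackupDate $lifetime (Get-Date)
$verdict | Format-List AgeDays, LifetimeDays, Restorable, DaysRemaining
if (-not $verdict.Restorable) {
    Write-Warning "This backup is older than the tombstone lifetime; take a fresh System State backup instead of restoring it."
}
```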
=======================

Install and Configure Windows Server 2003 DNS Server

Active Directory clients and client tools use DNS to locate domain controllers for
administration and logon. You must have a DNS server installed and configured for Active
Directory and the associated client software to function correctly. This article guides you
through the required DNS configuration.
Install Microsoft DNS Server

1. Click Start, point to Settings, and then click Control Panel.
2. Double-click Add/Remove Programs.
3. Click Add and Remove Windows Components.
4. The Windows Components Wizard starts. Click Next.
5. Click Networking Services, and then click Details.
6. Click to select the Domain Name System (DNS) check box, and then click OK.
7. Click OK to start server Setup. The DNS server and tool files are copied to your computer.
8. Continue to the next step to configure the DNS server.

Configure the DNS Server Using DNS Manager

These steps guide you through configuring DNS by using the DNS Manager snap-in in
Microsoft Management Console (MMC).

1. Click Start, point to Programs, point to Administrative Tools, and then click DNS
Manager. You see two zones under your computer name: Forward Lookup Zone and Reverse
Lookup Zone.
2. The DNS Server Configuration Wizard starts. Click Next. If the Wizard does not auto-start,
right-click your server name object in the DNS Manager console and choose Configure your
Server.
3. Choose to add a forward lookup zone. Click Next. The new forward lookup zone must be a
primary zone so that it can accept dynamic updates. Click Primary, and then click Next.
4. The zone name must be exactly the same as your Active Directory domain name or, in a
stand-alone or workgroup environment, the same as the suffix for all of the network
computers that are to register with this DNS server. Type the name of the zone, and then
click Next.
5. Accept the default name for the new zone file. Click Next.
6. Choose to add a reverse lookup zone now. Click Next.
7. Click Primary, and then click Next.
8. Type the name of the zone, and then click Next. The zone name should match the network
ID of your local subnet. For example, if your subnet range is from 192.168.0.1 to
192.168.0.254, type 192.168.0 in the name value.
9. Accept the default name for the new zone file. Click Next.
10. Click Finish to complete the Server Configuration Wizard.
11. After the Server Configuration Wizard is finished, DNS Manager starts. Proceed to the
next step to enable dynamic update on the zone you just added.

Enable Dynamic Update on the Forward and Reverse Lookup Zones

1. In DNS Manager, expand the DNS Server object.
2. Expand the Forward Lookup Zones folder.
3. Right-click the zone you created, and then click Properties.
4. On the General tab, click to select the Allow Dynamic Update check box, and then click OK
to accept the change.
5. Do the same for the Reverse Lookup Zone.

Enable DNS Forwarding for Internet Connections

1. Click Start, point to Programs, point to Administrative Tools, and then click DNS to start
the DNS Management Console.
2. Right-click the DNS Server object for your server in the left pane of the console, and click
Properties.
3. Click the Forwarders tab.
4. Check the Enable forwarders check box.
5. In the IP address box, enter the IP addresses of the DNS servers you want to forward
queries to, typically the DNS server of your ISP. You can also move them up or down. The
one that is highest in the list gets the first try, and if it does not respond within a given
time limit, the query is forwarded to the next server in the list.
6. Click OK.

================
DNS Zones Overview

A DNS zone is the contiguous portion of the DNS domain name space over which a DNS
server has authority. A zone is a portion of a namespace. It is not a domain. A domain is a
branch of the DNS namespace. A DNS zone can contain one or more contiguous domains. A
DNS server can be authoritative for multiple DNS zones. A non-contiguous namespace
cannot be a DNS zone.
A zone contains the resource records for all of the names within the particular zone. Zone
files are used if DNS data is not integrated with Active Directory. The zone files contain the
DNS database resource records that define the zone. If DNS and Active Directory are
integrated, then DNS data is stored in Active Directory.
The different types of zones used in Windows Server 2003 DNS are listed below:
- Primary zone
- Secondary zone
- Active Directory-integrated zone
- Reverse lookup zone
- Stub zone

Primary zone: A primary zone is the only zone type that can be edited or updated, because the
data in the zone is the original source of the data for all domains in the zone. Updates made to
the primary zone are made by the DNS server that is authoritative for the specific primary
zone. Users can also back up data from a primary zone to a secondary zone.
Secondary zone: A secondary zone is a read-only copy of the zone that was copied from the
master server during zone transfer. In fact, a secondary zone can only be updated through
zone transfer.
Active Directory-integrated zone: A zone that stores its data in Active Directory. DNS zone
files are not needed. This type of zone is an authoritative primary zone. An Active
Directory-integrated zone's data is replicated during the Active Directory replication process.
Active Directory-integrated zones also enjoy Active Directory's security features.
Reverse lookup zone: A reverse lookup zone is an authoritative DNS zone. These zones mainly
resolve IP addresses to resource names on the network. A reverse lookup zone can be any of
the following zone types:
- Primary zone
- Secondary zone
- Active Directory-integrated zone

Stub zone: A stub zone is a new Windows Server 2003 feature. Stub zones contain only those
resource records necessary to identify the authoritative DNS servers for the master zone. Stub
zones therefore contain only a partial copy of a zone, and are used to resolve recursive and
iterative queries:
- Iterative queries: The DNS server provides the best answer it can. This can be:
  o The resolved name
  o A referral to a different DNS server
- Recursive queries: The DNS server has to reply with the requested information or with an
  error. The DNS server cannot provide a referral to a different DNS server.

Stub zones contain the following information:
- Start of Authority (SOA) resource records of the zone
- Resource records that list the authoritative DNS servers of the zone
- Glue address (A) resource records that are necessary for contacting the authoritative
  servers of the zone.

Zone delegation occurs when users assign authority over portions of the DNS namespace to
subdomains of the DNS namespace. Users should delegate a zone under the following
circumstances:
- To delegate administration of a DNS domain to a department or branch of the organization.
- To improve performance and fault tolerance of the DNS environment. Users can distribute
  DNS database management and maintenance between several DNS servers.
Understanding DNS Zone Transfer

A zone transfer can be defined as the process that copies the zone's resource records on the
primary DNS server to secondary DNS servers. Zone transfer enables a secondary DNS server
to continue handling queries if the primary DNS server fails. A secondary DNS server can also
transfer its zone data to other secondary DNS servers that are beneath it in the DNS hierarchy.
In this case, the secondary DNS server is regarded as the master DNS server for the other
secondary servers.
The zone transfer methods are:
- Full transfer: When the user configures a secondary DNS server for a zone and starts the
  secondary DNS server, the secondary DNS server requests a full copy of the zone from the
  primary DNS server. A full transfer of all the zone information is performed. Full zone
  transfers tend to be resource intensive. This disadvantage of full transfers has led to the
  development of incremental zone transfers.
- Incremental zone transfer: With an incremental zone transfer, only those resource records
  that have changed in a zone since the last transfer are transferred to the secondary DNS
  servers. During zone transfer, the DNS databases on the primary DNS server and the
  secondary DNS server are compared to determine whether there are differences in the DNS
  data. If the primary and secondary DNS servers' data are the same, zone transfer does not
  take place. If the DNS data of the two servers are different, transfer of the delta resource
  records starts. This occurs when the serial number on the primary DNS server database is
  higher than that of the secondary DNS server. For incremental zone transfer to occur, the
  primary DNS server has to record incremental changes to its DNS database. Incremental
  zone transfers require less bandwidth than full zone transfers.
- Active Directory transfers: These zone transfers occur when Active Directory-integrated
  zones are replicated to the domain controllers in a domain. Replication occurs through
  Active Directory replication.
- DNS Notify: This is a mechanism that enables a primary DNS server to inform secondary
  DNS servers when its database has been updated. DNS Notify tells the secondary DNS
  servers when they need to initiate a zone transfer so that the updates of the primary DNS
  server can be replicated to them. When a secondary DNS server receives the notification
  from the primary DNS server, it can start an incremental zone transfer or a full zone
  transfer to pull zone changes from the primary DNS server.
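Both settings described above, whether a zone accepts dynamic updates (and from whom) and which servers may pull a zone transfer, are exposed by the Windows DNS server's WMI provider. The PowerShell script below is an added example, not from the original article: it reads every zone through root\MicrosoftDNS (class MicrosoftDNS_Zone, whose numeric codes for ZoneType, AllowUpdate and SecureSecondaries are the provider's own) and reports primary zones that accept nonsecure dynamic updates, so any host can overwrite records, or that allow zone transfers to any server, so anyone can pull the whole zone. The three sample zones and the policy rules in Get-ZoneFindings are this example's assumptions; the samples are used when no DNS server is reachable so the logic can be exercised offline.

```powershell
# Added example, not from the original article: audit dynamic update and zone transfer
# settings on a Windows DNS server via its WMI provider (root\MicrosoftDNS,
# class MicrosoftDNS_Zone). The numeric codes are the provider's; the rules in
# Get-ZoneFindings and the sample zones are this example's own assumptions.
# Assumes: run on the DNS server as an administrator (add -ComputerName for remote use).
$zoneTypeName = @{ 0 = 'Cache'; 1 = 'Primary'; 2 = 'Secondary'; 3 = 'Stub'; 4 = 'Forwarder' }
$updateName   = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }
$transferName = @{ 0 = 'Any server'; 1 = 'Servers in NS records'; 2 = 'Listed servers only'; 3 = 'Disabled' }

function Get-ZoneFindings($zone) {
    # Accepts anything with ZoneType, AllowUpdate and SecureSecondaries properties (a
    # MicrosoftDNS_Zone instance or a constructed object) and returns policy violations
    # as strings; an empty array means the zone passes.
    $findings = @()
    if ($zone.ZoneType -eq 1) {
        # Only primary zones accept updates and serve transfers to secondaries
        if ($zone.AllowUpdate -eq 1) {
            $findings += 'accepts nonsecure dynamic updates (any host can overwrite records)'
        }
        if ($zone.SecureSecondaries -eq 0) {
            $findings += 'zone transfer allowed to any server (whole zone readable by anyone)'
        }
    }
    return ,$findings
}

# Constructed sample zones so the rules can be exercised without a DNS server
$samples = @(
    (New-Object PSObject -Property @{ Name = 'corp.example'; ZoneType = 1; DsIntegrated = $true;  AllowUpdate = 2; SecureSecondaries = 1 }),
    (New-Object PSObject -Property @{ Name = 'lab.example';  ZoneType = 1; DsIntegrated = $false; AllowUpdate = 1; SecureSecondaries = 0 }),
    (New-Object PSObject -Property @{ Name = '0.168.192.in-addr.arpa'; ZoneType = 2; DsIntegrated = $false; AllowUpdate = 0; SecureSecondaries = 3 })
)

$zones = $samples
try {
    # Prefer the live configuration when the provider is available
    $zones = Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone -ErrorAction Stop
} catch {
    Write-Warning "DNS WMI provider not reachable; reporting on constructed sample zones only."
}

foreach ($z in $zones) {
    $findings = Get-ZoneFindings $z
    $status = if ($findings.Count -eq 0) { 'ok' } else { $findings -join '; ' }
    "{0,-26} {1,-9} update={2,-20} transfer={3,-21} {4}" -f $z.Name,
        $zoneTypeName[[int]$z.ZoneType], $updateName[[int]$z.AllowUpdate],
        $transferName[[int]$z.SecureSecondaries], $status
}
```

Against the constructed samples, corp.example passes, lab.example produces both findings, and the reverse zone is reported as a secondary with transfers disabled and no findings.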

Understanding DNS Resource Records


The DNS database contains resource records (entries) that resolve name resolution queries
sent to the DNS server. Each DNS server contains the resource records (RRs) it needs to
respond to name resolution queries for the portion of the DNS namespace for which it is
authoritative. There are different types of resource records.
A few of the commonly used resource records (RR) and their associated functions are
described in the Table.
Resource Records
Type | Name | Function
A | Host record | Contains the IP address of a specific host [...] 32-bit IPv4 addresses.
AAAA | IPv6 address record | Ties a FQDN to an IPv6 128-bit address.
AFSDB | Andrew File System record | Associates a DNS domain name to a serv[...] volume or an authenticated name server
ATMA | Asynchronous Transfer Mode address | Associates a DNS domain name to the AT[...] atm_address field.
CNAME | Canonical Name / Alias name | Ties an alias to its associated domain nam[...]
HINFO | Host info record | Indicates the CPU and OS type for a parti[...]
ISDN | ISDN info record | Ties a FQDN to an associated ISDN teleph[...]
KEY | Public key resource record | Contains the public key for zones that ca[...] Extensions (DNSSEC).
MB | Mailbox name record | Maps the domain mail server name to th[...] name
MG | Mail group record | Ties the domain mailing group to mailbox[...]
MINFO | Mailbox info record | Associates a mailbox for an individual tha[...]
MR | Mailbox renamed record | Maps an older mailbox name to its new m[...]
MX | Mail exchange record | Provides routing for messages to mail ser[...] servers.
NS | Name server record | Provides a list of the authoritative server[...] the authoritative DNS server for delegate[...]
NXT | Next resource record | Indicates those resource record types tha[...] the resource record in the zone.
OPT | Option resource record | A pseudo-resource record which provides [...] functionality.
PTR | Pointer resource record | Points to a different resource record, and [...] lookups to point to A type resource recor[...]
RT | Route through record | Provides routing information for hosts tha[...] address.
SIG | Signature resource record | Stores the digital signature for an RR set.
SOA | Start of Authority resource record | This resource record contains zone inform[...] determining the name of the primary DN[...] SOA record stores other zone property in[...] such as version information.
SRV | Service locator record | Used by Active Directory to locate domain [...] and global catalog servers.
TXT | Text record | Maps a DNS name to descriptive text.
X25 | X.25 info record | Maps a DNS address to the public switche[...] address number.

While there are various resource records that contain different information, there are a few
required fields that each particular resource record has to contain:

Owner: the DNS domain that contains the resource record.

TTL (Time to Live): indicates the time duration that DNS servers can cache resource record
information before discarding the information. This is, however, an optional resource record
field.

Class: another optional resource record field. Class types were used in earlier
implementations of the DNS naming system and are no longer used these days.

Type: indicates the type of information contained in the resource record.

Record Specific Data: a variable-length field that further defines the function of the
resource record. The format of the field is determined by Class and Type.

Delegation records and glue records can also be added to a zone. These records delegate a
subdomain into a separate zone.

Delegation records: These are Name Server (NS) resource records in a parent zone. The
delegation record identifies the DNS servers that are authoritative for the delegated zone.

Glue records: These are A type resource records for the DNS server that has authority over
the delegated zone.

The more important resource records are discussed below. These include the following:

Start of Authority (SOA), Name Server (NS), Host (A), Alias (CNAME), Mail exchanger (MX),
Pointer (PTR), Service location (SRV)

Start of Authority (SOA) Resource Record

This is the first record in the DNS database file. The SOA record includes zone property
information, such as the primary DNS server for the zone and version information.
The fields located within the SOA record are listed below:

Source host: the host for which the DNS database file is maintained.

Contact e-mail: the e-mail address of the individual who is responsible for the database file.

Serial number: the version number of the database.

Refresh time: the time that a secondary DNS server waits before checking whether database
updates have been made that have to be replicated via zone transfer.

Retry time: the time for which a secondary DNS server waits before attempting a failed zone
transfer again.

Expiration time: the time for which a secondary DNS server will continue to attempt to
download zone information. Old zone information is discarded when this limit is reached.

Time to live: the time that the particular DNS server can cache resource records from the DNS
database file.

Name Server (NS) Resource Record

The Name Server (NS) resource record provides a list of the authoritative DNS servers for a
domain as well as the authoritative DNS servers for any delegated subdomains. Each zone
must have one (or more) NS resource records at the zone root. The NS resource record
indicates the primary and secondary DNS servers for the zone defined in the SOA resource
record. This in turn enables other DNS servers to look up names in the domain.

Host (A) Resource Record

The host (A) resource record contains the IP address of a specific host and maps the FQDN to
a 32-bit IPv4 address. Host (A) resource records associate the domain names (FQDNs) or
host names of computers with their IP addresses. Because a host (A) resource record
statically associates a host name with a specific IP address, users can manually add these
records to zones for machines that have statically assigned IP addresses.
The methods used to add host (A) resource records to zones are:

Manually add these records using the DNS management console.

Use the Dnscmd tool at the command line to add host (A) resource records.

TCP/IP client computers running Windows 2000, Windows XP, or Windows Server 2003 use
the DHCP Client service to both register their names and update their host (A) resource
records.

Alias (CNAME) Resource Record

Alias (CNAME) resource records tie an alias name to its associated domain name. Alias
(CNAME) resource records are referred to as canonical names. By using canonical names,
users can hide network information from the clients connected to their network. Alias
(CNAME) resource records should be used when users have to rename a host that is defined
in a host (A) resource record in the same zone.

Mail Exchanger (MX) Resource Record

The mail exchanger (MX) resource record provides routing for messages to mail servers and
backup servers. The MX resource record provides information on which mail servers process
e-mail for the particular domain name. E-mail applications therefore make heavy use of MX
resource records.
A mail exchanger (MX) resource record has the following parameters:

Priority

Mail server

The mail exchanger (MX) resource record enables the DNS server to work with e-mail
addresses where no specific mail server is defined. A DNS domain can have multiple MX
records. MX resource records can therefore also be used to provide failover to different mail
servers when the primary server specified is unavailable. In this case, a server preference
value is added to indicate the priority of a server in the list. Lower server preference values
specify higher preference.

Pointer (PTR) Resource Record

The pointer (PTR) resource record points to a different resource record and is used for reverse
lookups to point to A resource records. Reverse lookups resolve IP addresses to host names or
FQDNs.
PTR resource records can be added to zones through the following methods:

Manually add these records with the DNS management console.

Use the Dnscmd tool at the command line to add PTR resource records.

Service (SRV) Resource Records

Service (SRV) resource records are typically used by Active Directory to locate domain
controllers, LDAP servers, and global catalog servers. SRV records define the location of
specific services in a domain. They associate the location of a service such as a domain
controller or global catalog server with details on how the particular service can be contacted.
The fields of the service (SRV) resource record are explained below:

Service name

The protocol used

The domain name associated with the SRV record

The port number for the particular service

The Time to Live value

The class

The priority and weight

The target, specifying the FQDN of the particular host supporting the service
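The record layout described above (owner, TTL, class, type, record-specific data) and the SOA, MX and SRV fields, worked through as an added example that is not part of the reference: a small parser for text zone-file lines that decodes the data field by type, orders MX targets by preference, and applies two checks the text states (the SOA is the first record, and the zone root carries an NS record). The sample zone is constructed.

```python
"""Parse text zone-file records (owner TTL class type rdata) and decode the
record-specific data for SOA, MX and SRV. Added example; the zone is constructed."""
from collections import namedtuple

# Constructed sample zone; owner, TTL, class and type precede the type-specific data.
SAMPLE_ZONE = """\
example.test.            3600 IN SOA ns1.example.test. hostmaster.example.test. 2024010501 900 300 604800 86400
example.test.            3600 IN NS  ns1.example.test.
example.test.            3600 IN MX  20 backup-mail.example.test.
example.test.            3600 IN MX  10 mail.example.test.
ns1.example.test.        3600 IN A   192.0.2.53
_ldap._tcp.example.test.  600 IN SRV 0 100 389 dc1.example.test.
"""

Record = namedtuple("Record", "owner ttl rclass rtype rdata")  # TTL in seconds, rdata decoded

def parse_rdata(rtype, tokens):
    """Decode the record-specific data field; its layout depends on the record type."""
    if rtype == "SOA":  # source host, contact, serial, refresh, retry, expire, minimum TTL
        keys = ("source_host", "contact", "serial", "refresh", "retry", "expire", "minimum_ttl")
        return dict(zip(keys, tokens[:2] + [int(t) for t in tokens[2:7]]))
    if rtype == "MX":   # preference value (lower is preferred), mail server
        return {"preference": int(tokens[0]), "mail_server": tokens[1]}
    if rtype == "SRV":  # priority, weight, port, target host supporting the service
        return dict(zip(("priority", "weight", "port"), map(int, tokens[:3])), target=tokens[3])
    return {"data": " ".join(tokens)}  # other types kept as their raw text

def parse_zone(text):
    """Split each non-blank line into its fields and decode the data part."""
    records = []
    for line in text.splitlines():
        if line.strip():
            owner, ttl, rclass, rtype, *rest = line.split()
            records.append(Record(owner, int(ttl), rclass, rtype, parse_rdata(rtype, rest)))
    return records

def mail_servers_by_preference(records):
    """Order MX targets for delivery: the lowest preference value is tried first."""
    mx = sorted((r for r in records if r.rtype == "MX"), key=lambda r: r.rdata["preference"])
    return [r.rdata["mail_server"] for r in mx]

def check_zone(records):
    """Structural checks from the text: the SOA comes first and the zone root has an NS record."""
    if not records or records[0].rtype != "SOA":
        return ["first record is not the SOA"]
    root = records[0].owner
    if not any(r.rtype == "NS" and r.owner == root for r in records):
        return ["no NS record at the zone root"]
    return []
```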

The Zone Database Files

If the user is not using Active Directory-integrated zones, the specific zone database files that
are used for zone data are:

Domain Name file: When new A type resource records are added to the domain, they are
stored in this file. When a zone is created, the Domain Name file contains the following:

    An SOA resource record for the domain

    An NS resource record that indicates the name of the DNS server that was created.

Reverse Lookup file: This database file contains information on a reverse lookup zone.

Cache file: This file contains a listing of the names and addresses of root name servers that
are needed for resolving names that are external to the authoritative domains.

Boot file: This file controls the DNS server's startup behavior. The boot file supports the
commands listed below:

    Directory command: defines the location of the other files specified in the Boot file.

    Primary command: defines the domain for which this particular DNS server has authority.

    Secondary command: specifies a domain as being a secondary domain.

    Cache command: defines the list of root hints used for contacting DNS servers for the
    root domain.

=================

Planning DNS Zone Implementations

When users divide up the DNS namespace, DNS zones are created. Breaking up the namespace
into zones enables DNS to manage available bandwidth more efficiently, which in turn
improves DNS performance.
When determining how to break up the DNS zones, a few considerations to take into account
include:

DNS traffic patterns: Use the System Monitor tool to examine DNS performance counters and
to obtain DNS server statistics.

Network link speed: The types of network links that exist between DNS servers should be
determined when users plan the zones for their environment.

Whether full DNS servers or caching-only DNS servers are being used also affects how users
break up DNS zones.

The main zone types used in Windows Server 2003 DNS environments are primary zones and
Active Directory-integrated zones. Whether to implement primary zones or Active
Directory-integrated zones is determined by the environment's DNS design requirements.
Both primary zones and secondary zones are standard DNS zones that use zone files. The
main difference between primary zones and secondary zones is that primary zones can be
updated. Secondary zones contain read-only copies of zone data. A secondary DNS zone can
only be updated through DNS zone transfer. Secondary DNS zones are usually implemented
to provide fault tolerance for the DNS server environment.
An Active Directory-integrated zone can be defined as an improved version of a primary
DNS zone because it can use multi-master replication and the security features of Active
Directory. The zone data of Active Directory-integrated zones is stored in Active Directory.
Active Directory-integrated zones are authoritative primary zones.
A few advantages that Active Directory-integrated zone implementations have over standard
primary zone implementations are:

Active Directory replication is faster, which means that the time needed to replicate zone
data is far less.

The Active Directory replication topology is used for both Active Directory replication and
Active Directory-integrated zone replication. There is no longer a need for separate DNS
replication when DNS and Active Directory are integrated.

Active Directory-integrated zones can enjoy the security features of Active Directory.

The need to manage Active Directory domains and DNS namespaces as separate entities is
eliminated. This in turn reduces administrative overhead.

When DNS and Active Directory are integrated, the Active Directory-integrated zones are
replicated and stored on any new domain controllers automatically. Synchronization takes
place automatically when new domain controllers are deployed.

The mechanism that DNS uses to forward a query that one DNS server cannot resolve to
another DNS server is called DNS forwarding. DNS forwarders are the DNS servers used to
forward DNS queries for different DNS namespaces to the DNS servers that can answer the
query. A DNS server is configured as a DNS forwarder when users configure the other DNS
servers to direct any unresolved queries to that specific DNS server. Creating DNS forwarders
can improve name resolution efficiency.
Windows Server 2003 DNS introduces a new feature called conditional forwarding. With
conditional forwarding, users create conditional forwarders within their environment that
forward DNS queries based on the specific domain names being requested in the query. This
differs from standard DNS forwarders, where the standard DNS resolution path to the root is
used to resolve the query. A conditional forwarder can only forward queries for domains that
are defined in the particular conditional forwarder's list. The query is passed to the default
DNS forwarder if there are no entries in the forwarders list for the specific domain queried.
When conditional forwarders are configured, the process to resolve domain names is as
follows:
1. A client sends a query to the DNS server for name resolution.
2. The DNS server checks its DNS database file to determine whether it can resolve the
query with its zone data.
3. The DNS server also checks its DNS server cache to resolve the request.
4. If the DNS server is not configured to use forwarding, the server uses recursion to
attempt to resolve the query.
5. If the DNS server is configured to forward the query for a specific domain name to a
DNS forwarder, the DNS server forwards the query to the IP address of its configured
DNS forwarder.
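The resolution order in the steps above, as an added simulation that is not code from the reference: it applies the stages in the listed order and reports which one answers a query. The zone, cache and forwarder entries are constructed, and the rule that the most specific matching conditional-forwarder domain wins when entries overlap is an assumption of this example.

```python
"""Simulate the resolution order the text lists for a DNS server with forwarders:
authoritative zone data, then the server cache, then a conditional forwarder for
the queried domain, then the default forwarder, or recursion when no forwarder is
configured. Added example; every name and address below is constructed."""

def in_domain(name, domain):
    """True when name equals domain or lies beneath it (label-wise suffix match)."""
    name, domain = name.lower().rstrip("."), domain.lower().rstrip(".")
    return name == domain or name.endswith("." + domain)

def resolve_path(qname, zones, cache, conditional, default_forwarder=None):
    """Return (stage, answer) for the stage of the procedure that handles qname.
    zones: {zone: {fqdn: ip}}  cache: {fqdn: ip}  conditional: {domain: forwarder_ip}"""
    for zone, data in zones.items():              # step 2: local zone data
        if in_domain(qname, zone):
            # an authoritative server answers from its zone even when the name is
            # absent (a negative answer); it does not forward such queries
            return "zone", data.get(qname)
    if qname in cache:                            # step 3: server cache
        return "cache", cache[qname]
    matches = [d for d in conditional if in_domain(qname, d)]
    if matches:                                   # step 5: conditional forwarder; when
        best = max(matches, key=len)              # entries overlap, the most specific
        return "conditional-forwarder", conditional[best]  # domain is assumed to win
    if default_forwarder:                         # no entry for this domain: default forwarder
        return "default-forwarder", default_forwarder
    return "recursion", None                      # step 4: no forwarding configured

# Constructed configuration for the demonstration
ZONES = {"corp.example.test.": {"dc1.corp.example.test.": "10.0.0.5"}}
CACHE = {"www.partner.test.": "198.51.100.7"}
CONDITIONAL = {"partner.test.": "203.0.113.2", "eu.partner.test.": "203.0.113.3"}
DEFAULT_FORWARDER = "203.0.113.1"
```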
A few considerations for configuring forwarders for the DNS environment are:

Only implement the DNS forwarders that are necessary for the environment. Refrain from
creating large numbers of forwarders for the internal DNS servers.

Avoid chaining your DNS servers together in a forwarding configuration.

To avoid the DNS forwarder turning into a bottleneck, do not configure one external DNS
forwarder for all the internal DNS servers.

=====================
