Windows Active Directory Services

Published on June 2016 | Categories: Documents | Downloads: 43 | Comments: 0 | Views: 532

For System Admin


DNS (Domain Name System)


Domain Name System (DNS) is one of the industry-standard suite of protocols that
comprise TCP/IP. In Microsoft Windows Server 2003, DNS is implemented using two
software components: the DNS server and the DNS client (or resolver). Both
components run as background service applications.
Network resources are identified by numeric IP addresses, but these IP
addresses are difficult for network users to remember. The DNS database
contains records that map user-friendly alphanumeric names for network
resources to the IP address used by those resources for communication. In
this way, DNS acts as a mnemonic device, making network resources easier
to remember for network users.
The Windows Server 2003 DNS Server and Client services use the DNS
protocol that is included in the TCP/IP protocol suite. DNS is part of the
application layer of the TCP/IP reference model.

DNS in TCP/IP

For more information and to view logical diagrams illustrating how DNS fits
with other Windows Server 2003 technologies, see "How DNS Works" in this
collection.
By default, Windows Server 2003 DNS is used for all name resolution in a
Windows Server 2003 network. In the most typical scenario, when a Windows
Server 2003 network user specifies the name of a network host or an internet
DNS domain name, the DNS Client service running on the Windows
Server 2003 computer of the user contacts a DNS server to resolve the name
to an IP address.

BIND secondaries: Enable the "BIND secondaries" option on the Windows DNS server if
this server is required to transfer zone information to a non-Windows (BIND) DNS
server.

Round robin DNS: A load balancing technique in which the balancing logic is placed in
the DNS server instead of on a dedicated machine, as other load balancing techniques
do.
Round robin is a load balancing mechanism used by DNS servers to share and
distribute network resource loads. You can use it to rotate all resource record (RR)
types contained in a query answer if multiple RRs are found.
Split DNS
In a split DNS infrastructure, you create two zones for the
same domain, one to be used by the internal network, the other used by the
external network. Split DNS directs internal hosts to an internal domain name server
for name resolution and external hosts are directed to an external domain name
server for name resolution.
dynamic DNS
Short for dynamic Domain Name System, a
method of keeping a domain name linked to a changing IP address as not all
computers use static IP addresses. Typically, when a user connects to the Internet,
the user's ISP assigns an unused IP address from a pool of IP addresses, and this
address is used only for the duration of that specific connection. This method of
dynamically assigning addresses extends the usable pool of available IP addresses.
A dynamic DNS service provider uses a special program that runs on the user's
computer, contacting the DNS service each time the IP address provided by the ISP
changes and subsequently updating the DNS database to reflect the change in IP
address. In this way, even though a domain name's IP address will change often,
other users do not have to know the changed IP address in order to connect with
the other computer.
DNS SEC
Short for DNS Security Extensions, DNS SEC is a set of extensions used to add an
additional layer of security to the Domain Name System (DNS). DNS SEC was designed
to prevent specific types of popular attacks on the Internet and protect against
these threats to the Domain Name System. The extensions provide origin
authentication of DNS data, data integrity, and authenticated denial of existence.
May also be seen written as DNSSEC.
Secure cache against pollution
Pollution of the DNS cache can be a serious security issue. Essentially, the concept
of cache pollution involves servers that will cache bad responses, which can in turn
disrupt your network's functionality and cause inaccurate resolutions. By configuring
this option, you can enable or disable the method of adding resource records to the
cache. If enabled, the DNS server will prevent the caching of resource records that
were not answers for the originally issued query.
Fail on load if bad zone data
By default, Windows 2000 DNS servers will
skip errors or incorrect data in the zone file. If you want the DNS server to fail when
loading a zone with bad data, select this check box. Generally, this is a setting you
would not enable.

Zone Microsoft defines a zone as a contiguous portion of the domain
namespace for which a DNS server has authority to answer queries.
Recursion
In DNS vernacular, there are two major methods by which a DNS query can be
classified: iterative and recursive. In the former method, a client will issue a
request for resolution to its DNS server, whereby the DNS server provides the best
possible match it can find, or a pointer to a server that is authoritative for the
domain name requested. A recursive query, on the other hand, is where the client
will issue a lookup to its server and the server will return the exact answer or
nothing at all; there will be no pointing to another authoritative server.
Enable Netmask Ordering: According to the Configuring Subnet Prioritization section
in this Microsoft link, if the resolver client issuing the query "receives multiple A
resource records from a DNS server, and some have IP addresses from networks to
which the computer is directly connected, the resolver orders those resource records
first." This reduces network traffic across subnets by forcing computers to connect
to network resources that are closer to them.
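The server-side round robin rotation and the client-side subnet prioritization described above, as an added Python model (not Windows DNS code); the host records and the client subnet are constructed for the example.

```python
"""Model of the two answer-ordering behaviours described above: round robin
on the DNS server and subnet prioritization (netmask ordering) on the
resolver. Added illustration, not Windows DNS code; the records and the
client subnet below are constructed for the example."""
import ipaddress

# Constructed A resource records for one name, spread over three subnets.
FILESERVER_RRS = ["10.1.0.5", "10.2.0.5", "10.3.0.5"]

# Constructed client interface: the resolver sits on 10.2.0.0/16.
CLIENT_NETWORKS = ["10.2.0.77/16"]


def round_robin(records, query_number):
    """Server side: rotate the RR set one position per answered query,
    so successive clients are handed different first addresses."""
    if not records:
        return []
    shift = query_number % len(records)
    return records[shift:] + records[:shift]


def netmask_order(records, local_networks):
    """Client side: move addresses on a directly connected subnet to the
    front, keeping the server's order within each group (stable sort)."""
    nets = [ipaddress.ip_interface(n).network for n in local_networks]

    def on_local_subnet(address):
        ip = ipaddress.ip_address(address)
        return any(ip in net for net in nets)

    return sorted(records, key=lambda r: not on_local_subnet(r))


def answer(records, local_networks, query_number, netmask_ordering=True):
    """One resolution: the server rotates, then the resolver reorders."""
    rotated = round_robin(records, query_number)
    if not netmask_ordering:
        return rotated
    return netmask_order(rotated, local_networks)


def first_hops(records, local_networks, queries, netmask_ordering=True):
    """Which address the client would try first on each of N queries."""
    return [answer(records, local_networks, q, netmask_ordering)[0]
            for q in range(queries)]


if __name__ == "__main__":
    print("round robin only:     ",
          first_hops(FILESERVER_RRS, CLIENT_NETWORKS, 3, netmask_ordering=False))
    print("with netmask ordering:",
          first_hops(FILESERVER_RRS, CLIENT_NETWORKS, 3))
```

With netmask ordering off, the client is sent across subnets on two of every three queries; with it on, the on-subnet address is tried first every time while the server still rotates the rest.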
Disable Recursion Configuring this setting will disable recursion for all clients
that use this DNS server. If you wish to only allow iterative queries, then configure
this setting. Sometimes, accepting a recursive query from the Internet might be a
bad thing and could lead to hackers knowing more about your network than they
should. Many IT pros suggest disabling recursion on servers that are available to the
Internet, for security purposes.

Detecting and removing lingering objects
There are multiple methods that are available to detect or remove lingering objects
from Active Directory. This depends on the operating system version that the
domain controller is running. Repadmin can be used to detect or remove lingering
objects from a directory partition when the source and destination domain
controllers are running Windows Server 2003, and therefore the scope here is limited
to the following:

- Introduction to lingering objects
- Repadmin usage in Windows Server 2003

A lingering object is an object that is present on one replica, but on another replica
it has been deleted and removed from the directory by the garbage collection
process.

This condition can occur for a variety of reasons including:

- Prolonged misconfigurations (such as those that cause event ID 1311 messages)
- Prolonged errors in name resolution, authentication or the replication engine
  that block inbound replication.
- Bringing a domain controller online after it has been offline for a period
  greater than the TombStone Lifetime (TSL).
- Advancing system time or reducing TSL values in an attempt to accelerate
  garbage collection before end-to-end replication has taken place for all
  naming contexts in the forest.

Symptoms that you may have lingering objects:

- Active Directory replication is prevented from occurring.
- A user account that no longer exists still appears in the Global Address List for
  e-mail clients.
- A universal group that no longer exists still appears in a user's access token.
- E-mail messages cannot be delivered due to a duplicate e-mail address on two
  different user objects.

Regardless of the reason, a deleted object can remain on a domain controller in
either of the following circumstances:

- A domain controller goes offline immediately prior to the deletion of an object
  on another domain controller, and remains offline for a period that exceeds
  the tombstone lifetime.
- A domain controller goes offline immediately following the deletion of an
  object on another domain controller but prior to receiving replication of the
  tombstone, and remains offline for a period that exceeds the tombstone
  lifetime.

What to do with a lingering object?
Determining what to do with a lingering object depends on whether or not it was
intended.

Action: Unintended
Explanation: Use repadmin to delete the lingering object on a domain controller that is
running Windows Server 2003.

Action: Intended
Explanation: Change the replication consistency on the inbound domain controller (DC).
The object will be re-animated on this DC. See strict and loose replication consistency
below.
Strict and loose replication consistency
If the attributes of a lingering object never change, the object is never considered
for replication. However, if an attribute changes, the attribute is considered for
outbound replication. The problem with an attribute update for a lingering object is
that the receiving domain controller does not hold the object for the attribute being
replicated. An update cannot be performed because the entire object does not exist
on the receiving domain controller. What happens next depends on the replication
consistency set on the domain controller.

Replication consistency: Loose
When replication consistency is set to loose, the receiving domain controller detects
that it does not have the object for the attribute that is being replicated. The
inbound partner requests the entire object from the outbound partner, and reanimates
the object on its copy of the directory. The same process repeats on all domain
controllers that do not have a copy of the object. This mechanism can be used to
cause lingering objects to "reanimate" across the entire forest. If a lingering
object is discovered and its presence is intended, then perform any update to the
object. As long as replication consistency is set to loose on all domain controllers,
the object will be reanimated as it replicates around the forest.
"Loose replication consistency" is the default for Windows 2000 domain controllers,
with the exception of domain controllers that have the MS01-044 security rollup
package installed. For more information about the MS01-044 security rollup package,
see article 297860 in the Microsoft Knowledge Base
(http://go.microsoft.com/fwlink/?LinkID=122508).

Replication consistency: Strict
The default behavior for domain controllers that run Windows Server 2003 (and domain
controllers that are upgraded from Windows NT 4.0) is to block inbound replication
for each naming context when a domain controller receives an update to an object
that it does not have. Replication is halted in the naming context for the object
until the lingering object is removed or the replication mode is set to "loose."

Storage for Consistency Setting
The setting for replication consistency is in the registry on each domain controller.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Entry name: Strict Replication Consistency
Data type: REG_DWORD
Values: 1 for enabled; 0 for disabled
Default: 1 (enabled)
Note
There was a post-SP2 hotfix (also included in the security rollup package
from November 2001) that used a different registry value. A setting of 0
will not recreate the missing object (strict), and a setting of 1 will create
the missing object. This value is only needed with the November version
of the hotfix.
Value Name: Correct Missing Objects
Data type: REG_DWORD
Value data: 1
The repadmin /removelingeringobjects command does the following:

- Designates an up-to-date domain controller as the authority.
- Compares the Active Directory database objects on the authoritative server
  with the objects that are on the suspected domain controller that contains the
  lingering objects.
- With /advisory_mode, the subcommand logs the potential deletions to the
  Directory Service log.
- Without /advisory_mode, the subcommand removes the lingering objects.

Syntax
Repadmin /removelingeringobjects <Dest_DC_LIST> <Source DC GUID> <NC> [/ADVISORY_MODE]

Parameter: <Dest_DC_LIST>
Description: The domain controller that is suspected to have lingering objects.

Parameter: <Source DC GUID>
Description: Source domain controller GUID used to compare with the suspected domain
controller.

Parameter: <NC>
Description: Specifies the distinguished name of the directory partition.

Parameter: /ADVISORY_MODE
Description: Read-only mode.

During lingering object removal, Event ID 1937 is logged to the Directory Service log.
This information includes the source domain controller, the objects that are
removed, and a total count of all the objects that are removed.

LDAP Service
LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and
other programs use to look up information from a server. A client needs to connect
to the server known as the Directory System Agent, which is set by default to use
TCP port 389. After the connection is established, the client and server exchange
packets of data.

SID
a Security Identifier (commonly abbreviated SID) is a unique, immutable identifier of
a user, user group, or other security principal. A security principal has a single SID
for life, and all properties of the principal, including its name, are associated with
the SID. This design allows a principal to be renamed (for example, from "John" to
"Jane") without affecting the security attributes of objects that refer to the principal.
SIDs are useful for troubleshooting issues with security audits, Windows server and domain migrations.

The format of an SID can be illustrated using the following example:
"S-1-5-21-3623811015-3361044348-30300820-1013"

S: The string is a SID.
1: The revision level (the version of the SID specification).
5: The identifier authority value.
21-3623811015-3361044348-30300820: Domain or local computer identifier.
1013: A Relative ID (RID). Any group or user that is not created by default will have a
Relative ID of 1000 or greater.

Possible identifier authority values are:

0 - Null Authority
1 - World Authority
2 - Local Authority
3 - Creator Authority
4 - Non-unique Authority
5 - NT Authority
9 - Resource Manager Authority

The machine SID is stored in the SECURITY registry hive located
at SECURITY\SAM\Domains\Account, this key has two values F and V. The V value is
a binary value that has the computer SID embedded within it at the end of its data
(last 96 bits).

Decoding Machine SID
The SID number is used in file, registry, service and user permissions. The machine
SID is determined in hexadecimal form from here:

regedit.exe: \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\V (last 12 bytes)
explorer.exe: \%windir%\system32\config\SAM

If the SAM file is missing at startup, a backup is retrieved in hexadecimal form here:

regedit.exe: \HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS\@ (last 12 bytes)
explorer.exe: \%windir%\system32\config\SECURITY
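A worked example, added here and not part of the original page, that parses the SID layout described above, classifies a SID against this page's identifier-authority and well-known-RID tables, converts between string and binary form, and recovers the machine identifier from the last 12 bytes of a V value. The RID tables are a small subset taken from the list later on this page, and SAMPLE_V is a constructed stand-in, not a real registry dump.

```python
"""SID string/binary conversion and machine-SID recovery, added as a
worked example for the SID structure described above (not Microsoft
code). Authority names and well-known RIDs come from the tables on
this page; SAMPLE_V is a constructed stand-in for the registry V value."""
import struct

# Identifier authority values from the table above.
AUTHORITIES = {0: "Null", 1: "World", 2: "Local", 3: "Creator",
               4: "Non-unique", 5: "NT", 9: "Resource Manager"}

# A few well-known RIDs listed later on this page: domain-relative ones
# under S-1-5-21-<domain>, and BUILTIN aliases under S-1-5-32.
DOMAIN_RIDS = {500: "Administrator", 501: "Guest", 502: "KRBTGT",
               512: "Domain Admins", 513: "Domain Users"}
BUILTIN_RIDS = {544: "Administrators", 545: "Users", 546: "Guests",
                551: "Backup Operators"}


def parse_sid(text):
    """Split 'S-<rev>-<authority>-<sub>...' into (revision, authority, subs)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Revision is always 1; at most 15 sub-authorities, each a 32-bit DWORD.
    if revision != 1 or len(subs) > 15 or any(s > 0xFFFFFFFF for s in subs):
        raise ValueError("malformed SID: %r" % text)
    return revision, authority, subs


def describe(text):
    """Classify a SID with the page's tables: (authority, scope, principal)."""
    _, authority, subs = parse_sid(text)
    auth = AUTHORITIES.get(authority, "Unknown") + " Authority"
    if authority == 5 and len(subs) == 5 and subs[0] == 21:
        rid = subs[-1]
        domain = "-".join(str(s) for s in subs[1:4])
        if rid in DOMAIN_RIDS:
            who = DOMAIN_RIDS[rid]
        elif rid >= 1000:
            # Page: anything not created by default has a RID of 1000 or more.
            who = "custom principal (RID >= 1000)"
        else:
            who = "default RID %d (not in this page's list)" % rid
        return auth, "domain " + domain, who
    if authority == 5 and len(subs) == 2 and subs[0] == 32:
        who = BUILTIN_RIDS.get(subs[1], "unlisted alias %d" % subs[1])
        return auth, "BUILTIN", who
    return auth, "well-known", text


def sid_to_binary(text):
    """Registry/ACL form: revision, sub-authority count, 48-bit big-endian
    authority, then each sub-authority as a little-endian DWORD."""
    revision, authority, subs = parse_sid(text)
    head = struct.pack("<BB", revision, len(subs)) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def binary_to_sid(blob):
    """Inverse of sid_to_binary, rejecting truncated input."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = struct.unpack_from("<BB", blob, 0)
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack_from("<%dI" % count, blob, 8)
    return "-".join(["S", str(revision), str(authority)] + [str(s) for s in subs])


def machine_sid_from_v(v_value):
    """SAM\\Domains\\Account\\V keeps the machine identifier in its last
    96 bits: three little-endian DWORDs that follow the S-1-5-21 prefix."""
    if len(v_value) < 12:
        raise ValueError("V value too short to hold a machine identifier")
    a, b, c = struct.unpack("<3I", v_value[-12:])
    return "S-1-5-21-%d-%d-%d" % (a, b, c)


# Constructed stand-in for a V value: filler bytes followed by the three
# identifier DWORDs of the example SID above (not a real registry dump).
SAMPLE_V = b"\x00" * 40 + struct.pack("<3I", 3623811015, 3361044348, 30300820)

if __name__ == "__main__":
    example = "S-1-5-21-3623811015-3361044348-30300820-1013"
    print(describe(example))
    print(sid_to_binary(example).hex())
    print(machine_sid_from_v(SAMPLE_V))
```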

Service SIDs
Service SIDs are a feature of service isolation, a security feature introduced in
Windows Vista and Windows Server 2008. Any service with the "unrestricted" SID-type
property will have a service-specific SID added to the access token of the service
host process.
The purpose of Service SIDs is to allow permissions for a single service to be
managed without necessitating the creation of service accounts, an administrative
overhead.
Each service SID is a local, machine-level SID generated from the service name
using the following formula:
S-1-5-80-{SHA-1(service name in upper case)}
The sc.exe utility can be used to generate an arbitrary service SID:
sc.exe showsid dnscache
NAME: dnscache
SERVICE SID: S-1-5-80-859482183-879914841-863379149-1145462774-2388618682
STATUS: Active
The service can also be referred to as NT SERVICE\<service_name> (e.g. "NT
SERVICE\dnscache").
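The service SID formula above, carried out as an added example (not Microsoft code or the sc.exe implementation); it assumes the upper-cased name is hashed as UTF-16LE and the 20-byte digest is read as five little-endian DWORDs, and checks the result against the dnscache SID shown above.

```python
"""Derive a service SID from a service name with the formula quoted above,
S-1-5-80-{SHA-1(service name in upper case)}. Added example, not Microsoft
code. Assumption (labelled): the upper-cased name is hashed as UTF-16LE
and the 20-byte digest is read as five little-endian DWORDs, which is how
existing tools reproduce what sc.exe showsid prints."""
import hashlib
import struct

SERVICE_SID_PREFIX = "S-1-5-80"


def service_sid(service_name):
    """Return the per-service SID that NT SERVICE\\<name> carries in its token."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    subs = struct.unpack("<5I", digest)  # 20 bytes -> five DWORDs
    return "-".join([SERVICE_SID_PREFIX] + [str(s) for s in subs])


def nt_service_account(service_name):
    """The account-name form an ACL editor shows for the same principal."""
    return "NT SERVICE\\" + service_name


def is_per_service_sid(text):
    """True only for the five-sub-authority form. S-1-5-80-0 (All Services)
    shares the prefix but is a group, not a service-specific SID."""
    parts = text.split("-")
    return (text.startswith(SERVICE_SID_PREFIX + "-") and len(parts) == 9
            and all(p.isdigit() and int(p) <= 0xFFFFFFFF for p in parts[4:]))


def sid_matches_service(text, service_name):
    """Defender check: does a SID seen in an ACL or event belong to this
    service? Name comparison is case-insensitive because of the upper-casing."""
    return is_per_service_sid(text) and text == service_sid(service_name)


if __name__ == "__main__":
    for name in ("dnscache", "DnsCache"):
        print(nt_service_account(name), "->", service_sid(name))
```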

The following are well-known SIDs:

SID: S-1-0
Name: Null Authority
Description: An identifier authority.

SID: S-1-0-0
Name: Nobody
Description: No security principal.

SID: S-1-1
Name: World Authority
Description: An identifier authority.

SID: S-1-1-0
Name: Everyone
Description: A group that includes all users, even anonymous users and guests. Membership is
controlled by the operating system.
Note By default, the Everyone group no longer includes anonymous users on a computer that is
running Windows XP Service Pack 2 (SP2).
SID: S-1-2
Name: Local Authority
Description: An identifier authority.
SID: S-1-2-0
Name: Local
Description: A group that includes all users who have logged on locally.
SID: S-1-2-1
Name: Console Logon
Description: A group that includes users who are logged on to the physical console.
Note Added in Windows 7 and Windows Server 2008 R2
SID: S-1-3
Name: Creator Authority
Description: An identifier authority.
SID: S-1-3-0
Name: Creator Owner
Description: A placeholder in an inheritable access control entry (ACE). When the ACE is
inherited, the system replaces this SID with the SID for the object's creator.
SID: S-1-3-1
Name: Creator Group
Description: A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces
this SID with the SID for the primary group of the object's creator. The primary group is used only
by the POSIX subsystem.
SID: S-1-3-2
Name: Creator Owner Server
Description: This SID is not used in Windows 2000.
SID: S-1-3-3
Name: Creator Group Server
Description: This SID is not used in Windows 2000.
SID: S-1-3-4 Name: Owner Rights
Description: A group that represents the current owner of the object. When an ACE that carries
this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC
permissions for the object owner.
SID: S-1-5-80-0
Name: All Services
Description: A group that includes all service processes configured on the system. Membership is
controlled by the operating system.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-4
Name: Non-unique Authority
Description: An identifier authority.
SID: S-1-5
Name: NT Authority
Description: An identifier authority.
SID: S-1-5-1
Name: Dialup
Description: A group that includes all users who have logged on through a dial-up connection.
Membership is controlled by the operating system.
SID: S-1-5-2
Name: Network
Description: A group that includes all users that have logged on through a network connection.
Membership is controlled by the operating system.
SID: S-1-5-3
Name: Batch
Description: A group that includes all users that have logged on through a batch queue facility.
Membership is controlled by the operating system.
SID: S-1-5-4
Name: Interactive
Description: A group that includes all users that have logged on interactively. Membership is
controlled by the operating system.
SID: S-1-5-5-X-Y
Name: Logon Session
Description: A logon session. The X and Y values for these SIDs are different for each session.
SID: S-1-5-6
Name: Service
Description: A group that includes all security principals that have logged on as a service.
Membership is controlled by the operating system.
SID: S-1-5-7
Name: Anonymous
Description: A group that includes all users that have logged on anonymously. Membership is
controlled by the operating system.
SID: S-1-5-8
Name: Proxy
Description: This SID is not used in Windows 2000.
SID: S-1-5-9
Name: Enterprise Domain Controllers
Description: A group that includes all domain controllers in a forest that uses an Active Directory
directory service. Membership is controlled by the operating system.
SID: S-1-5-10
Name: Principal Self
Description: A placeholder in an inheritable ACE on an account object or group object in Active
Directory. When the ACE is inherited, the system replaces this SID with the SID for the security
principal who holds the account.
SID: S-1-5-11
Name: Authenticated Users
Description: A group that includes all users whose identities were authenticated when they
logged on. Membership is controlled by the operating system.
SID: S-1-5-12
Name: Restricted Code
Description: This SID is reserved for future use.
SID: S-1-5-13
Name: Terminal Server Users
Description: A group that includes all users that have logged on to a Terminal Services server.
Membership is controlled by the operating system.
SID: S-1-5-14
Name: Remote Interactive Logon
Description: A group that includes all users who have logged on through a terminal services
logon.
SID: S-1-5-15
Name: This Organization
Description: A group that includes all users from the same organization. Only included with AD
accounts and only added by a Windows Server 2003 or later domain controller.
SID: S-1-5-17
Name: This Organization
Description: An account that is used by the default Internet Information Services (IIS) user.
SID: S-1-5-18
Name: Local System
Description: A service account that is used by the operating system.
SID: S-1-5-19
Name: NT Authority
Description: Local Service
SID: S-1-5-20
Name: NT Authority
Description: Network Service
SID: S-1-5-21-domain-500
Name: Administrator
Description: A user account for the system administrator. By default, it is the only user account
that is given full control over the system.
SID: S-1-5-21-domain-501
Name: Guest
Description: A user account for people who do not have individual accounts. This user account
does not require a password. By default, the Guest account is disabled.
SID: S-1-5-21-domain-502
Name: KRBTGT
Description: A service account that is used by the Key Distribution Center (KDC) service.
SID: S-1-5-21-domain-512
Name: Domain Admins
Description: A global group whose members are authorized to administer the domain. By default,
the Domain Admins group is a member of the Administrators group on all computers that have
joined a domain, including the domain controllers. Domain Admins is the default owner of any
object that is created by any member of the group.
SID: S-1-5-21-domain-513
Name: Domain Users
Description: A global group that, by default, includes all user accounts in a domain. When you
create a user account in a domain, it is added to this group by default.
SID: S-1-5-21-domain-514
Name: Domain Guests
Description: A global group that, by default, has only one member, the domain's built-in Guest
account.
SID: S-1-5-21-domain-515
Name: Domain Computers
Description: A global group that includes all clients and servers that have joined the domain.
SID: S-1-5-21-domain-516
Name: Domain Controllers
Description: A global group that includes all domain controllers in the domain. New domain
controllers are added to this group by default.
SID: S-1-5-21-domain-517
Name: Cert Publishers
Description: A global group that includes all computers that are running an enterprise
certification authority. Cert Publishers are authorized to publish certificates for User objects in
Active Directory.
SID: S-1-5-21-root domain-518
Name: Schema Admins
Description: A universal group in a native-mode domain; a global group in a mixed-mode
domain. The group is authorized to make schema changes in Active Directory. By default, the
only member of the group is the Administrator account for the forest root domain.
SID: S-1-5-21-root domain-519
Name: Enterprise Admins
Description: A universal group in a native-mode domain; a global group in a mixed-mode
domain. The group is authorized to make forest-wide changes in Active Directory, such as adding
child domains. By default, the only member of the group is the Administrator account for the
forest root domain.
SID: S-1-5-21-domain-520
Name: Group Policy Creator Owners
Description: A global group that is authorized to create new Group Policy objects in Active
Directory. By default, the only member of the group is Administrator.
SID: S-1-5-21-domain-553
Name: RAS and IAS Servers
Description: A domain local group. By default, this group has no members. Servers in this group
have Read Account Restrictions and Read Logon Information access to User objects in the Active
Directory domain local group.
SID: S-1-5-32-544
Name: Administrators
Description: A built-in group. After the initial installation of the operating system, the only
member of the group is the Administrator account. When a computer joins a domain, the Domain
Admins group is added to the Administrators group. When a server becomes a domain controller,
the Enterprise Admins group also is added to the Administrators group.
SID: S-1-5-32-545
Name: Users
Description: A built-in group. After the initial installation of the operating system, the only
member is the Authenticated Users group. When a computer joins a domain, the Domain Users
group is added to the Users group on the computer.
SID: S-1-5-32-546
Name: Guests
Description: A built-in group. By default, the only member is the Guest account. The Guests
group allows occasional or one-time users to log on with limited privileges to a computer's builtin Guest account.
SID: S-1-5-32-547
Name: Power Users
Description: A built-in group. By default, the group has no members. Power users can create local
users and groups; modify and delete accounts that they have created; and remove users from
the Power Users, Users, and Guests groups. Power users also can install programs; create,
manage, and delete local printers; and create and delete file shares.
SID: S-1-5-32-548
Name: Account Operators
Description: A built-in group that exists only on domain controllers. By default, the group has no
members. By default, Account Operators have permission to create, modify, and delete accounts
for users, groups, and computers in all containers and organizational units of Active Directory
except the Builtin container and the Domain Controllers OU. Account Operators do not have
permission to modify the Administrators and Domain Admins groups, nor do they have
permission to modify the accounts for members of those groups.
SID: S-1-5-32-549
Name: Server Operators
Description: A built-in group that exists only on domain controllers. By default, the group has no
members. Server Operators can log on to a server interactively; create and delete network
shares; start and stop services; back up and restore files; format the hard disk of the computer;
and shut down the computer.
SID: S-1-5-32-550
Name: Print Operators
Description: A built-in group that exists only on domain controllers. By default, the only member
is the Domain Users group. Print Operators can manage printers and document queues.
SID: S-1-5-32-551
Name: Backup Operators
Description: A built-in group. By default, the group has no members. Backup Operators can back
up and restore all files on a computer, regardless of the permissions that protect those files.
Backup Operators also can log on to the computer and shut it down.
SID: S-1-5-32-552
Name: Replicators
Description: A built-in group that is used by the File Replication service on domain controllers. By
default, the group has no members. Do not add users to this group.
SID: S-1-5-64-10
Name: NTLM Authentication
Description: A SID that is used when the NTLM authentication package authenticated the client.
SID: S-1-5-64-14
Name: SChannel Authentication
Description: A SID that is used when the SChannel authentication package authenticated the
client.
SID: S-1-5-64-21
Name: Digest Authentication
Description: A SID that is used when the Digest authentication package authenticated the client.
SID: S-1-5-80
Name: NT Service
Description: An NT Service account prefix
SID: S-1-5-80-0
SID S-1-5-80-0 = NT SERVICES\ALL SERVICES
Name: All Services
Description: A group that includes all service processes that are configured on the system.
Membership is controlled by the operating system.
Note Added in Windows Server 2008 R2
SID: S-1-5-83-0
Name: NT VIRTUAL MACHINE\Virtual Machines
Description: A built-in group. The group is created when the Hyper-V role is installed. Membership
in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the
"Create Symbolic Links" right (SeCreateSymbolicLinkPrivilege), and also the "Log on as a
Service" right (SeServiceLogonRight).
Note Added in Windows 8 and Windows Server 2012
SID: S-1-16-0
Name: Untrusted Mandatory Level
Description: An untrusted integrity level.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-16-4096
Name: Low Mandatory Level
Description: A low integrity level.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-16-8192
Name: Medium Mandatory Level
Description: A medium integrity level.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-16-8448
Name: Medium Plus Mandatory Level
Description: A medium plus integrity level.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-16-12288
Name: High Mandatory Level
Description: A high integrity level.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-16-16384
Name: System Mandatory Level
Description: A system integrity level.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-16-20480
Name: Protected Process Mandatory Level
Description: A protected-process integrity level.
Note Added in Windows Vista and Windows Server 2008
SID: S-1-16-28672
Name: Secure Process Mandatory Level
Description: A secure process integrity level.

Note Added in Windows Vista and Windows Server 2008
The following groups appear as SIDs until a Windows Server 2003 domain controller is made the
primary domain controller (PDC) operations master role holder. The "operations master" is also known
as flexible single master operations (FSMO). The following additional built-in groups are created when a
Windows Server 2003 domain controller is added to the domain:

SID: S-1-5-32-554
Name: BUILTIN\Pre-Windows 2000 Compatible Access
Description: An alias added by Windows 2000. A backward compatibility group which allows read
access on all users and groups in the domain.

SID: S-1-5-32-555
Name: BUILTIN\Remote Desktop Users
Description: An alias. Members in this group are granted the right to logon remotely.

SID: S-1-5-32-556
Name: BUILTIN\Network Configuration Operators
Description: An alias. Members in this group can have some administrative privileges to manage
configuration of networking features.

SID: S-1-5-32-557
Name: BUILTIN\Incoming Forest Trust Builders
Description: An alias. Members of this group can create incoming, one-way trusts to this forest.

SID: S-1-5-32-558
Name: BUILTIN\Performance Monitor Users
Description: An alias. Members of this group have remote access to monitor this computer.

SID: S-1-5-32-559
Name: BUILTIN\Performance Log Users
Description: An alias. Members of this group have remote access to schedule logging of
performance counters on this computer.

SID: S-1-5-32-560
Name: BUILTIN\Windows Authorization Access Group
Description: An alias. Members of this group have access to the computed
tokenGroupsGlobalAndUniversal attribute on User objects.

SID: S-1-5-32-561
Name: BUILTIN\Terminal Server License Servers
Description: An alias. A group for Terminal Server License Servers. When Windows Server 2003
Service Pack 1 is installed, a new local group is created.

SID: S-1-5-32-562
Name: BUILTIN\Distributed COM Users
Description: An alias. A group for COM to provide computerwide access controls that govern
access to all call, activation, or launch requests on the computer.

The following groups appear as SIDs until a Windows Server 2008 or Windows Server 2008 R2 domain
controller is made the primary domain controller (PDC) operations master role holder. The "operations
master" is also known as flexible single master operations (FSMO). The following additional built-in
groups are created when a Windows Server 2008 or Windows Server 2008 R2 domain controller is
added to the domain:

SID: S-1-5-21-domain-498
Name: Enterprise Read-only Domain Controllers
Description: A Universal group. Members of this group are Read-Only Domain Controllers in the
enterprise

SID: S-1-5-21-<domain>-521
Name: Read-only Domain Controllers
Description: A Global group. Members of this group are Read-Only Domain Controllers in the
domain

SID: S-1-5-32-569
Name: BUILTIN\Cryptographic Operators
Description: A Builtin Local group. Members are authorized to perform cryptographic operations.

SID: S-1-5-21-<domain>-571
Name: Allowed RODC Password Replication Group
Description: A Domain Local group. Members in this group can have their passwords replicated
to all read-only domain controllers in the domain.

SID: S-1-5-21-<domain>-572
Name: Denied RODC Password Replication Group
Description: A Domain Local group. Members in this group cannot have their passwords
replicated to any read-only domain controllers in the domain

SID: S-1-5-32-573
Name: BUILTIN\Event Log Readers
Description: A Builtin Local group. Members of this group can read event logs from local
machine.

SID: S-1-5-32-574
Name: BUILTIN\Certificate Service DCOM Access
Description: A Builtin Local group. Members of this group are allowed to connect to Certification
Authorities in the enterprise.

The following groups appear as SIDs until a Windows Server 2012 domain controller is made the
primary domain controller (PDC) operations master role holder. The "operations master" is also known
as flexible single master operations (FSMO). The following additional built-in groups are created when a
Windows Server 2012 domain controller is added to the domain:

SID: S-1-5-21-<domain>-522
Name: Cloneable Domain Controllers
Description: A Global group. Members of this group that are domain controllers may be cloned.

SID: S-1-5-32-575
Name: BUILTIN\RDS Remote Access Servers
Description: A Builtin Local group. Servers in this group enable users of RemoteApp programs
and personal virtual desktops access to these resources. In Internet-facing deployments, these
servers are typically deployed in an edge network. This group needs to be populated on servers
running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the
deployment need to be in this group.

SID: S-1-5-32-576
Name: BUILTIN\RDS Endpoint Servers
Description: A Builtin Local group. Servers in this group run virtual machines and host sessions
where users RemoteApp programs and personal virtual desktops run. This group needs to be
populated on servers running RD Connection Broker. RD Session Host servers and RD
Virtualization Host servers used in the deployment need to be in this group.

SID: S-1-5-32-577
Name: BUILTIN\RDS Management Servers
Description: A Builtin Local group. Servers in this group can perform routine administrative
actions on servers running Remote Desktop Services. This group needs to be populated on all
servers in a Remote Desktop Services deployment. The servers running the RDS Central
Management service must be included in this group.

SID: S-1-5-32-578
Name: BUILTIN\Hyper-V Administrators
Description: A Builtin Local group. Members of this group have complete and unrestricted access
to all features of Hyper-V.

SID: S-1-5-32-579
Name: BUILTIN\Access Control Assistance Operators
Description: A Builtin Local group. Members of this group can remotely query authorization
attributes and permissions for resources on this computer.

SID: S-1-5-32-580
Name: BUILTIN\Remote Management Users
Description: A Builtin Local group. Members of this group can access WMI resources over
management protocols (such as WS-Management via the Windows Remote Management
service). This applies only to WMI namespaces that grant access to the user.
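Several of the groups above are privileged in practice even though they are not "Administrators": Remote Desktop Users and Remote Management Users get a foothold on the box, Event Log Readers can read security logs, Cryptographic Operators touch key material, and a Hyper-V Administrator can copy the VHDX of a virtualised domain controller. The following audit of their membership by well-known SID is an added example, not code from the original page. It assumes only the ActiveDirectory module on a domain-joined host; no server or domain names are assumed.

```powershell
# Added example: audit the membership of sensitive built-in groups by their well-known SIDs.
# Assumes the ActiveDirectory module on a domain-joined host; nothing else is assumed.
Import-Module ActiveDirectory

# Why these: they hand out remote logon, log reading, crypto operations, WinRM/WMI access or
# full Hyper-V control. S-1-5-32-544 (Administrators) is the obvious first check.
$SensitiveBuiltinSids = @(
    'S-1-5-32-544'   # Administrators
    'S-1-5-32-555'   # Remote Desktop Users
    'S-1-5-32-556'   # Network Configuration Operators
    'S-1-5-32-569'   # Cryptographic Operators
    'S-1-5-32-573'   # Event Log Readers
    'S-1-5-32-578'   # Hyper-V Administrators
    'S-1-5-32-580'   # Remote Management Users
)

function Resolve-WellKnownSid {
    # Translate a SID string to DOMAIN\Name through LSA; $null if the SID is unknown here
    param([Parameter(Mandatory)][string]$Sid)
    try {
        ([System.Security.Principal.SecurityIdentifier]$Sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch { $null }
}

function Get-BuiltinGroupAudit {
    param([string[]]$Sids = $SensitiveBuiltinSids)
    foreach ($sid in $Sids) {
        # BUILTIN groups live in every domain's Builtin container; -Identity accepts a SID string
        $group = Get-ADGroup -Identity $sid -ErrorAction SilentlyContinue
        if (-not $group) { continue }
        # -Recursive expands nested groups, which is where unexpected privilege usually hides
        $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
        [pscustomobject]@{
            SID         = $sid
            Group       = Resolve-WellKnownSid $sid
            MemberCount = $members.Count
            Members     = ($members | ForEach-Object { $_.SamAccountName }) -join ', '
        }
    }
}

Get-BuiltinGroupAudit | Format-Table -AutoSize -Wrap
```

On a member server that is not a domain controller the same SIDs can be checked against the local SAM with Get-LocalGroupMember -SID, which is useful because local group membership is where RDP and WinRM access is actually granted.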

RID

In a Windows Active Directory (AD) domain, the process of generating unique relative IDs (RIDs) is a
single-master operation that is assigned to one specific domain controller (DC). This DC is referred
to as the RID master of the domain.

The RID master gives a pool of RIDs to each of the other DCs in the domain and keeps track of the sets
of allocated RIDs for each DC. The domain-level RID pool controlled by the RID master can hold
approximately one billion RIDs.

RIDs are never reused, because a RID cannot be reclaimed after the security principal that owned it is
deleted. Reusing a RID could lead to unauthorized access to resources: if a resource's access control
settings still referred to a previously issued security ID (SID), a new principal carrying the same SID
would inherit the old principal's access.

To reduce the chance of a DC running out of RIDs, you can increase the number of RIDs that are allocated by
the RID master to each DC's RID pool by adjusting the RID Block Size value (REG_DWORD) on the RID
master DC. The RID Block Size value is located in the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values
The default is 500, and Windows Server 2012 and later cap the value at 15,000. A larger block size does
not create more RIDs; it only hands them out in bigger pieces, and the unused part of a pool is lost when
the DC holding it is demoted, so oversizing it burns through the domain pool faster.

Users, computers, and groups stored in Active Directory are collectively known as security
principals. Each security principal is assigned a unique string called a SID. The SID
includes a domain identifier that uniquely identifies the domain and a relative identifier (RID)
that uniquely identifies the security principal within the domain. The RID is a monotonically increasing
number at the end of the SID, for example the 1105 in S-1-5-21-<domain>-1105.

Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller
that holds the RID master role (one of the flexible single master operations, or FSMO, roles) in each Active
Directory domain. The RID master (also known as the RID pool manager, RID manager, or RID
operations master) is responsible for issuing a unique RID pool to each domain controller in its domain.
By default, RID pools are obtained in increments of 500. Since RIDs are 30 bits in length, a maximum
of 1,073,741,824 (2^30) security principals can be created in an Active Directory domain; Windows
Server 2012 can unlock a 31st bit, which doubles that space. Newly
promoted domain controllers must acquire a RID pool before they can advertise their availability to
Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID
allocations in order to continue creating security principals when their current RID pool becomes
depleted.
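The pool state described above is visible in the directory itself, and monitoring it is how you notice a domain that is burning RIDs (a runaway provisioning system, or an attacker mass-creating accounts) before the RID master refuses to issue more. The script below is an added example, not code from the original page: it reads the domain pool from the RID Manager$ object on the RID master, each DC's current and reserve pool from its RID Set object, the RID Block Size value named above (over WinRM, which is assumed to be reachable), and splits a SID into its domain part and RID. All names are discovered at run time.

```powershell
# Added example (not from the page): RID pool status, per-DC pools, RID Block Size, SID split.
# Assumes the ActiveDirectory module and WinRM access to the RID master; names are discovered.
Import-Module ActiveDirectory

function Split-RidRange {
    # RID pool attributes pack a range into 64 bits: low 32 bits = first RID, high 32 bits = last RID
    param([int64]$Packed)
    [pscustomobject]@{ Start = $Packed -band 0xFFFFFFFF; End = $Packed -shr 32 }
}

function Get-RidPoolStatus {
    # rIDAvailablePool on "CN=RID Manager$,CN=System,<domain>": high 32 bits = size of the domain
    # pool (2^30 - 1 by default), low 32 bits = next RID the RID master will hand out
    $domain = Get-ADDomain
    $mgr = Get-ADObject -Identity "CN=RID Manager$,CN=System,$($domain.DistinguishedName)" `
                        -Properties rIDAvailablePool -Server $domain.RIDMaster
    $r = Split-RidRange ([int64]$mgr.rIDAvailablePool)
    [pscustomobject]@{
        RIDMaster     = $domain.RIDMaster
        PoolSize      = $r.End
        RIDsIssued    = $r.Start
        RIDsRemaining = $r.End - $r.Start
        PercentUsed   = [math]::Round(100 * $r.Start / $r.End, 2)
    }
}

function Get-DcRidSets {
    # Each writable DC keeps its pools on "CN=RID Set" under its computer object:
    # rIDPreviousAllocationPool = pool in use, rIDAllocationPool = reserve pool, rIDNextRID = next RID
    foreach ($dc in Get-ADDomainController -Filter *) {
        $set = Get-ADObject -Identity "CN=RID Set,$($dc.ComputerObjectDN)" -Server $dc.HostName `
                            -Properties rIDAllocationPool, rIDPreviousAllocationPool, rIDNextRID `
                            -ErrorAction SilentlyContinue
        if (-not $set) { continue }   # RODCs create no principals and have no RID Set
        $cur = Split-RidRange ([int64]$set.rIDPreviousAllocationPool)
        $res = Split-RidRange ([int64]$set.rIDAllocationPool)
        [pscustomobject]@{
            DC          = $dc.HostName
            CurrentPool = "$($cur.Start)-$($cur.End)"
            NextRID     = $set.rIDNextRID
            ReservePool = "$($res.Start)-$($res.End)"
        }
    }
}

function Get-RidBlockSize {
    # Only meaningful on the RID master; default 500, capped at 15000 from Windows Server 2012 on
    param([string]$Server = (Get-ADDomain).RIDMaster)
    Invoke-Command -ComputerName $Server -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\RID Values'
        $v = (Get-ItemProperty -Path $key -Name 'RID Block Size' -ErrorAction SilentlyContinue).'RID Block Size'
        if ($null -eq $v) { 500 } else { $v }
    }
}

function Split-Sid {
    # "S-1-5-21-<domain>-<RID>": the RID is the last sub-authority, the rest is the domain SID
    param([Parameter(Mandatory)][string]$Sid)
    $s = [System.Security.Principal.SecurityIdentifier]$Sid
    [pscustomobject]@{
        Sid       = $Sid
        DomainSid = if ($s.AccountDomainSid) { $s.AccountDomainSid.Value } else { $null }
        RID       = [int64]($Sid.Split('-')[-1])
    }
}

Get-RidPoolStatus
Get-DcRidSets | Format-Table -AutoSize
"RID Block Size on RID master: $(Get-RidBlockSize)"
Split-Sid -Sid (Get-ADUser -Identity 'krbtgt').SID.Value   # krbtgt always carries RID 502
```

A DC whose NextRID sits at the end of its current pool while the reserve pool reads 0-0 has already failed to reach the RID master; that is the condition the RID master failure section later on describes, caught before anyone tries to create an account.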

Active Directory Restore
Three types of System State restores exist: authoritative, non-authoritative, and primary.

An authoritative restore consists of running NTDSUTIL after a non-authoritative restore of the System State
has completed, while the domain controller is still in Directory Services Restore Mode (DSRM) and before it
is rebooted. NTDSUTIL marks the selected objects (or a whole subtree) as authoritative by raising their
attribute version numbers by a large increment (by default 100,000 per day elapsed since the backup), so
that they win against the copies held by every other domain controller the machine replicates with. After
the reboot, the domain controller replicates the restored objects out to the other domain controllers,
returning those objects to the state they had when the backup was taken; everything that was not marked
authoritative is still updated from the replication partners as usual. Use this option if a number of
users were accidentally deleted from Active Directory and the AD Recycle Bin is not enabled.

In NTDSUTIL.EXE enter "activate instance ntds", then "authoritative restore", then "restore subtree <DN>"
or "restore object <DN>" with the distinguished name of the subtree or object to restore. NTDSUTIL also
writes a text file and an LDIF file listing group memberships of the restored objects that may have to be
replayed (mainly memberships in groups of other domains).

A non-authoritative restore is any System State restore, Active Directory or not, that overwrites the
System State with the backed-up copy; the restored domain controller then catches up on everything that
changed since the backup through normal replication from its partners. This is the recommended way of
fully restoring a machine from a file-by-file backup. If the machine's registry is damaged or corrupt,
but the machine can still boot into Safe Mode (for a domain controller, DSRM), the System State may be
restored instead of reinstalling the operating system.

A primary restore is performed on the first domain controller of a domain that is being entirely
rebuilt, when no other domain controllers are present on the network. You may also use this
type of restore when the machine is the only functioning server in a replicated data set. For
instance, the SYSVOL directory is a replicated data set, as it is automatically
replicated to other domain controllers via the File Replication Service (FRS) or DFS Replication.
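The two ways of getting accidentally deleted users back, as an added example that is not part of the original page. Part 1 uses the AD Recycle Bin (mentioned later on this page), which needs no backup and no DSRM; part 2 is the NTDSUTIL sequence described above, typed in DSRM. The OU "OU=Sales,DC=lab,DC=local", the one-day window and the wbadmin version identifier are placeholders; the ActiveDirectory module is assumed for part 1.

```powershell
# Added example (not from the page): two ways to recover deleted users.
# "OU=Sales,DC=lab,DC=local", the one-day window and the backup version are placeholders.

# 1) With the AD Recycle Bin enabled (Windows Server 2008 R2 forest level and up): deleted
#    objects keep their attributes and group links for the deleted-object lifetime (180 days by
#    default) and are restored online, with no backup, no DSRM reboot and no authoritative restore.
Import-Module ActiveDirectory
$since = (Get-Date).AddDays(-1)
Get-ADObject -Filter { isDeleted -eq $true -and objectClass -eq 'user' -and whenChanged -ge $since } `
             -IncludeDeletedObjects -Properties lastKnownParent, whenChanged |
    Where-Object { $_.lastKnownParent -eq 'OU=Sales,DC=lab,DC=local' } |
    Restore-ADObject -Verbose

# 2) Without the Recycle Bin: boot the DC into DSRM, restore System State non-authoritatively,
#    then mark the subtree authoritative with ntdsutil BEFORE rebooting. Run these in DSRM from an
#    elevated prompt; the version identifier comes from "wbadmin get versions".
wbadmin start systemstaterecovery -version:05/20/2016-22:00 -quiet

# ntdsutil takes its interactive commands as quoted arguments; each "q" backs out of one menu.
# The version-number increment defaults to 100,000 per day elapsed since the backup.
ntdsutil "activate instance ntds" "authoritative restore" `
         "restore subtree OU=Sales,DC=lab,DC=local" q q

# ntdsutil prints the names of a .txt and a .ldf file with group memberships that may need
# replaying (mainly for groups in other domains). After the reboot, on a DC of that domain:
#   ldifde -i -k -f <ldf file named in the ntdsutil output>
# Then let the restored objects replicate out before anyone recreates them by hand.
```

Prefer part 1 whenever the Recycle Bin is on: an authoritative restore rolls the whole subtree back to the backup, including legitimate changes made since, and briefly takes a DC out of service in DSRM.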

Get Forest and Domain Functional Level

The functional levels gate security features (for example fine-grained password policies and AES Kerberos
keys need the Windows Server 2008 domain level, and the Protected Users group needs Windows Server 2012 R2),
so they are worth checking before planning hardening.

Get the forest functional level using dsquery:
dsquery * "CN=Partitions,CN=Configuration,DC=lab,DC=local" -scope base -attr msDS-Behavior-Version
Conversion table:
0 = Windows 2000
1 = Windows 2003 interim
2 = Windows 2003
3 = Windows 2008
4 = Windows 2008 R2
5 = Windows 2012
6 = Windows 2012 R2

Get the domain functional level using dsquery (msDS-Behavior-Version, ntMixedDomain):
dsquery * "DC=lab,DC=local" -scope base -attr msDS-Behavior-Version ntMixedDomain
Conversion table:
0, 0 = Windows 2000 native
0, 1 = Windows 2000 mixed
2, 0 = Windows 2003
3, 0 = Windows 2008
4, 0 = Windows 2008 R2
5, 0 = Windows 2012
6, 0 = Windows 2012 R2

Get the Active Directory schema version using dsquery:
dsquery * "CN=Schema,CN=Configuration,DC=lab,DC=local" -scope base -attr objectVersion
13 = Windows 2000 Server
30 = Windows Server 2003 RTM, Windows Server 2003 with Service Pack 1 or Service Pack 2
31 = Windows Server 2003 R2
44 = Windows Server 2008 RTM
47 = Windows Server 2008 R2
56 = Windows Server 2012 RTM
69 = Windows Server 2012 R2

Active Directory Partitions

The directory is divided into naming contexts (partitions), each with its own replication scope:

Schema partition: contains the definitions of every object class and attribute that CAN be stored in AD.
Replicates to all domain controllers in the forest. Changes rarely, only when the schema is extended.
Configuration partition: contains configuration data about the forest and its trees: sites, subnets,
site links, partitions, trusts and forest-wide services. Replicates to all domain controllers in the
forest. Changes only as often as the forest topology does.
Domain partition: contains the objects (users, computers, groups, OUs) of one domain. Replicates to all
domain controllers within that domain only; a partial attribute set of every object is additionally
replicated to every global catalog server in the forest.
Application partitions: hold application data that needs a replication scope of its own. For example,
when AD-integrated DNS is used there are two application partitions for DNS zones, ForestDNSZones
(replicated to every DNS server DC in the forest) and DomainDNSZones (replicated to every DNS server DC
in the domain).
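The three dsquery commands in the functional level section and the partition list above read the same objects, so one script serves both passages. It is an added example, not code from the original page: it resolves the partition DNs from rootDSE (so "DC=lab,DC=local" is whatever the host's domain is), maps msDS-Behavior-Version and objectVersion with the conversion tables above, and classifies every naming context the DC holds as schema, configuration, domain or application. Only the ActiveDirectory module on a domain-joined host is assumed.

```powershell
# Added example (not from the page): functional levels, schema version and naming contexts from
# rootDSE. Assumes the ActiveDirectory module on a domain-joined host.
Import-Module ActiveDirectory

# msDS-Behavior-Version and objectVersion values from the conversion tables above
$BehaviorVersion = @{
    0 = 'Windows 2000'; 1 = 'Windows 2003 interim'; 2 = 'Windows 2003'
    3 = 'Windows 2008'; 4 = 'Windows 2008 R2'; 5 = 'Windows 2012'; 6 = 'Windows 2012 R2'
}
$SchemaVersion = @{
    13 = 'Windows 2000 Server'; 30 = 'Windows Server 2003'; 31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008'; 47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012'
    69 = 'Windows Server 2012 R2'
}

function Get-ForestLevels {
    $root = Get-ADRootDSE
    # Forest level: CN=Partitions in the configuration NC (first dsquery above)
    $partitions = Get-ADObject -Identity "CN=Partitions,$($root.configurationNamingContext)" `
                               -Properties 'msDS-Behavior-Version'
    # Domain level: the domain head, together with ntMixedDomain (second dsquery above)
    $domain = Get-ADObject -Identity $root.defaultNamingContext `
                           -Properties 'msDS-Behavior-Version', ntMixedDomain
    # Schema version: objectVersion on the schema NC head (third dsquery above)
    $schema = Get-ADObject -Identity $root.schemaNamingContext -Properties objectVersion

    $domainLevel = [int]$domain.'msDS-Behavior-Version'
    $domainName  = if ($domainLevel -eq 0 -and [int]$domain.ntMixedDomain -eq 1) { 'Windows 2000 mixed' }
                   elseif ($domainLevel -eq 0) { 'Windows 2000 native' }
                   else { $BehaviorVersion[$domainLevel] }
    [pscustomobject]@{
        ForestLevel   = $BehaviorVersion[[int]$partitions.'msDS-Behavior-Version']
        DomainLevel   = $domainName
        SchemaVersion = $SchemaVersion[[int]$schema.objectVersion]
        RawSchema     = $schema.objectVersion   # newer than the table if the lookup is empty
    }
}

function Get-NamingContexts {
    # rootDSE lists every NC this DC holds; whatever is not the schema, the configuration or a
    # domain NC is an application partition (DomainDNSZones, ForestDNSZones, custom ones).
    $root = Get-ADRootDSE
    $domainNCs = (Get-ADForest).Domains | ForEach-Object { (Get-ADDomain -Identity $_).DistinguishedName }
    foreach ($nc in $root.namingContexts) {
        $kind = switch ($nc) {
            $root.schemaNamingContext        { 'Schema' }
            $root.configurationNamingContext { 'Configuration' }
            { $domainNCs -contains $_ }      { 'Domain' }
            default                          { 'Application' }
        }
        [pscustomobject]@{ Partition = $nc; Kind = $kind }
    }
}

Get-ForestLevels
Get-NamingContexts | Format-Table -AutoSize
```

An application partition that nobody recognises is worth a second look: it has its own replica set and its own ACL, so it is a place where data can be stored and replicated outside the domain partition's usual monitoring.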

Aging
Aging is the feature that identifies stale DNS records. It only applies to dynamically registered records,
which carry a timestamp; records created by hand are static, have no timestamp and are never aged. Aging
uses two intervals: the no-refresh interval (default 7 days), during which a client re-registering an
unchanged record does not update the timestamp (this keeps refresh traffic out of AD replication), followed
by the refresh interval (default 7 days), during which a refresh is accepted and the timestamp is renewed.
A record is considered stale only once both intervals have elapsed since its timestamp.

Scavenging
Scavenging is the feature that cleans up and removes stale resource records from DNS zones. It has to be
enabled twice: aging on the zone, and scavenging (with a scavenging period, default 7 days) on the DNS
server that is supposed to do the deleting. Leaving stale records in place is a security problem as well
as an operational one: a record that still points at an address that has since been handed to another
host lets that host answer for the old name. On the other hand, intervals that are too short delete the
records of machines that are merely switched off for a while, so set them longer than the longest absence
you expect to tolerate.
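The zone-level and server-level halves of the configuration above, plus a check of which records would actually be deleted, as an added example that is not part of the original page. It uses the DnsServer module (Windows Server 2012 and later); the zone name lab.local, the server dc1.lab.local and the 7-day intervals are assumptions.

```powershell
# Added example (not from the page): enable aging on a zone and scavenging on the server, then
# list the A records the next scavenging pass would delete. Zone, server and intervals assumed.
Import-Module DnsServer

$Zone      = 'lab.local'
$Server    = 'dc1.lab.local'
$NoRefresh = New-TimeSpan -Days 7    # refreshes of an unchanged record are ignored for this long
$Refresh   = New-TimeSpan -Days 7    # then the client has this long to refresh before it is stale

# Zone level: a dynamic record is stale once NoRefresh + Refresh has passed since its timestamp
Set-DnsServerZoneAging -Name $Zone -Aging $true -NoRefreshInterval $NoRefresh `
                       -RefreshInterval $Refresh -ComputerName $Server
# Server level: how often this server looks for stale records and deletes them
Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval (New-TimeSpan -Days 7) `
                        -ComputerName $Server

function Get-StaleDnsARecord {
    param([string]$ZoneName = $Zone, [string]$ComputerName = $Server)
    $aging  = Get-DnsServerZoneAging -Name $ZoneName -ComputerName $ComputerName
    $cutoff = (Get-Date) - ($aging.NoRefreshInterval + $aging.RefreshInterval)
    # Timestamp is $null for static records, which scavenging never touches
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -ComputerName $ComputerName |
        Where-Object { $_.Timestamp -and $_.Timestamp -lt $cutoff } |
        Select-Object HostName, Timestamp,
                      @{ n = 'IPv4Address'; e = { $_.RecordData.IPv4Address.IPAddressToString } },
                      @{ n = 'StaleFor';    e = { (Get-Date) - $_.Timestamp } }
}

Get-StaleDnsARecord | Sort-Object Timestamp | Format-Table -AutoSize
```

Run the listing before the first scavenging pass: the names it prints are the ones that will vanish, and a server or printer registered years ago by hand with a timestamp (for example through a DHCP server doing the registration) is a common surprise.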

Stub zones
A stub zone is a copy of a zone that contains only those resource records necessary to identify the
authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names
between separate DNS namespaces. This type of resolution may be necessary when a corporate
merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in
both namespaces.

A stub zone consists of:
The start of authority (SOA) resource record, name server (NS) resource records, and the glue
A resource records for the delegated zone.
The IP address of one or more master servers that can be used to update the stub zone.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone,
usually the DNS server hosting the primary zone for the delegated domain name.

A stub zone therefore holds the NS records of the master zone and refreshes them regularly from the
master servers. Stub zones can be used in the following situations:
If you have multiple levels of domain hierarchy, stub zones let a DNS server go straight to the
authoritative servers of a distant zone instead of walking the delegation chain up to the root of the
namespace and down again.
They can replace secondary zones when configuring fault tolerance, since they hold far less data.
They facilitate DNS connectivity across domains. Consider the forest contoso.com with the domain tree
ny.contoso.com (with acc.ny.contoso.com as a sub-domain) and sa.contoso.com (with fin.sa.contoso.com as a
sub-domain). If a client in acc.ny.contoso.com tries to access resources in fin.sa.contoso.com and no stub
zones are configured, multiple DNS servers have to be contacted, in the order
acc.ny.contoso.com > ny.contoso.com > contoso.com > sa.contoso.com > fin.sa.contoso.com.
If instead a stub zone for fin.sa.contoso.com is created on the acc.ny.contoso.com DNS servers, it contains
the list of authoritative DNS servers for that zone, and queries from acc.ny.contoso.com can be sent
directly to fin.sa.contoso.com.

You could argue that the same thing can be configured through conditional forwarding, but a conditional
forwarder is a static list of server IP addresses that you must maintain by hand: if the other side
replaces or renumbers its DNS servers, forwarding silently breaks, whereas a stub zone picks up the new NS
and glue records from its master servers. Conditional forwarding is the better fit when you want to
resolve Internet names through a specific resolver, or when a single DNS server in your organisation is
responsible for your entire namespace. Stub zones can also be used in branch sites to avoid querying
other DNS servers and so reduce DNS-related traffic.

Stub zones also help with delegation. A parent zone normally contains the delegation for a child zone
as a fixed set of NS records, say for the two DNS servers the child zone started with. If the
administrator of the child adds additional DNS servers or changes the existing DNS infrastructure, the
parent zone does not learn about this and keeps handing out stale referrals. If instead the parent DNS
server is configured with a stub zone for its child zone, all changes made to the child zone's NS records
become available to the parent.
Stub zones are dynamic: the name servers for the zone are automatically updated in the stub zone.
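The scenario above, as an added example that is not part of the original page: it creates the stub zone for fin.sa.contoso.com on the acc.ny.contoso.com DNS servers (AD-integrated, so every DNS server DC in that domain receives it), shows the conditional-forwarder alternative for comparison, and checks whether the NS records the stub holds still match what the master servers answer. The master server addresses 10.20.30.10 and 10.20.30.11 are made up; the DnsServer module (Windows Server 2012 and later) is assumed.

```powershell
# Added example (not from the page): stub zone versus conditional forwarder for the scenario above.
# Master server addresses are made up; requires the DnsServer module.
Import-Module DnsServer

$ChildZone = 'fin.sa.contoso.com'
$Masters   = @('10.20.30.10', '10.20.30.11')   # assumed authoritative servers for the child zone

# Stub zone: only SOA/NS/glue are copied and refreshed from the masters, so a change of name
# servers on the fin.sa side shows up here automatically. Stored in AD for every DNS DC in the domain.
Add-DnsServerStubZone -Name $ChildZone -MasterServers $Masters -ReplicationScope Domain

# The conditional-forwarder alternative: a fixed list of IP addresses that nobody updates for you.
# Add-DnsServerConditionalForwarderZone -Name $ChildZone -MasterServers $Masters -ReplicationScope Domain

function Test-StubZoneHealth {
    param([string]$ZoneName = $ChildZone)
    $zone = Get-DnsServerZone -Name $ZoneName
    if ($zone.ZoneType -ne 'Stub') { throw "$ZoneName is not a stub zone" }
    # NS records the stub currently holds ...
    $stubNs = @(Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType NS |
                ForEach-Object { $_.RecordData.NameServer.TrimEnd('.').ToLower() } |
                Sort-Object -Unique)
    # ... versus what the masters answer right now
    $liveNs = @(foreach ($m in $zone.MasterServers) {
        Resolve-DnsName -Name $ZoneName -Type NS -Server $m -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'NS' } |
            ForEach-Object { $_.NameHost.TrimEnd('.').ToLower() }
    } | Sort-Object -Unique)
    [pscustomobject]@{
        Zone    = $ZoneName
        Masters = ($zone.MasterServers -join ', ')
        StubNS  = ($stubNs -join ', ')
        LiveNS  = ($liveNs -join ', ')
        # No difference between the two lists means the stub is current
        InSync  = ($liveNs.Count -gt 0) -and -not (Compare-Object $stubNs $liveNs)
    }
}

Test-StubZoneHealth
```

If InSync stays false after the stub's refresh interval, the master servers are either unreachable from this DNS server or no longer authoritative for the zone, which is exactly the failure a conditional forwarder would never report.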

Blue Screen of Death
BSoDs have been present in Windows NT 3.1 (the first release of the NT family) and all Windows operating systems
released afterwards. (See History of Microsoft Windows.) BSoDs can be caused by poorly written device drivers or
malfunctioning hardware, such as faulty memory, power supply issues, overheating of components, or hardware
running beyond its specification limits. In the Windows 9x era, incompatible DLLs or bugs in the operating system
kernel could also cause BSoDs. Because of the instability and lack of memory protection in Windows 9x, BSoDs were
much more common there.

On Windows 9x the most common BSoD is shown on a 25x80 text screen and is the operating system's way of reporting
an interrupt caused by a processor exception; it is a more serious form of the general protection
fault dialog box. The memory address of the error is given and the error type is a hexadecimal
number from 00 to 11 (0 to 17 decimal), which is simply the x86 exception vector. The error codes are as follows:[17]
00: Division fault
02: Non-Maskable Interrupt
04: Overflow Trap
05: Bounds Check Fault
06: Invalid Opcode Fault
07: "Coprocessor Not Available" Fault
08: Double Fault
09: Coprocessor Segment Overrun
0A: Invalid Task State Segment Fault
0B: Not Present Fault
0C: Stack Fault
0D: General Protection Fault
0E: Page Fault
10: Coprocessor Error Fault
11: Alignment Check Fault

On the NT family, including every Windows Server release, the stop screen instead reports a bug check code (for
example STOP 0x0000007E, SYSTEM_THREAD_EXCEPTION_NOT_HANDLED) with four parameters and, where known, the
faulting driver, and the kernel writes a memory dump that can be analysed afterwards with WinDbg ("!analyze -v").
A bug check is a crash in the most privileged code on the machine, so an unexplained one on a server, in
particular one that repeats in the same driver, deserves triage as a possible attack on that driver and not
only as a hardware question.

Common reasons for BSoDs are:
Problems that occur with incompatible versions of DLLs: Windows loads these
DLLs into memory when they are needed by application programs; if versions
are changed, the next time an application loads the DLL it may be different
from what the application expects. These incompatibilities increase over time
as more new software is installed, and this is one of the main reasons why a
freshly installed copy of Windows is more stable than an "old" one.
Faulty or poorly written device drivers
Hardware incompatibilities
Damaged hardware may also cause a BSoD.
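Finding out which stop code a machine actually hit, and whether a dump exists to analyse, is the first step of the triage described above. The following is an added example, not code from the original page: it reads the "rebooted from a bugcheck" events (event 1001, provider Microsoft-Windows-WER-SystemErrorReporting, logged after the reboot) from the System log, parses the stop code and parameters out of the message, and shows the crash dump configuration. The computer name defaults to the local host; nothing else is assumed.

```powershell
# Added example (not from the page): bug-check history from the System log plus dump settings.
# Defaults to the local machine; remote use needs the event log reachable over RPC.

function Get-BugCheckHistory {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-WER-SystemErrorReporting'
        Id           = 1001
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Message looks like: "The computer has rebooted from a bugcheck. The bugcheck was:
            # 0x0000007e (0xffffffffc0000005, 0x..., 0x..., 0x...). A dump was saved in: C:\Windows\MEMORY.DMP. ..."
            $m = [regex]::Match($_.Message, 'bugcheck was:\s*(0x[0-9a-fA-F]+)\s*\(([^)]*)\)')
            $d = [regex]::Match($_.Message, 'saved in:\s*(\S+?)\.?(\s|$)')
            [pscustomobject]@{
                Time     = $_.TimeCreated
                StopCode = if ($m.Success) { $m.Groups[1].Value } else { $null }
                Params   = if ($m.Success) { $m.Groups[2].Value } else { $null }
                Dump     = if ($d.Success) { $d.Groups[1].Value } else { $null }
            }
        }
}

function Get-CrashDumpConfig {
    # CrashDumpEnabled 0 = no dump at all, 1 = complete, 2 = kernel, 3 = small (minidump), 7 = automatic.
    # Without a dump there is nothing to analyse, so check this before the next crash, not after.
    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' |
        Select-Object CrashDumpEnabled, DumpFile, MinidumpDir, AutoReboot
}

function Group-BugCheckByCode {
    # The same stop code repeating is the pattern worth escalating
    param([int]$Days = 90)
    Get-BugCheckHistory -Days $Days | Group-Object StopCode |
        Select-Object @{ n = 'StopCode'; e = { $_.Name } }, Count,
                      @{ n = 'Last'; e = { ($_.Group | Sort-Object Time | Select-Object -Last 1).Time } }
}

Get-BugCheckHistory | Format-Table -AutoSize
Group-BugCheckByCode | Format-Table -AutoSize
Get-CrashDumpConfig
```

Event 41 from Microsoft-Windows-Kernel-Power marks any unclean shutdown, including crashes that never got as far as writing the 1001 event, so a 41 without a matching 1001 is itself a finding.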

FSMO Roles
(See also "Operations master roles" and "FSMO Roles".)
What happens when a specific FSMO role holder is not online or available:

Schema master unavailable: this is not visible to users, as users do not need it. Only admins need this
FSMO role, to extend the AD schema. When it is not available you cannot extend the AD schema to support
your own extensions or those required by other (Microsoft) products (e.g. Exchange, OCS/Lync). These
activities are not done on a day-to-day basis, so relatively speaking its absence is not critical.

Domain naming master unavailable: this is not visible to users, as users do not need it. Only admins
need this FSMO role, to add or remove partitions/naming contexts (e.g. AD domains, application
partitions) and cross-references to partitions outside the AD forest. When it is not available you
cannot do any of that. These activities are not done on a day-to-day basis, so relatively speaking its
absence is not critical.

Infrastructure master unavailable: this may not be visible to users or admins. Admins only need it to
run ADPREP (during AD upgrades) or to migrate objects between AD domains (intra-forest migrations
only). The infrastructure master (IM) keeps placeholder objects (so-called phantoms) that are used in
cross-domain references up to date; this only applies to objects within the same AD forest. For
example, if a group in domain A contains a user from domain B, a placeholder object (a phantom) that
represents the user from domain B is created in domain A, but only on DCs that are not GCs (a GC already
holds a partial copy of the real user). The DC with the IM role should therefore NOT be a GC if there is
at least one OTHER DC in the same AD domain that is ALSO NOT a GC; if every DC is a GC, it does not
matter. The IM keeps the phantom object up to date with information from the real object (e.g.
distinguishedName, objectGUID, objectSid). The IM is also used by ADPREP to perform actions against
domain NCs and application NCs and, if I'm not mistaken, the IM is also used for intra-forest migrations
of objects (I need to blog about this!). Also see "The Infrastructure Master FSMO And The GC Role" and
"Phantoms, tombstones and the infrastructure master". Remember that when the Recycle Bin is enabled in a
Windows Server 2008 R2 (or later) AD forest, every DC updates its own phantoms and acts as its own
infrastructure master, so the regular IM role becomes unimportant. In a single-domain AD forest the IM
is also less important, as it has no cross-domain phantoms to update and you cannot perform an
intra-forest migration with only one AD domain.

RID master unavailable: this is not visible to users, as users do not need it. Only admins and
provisioning systems need this FSMO role to be available, to create security principals (groups,
computers, users). Every writable DC (RWDC; RODCs do not create principals and get no pools) has two
RID pools, the current RID pool and the reserve RID pool, each a block of 500 RIDs by default. When the
current RID pool is exhausted, the DC takes the reserve RID pool into use as its current pool. When the
current RID pool is at least 50% consumed, the RWDC requests a new RID pool from the RID master and
stores it as the reserve pool, and so on. When the RID master is not available, RWDCs cannot request
new RID pools. You can still create security principals on a RWDC as long as its RID pools are not fully
exhausted. When the RID pools are fully exhausted on one RWDC, you can still use any other RWDC as long
as its RID pools are not fully exhausted. When the RID pools of all RWDCs in the AD domain are fully
exhausted. Did you know that the domain RID pool is limited? It is: the top limit is 1073741823 (over
1 billion RIDs). Also see "RID Master FSMO Explained".

PDC emulator unavailable: the RWDC with the PDC emulator role is the busiest FSMO role holder, as it
performs all kinds of functions, and it is the FSMO role whose loss impacts users most. The PDC emulator
performs the following functions:
[1] It acts as the central time sync authority within an AD forest (this only applies to the PDC
emulator of the forest root domain). For this also see "Configuring And Managing The Windows Time
Service" (Parts 1 to 4). Kerberos rejects tickets whose timestamps are off by more than the allowed
skew (5 minutes by default), so losing the root of the time hierarchy eventually becomes an
authentication outage, not a cosmetic problem.
[2] Any password change or account lockout that occurs on any DC is sent to the PDC emulator
immediately over the secure channel, ahead of normal replication.
[3] When a logon attempt against a RWDC fails because of an incorrect password, that RWDC checks
with the PDC emulator whether it has a newer password before rejecting the logon.
[4] Editing GPOs by default happens against the PDC emulator.
[5] When root scalability mode is not enabled (the default), DFS root servers get their namespace
updates from the PDC emulator. When root scalability mode is enabled, DFS root servers get updates
from the closest DC instead.
[6] The PDC emulator is the only DC that applies the password policy and account lockout policy
settings specified at domain level (in the Default Domain Policy) and writes them to the domain NC.
[7] The AdminSDHolder process (SDProp) runs on the PDC emulator, by default every 60 minutes, to
check protected groups and users and reset their ACLs to match AdminSDHolder. While the PDC emulator
is down this does not happen, so an unauthorised ACL change on a protected account (for example an
attacker granting themselves rights on a Domain Admins member) is no longer reverted.
[8] Legacy NT-style applications that want to target "the PDC" will probably break as soon as the PDC
emulator is not available.

For more information about FSMO failures, see "Responding to operations master
failures"

Operations master Roles failures
Some of the operations master roles are crucial to the operation of your network. Others can be
unavailable for quite some time before their absence becomes a problem. Generally, you will notice
that a single master operations role holder is unavailable when you try to perform some function
controlled by the particular operations master.
If an operations master is not available due to computer failure or network problems, you can seize the
operations master role. This is also referred to as forcing the transfer of the operations master role. Do
not seize the operations master role if you can transfer it instead. For more information,
see Transferring operations master roles.

Note: The operations master roles are sometimes called flexible single master operations (FSMO)
roles.

Before forcing the transfer, first determine the cause and expected duration of the computer or
network failure. If the cause is a networking problem or a server failure that will be resolved soon, wait
for the role holder to become available again. If the domain controller that currently holds the role has
failed, you must determine if it can be recovered and brought back online.
In general, seizing an operations master role is a drastic step that should be considered only if the
current operations master will never be available again. The decision depends upon the role and how
long the particular role holder will be unavailable. The impact of various role holder failures is
discussed in the following topics.

Schema master failure
Temporary loss of the schema master is not visible to network users. It will not be visible to network
administrators either, unless they are trying to modify the schema or install an application that
modifies the schema during installation.
If the schema master will be unavailable for an unacceptable length of time, you can seize the role to
the standby operations master. However, seizing this role is a drastic step that you should take only
when the failure of the schema master is permanent.

Important: A domain controller whose schema master role has been seized must never be brought back
online. Remove its metadata from the directory (ntdsutil "metadata cleanup") and reinstall it before it
is promoted again; otherwise two DCs could both believe they own the role and make conflicting schema
changes.

For procedures on how to seize the schema master role, see Seize the schema master role.

Domain naming master failure
Temporary loss of the domain naming master is not visible to network users. It will not be visible to
network administrators either, unless they are trying to add a domain to the forest or remove a domain
from the forest.
If the domain naming master will be unavailable for an unacceptable length of time, you can seize the
role to the standby operations master. However, seizing this role is a drastic step that you should take
only when the failure of the domain naming master is permanent.

Important: A domain controller whose domain naming master role has been seized must never be brought
back online. Remove its metadata from the directory (ntdsutil "metadata cleanup") and reinstall it
before it is promoted again.

For procedures on how to seize the domain naming master role, see Seize the domain naming master
role.

RID master failure
Temporary loss of the RID master is not visible to network users. It will not be visible to network
administrators either, unless they are creating objects and the domain in which they are creating the
objects runs out of relative IDs (RIDs).
If the RID master will be unavailable for an unacceptable length of time, you can seize the role to the
standby operations master. However, seizing this role is a drastic step that you should take only when
the failure of the RID master is permanent.

Important: A domain controller whose RID master role has been seized must never be brought back
online. If the old RID master came back and kept issuing pools, two DCs could hand out the same RIDs,
which produces duplicate SIDs; remove its metadata (ntdsutil "metadata cleanup") and reinstall it.

For procedures on how to seize the RID master role, see Seize the RID master role.

PDC emulator master failure
The severity of a PDC outage depends on your Service Level Agreement (SLA) and the actual behavior
and configuration of the environment. For example, inconsistent password change behavior may affect
users beyond what your SLAs allow, or the lack of time synchronization may cause resource access
failures: Kerberos rejects tickets from clients whose clocks differ from the server's by more than the
allowed skew (5 minutes by default), so a time hierarchy without its root turns into an authentication
problem once the clocks drift far enough.
Also, in smaller environments, it may happen that the PDC as the first server in the domain is the only
DNS or Global Catalog Server, or is the only domain controller (DC) with a valid SYSVOL in case other
DCs did not successfully initiate or maintain SYSVOL replication. The PDC role holder may also be the
target for regular file server access. When this is done for folder redirection or logon script activities, it
may also affect users when logging on and while they work.
Other than the conditions described above, there is no direct dependency of the domain members on
the PDC role holder. However, you might be using applications that are coded to contact the PDC only.
You should try to avoid having this single point of failure.
Often, these applications were written for Windows NT 3.x and 4.0 deployments where the PDC was
the only writable DC. However, since Active Directory, all DCs except Read-Only DCs are writable. The
DsGetDcName API allows you to pick the right type; similar options are available in AD API interfaces
like ADSI (ADS_READONLY_SERVER) or the .NET runtime.
The loss of the primary domain controller (PDC) emulator master may affect network users. Therefore,
when the PDC emulator master is not available, you may need to immediately seize the role.

For procedures on how to seize the PDC emulator role, see Seize the PDC emulator role.

Infrastructure master failure
Temporary loss of the infrastructure master is not visible to network users. It will not be visible to
network administrators either, unless they have recently moved or renamed a large number of
accounts.
If the infrastructure master will be unavailable for an unacceptable length of time, you can seize the
role to a domain controller that is not a global catalog but is well connected to a global catalog (from
any domain), ideally in the same site as the current global catalog. When the original infrastructure
master is returned to service, you can transfer the role back to the original domain controller.
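The checks that the two FSMO sections above imply, as an added example that is not part of the original page: list the five role holders, verify the infrastructure master / global catalog rule (relaxed when the Recycle Bin is enabled), test whether each holder still answers LDAP, and show the difference between a transfer and a seizure with Move-ADDirectoryServerOperationMasterRole. The target DC name 'DC2' in the commented commands is a placeholder; the ActiveDirectory module is assumed.

```powershell
# Added example (not from the page): FSMO holders, IM/GC placement check, reachability,
# transfer versus seizure. 'DC2' is a placeholder; assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        Forest               = $forest.Name
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        Domain               = $domain.DNSRoot
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    # Rule from the text above: the IM must not be a GC unless every DC in the domain is a GC,
    # except when the Recycle Bin is enabled, in which case placement no longer matters.
    $domain = Get-ADDomain
    $dcs    = @(Get-ADDomainController -Filter * -Server $domain.DNSRoot)
    $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
    $nonGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog })
    $binOn  = (Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }).EnabledScopes.Count -gt 0
    [pscustomobject]@{
        InfrastructureMaster = $im.HostName
        IMIsGlobalCatalog    = $im.IsGlobalCatalog
        AllDCsAreGC          = ($nonGc.Count -eq 0)
        RecycleBinEnabled    = $binOn
        Misplaced            = [bool]($im.IsGlobalCatalog -and $nonGc.Count -gt 0 -and -not $binOn)
    }
}

function Test-FsmoReachable {
    # A holder that no longer answers LDAP (389) is the candidate for transfer or, failing that, seizure
    $holders = Get-FsmoRoleHolders
    foreach ($role in 'SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
        $host = $holders.$role
        [pscustomobject]@{
            Role   = $role
            Holder = $host
            Online = Test-NetConnection -ComputerName $host -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}

# Graceful transfer, used while the current holder is still up (no -Force):
#   Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole PDCEmulator
# Seizure, used only when the holder is gone for good (-Force). Afterwards the old holder must never
# return; clean it out with "ntdsutil metadata cleanup" and rebuild it:
#   Move-ADDirectoryServerOperationMasterRole -Identity 'DC2' -OperationMasterRole SchemaMaster,DomainNamingMaster,RIDMaster -Force

Get-FsmoRoleHolders
Test-InfrastructureMasterPlacement
Test-FsmoReachable | Format-Table -AutoSize
```

Misplaced = True is the condition that silently leaves cross-domain group memberships pointing at stale phantoms; it is harmless in a single-domain forest and once the Recycle Bin is on, which is why the check reports both.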

Understanding SYSVOL/GPO replication
Every Group Policy Object (GPO) has two parts, the Group Policy container (GPC) and the Group Policy
template (GPT). They are stored in two different locations and are replicated by different technologies,
but both must be up to date on a domain controller for the GPO to work properly.

Group Policy templates are stored in SYSVOL, a folder structure in the SYSVOL share on every domain
controller. When you create a new GPO, a Group Policy template folder is created in the SYSVOL share for
the new policy and it contains the settings that belong to that policy; the GPT folder name is the
globally unique identifier (GUID) of the GPO. You can view all GPT folders under the following path (the
default GPT path):
C:\Windows\Sysvol\Sysvol\DomainName\Policies
The Group Policy template (GPT) is replicated with SYSVOL by FRS (or by DFS Replication, see below). FRS
uses state-based replication: as soon as a file under the SYSVOL folder structure changes, replication
is triggered and the entire file is replicated.

Group Policy containers are stored in Active Directory. Almost all GPO settings live in the GPT; the GPC
only holds reference information about the GPO: the GPT path, the GUID of the GPO, version information,
the WMI filter, and the list of client-side extensions that have settings in the GPO. You can view the
GPCs in Active Directory Users and Computers (ADUC), with Advanced Features enabled, under
System\Policies (CN=Policies,CN=System in the domain partition).
The Group Policy container (GPC) is replicated by Active Directory replication.

Both halves carry a version number that the editor increments together. If the AD version (on the GPC)
and the SYSVOL version (in the GPT's GPT.INI) differ on a domain controller, that DC has not yet received
one of the two halves, and clients that read the GPO from it get a stale or inconsistent policy; GPMC
shows this on the GPO's Status tab.

Note: By default the Group Policy Management Editor (GPME) connects to the PDC emulator so that all
administrators work on the same domain controller. If you want a different domain controller you can
change it through the Group Policy Management Console (GPMC).
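The version comparison described above, scripted across every GPO and every domain controller, as an added example that is not part of the original page. It uses the GroupPolicy and ActiveDirectory modules, reads the GPC version through Get-GPO -Server and the GPT version straight from GPT.INI on each DC's SYSVOL share, and decodes the packed version number by hand (user version in the high 16 bits, computer version in the low 16 bits). Domain and DC names are discovered; nothing else is assumed.

```powershell
# Added example (not from the page): GPC (AD) versus GPT (SYSVOL) version check per GPO and per DC.
# Assumes the GroupPolicy and ActiveDirectory modules; names are discovered at run time.
Import-Module GroupPolicy
Import-Module ActiveDirectory

function ConvertFrom-GptVersion {
    # GPT.INI "Version=" and the GPC versionNumber pack two 16-bit counters into one value:
    # high word = user settings version, low word = computer settings version
    param([Parameter(Mandatory)][int64]$Version)
    [pscustomobject]@{
        User     = ($Version -shr 16) -band 0xFFFF
        Computer = $Version -band 0xFFFF
    }
}

function Get-GptIniVersion {
    # Read the Version= line of a GPO's GPT.INI on one specific DC's SYSVOL share
    param([string]$Domain, [string]$Server, [guid]$GpoId)
    $ini  = "\\$Server\SYSVOL\$Domain\Policies\{$GpoId}\GPT.INI"
    $line = Get-Content -Path $ini -ErrorAction SilentlyContinue |
            Where-Object { $_ -like 'Version=*' } | Select-Object -First 1
    if ($line -and $line -match '^Version=(\d+)') { [int64]$Matches[1] } else { $null }
}

function Test-GpoVersionSync {
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $dcs = Get-ADDomainController -Filter * -Server $Domain | Select-Object -ExpandProperty HostName
    foreach ($gpo in Get-GPO -All -Domain $Domain) {
        foreach ($dc in $dcs) {
            # Get-GPO -Server reads the GPC from that DC; the GPT comes from that DC's SYSVOL share
            $g      = Get-GPO -Guid $gpo.Id -Domain $Domain -Server $dc
            $gptRaw = Get-GptIniVersion -Domain $Domain -Server $dc -GpoId $gpo.Id
            $gpt    = if ($null -ne $gptRaw) { ConvertFrom-GptVersion $gptRaw } else { $null }
            [pscustomobject]@{
                GPO         = $g.DisplayName
                DC          = $dc
                ADUser      = $g.User.DSVersion
                SysvolUser  = $g.User.SysvolVersion
                ADComputer  = $g.Computer.DSVersion
                SysvolComp  = $g.Computer.SysvolVersion
                GptIniUser  = if ($gpt) { $gpt.User } else { $null }
                GptIniComp  = if ($gpt) { $gpt.Computer } else { $null }
                InSync      = ($null -ne $gpt) -and
                              ($g.User.DSVersion -eq $g.User.SysvolVersion) -and
                              ($g.Computer.DSVersion -eq $g.Computer.SysvolVersion)
            }
        }
    }
}

Test-GpoVersionSync | Where-Object { -not $_.InSync } | Format-Table -AutoSize
```

A GPO whose GPT.INI is missing on one DC (GptIniUser and GptIniComp empty) is the classic SYSVOL replication failure; a version that is higher in SYSVOL than in AD on every DC points at someone editing the template files directly rather than through the editor, which is worth investigating as tampering.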

File Replication Services (FRS)

I will try to explain step by step. Say you modify Policy A on Server001; this is how the change reaches
Server002 (Server002 is a downstream replication partner of Server001):
Once you modify Policy A on Server001, the corresponding GPT folder in SYSVOL is updated on Server001
(the Group Policy container in Active Directory on Server001 is updated as well).
NTFS records the file and folder changes in the USN journal.
FRS monitors the USN journal for changes under the SYSVOL folder.
FRS updates the inbound log on Server001. The inbound log holds not only the local changes but also the
change orders received from all upstream replication partners (all inbound partners).
FRS creates a staging file in the staging folder on Server001, using the backup APIs, based on the change.
FRS records the change in the outbound log on Server001 and sends a change notification to every
downstream replication partner (all outbound partners).
Server002 receives the change notification from Server001 and stores the change order in its inbound
log. Server002 copies the staging file from Server001 to its own staging folder, then updates its
outbound log so that its own outbound partners can pick up the change.
Using the restore APIs, Server002 reconstructs the file or folder in the preinstall folder, and FRS then
renames it into the replica tree.
In the FRS replication process the entire changed file or folder is replicated from the source to the
destination server.

What is the NTFS USN journal?
It logs all changes to an NTFS volume, including file creations, deletions and modifications. There is
a separate journal on each NTFS volume and it has a size limit (128 MB on Windows Server 2003 SP2 and
Windows Server 2008). If required you can increase the size up to 2 TB; Microsoft recommends increasing
it by 128 MB for every 100,000 files/folders.

What happens when the NTFS USN change journal fills up?
If the USN journal fills up, NTFS overwrites the oldest entries. If that happens before FRS has
processed them, the entry FRS was positioned at no longer exists; this is called a journal wrap.

USN journal wrap error
An error that occurs when large numbers of files change so quickly that the USN journal must remove the
oldest changes (before FRS has a chance to detect them) to stay within the specified size limit. To
resolve this issue you have to perform a non-authoritative restore of the SYSVOL replica set on that DC,
also called a D2 restore (BurFlags = D2), which rebuilds it from a replication partner.

Morphed folder
A replication conflict occurs if identically named directories are created on different servers. To
resolve this conflict FRS creates a folder called a morphed folder.
Say two identical directories are created on different replication members. FRS identifies the
conflict during replication, and the receiving member protects its original copy of the folder and
renames (morphs) the later inbound copy. The morphed folder names have the suffix "_NTFRS_xxxxxxxx",
where "xxxxxxxx" represents eight random hexadecimal digits.

Version vector join (vvjoin)
So far we have discussed SYSVOL replication between existing members. A newly added replication member
does not have any content yet and has to build the folder structure from the beginning. This process is
called vvjoin, in which a downstream partner joins with an upstream partner for the first time.
Vvjoin is a CPU-intensive operation that can affect the performance of the server and increase the
replication traffic.

Distributed File System Replication (DFSR)
Now to the point: how SYSVOL is replicated using DFSR and how that improves replication performance. To
use this feature the domain must be at the Windows Server 2008 domain functional level, which means all
domain controllers must run Windows Server 2008 or later.
SYSVOL replication using DFS Replication is called DFSR-replicated SYSVOL.
DFSR is a multi-master replication engine: changes that occur on one replication member are replicated
to all other servers in the replication group.
DFSR also monitors the NTFS update sequence number (USN) journal to detect changes on the volume, but
it replicates a change only after the file has been closed.
Before sending or receiving a file, DFSR stages it in a staging folder.
For any change in the SYSVOL share FRS replicates the entire file; DFSR instead replicates only the
changed blocks, much like attribute-level Active Directory replication. It compares the source and
destination file using remote differential compression (RDC), which reduces the SYSVOL replication
traffic (by default RDC is applied to files of 64 KB and larger).

Other differences between DFSR and FRS:
DFSR also monitors the NTFS change journal, but it recovers from a journal wrap on its own, so there is
no journal wrap error to fix by hand.
Morphed files and folders are handled automatically (conflicting copies go to the ConflictAndDeleted
folder).
FRS silently fails if the volume SYSVOL resides on has less than 1 GB of free space.
DFSR copies the changed blocks of files and folders, not entire files and folders.
DFSR uses version vector tables to track changes and to resolve conflicts.
DFSR supports read-only replication on selected members, on which users cannot add or change files;
this is how the SYSVOL of an RODC is kept read-only, whereas with FRS the SYSVOL folder of an RODC could
be modified locally.
DFSR does not require the version vector join (vvjoin) operation.

Active Directory Replication Topology
Dependencies
Active Directory replication topology has the following dependencies:
• Routable IP infrastructure. The replication topology is dependent upon a routable
IP infrastructure from which you can map IP subnet address ranges to site objects.
This mapping generates the information that is used by client workstations to
communicate with domain controllers that are close by, when there is a choice,
rather than those that are located across WAN links.
• DNS. The Domain Name System (DNS) resolves DNS names to IP addresses. Active
Directory replication topology requires that DNS is properly designed and deployed so
that domain controllers can correctly resolve the DNS names of replication partners.
DNS also stores service (SRV) resource records that provide site affinity information
to clients searching for domain controllers, including domain controllers that are
searching for replication partners. Every domain controller registers these records so
that they can be located according to site.
• Net Logon service. Net Logon is required for DNS registrations.
• RPC. Active Directory replication requires IP connectivity and RPC to transfer updates
between replication partners within sites. RPC is required for replication between two
sites containing domain controllers in the same domain, but SMTP is an alternative
where RPC cannot be used and domain controllers for the same domain are all
located in one site so that intersite replication of domain data is not required.
• Intersite Messaging. Intersite Messaging is required for SMTP intersite replication
and for site coverage calculations. If the forest functional level is Windows 2000,
Intersite Messaging is also required for intersite topology generation.

2 types of replication:
1> AD replication
2> Sysvol replication
AD replication uses RPC.
Sysvol uses the DFS Replication (DFSR) service if the domain is at the 2008 functional level and all DCs
are Windows Server 2008 or a higher OS version. If the domain functional level is 2003, Sysvol uses
the NT File Replication Service (NTFRS).

The File Replication Service is responsible for replication of SYSVOL folders and Distributed
File System between replica servers. It replicates whatever changes
happen to SYSVOL with the replica servers. The ntdsutil command-line tool is used to
monitor the replication process.

Below the 2008 R2 Forest Functional Level (FFL) --> "Windows File Replication Service".
After raising the FFL to at least 2008 R2, then migrating your SYSVOL folder from "File
Replication Service" to "Distributed File System Replication (DFS-R)", another service
will be found on the DC: DFSR, the "Distributed File System Replication service".

What is Active Directory replication?

Replication must often occur both (intrasite) within sites and (Intersite) between sites to keep domain
and forest data consistent among domain controllers that store the same directory partitions.
Intrasite replication or Replication within site:
The KCC creates separate replication topologies to transfer Active Directory updates within a site
and between all configured sites in the forest. The connections that are used for replication within
sites are created automatically with no additional configuration. Intrasite replication takes advantage
of LAN network speeds by providing replication as soon as changes occur, without the overhead of
data compression, thus maximizing CPU efficiency. Intrasite replication connections form a ring
topology with extra shortcut connections where needed to decrease latency. The fast replication of
updates within sites facilitates timely updates of domain data. In deployments where large
datacenters constitute hub sites for the centralization of mission-critical operations, directory
consistency is critical.

Intersite Replication or Replication between sites:
Replication between sites is made possible by user-defined site and site link objects that are created
in Active Directory to represent the physical LAN and WAN network infrastructure. When Active
Directory sites and site links are configured, the KCC creates an intersite topology so that replication
flows between domain controllers across WAN links. Intersite replication occurs according to a site
link schedule so that WAN usage can be controlled, and is compressed to reduce network bandwidth
requirements. Site link settings can be managed to optimize replication routing over WAN links. The
connections that are created between sites form a spanning tree for each directory partition in the
forest, merging where common directory partitions can be replicated over the same connection.

What is FRS?
File Replication service (FRS) is related to Active Directory replication because it requires the Active
Directory replication topology. FRS is a multimaster replication service that is used to replicate files
and folders in the system volume (SYSVOL) shared folder on domain controllers and in Distributed
File System (DFS) shared folders. FRS works by detecting changes to files and folders and then
replicating the updated files and folders to other replica members, which are connected in a
replication topology.
FRS uses the replication topology that is generated by the KCC to replicate the SYSVOL files to all
domain controllers in the domain. SYSVOL files are required by all domain controllers for Active
Directory to function.

What are the two protocols that are used in replication?
RPC over IP and SMTP over IP.

SMTP
Simple Mail Transfer Protocol (SMTP) is a packaging protocol that can be used
as an alternative to the remote procedure call (RPC) replication transport.
SMTP can be used to transport nondomain replication over IP networks in
mail-message format. Where networks are not fully routed, e-mail is
sometimes the only transport method available.

Replication transports provide the wire protocols that are required for data
transfer. There are three levels of connectivity for replication of Active
Directory information:
• Uniform high-speed, synchronous RPC over IP within a site.
• Point-to-point, synchronous, low-speed RPC over IP between sites.
• Low-speed, asynchronous SMTP between sites.

The following rules apply to the replication transports:
• Replication within a site always uses RPC over IP.

• Replication between sites can use either RPC over IP or SMTP over IP.
• Replication between sites over SMTP is supported for only domain
controllers of different domains. Domain controllers of the same domain must
replicate by using the RPC over IP transport. Therefore, replication between
sites over SMTP is supported for only schema, configuration, and global
catalog replication, which means that domains can span sites only when
point-to-point, synchronous RPC is available between sites.

Synchronous and Asynchronous Communication
The RPC intersite and intrasite transport (RPC over IP within sites and
between sites) and the SMTP intersite transport (SMTP over IP between sites
only) correspond to synchronous and asynchronous communication methods,
respectively. Synchronous communication favors fast, available connections,
while asynchronous communication is better suited for slow or intermittent
connections.

KCC: It creates the replication topology within the site.
ISTG: It creates the topology for the replication between the sites of the same
domain.
Bridgehead server: These servers are responsible for receiving the
replication data from another site and then replicating it to the servers within the
site. Any replication originating from its site will be sent to other sites by this
server only.

What is FRS?
The File Replication service (FRS) is a multi-threaded, multi-master replication
engine that replaces the LMREPL (LanMan Replication) service in the 3.x/4.0
versions of Microsoft Windows NT. Windows 2000 domain controllers and
servers use FRS to replicate system policy and logon scripts for Windows
2000 and earlier clients that are located in the System Volume (Sysvol).
FRS can also replicate content between Windows 2000 servers hosting the
same fault-tolerant Distributed File System (DFS) roots or child node replicas.
In Windows 2008 and Windows 2012 Active Directory, FRS has been replaced
by DFS.

What is Journal Wrap?
Journal wrap errors occur if a sufficient number of changes take place while
FRS is turned off such that the last USN change that FRS recorded during
shutdown no longer exists in the USN journal during startup. The risk is that
changes to files and folders for FRS replicated trees may have taken place
while the service was turned off, and no record of the change exists in the
USN journal. To guard against data inconsistency, FRS asserts into a journal
wrap state.

Port Assignments for Active Directory Replication
Service Name | UDP | TCP
LDAP | 389 | 389
LDAP (SSL) | | 636
LDAP (GC) | | 3268
Kerberos | 88 | 88
DNS | 53 | 53
SMB over IP | 445 | 445

LDAP queries start at port 3268 and after that go to 389.
636 is LDAP over SSL.

Active Directory – Health Check
Note: The following commands and script are to be run from a domain controller with
enterprise / domain admin privileges. You may run the individual commands one by one
or run the script. The script will run all the commands listed and generate a report.
1. The replsummary operation quickly and concisely summarizes the replication state and relative
health of a forest.
repadmin /replsummary

2. Synchronizes a specified domain controller with all replication partners, and reports whether the
sync was successful or not.
repadmin /syncall /e
repadmin /syncall /Aped
A (all partitions) P (push) e (enterprise) d (distinguished name)

3. Forces the KCC on the targeted domain controller(s) to immediately recalculate its inbound
replication topology.
repadmin /kcc *

4. Find the last time your DCs were backed up, by reading the DSASignature attribute from all
servers.
repadmin /showbackup *

5. Output all replication summary information from all DCs.
repadmin /showrepl *

6. Displays inbound replication requests that the domain controller has to issue to become
consistent with its source replication partners.
repadmin /queue *

7. List all the domain controllers in Active Directory.
dsquery server -o rdn

8. Identifies domain controllers that are failing inbound replication or outbound replication, and
summarizes the results in a report.
repadmin /replsummary

9. Displays calls that have not yet been answered, made by the specified server to other servers.
repadmin /showoutcalls *

10. List the topology information of all the bridgehead servers.
repadmin /bridgeheads * /verbose

11. Inter-Site Topology Generator report.
repadmin /istg * /verbose

12. Displays a list of failed replication events detected by the Knowledge Consistency Checker
(KCC).
repadmin /failcache *

13. Lists all domains trusted by a specified domain.
repadmin /showtrust *

14. Displays the replication features for a directory partition on a domain controller.
repadmin /bind *

15. Dcdiag analyzes the state of domain controllers in a forest or enterprise and reports any
problems to help in troubleshooting.
dcdiag /c /e /v

16. AD Health Check Script
This script will run all the commands mentioned in this document and generate an output/log file.
This script will work under the following conditions:
· DSQUERY.exe is present in C:\Windows\System32
· Repadmin.exe is present in C:\Windows\System32
· Dcdiag.exe is present in C:\Windows\System32
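The script itself is not reproduced in this document, so the following is an added PowerShell example (not the document's own script) of how the numbered checks above can be run in sequence and collected into one log file. It first verifies the three prerequisites listed (the executables in System32), then runs each command and records its exit code. The log location under $env:TEMP is an assumption; change it to suit your environment.

```powershell
# Added example, not the document's own script: runs the repadmin / dcdiag / dsquery
# checks listed above from a domain controller and collects their output in one log.
# Assumptions: run elevated on a DC with domain/enterprise admin rights; the three
# executables live in %windir%\System32 as the document requires; $LogPath is a
# made-up location under %TEMP%.
$LogPath = Join-Path $env:TEMP ("ADHealth-{0:yyyyMMdd-HHmmss}.log" -f (Get-Date))

# Prerequisite check: the document's three conditions.
foreach ($tool in 'repadmin.exe', 'dcdiag.exe', 'dsquery.exe') {
    $path = Join-Path "$env:windir\System32" $tool
    if (-not (Test-Path -Path $path)) {
        throw "Required tool missing: $path"
    }
}

# The numbered commands from the health-check list, in order.
$checks = @(
    @{ Name = 'Replication summary';              Cmd = 'repadmin'; Args = @('/replsummary') },
    @{ Name = 'Sync all partitions (push)';       Cmd = 'repadmin'; Args = @('/syncall', '/Aped') },
    @{ Name = 'Recalculate KCC topology';         Cmd = 'repadmin'; Args = @('/kcc', '*') },
    @{ Name = 'Last backup (DSASignature)';       Cmd = 'repadmin'; Args = @('/showbackup', '*') },
    @{ Name = 'Inbound replication status';       Cmd = 'repadmin'; Args = @('/showrepl', '*') },
    @{ Name = 'Pending replication queue';        Cmd = 'repadmin'; Args = @('/queue', '*') },
    @{ Name = 'Domain controllers';               Cmd = 'dsquery';  Args = @('server', '-o', 'rdn') },
    @{ Name = 'Unanswered outbound calls';        Cmd = 'repadmin'; Args = @('/showoutcalls', '*') },
    @{ Name = 'Bridgehead servers';               Cmd = 'repadmin'; Args = @('/bridgeheads', '*', '/verbose') },
    @{ Name = 'ISTG report';                      Cmd = 'repadmin'; Args = @('/istg', '*', '/verbose') },
    @{ Name = 'Replication events cached by KCC'; Cmd = 'repadmin'; Args = @('/failcache', '*') },
    @{ Name = 'Trusts';                           Cmd = 'repadmin'; Args = @('/showtrust', '*') },
    @{ Name = 'Replication features (bind)';      Cmd = 'repadmin'; Args = @('/bind', '*') },
    @{ Name = 'DCDIAG (comprehensive)';           Cmd = 'dcdiag';   Args = @('/c', '/e', '/v') }
)

"AD health check started $(Get-Date -Format o) on $env:COMPUTERNAME" | Out-File -FilePath $LogPath

foreach ($check in $checks) {
    $cmdArgs = $check.Args
    "`n===== $($check.Name): $($check.Cmd) $($cmdArgs -join ' ') =====" | Out-File -FilePath $LogPath -Append
    # 2>&1 keeps the tool's own error text in the log; $LASTEXITCODE is the native exit status.
    & $check.Cmd @cmdArgs 2>&1 | Out-File -FilePath $LogPath -Append
    "[exit code $LASTEXITCODE]" | Out-File -FilePath $LogPath -Append
}

# Surface lines worth a human's attention; the log itself is the full report.
$flagged = @(Select-String -Path $LogPath -Pattern 'error|fail|warn')
Write-Host "Report written to $LogPath; $($flagged.Count) line(s) mention error/fail/warn."
```

Because repadmin /syncall pushes changes and /kcc forces a topology recalculation, this is a read-and-nudge script rather than a purely passive one; on a large forest, run it outside peak replication windows and review the exit codes recorded after each section before acting on the output.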

Protocol and Port | AD and AD DS Usage | Type of traffic
TCP 25 | Replication | SMTP
TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS
TCP 135 | Replication | RPC, EPM
TCP 137 | NetBIOS Name resolution | NetBIOS Name resolution
TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon
TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 9389 | AD DS Web Services | SOAP
TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
UDP 123 | Windows Time, Trusts | Windows Time
UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
UDP 138 | DFS, Group Policy, NetBIOS Netlogon, Browsing | DFSN, NetLogon, NetBIOS Datagram Service
UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service but these ports may be necessary for other functions besides DHCP, such as WDS) | DHCP, MADCAP, PXE
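A practical use of the port table above is verifying that a firewall between sites actually permits the traffic a domain controller needs before blaming replication or authentication failures on AD itself. The following PowerShell function is an added example (not from the document) that probes a DC on the TCP ports from the table using Test-NetConnection. Test-NetConnection cannot probe UDP, so the UDP-only rows (123, 137, 138, 67, 2535) are not tested; the DC name is a placeholder.

```powershell
# Added example (not from the document): check that a domain controller answers on
# the TCP ports listed in the AD DS port table above.
# Assumption: the -Dc value is a placeholder host name; replace it with a real DC.
function Test-DcPorts {
    param([Parameter(Mandatory)][string]$Dc)

    # TCP ports from the table, with the traffic each one carries.
    $tcpPorts = [ordered]@{
        135  = 'RPC endpoint mapper (replication)'
        389  = 'LDAP'
        636  = 'LDAP SSL'
        3268 = 'LDAP global catalog'
        3269 = 'LDAP global catalog SSL'
        88   = 'Kerberos'
        53   = 'DNS'
        445  = 'SMB (SYSVOL, NetLogon)'
        9389 = 'AD DS Web Services'
        5722 = 'DFSR (SYSVOL)'
        464  = 'Kerberos change/set password'
    }

    foreach ($port in $tcpPorts.Keys) {
        # -InformationLevel Quiet returns only $true/$false; the WarningAction setting
        # suppresses the "TCP connect failed" warning so the output stays a clean table.
        $open = Test-NetConnection -ComputerName $Dc -Port $port `
                    -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            Server  = $Dc
            Port    = $port
            Service = $tcpPorts[$port]
            Open    = $open
        }
    }
}

# Usage: one row per port, so a blocked port stands out immediately.
Test-DcPorts -Dc 'dc01.corp.example.com' | Format-Table -AutoSize
```

Run it from the network segment whose access you are validating (for example a member server in the remote site), since the result reflects the path between the probing host and the DC, not the DC's own listener state.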

If the server name is dcsA, the domain name is corp.mycompany.com, and the DC uses an IP address of
10.19.174.98, then the resource records (RRs) created during the installation process will be:
dcsA.corp.mycompany.com. A 10.19.174.98
_ldap._tcp.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com
_kerberos._tcp.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com
_ldap._tcp.dc._msdcs.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com
_kerberos._tcp.dc._msdcs.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com
If you don't see these records in DNS for each DC, then you need to manually correct or add them.
The Net Logon service registers various SRV DNS records for the DC depending on what services or
capabilities the system hosts:
(Note: SITE is the name of a site. The name of the forest is mycompany.com. GUID is a placeholder for
the actual globally unique identifier for the domain.)
_ldap._tcp.corp.mycompany.com
(used for finding an LDAP server) - registered by all DCs and servers
_ldap._tcp.SITE._sites.corp.mycompany.com
(used for finding an LDAP server in a particular site) - registered by all DCs
_ldap._tcp.dc._msdcs.corp.mycompany.com
(used for finding a DC in a particular domain) - registered by all DCs
_ldap._tcp.SITE._sites.dc._msdcs.corp.mycompany.com
(used for finding a DC in a particular domain and site) - registered by all DCs
_ldap._tcp.pdc._msdcs.corp.mycompany.com
(used for finding the PDC or PDC emulator) - registered by PDCs and PDC emulators
_ldap._tcp.gc._msdcs.mycompany.com
(used for finding a Global Catalog server in the forest) - registered by Global Catalog servers
_ldap._tcp.SITE._sites.gc._msdcs.mycompany.com
(used for finding a Global Catalog server for a particular site) - registered by all Global Catalog servers
_gc._tcp.mycompany.com
(used for finding a Global Catalog server) - registered by an LDAP server serving a GC server
_gc._tcp.SITE._sites.mycompany.com
(used for finding a Global Catalog server in a particular site) - registered by an LDAP server serving a GC
server

_ldap._tcp.GUID.domains._msdcs.mycompany.com
(used for finding a domain using a GUID—used only if the domain name has been changed) - registered
by all DCs
_kerberos._tcp.corp.mycompany.com
(used for finding a Kerberos Key Distribution Center (KDC) in the domain) - registered by all servers
with Kerberos
_kerberos._udp.corp.mycompany.com
(used for finding a KDC in the domain using UDP) - registered by all servers with Kerberos
_kerberos._tcp.SITE._sites.corp.mycompany.com
(used for finding a KDC in the domain and site) - registered by all servers with Kerberos
_kerberos._tcp.dc._msdcs.corp.mycompany.com
(used for finding a KDC in the domain) - registered by all DCs with Kerberos
_kerberos._tcp.SITE._sites.dc._msdcs.corp.mycompany.com
(used for finding a DC with KDC in the domain and site) - registered by all DCs with Kerberos
_kpasswd._tcp.corp.mycompany.com
(used for finding a KDC that changes passwords on Kerberos in the domain) - registered by all servers
with Kerberos
_kpasswd._udp.corp.mycompany.com
(used for finding a KDC that changes passwords on Kerberos in the domain using UDP) - registered by
all servers with Kerberos

Pointer (PTR) resource records
Pointer (PTR) resource records support the reverse lookup process, based on zones that are created
and rooted in the in-addr.arpa domain. These records locate a computer by its IP address and resolve
this information to the DNS domain name for that computer.

Service location (SRV) resource records
Service location (SRV) resource records are required for location of Active Directory domain
controllers. Typically, you can avoid manual administration of service location (SRV) resource
records when you install Active Directory Domain Services (AD DS).
By default, the Active Directory Domain Services Installation Wizard attempts to locate a
DNS server based on the list of preferred or alternate DNS servers, which are configured in
any of its TCP/IP client properties, for any of its active network connections. If a DNS server
that can accept dynamic update of the service location (SRV) resource record is contacted,
the configuration process is complete. (This is also true for other resource records that are
related to registering AD DS as a service in DNS.)
If, during the installation, a DNS server that can accept updates for the DNS domain name
that is used to name your directory is not found, the wizard can install a DNS server locally
and automatically configure it with a zone to support the Active Directory domain.

Mail exchanger (MX) resource records
E-mail applications use the mail exchanger (MX) resource record to locate a mail server based on a
DNS domain name in the destination address for the e-mail recipient of a message. For example, a
DNS query for the name example.tailspintoys.com can be used to find a mail exchanger (MX) resource
record, which makes it possible for an e-mail application to forward or exchange mail to a user with the
e-mail address [email protected].
The mail exchanger (MX) resource record shows the DNS domain name for the computer or computers
that process mail for a domain. If multiple mail exchanger (MX) resource records exist, the DNS Client
service attempts to contact mail servers in the order of preference from lowest value (highest priority)
to highest value (lowest priority). The following example shows the basic syntax of a mail exchanger
(MX) resource record:

Alias (CNAME) resource records
Alias (CNAME) resource records are also sometimes called canonical name resource records. With
these records, you can use more than one name to point to a single host, which makes it easy to do
such things as host both a File Transfer Protocol (FTP) server and a Web server on the same computer.
For example, the well-known server names (ftp, www) are registered with alias (CNAME) resource
records that map to the DNS host name (such as server-1) for the server computer that hosts these
services.
We recommend alias (CNAME) resource records for the following scenarios:
• When a host that is specified in a host (A) resource record in the same zone must be renamed.
• When a generic name for a well-known server, such as www, must resolve to a group of
individual computers (each with individual host (A) resource records) that provide the same
service, for example, in a group of redundant Web servers.

Host (A) resource records
You use host (A) resource records in a zone to associate DNS domain names of computers (or hosts) to
their IP addresses. You can add them to a zone in several ways:
• You can manually create a host (A) resource record for a static TCP/IP client computer by using
DNS Manager.
• Windows clients and servers use the DNS Client service to dynamically register and update
their own host (A) resource records in DNS when an IP configuration change occurs.
• Dynamic Host Configuration Protocol (DHCP)–enabled client computers running earlier versions
of Microsoft operating systems can have their host (A) resource records registered and updated
by proxy if they obtain their IP lease from a qualified DHCP server. (Only the Windows 2000,
Windows Server 2003, and Windows Server 2008 DHCP Server service support this feature.)

Stub zone
A stub zone is a copy of a zone that contains only those resource records necessary to identify
the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to
resolve names between separate DNS namespaces.

Required DNS Records
Mnemonic | Type | DNS Record | Requirements
Pdc | SRV | _ldap._tcp.pdc._msdcs.<DnsDomainName> | One per domain
GC | SRV | _ldap._tcp.gc._msdcs.<DnsForestName> | At least one per forest
GcIpAddress | A | _gc._msdcs.<DnsForestName> | At least one per forest
DsaCname | CNAME | <DsaGuid>._msdcs.<DnsForestName> | One per domain controller
Kdc | SRV | _kerberos._tcp.dc._msdcs.<DnsDomainName> | At least one per domain
Dc | SRV | _ldap._tcp.dc._msdcs.<DnsDomainName> | At least one per domain
| A | <DomainControllerFQDN> | One per domain controller (domain controllers that have multiple IP addresses can have more than one A resource record)
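The SRV record list registered by Net Logon (the _ldap, _kerberos and _kpasswd names above) and the Required DNS Records table both describe records an administrator should confirm exist for every DC. The following PowerShell function is an added example, not part of the document, that queries those names with Resolve-DnsName and reports whether a given DC appears among the targets. It uses the document's sample names (dcsA, corp.mycompany.com, mycompany.com); the site name is a placeholder, and the global catalog and PDC rows are only expected to match when the DC holds that role.

```powershell
# Added example (not from the document): verify that the SRV and A records a DC is
# expected to register are resolvable and point at that DC.
# Assumptions: sample names come from the document; $SiteName is a placeholder;
# pass -DnsServer to query a specific DNS server instead of the local resolver.
function Test-DcDnsRecords {
    param(
        [string]$DnsDomainName = 'corp.mycompany.com',
        [string]$DnsForestName = 'mycompany.com',
        [string]$DcHostName    = 'dcsA',
        [string]$SiteName      = 'Default-First-Site-Name',   # hypothetical site name
        [string]$DnsServer                                     # optional DNS server to query
    )
    $fqdn = "$DcHostName.$DnsDomainName"

    # Records from the document's list; GC and PDC entries are role-dependent.
    $expected = @(
        @{ Type = 'A';   Name = $fqdn },
        @{ Type = 'SRV'; Name = "_ldap._tcp.$DnsDomainName" },
        @{ Type = 'SRV'; Name = "_ldap._tcp.dc._msdcs.$DnsDomainName" },
        @{ Type = 'SRV'; Name = "_ldap._tcp.$SiteName._sites.dc._msdcs.$DnsDomainName" },
        @{ Type = 'SRV'; Name = "_kerberos._tcp.$DnsDomainName" },
        @{ Type = 'SRV'; Name = "_kerberos._tcp.dc._msdcs.$DnsDomainName" },
        @{ Type = 'SRV'; Name = "_kpasswd._tcp.$DnsDomainName" },
        @{ Type = 'SRV'; Name = "_ldap._tcp.gc._msdcs.$DnsForestName" },   # only if this DC is a GC
        @{ Type = 'SRV'; Name = "_ldap._tcp.pdc._msdcs.$DnsDomainName" }   # only the PDC emulator
    )

    foreach ($rec in $expected) {
        $params = @{ Name = $rec.Name; Type = $rec.Type; ErrorAction = 'SilentlyContinue' }
        if ($DnsServer) { $params.Server = $DnsServer }
        $answers = Resolve-DnsName @params

        # For SRV names the question is whether *this* DC is among the targets;
        # for the A record, whether the name resolves to an address at all.
        $hit = if ($rec.Type -eq 'SRV') {
            @($answers | Where-Object { $_.NameTarget -eq $fqdn }).Count -gt 0
        } else {
            @($answers | Where-Object { $_.Type -eq 'A' }).Count -gt 0
        }

        [pscustomobject]@{
            Record     = $rec.Name
            Type       = $rec.Type
            FoundForDc = $hit
            Targets    = ($answers | ForEach-Object {
                              if ($_.NameTarget) { "$($_.NameTarget):$($_.Port)" }
                              elseif ($_.IPAddress) { $_.IPAddress }
                          }) -join ', '
        }
    }
}

# Usage: a FoundForDc of False on a non-role-specific row means Net Logon's
# registration is missing for that DC and needs to be corrected, as the text says.
Test-DcDnsRecords | Format-Table -AutoSize
```

Querying the DC's own DNS server and a remote site's DNS server separately is worthwhile: a record can be present at the registering DC yet absent elsewhere when zone replication or a secondary zone transfer is lagging.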

Adprep-Related Errors
Adprep is a utility that you run to prepare an existing Active Directory (AD) environment for
the first DC that runs a newer OS, such as Server 2008 R2. If you have an AD environment
in which all DCs run Server 2008 or Windows 2003, and you want to add the first DC that
runs Server 2008 R2, then you need to run certain Adprep commands:
1. Run adprep /forestprep on the schema master.
2. Run adprep /domainprep on each domain's infrastructure master.
3. If you plan to install a read-only DC (RODC -- new in Server 2008), then you also need to
run adprep /rodcprep for every domain that will have an RODC.
4. adprep32 /domainprep /gpprep

Primary domain controller (PDC) is down

The primary domain controller (PDC) in a Windows NT 3.51 or Windows NT 4.0 domain is
responsible for the following:
• Processing password changes from both users and computers
• Replicating updates to backup domain controllers
• Running the Domain Master Browser

If you don't have a PDC Emulator role, users won't be able to change their domain passwords.

"Directory Service Access (DSAccess) is an internal component in Exchange 2010 Server, in
Exchange Server 2007, in Exchange Server 2003, and in Exchange Server 2000 that controls how all
Exchange Server components access Active Directory. The primary function of DSAccess is to
maintain information about various directory-related events and operations. For example, DSAccess
discovers the Active Directory topology and detects if domain controllers and global catalog servers
are available and responding to queries."

The RID master helps to create unique GUIDs for new Objects and the infrastructure master
updates references from objects to objects in other domains.

PDC Emulator

Of the 5 roles, this is the role that you will miss the soonest. Not only
will NT 4.0 BDCs complain, but there will also be no time
synchronization. Another problem is that you probably will not be able
to change or troubleshoot group policies, as the default setting is for the
PDC emulator also to be the group policy master.
Implications for Duplicates
If the old PDC emulator returns, it is not as serious as duplicates
of some of the other roles. Quickly seize the PDC role from another
machine.
RID Master

One domain controller is responsible for giving all the rest of the
domain controllers a pack of unique numbers so that no two new
objects have the same GUID (Globally Unique Identifier).
If you lose the RID master, the chances are good that the existing
domain controllers will have enough unused RIDs to last a week or so;
do not be in a hurry to seize.
Implications for Duplicates
You must not allow two RID masters, as the possibility of two objects
with the same RID would be disastrous. So if the original is found, it
must be reformatted and reinstalled before re-joining the forest.

Infrastructure Master

The consequence of a missing Infrastructure Master is that group
memberships may be incomplete. If you only have one domain, then
there will be no impact, as the Infrastructure Master is responsible for
updating your users' membership in other domains in the forest.
Implications for Duplicates
No damage occurs if the old Infrastructure Master returns; just check
the roles and decide which machine should hold the role.
Forest Wide Roles
Schema Master

If you lose the Schema Master, then in the long term it is serious because you
cannot install Exchange 2003 or extend the schema. However, in the short
term no one will notice a missing Schema Master, so try to repair the
old one rather than seize the role.
Implications for Duplicates
You must not allow two Schema Masters, so if the original is found or
repaired, it must be completely rebuilt rather than allowed into the
forest.
Domain Naming Master

This is a forest-wide role that is responsible for adding child domains and
new trees. Unless you are going to run DCPROMO, you will not
miss this FSMO role, so wait rather than seize the role.
Implications for Duplicates
You must not allow the original Domain Naming Master to return; rebuild it
before you let the machine back in the forest.

What Dns Records Register when run dcpromo.
SRV record should appear for the following services:
_kerberos
_ldap

Exchange 2010

That means that MAPI clients no longer connect directly to a Mailbox server when opening a mailbox. Instead they
connect to the RPC Client Access service which then talks to Active directory and Mailbox server. For directory
information, Outlook connects to an NSPI endpoint on the Client Access Server, and NSPI then talks to the Active
Directory via the Active Directory driver. The NSPI endpoint replaces the DSProxy component as we know from
Exchange 2007.

Figure 4: Exchange 2010 Client Access architecture
How is this different from Outlook Anywhere (RPC over HTTP) clients that connect to a mailbox in Exchange 2007?
Well, although Outlook Anywhere clients connected to the RPC Proxy component on the Client Access Server, they
also talked MAPI over RPC directly with the Mailbox server and with the NSPI endpoint in Active Directory.

Some of you might wonder what the benefits of the RPC Client Access service are. There are several actually. First,
with MAPI and directory connections moved to the Client Access Server role in the middle tier layer, Exchange now
has a single common path through which all data access occurs. This not only improves the consistency, when
applying business logic to clients, but also provides a much better client experience during switch-over and fail-overs
when you have deployed a highly available solution that makes use of the new Database Availability Group (DAG)
HA feature which I will cover in-depth in a future article. If the Outlook client user will even notice a disconnection, it
will not occur for more than approximately 30 seconds compared to disconnection in Exchange 2007 that could take
several minutes, heck even up to 30 minutes if it was a complex AD topology consisting of many AD sites and
Domain Controllers throughout which DNS has to replicate.
Lastly, having a single common path for all data access will allow for more concurrent connections and mailboxes per
mailbox server. In Exchange 2007 a Mailbox server could handle 64,000 connections, compared to Exchange 2010,
which increases that number to a 250,000 RPC context handle limit.

Difference between Active Directory Replication and FRS

At a higher level, Active Directory replication replicates *only* the AD database, including the domain,
configuration, schema, and ADLS partitions, whereas FRS is the legacy replication technology used in
Windows to replicate SYSVOL and other information in the Active Directory structure. The newer replacement for FRS is
DFS, which is more efficient.

FILE REPLICATION SERVICE:
File Replication service (FRS) is a technology that replicates files and folders stored in the
SYSVOL shared folder on domain controllers and Distributed File System (DFS) shared
folders. When FRS detects that a change has been made to a file or folder within a replicated
shared folder, FRS replicates the updated file or folder to other servers. Because FRS is a
multimaster replication service, any server that participates in replication can generate
changes. In addition, FRS can resolve file and folder conflicts to make data consistent among
servers.
Active Directory replication:
Windows uses multi-master replication for the Active Directory. In multimaster
environments, all domain controllers function as peers and all replicate
Active Directory database changes to each other. There is no single master
replicator; all domain controllers are responsible for the replication.

If FRS is Stopped, What event ID will be generated in logs
13508
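Two FRS conditions described in this document leave traces an administrator can look for on a domain controller: the event ID 13508 named above, and morphed folders, which the earlier section explains carry a "_NTFRS_xxxxxxxx" suffix of eight hexadecimal digits. The following PowerShell functions are an added example, not from the document, covering both checks. Event 13568 is included alongside 13508 because it is the FRS event raised for the journal wrap state discussed earlier; the log name 'File Replication Service' and the default SYSVOL location are assumptions that hold for a standard installation.

```powershell
# Added example (not from the document): two FRS health checks for a DC that still
# uses FRS for SYSVOL. Assumptions: the FRS event log is named
# 'File Replication Service' and SYSVOL sits under %windir%\SYSVOL (the defaults);
# 13568 is the FRS journal-wrap event, 13508 the event the document names.
function Get-FrsProblemEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # FilterHashtable is applied by the event log service itself, which is far
    # cheaper than reading every event and filtering with Where-Object.
    Get-WinEvent -FilterHashtable @{
        LogName   = 'File Replication Service'
        Id        = 13508, 13568
        StartTime = $since
    } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Meaning'; e = {
            switch ($_.Id) {
                13508 { 'FRS cannot establish replication with a partner' }
                13568 { 'USN journal wrap detected' }
            } } }
}

function Get-MorphedFolders {
    param([string]$SysvolPath = (Join-Path $env:windir 'SYSVOL'))
    # Morphed names are <original>_NTFRS_ followed by exactly eight hex digits.
    Get-ChildItem -Path $SysvolPath -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Name -match '_NTFRS_[0-9a-fA-F]{8}$' } |
        Select-Object FullName, LastWriteTime,
            @{ n = 'Original'; e = { $_.Name -replace '_NTFRS_[0-9a-fA-F]{8}$', '' } }
}

# Usage: no rows from either function is the healthy result.
Get-FrsProblemEvents | Format-Table -AutoSize
Get-MorphedFolders   | Format-Table -AutoSize
```

A morphed folder is the copy FRS renamed to protect the original, so the Original column shows which item the conflict was about; compare the two before deciding which content to keep, rather than deleting the morphed copy on sight.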

Lost and Found
Orphan objects:
The Lost and Found folder basically contains ORPHAN objects.
Now, what is an orphaned object? Objects that don't have any parent are called orphaned objects.
Objects usually become orphans through AD replication. Every AD domain controller contains a
complete read/write copy of the domain database. That means that it is possible for two administrators to
make conflicting changes to AD at the same time.
Suppose one administrator changes user XX's password, while another changes user XX's name. AD
replicates each attribute individually, so there's no conflict, even though two administrators made changes
to the same user, because there are two attributes and AD replicates both individually.
But in some scenarios these conflicts are not easy for AD to handle either.
For example, suppose that one administrator moved a user into the Admin organizational unit (OU) while at the
same time another administrator deleted the Admin OU on another domain controller. When replication
occurs, you will not find the user account in the Admin OU; it will be in Lost and Found.
When the administrator deletes the OU "Admin" on the additional domain controller and simultaneously,
on the other side, an administrator is moving an object called "Vijay" to the OU "Admin"

Port
21
23
25
25
53
67
80
80

Group Policy, Trusts
Directory, Replication, User and Computer Authentication,
Group Policy, Trusts
Directory, Replication, User and Computer Authentication,
Group Policy, Trusts

LDAP GC

User and Computer Authentication, Forest Level Trusts

Kerberos

User and Computer Authentication, Name Resolution,
Trusts

DNS

Replication, User and Computer Authentication, Group
Policy, Trusts

SMB, CIFS, SMB2, DFSN,
LSARPC, NbtSS, NetLogonR,
SamR, SrvSvc

AD DS Web Services

SOAP

File Replication

RPC, DFSR (SYSVOL)

Replication, User and Computer Authentication, Trusts

Kerberos change/set password

Windows Time, Trusts

DFS, Group Policy, NetBIOS Netlogon, Browsing

Windows Time
NetLogon, NetBIOS Name
Resolution
DFSN, NetLogon, NetBIOS
Datagram Service

DHCP (Note: DHCP is not a core AD DS service but these
ports may be necessary for other functions besides DHCP,
such as WDS)

DHCP, MADCAP, PXE

User and Computer Authentication

Protocol
TCP
TCP
TCP
TCP
TCP
UDP
TCP
TCP

Network Service
FTP control
Telnet
SMTP
SMTP
DNS
DHCP Server
HTTP
HTTP

LDAP GC SSL

System Service
FTP Publishing Service
Telnet
Simple Mail Transport Protocol
Exchange Server
DNS Server
DHCP Server
Windows Media Services
World Wide Web Publishing
Service

System Service
Logical Name
MSFtpsvc
TlntSvr
SMTPSVC
DNS
DHCPServer
WMServer
W3SVC

88
110
110
123
135
135
135
135
135
135
135
135
137

TCP
TCP
TCP
UDP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
TCP
UDP

137

UDP

137

UDP

137

UDP

138

UDP

138

UDP

139

TCP

143
270

TCP
TCP

Kerberos
POP3
POP3
NTP
RPC
RPC
RPC
RPC
RPC
RPC
RPC
RPC
NetBIOS Name
Resolution
NetBIOS Name
Resolution
NetBIOS Name
Resolution
NetBIOS Name
Resolution
NetBIOS Datagram
Service
NetBIOS Datagram
Service
NetBIOS Session
Service
IMAP
MOM 2004

Kerberos Key Distribution Center
Microsoft POP3 Service
Exchange Server
Windows Time
Remote Procedure Call
Certificate Services
Cluster Service
Distributed File System
Event Log
File Replication
Systems Management Server 2.0
Terminal Services Licensing
Computer Browser

Kdc
POP3SVC

Server

lanmanserver

Windows Internet Name Service

WINS

Net Logon

Netlogon

389
443
443

TCP
TCP
TCP

LDAP Server
HTTPS
HTTPS

445
636
995
143
3
170
1
172
3
181
2
239
3
239
4
253
5
272

TCP
TCP
TCP
TCP

SMB
LDAP SSL
POP3 over SSL
SQL over TCP

Exchange Server
Microsoft Operations Manager
2004
Local Security Authority
HTTP SSL
World Wide Web Publishing
Service
Print Spooler
Local Security Authority
Exchange Server
Microsoft SQL Server

UDP

L2TP

Routing and Remote Access

RemoteAccess

TCP

PPTP

Routing and Remote Access

RemoteAccess

UDP

Internet Authentication Service

IAS

TCP

RADIUS
Authentication
OLAP Services 7.0

TCP

OLAP Services 7.0

UDP

MADCAP

SQL Server: Downlevel OLAP
Client Support
SQL Server: Downlevel OLAP
Client Support
DHCP Server

DHCPServer

TCP

SQL Analysis

SQL 2000 Analysis Server

W32Time
RpcSs
CertSvc
ClusSvc
DFS
Eventlog
NtFrs
TermServLicensing
Browser

Systems Management Server 2.0
License Logging Service

LicenseService

Net Logon

Netlogon

MOM
LSASS
HTTPFilter
W3SVC
Spooler
LSASS
SQLSERVR

5
326
8
326
9
338
9
338
9

TCP

Services
Global Catalog
Server
Global Catalog
Server
Terminal Services

TCP

Terminal Services

TCP
TCP

Local Security Authority

LSASS

Local Security Authority

LSASS

NetMeeting Remote Desktop
Sharing
Terminal Services

mnmsrvc
TermService

Can you explain the process between a user providing his domain credentials to his
workstation and the desktop being loaded? Or, how does AD authentication work?
When a user enters a user name and password, the computer sends the user name to the KDC. The KDC
contains a master database of unique long-term keys for every principal in its realm. The KDC looks up the
user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key
(SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the
user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only
the KDC knows. The client computer receives the information from the KDC and runs the user's password
through a one-way hashing function, which converts the password into the user's KA. The client computer now
has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated
to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
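The exchange just described, as an added example that is not part of this document and uses no real Kerberos library: a small Go simulation with a KDC that stores KA for each principal and its own master key KKDC, and a client that only recovers the session key SA if the password it hashes produces the right KA. AES-256-GCM stands in for the Kerberos encryption types and plain SHA-256 for the string-to-key function (Windows derives KA with the NT hash for RC4-HMAC or PBKDF2 for the AES types); the user name and password are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// stringToKey derives the principal's long-term key KA from the password.
// Simplification: SHA-256 instead of the real Kerberos string-to-key function.
func stringToKey(password string) []byte {
	k := sha256.Sum256([]byte(password))
	return k[:]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM; the random nonce is prepended to the ciphertext.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// unseal fails (tag mismatch) whenever the key is not the one used by seal.
func unseal(key, sealed []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, errors.New("cannot decrypt")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], nil)
}

// TGT is the ticket body: the second copy of SA, the user name and an expiration time.
type TGT struct {
	Principal  string    `json:"principal"`
	SessionKey []byte    `json:"session_key"`
	Expires    time.Time `json:"expires"`
}

// ASReply is the KDC's answer: SA sealed under KA, and the TGT sealed under KKDC.
type ASReply struct {
	EncSessionKey []byte
	EncTGT        []byte
}

// KDC holds the master key KKDC and the long-term key of every principal in the realm.
type KDC struct {
	masterKey  []byte
	principals map[string][]byte
}

// NewKDC builds a realm from a constructed user/password list (example data only).
func NewKDC(passwords map[string]string) (*KDC, error) {
	k := &KDC{masterKey: make([]byte, 32), principals: map[string][]byte{}}
	if _, err := rand.Read(k.masterKey); err != nil {
		return nil, err
	}
	for user, pw := range passwords {
		k.principals[user] = stringToKey(pw)
	}
	return k, nil
}

// ASRequest is the KDC side: the client sent only the user name, never the password.
func (k *KDC) ASRequest(user string, lifetime time.Duration) (*ASReply, error) {
	ka, ok := k.principals[user]
	if !ok {
		return nil, fmt.Errorf("unknown principal %q", user)
	}
	sa := make([]byte, 32) // fresh session key SA for this logon
	if _, err := rand.Read(sa); err != nil {
		return nil, err
	}
	encSA, err := seal(ka, sa)
	if err != nil {
		return nil, err
	}
	body, _ := json.Marshal(TGT{Principal: user, SessionKey: sa, Expires: time.Now().Add(lifetime)})
	encTGT, err := seal(k.masterKey, body) // readable by the KDC alone
	if err != nil {
		return nil, err
	}
	return &ASReply{EncSessionKey: encSA, EncTGT: encTGT}, nil
}

// ClientLogon is the workstation side: hash the typed password into KA and recover SA.
// A wrong password gives a different KA, the GCM tag check fails, and logon fails.
func ClientLogon(password string, reply *ASReply) ([]byte, error) {
	return unseal(stringToKey(password), reply.EncSessionKey)
}

// OpenTGT is what the KDC does when the client later presents the TGT (TGS exchange).
func (k *KDC) OpenTGT(encTGT []byte) (*TGT, error) {
	body, err := unseal(k.masterKey, encTGT)
	if err != nil {
		return nil, err
	}
	var t TGT
	if err := json.Unmarshal(body, &t); err != nil {
		return nil, err
	}
	if time.Now().After(t.Expires) {
		return nil, errors.New("ticket expired")
	}
	return &t, nil
}

func main() {
	kdc, _ := NewKDC(map[string]string{"vijay": "S3cret-Example"}) // constructed credentials
	reply, _ := kdc.ASRequest("vijay", 10*time.Hour)
	if _, err := ClientLogon("wrong-password", reply); err != nil {
		fmt.Println("wrong password: logon failed,", err)
	}
	sa, _ := ClientLogon("S3cret-Example", reply)
	tgt, _ := kdc.OpenTGT(reply.EncTGT)
	fmt.Printf("client SA equals the copy inside the TGT: %v (principal %s)\n",
		string(sa) == string(tgt.SessionKey), tgt.Principal)
}
```

Two properties of the real protocol are visible here: the password never leaves the workstation (only the user name is sent, and proof of the password is the ability to decrypt the reply), and the TGT is opaque to the client, which is why the KDC can later trust the ticket's contents without re-checking the password.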

Inter-Site Topology Generator
When the ISTG determines that a connection object needs to be modified on a given
bridgehead server in the site, the ISTG makes the change to its local Active Directory copy. As
part of the normal intra-site replication process, these changes propagate to the bridgehead
servers in the site.
