Active Directory is a centralized and standardized system, stores information about objects in a network and makes this information available to users and network administrators. Domain Controller
In an Active Directory forest, the domain controller is a server that contains a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources. Global catalog server
A global catalog server is a domain controller that stores information about all objects in the forest. Like all domain controllers, a global catalog server stores full, writable replicas of the schema and configuration directory partitions and a full, writable replica of the domain directory partition for the domain that it is hosting. In addition, a global catalog server stores a partial, read-only replica of every other domain in the forest. Partial replicas are stored on Global Catalog servers so that searches of the entire directory can be achieved without requiring referrals from one domain controller to another.
Partial information of other domains. Partial information nothing but classes and attributes (first name and last name and phones and addresses) attribute level security improvement in 2003…. OU:
"Organizational Units", are administrative-level containers on a computer, it allows administrators to organize groups of users together so that any changes, security privileges or any other administrative tasks could be accomplished more efficiently. Domain: Windows Domain is a logical grouping of computers that share common security and
user account information. Forest
A Windows forest is a group of 1 or more trusted Windows trees. The trees do not need to have contiguous DNS names. A forest shares a schema and global catalog servers. A single tree can also be called a forest. Tree: A Windows tree is a group of one or more trusted Windows domains with contiguous DNS domains. “Trusted” means that an authenticated account from one domain isn’t rejected by another domain. “Contiguous DNS domains” means that they all have the same root DNS name. Site: Sites are manually defined groupings of subnets. Objects in a site share the same global catalog servers, and can have a common set of group policies applied to them. Schema: The schema defines what attributes, objects, classes, and rules are available in the Active Directory. SID (Security Identifier): The SID is a unique name (alphanumeric character string) that is used to identify an object, such as a user or a group of users. Group Policy Group policy Architecture: Group Policy objects (GPO):
A GPO is a collection of Group Policy settings, stored at the domain level as a virtual object consisting of a Group Policy container (GPC) and a Group Policy template (GPT). password history will store Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy Group Policy Container (GPC)
The Group Policy container (GPC) is an Active Directory container that contains GPO properties, such as version information, GPO status, plus a list of other component settings. Group Polity Template (GPT)
The Group Policy template (GPT) is a file system folder that includes policy data specified by .adm files, security settings, script files, and information about applications that are available for installation. The GPT is located in the system volume folder (SysVol) in the domain \Policies sub-folder. Filtering the Scope of a GPO
By default, a GPO affects all users and computers that are contained in the linked site, domain, or organizational unit. The administrator can further specify the computers and users that are affected by a GPO by using membership in security groups.
Starting with Windows 2000, the administrator can add both computers and users to security groups. Then the administrator can specify which security groups are affected by the GPO by using the Access Control List editor. Knowledge Consistency Checker (KCC)
The Knowledge Consistency Checker (KCC) is a Windows component that automatically generates and maintains the intra-site and inter-site replication topology. Intrasite Replication Replication that happens between controllers inside one site. All of the subnets inside the site should be connected by high speed network wires. Intersite Replication
Intersite replication is replication between sites and must be set up by an administrator. Simple Mail Transfer Protocol (SMTP) may be used for replication between sites. Active Directory Replication?
Replication must often occur both (intrasite) within sites and (Intersite) between sites to keep domain and forest data consistent among domain controllers that store the same directory partitions Adprep.exe
Adprep.exe is a command-line tool used to prepare a Microsoft Windows 2000 forest or a Windows 2000 domain for the installation of Windows Server 2003 domain controllers. USE:
When Microsoft Exchange Server is deployed in an organization, Exchange Server uses Active Directory as a data store and it extends the Windows 2000 Active Directory schema to enable it to store objects specific to Exchange Server. The ldapDisplayName of the attribute schema ms-Exch-AssistantName, ms-Exch- LabeledURI, and ms-Exch-House-Identifier defined by Exchange Server conflicts with the iNetOrgPerson schema that Active Directory uses in Windows Server 2003. When Windows Server 2003 Service Pack 1 is installed, Adprep.exe will be able to detect the presence of the schema conflict and block the upgrade of the schema until the issue has been resolved. GUID:
When a new domain user or group account is created, Active Directory stores the account's SID in the Object-SID (objectSID) property of a User or Group object. It also assigns the new object a globally unique identifier (GUID), which is a 128-bit value that is unique not only in the enterprise but also across the world. GUIDs are assigned to every object created by Active Directory, not just User and Group objects. Each object's GUID is stored in its Object-GUID (objectGUID) property. Active Directory uses GUIDs internally to identify objects. SID:
A security identifier (SID) is a data structure in binary format that contains a variable number of values. When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security Principal SID created in a domain. Lingering objects
When a domain controller is disconnected for a period that is longer than the TSL, one or more objects that are deleted from Active Directory on all other domain controllers may remain on the disconnected domain controller. Such objects are called lingering objects. Because the domain controller is offline during the time that the tombstone is alive, the domain controller never receives replication of the tombstone Sysvol
Sysvol is a shared directory that stores the server copy of the domain’s public files, which are replicated among all domain controllers in the domain. The Sysvol contains the data in a GPO: the GPT, which includes Administrative Template-based Group Policy settings, security settings, script files, and information regarding applications that are available for software installation. It is replicated using the File Replication Service (FRS). File Replication Service (FRS)
In Windows 2000, the SYSVOL share is used to authenticate users. The SYSVOL share includes group policy information which is replicated to all local domain controllers. File replication service (FRS) is used to replicate the SYSVOL share. The "Active Directory Users and Computers" tool is used to change the file replication service schedule. Win logon A component of the Windows operating system that provides interactive
logon support, Winlogon is the service in which the Group Policy engine runs. Lightweight Directory Access Protocol (LDAP) It defines how clients and servers exchange information about a directory. LDAP version 2 and version 3 are used by Windows 2000 Server's Active Directory. An LDAP URL names the server holding Active Directory services and the Attributed Name of the object. For example: LDAP://SomeServer.Myco.Com/CN=jamessmith,CN=Sys,CN=Product,CN =Division,DC=myco,DC=domain-controller USN
Each object has an Update Sequence Number (USN), and if the object is modified, the USN is incremented. This number is different on each domain controller. USN provides the key to multimaster replication. Universal group membership caching
Due to available network bandwidth and server hardware limitations, it may not be practical to have a global catalog in smaller branch office locations. For these sites, you can deploy domain controllers running Windows Server 2003, which can store universal group membership information locally.
By default, the universal group membership information contained in the cache of each domain controller will be refreshed every 8 hours. Up to 500 universal group memberships can be updated at once. Universal groups couldn't be created in Mixed mode. What is an ACL or access-control list? A list of security protections that applies to an object. (An object can be a file, process, event, or anything else having a security descriptor.)
What is an ACE or access-control entry? ACE contains a set of access rights and a security identifier (SID) that identifies a trustee for whom the rights are allowed, denied, or audited. Flexible Single Master Operations (FSMO) MultiMaster Operation:
In Windows 2000 & 2003, every domain controller can receive changes, and the changes are replicated to all other domain controllers. The day-to-day operations that are associated with managing users, groups, and computers are typically multimaster operations.
There is a set of Flexible Single Master Operations (FSMO) which can only be done on a single controller. An administrator determines which operations must be done on the master controller. These operations are all set up on the master controller by default and can be transferred later. FSMO operations types include: Schema Master: The schema master domain controller controls all updates and modifications to the schema. There can be only one schema master in the whole forest. Domain naming master: The domain naming master domain controller controls
the addition or removal of domains in the forest and responsibility of ensuring that domain names are unique in the forest. There can be only one domain naming master in the whole forest. Infrastructure Master: Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (unless all DCs are also GCs.)
The infrastructure is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain. This works when we are renaming any group member ship object this role takes care.
Note: The Infrastructure Master (IM) role should be held by a domain controller that is not a Global Catalog server (GC). If the Infrastructure Master runs on a Global Catalog server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a Global Catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged on that DC's event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role. Relative ID (RID) Master:
It assigns RID and SID to the newly created object like Users and computers. If RID master is down (u can create security objects up to RID pools are available in DCs) else u can’t create any object one itSDs down
When a DC creates a security principal object such as a user or group, it attaches a unique Security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain), and a relative ID (RID) that is unique for each security principal SID created in a domain. PDC Emulator - When Active Directory is in mixed mode, the computer Active Directory is on acts as a Windows NT PDC. The first server that becomes a Windows
2000 domain controller takes the role of PDC emulator by default. Functions performed by the PDC emulator:
User account changes and password changes. SAM directory replication requests. Domain master browser requests Authentication requests. GPO Time synchronization New Active Directory features in Windows Server 2003 •Multiple selection of user objects. •Drag-and-drop functionality. •Efficient search capabilities. Search functionality is object-oriented and provides an efficient search that minimizes •Saved queries. Save commonly used search parameters for reuse in Active Directory Users and Computers •Active Directory command-line tools.
•InetOrgPerson class. The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. The userPassword attribute can also be used to set the account password.
•Ability to add additional domain controllers using backup media. Reduce the time it takes to add an additional domain controller in an existing domain by using backup media.
•Universal group membership caching. Prevent the need to locate a global catalog across a WAN when logging on by storing universal group membership information on an authenticating domain controller.
•Secure LDAP traffic. Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.
•Active Directory quotas. Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Domain Administrators and Enterprise Windows Functional levels
In Windows 2000 Active Directory domains is the concept of Mixed and Native Modes. The default mixed mode allows both NT and Windows 2000 domain controllers to coexist. Once you convert to Native Mode, you are only allowed to have Windows 2000 domain controllers in your domain. The conversion is a one-way conversion -- it cannot be reversed. In Windows Server 2003, Microsoft introduced forest and domain functional levels. The concept is rather similar to switching from Mixed to Native Mode in Windows 2000. The new functional levels give you additional capabilities that the previous functional levels didn’t have. There are four domain functional levels:
1. Windows 2000 Mixed (supports NT4/2000/2003 DCs) 2. Windows 2000 Native (supports 2000/2003 DCs) 3. Windows Server 2003 Interim (supports NT4/2003 DCs)
4. Windows Server 2003 (supports only 2003 DCs) And three forest functional levels:
1. Windows 2000 (supports NT4/2000/2003 DCs) 2. Windows 2000 Interim (supports NT4/2003 DCs) 3. Windows Server 2003 (supports only 2003 DCs)
To raise the domain functional level, you go to the properties of your domain in Active Directory Domains and Trusts. To raise the forest functional level you go to the properties of Active Directory Domains and Trusts at the root. Of course, if your domains are not at the correct level, you won’t be able to raise the forest functional level. Directory partition
A directory partition, or naming context, is a contiguous Active Directory subtree replicated on one, or more, Windows 2000 domain controllers in a forest. By default, each domain controller has a replica of three partitions: the schema partition the Configuration partition and a Domain partition. Schema partition It contains all class and attributes definitions for the forest. There is one schema directory partition per forest.
Configuration partition It contains replication configuration information (and other information) for the forest. There is one configuration directory partition per forest. Domain partition It contains all objects that are stored by one domain. There is one domain directory partition for each domain in the forest. Application Directory Partition
Application directory partitions are most often used to store dynamic data. An application partition can not contain security principles (users, groups, and computers).The KCC generates and maintains the replication topology for an application directory partition Application: The application partition is a new feature introduced in Windows Server
2003. This partition contains application specific objects. The objects or data that applications and services store here can comprise of any object type excluding security principles. Security principles are Users, Groups, and Computers. The application partition typically contains DNS zone objects, and dynamic data from other network services such as Remote Access Service (RAS), and Dynamic Host Configuration Protocol (DHCP). Dynamic Data: A dynamic entry is an object in the directory which has an associated time-to-
live (TTL) value. The TTL for an entry is set when the entry is created. Security Principles - Objects that can have permissions assigned to them and each contain security identifiers. The following objects are security principles:
oUser oComputer oGroup RPC:
Active Directory uses RPC over IP to transfer both intersite and intrasite replication between domain controllers. To keep data secure while in transit, RPC over IP replication uses both the Kerberos authentication protocol and data encryption. SMTP:
If you have a site that has no physical connection to the rest of your network, but that can be reached using the Simple Mail Transfer Protocol (SMTP), that site has mail-based connectivity only. SMTP replication is used only for replication between sites. You also cannot use SMTP replication to replicate between domain controllers in the same domain—only inter-domain replication is supported over SMTP (that is, SMTP can be used only for inter-site, inter-domain replication). SMTP replication can be used only for schema, configuration, and global catalog partial replica replication.
SMTP replication observes the automatically generated replication schedule. Changing of ntds.dit file from one Drive to another
1. Boot the domain controller in Directory Services Restore mode and log on with the Directory Services Restore mode administrator account and password (this is the password you assigned during the Dcpromo process). 2. At a command prompt, typent dsut il.exe. You receive the following prompt: ntdsutil: 3. Typefiles to receive the following prompt:
file maintenance: 4. Typeinfo. Note the path of the database and log files. 5. To move the database, type move db to %s (where %s is the target folder).
6. To move the log files, type move logs to %s (where %s is the target folder). 7. Typequit twice to return to the command prompt. 8. Reboot the computer normally. DNS DNS (Domain Name system) Domain Name System (DNS) is a database system that translates a computer's fully qualified domain name into an IP address. The local DNS resolver The following graphic shows an overview of the complete DNS query process. DNS Zones Forward lookup zone - Name to IP address map. Reverse lookup zone - IP address to name map.
Primary Zones - It Holds Read and Write copies of all resource records (A, NS, _SRV). Secondary Zones- which hold read only copies of the Primary Zones. Stub Zones Conceptually, stub zones are like secondary zones in that they have a read only copy of a primary zone. Stub zones are more efficient and create less replication traffic.
Stub Zones only have 3 records, the SOA for the primary zone, NS record and a Host (A) record. The idea is that if a client queries a record in the Stub Zone, your DNS server can refer that query to the correct Name Server because it knows its Host (A) record. Queries Query types are: Inverse - Getting the name from the IP address. These are used by servers as a security check. Iterative - Server gives its best answer. This type of inquiry is sent from one server to another. Recursive - Cannot refer the query to another name server. Conditional Forwarding
Another classic use of forwards is where companies have subsidiaries, partners or
people they know and contact regularly query. Instead of going the long-way around using the root hints, the network administrators configure Conditional Forwarders Purpose of Resource Records
Without resource records DNS could not resolve queries. The mission of a DNS Query is to locate a server that is Authoritative for a particular domain. The easy part is for the Authoritative server to check the name in the query against its resource records. SOA (start of authority) recordeach zone has one SOA record that identifies which DNS server is authoritative for domains and sub domains in the zone. NS (name server) record An NS record contains the FQDN and IP address of a DNS server authoritative for the zone. Each primary and secondary name server authoritative in the domain should have an NS record. A (address) record By far the most common type of resource record, an A record is used to resolve the FQDN of a particular host into its associated IP address. CNAME (canonical name) record A CNAME record contains an alias (alternate name) for a host. PTR (pointer) record the opposite of an A record, a PTR record is used to resolve the IP address of a host into its FQDN. SRV (service) record
An SRV record is used by DNS clients to locate a server that is running a particular service—for example, to find a domain controller so you can log on to the network. SRV records are key to the operation of Active Directory. MX (mail exchange) record An MX record points to one or more computers that process SMTP mail for an organization or site. Where DNS resource records will be stored:
After running DCPROMO, A text file containing the appropriate DNS resource records for the domain controller is created. The file called Netlogon.dns is created in the %systemroot%\System32\config folder and contains all the records needed to register the resource records of the domain controller. Netlogon.dns is used by the Windows 2000 NetLogon service and to support Active Directory for non-Windows 2000 DNS servers. Procedures for changing a Server’s IP Address
Once DNS and replication are setup, it is generally a bad idea to change a servers IP address (at least according to Microsoft). Just be sure that is what you really want to do before starting the process. It is a bit kin to changing the Internal IPX number of A Novell server, but it can be done. 1. Change the Server’s IP address 2. Stop the NETLOGON service. 3. Rename or delete SYSTEM32\CONFIG\NETLOGON.DNS and NETLOGON.DNB 4.
Restart the NETLOGON service and run “IPconfig /registerDNS” 5.
Go to one of the other DCs and verify that its DNS is now pointing to the new IP address of the server. If not, change the records manually and give it 15 minutes to replicate the DNS changes out. 6. Run REPLMON and make sure that replication is working now. You may have to wait a little while for things to straighten out. Give it an hour or two if necessary. If a server shows that it isn’t replicating with one of its partners, there are several issues to address: A. Check to see that the servers can ping each other. B. Make sure that both servers’ DNS entries for each other point to the proper IP addresses
C. If server A says it replicated fine, but server B says it couldn’t contact Server A, check the DNS setup on Server B. Chances are it has a record for Server A pointing to the wrong place. D. Run Netdiag and see if it reports any errors or problems. Trust Relationship • One way trust - When one domain allows access to users on another domain, but the other domain does not allow access to users on the first domain. •
Two way trust - When two domains allow access to users on the other domain. • Trusting domain - The domain that allows access to users on another domain. • Trusted domain - The domain that is trusted, whose users have access to the trusting domain. • Transitive trust - A trust which can extend beyond two domains to other trusted domains in the tree. • Intransitive trust - A one way trust that does not extend beyond two domains. • Explicit trust - A trust that an administrator creates. It is not transitive and is one way only. • Cross-link trust - An explicit trust between domains in different trees or in the same tree when a descendent/ancestor (child/parent) relationship does not exist between the two domains. • Forest trust - When two forests have a functional level of Windows 2003, you can use a forest trust to join the forests at the root. • Shortcut trust - When domains that authenticate users are logically distant
from one another, the process of logging on to the network can take a long time. You can manually add a shortcut trust between two domains in the same forest to speed authentication. Shortcut trusts are transitive and can either be one way or two way. Windows 2000 only supports the following types of trusts: • Two way transitive trusts • One way non-transitive trusts. BACKUP Archive bit: The archive bit is used to determine what files have been backuped up previously on a Windows file system. The bit is set if a file is modified Types of Backups: Normal - Saves files and folders and shows they were backed up by clearing the archive bit. Copy - Saves files and folders without clearing the archive bit. Incremental- Incremental backup stores all files that have changed since the last Full, Differential or Incremental backup. The archive bit is cleared. Differential- A differential backup contains all files that have changed since the last FULL backup. The archive bit is not cleared. Daily - Saves files and folders that have been changed that day. The archive bit is
not cleared. Multiplexing:
Multiplexing sends data from multiple sources to a single tape or disk device. This is useful if you have a tape or disk device that writes faster than a single system can send data, which (at this point) is just about every tape device. Multistreaming:
Multistreaming establishes multiple connections, orthr e ads, from a single system to the backup server. This is useful if you have a large system with multiple I/O devices and large amounts of data that need backing up. To perform a backup, select "Start", "Programs", "Accessories", "System Tools", and "Backup". The Windows 2000 "Backup Utility" will start. It has these tabs: System data:
1. The registry 2. System startup files 3. Component services data class registration database 4. Active Directory (Windows 2000 & 2003 Servers only) 5. Certificate server database (Windows 2000 & 2003Servers only) 6. SYSVOL folder (Windows 2000 & 2003 Servers only) Non authoritative Active Directory restores– Changes are accepted from other domain controllers after the backup is done.
When you are restoring a domain controller by using backup and restore programs, the default mode for the restore is non authoritative. This means that the restored server is brought up-to-date with its replicas through the normal replication mechanism.
Authoritative Active Directory restores: Changes are NOT accepted from other domain controllers after the backup is done.
Authoritative restore allows the administrator to recover a domain controller, restore it to a specific point in time, and mark objects in Active Directory as being authoritative with respect to their replication partners. Authoritative restore has the ability to increment the version number of the attributes of all objects in an entire directory. You can authoritatively restore only objects from the configuration and domain-naming contexts. Authoritative restores of schema-naming contexts are not supported. To perform an authoritative restore, you must start the domain controller in Directory Services Restore Mode. Authoritative Restore Example
E:\ntdsutil>ntdsutil ntdsutil: authoritative restore authoritative restore: restore sub tree OU=bosses,DC=ourdom,DC=com Opening DIT database... Done. The current time is 06-17-05 12:34.12. Most recent database update occurred at 06-16-05 00:41.25. Increasing attribute version numbers by 100000. Counting records that need updating... Records found:00 0 00 0 0012 Directory Store Files that are backed up Database file - Stored in SystemRoot\NTDS\ntds.dit, it holds all AD objects and attributes. Contains these tables: • Ntds.dit is the Active Directory database which stores the entire active
directory objects on the domain controller. The .dit extension refers to the directory information tree. The default location is the %systemroot%\Ntds folder. Active Directory records each and every transaction log files that are associated with the Ntds.dit file. • Edb*.log is the transaction log file. Each transaction file is 10 megabytes (MB). When Edb.log file is full, active directory renames it to Edbnnnnn.log, wherennnnn is an increasing number starts from 1. • Edb.chk is a checkpoint file which is use by database engine to track the data
which is not yet written to the active directory database file. The checkpoint file act as a pointer that maintains the status between memory and database file on disk. It indicates the starting point in the log file from which the information must be recovered if a failure occurs. • Res1.log and Res2.log: These are reserved transaction log files. The
amount of disk space that is reserved on a drive or folder for this log is 20 MB. This reserved disk space provides a sufficient space to shut down if all the other disk space is being used. Recovery without Restore - Transaction logs are used to recover uncommitted AD changes after a system crash. This is done by the system automatically without using a restore from a tape backup. How to restore a domain controller system:
1. Reboot the domain controller. 2. Press F8 while booting. 3. Open Advanced Options Menu, select "Directory Services Restore Mode". 4. Select the correct Windows 2000 Server operating system if more than one system is on the computer. 5. During safe mode, press CTRL-ALT-DEL. 6. Log on as Administrator. 7. Select "Start", "Programs", "Accessories", "System Tools", and "Backup".
8. Use the "Restore Wizard". 9. After the restore, if an authoritative restore was done use the "ntdsutil" command line utility. Type "authoritative restore". Syntax for restoration of partial database format: restore subtree OU=OUname, DC=domainname, DC=rootdomain Type "restore database" to make the entire database authoritative. 10. Reboot the Domain Controller. How to Transfer the FSMO Roles: To Transfer the Schema Master Role: 1. Register theSchmmg mt. dl l library by pressing Start > RUN and typing: regsvr32 schmmgmt.dll 2. Press OK. You should receive a success confirmation. 3. From the Run command open an MMC Console by typingMMC.
4. On the Console menu, press Add/Remove Snap-in. 5. Press Add. Select Active Directory Schema. 6. Press Add and press Close. Press OK. 7.
If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller. 8. Press Specify... . and type the name of the new role holder. Press OK. 9.
Right-click right-click the Active Directory Schema icon again and press Operation Masters. 10. Press the Change button. 11. Press OK all the way out. Transferring the FSMO Roles via Ntdsutil To transfer the FSMO roles from the Ntdsutil command: Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality. 1.
On any domain controller, click Start, click Run, typeN tdsut il in the Open box, and then click OK. Microsof t Window s [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\WINDOWS>ntdsutil ntdsutil: 2. Typer o le s, and then press ENTER. ntdsutil: roles fsmo maintenance: Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type? And then press ENTER. 3. Typeco nne ctio ns, and then press ENTER. f smo maintenance: connections server connections: 4. Type connect to server ms-dc04 wherems- dc04 is the name of the server you want to use, and then press ENTER. server connections: connect to server ms-dc04 Binding to ms-dc04 ... Connected ms-dc04 using credentials of locally logg server connections: 5. At the server connections: prompt, typeq, and then press ENTER again. server connections: q
fsmo maintenance: 6. Type transfer <role>. where<r o le > is the role you want to transfer. For example, to transfer the RID Master role, you would type transfer rid master: Options are: Transf er domain naming master Transfer infrastructure master Transfer PDC Transfer RID master Transfer schema master 7. You will receive a warning window asking if you want to perform the transfer. Click on Yes. 8.
After you transfer the roles, typeq and press ENTER until you quit Ntdsutil.exe. 9. Restart the server and make sure you update your backup. To seize the FSMO roles by using Ntdsutil, follow these steps: Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality. 1. On any domain controller, click Start, click Run, typeN tdsut il in the Open box, and then click OK.
Microsof t Window s [Version 5.2.3790] (C) Copyright 1985-2003 Microsoft Corp. C:\WINDOWS>ntdsutil ntdsutil: 2. Typer o le s, and then press ENTER. ntdsutil: roles fsmo maintenance: Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER. 3. Typeco nne ctio ns, and then press ENTER. f smo maintenance: connections server connections: 4. Type connect to server ms-dc04, where ms-dc04 is the name of the server you want to use, and then press ENTER. server connections: connect to server ms-dc04 Binding to ms-dc04... Connected to ms-dc04 using credentials of locally lo server connections: 5. At the server connections: prompt, typeq, and then press ENTER again. server connections: q fsmo maintenance: 6.
Type seize <role>, where<ro le > is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master: Options are: Seize domain naming master Seize infrastructure master Seize PDC Seize RID master Seize schema master 7. You will receive a warning window asking if you want to perform the seize. Click on Yes. Note: All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server. 8. Repeat steps 6 and 7 until you've seized all the required FSMO roles. 9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool. Note: Do not put the Infrastructure Master (IM) role on the same domain
controller as the Global Catalog server. If the Infrastructure Master runs on a GC server it will stop updating object information because it does not contain any references to objects that it does not hold. This is because a GC server holds a partial replica of every object in the forest.
Dynamic host configuration protocol is used to automatically assign TCP/IP addresses to clients along with the correct subnet mask, default gateway, and DNS server. Two ways for a computer to get its IP address: DHCP Scopes Scope - A range of IP addresses that the DHCP server can assign to clients that are on one subnet. Super scope - A range of IP addresses that span several subnets. The DHCP server can assign these addresses to clients that are on several subnets. Multicast scope - A range of class D addresses from 184.108.40.206 to
220.127.116.11 that can be assigned to computers when they ask for them. A multicast group is assigned to one IP address. Multicasting can be used to send messages to a group of computers at the same time with only one copy of the message. The Multicast Address Dynamic Client Allocation Protocol (MADCAP) is used to request a multicast address from a DHCP server. DORA DHCP Lease Process DHCP leases are used to reduce DHCP network traffic by giving clients specific addresses for set periods of time. DHCP Lease Process 1. The DHCP client requests an IP address by broadcasting a DHCPDiscover message to the local subnet. 2.
The client is offered an address when a DHCP server responds with a DHCPOffer message containing IP address and configuration information for lease to the client. If no DHCP server responds to the client request, the client can proceed in two ways: •If it is a Windows 2000–based client, and IP auto-configuration has not been disabled, the client self-configures an IP address for its interface. •If the client is not a Windows 2000–based client, or IP auto-configuration has been
disabled, the client network initialization fails. The client continues to resend DHCPDiscover messages in the background (four times, every 5 minutes) until it receives a DHCPOffer message from a DHCP server. 3. The client indicates acceptance of the offer by selecting the offered address and replying to the server with a DHCPRequest message. 4.
The client is assigned the address and the DHCP server sends a DHCPAck message, approving the lease. Other DHCP option information might be included in the message. 5. Once the client receives acknowledgment, it configures its TCP/IP properties using any DHCP option information in the reply, and joins the network.
In rare cases, a DHCP server might return a negative acknowledgment to the client. This can happen if a client requests an invalid or duplicate address. If a client receives a negative acknowledgment (DHCPNak), the client must begin the entire lease process again.
When the client sends the lease request, it then waits one second for an offer. If a response is not received, the request is repeated at 9, 13, and 16 second intervals with additional 0 to 1000 milliseconds of randomness. The attempt is repeated every 5 minutes thereafter. The client uses port 67 and the server uses port 68. Client Reservation
Client Reservation is used to be sure a computer gets the same IP address all the time. Therefore since DHCP IP address assignments use MAC addresses to control assignments, the following are required for client reservation: 1) MAC (hardware) address 2) IP address Exclusion Range
Exclusion range is used to reserve a bank of IP addresses so computers with static IP addresses, such as servers may use the assigned addresses in this range. These addresses are not assigned by the DHCP server. Database files:
DCHP.MDB - The main database DHCP.TMP - Temporary DHCP storage.
JET*.LOG - Transaction logs used to recover data. SYSTEM.MDB - USed to track the structure of the DHCP database. APIPA If all else fails, then clients give themselves an Automatic IP address in the range 169.254.x.y where x and y are two random numbers between 1 and 254. BOOTP BOOTP or the bootstrap protocol can be used to boot diskless clients WINS WINS WINS stands for Windows Internet Name Service. WINS is a NetBIOS Name Server that registers your NetBIOS names and resolves into IP addresses. DFS
The Distributed File System (DFS) allows files and directories in various places to be combined into one directory tree. Only Windows 2000 & 2003Servers can contain DFS root directories and they can have only one. DFS Components DFS root - A shared directory that can contain other shared directories, files, DFS links, and other DFS roots. One root is allowed per server. Types of DFS roots: Stand alone DFS root - Not published in Active Directory, cannot be replicated, and can be on any Windows 2000 & 2003 Server. This provides no fault tolerance with
the DFS topology stored on one computer. A DFS can be accessed using the Syntax: \\Server\DFSname Domain DFS root - It is published in Active Directory, can be replicated, and can be
on any Windows 2000 & 2003 Server. Files and directories must be manually replicated to other servers or Windows 2000 & 2003 must be configured to replicate files and directories. Configure the domain DFS root, then the replicas when configuring automatic replication. Links are automatically replicated. There may be up to 31 replicas. Domain DFS root directories can be accessed using the Syntax: \\domain\DFSname DFS link - A pointer to another shared directory. There can be up to 1000 DFS links for a DFS root. IIS Virtual Directory: A virtual directory is a directory that is not contained in the home directory but appears to client browsers as though it were. What is ISAPI? Internet Server Application Programming Interface (ISAPI), is an API developed to provide the application developers with a powerful way to extend the functionality of Internet Information Server (IIS). Although ISAPI extensions by no means are limited to IIS, they are extensively used in conjunction with MS-IIS. What is application pool?
Application Pools” that can house a single or multiple web sites. It provides a convenient way to administer a set of Web sites and applications and increase reliability, What is a COM component? Any VB6 DLL is a COM component, as is any Windows DLL or EXE that supports the COM interfaces. How many types of authentication securities are there in IIS? In IIS there are 4 types of authentication security - Basic, Anonymous, Digest & Integrated windows Authentication. What is the Tombstone? What is the default tombstone life time? How to increase the tombstone life time?
The number of days before a deleted object is removed from the directory services. The default tombstone-lifetime of 60 days, Windows Server 2003 sp1 the new default tombstone-lifetime is 180 days. You can check your tombstone-lifetime using the following command which comes with Windows Server 2003:
dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=yourdomain,DC=com" -scope base -attr tombstonelifetime What is a session Object? A Session Object holds information relevant to a particular user’s session. How IIS can host multiple websites
To distinguish between websites, IIS looks at three attributes: • The host header name • The IP number • The port number What is a host header?
A host header is a string part of the request sent to the web server (it is in the HTTP header). This means that configuring IIS to use host headers is only one step in the approach to host multiple websites using host headers to distinguish between the websites. A configuration of the DNS server (usually means that you need to add an (A) record for the domain) is also required, so the client can find the web server. EXCHANGE SERVER DS PROXY
DSProxy is the component in Microsoft Exchange Server 2003 that provides an address book service to Microsoft Outlook clients. Although the name implies that this component provides only proxy services, DSProxy provides both of the following services: 1. DSProxy emulates a MAPI address book service and sends proxy requests to an Active Directory server. 2. DSProxy refers Outlook client queries to an Active Directory server. DSAccess
The Exchange components that need to interact with Active Directory use DSAccess to retrieve Active Directory information rather than communicating directly with domain controllers and global catalog servers
Forestprep When you use the /ForestPrep option, the Exchange Setup program extends the Active Directory schema to add Exchange-specific classes and attributes.
To verify that the setup /forestprep command completed successfully on a computer that is running Microsoft Windows 2000 Server in an Exchange 2000 environment, use either of the following methods: •Look for event ID 1575 DomainPrep:
DomainPrep creates the groups and permissions necessary for Exchange servers to read and modify user attributes in Active Directory. You must run DomainPrep before installing your first Exchange server in a domain MAPI(Messaging Application Programming Interface) It is an extensive set of functions that developers can use to create mailenabled applications. Enables an application to send and receive mail over a Microsoft Mail message system Recovery Storage Group:
Recovery Storage Group is a new feature in Exchange 2003. The biggest advantage of this method is that it reduces the impact of restoring a single mailbox from backup. Exmerge tool: ExMerge is to recover the mailbox data from the Recovery Storage Group. Since ExMerge creates a .pst file. List the services of Exchange Server 2003?
Microsoft Exchange Event Monitors folders and triggers events for server applications compatible with Exchange Server 5.5. Microsoft Exchange IMAP4 It is a method of accessing electronic mail that are kept on a mail server. Microsoft Exchange Information Store
The information store, which is the key component for database management in Exchange Server, is actually two separate databases. The private information store database, Priv.edb, manages data in user mailboxes. The public information store, Pub.edb, manages data in public folders. Microsoft Exchange Management
Provides Exchange management information using Windows Management Instrumentation (WMI). If this service is stopped, WMI providers implemented to work in Microsoft Exchange Management, like message tracking and Directory Access, will not work. Microsoft Exchange MTA Stacks You use Exchange X.400 services to connect to Exchange 5.5 servers and other connectors (custom gateways). Microsoft Exchange POP3 POP3 is a Client/Service protocol in which e-mail is received and held for you by your Internet server. Microsoft Exchange Routing Engine
The Exchange Routing Engine uses Link State information for e-mail routing. The Routing Engine will forward this information to the Advanced Queuing Engine. The default size of routing table log file is 50 MB and default age is seven days.
Microsoft Exchange Site Replication Service
Provides directory interoperability between Exchange 5.5 and Exchange 2000 Server or Exchange 2003. Site Replication Service (SRS) acts as a directory replication bridgehead server for an Exchange site. SRS runs on Exchange 2000 and serves as a modified Exchange 5.5 directory. SRS uses Lightweight Directory Access Protocol (LDAP) to communicate to both the Active Directory® directory service and the Exchange 5.5 directory. To Exchange 5.5, SRS looks similar to another Exchange 5.5 configuration/recipients replication partner. Microsoft Exchange System Attendant
Provides monitoring, maintenance, and Active Directory lookup services (for example, monitoring of services and connectors, proxy generation, Active Directory to metabase replication, publication of free/busy information, offline address book generation, mailbox maintenance, and forwarding Active Directory lookups to a global catalog server). If this service is stopped, monitoring, maintenance, and lookup services are unavailable. If this service is disabled, any services that explicitly depend on it cannot start. What are the Exchange Server 2003 - Troubleshooting Eseutil commands? Eseutil /mh
Here is a simple switch to verify the state of an Exchange database. All that eseutil /mh does is to determine whether the last shutdown was clean or dirty. Eseutil /mh is ideal to practice getting to the right path and executing eseutil without doing any harm to the mailstore databases. Eseutil /ml Similar to the /mh, except this switch performs an integrity check on log files, for example, E00.log. Eseutil /mm
Dumps metadata from the database file (not the logs). Specialist use only, I find the output fascinating but not very useful. Eseutil /mk
Provides information about the checkpoint file. Handy for troubleshooting backup / restore problems. Where /mh used priv1.edb, remember to substitute the name of the checkpoint file E00.chk with /mk.
Eseutil /k to check for damaged headers Eseutil /cc for troubleshooting Eseutil /d to defrag the .edb database Example: eseutil /d e:\exchsrvr\mdbdata\priv1.edb (Or other path to your store)
Eseutil /r to repair Exchange 2003 log files Eseutil /p will attempt to repair a corrupted store database Eseutil /y Copies a database, streaming file, or log file Eseutil /g Verifies the integrity of a database Eseutil /m Generates formatted output of various database file types. e.g. /mh Isinteg Utility (Information Store Integrity Checker) finds and eliminates errors from the public folder and mailbox databases at the application level. it can recover data that Eseutil cannot recover. Offline Storage Files (.OST) file
Microsoft Exchange Server locally stores its data in OST file on your storage Device. An OST file is a component Of Microsoft Exchange Server and can’t
be used with Microsoft Outlook.
At the time of when exchange server crashes or when mailbox is deleted from the exchange server, OST file gets inaccessible and remains on the users computer holding large part of emails, calendar, journals, notes, contacts, tasks etc. Advanced Queuing Engine (AQE)
The Advanced Queuing Engine (AQE) is responsible for creating and managing message queues for e-mail delivery. When AQE receives a Simple Mail Transfer Protocol (SMTP) mailmsg object, this object will be forwarded to the Message Categorizer. The Advanced Queuing Engine then queues the Mailmsg object for message delivery based on the Routing information provided by the Routing Engine process of Exchange Server 2003. Outbound Mail Flow in Exchange Server 2003 Outbound mail flows through an Exchange Server deployment in the following manner:
1. Mail messages are sent from a client (Microsoft Outlook, Outlook Express, or Outlook Web Access, for example) and are submitted to the local Exchange store. 2. The Exchange store submits the message to the Advanced Queuing Engine. 3. The Advanced Queuing Engine submits the message to the message categorizer. 4.The message categorizer validates the recipients of the message,
checks for proper recipient attributes, applies limits and restrictions, flags the message for local or remote delivery, and then returns the message to the Advanced Queuing Engine.
5. If for local delivery, the Advanced Queuing Engine submits the message to the Local Delivery queue, and the Exchange store receives the message from the Local Delivery queue. For more information about the Advanced Queuing Engine,
6. If for remote delivery, the Advanced Queuing Engine submits the message to the Routing Engine. The Routing Engine determines the most efficient route for mail delivery, returns the message to the Advanced Queuing Engine, and, in turn, submits the messages for remote delivery. The messages are then sent via SMTP to a remote SMTP host or to the Internet. The following are the minimum requirements for outbound mail flow: •
Exchange Server must have access to the Internet on port 25. This access should not be blocked by firewalls or other network settings. Anonymous connections should be allowed. • The Exchange Server SMTP virtual server should be configured to use the default settings. •
The public mail exchanger (MX) resource record configured on your public Domain Name System (DNS) service should be accessible to all other Internet domains. The MX record should point to the Exchange
server and must be identified before messages can be sent or received. INTERVIEW QUESTIONS What protocol and port does DHCP use? DHCP, like BOOTP runs over UDP, utilizing ports 67 and 68. What is the DHCP automatic backup time? In fact, by default it's 60 minutes. You can change the frequency though How many scopes you can create As a general recommendation, limit each DHCP server to having no more than 1,000 scopes defined for use.
When adding a large number of scopes to the server, be aware that each scope creates a corresponding need for additional incremental increases to the amount of disk space used for the DHCP server registry and for the server paging file For the best possible DHCP server design in most networks, it is recommended that you have, at most, 10,000 clients per server. Advantage of LDP tool: Reanimating Active Directory Tombstone Objects we use LDP tool. Repadmin to remove lingering objects repadmin /removelingeringobjects If there is set of 30 hard disk configured for raid 5 if two hard disk failed what about data
Because of parity, information all data are available in case one of the disks fails. If
extra (spare) disks are available, then reconstruction will begin immediately after the device failure. However if two hard disks fail at same time, all data are LOST. In short RAID 5 can survive one disk failure, but not two or more. In Raid 5, suppose I have 5 HDD of 10-10 GB, after configuring the Raid how much space does I have for utilized. -1 out of the total (eg- if u r using 5 u will get only 4 because 1 goes for parity).
Here I am playing a key role Active Directory and Backup Administration. I need to check the backup logs, backing is completed successfully. We have a MOM Team, it will generate the alerts in respective to MOM. I am taking care of AD Alert’s and backups. Like Disk space low issues, automated services, CPU Utilization, Server Availability, Server Health check, Hardware Failures and DNS issues and moreover I can say user creations, DL Creations, Mail Box moments and I am in a part of taking care about the Anti virus bad clients. We are using HP OVSD tool to monitor the Queue. All these issues. RAID 5 and 10?
Common Name(s): RAID 5. Technique(s) Used: Block-level striping with distributed parity. Description: One of the most popular RAID levels, RAID 5 stripes both data and parity
information across three or more drives. It is similar to RAID 4 except that it exchanges the dedicated parity drive for a distributed parity algorithm, writing data and parity blocks across all the drives in the array. This removes the "bottleneck" that the dedicated parity drive represents, improving write performance slightly and allowing somewhat better parallelism in a multiple-transaction environment, though the overhead necessary in dealing with the parity continues to bog down writes. Fault tolerance is maintained by ensuring that the parity information for any given block of data is placed on a drive separate from those used to store the data itself. The performance of a RAID 5 array can be "adjusted" by trying different stripe sizes until one is found that is well-matched to the application being used.
RAID5 versus RAID10 (or even RAID3 or RAID4) First let's get on the same page so we're all talking about apples. What is RAID5?
OK here is the deal, RAID5 uses ONLY ONE parity drive per stripe and many RAID5 arrays are 5 (if your counts are different adjust the calculations appropriately) drives (4 data and 1 parity though it is not a single drive that is holding all of the parity as in RAID 3 & 4 but read on). If you have 10 drives or say 20GB each for 200GB
RAID5 will use 20% for parity (assuming you set it up as two 5 drive arrays) so you will have 160GB of storage. Now since RAID10, like mirroring (RAID1), uses 1 (or more) mirror drive for each primary drive you are using 50% for redundancy so to get the same 160GB of storage you will need 8 pairs or 16 - 20GB drives, which is why RAID5 is so popular. This intro is just to put things into perspective.
RAID5 is physically a stripe set like RAID0 but with data recovery included. RAID5 reserves one disk block out of each stripe block for parity data. The parity block contains an error correction code which can correct any error in the RAID5 block, in effect it is used in combination with the remaining data blocks to recreate any single missing block, gone missing because a drive has failed. The innovation of RAID5 over RAID3 & RAID4 is that the parity is distributed on a round robin basis so that There can be independent reading of different blocks from the several drives. This is why RAID5 became more popular than RAID3 & RAID4 which must synchronously read the same block from all drives together. So, if Drive2 fails blocks 1,2,4,5,6 & 7 are data blocks on this drive and blocks 3 and 8 are parity blocks on this drive. So that means that the parity on Drive5 will be used to recreate the data block from
Disk2 if block 1 is requested before a new drive replaces Drive2 or during the rebuilding of the new Drive2 replacement. Likewise the parity on Drive1 will be used to repair block 2 and the parity on Drive3 will repair block4, etc. For block 2 all the data is safely on the remaining drives but during the rebuilding of Drive2's replacement a new parity block will be calculated from the block 2 data and will be written to Drive 2.
Now when a disk block is read from the array the RAID software/firmware calculates which RAID block contains the disk block, which drive the disk block is on and which drive contains the parity block for that RAID block and reads ONLY the one data drive. It returns the data block. If you later modify the data block it recalculates the parity by subtracting the old block and adding in the new version then in two separate operations it writes the data block followed by the new parity block. To do this it must first read the parity block from whichever drive contains the parity for that stripe block and reread the unmodified data for the updated block from the original drive. This read-read-write-write is known as the RAID5 write penalty since these two writes are sequential and synchronous the write system call cannot return until the reread and both writes complete, for safety, so writing to RAID5 is up to
50% slower than RAID0 for an array of the same capacity. (Some software RAID5's avoid the re-read by keeping an unmodified copy of the original block in memory.) Now what is RAID10?
RAID10 is one of the combinations of RAID1 (mirroring) and RAID0 (striping) which are possible. There used to be confusion about what RAID01 or RAID10 meant and different RAID vendors defined them differently. About five years or so ago I proposed the following standard language which seems to have taken hold. When N mirrored pairs are striped together this is called RAID10 because the mirroring (RAID1) is applied before striping (RAID0). The other option is to create two stripe Sets and mirror them one to the other, this is known as RAID01 (because the RAID0 is applied first). In either a RAID01 or RAID10 system each and every disk block is completely duplicated on its drive's mirror. Performance-wise both RAID01 and RAID10 are functionally equivalent. The difference comes in during recovery where RAID01 suffers from some of the same problems I will describe affecting RAID5 while RAID10 does not. Now if a drive in the RAID5 array dies, is removed, or is shut off data is returned by reading the blocks from the remaining drives and calculating the missing data using
the parity, assuming the defunct drive is not the parity block drive for that RAID block. Note that it takes 4 physical reads to replace the missing disk block (for a 5 drive array) for four out of every five disk blocks leading to a 64% performance degradation until the problem is discovered and a new drive can be mapped in to begin recovery. Performance is degraded further during recovery because all Drives are being actively accessed in order to rebuild the replacement drive (see below).
If a drive in the RAID10 array dies data is returned from its mirror drive in a single read with only minor (6.25% on average for a 4 pair array as a whole) performance reduction when two non-contiguous blocks are needed from the damaged pair (since the two blocks cannot be read in parallel from both drives) and none otherwise. Mirroring?
Mirroring is one of the two data redundancy techniques used in RAID (the other beingpar ity). In a RAIDsyste m using mirroring, all data in the system is written simultaneously to two hard disks instead of one; thus the "mirror" concept. The principle behind mirroring is that this 100% data redundancy provides full protection against the failure of either of the disks containing the duplicated data. Mirroring setups always require an even number of drives for obvious reasons. The chief advantage of mirroring is that it provides not only complete
redundancy of data, but also reasonably fast recovery from a disk failure. Since all the data is on the second drive, it is ready to use if the first one fails. Mirroring also improves some forms of readpe r for mance (though it actually hurts write performance.) The chief disadvantage of RAID 1 is expense: that data duplication means half the space in the RAID is "wasted" so you must buy twice the capacity that you want to end up with in the array. Performance is also not as good as some RAID levels. Parity
Mirroring is a data redundancy technique used by some RAID levels, in particular RAID level 1, to provide data protection on a RAID array. While mirroring has some advantages and is well-suited for certain RAID implementations, it also has some limitations. It has a high overhead cost, because fully 50% of the drives in the array are reserved for duplicate data; and it doesn't improve performance as much as data striping does for many applications. For this reason, a different way of protecting data is provided as an alternate to mirroring. It involves the use ofpar ity information, which is redundancy information calculated from the actual data values. Cross realm uses for ticket granting service for cross domain authentication. Kerberos Authentication:After giving the password at client end checks the
stamp with domain controller of Global catalogue with the use of NTP protocol ( port number 123 ) If the time difference between the DC and client should not be exceed more than 5 mins.
After finishing the time stamp matching session ticket with encrypted password and it releases the two tickets with help of KDC ( Key distribution Centre ). One is for sends the request to logon and another one sends the permission whether accepting or not. After providing the authentication from Kerberos LDAP finishes the logon process with port number 389 Kerberos uses to protocols UDP and TCP with same port number 88. After that it checks for password which is maintaining in DC if it matches it will start authenticating with domain. Replmon
Replmon.exe: Active Directory Replication Monitor This GUI tool enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a
graphical format, and monitor the status and performance of domain controller replication. You can use ReplMon to do the following: 1. See when a replication partner fails. 2. View the history of successful and failed replication changes for troubleshooting purposes. 3. Create your own applications or scripts written in Microsoft Visual Basic Scripting Edition (VBScript) to extract specific data from Active Directory. 4. View a snapshot of the performance counters on the computer, and the registry configuration of the server. 5. Generate status reports that include direct and transitive replication partners,
and detail a record of changes. 6. Find all direct and transitive replication partners on the network. 7. Display replication topology. 8. Poll replication partners and generate individual histories of successful and failed replication events. 9. Force replication. 10. Trigger the Knowledge Consistency Checker (KCC) to recalculate the
replication topology. 11. Display changes that have not yet replicated from a given replication partner. 12. Display a list of the trust relationships maintained by the domain controller being monitored.
13. Display the metadata of an Active Directory object's attributes. 14. Monitor replication status of domain controllers from multiple forests. Repadmin.exe: Replication Diagnostics Tool
This command-line tool assists administrators in diagnosing replication problems between Windows domain controllers. Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be used to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view both the replication metadata and up-to-dateness vectors. Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to check for replication problems. Usually, the Knowledge Consistency Checker (KCC) manages the replication topology for each naming context held on domain controllers.
Important: During the normal course of operations, there is no need to create the replication topology manually. Incorrect use of this tool can adversely impact the replication
topology. The primary use of this tool is to monitor replication so that problems such as offline servers or unavailable LAN/WAN connections can be identified. 1.How to conform if the software package deployed using group policy. Has got installed in the user PC. 2.in one DC one user has been deleted the OU by admin1 ……delete by one administrator, in other DC the same OU is getting updated in admin 2 (Lost and found object) 3. what are the two attributes, which reflect while replication happening 4.how do u see the by using GPO …which software has been installed in the machines 5.hw to install the software package for 500 machines…….can u just give the steps 6. hw do deploy patch in enterprise environment 7. hw to un-install a package 8.if Kerberos fail, what will happen, is there any other authentication 9. when you need to install DNS server in member servers, what is the use of it 10. Active directory integrated DNS in member server install? 11. what the log files and what is the use of log files Answers: 1.Software deployment tools are there …SMS …..Package……how to diploye…..SMs or some other tool……
MBSA 2.0.1 is compatible with Microsoft Update and Windows Server Update Services and the SMS Inventory Tool for Microsoft Update (ITMU). MBSA 2.0.1 offers customers
improved Windows component support, expanded platform support for XP Embedded and 64-bit Windows, as well as more consistent and less complex security update management experience. Unless specifically noted, all references to MBSA 2.0 in the MBSA TechNet pages also apply to MBSA 2.0.1. Legacy Product Support: For customers using legacy products not supported by MBSA 2.0.1, Microsoft Update, and WSUS, Shavlik Technologies provides a free MBSA 2.0.1 companion tool called Shavlik NetChk Limited. 2.only one OU you can create and delete …hw the same OU name will come in
other machines 3. GPMC………..gpo is one object in in group policy 4. whats is the GPMC……..password policy……….hw u will apply……where u will apply
5.hirarchichy……site and domain and OU…. 6.500……Distribution point(SMS)……. 7.hw to deployed …..the enterprise environement…..
SUS: Microsoft SUS is a free patch management tool provided by Microsoft to help network administrators deploy security patches more easily. In simple terms, Microsoft SUS is a version of Windows Update that you can run on your network.
Software Update Services leverages the successful Windows Automatic Updates service first available in Windows XP, and allows information technology professionals to configure a server that contains content from the live Windows Update site in their own Windows-based intranets to service corporate servers and clients. Software Update Services The server features include: •
Built-in security. The administrative pages are restricted to local administrators on the computer that hosts the updates. The synchronization validates the digital certificates on any downloads to the update server. If the certificates are not from Microsoft, the packages are deleted. •
Selective content approval. Updates synchronized to your server running Software Update Services are not made automatically available to the computers that have been configured to get updates from that server. The administrator approves the updates before they are made available for download. This allows the administrator to test the packages being deploying them. •
Content synchronization. The server is synchronized with the public Windows Update service either manually or automatically. The administrator can set a schedule or have the synchronization component of the server do it automatically at preset times. Alternatively, the administrator can use the Synchronize Now button to manually synchronize. •
Server-to-server synchronization. Because you may need multiple servers running Microsoft SUS inside your corporation in order to bring the updates closer to your desktops and servers for downloading, Microsoft SUS will allow you to point to another server running Microsoft SUS instead of Windows Update, allowing these critical software updates to be distributed around your enterprise. •
Update package hosting flexibility. Administrators have the flexibility of downloading the actual updates to their intranet, or pointing computers to a worldwide network of download servers maintained by Microsoft. Downloading updates might appeal to an administrator with a network closed to the Internet. Large networks spread over geographically disparate sites might find it more beneficial to use the Microsoft maintained download servers. These are the actual Windows Update download servers. In a scenario like this, an administrator would download and test updates at a central site, then point
computers requiring updates to one of the Windows Update download servers. Microsoft maintains a worldwide network of these type servers. •
Multi-language support. Although the Software Update Services administrative interface is available only in English or Japanese, the server supports the publishing of updates to multiple operating-system language versions. Administrators can configure the list of languages for which they want updates downloaded. •
Remote administration via HTTP or HTTPS. The administrative interface is Web-based and therefore allows for remote (internal) administration using Internet Explorer 5.5 or higher. •
Update status logging. You can specify the address of a Web server where the Automatic Updates client should send statistics about updates that have been downloaded, and whether the updates have been installed. These statistics are sent using the HTTP protocol and appear in the log file of the Web server. Download Software Update Services Server 1.0 with Service Pack 1HER E (33mb) Microsoft SUS Server limitations
Though very good as what it does, Microsoft’s patch management tool does have a few limitations: • It does not push out service packs; you need a separate solution for that. •
It only handles patches at operating system level (including Internet Explorer and IIS), but not application patches such as Microsoft Office, Microsoft Exchange Server, Microsoft SQL Server, etc. • It requires Windows 2000 and up, so it cannot patch Windows NT 4 systems. • It cannot deploy custom patches for third party software. •
It does not allow you to scan your network for missing patches, so you cannot check if everything has been installed correctly. There is no easy reporting system for this.
This means that you still require a patch management solution to perform the above tasks. Microsoft does not plan to add the above features, since it promotes Microsoft SMS server as a tool for that. So, Microsoft SUS server is ideal for operating system patches if used in conjunction with a patch management tool. Read more on how to overcome SUS's limitations by using a 3rd party tool
called GFI LANguard Network Security Scanner. Windows Automatic Update Client
To use SUS on your network you will need to use the Windows Automatic Update Client. The client is based on the Windows Automatic Updates technology that was significantly updated for Windows XP. Automatic Updates is a proactive pull service that enables users with administrative privileges to automatically download and install Windows updates such as critical operating-system fixes and Windows security patches. The features include: • Built-in security: Only users with local administrative privileges can interact
with Automatic Updates. This prevents unauthorized users from tampering with the installation of critical updates. Before installing a downloaded update, Automatic Updates verifies that Microsoft has digitally signed the files. • Just-in-time validation: Automatic Updates uses the Windows Update service technologies to scan the system and determine which updates are applicable to a particular computer. • Background downloads: Automatic Updates uses the Background
Intelligent Transfer Service (BITS), an innovative bandwidth-throttling technology built into Windows XP and newer operating systems, to download updates to the computer. This bandwidth-throttling technology uses only idle bandwidth so that downloads do not interfere with or slow down other network activity, such as Internet browsing. • Chained installation: Automatic Updates uses the Windows Update
technologies to install downloaded updates. If multiple updates are being installed and one of them requires a restart, Automatic Updates installs them all together and then requests a single restart. • Multi-user awareness: Automatic Updates is multi-user aware, which means that it displays different UI depending on which administrative user is logged on. • Manageability: In an Active Directory environment, an administrator can
configure the behavior of Automatic Updates using Group Policy. Otherwise, an administrator can remotely configure Automatic Updates using registry keys through the use of a logon script or similar mechanism. • Multi-language support: The client is supported on localized versions of Windows. This update applies to the following operating systems: •
Windows 2000 Professional with Service Pack 2 • Windows 2000 Server with Service Pack 2 • Windows 2000 Advanced Server with Service Pack 2 • Windows XP Professional • Windows XP Home Edition Note: Windows 2000 Service Pack 3 (SP3) and Windows XP Service Pack 1 (SP1) include the Automatic Updates component,elimin a t in g the need to download the client component separately. Download Windows automatic updating (SUS Client)HER E (1mb) Administrator Control via Policies
The Automatic Updates behavior can be driven by configuring Group Policy settings in an Active Directory environment. Administrators can use Group Policy in an Active Directory environment or can configure registry keys to specify a server running Software Update Services. Computers running Automatic Updates then use this specified server to get updates. The Software Update Services installation package includes a policy template file, WUAU.ADM, which contains the Group Policy settings described earlier in this paper. These settings can be loaded into Group Policy Editor for deployment. These
policies are also included in the System.adm file in Windows 2000 Service Pack 3, and will be included in the Windows Server 2003 family, and in Windows XP Service Pack 1. 8. NTLM System Login Process: Kerberos uses as its basis theNee dham- Schr oe de r protocol. It makes use of a trusted third party, termed a key distribution center (KDC), which consists of two
logically separate parts: an Authentication Server (AS) and a Ticket Granting Server (TGS). Kerberos works on the basis of "tickets" which serve to prove the identity of users.
The KDC maintains a database of secret keys; each entity on the network — whether a client or a server — shares a secret key known only to itself and to the KDC. Knowledge of this key serves to prove an entity's identity. For communication between two entities, the KDC generates a session key which they can use to secure their interactions These cur ity of the protocol relies heavily on participants maintaining loosely synchronized time and on short lived assertions of authenticity calledKe r ber os tickets. What follows is a simplified description of the protocol. The following abbreviations will be used:
• AS = Authentication Server • TGS = Ticket Granting Server • SS = Service Server. • TGT = Ticket Granting Ticket
Briefly, the client authenticates to AS using a long-term shared secret and receives a ticketfro m the AS. Later the client can use this ticket to get additional tickets for SS without resorting to using the shared secret. These tickets can be used to prove authentication to SS. In more detail: User Client-based Logon Steps: 1. A user enters a username and password on theclie nt. 2.
The client performs a one-way function on the entered password, and this becomes the secret key of the client. Client Authentication Steps:
The client sends acle ar te xt message to the AS requesting services on behalf of the user. Sample message: "User XYZ would like to request services". Note: Neither the secret key nor the password is sent to the AS. 2.
The AS checks to see if the client is in its database. If it is, the AS sends back the following two messages to the client: o Message A: Client/TGS session key encrypted using the secret key of the user. o
Message B: Ticket-Granting Ticket (which includes the client ID, client network address, ticket validity period, and the client/TGS session key) encrypted using the secret key of the TGS. 3. Once the client receives messages A and
B, it decrypts message A to obtain the client/TGS session key. This session key is used
for further communications with TGS. (Note: The client cannot decrypt Message B, as it is encrypted using TGS's secret key.) At this point, the client has enough information to authenticate itself to the TGS. Client Service Authorization Steps: 1. When requesting services, the client sends the following two messages to the TGS: o Message C: Composed of the Ticket-Granting Ticket from message B and the ID of the requested service. o Message D: Authenticator (which is composed of the client ID and the timestamp), encrypted using the client/TGS session key. 2.
Upon receiving messages C and D, the TGS retrieves message B out of message C. It decrypts message B using the TGS secret key.
This gives it the "client/TGS session key". Using this key, the TGS decrypts message D (Authenticator) and sends the following two messages to the client: o
Message E: Client-to-server ticket (which includes the client ID, client network address, validity period and Client/server session key) encrypted using the service's secret key. o Message F: Client/server session key encrypted with the client/TGS session key. Client Service Request Steps: 1.
Upon receiving messages E and F from TGS, the client has enough information to authenticate itself to the SS. The client connects to the SS and sends the following two messages: o Message E from the previous step (the client-to-server ticket, encrypted using service's secret key).
Message G: a new Authenticator, which includes the client ID, timestamp and is encrypted usingclie nt/se r ve r session key. 2.
The SS decrypts the ticket using its own secret key and sends the following message to the client to confirm its true identity and willingness to serve the client: o
Message H: the timestamp found in client's recent Authenticator plus 1, encrypted using the client/server session key. 3.
The client decrypts the confirmation using the client/server session key and checks whether the timestamp is correctly updated. If so, then the client can trust the server and can start issuing service requests to the server. 4. The server provides the requested services to the client.
Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers. •
Kerberos requires the clocks of the involved hosts to be synchronized. The tickets have time availability period and, if the host clock is not synchronized with the clock of Kerberos server, the authentication will fail. The default configuration requires that clock times are no more than 10 minutes apart. In practice, Network Time Protocol daemons are usually used to keep the host clocks synchronized. • The administration protocol is not standardized, and differs between server implementations. Password changes are described in RFC 3244. • Since the secret keys for all users are stored on the central server, a compromise of that server will compromise all users' secret keys.
Group policies successive event id 1704 For GPUpdate events: 1500,1501,1502 and 1503 For SMB erros event id:1058 and in 2000 id 1000 solution: 1. On the domain controller, click Start, click Run, type regedit, and then click OK.
2. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\par am eters 3. In the right pane, double-click enablesecuritysignature, type 1 in the Value data box,
and then click OK. 4. Double-click requiresecuritysignature, type 1 in the Value data box, and then click OK. 5. Locate and then click the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstatio n\ parameters 6. In the right pane, double-click enablesecuritysignature, type 1 in the Value data box,
and then click OK. 7. Double-click requiresecuritysignature, type 0 in the Value data box, and then click OK. 8. After you change these registry values, restart the Server and Workstation services. Do not restart the domain controller, because this action may cause Group Policy to change the registry values back to the earlier values.
9. Open the domain controller’s Sysvol share. To do this, click Start, click Run, type \\Server_Name\Sysvol, and then press ENTER. If the Sysvol share does not open, repeat
steps 1 through 8. 10. Repeat steps 1 through 9 on each affected domain controller to make sure that each domain controller can access its own Sysvol share.
11. After you connect to the Sysvol share on each domain controller, open the Domain Controller Security Policy snap-in, and then configure the SMB signing policy settings. To do this, follow these steps:a. Click Start, point to Programs, point to Administrative Tools, and then click Domain Controller Security Policy. b. In the left pane, expand Local Policies, and then click Security Options. c. In the right pane, double-click Microsoft network server: Digitally sign communications (always). Note In Windows 2000 Server, the equivalent policy setting is Digitally sign server communication (always).
Important If you have client computers on the network that do not support SMB signing, you must not enable the Microsoft network server: Digitally sign communications (always) policy setting. If you enable this setting, you require SMB signing for all client communication, and client computers that do not support SMB signing will not be able to connect to other computers. For example, clients that are running Apple Macintosh OS X or Microsoft Windows 95 do not support SMB signing. If your network includes clients that do not support SMB signing, set this policy to disabled. d. Click to select the Define this policy setting check box, click Enabled, and
then click OK. e. Double-click Microsoft network server: Digitally sign communications (if client agrees). Note For Windows 2000 Server, the equivalent policy setting is Digitally sign server communication (when possible). f. Click to select the Define this policy setting check box, and then click Enabled. g. Click OK.
h. Double-click Microsoft network client: Digitally sign communications (always). i. Click to clear the Define this policy setting check box, and then click OK. j. Double-click Microsoft network client: Digitally sign communications (if server agrees). k. Click to clear the Define this policy setting check box, and then click OK. 12. Run the Group Policy Update utility (Gpupdate.exe) with the force switch. To do this,
follow these steps:a. Click Start, click Run, type cmd, and then click OK. b. At the command prompt, type gpupdate /force, and then press ENTER. For more information about the Group Policy Update utility, click the following article number to view the article in the Microsoft Knowledge Base: 298444 (http://support.microsoft.com/kb/298444/) A description of the Group Policy
Note The Group Policy Update utility does not exist in Windows 2000 Server. In Windows 2000, the equivalent command is secedit /refreshpolicy machine_policy /enforce. For more information about using the Secedit command in Windows 2000, click the following article number to view the article in the Microsoft Knowledge Base: 227302 (http://support.microsoft.com/kb/227302/) Using SECEDIT to force a Group Policy refresh immediately
13. After you run the Group Policy Update utility, check the application event log to make sure that the Group Policy settings were updated successfully. After a successful Group Policy update, the domain controller logs Event ID 1704. This event appears in the Application Log in Event Viewer. The source of the event is SceCli. 14. Check the registry values that you changed in steps 1 through 7 to make sure that the registry values have not changed.
Note This step makes sure that a conflicting policy setting is not applied at another group or organizational unit (OU) level. For example, if the Microsoft network client: Digitally sign communications (if server agrees) policy is configured as "Not Defined" in Domain Controller Security Policy, but this same policy is configured as disabled in Domain
Security Policy, SMB signing will be disabled for the Workstation service.
15. If the registry values have changed after you run the Group Policy Update utility, open the Resultant Set of Policy (RSoP) snap-in in Windows Server 2003. To start the RSoP snap-in, click Start, click Run, type rsop.msc in the Open box, and then click OK. In the RSoP snap-in, the SMB signing settings are located in the following path: Computer Configuration/Windows Settings/Security Settings/Local Policies/Security Options
Note If you are running Windows 2000 Server, install the Group Policy Update utility from the Windows 2000 Resource Kit, and then type the following at the commmand prompt: gpresult /scope computer /v
After you run this command, the Applied Group Policy Objects list appears. This list shows all Group Policy objects that are applied to the computer account. Check the SMB signing policy settings for all these Group Policy objects.