- What is Active Directory?
An active directory is a directory structure used on Microsoft
Windows based computers and servers to
store information and data about networks and domains. It is
primarily used for online information and
was originally created in 1996. It was first used with Windows
2000.
An active directory (sometimes referred to as an AD) does a
variety of functions including the ability to
rovide information on objects, helps organize these objects for
easy retrieval and access, allows access by
end users and administrators and allows the administrator to set
security up for the directory.
Active Directory is a hierarchical collection of network resources
that can contain users, computers,
printers, and other Active Directories. Active Directory Services
(ADS) allow administrators to handle and
maintain all network resources from a single location . Active
Directory stores information and settings in a
central database
· What is LDAP?
The Lightweight Directory Access Protocol, or LDAP , is an
application protocol for querying and modifying
directory services running over TCP/IP. Although not yet widely
implemented, LDAP should eventually make
it possible for almost any application running on virtually any
computer platform to obtain directory
information, such as email addresses and public keys. Because LDAP
is an open protocol, applications need
not worry about the type of server hosting the directory.
· Can you connect Active Directory to other 3rd-party Directory
Services? Name a few options.
-Yes you can connect other vendors Directory Services with
Microsoft’s version.
-Yes, you can use dirXML or LDAP to connect to other directories
(ie. E-directory from Novell or NDS (Novel
directory System).
-Yes you can Connect Active Directory to other 3rd -party
Directory Services such as dictonaries used by
SAP, Domino etc with the help of MIIS ( Microsoft Identity
Integration Server )
· Where is the AD database held? What other folders are related to
AD?
AD Database is saved in %systemroot%/ntds. You can see other files
also in this folder. These are the main
files controlling the AD structure
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the Win2K database, triggering a write
operation, Win2K records the transaction
in the log file (edb.log). Once written to the log file, the
change is then written to the AD database. System
performance determines how fast the system writes the data to the
AD database from the log file. Any time
the system is shut down, all transactions are saved to the
database.
During the installation of AD, Windows creates two files: res1.log
and res2.log. The initial size of each is
10MB. These files are used to ensure that changes can be written
to disk should the system run out of free
disk space. The checkpoint file (edb.chk) records transactions
committed to the AD database (ntds.dit).
During shutdown, a “shutdown” statement is written to the edb.chk
file. Then, during a reboot, AD
determines that all transactions in the edb.log file have been
committed to the AD database. If, for some
reason, the edb.chk file doesn’t exist on reboot or the shutdown
statement isn’t present, AD will use the
edb.log file to update the AD database.
The last file in our list of files to know is the AD database
itself, ntds.dit. By default, the file is located
in\NTDS, along with the other files we’ve discussed
· What is the SYSVOL folder?
- All active directory data base security related information
store in SYSVOL folder and its only created on
NTFS partition.
- The Sysvol folder on a Windows domain controller is used to
replicate file-based data among domain
controllers. Because junctions are used within the Sysvol folder
structure, Windows NT file system (NTFS)
version 5.0 is required on domain controllers throughout a Windows
distributed file system (DFS) forest.
This is a quote from microsoft themselves, basically the domain
controller info stored in files like your
group policy stuff is replicated through this folder structure
· Name the AD NCs and replication issues for each NC
*Schema NC, *Configuration NC, Domain NC
Schema NC This NC is replicated to every other domain controller
in the forest. It contains information
about the Active Directory schema, which in turn defines the
different object classes and attributes within
Active Directory.
Configuration NC Also replicated to every other DC in the forest,
this NC contains forest-wide
configuration information pertaining to the physical layout of
Active Directory, as well as information about
display specifiers and forest-wide Active Directory quotas.
Domain NC This NC is replicated to every other DC within a single
Active Directory domain. This is the NC
that contains the most commonly-accessed Active Directory data:
the actual users, groups, computers, and
other objects that reside within a particular Active Directory
domain.
· What are application partitions? When do I use them
Application directory partitions: These are specific to Windows
Server 2003 domains.
An application directory partition is a directory partition that
is replicated only to specific domain
controllers. A domain controller that participates in the
replication of a particular application directory
partition hosts a replica of that partition. Only Domain
controllers running Windows Server 2003 can host a
replica of an application directory partition.
· How do you create a new application partition
http://wiki.answers.com/Q/How_do_you_create_a_new_application_partition
· How do you view replication properties for AD partitions and DCs?
By using replication monitor
go to start > run > type replmon
· What is the Global Catalog?
The global catalog contains a complete replica of all objects in
Active Directory for its Host domain, and
contains a partial replica of all objects in Active Directory for
every other domain in the forest.
The global catalog is a distributed data repository that contains
a searchable, partial representation of
every object in every domain in a multidomain Active Directory
forest. The global catalog is stored on
domain controllers that have been designated as global catalog
servers and is distributed through
multimaster replication. Searches that are directed to the global
catalog are faster because they do not
involve referrals to different domain controllers.
In addition to configuration and schema directory partition
replicas, every domain controller in a Windows
2000 Server or Windows Server 2003 forest stores a full, writable
replica of a single domain directory
partition. Therefore, a domain controller can locate only the
objects in its domain. Locating an object in a
different domain would require the user or application to provide
the domain of the requested object.
The global catalog provides the ability to locate objects from any
domain without having to know the
domain name. A global catalog server is a domain controller that,
in addition to its full, writable domain
directory partition replica, also stores a partial, read-only
replica of all other domain directory partitions in
the forest. The additional domain directory partitions are partial
because only a limited set of attributes is
included for each object. By including only the attributes that
are most used for searching, every object in
every domain in even the largest forest can be represented in the
database of a single global catalog
server.
· How do you view all the GCs in the forest?
C:\>repadmin/showreps
domain_controller
OR
You can use Replmon.exe for the same purpose.
OR
AD Sites and Services and nslookup gc._msdcs.%USERDNSDOMAIN%
· Why not make all DCs in a large forest as GCs?
The reason that all DCs are not GCs to start is that in large (or
even Giant) forests the DCs would all have to
hold a reference to every object in the entire forest which could
be quite large and quite a replication
burden.
For a few hundred, or a few thousand users even, this not likely
to matter unless you have really poor WAN
lines.
· Trying to look at the Schema, how can I do that?
adsiedit.exe
option to view the schema
register schmmgmt.dll using this command
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc –> add snapin –> add Active directory schema
name it as schema.msc
Open administrative tool –> schema.msc
· What are the Support Tools? Why do I need them?
Support Tools are the tools that are used for performing the
complicated tasks easily. These can also be
the third party tools. Some of the Support tools include
DebugViewer, DependencyViewer, RegistryMonitor,
etc. -edit by Casquehead I beleive this question is reffering to
the Windows Server 2003 Support Tools,
which are included with Microsoft Windows Server 2003 Service Pack
2. They are also available for
download here:
http://www.microsoft.com/downloads/details.aspx?familyid=96A35011-FD83-419D-939BA772EA2DF90&
displaylang=en
You need them because you cannot properly manage an Active
Directory network without them.
Here they are, it would do you well to familiarize yourself with
all of them.
Acldiag.exe
Adsiedit.msc
Bitsadmin.exe
Dcdiag.exe
Dfsutil.exe
Dnslint.exe
Dsacls.exe
Iadstools.dll
Ktpass.exe
Ldp.exe
Netdiag.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repadmin.exe
Replmon.exe
Setspn.exe
> What is REPLMON? What is ADSIEDIT? What is NETDOM? What is
REPADMIN?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts
as a low-level editor for Active
Directory. It is a Graphical User Interface (GUI) tool. Network
administrators can use it for common
administrative tasks such as adding, deleting, and moving objects
with a directory service. The attributes
for each object can be edited or deleted by using this tool.
ADSIEdit uses the ADSI application
programming interfaces (APIs) to access Active Directory. The
following are the required files for using this
tool:
. ADSIEDIT.DLL
. ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory
environment and Microsoft
Management Console (MMC) is necessary
A: Replmon is the first tool you should use when troubleshooting
Active Directory replication issues. As it is
a graphical tool, replication issues are easy to see and somewhat
easier to diagnose than using its
command line counterparts. The purpose of this document is to
guide you in how to use it, list some
common replication errors and show some examples of when
replication issues can stop other network
installation actions.
for more go to
http://www.techtutorials.net/articles/replmon_howto_a.html
NETDOM is a command-line tool that allows management of Windows
domains and trust relationships. It is
used for batch management of trusts, joining computers to domains,
verifying trusts, and secure channels
A:
Enables administrators to manage Active Directory domains and
trust relationships from the command
prompt.
Netdom is a command-line tool that is built into Windows Server
2008. It is available if you have the Active
Directory Domain Services (AD DS) server role installed. To use
netdom, you must run
the netdom command from an elevated command prompt. To open an
elevated command prompt,
click Start, right-click Command Prompt, and then click Run as
administrator.
REPADMIN.EXE is a command line tool used to monitor and
troubleshoot replication on a computer running
Windows. This is a command line tool that allows you to view the
replication topology as seen from the
perspective of each domain controller.
REPADMIN is a built-in Windows diagnostic command-line utility
that works at the Active Directory level.
Although specific to Windows, it is also useful for diagnosing
some Exchange replication problems, since
Exchange Server is Active Directory based.
REPADMIN doesn’t actually fix replication problems for you. But,
you can use it to help determine the
source of a malfunction.
· What are sites? What are they used for?
Active directory sites, which consist of well-connected networks
defined by IP subnets that help define the
physical structure of your AD, give you much better control over
replication traffic and authentication
traffic than the control you get with Windows NT 4.0 domains.
Using Active Directory, the network and its objects are organized
by constructs such as domains, trees,
forests, trust relationships, organizational units (OUs), and sites.
· What’s the difference between a site link’s schedule and interval?
Schedule enables you to list weekdays or hours when the site link
is available for replication to happen in
the give interval. Interval is the re occurrence of the inter site
replication in given minutes. It ranges from
15 – 10,080 mins. The default interval is 180 mins.
· What is the KCC?
The KCC is a built-in process that runs on all domain controllers
and generates replication topology for the
Active Directory forest. The KCC creates separate replication
topologies depending on whether replication
is occurring within a site (intrasite) or between sites
(intersite). The KCC also dynamically adjusts the
topology to accommodate new domain controllers, domain controllers
moved to and from sites, changing
costs and schedules, and domain controllers that are temporarily
unavailable.
· What is the ISTG? Who has that role by default?
Intersite Topology Generator (ISTG), which is responsible for the
connections among the sites. By default
Windows 2003 Forest level functionality has this role. By Default
the first Server has this role. If that server
can no longer preform this role then the next server with the
highest GUID then takes over the role of ISTG.
·
What are the requirements for installing AD on a new server?
. An NTFS partition with enough free space (250MB minimum)
. An Administrator’s username and password
. The correct operating system version
. A NIC
. Properly configured TCP/IP (IP address, subnet mask and –
optional – default gateway)
. A network connection (to a hub or to another computer via a
crossover cable)
. An operational DNS server (which can be installed on the DC
itself)
. A Domain name that you want to use
. The Windows 2000 or Windows Server 2003 CD media (or at least
the i386 folder)
From the Petri IT Knowledge base. For more info, follow this link:
http://www.petri.co.il/active_directory_installation_requirements.htm
· What can you do to promote a server to DC if you’re in a remote
location with slow WAN link?
First available in Windows 2003, you will create a copy of the
system state from an existing DC and copy it
to the new remote server. Run “Dcpromo /adv”. You will be prompted
for the location of the system state
files
· How can you forcibly remove AD from a server, and what do you do
later? • Can I get user passwords
from the AD database?
Demote the server using dcpromo /forceremoval, then remove the
metadata from Active directory using
ndtsutil. There is no way to get user passwords from AD that I am
aware of, but you should still be able to
change them.
Another way out too
Restart the DC is DSRM mode
a. Locate the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions
b. In the right-pane, double-click ProductType.
c. Type ServerNT in the Value data box, and then click OK.
Restart the server in normal mode
its a member server now but AD entries are still there. Promote
teh server to a fake domain say ABC.com
and then remove gracefully using DCpromo. Else after restart you
can also use ntdsutil to do metadata as
told in teh earlier post
· What tool would I use to try to grab security related packets from
the wire?
you must use sniffer-detecting tools to help stop the snoops. … A
good packet sniffer would be “ethereal”
www.ethereal.com
· Name some OU design considerations ?
OU design requires balancing requirements for delegating
administrative rights – independent of Group
Policy needs – and the need to scope the application of Group
Policy. The following OU design
recommendations address delegation and scope issues:
Applying Group Policy An OU is the lowest-level Active Directory
container to which you can assign Group
Policy settings.
Delegating administrative authority
usually don’t go more than 3 OU levels
· What is tombstone lifetime attribute?
The number of days before a deleted object is removed from the
directory services. This assists in
removing objects from replicated servers and preventing restores
from reintroducing a deleted object. This
value is in the Directory Service object in the configuration NIC
by default 2000 (60 days) 2003 (180 days)
·
What do you do to install a new Windows 2003 DC in a Windows 2000
AD?
If you plan to install windows 2003 server domain controllers into
an existing windows 2000 domain or
upgrade a windows 2000 domain controllers to windows server 2003,
you first need to run the Adprep.exe
utility on the windows 2000 domain controllers currently holding
the schema master and infrastructure
master roles. The adprep / forestprer command must first be issued
on the windows 2000 server holding
schema master role in the forest root doman to prepare the
existing schema to support windows 2003
active directory. The adprep /domainprep command must be issued on
the sever holding the infrastructure
master role in the domain where 2000 server will be deployed.
· What do you do to install a new Windows 2003 R2 DC in a Windows
2003 AD?
A. If you’re installing Windows 2003 R2 on an existing Windows
2003 server with SP1 installed, you require
only the second R2 CD-ROM. Insert the second CD and the r2auto.exe
will display the Windows 2003 R2
Continue Setup screen.
If you’re installing R2 on a domain controller (DC), you must
first upgrade the schema to the R2 version
(this is a minor change and mostly related to the new Dfs
replication engine). To update the schema, run
the Adprep utility, which you’ll find in the Cmpnents\r2\adprep
folder on the second CD-ROM. Before
running this command, ensure all DCs are running Windows 2003 or
Windows 2000 with SP2 (or later)
· How would you find all users that have not logged on since last
month?
http://wiki.answers.com/Q/How_would_you_find_all_users_that_have_not_logged_on_since_last_month
· What are the DScommands?
New DS (Directory Service) Family of built-in command line
utilities for Windows Server 2003 Active
Directory
New DS built-in tools for Windows Server 2003
The DS (Directory Service) group of commands are split into two
families. In one branch are DSadd, DSmod,
DSrm and DSMove and in the other branch are DSQuery and DSGet.
When it comes to choosing a scripting tool for Active Directory
objects, you really are spoilt for choice. The
the DS family of built-in command line executables offer
alternative strategies to CSVDE, LDIFDE and
VBScript.
Let me introduce you to the members of the DS family:
DSadd – add Active Directory users and groups
DSmod – modify Active Directory objects
DSrm – to delete Active Directory objects
DSmove – to relocate objects
DSQuery – to find objects that match your query attributes
DSget – list the properties of an object
· What are the FSMO roles? Who has them by default? What happens
when each one fails?
FSMO stands for the Flexible single Master Operation
It has 5 Roles: -
· Schema Master:
The schema master domain controller controls all updates and
modifications to the schema. Once the
Schema update is complete, it is replicated from the schema master
to all other DCs in the directory. To
update the schema of a forest, you must have access to the schema
master. There can be only one schema
master in the whole forest.
· Domain naming master:
The domain naming master domain controller controls the addition
or removal of domains in the forest.
This DC is the only one that can add or remove a domain from the
directory. It can also add or remove
cross references to domains in external directories. There can be
only one domain naming master in the
whole forest.
· Infrastructure Master:
When an object in one domain is referenced by another object in
another domain, it represents the
reference by the GUID, the SID (for references to security principals),
and the DN of the object being
referenced. The infrastructure FSMO role holder is the DC
responsible for updating an object’s SID and
distinguished name in a cross-domain object reference. At any one
time, there can be only one domain
controller acting as the infrastructure master in each domain.
Note: The Infrastructure Master (IM) role should be held by a
domain controller that is not a Global Catalog
server (GC). If the Infrastructure Master runs on a Global Catalog
server it will stop updating object
information because it does not contain any references to objects
that it does not hold. This is because a
Global Catalog server holds a partial replica of every object in
the forest. As a result, cross-domain object
references in that domain will not be updated and a warning to
that effect will be logged on that DC’s event
log. If all the domain controllers in a domain also host the
global catalog, all the domain controllers have
the current data, and it is not important which domain controller
holds the infrastructure master role.
· Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests
from all domain controllers in a particular
domain. When a DC creates a security principal object such as a
user or group, it attaches a unique Security
ID (SID) to the object. This SID consists of a domain SID (the
same for all SIDs created in a domain), and a
relative ID (RID) that is unique for each security principal SID
created in a domain. Each DC in a domain is
allocated a pool of RIDs that it is allowed to assign to the
security principals it creates. When a DC’s
allocated RID pool falls below a threshold, that DC issues a
request for additional RIDs to the domain’s RID
master. The domain RID master responds to the request by
retrieving RIDs from the domain’s unallocated
RID pool and assigns them to the pool of the requesting DC. At any
one time, there can be only one
domain controller acting as the RID master in the domain.
· PDC Emulator:
The PDC emulator is necessary to synchronize time in an
enterprise. Windows 2000/2003 includes the
W32Time (Windows Time) time service that is required by the
Kerberos authentication protocol. All
Windows 2000/2003-based computers within an enterprise use a
common time. The purpose of the time
service is to ensure that the Windows Time service uses a
hierarchical relationship that controls authority
and does not permit loops to ensure appropriate common time usage.
The PDC emulator of a domain is authoritative for the domain. The
PDC emulator at the root of the forest
becomes authoritative for the enterprise, and should be configured
to gather the time from an external
source. All PDC FSMO role holders follow the hierarchy of domains
in the selection of their in-bound time
partner.
:: In a Windows 2000/2003 domain, the PDC emulator role holder
retains the following functions:
:: Password changes performed by other DCs in the domain are
replicated preferentially to the PDC
emulator.
Authentication failures that occur at a given DC in a domain
because of an incorrect password are
forwarded to the PDC emulator before a bad password failure
message is reported to the user.
Account lockout is processed on the PDC emulator.
Editing or creation of Group Policy Objects (GPO) is always done
from the GPO copy found in the PDC
Emulator’s SYSVOL share, unless configured not to do so by the
administrator.
The PDC emulator performs all of the functionality that a
Microsoft Windows NT 4.0 Server-based PDC or
earlier PDC performs for Windows NT 4.0-based or earlier clients.
This part of the PDC emulator role becomes unnecessary when all
workstations, member servers, and
domain controllers that are running Windows NT 4.0 or earlier are
all upgraded to Windows 2000/2003.
The PDC emulator still performs the other functions as described
in a Windows 2000/2003 environment.
· What FSMO placement considerations do you know of?
Windows 2000/2003 Active Directory domains utilize a Single
Operation Master method called FSMO
(Flexible Single Master Operation), as described in Understanding
FSMO Roles in Active Directory.
In most cases an administrator can keep the FSMO role holders (all
5 of them) in the same spot (or actually,
on the same DC) as has been configured by the Active Directory
installation process. However, there are
scenarios where an administrator would want to move one or more of
the FSMO roles from the default
holder DC to a different DC.
Windows Server 2003 Active Directory is a bit different than the
Windows 2000 version when dealing with
FSMO placement. In this article I will only deal with Windows
Server 2003 Active Directory, but you should
bear in mind that most considerations are also true when planning
Windows 2000 AD FSMO roles
· What’s the difference between transferring a FSMO role and seizing
one? Which one should you NOT
seize? Why?
Certain domain and enterprise-wide operations that are not good
for multi-master updates are performed
by a single domain controller in an Active Directory domain or
forest. The domain controllers that are
assigned to perform these unique operations are called operations
masters or FSMO role holders.
The following list describes the 5 unique FSMO roles in an Active
Directory forest and the dependent
operations that they perform:
· Schema master – The Schema master role is forest-wide and there is
one for each forest. This role is
required to extend the schema of an Active Directory forest or to
run theadprep
/domainprep command.
· Domain naming master – The Domain naming master role is
forest-wide and there is one for each
forest. This role is required to add or remove domains or
application partitions to or from a forest.
· RID master – The RID master role is domain-wide and there is one
for each domain. This role is required
to allocate the RID pool so that new or existing domain
controllers can create user accounts, computer
accounts or security groups.
· PDC emulator – The PDC emulator role is domain-wide and there is
one for each domain. This role is
required for the domain controller that sends database updates to
Windows NT backup domain
controllers. The domain controller that owns this role is also
targeted by certain administration tools
and updates to user account and computer account passwords.
· Infrastructure master – The Infrastructure master role is
domain-wide and there is one for each domain.
This role is required for domain controllers to run the adprep
/forestprep command successfully and to
update SID attributes and distinguished name attributes for
objects that are referenced across domains.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all
5 FSMO roles to the first domain
controller in the forest root domain. The first domain controller
in each new child or tree domain is
assigned the three domain-wide roles. Domain controllers continue
to own FSMO roles until they are
reassigned by using one of the following methods:
· An administrator reassigns the role by using a GUI administrative
tool.
· An administrator reassigns the role by using the ntdsutil /roles
command.
· An administrator gracefully demotes a role-holding domain controller
by using the Active Directory
Installation Wizard. This wizard reassigns any locally-held roles
to an existing domain controller in the
forest. Demotions that are performed by using the dcpromo
/forceremoval command leave FSMO roles
in an invalid state until they are reassigned by an administrator.
We recommend that you transfer FSMO roles in the following
scenarios:
· The current role holder is operational and can be accessed on the
network by the new FSMO owner.
· You are gracefully demoting a domain controller that currently
owns FSMO roles that you want to assign
to a specific domain controller in your Active Directory forest.
· The domain controller that currently owns FSMO roles is being
taken offline for scheduled maintenance
and you need specific FSMO roles to be assigned to a “live” domain
controller. This may be required to
perform operations that connect to the FSMO owner. This would be
especially true for the PDC Emulator
role but less true for the RID master role, the Domain naming master
role and the Schema master roles.
We recommend that you seize FSMO roles in the following scenarios:
· The current role holder is experiencing an operational error that
prevents an FSMO-dependent
operation from completing successfully and that role cannot be
transferred.
· A domain controller that owns an FSMO role is force-demoted by
using the dcpromo
/forceremoval command.
· The operating system on the computer that originally owned a
specific role no longer exists or has been
reinstalled.
As replication occurs, non-FSMO domain controllers in the domain
or forest gain full knowledge of changes
that are made by FSMO-holding domain controllers. If you must
transfer a role, the best candidate domain
controller is one that is in the appropriate domain that last
inbound-replicated, or recently inboundreplicated
a writable copy of the “FSMO partition” from the existing role
holder. For example, the Schema
master role-holder has a distinguished name path of
CN=schema,CN=configuration,dc=<forest root
domain>, and this mean that roles reside in and are replicated
as part of the CN=schema partition. If the
domain controller that holds the Schema master role experiences a
hardware or software failure, a good
candidate role-holder would be a domain controller in the root
domain and in the same Active Directory
site as the current owner. Domain controllers in the same Active
Directory site perform inbound replication
every 5 minutes or 15 seconds.
A domain controller whose FSMO roles have been seized should not
be permitted to communicate with
existing domain controllers in the forest. In this scenario, you
should either format the hard disk and
reinstall the operating system on such domain controllers or
forcibly demote such domain controllers on a
private network and then remove their metadata on a surviving
domain controller in the forest by using
the ntdsutil /metadata cleanup command. The risk of introducing a
former FSMO role holder whose role
has been seized into the forest is that the original role holder
may continue to operate as before until it
inbound-replicates knowledge of the role seizure. Known risks of
two domain controllers owning the same
FSMO roles include creating security principals that have
overlapping RID pools, and other problems.
Transfer
FSMO roles
To transfer the FSMO roles by using the Ntdsutil utility, follow
these steps:
1. Log on to a Windows 2000 Server-based or Windows Server
2003-based member computer or domain
controller that is located in the forest where FSMO roles are being
transferred. We recommend that you
log on to the domain controller that you are assigning FSMO roles
to. The logged-on user should be a
member of the Enterprise Administrators group to transfer Schema
master or Domain naming master
roles, or a member of the Domain Administrators group of the
domain where the PDC emulator, RID
master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then
click OK.
3. Type roles, and then press ENTER.Note To see a list of
available commands at any one of the prompts in
the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER,
where servername is the name of the domain
controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that
you can
transfer, type ? at the fsmo maintenance prompt, and then press
ENTER, or see the list of roles at the
start of this article. For example, to transfer the RID master
role, type transfer rid master. The one
exception is for the PDC emulator role, whose syntax is transfer
pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to
gain access to the ntdsutil prompt.
Type q, and then press ENTER to quit the Ntdsutil utility.
Seize
FSMO roles
To seize the FSMO roles by using the Ntdsutil utility, follow
these steps:
1. Log on to a Windows 2000 Server-based or Windows Server
2003-based member computer or domain
controller that is located in the forest where FSMO roles are
being seized. We recommend that you log
on to the domain controller that you are assigning FSMO roles to.
The logged-on user should be a
member of the Enterprise Administrators group to transfer schema
or domain naming master roles, or a
member of the Domain Administrators group of the domain where the
PDC emulator, RID master and
the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then
click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER,
where servername is the name of the domain
controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you
can seize, type ?
at the fsmo maintenance prompt, and then press ENTER, or see the
list of roles at the start of this
article. For example, to seize the RID master role, type seize rid
master. The one exception is for the
PDC emulator role, whose syntax is seize pdc, not seize pdc
emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to
gain access to the ntdsutil prompt.
Type q, and then press ENTER to quit the Ntdsutil utility.Notes
o Under typical conditions, all five roles must be assigned to “live”
domain controllers in the
forest. If a domain controller that owns a FSMO role is taken out
of service before its roles are
transferred, you must seize all roles to an appropriate and
healthy domain controller. We
recommend that you only seize all roles when the other domain
controller is not returning to
the domain. If it is possible, fix the broken domain controller
that is assigned the FSMO roles.
You should determine which roles are to be on which remaining
domain controllers so that all
five roles are assigned to a single domain controller. For more
information about FSMO role
placement, click the following article number to view the article
in the Microsoft Knowledge
Base: 223346 (http://support.microsoft.com/kb/223346/ ) FSMO
placement and optimization
on Windows 2000 domain controllers
o If the domain controller that formerly held any FSMO role is not
present in the domain and if it
has had its roles seized by using the steps in this article,
remove it from the Active Directory by
following the procedure that is outlined in the following
Microsoft Knowledge Base article:
216498 (http://support.microsoft.com/kb/216498/ ) How to remove
data in active directory
after an unsuccessful domain controller demotion
o Removing domain controller metadata with the Windows 2000 version
or the Windows Server
2003 build 3790 version of the ntdsutil /metadata cleanup command
does not relocate FSMO
roles that are assigned to live domain controllers. The Windows
Server 2003 Service Pack 1
(SP1) version of the Ntdsutil utility automates this task and
removes additional elements of
domain controller metadata.
o Some customers prefer not to restore system state backups of FSMO
role-holders in case the
role has been reassigned since the backup was made.
o Do not put the Infrastructure master role on the same domain
controller as the global catalog
server. If the Infrastructure master runs on a global catalog
server it stops updating object
information because it does not contain any references to objects
that it does not hold. This is
because a global catalog server holds a partial replica of every
object in the forest.
To test whether a domain controller is also a global catalog
server:
1. Click Start, point to Programs, point to Administrative Tools,
and then click Active Directory Sites and
Services.
2. Double-click Sites in the left pane, and then locate the
appropriate site or click Default-first-sitename
if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller’s folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if
it is selected.
For more information about FSMO roles, click the following article
numbers to view the articles in the
Microsoft Knowledge Base:
· How do you configure a “stand-by operation master” for any of the
roles?
1. Open Active Directory Sites and Services.
2. Expand the site name in which the standby operations master is
located to display the Servers folder.
3. Expand the Servers folder to see a list of the servers in that
site.
4. Expand the name of the server that you want to be the standby
operations master to display its NTDS
Settings.
5. Right-click NTDS Settings, click New, and then click
Connection.
6. In the Find Domain Controllers dialog box, select the name of
the current role holder, and then click OK.
7. In the New Object-Connection dialog box, enter an appropriate
name for the Connection object or
accept the default name, and click OK.
· How do you backup AD?
Backing up Active Directory is essential to maintain an Active
Directory database. You can back up Active
Directory by using the Graphical User Interface (GUI) and
command-line tools that the Windows Server
2003 family provides.
You frequently backup the system state data on domain controllers
so that you can restore the most
current data. By establishing a regular backup schedule, you have
a better chance of recovering data when
necessary.
To ensure a good backup includes at least the system state data
and contents of the system disk, you must
be aware of the tombstone lifetime. By default, the tombstone is
60 days. Any backup older than 60 days is
not a good backup. Plan to backup at least two domain controllers
in each domain, one of at least one
backup to enable an authoritative restore of the data when
necessary.
System State Data
Several features in the windows server 2003 family make it easy to
backup Active Directory. You can
backup Active Directory while the server is online and other
network function can continue to function.
System state data on a domain controller includes the following
components:
Active Directory system state data does not contain Active
Directory unless the server, on which you are
backing up the system state data, is a domain controller. Active
Directory is present only on domain
controllers.
The SYSVOL shared folder: This shared folder contains Group policy
templates and logon scripts. The
SYSVOL shared folder is present only on domain controllers.
The Registry: This database repository contains information about
the computer’s configuration.
System startup files: Windows Server 2003 requires these files
during its initial startup phase. They include
the boot and system files that are under windows file protection
and used by windows to load, configure,
and run the operating system.
The COM+ Class Registration database: The Class registration is a
database of information about
Component Services applications.
The Certificate Services database: This database contains
certificates that a server running Windows server
2003 uses to authenticate users. The Certificate Services database
is present only if the server is operating
as a certificate server.
System state data contains most elements of a system’s
configuration, but it may not include all of the
information that you require recovering data from a system
failure. Therefore, be sure to backup all boot
and system volumes, including the System State, when you back up
your server.
Restoring Active Directory
In Windows Server 2003 family, you can restore the Active Directory
database if it becomes corrupted or is
destroyed because of hardware or software failures. You must
restore the Active Directory database when
objects in Active Directory are changed or deleted.
Active Directory restore can be performed in several ways.
Replication synchronizes the latest changes
from every other replication partner. Once the replication is
finished each partner has an updated version
of Active Directory. There is another way to get these latest
updates by Backup utility to restore replicated
data from a backup copy. For this restore you don’t need to
configure again your domain controller or no
need to install the operating system from scratch.
Active Directory Restore Methods
You can use one of the three methods to restore Active Directory
from backup media: primary restore,
normal (non authoritative) restore, and authoritative restore.
Primary restore: This method rebuilds the first domain controller
in a domain when there is no other way to
rebuild the domain. Perform a primary restore only when all the
domain controllers in the domain are lost,
and you want to rebuild the domain from the backup.
Members of Administrators group can perform the primary restore on
local computer, or user should have
been delegated with this responsibility to perform restore. On a
domain controller only Domain Admins can
perform this restore.
Normal restore: This method reinstates the Active Directory data
to the state before the backup, and then
updates the data through the normal replication process. Perform a
normal restore for a single domain
controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a
normal restore. An authoritative restore
marks specific data as current and prevents the replication from
overwriting that data. The authoritative
data is then replicated through the domain.
Perform an authoritative restore individual object in a domain
that has multiple domain controllers. When
you perform an authoritative restore, you lose all changes to the
restore object that occurred after the
backup. Ntdsutil is a command line utility to perform an
authoritative restore along with windows server
2003 system utilities. The Ntdsutil command-line tool is an
executable file that you use to mark Active
Directory objects as authoritative so that they receive a higher
version recently changed data on other
domain controllers does not overwrite system state data during
replication.
· How do you restore AD?
Restoring Active Directory :
In Windows Server 2003 family, you can restore the Active
Directory database if it becomes corrupted or is
destroyed because of hardware or software failures. You must
restore the Active Directory database when
objects in Active Directory are changed or deleted.
Active Directory restore can be performed in several ways.
Replication synchronizes the latest changes
from every other replication partner. Once the replication is
finished each partner has an updated version
of Active Directory. There is another way to get these latest
updates by Backup utility to restore replicated
data from a backup copy. For this restore you don’t need to
configure again your domain controller or no
need to install the operating system from scratch.
Active Directory Restore Methods
You can use one of the three methods to restore Active Directory
from backup media: primary restore,
normal (non authoritative) restore, and authoritative restore.
Primary restore: This method rebuilds the first domain controller
in a domain when there is no other way to
rebuild the domain. Perform a primary restore only when all the
domain controllers in the domain are lost,
and you want to rebuild the domain from the backup.
Members of Administrators group can perform the primary restore on
local computer, or user should have
been delegated with this responsibility to perform restore. On a
domain controller only Domain Admins can
perform this restore.
Normal restore: This method reinstates the Active Directory data
to the state before the backup, and then
updates the data through the normal replication process. Perform a
normal restore for a single domain
controller to a previously known good state.
Authoritative restore: You perform this method in tandem with a
normal restore. An authoritative restore
marks specific data as current and prevents the replication from
overwriting that data. The authoritative
data is then replicated through the domain.
Perform an authoritative restore individual object in a domain
that has multiple domain controllers. When
you perform an authoritative restore, you lose all changes to the
restore object that occurred after the
backup. Ntdsutil is a command line utility to perform an
authoritative restore along with windows server
2003 system utilities. The Ntdsutil command-line tool is an
executable file that you use to mark Active
Directory objects as authoritative so that they receive a higher
version recently changed data on other
domain controllers does not overwrite system state data during
replication.
METHOD
A.
You can’t restore Active Directory (AD) to a domain controller
(DC) while the Directory Service (DS) is
running. To restore AD, perform the following steps.
Reboot the computer.
At the boot menu, select Windows 2000 Server. Don’t press Enter.
Instead, press F8 for advanced options.
You’ll see the following text. OS Loader V5.0
Windows NT Advanced Options Menu
Please select an option:
Safe Mode
Safe Mode with Networking
Safe Mode with Command Prompt
Enable Boot Logging
Enable VGA Mode
Last Known Good Configuration
Directory Services Restore Mode (Windows NT domain controllers
only)
Debugging Mode
Use | and | to move the highlight to your choice.
Press Enter to choose.
Scroll down, and select Directory Services Restore Mode (Windows
NT domain controllers only).
Press Enter.
When you return to the Windows 2000 Server boot menu, press Enter.
At the bottom of the screen, you’ll
see in red text Directory Services Restore Mode (Windows NT domain
controllers only).
The computer will boot into a special safe mode and won’t start
the DS. Be aware that during this time the
machine won’t act as a DC and won’t perform functions such as
authentication.
Start NT Backup.
Select the Restore tab.
Select the backup media, and select System State.
Click Start Restore.
Click OK in the confirmation dialog box.
After you restore the backup, reboot the computer and start in
normal mode to use the restored
information. The computer might hang after the restore completes;
Sometimes it takes a 30-minute wait
on some machines.
· How do you change the DS Restore admin password?
When you promote a Windows 2000 Server-based computer to a domain
controller, you are prompted to
type a Directory Service Restore Mode Administrator password. This
password is also used by Recovery
Console, and is separate from the Administrator password that is
stored in Active Directory after a
completed promotion.
The Administrator password that you use when you start Recovery
Console or when you press F8 to start
Directory Service Restore Mode is stored in the registry-based
Security Accounts Manager (SAM) on the
local computer. The SAM is located in the\System32\Config folder.
The SAM-based account and password
are computer specific and they are not replicated to other domain
controllers in the domain.
For ease of administration of domain controllers or for additional
security measures, you can change the
Administrator password for the local SAM. To change the local
Administrator password that you use when
you start Recovery Console or when you start Directory Service
Restore Mode, use the following method.
1. Log on to the computer as the administrator or a user who is a
member of the Administrators group. 2.
Shut down the domain controller on which you want to change the
password. 3. Restart the computer.
When the selection menu screen is displayed during restar, press
F8 to view advanced startup options. 4.
Click the Directory Service Restore Mode option. 5. After you log
on, use one of the following methods to
change the local Administrator password: • At a command prompt,
type the following command:
net user administrator
• Use the Local User and Groups snap-in (Lusrmgr.msc) to change
the Administrator password. 6. Shut
down and restart the computer. You can now use the Administrator
account to log on to Recovery Console
or Directory Services Restore Mode using the new password.
· Why can’t you restore a DC that was backed up 4 months ago?
Because of the tombstone life which is set to only 60 days
· What are GPOs?
Group Policy gives you administrative control over users and
computers in your network. By using Group
Policy, you can define the state of a user’s work environment
once, and then rely on Windows Server 2003
to continually force the Group Policy settings that you apply
across an entire organization or to specific
groups of users and computers.
Group Policy Advantages
You can assign group policy in domains, sites and organizational
units.
All users and computers get reflected by group policy settings in
domain, site and organizational unit.
No one in network has rights to change the settings of Group
policy; by default only administrator has full
privilege to change, so it is very secure.
Policy settings can be removed and can further rewrite the
changes.
Where GPO’s store Group Policy Information
Group Policy objects store their Group Policy information in two
locations:
Group Policy Container: The GPC is an Active Directory object that
contains GPO status, version
information, WMI filter information, and a list of components that
have settings in the GPO. Computers can
access the GPC to locate Group Policy templates, and domain
controller does not have the most recent
version of the GPO, replication occurs to obtain the latest
version of the GPO.
Group Policy Template: The GPT is a folder hierarchy in the shared
SYSVOL folder on a domain controller.
When you create GPO, Windows Server 2003 creates the corresponding
GPT which contains all Group Policy
settings and information, including administrative templates,
security, software installation, scripts, and
folder redirection settings. Computers connect to the SYSVOL
folder to obtain the settings.
The name of the GPT folder is the Globally Unique Identifier (GUID)
of the GPO that you created. It is
identical to the GUID that Active Directory uses to identify the
GPO in the GPC. The path to the GPT on a
domain controller is systemroot\SYSVOL\sysvol.
Managing GPOs
To avoid conflicts in replication, consider the selection of
domain controller, especially because the GPO
data resides in SYSVOL folder and the Active Directory. Active
Directory uses two independent replication
techniques to replicate GPO data among all domain controllers in
the domain. If two administrator’s
changes can overwrite those made by other administrator, depends
on the replication latency. By default
the Group Policy Management console uses the PDC Emulator so that
all administrators can work on the
same domain controller.
WMI Filter
WMI filters is use to get the current scope of GPOs based on
attributes of the user or computer. In this way,
you can increase the GPOs filtering capabilities beyond the
security group filtering mechanisms that were
previously available.
Linking can be done with WMI filter to a GPO. When you apply a GPO
to the destination computer, Active
Directory evaluates the filter on the destination computer. A WMI
filter has few queries that active Directory
evaluates in place of WMI repository of the destination computer.
If the set of queries is false, Active
Directory does not apply the GPO. If set of queries are true,
Active Directory applies the GPO. You write the
query by using the WMI Query Language (WQL); this language is
similar to querying SQL for WMI repository.
Planning a Group Policy Strategy for the Enterprise
When you plan an Active Directory structure, create a plan for GPO
inheritance, administration, and
deployment that provides the most efficient Group Policy management
for your organization.
Also consider how you will implement Group Policy for the
organization. Be sure to consider the delegation
of authority, separation of administrative duties, central versus
decentralized administration, and design
flexibility so that your plan will provide for ease of use as well
as administration.
Planning GPOs
Create GPOs in way that provides for the simplest and most
manageable design — one in which you can
use inheritance and multiple links.
Guidelines for Planning GPOs
Apply GPO settings at the highest level: This way, you take
advantage of Group Policy inheritance.
Determine what common GPO settings for the largest container are
starting with the domain and then link
the GPO to this container.
Reduce the number of GPOs: You reduce the number by using multiple
links instead of creating multiple
identical GPOs. Try to link a GPO to the broadest container
possible level to avoid creating multiple links of
the same GPO at a deeper level.
Create specialized GPOs: Use these GPOs to apply unique settings
when necessary. GPOs at a higher level
will not apply the settings in these specialized GPOs.
Disable computer or use configuration settings: When you create a
GPO to contain settings for only one of
the two levels-user and computer-disable the logon and prevents
accidental GPO settings from being
applied to the other area.
· What is the order in which GPOs are applied?
Local, Site, Domain, OU
Group Policy settings are processed in the following order:
1:- Local Group Policy object-each computer has exactly one Group
Policy object that is stored locally. This
processes for both computer and user Group Policy processing.
2:- Site-Any GPOs that have been linked to the site that the
computer belongs to are processed next.
Processing is in the order that is specified by the administrator,
on the Linked Group Policy Objects tab for
the site in Group Policy Management Console (GPMC). The GPO with
the lowest link order is processed last,
and therefore has the highest precedence.
3:- Domain-processing of multiple domain-linked GPOs is in the
order specified by the administrator, on
the Linked Group Policy Objects tab for the domain in GPMC. The
GPO with the lowest link order is
processed last, and therefore has the highest precedence.
4:- Organizational units-GPOs that are linked to the
organizational unit that is highest in the Active
Directory hierarchy are processed first, then GPOs that are linked
to its child organizational unit, and so on.
Finally, the GPOs that are linked to the organizational unit that
contains the user or computer are
processed.
At the level of each organizational unit in the Active Directory
hierarchy, one, many, or no GPOs can be
linked. If several GPOs are linked to an organizational unit,
their processing is in the order that is specified
by the administrator, on the Linked Group Policy Objects tab for
the organizational unit in GPMC. The GPO
with the lowest link order is processed last, and therefore has
the highest precedence.
This order means that the local GPO is processed first, and GPOs
that are linked to the organizational unit
of which the computer or user is a direct member are processed
last, which overwrites settings in the
earlier GPOs if there are conflicts. (If there are no conflicts,
then the earlier and later settings are merely
aggregated.)
· Name a few benefits of using GPMC.
Microsoft released the Group Policy Management Console (GPMC)
years ago, which is an amazing
innovation in Group Policy management. The tool provides control
over Group Policy in the following
manner:
· Easy administration of all GPOs across the entire Active Directory
Forest
· View of all GPOs in one single list
· Reporting of GPO settings, security, filters, delegation, etc.
· Control of GPO inheritance with Block Inheritance, Enforce, and
Security Filtering
· Delegation model
· Backup and restore of GPOs
· Migration of GPOs across different domains and forests
With all of these benefits, there are still negatives in using the
GPMC alone. Granted, the GPMC is needed
and should be used by everyone for what it is ideal for. However,
it does fall a bit short when you want to
protect the GPOs from the following:
· Role based delegation of GPO management
· Being edited in production, potentially causing damage to desktops
and servers
· Forgetting to back up a GPO after it has been modified
· Change management of each modification to every GPO
· How can you determine what GPO was and was not applied for a user?
Name a few ways to do that.
Simply use the Group Policy Management Console created by MS for
that very purpose, allows you to run
simulated policies on computers or users to determine what
policies are enforced. Link in sources
· What are administrative templates?
Administrative Templates are a feature of Group Policy, a Microsoft technology for centralised
management
of machines and users in an Active Directory environment.
Administrative Templates facilitate the management of
registry-based policy. An ADM file is used to
describe both the user interface presented to the Group Policy
administrator and the registry keys that
should be updated on the target machines. An ADM file is a text
file with a specific syntax which describes
both the interface and the registry values which will be changed
if the policy is enabled or disabled.
ADM files are consumed by the Group Policy Object Editor (GPEdit).
Windows XP Service Pack 2 shipped with
five ADM files (system.adm, inetres.adm, wmplayer.adm, conf.adm
and wuau.adm). These are merged into
a unified “namespace” in GPEdit and presented to the administrator
under the Administrative Templates
node (for both machine and user policy).
· What’s the difference between software publishing and assigning?
ANS An administrator can either assign or publish software
applications.
Assign Users
The software application is advertised when the user logs on. It
is installed when the user clicks on the
software application icon via the start menu, or accesses a file
that has been associated with the software
application.
Assign Computers
The software application is advertised and installed when it is
safe to do so, such as when the computer is
next restarted.
Publish to users
The software application does not appear on the start menu or
desktop. This means the user may not know
that the software is available. The software application is made
available via the Add/Remove Programs
option in control panel, or by clicking on a file that has been
associated with the application. Published
applications do not reinstall themselves in the event of
accidental deletion, and it is not possible to publish
to computers.
· Can I deploy non-MSI software with GPO?
How to create a third-party Microsoft Installer package
http://support.microsoft.com/kb/257718/
· You want to standardize the desktop environments (wallpaper, My
Documents, Start menu, printers etc.)
on the computers in one department. How would you do that?
Login on client as Domain Admin user change whatever you need add
printers etc go to system-User
profiles copy this user profile to any location by select Everyone
in permitted to use after copy change
ntuser.dat
to ntuser.man and assgin this path under user profile
No comments:
Post a Comment