Part - 1 : Windows Administrator: L1: Interview question & Answer for AD, DNS, DHCP, WINS & DFS
Active Directory
Active Directory is a centralized and standardized system, stores
information about objects in a network and makes this information available to
users and network administrators.
Domain Controller
In an Active Directory forest, the domain controller is a server
that contains a writable copy of the Active Directory database, participates in
Active Directory replication, and controls access to network resources.
Global catalog server
A global catalog server is a domain controller that stores
information about all objects in the forest. Like all domain controllers, a
global catalog server stores full, writable replicas of the schema and
configuration directory partitions and a full, writable replica of the domain
directory partition for the domain that it is hosting. In addition, a global
catalog server stores a partial, read-only replica of every other domain in the
forest. Partial replicas are stored on Global Catalog servers so that searches
of the entire directory can be achieved without requiring referrals from one
domain controller to another.
The partial information about other domains consists of a subset of classes and attributes (for example first name, last name, phone numbers and addresses). Windows Server 2003 brought attribute-level security improvements for this partial attribute set.
OU:
"Organizational Units" are administrative-level containers on a computer; they allow administrators to organize groups of users together so that any changes, security privileges or other administrative tasks can be accomplished more efficiently.
Domain:
A Windows domain is a logical grouping of computers that share common security and user account information.
Forest
A Windows forest is a group of one or more trusted Windows trees. The trees do not need to have contiguous DNS names. A forest shares a schema and global catalog servers. A single tree can also be called a forest.
Tree:
A Windows tree is a group of one or more trusted Windows domains with contiguous DNS domains. “Trusted” means that an authenticated account from one domain isn’t rejected by another domain. “Contiguous DNS domains” means that they all have the same root DNS name.
Site:
Sites are manually defined groupings of subnets. Objects in a site share the same global catalog servers, and can have a common set of group policies applied to them.
Schema:
The schema defines what attributes, objects, classes, and rules are available in the Active Directory.
SID (Security Identifier):
The SID is a unique name (alphanumeric character string) that is used to identify an object, such as a user or a group of users.
Group Policy
Group policy Architecture:
Group Policy objects (GPO):
A GPO is a
collection of Group Policy settings, stored at the domain level as a virtual
object consisting of a Group Policy container (GPC) and a Group Policy template
(GPT).
Password history is configured under Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy.
Group Policy Container (GPC)
The Group
Policy container (GPC) is an Active Directory container that contains GPO
properties, such as version information, GPO status, plus a list of other
component settings.
Group Policy Template (GPT)
The Group
Policy template (GPT) is a file system folder that includes policy data
specified by .adm files, security settings, script files, and information about
applications that are available for installation. The GPT is located in the
system volume folder (SysVol) in the domain \Policies sub-folder.
Filtering the Scope of a GPO
By default,
a GPO affects all users and computers that are contained in the linked site,
domain, or organizational unit. The administrator can further specify the
computers and users that are affected by a GPO by using membership in security
groups.
Starting
with Windows 2000, the administrator can add both computers and users to
security groups. Then the administrator can specify which security groups are
affected by the GPO by using the Access Control List editor.
Knowledge Consistency Checker (KCC)
The Knowledge Consistency Checker (KCC) is a Windows
component that automatically generates and maintains the intra-site and
inter-site replication topology.
Intrasite Replication
Replication that happens between controllers inside one site. All of the subnets inside the site should be connected by high speed network wires.
Intersite Replication
Intersite replication is
replication between sites and must be set up by an administrator. Simple Mail
Transfer Protocol (SMTP) may be used for replication between sites.
Active Directory Replication
Replication must often occur both within sites (intrasite) and between sites (intersite) to keep domain and forest data consistent among domain controllers that store the same directory partitions.
Adprep.exe
Adprep.exe is a command-line tool used to prepare a Microsoft Windows
2000 forest or a Windows 2000 domain for the installation of Windows Server
2003 domain controllers.
USE:
When Microsoft Exchange Server is
deployed in an organization, Exchange Server uses Active Directory as a data
store and it extends the Windows 2000 Active Directory schema to enable it to
store objects specific to Exchange Server. The ldapDisplayName of the attribute
schema ms-Exch-Assistant-Name, ms-Exch-LabeledURI, and ms-Exch-House-Identifier
defined by Exchange Server conflicts with the iNetOrgPerson schema that Active
Directory uses in Windows Server 2003. When Windows Server 2003 Service Pack 1
is installed, Adprep.exe will be able to detect the presence of the schema
conflict and block the upgrade of the schema until the issue has been resolved.
GUID:
When a new domain user or group account is
created, Active Directory stores the account's SID in the Object-SID
(objectSID) property of a User or Group object. It also assigns the new object
a globally unique identifier (GUID), which is a 128-bit value that is unique
not only in the enterprise but also across the world. GUIDs are assigned to
every object created by Active Directory, not just User and Group objects. Each
object's GUID is stored in its Object-GUID (objectGUID) property.
Active Directory uses GUIDs internally to
identify objects.
SID:
A security identifier (SID) is a data structure in binary format
that contains a variable number of values. When a DC creates
a security principal object such as a user or group, it attaches a unique
Security ID (SID) to the object. This SID consists of a domain SID (the same
for all SIDs created in a domain), and a relative ID (RID) that is unique for
each security Principal SID created in a domain.
Lingering objects
When a domain controller is disconnected for a period that is longer than the tombstone lifetime (TSL), one or more objects that are deleted from Active Directory on all other domain controllers may remain on the disconnected domain controller. Such objects are called lingering objects. Because the domain controller is offline during the time that the tombstone is alive, the domain controller never receives replication of the tombstone.
Sysvol
Sysvol is a shared directory that stores the server copy of the
domain’s public files, which are replicated among all domain controllers in the
domain. The Sysvol contains the data in a GPO: the GPT, which includes
Administrative Template-based Group Policy settings, security settings, script
files, and information regarding applications that are available for software
installation. It is replicated using the File Replication Service (FRS).
File Replication Service (FRS)
In Windows
2000, the SYSVOL share is used to authenticate users. The SYSVOL share includes
group policy information which is replicated to all local domain controllers.
File replication service (FRS) is used to replicate the SYSVOL share. The
"Active Directory Users and Computers" tool is used to change the
file replication service schedule.
Winlogon
A component of the Windows operating system that provides interactive logon support, Winlogon is the service in which the Group Policy engine runs.
Lightweight Directory Access Protocol (LDAP)
It defines how clients and servers exchange information about a directory. LDAP version 2 and version 3 are used by Windows 2000 Server's Active Directory.
An LDAP URL names the server holding Active Directory services and the Attributed Name of the object. For example:
LDAP://SomeServer.Myco.Com/CN=jamessmith,CN=Sys,CN=Product,CN=Division,DC=myco,DC=domain-controller
USN
Each object has an Update Sequence Number (USN), and if the object is modified, the USN is incremented. This number is different on each domain controller. The USN provides the key to multimaster replication.
Universal group membership caching
Due to available network bandwidth and server hardware limitations, it may not be practical to have a global catalog in smaller branch office locations. For these sites, you can deploy domain controllers running Windows Server 2003, which can store universal group membership information locally.
By default, the universal group membership information contained in the cache of each domain controller is refreshed every 8 hours. Up to 500 universal group memberships can be updated at once. Universal groups cannot be created in mixed mode.
What is an ACL or access-control list?
A list of security protections that applies to
an object. (An object can be a file, process, event, or anything else having a
security descriptor.)
What is an ACE or access-control entry?
ACE contains a set of access rights and a
security identifier (SID) that identifies a trustee for whom the rights are
allowed, denied, or audited.
Flexible Single Master Operations (FSMO)
MultiMaster Operation:
In Windows 2000 & 2003, every domain controller can
receive changes, and the changes are replicated to all other domain
controllers. The day-to-day operations that are associated with managing users,
groups, and computers are typically multimaster operations.
There is a set of Flexible Single Master Operations (FSMO) which
can only be done on a single controller. An administrator determines which
operations must be done on the master controller. These operations are all set
up on the master controller by default and can be transferred later. FSMO
operations types include:
Schema Master: The schema master domain controller controls all updates and modifications to the schema. There can be only one schema master in the whole forest.
Domain naming master: The domain naming master domain controller controls the addition or removal of domains in the forest and is responsible for ensuring that domain names are unique in the forest. There can be only one domain naming master in the whole forest.
Infrastructure Master:
Synchronizes cross-domain group membership changes. The infrastructure master cannot run on a global catalog server (unless all DCs are also GCs).
The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain.
When a group member from another domain is renamed, this role takes care of updating the membership reference.
Note: The Infrastructure Master (IM) role
should be held by a domain controller that is not a Global Catalog server (GC).
If the Infrastructure Master runs on a Global Catalog server it will stop
updating object information because it does not contain any references to
objects that it does not hold. This is because a Global Catalog server holds a
partial replica of every object in the forest. As a result, cross-domain object
references in that domain will not be updated and a warning to that effect will
be logged on that DC's event log. If all the domain controllers in a domain
also host the global catalog, all the domain controllers have the current data,
and it is not important which domain controller holds the infrastructure master
role.
Relative ID (RID) Master:
It assigns RIDs and SIDs to newly created objects such as users and computers. If the RID master is down, you can still create security objects as long as RID pools are available on the DCs; otherwise, you cannot create any object once it is down.
When a DC
creates a security principal object such as a user or group, it attaches a
unique Security ID (SID) to the object. This SID consists of a domain SID (the
same for all SIDs created in a domain), and a relative ID (RID) that is unique
for each security principal SID created in a domain.
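As an added illustration of the SID and RID split described in the SID and RID Master sections (example code written for this page, not from the original), the following Python splits a domain principal's SID into the shared domain SID and its RID and names the well-known RIDs. The sample SIDs are constructed.

```python
"""Split Windows domain SIDs into domain SID + RID (added example)."""
import re
from dataclasses import dataclass

# Well-known RIDs from Microsoft's documented list. Accounts can be renamed,
# but the RID cannot, so defenders key on the RID rather than the name.
WELL_KNOWN_RIDS = {
    500: "Administrator",
    501: "Guest",
    502: "krbtgt",
    512: "Domain Admins",
    513: "Domain Users",
    516: "Domain Controllers",
    518: "Schema Admins",
    519: "Enterprise Admins",
}

_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


@dataclass(frozen=True)
class DomainSid:
    domain_sid: str   # shared by every principal the domain creates
    rid: int          # relative ID, unique within the domain


def split_domain_sid(sid: str) -> DomainSid:
    """Split S-1-5-21-a-b-c-1105 into domain SID S-1-5-21-a-b-c and RID 1105.

    Raises ValueError for malformed SIDs and for SIDs that are not
    domain-scoped (e.g. BUILTIN S-1-5-32-544 or Everyone S-1-1-0).
    """
    if not _SID_RE.match(sid):
        raise ValueError(f"malformed SID: {sid!r}")
    parts = sid.split("-")
    authority = int(parts[2])
    subs = [int(p) for p in parts[3:]]
    # Domain SIDs are S-1-5-21-<three domain-specific values>; a principal adds one RID.
    if authority != 5 or len(subs) != 5 or subs[0] != 21:
        raise ValueError(f"not a domain principal SID: {sid!r}")
    return DomainSid("-".join(parts[:-1]), subs[-1])


def describe_rid(rid: int) -> str:
    """Name well-known RIDs; RIDs from 1000 upward come from the RID master's pools."""
    if rid in WELL_KNOWN_RIDS:
        return WELL_KNOWN_RIDS[rid]
    if rid >= 1000:
        return "pool-allocated"
    return "reserved (below 1000)"


def same_domain(sid_a: str, sid_b: str) -> bool:
    """True when two principals were issued by the same domain."""
    return split_domain_sid(sid_a).domain_sid == split_domain_sid(sid_b).domain_sid


if __name__ == "__main__":
    # Constructed sample SIDs (not real domain values)
    admin = "S-1-5-21-3623811015-3361044348-30300820-500"
    user = "S-1-5-21-3623811015-3361044348-30300820-1105"
    for s in (admin, user):
        d = split_domain_sid(s)
        print(f"{s}: domain={d.domain_sid} rid={d.rid} ({describe_rid(d.rid)})")
```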
PDC Emulator - When Active Directory is in mixed mode, the domain controller holding this role acts as a Windows NT PDC. The first server that becomes a Windows 2000 domain controller takes the role of PDC emulator by default.
Functions performed by the PDC emulator:
- User account changes and password changes.
- SAM directory replication requests.
- Domain master browser requests.
- Authentication requests.
- GPO
- Time synchronization
New Active Directory features in Windows Server 2003
- Multiple selection of user objects.
- Drag-and-drop functionality.
- Efficient search capabilities. Search functionality is object-oriented and provides an efficient search that minimizes
- Saved queries. Save commonly used search parameters for reuse in Active Directory Users and Computers.
- Active Directory command-line tools.
- InetOrgPerson class. The inetOrgPerson class has been added to the base schema as a security principal and can be used in the same manner as the user class. The userPassword attribute can also be used to set the account password.
- Ability to add additional domain controllers using backup media. Reduce the time it takes to add an additional domain controller in an existing domain by using backup media.
- Universal group membership caching. Prevent the need to locate a global catalog across a WAN when logging on by storing universal group membership information on an authenticating domain controller.
- Secure LDAP traffic. Active Directory administrative tools sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.
- Active Directory quotas. Quotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Domain Administrators and Enterprise
Windows Functional levels
Windows 2000 Active Directory domains have the concept of Mixed and Native Modes. The default mixed mode allows both NT and Windows 2000 domain controllers to coexist. Once you convert to Native Mode, you are only allowed to have Windows 2000 domain controllers in your domain. The conversion is a one-way conversion -- it cannot be reversed. In Windows Server 2003, Microsoft introduced forest and domain functional levels. The concept is rather similar to switching from Mixed to Native Mode in Windows 2000. The new functional levels give you additional capabilities that the previous functional levels didn’t have.
There are four domain functional levels:
- Windows 2000 Mixed (supports NT4/2000/2003 DCs)
- Windows 2000 Native (supports 2000/2003 DCs)
- Windows Server 2003 Interim (supports NT4/2003 DCs)
- Windows Server 2003 (supports only 2003 DCs)
And three forest functional levels:
- Windows 2000 (supports NT4/2000/2003 DCs)
- Windows 2000 Interim (supports NT4/2003 DCs)
- Windows Server 2003 (supports only 2003 DCs)
To raise the domain
functional level, you go to the properties of your domain in Active Directory
Domains and Trusts. To raise the forest functional level you go to the
properties of Active Directory Domains and Trusts at the root. Of course, if
your domains are not at the correct level, you won’t be able to raise the
forest functional level.
Directory partition
A directory partition, or naming context, is a contiguous Active Directory sub tree replicated on one or more Windows 2000 domain controllers in a forest. By default, each domain controller has a replica of three partitions: the schema partition, the configuration partition and a domain partition.
Schema partition
It contains all class and attribute definitions for the forest. There is one schema directory partition per forest.
Configuration partition
It contains replication configuration information (and other information) for the forest. There is one configuration directory partition per forest.
Domain partition
It contains all objects that are stored by one domain. There is one domain directory partition for each domain in the forest.
Application Directory Partition
Application directory partitions are most often used to store dynamic data. An application partition cannot contain security principals (users, groups, and computers). The KCC generates and maintains the replication topology for an application directory partition.
Application: The application partition is a new feature introduced in Windows Server 2003. This partition contains application-specific objects. The objects or data that applications and services store here can comprise any object type excluding security principals. Security principals are users, groups, and computers. The application partition typically contains DNS zone objects, and dynamic data from other network services such as Remote Access Service (RAS) and Dynamic Host Configuration Protocol (DHCP).
Dynamic Data:
A dynamic
entry is an object in the directory which has an associated time-to-live (TTL)
value. The TTL for an entry is set when the entry is created.
Security Principals - Objects that can have permissions assigned to them and that each contain a security identifier. The following objects are security principals:
- User
- Computer
- Group
RPC:
Active
Directory uses RPC over IP to transfer both intersite and intrasite replication
between domain controllers. To keep data secure while in transit, RPC over IP
replication uses both the Kerberos authentication protocol and data encryption.
SMTP:
If you have
a site that has no physical connection to the rest of your network, but that
can be reached using the Simple Mail Transfer Protocol (SMTP), that site has
mail-based connectivity only. SMTP replication is used only for replication
between sites. You also cannot use SMTP replication to replicate between domain
controllers in the same domain—only inter-domain replication is supported over
SMTP (that is, SMTP can be used only for inter-site, inter-domain replication).
SMTP replication can be used only for schema, configuration, and global catalog
partial replica replication. SMTP replication observes the automatically
generated replication schedule.
Changing of ntds.dit file from one Drive to another
1. Boot the domain controller in Directory Services Restore mode and log on with the Directory Services Restore mode administrator account and password (this is the password you assigned during the Dcpromo process).
2. At a command prompt, type ntdsutil.exe. You receive the following prompt: ntdsutil:
3. Type files to receive the following prompt: file maintenance:
4. Type info. Note the path of the database and log files.
5. To move the database, type move db to %s (where %s is the target folder).
6. To move the log files, type move logs to %s (where %s is the target folder).
7. Type quit twice to return to the command prompt.
8. Reboot the computer normally.
DNS
DNS (Domain Name system)
Domain Name System (DNS) is a database system
that translates a computer's fully qualified domain name into an IP address.
The local DNS resolver
The following graphic shows an
overview of the complete DNS query process.
DNS Zones
Forward lookup zone -
Name to IP address map.
Reverse lookup zone - IP address to name map.
Primary Zones - Hold read and write copies of all resource records (A, NS, SRV).
Secondary Zones - Hold read-only copies of the Primary Zones.
Stub Zones
Conceptually, stub
zones are like secondary zones in that they have a read only copy of a primary
zone. Stub zones are more efficient and create less replication traffic.
Stub Zones only have
3 records, the SOA for the primary zone, NS record and a Host (A) record.
The idea is that if a client queries a record in the Stub Zone, your DNS server
can refer that query to the correct Name Server because it knows its Host (A)
record.
Queries
Query types are:
Inverse - Getting the name from the IP address. These are used by servers
as a security check.
Iterative - Server gives its best answer. This type of inquiry is sent from
one server to another.
Recursive - Cannot refer the query to another name server.
Conditional Forwarding
Another classic use of forwarders is where companies have subsidiaries, partners or other organizations they know and query regularly. Instead of going the long way around using the root hints, the network administrators configure Conditional Forwarders.
Purpose of Resource Records
Without resource
records DNS could not resolve queries. The mission of a DNS Query is to
locate a server that is Authoritative for a particular domain. The easy
part is for the Authoritative server to check the name in the query against its
resource records.
SOA (start of authority) record - Each zone has one SOA record that identifies which DNS server is authoritative for domains and sub domains in the zone.
NS (name server) record - An NS record contains the FQDN and IP address of a DNS server authoritative for the zone. Each primary and secondary name server authoritative in the domain should have an NS record.
A (address) record - By far the most common type of resource record, an A record is used to resolve the FQDN of a particular host into its associated IP address.
CNAME (canonical name) record - A CNAME record contains an alias (alternate name) for a host.
PTR (pointer) record - The opposite of an A record, a PTR record is used to resolve the IP address of a host into its FQDN.
SRV (service) record - An SRV record is used by DNS clients to locate a server that is running a particular service—for example, to find a domain controller so you can log on to the network. SRV records are key to the operation of Active Directory.
MX (mail exchange) record - An MX record points to one or more computers that process SMTP mail for an organization or site.
Where DNS resource records will be stored:
After running DCPROMO, a text file containing the appropriate DNS resource records for the domain controller is created. The file, called Netlogon.dns, is created in the %systemroot%\System32\config folder and contains all the records needed to register the resource records of the domain controller. Netlogon.dns is used by the Windows 2000 NetLogon service and to support Active Directory for non-Windows 2000 DNS servers.
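Added example (not from the original page) covering the SRV record entry and the Netlogon.dns description above: a parser for Netlogon.dns-style lines plus a check that a domain controller's core SRV registrations are present with the expected ports, which is the first thing to verify when clients cannot locate a DC. The record text is a constructed sample, and the expected-record list is an assumption limited to the core LDAP, Kerberos and kpasswd entries.

```python
"""Check a DC's SRV registrations from Netlogon.dns-style records (added example)."""
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample in the shape Netlogon.dns uses: owner, TTL, class, type, rdata.
# Deliberately imperfect: _kpasswd is missing and _kerberos._tcp carries a wrong port.
SAMPLE_NETLOGON_DNS = """\
example.com. 600 IN A 10.0.0.5
_ldap._tcp.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 389 dc1.example.com.
_kerberos._tcp.dc._msdcs.example.com. 600 IN SRV 0 100 88 dc1.example.com.
_kerberos._tcp.example.com. 600 IN SRV 0 100 89 dc1.example.com.
_gc._tcp.example.com. 600 IN SRV 0 100 3268 dc1.example.com.
"""


@dataclass
class Record:
    name: str
    ttl: int
    rtype: str
    rdata: tuple


def parse_netlogon_dns(text: str) -> List[Record]:
    """Parse one record per line; ';' starts a comment, blank lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 5 or fields[2].upper() != "IN":
            raise ValueError(f"unexpected record line: {raw!r}")
        name, ttl, _cls, rtype, *rdata = fields
        records.append(Record(name.lower(), int(ttl), rtype.upper(), tuple(rdata)))
    return records


# Core SRV names a domain controller registers and the port each should carry
# (assumed subset for this example). {d} is the domain name with trailing dot.
EXPECTED_DC_SRV: Dict[str, int] = {
    "_ldap._tcp.dc._msdcs.{d}": 389,
    "_kerberos._tcp.dc._msdcs.{d}": 88,
    "_ldap._tcp.{d}": 389,
    "_kerberos._tcp.{d}": 88,
    "_kpasswd._tcp.{d}": 464,
}


def check_dc_registration(records: List[Record], domain: str, dc_fqdn: str) -> Dict[str, str]:
    """Return {srv_name: problem} for each expected SRV record that is missing
    for this DC or that points at the wrong port. An empty dict means all good."""
    domain = domain.rstrip(".").lower() + "."
    dc_fqdn = dc_fqdn.rstrip(".").lower() + "."
    by_name: Dict[str, List[Record]] = {}
    for r in records:
        # SRV rdata is (priority, weight, port, target); ignore malformed ones
        if r.rtype == "SRV" and len(r.rdata) == 4:
            by_name.setdefault(r.name, []).append(r)
    problems: Dict[str, str] = {}
    for pattern, port in EXPECTED_DC_SRV.items():
        name = pattern.format(d=domain)
        mine = [r for r in by_name.get(name, []) if r.rdata[3].lower() == dc_fqdn]
        if not mine:
            problems[name] = "missing"
        elif any(int(r.rdata[2]) != port for r in mine):
            problems[name] = f"wrong port (expected {port})"
    return problems


if __name__ == "__main__":
    recs = parse_netlogon_dns(SAMPLE_NETLOGON_DNS)
    for name, problem in sorted(check_dc_registration(recs, "example.com", "dc1.example.com").items()):
        print(f"{name}: {problem}")
```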
Procedures for changing a Server’s IP Address
Once DNS and replication are set up, it is generally a bad idea to change a server's IP address (at least according to Microsoft). Just be sure that is what you really want to do before starting the process. It is a bit akin to changing the internal IPX number of a Novell server, but it can be done.
1. Change the Server’s IP address
2. Stop the NETLOGON service.
3. Rename or delete
SYSTEM32\CONFIG\NETLOGON.DNS and NETLOGON.DNB
4. Restart the NETLOGON service and run
“IPconfig /registerDNS”
5. Go to one of the other DCs and verify
that its DNS is now pointing to the new IP address of the server. If not,
change the records manually and give it 15 minutes to replicate the DNS changes
out.
6. Run REPLMON and make sure that
replication is working now. You may have to wait a little while for things to
straighten out. Give it an hour or two if necessary.
If a server shows that it isn’t
replicating with one of its partners, there are several issues to address:
A. Check to see that the servers can ping
each other.
B. Make sure that both servers’ DNS entries
for each other point to the proper IP addresses
C. If server A says it replicated fine, but
server B says it couldn’t contact Server A, check the DNS setup on Server B.
Chances are it has a record for Server A pointing to the wrong place.
D. Run Netdiag and see if it reports any
errors or problems.
Trust Relationship
- One way trust - When one domain allows
access to users on another domain, but the other domain does not allow
access to users on the first domain.
- Two way trust - When two domains allow
access to users on the other domain.
- Trusting domain - The domain that allows
access to users on another domain.
- Trusted domain - The domain that is trusted,
whose users have access to the trusting domain.
- Transitive trust - A trust which can extend
beyond two domains to other trusted domains in the tree.
- Intransitive trust - A one way trust that does
not extend beyond two domains.
- Explicit trust - A trust that an
administrator creates. It is not transitive and is one way only.
- Cross-link trust - An explicit trust between
domains in different trees or in the same tree when a descendent/ancestor
(child/parent) relationship does not exist between the two domains.
- Forest trust - When two forests have a
functional level of Windows 2003, you can use a forest trust to join the
forests at the root.
- Shortcut trust - When domains that
authenticate users are logically distant from one another, the process of
logging on to the network can take a long time. You can manually add a
shortcut trust between two domains in the same forest to speed
authentication. Shortcut trusts are transitive and can either be one way
or two way.
Windows 2000
only supports the following types of trusts:
- Two way transitive trusts
- One way non-transitive trusts.
BACKUP
Archive bit: The archive bit is used to determine which files have been backed up previously on a Windows file system. The bit is set if a file is modified.
Types of Backups:
Normal - Saves files and folders and shows they were backed up by clearing the archive bit.
Copy - Saves files and folders without clearing the archive bit.
Incremental - Incremental backup stores all files that have changed since the last Full, Differential or Incremental backup. The archive bit is cleared.
Differential - A differential backup contains all files that have changed since the last FULL backup. The archive bit is not cleared.
Daily - Saves files and folders that have been changed that day. The archive bit is not cleared.
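Added example (not from the original page) that simulates the five backup types above against the archive bit as the page defines them, and shows why a restore from incrementals needs the whole chain while a differential restore needs only the newest one. The file names and days are constructed.

```python
"""Simulate Windows backup types against the archive bit (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Set


@dataclass
class FileState:
    modified_day: int
    archive: bool = True    # Windows sets the archive bit whenever a file is written


@dataclass
class Backup:
    kind: str
    day: int
    files: Set[str]


# Whether each type clears the archive bit on the files it copies (page's definitions).
CLEARS_ARCHIVE_BIT = {
    "normal": True,
    "copy": False,
    "incremental": True,
    "differential": False,
    "daily": False,
}


def touch(fs: Dict[str, FileState], name: str, day: int) -> None:
    """Create or modify a file: the archive bit is set again."""
    fs[name] = FileState(modified_day=day, archive=True)


def run_backup(fs: Dict[str, FileState], kind: str, day: int) -> Backup:
    """Select files the way the given backup type does, then update archive bits."""
    if kind not in CLEARS_ARCHIVE_BIT:
        raise ValueError(f"unknown backup type {kind!r}")
    if kind in ("normal", "copy"):
        selected = set(fs)                                      # everything
    elif kind == "daily":
        selected = {n for n, f in fs.items() if f.modified_day == day}
    else:                                                       # incremental / differential
        selected = {n for n, f in fs.items() if f.archive}      # changed since bit last cleared
    if CLEARS_ARCHIVE_BIT[kind]:
        for n in selected:
            fs[n].archive = False
    return Backup(kind, day, selected)


def restore_chain(history: List[Backup]) -> List[Backup]:
    """Backups needed to rebuild the newest state: the last normal backup plus
    every incremental after it, or plus only the newest differential."""
    last_full = max(i for i, b in enumerate(history) if b.kind == "normal")
    tail = history[last_full + 1:]
    incrementals = [b for b in tail if b.kind == "incremental"]
    differentials = [b for b in tail if b.kind == "differential"]
    if incrementals and differentials:
        raise ValueError("mixed incremental/differential chains are out of scope here")
    chain = [history[last_full]] + incrementals
    if differentials:
        chain.append(differentials[-1])
    return chain


def scenario(kind: str) -> List[Backup]:
    """Day 1: normal backup of a, b, c. Day 2: a changes. Day 3: b changes.
    A backup of `kind` runs on days 2 and 3. Returns the backup history."""
    fs: Dict[str, FileState] = {}
    for name in ("a", "b", "c"):
        touch(fs, name, 1)
    history = [run_backup(fs, "normal", 1)]
    touch(fs, "a", 2)
    history.append(run_backup(fs, kind, 2))
    touch(fs, "b", 3)
    history.append(run_backup(fs, kind, 3))
    return history


if __name__ == "__main__":
    for kind in ("incremental", "differential", "daily", "copy"):
        hist = scenario(kind)
        print(kind, [sorted(b.files) for b in hist[1:]], "restore needs", len(restore_chain(hist)))
```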
Multiplexing:
Multiplexing sends data from
multiple sources to a single tape or disk device. This is useful if you have a
tape or disk device that writes faster than a single system can send data,
which (at this point) is just about every tape device.
Multistreaming:
Multistreaming establishes
multiple connections, or threads, from a single system to the backup
server. This is useful if you have a large system with multiple I/O devices and
large amounts of data that need backing up.
To perform a backup, select "Start", "Programs", "Accessories", "System Tools", and "Backup". The Windows 2000 "Backup Utility" will start.
System State data consists of:
1. The registry
2. System startup files
3. Component services data class registration database
4. Active Directory (Windows 2000 & 2003 Servers only)
5. Certificate server database (Windows 2000 & 2003Servers only)
6. SYSVOL folder (Windows 2000 & 2003 Servers only)
Non authoritative Active Directory restores –
Changes are accepted from other domain controllers after the backup is done.
When you are restoring a domain controller by using backup and
restore programs, the default mode for the restore is non authoritative. This
means that the restored server is brought up-to-date with its replicas through
the normal replication mechanism.
Authoritative Active Directory restores:
Changes are NOT accepted from other domain controllers after the backup is done.
Authoritative restore allows the administrator to recover a domain
controller, restore it to a specific point in time, and mark objects in Active
Directory as being authoritative with respect to their replication partners. Authoritative restore has the ability to increment the version number
of the attributes of all objects in an entire directory. You can authoritatively
restore only objects from the configuration and domain-naming contexts.
Authoritative restores of schema-naming contexts are not supported. To perform
an authoritative restore, you must start the domain controller in Directory
Services Restore Mode.
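Added example (not from the original page) showing why an authoritative restore raises attribute version numbers by 100000, the figure in the ntdsutil output on this page: a simplified replica model in which the higher version wins. The tie-breaking rules of real AD replication (originating timestamp and DSA) are left out by assumption, and the attribute values are constructed.

```python
"""Why authoritative restore bumps version numbers (added example, simplified model)."""
from dataclasses import dataclass
from typing import Dict

# Constant taken from the ntdsutil output shown on this page.
RESTORE_VERSION_INCREMENT = 100_000


@dataclass
class Attr:
    value: str
    version: int


Replica = Dict[str, Attr]   # attribute name -> current value and version


def replicate(target: Replica, source: Replica) -> None:
    """Pull changes into `target`: an attribute is replaced only when the
    source's version number is higher. (Assumption: real AD also uses the
    originating timestamp and DSA as tie-breakers; omitted here.)"""
    for name, theirs in source.items():
        mine = target.get(name)
        if mine is None or theirs.version > mine.version:
            target[name] = Attr(theirs.value, theirs.version)


def restore_from_backup(backup: Replica, authoritative: bool) -> Replica:
    """Rebuild a DC's copy from backup. A non-authoritative restore keeps the
    backed-up versions, so partners overwrite it with anything newer; an
    authoritative restore bumps the versions so the restored values win."""
    restored = {n: Attr(a.value, a.version) for n, a in backup.items()}
    if authoritative:
        for a in restored.values():
            a.version += RESTORE_VERSION_INCREMENT
    return restored


def restore_scenario(authoritative: bool) -> str:
    """Backup holds description='Site lead' (v3). After the backup an admin on
    DC2 accidentally blanks it (v4). DC1 is restored and replicates with DC2;
    return the value both DCs converge on."""
    backup: Replica = {"description": Attr("Site lead", 3)}
    dc2: Replica = {"description": Attr("", 4)}
    dc1 = restore_from_backup(backup, authoritative)
    replicate(dc1, dc2)   # inbound replication once DC1 is back online
    replicate(dc2, dc1)   # DC2 converges on the same result
    assert dc1["description"].value == dc2["description"].value
    return dc1["description"].value


if __name__ == "__main__":
    print("non-authoritative ->", repr(restore_scenario(False)))   # accidental change survives
    print("authoritative     ->", repr(restore_scenario(True)))    # backup value wins
```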
Authoritative Restore Example
E:\ntdsutil>ntdsutil
ntdsutil: authoritative restore
authoritative restore: restore sub tree OU=bosses,DC=ourdom,DC=com
Opening DIT database... Done.
The current time is 06-17-05 12:34.12.
Most recent database update occurred at 06-16-05 00:41.25.
Increasing attribute version numbers by 100000.
Counting records that need updating...
Records found: 0000000012
Directory Store Files that are backed up
Database file - Stored in SystemRoot\NTDS\ntds.dit, it holds all AD objects and attributes. The directory store is made up of the following files:
- Ntds.dit is the Active Directory
database which stores the entire active directory objects on the domain
controller. The .dit extension refers to the directory information tree.
The default location is the %systemroot%\Ntds folder. Active Directory
records each and every transaction log files that are associated with the
Ntds.dit file.
- Edb*.log is the transaction log file. Each transaction file is 10 megabytes (MB). When the Edb.log file is full, Active Directory renames it to Edbnnnnn.log, where nnnnn is an increasing number starting from 1.
- Edb.chk is a checkpoint file which is used by the database engine to track the data which is not yet written to the Active Directory database file. The checkpoint file acts as a pointer that maintains the status between memory and the database file on disk. It indicates the starting point in the log file from which the information must be recovered if a failure occurs.
- Res1.log and Res2.log: These are reserved
transaction log files. The amount of disk space that is reserved on a
drive or folder for this log is 20 MB. This reserved disk space provides a
sufficient space to shut down if all the other disk space is being used.
How to restore a domain controller system:
1. Reboot the domain controller.
2. Press F8 while booting.
3. Open Advanced Options Menu, select "Directory Services Restore Mode".
4. Select the correct Windows 2000 Server operating system if more than one system is on the computer.
5. During safe mode, press CTRL-ALT-DEL.
6. Log on as Administrator.
7. Select "Start", "Programs", "Accessories", "System Tools", and "Backup".
8. Use the "Restore Wizard".
9. After the restore, if an authoritative restore was done use the "ntdsutil" command line utility. Type "authoritative restore". Syntax for restoration of partial database format:
restore subtree OU=OUname, DC=domainname, DC=rootdomain
Type "restore database" to make the entire database authoritative.
10. Reboot the Domain Controller.
How to Transfer the FSMO Roles:
To Transfer the Schema Master Role:
1. Register the Schmmgmt.dll library by pressing Start > RUN and typing:
2. Press OK. You should receive a success confirmation.
3. From the Run command open an MMC Console by typing MMC.
4. On the Console menu, press Add/Remove Snap-in.
5. Press Add. Select Active Directory Schema.
6. Press Add and press Close. Press OK.
7. If you are NOT logged onto the target domain controller, in the snap-in, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.
8. Press Specify .... and type the name of the new role holder. Press OK.
9. Right-click the Active Directory Schema icon again and press Operation Masters.
10. Press the Change button.
11. Press OK all the way out.
Transferring the FSMO Roles via Ntdsutil
To transfer the FSMO roles from the Ntdsutil command:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER. The prompt changes to fsmo maintenance:.
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server ms-dc04, where ms-dc04 is the name of the domain controller that is to receive the role, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type transfer <role>, where <role> is the role you want to transfer. For example, to transfer the RID Master role, you would type transfer rid master.
Options are (Windows 2000/2003 command names):
transfer domain naming master
transfer infrastructure master
transfer pdc
transfer rid master
transfer schema master
7. You will receive a warning window asking if you want to perform the transfer. Click on Yes.
8. After you transfer the roles, type q and press ENTER until you quit Ntdsutil.exe.
9. No restart is needed. Verify the new holder (for example with netdom query fsmo) and make sure you update your system state backup.
To seize the FSMO roles by using Ntdsutil, follow these steps:
Caution: Using the Ntdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality. Seize a role only when the current holder is permanently unavailable; if it is merely offline, bring it back and transfer instead.
1. On any domain controller, click Start, click Run, type Ntdsutil in the Open box, and then click OK.
2. Type roles, and then press ENTER.
Note: To see a list of available commands at any of the prompts in the Ntdsutil tool, type ?, and then press ENTER.
3. Type connections, and then press ENTER.
4. Type connect to server ms-dc04, where ms-dc04 is the name of the domain controller that is to take over the role, and then press ENTER.
5. At the server connections: prompt, type q, and then press ENTER again.
6. Type seize <role>, where <role> is the role you want to seize. For example, to seize the RID Master role, you would type seize rid master. Ntdsutil first attempts a normal transfer and only seizes if the current holder does not answer.
Options are (Windows 2000/2003 command names):
seize domain naming master
seize infrastructure master
seize pdc
seize rid master
seize schema master
7. You will receive a warning window asking if you want to perform the seize. Click on Yes.
Note: All five roles must exist somewhere in the forest: the schema master and domain naming master once per forest, the PDC emulator, RID master and infrastructure master once per domain. If the domain controller that held them is gone for good, seize all of its roles. Decide which remaining domain controllers get which roles so that all five are not on only one server.
8. Repeat steps 6 and 7 until you've seized all the required FSMO roles.
9. After you seize or transfer the roles, type q, and then press ENTER until you quit the Ntdsutil tool.
Note: A domain controller whose roles were seized must never be reconnected to the network. Rebuild it and remove its stale entries with the metadata cleanup option in Ntdsutil; otherwise two servers believe they own the same role (two RID masters, for example, can hand out overlapping SIDs).
Note: Do not put the Infrastructure Master (IM) role on the same domain controller as a Global Catalog server unless every domain controller in the domain is a Global Catalog. The Infrastructure Master updates cross-domain references (for example, users from another domain who are members of a local group) by comparing its own copy against a Global Catalog. A GC holds a partial replica of every object in the forest, so an IM that is also a GC never finds a reference it does not hold and stops updating them. When all DCs are GCs there is nothing left to update and the placement does not matter.
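The transfer and seize procedures above, and the Infrastructure Master placement note, as an added example in PowerShell that is not part of the original page. It uses the ActiveDirectory module (Windows Server 2008 R2 and later) rather than the MMC snap-in or Ntdsutil; the domain controller names DC01 (current holder) and DC02 (new holder) are made up.

```powershell
# Added example, not from the original page: transfer and seize FSMO roles with the
# ActiveDirectory module and run the checks an operator wants before and after.
# DC01 = assumed current holder, DC02 = assumed new holder.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $f = Get-ADForest; $d = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster          # forest-wide
        DomainNamingMaster   = $f.DomainNamingMaster    # forest-wide
        PDCEmulator          = $d.PDCEmulator           # per domain
        RIDMaster            = $d.RIDMaster             # per domain
        InfrastructureMaster = $d.InfrastructureMaster  # per domain
    }
}
Get-FsmoHolders   # record the starting state; equivalent to "netdom query fsmo"

# Graceful transfer: both DCs online, roles handed over with the current holder's consent
# (the same as "transfer rid master" and "transfer pdc" in Ntdsutil).
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole RIDMaster, PDCEmulator -Confirm:$false

# Seize: only when DC01 is permanently gone. -Force makes DC02 take the roles without the
# old holder answering (like "seize schema master" in Ntdsutil). DC01 must never come back
# online afterwards; rebuild it and run Ntdsutil metadata cleanup for the old account.
Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, InfrastructureMaster -Force -Confirm:$false

# Infrastructure Master / Global Catalog check. The conflict only matters while some DC in
# the domain is not a GC; if every DC is a GC there are no phantom references to update.
$imName = (Get-ADDomain).InfrastructureMaster
$dcs    = Get-ADDomainController -Filter *
$im     = $dcs | Where-Object HostName -eq $imName
$nonGc  = $dcs | Where-Object { -not $_.IsGlobalCatalog }
if ($im.IsGlobalCatalog -and $nonGc) {
    Write-Warning "$imName is both Infrastructure Master and a GC while other DCs are not GCs: cross-domain references will not be updated."
}

Get-FsmoHolders   # confirm the new holders once replication has caught up; no reboot is required
```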
DHCP
Dynamic Host Configuration Protocol is used to automatically assign TCP/IP addresses to clients along with the correct subnet mask, default gateway, and DNS server. There are two ways for a computer to get its IP address: statically, typed in by an administrator, or dynamically, leased from a DHCP server.
DHCP Scopes
Scope - A range of IP addresses that the DHCP server can assign to clients on one subnet, together with the options (mask, gateway, DNS) those clients receive.
Superscope - An administrative grouping of several scopes that lets the DHCP server serve several logical subnets on the same physical network segment.
Multicast scope - A range of class D addresses from 224.0.0.0 to 239.255.255.255 that can be leased to computers when they ask for them. A multicast group is assigned to one IP address. Multicasting can be used to send messages to a group of computers at the same time with only one copy of the message. The Multicast Address Dynamic Client Allocation Protocol (MADCAP) is used to request a multicast address from a DHCP server.
DORA
DHCP Lease Process
A lease gives a client a specific address for a set period, so the exchange below only has to happen once per lease rather than every time the client starts. The four messages are Discover, Offer, Request and Acknowledge (DORA):
1. The DHCP client requests an IP address by broadcasting a DHCPDiscover message to the local subnet (source 0.0.0.0, destination 255.255.255.255).
2. The client is offered an address when a DHCP server responds with a DHCPOffer message containing an IP address and configuration information for lease to the client. Every DHCP server that hears the broadcast may answer and the client takes the first offer it receives, which is why a rogue DHCP server on the segment can hand out its own gateway and DNS addresses. If no DHCP server responds to the client request, the client can proceed in two ways: if automatic private addressing (APIPA) is enabled, it assigns itself a 169.254.x.y address and keeps retrying DHCP in the background; otherwise TCP/IP does not initialise and the client keeps repeating the DHCPDiscover.
3. The client indicates acceptance of the offer by selecting the offered address and replying to the server with a DHCPRequest message. This is broadcast as well and names the chosen server, so any other servers withdraw their offers.
4. The client is assigned the address and the DHCP server sends a DHCPAck message, approving the lease. Other DHCP option information might be included in the message.
5. Once the client receives the acknowledgment, it configures its TCP/IP properties using any DHCP option information in the reply, and joins the network.
In rare cases, a DHCP server might return a negative acknowledgment to the client. This can happen if a client requests an invalid or duplicate address. If a client receives a negative acknowledgment (DHCPNak), the client must begin the entire lease process again.
When the client sends the lease request, it waits one second for an offer. If no response is received, the request is repeated at 9, 13 and 16 seconds, each with an additional 0 to 1000 milliseconds of randomness. The attempt is repeated every 5 minutes thereafter. The server listens on UDP port 67 and the client on UDP port 68, so a Discover travels from port 68 to port 67 and the Offer from port 67 back to port 68.
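The DORA exchange at the byte level, as an added example that is not part of the original page. Both sides' messages are built with one helper so the fields that tie the exchange together (op, xid, chaddr, and options 53, 50 and 54) are visible, and a parser reads them back. The MAC address, transaction ID, addresses and lease time are constructed sample values, not captured traffic; the code assumes Windows PowerShell 5.1 or later on a little-endian host.

```powershell
# Added example, not from the original page: build and parse the four DORA messages.
function New-DhcpMessage {
    param(
        [byte]$Op,                      # 1 = BOOTREQUEST (client -> server), 2 = BOOTREPLY (server -> client)
        [uint32]$Xid,                   # transaction ID, the same in all four messages
        [byte[]]$ClientMac,
        [string]$YourIp = '0.0.0.0',    # yiaddr: the address the server offers / acknowledges
        [hashtable[]]$Options           # @{Code=53; Value=@(1)}, ...
    )
    $m = New-Object byte[] 240
    $m[0] = $Op; $m[1] = 1; $m[2] = 6                               # op, htype Ethernet, hlen 6
    $xb = [BitConverter]::GetBytes($Xid); [Array]::Reverse($xb)     # xid is big-endian on the wire
    [Array]::Copy($xb, 0, $m, 4, 4)
    $m[10] = 0x80                                                   # flags: BROADCAST, the client has no address yet
    [Array]::Copy([System.Net.IPAddress]::Parse($YourIp).GetAddressBytes(), 0, $m, 16, 4)
    [Array]::Copy($ClientMac, 0, $m, 28, 6)                         # chaddr: what a reservation is matched against
    [Array]::Copy([byte[]](99, 130, 83, 99), 0, $m, 236, 4)         # magic cookie that introduces the options
    $tail = New-Object 'System.Collections.Generic.List[byte]'
    foreach ($o in $Options) {
        $tail.Add([byte]$o.Code); $tail.Add([byte]$o.Value.Count); $tail.AddRange([byte[]]$o.Value)
    }
    $tail.Add(255)                                                  # end-of-options marker
    return ,[byte[]]($m + $tail.ToArray())
}

function Read-DhcpMessage {
    param([byte[]]$Bytes)
    $typeName = @{1='DISCOVER'; 2='OFFER'; 3='REQUEST'; 4='DECLINE'; 5='ACK'; 6='NAK'; 7='RELEASE'; 8='INFORM'}
    $opts = @{}; $i = 240
    while ($i -lt $Bytes.Length -and $Bytes[$i] -ne 255) {          # walk the TLV options until END (255)
        if ($Bytes[$i] -eq 0) { $i++; continue }                     # 0 = PAD, no length byte
        $len = [int]$Bytes[$i + 1]
        $val = [byte[]]@()
        if ($len -gt 0) { $val = [byte[]]$Bytes[($i + 2)..($i + 1 + $len)] }
        $opts[[int]$Bytes[$i]] = $val
        $i += 2 + $len
    }
    $ip = { param($b) [System.Net.IPAddress]::new([byte[]]$b).ToString() }
    $lease = $null; if ($opts.ContainsKey(51)) { $lease = [BitConverter]::ToUInt32([byte[]]$opts[51][3..0], 0) }
    $srv   = $null; if ($opts.ContainsKey(54)) { $srv   = & $ip $opts[54] }
    $req   = $null; if ($opts.ContainsKey(50)) { $req   = & $ip $opts[50] }
    [pscustomobject]@{
        Direction    = @{1='client->server (UDP 68 -> 67)'; 2='server->client (UDP 67 -> 68)'}[[int]$Bytes[0]]
        Xid          = '0x{0:X8}' -f [BitConverter]::ToUInt32([byte[]]$Bytes[7..4], 0)
        Type         = $typeName[[int]$opts[53][0]]
        YourIp       = & $ip $Bytes[16..19]
        RequestedIp  = $req
        ServerId     = $srv
        LeaseSeconds = $lease
    }
}

# Constructed sample values
$mac      = [byte[]](0x00, 0x11, 0x22, 0x33, 0x44, 0x55)
$xid      = [uint32]0x3903F326
$serverId = [byte[]](192, 168, 10, 1)
$lease    = [byte[]](0, 1, 0x51, 0x80)        # 0x00015180 = 86400 s, one day

# 1. Discover: client broadcasts, no address, asks for mask/router/DNS (option 55)
$discover = New-DhcpMessage -Op 1 -Xid $xid -ClientMac $mac -Options @(@{Code=53; Value=@(1)}, @{Code=55; Value=@(1, 3, 6)})
# 2. Offer: the server proposes yiaddr, identifies itself (54) and states the lease time (51)
$offer    = New-DhcpMessage -Op 2 -Xid $xid -ClientMac $mac -YourIp '192.168.10.50' -Options @(
              @{Code=53; Value=@(2)}, @{Code=54; Value=$serverId}, @{Code=51; Value=$lease}, @{Code=1; Value=@(255, 255, 255, 0)})
# 3. Request: still broadcast; names the offered address (50) and the chosen server (54) so others withdraw
$request  = New-DhcpMessage -Op 1 -Xid $xid -ClientMac $mac -Options @(
              @{Code=53; Value=@(3)}, @{Code=50; Value=@(192, 168, 10, 50)}, @{Code=54; Value=$serverId})
# 4. Ack: the server confirms the lease
$ack      = New-DhcpMessage -Op 2 -Xid $xid -ClientMac $mac -YourIp '192.168.10.50' -Options @(
              @{Code=53; Value=@(5)}, @{Code=54; Value=$serverId}, @{Code=51; Value=$lease})

foreach ($msg in $discover, $offer, $request, $ack) { Read-DhcpMessage $msg }
```

The parsed Offer and Ack show the same xid as the Discover, which is how the client pairs replies with its request; a second Offer for that xid carrying a different ServerId is the signature of a rogue DHCP server on the segment.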
Client Reservation
A client reservation makes sure a computer gets the same IP address all the time. The DHCP server identifies the client by the hardware (MAC) address it presents in the request, so a reservation needs two values:
1) MAC (hardware) address
2) IP address (inside the scope)
Because the MAC address is supplied by the client and is trivially spoofed, a reservation is a convenience for address management, not an access control.
Exclusion Range
An exclusion range takes a bank of addresses inside a scope out of the pool so that hosts with static IP addresses, such as servers, can use them without the risk of a duplicate. These addresses are never assigned by the DHCP server.
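Scope, exclusion range and reservation together, as an added example that is not part of the original page. It uses the DhcpServer PowerShell module (Windows Server 2012 and later); the addresses, names and the MAC address are made-up sample values.

```powershell
# Added example, not from the original page: a scope with an exclusion range for statically
# addressed hosts and a reservation for one client, followed by two checks.
Import-Module DhcpServer
$scope = '192.168.10.0'

# Scope: the pool the server may hand out on this subnet, plus the options its clients get
Add-DhcpServerv4Scope -Name 'Office LAN' -StartRange 192.168.10.1 -EndRange 192.168.10.254 `
    -SubnetMask 255.255.255.0 -LeaseDuration (New-TimeSpan -Days 8) -State Active
Set-DhcpServerv4OptionValue -ScopeId $scope -Router 192.168.10.1 -DnsServer 192.168.10.10 -DnsDomain 'corp.example'

# Exclusion: .1 to .20 are hand-configured on routers and servers; the server must never lease them
Add-DhcpServerv4ExclusionRange -ScopeId $scope -StartRange 192.168.10.1 -EndRange 192.168.10.20

# Reservation: MAC (ClientId) plus IP; the printer always receives .50
Add-DhcpServerv4Reservation -ScopeId $scope -IPAddress 192.168.10.50 -ClientId '00-11-22-33-44-55' -Name 'printer01'

function ConvertTo-IpNumber([System.Net.IPAddress]$Ip) {      # 192.168.10.50 -> 3232238130, so ranges compare as numbers
    [BitConverter]::ToUInt32([byte[]]$Ip.GetAddressBytes()[3..0], 0)
}

# Check 1: a reservation that falls inside an exclusion range is never handed out, so flag it
$exclusions = Get-DhcpServerv4ExclusionRange -ScopeId $scope
foreach ($r in Get-DhcpServerv4Reservation -ScopeId $scope) {
    $n = ConvertTo-IpNumber $r.IPAddress
    foreach ($e in $exclusions) {
        if ($n -ge (ConvertTo-IpNumber $e.StartRange) -and $n -le (ConvertTo-IpNumber $e.EndRange)) {
            Write-Warning "Reservation $($r.IPAddress) for $($r.ClientId) lies inside exclusion $($e.StartRange)-$($e.EndRange)"
        }
    }
}

# Check 2: which DHCP servers are authorized in Active Directory. A Windows DHCP server that is
# not on this list refuses to serve, but the list does nothing against a non-Windows rogue
# server on the segment; only watching for unexpected DHCPOffers catches that.
Get-DhcpServerInDC
```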
Database files:
DHCP.MDB - The main database.
DHCP.TMP - Temporary DHCP storage.
JET*.LOG - Transaction logs used to recover data.
SYSTEM.MDB - Used to track the structure of the DHCP database.
APIPA
If all else fails, clients give themselves an Automatic Private IP Address in the 169.254.0.0/16 range (169.254.x.y with x between 1 and 254, subnet mask 255.255.0.0, no default gateway). Such a client can only talk to other APIPA hosts on the same segment, and it keeps retrying DHCP in the background.
BOOTP
BOOTP, the bootstrap protocol, is the predecessor of DHCP and is used to boot diskless clients, which fetch their address and boot file name from a BOOTP server. DHCP keeps the BOOTP message format and UDP ports 67 and 68, which is why a DHCP server can also answer BOOTP clients.
WINS
WINS stands for Windows Internet Name Service. WINS is a NetBIOS Name Server that registers NetBIOS names and resolves them to IP addresses, replacing broadcast-based NetBIOS name resolution. Registration and resolution are unauthenticated, so a host can register or answer for a name that is not its own; that is why NetBIOS over TCP/IP is disabled on hardened networks once nothing depends on it.
DFS
The Distributed File System (DFS) allows shared folders on different servers to be presented as one directory tree under a single path. Windows 2000 Server allows one DFS root per server; Windows Server 2003 Enterprise and Datacenter editions allow several.
DFS Components
DFS root - The shared directory at the top of the namespace; it can contain other shared directories, files, DFS links, and other DFS roots. On Windows 2000 one root is allowed per server.
Types of DFS roots:
Stand alone DFS root - Not published in Active Directory, cannot be replicated, and can be on any Windows 2000 or 2003 Server. This provides no fault tolerance, since the DFS topology is stored on one computer. A stand-alone DFS is accessed with the
Syntax: \\Server\DFSname
Domain DFS root - Published in Active Directory, can be replicated, and can be on any Windows 2000 or 2003 Server that is a member of the domain. Files and directories must either be copied to the other servers by hand or Windows 2000/2003 must be configured to replicate them (File Replication Service). Configure the domain DFS root first, then the replicas, when setting up automatic replication. Links are replicated automatically. There may be up to 31 replicas. Domain DFS root directories are accessed with the
Syntax: \\domain\DFSname
DFS link - A pointer to another shared directory. There can be up to 1000 DFS links for a DFS root.
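The two root types and a link, as an added example that is not part of the original page. It uses the DFSN PowerShell module (Windows Server 2012 and later); FS01, FS02, FS03, corp.example and the share names are made up, and the target shares must exist before the commands run.

```powershell
# Added example, not from the original page: create a stand-alone root, a domain-based
# root with two root targets, one link, and then check where every link points.
Import-Module DFSN

# Stand-alone root: topology lives on FS01 only; clients use \\FS01\Public
New-DfsnRoot -Path '\\FS01\Public' -TargetPath '\\FS01\Public' -Type Standalone

# Domain-based root: stored in AD; clients use \\corp.example\Shared. A second root target
# on FS02 gives the fault tolerance a stand-alone root cannot provide.
New-DfsnRoot -Path '\\corp.example\Shared' -TargetPath '\\FS01\Shared' -Type DomainV2
New-DfsnRootTarget -Path '\\corp.example\Shared' -TargetPath '\\FS02\Shared'

# DFS link: \\corp.example\Shared\Engineering points at a share on a third server
New-DfsnFolder -Path '\\corp.example\Shared\Engineering' -TargetPath '\\FS03\Eng$'

# Check: a link target on an unknown host means users following the namespace land on a
# machine nobody vetted, and the path they see does not change when a target is swapped.
$trusted = 'FS01', 'FS02', 'FS03'
foreach ($folder in Get-DfsnFolder -Path '\\corp.example\Shared\*') {
    foreach ($t in Get-DfsnFolderTarget -Path $folder.Path) {
        $server = ($t.TargetPath -split '\\')[2]       # \\server\share -> server
        if ($trusted -notcontains $server) {
            Write-Warning "$($folder.Path) -> $($t.TargetPath) targets untrusted host $server"
        }
    }
}
```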