Active Directory

Date post: 02-Nov-2014
Upload: hiandy

Transcript

>> Run diagnostics against your Active Directory domain.
>>
>> If you don't have the support tools installed, install them from your server install disk.
>> d:\support\tools\setup.exe
>>
>> Run dcdiag, netdiag and repadmin in verbose mode.
>> -> DCDIAG /V /C /D /E /s:yourdcname > c:\dcdiag.log
>> -> netdiag.exe /v > c:\netdiag.log (On each dc)
>> -> repadmin.exe /showrepl dc* /verbose /all /intersite > c:\repl.txt
>> -> dnslint /ad /s "ip address of your dc"
>>
>> **Note: Using the /E switch in dcdiag will run diagnostics against ALL dc's in the forest. If you have significant numbers of DC's this test could generate significant detail and take a long time. You also want to take into account that slow links to dc's will also add to the testing time.
>>
>> If you download a gui script I wrote it should be simple to set and run (DCDiag and NetDiag). It also has the option to run individual tests without having to learn all the switch options. The details will be output in notepad text files that pop up automagically.
>>
>> The script is located on my website at http://www.pbbergs.com/windows/downloads.htm
>>
>> Just select both dcdiag and netdiag and make sure verbose is set. (Leave the default settings for dcdiag as set when selected)
>>
>> When complete, search for fail, error and warning messages.
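The quoted post ends with "search for fail, error and warning messages". The scanner below does that search, picking out dcdiag's per-test verdict lines separately from the rest. It is an added example, not code from the post, from the pbbergs.com script it mentions, or from Microsoft; the sample dcdiag output it ships with is constructed for the example (real output is far longer), and run_dcdiag only works on a Windows machine that has the support tools.

```python
"""Scan dcdiag-style output for failures and warnings.

Added example; not code from the quoted post or from Windows.  SAMPLE is a
constructed excerpt, not a real capture."""
import re
import subprocess

# dcdiag prints one verdict line per test:  "......... DC1 failed test Replications"
FAILED_TEST = re.compile(r"^\s*\.+\s+(?P<dc>\S+)\s+failed test\s+(?P<test>\S+)", re.I)
PASSED_TEST = re.compile(r"^\s*\.+\s+(?P<dc>\S+)\s+passed test\s+(?P<test>\S+)", re.I)
# Anything else mentioning fail/error/warning is worth a human look.
NOISE = re.compile(r"\b(fail|failed|error|warning)\b", re.I)


def scan_diag_output(text):
    """Return {'failed': [(dc, test)], 'passed': [(dc, test)],
    'other': [(line_no, line)]} for one dcdiag/netdiag/repadmin log."""
    failed, passed, other = [], [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = FAILED_TEST.match(line)
        if m:
            failed.append((m.group("dc"), m.group("test")))
            continue
        m = PASSED_TEST.match(line)
        if m:
            passed.append((m.group("dc"), m.group("test")))
            continue
        if NOISE.search(line):
            other.append((lineno, line.strip()))
    return {"failed": failed, "passed": passed, "other": other}


def run_dcdiag(dc_name):
    """Run dcdiag /v against one DC and scan its output (Windows + support tools only)."""
    proc = subprocess.run(["dcdiag", "/v", "/s:" + dc_name],
                          capture_output=True, text=True)
    return scan_diag_output(proc.stdout + proc.stderr)


# Constructed sample (not a real capture) so the scanner can be run offline.
SAMPLE = """\
Starting test: Connectivity
   ......................... DC1 passed test Connectivity
Starting test: Replications
   [Replications Check,DC1] A recent replication attempt failed:
      From DC2 to DC1
      The replication generated an error (1256): The remote system is not available.
   ......................... DC1 failed test Replications
Starting test: Services
   ......................... DC1 passed test Services
Starting test: SystemLog
   An Warning Event occurred.  EventID: 0x80000B46
   ......................... DC1 passed test SystemLog
"""

if __name__ == "__main__":
    report = scan_diag_output(SAMPLE)
    for dc, test in report["failed"]:
        print("FAILED: %s %s" % (dc, test))
    for lineno, line in report["other"]:
        print("line %d: %s" % (lineno, line))
```

Run it on the real logs by reading c:\dcdiag.log (or calling run_dcdiag on a DC) instead of SAMPLE; the "other" list is where replication error codes such as the 1256 above show up before the verdict line does.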

ACTIVE DIRECTORY

AD is the central directory of the whole forest. It holds users, computers, shares, policies, security groups, DFS configuration, DHCP authorization, DNS zones (when AD-integrated), RAS/VPN policies, sites, trusts, published shares and printers, certificates, and the replication topology.

Topics: Sites, Domains, Forests, Trusts, the FSMO roles (Schema Master, Domain Naming Master, RID Master, Infrastructure Master, PDC Emulator), Global Catalog Server, Replication, and the effect of universal groups on replication.

AD has a logical structure (forests, domains, OUs, objects) and a physical structure (sites, subnets, site links, domain controllers).

Sites model the physical network, so relocating servers is really a matter of defining sites. A forest starts with one site (Default-First-Site-Name); a site can contain DCs from several domains, and a domain can span several sites.

Every DC holds a full writable copy of its own domain partition and answers LDAP on port 389. A Global Catalog (GC) additionally holds a partial read-only copy of every other domain in the forest and answers on port 3268.

A user logging on from another domain still needs DNS to locate a DC, but the GC is what resolves a UPN (user@domain) to a domain and supplies universal group membership; in a native-mode domain a logon fails when no GC is reachable (except for cached logons and members of Domain Admins).

Promotion to GC is not instant: the partial replicas of the other domains must first arrive through normal replication, which can take hours in a large forest.

To check whether a DC is a GC, look in the registry at HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\Global Catalog Promotion Complete: a value of 1 means the DC is a GC. Alternatively open dssite.msc, expand the DC, open the properties of NTDS Settings and see whether the Global Catalog box is checked.

The directory database is divided into partitions (naming contexts): the schema and configuration partitions are replicated to every DC in the forest, each domain partition only to that domain's DCs, and Windows Server 2003 adds optional application partitions (for example the DNS partitions). The GC holds a partial replica of every domain partition.

AD Sites and Services

One domain can be spread over several physical locations. Each location becomes a site, and a site is identified by the IP subnets it contains, so the locations must use different network addresses.

After creating a site, create its subnets and associate them with the site; a client uses its own subnet to find the DCs of its site.

Example: Hyd (10.0.0.0/24) with DC1 and DNS1; Malaysia (80.0.0.0/24) with DC_MALAYSIA and DNS2_MALAYSIA.

The root DC is in Hyd. When the Malaysia branch opens, build DC_MALAYSIA and DNS2_MALAYSIA in Hyd, shut them down, ship them to Malaysia, and join the Malaysia PCs to the domain. Then create the Malaysia site and its subnet and a site link between the two sites.

Replication within a site is intrasite; replication across sites is intersite. Inside a site the KCC builds a ring of connections in which no DC is more than three hops from any other. In Windows Server 2003 a DC notifies its intrasite partners 15 seconds after a change (5 minutes in Windows 2000).

Replication uses two mechanisms: 1. polling (inbound pull) 2. notification (outbound). Windows Server 2003 creates the connection objects automatically; you can also create them by hand. They are one-way inbound connections handled by the DRA (Directory Replication Agent), so a pair of DCs gets one connection in each direction.

If no notification arrives, intrasite replication still runs on its schedule, once an hour by default.

Note: no DC in the ring is more than three hops away.

Figure: ring of eight DCs, DC1 to DC8. The notes list DC1's replication partners as DC2, DC3, DC4 and DC6, DC7, DC8.

The high-watermark vector and USNs (Update Sequence Numbers) are the two mechanisms a source DC uses to work out which changes a partner still needs; with them DC1 informs DC2 of only the new changes.

Figure: two sites, each with a DC and a DNS server (DC1/DNS1 and DC2/DNS2) serving 50 clients.
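The USN / high-watermark mechanism above is easiest to see in a small model. The following is an added illustration, not code from the notes or from Windows: three DCs in a KCC-style ring, each keeping its own USN counter, a high-watermark per partner and an up-to-dateness vector per originating DC. The DC names, the objects and the "one value per object" simplification are assumptions for the example. It goes a little beyond the notes by showing what happens when propagation dampening (the up-to-dateness vector) is switched off.

```python
"""Model of AD pull replication with USNs, high-watermark vectors and
up-to-dateness vectors.  Added example; not the notes' or Windows' code."""


class DC:
    def __init__(self, name):
        self.name = name
        self.usn = 0                 # highest local USN; every write increments it
        self.db = {}                 # obj -> (value, usn_changed, orig_dc, orig_usn)
        self.high_watermark = {}     # partner -> partner USN we are current up to
        self.utd_vector = {}         # originating DC -> highest originating USN applied
        self.applied = 0             # writes that arrived by replication

    def _write(self, obj, value, orig_dc, orig_usn):
        self.usn += 1
        self.db[obj] = (value, self.usn, orig_dc, orig_usn)
        self.utd_vector[orig_dc] = max(self.utd_vector.get(orig_dc, 0), orig_usn)

    def originate(self, obj, value):
        """Local write: this DC is the originating writer, so the originating
        USN is its own new USN."""
        self._write(obj, value, self.name, self.usn + 1)

    def pull_from(self, partner, dampen=True):
        """Inbound replication from one partner.  Ask for every object whose
        usnChanged on the partner is above the high-watermark we hold for it;
        with dampening, skip objects whose originating write our
        up-to-dateness vector shows we already received by another path."""
        since = self.high_watermark.get(partner.name, 0)
        count = 0
        changes = sorted(partner.db.items(), key=lambda kv: kv[1][1])
        for obj, (value, usn_changed, orig_dc, orig_usn) in changes:
            if usn_changed <= since:
                continue
            if dampen and orig_usn <= self.utd_vector.get(orig_dc, 0):
                continue
            self._write(obj, value, orig_dc, orig_usn)
            count += 1
        self.high_watermark[partner.name] = partner.usn
        self.applied += count
        return count

    def state(self):
        """Replicated content without the DC-local usnChanged, for comparison."""
        return {obj: (v, od, ou) for obj, (v, _, od, ou) in self.db.items()}


def replicate_ring(dcs, rounds, dampen=True):
    """Every DC pulls from both ring neighbours, `rounds` times; returns the
    total number of writes applied through replication."""
    total = 0
    n = len(dcs)
    for _ in range(rounds):
        for i, dc in enumerate(dcs):
            total += dc.pull_from(dcs[(i - 1) % n], dampen)
            total += dc.pull_from(dcs[(i + 1) % n], dampen)
    return total


def converged(dcs):
    return all(dc.state() == dcs[0].state() for dc in dcs)


def demo(dampen=True):
    """Three originating writes, two replication rounds (names constructed).
    Returns the DCs and the replicated write count: 4 with dampening (two
    objects each reach the two other DCs once), more without it."""
    dc1, dc2, dc3 = DC("DC1"), DC("DC2"), DC("DC3")
    dc1.originate("cn=alice", "pwd-v1")
    dc2.originate("cn=bob", "enabled")
    dc1.originate("cn=alice", "pwd-v2")   # only the latest state replicates
    dcs = [dc1, dc2, dc3]
    return dcs, replicate_ring(dcs, rounds=2, dampen=dampen)


if __name__ == "__main__":
    dcs, n = demo()
    print("writes replicated with dampening:", n, "converged:", converged(dcs))
    print("writes replicated without dampening:", demo(dampen=False)[1])
```

Two points the notes only hint at: replication is state-based (alice's first password never leaves DC1, only the current value does), and the up-to-dateness vector is what stops a change that arrived via DC2 from being applied again when DC3 later talks to DC1. This same per-attribute metadata is what repadmin /showobjmeta displays.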

Active Directory database files

Location: %SystemRoot%\NTDS (WINNT on Windows 2000, WINDOWS on Windows Server 2003).

Schema.ini: the default schema definition dcpromo starts from (kept in system32).
Ntds.dit: the directory database itself.
Edb.log: the current transaction log.
Edbxxxxx.log: older, filled transaction logs.
Edb.chk: the checkpoint file, recording which log entries are already written to Ntds.dit.
Res1.log, Res2.log: reserved log files so logging can continue when the disk fills up.

Figure: two sites, each with a DC and a DNS server (DC1/DNS1, DC2/DNS2) and 50 clients; PCs on the LAN reach the WAN through routers 202.4.1.49 and 202.4.1.50, and remote clients reach RAS over TCP/IP using L2F, L2TP, PPTP or PPP.

Active Directory and DNS both hold the site information. Two sites differ by their IP subnets.

Force Manual Replication: in dssite.msc, right-click a connection object under the DC's NTDS Settings and choose Replicate Now.

Forest-wide roles: 1. Domain Naming Master 2. Schema Master.

Domain Naming Master: there is exactly one in the entire forest at any time. It controls the addition and removal of domains in the forest and holds the list of domains; without it you cannot add or remove a domain (demoting an ordinary DC does not need it). To see which DC holds it, open domain.msc (Active Directory Domains and Trusts), right-click the root node and choose Operations Master.

A role can be transferred from one DC to another while both are online. Seize the role only when the current holder is permanently lost.

Note: seizing forces another DC to take the role without the old holder's cooperation. A DC whose role was seized must never return to the network with that role; rebuild it instead. A clean demotion (dcpromo) needs the other DCs reachable.

Note: Microsoft recommends keeping the Domain Naming Master and the Schema Master on the same DC (in Windows 2000 the Domain Naming Master must also be a GC). All five roles are called Flexible Single Master Operation (FSMO) roles because each can be moved to any suitable DC.

Schema Master: the schema is the definition of classes and attributes. The first DC in the forest holds this role.

To see the schema: MMC, Add/Remove Snap-in, add Active Directory Schema, right-click the root node, Operations Master; the current Schema Master is shown there.

Choose a fast DC with plenty of disk space for the Schema Master.

Every DC holds a copy of the schema, but only the Schema Master accepts schema changes. Classes and attributes can be added (Windows 2000 and 2003), and in Windows Server 2003 also modified or deactivated (made defunct), but they are never deleted. Only members of Schema Admins can modify the schema, and the change has to be made against the Schema Master. First register the snap-in: regsvr32 c:\winnt\system32\schmmgmt.dll (you get a "succeeded" message). To see the attributes of a user: mmc, Active Directory Schema, Classes, user, Properties.

To create a class: right-click Classes, Create Class. In practice every new class or attribute needs a registered object identifier (OID) obtained from an OID registration authority, so you cannot just make one up. When AD is installed, dcpromo builds the initial schema from \winnt\system32\schema.ini: dcpromo = ntds.dit + schema.ini. After the promotion the live schema is in ntds.dit.

When a user is created, the change is first written to the transaction log edb.log and then committed into ntds.dit; edb.chk (the ESE checkpoint file; "edb" is the ESE database engine that Exchange also uses) records which log entries have already been committed. Each log file is 10 MB. When edb.log fills up it is renamed edb00001.log (and so on) and a fresh edb.log is created via edbtemp.log. Because AD uses circular logging, old log files are removed once the checkpoint has passed them.

The schema is the same throughout the forest. Microsoft's recommendation: when you transfer the Domain Naming Master, transfer the Schema Master too, and when you seize one, seize the other as well.

User = class.

Attributes: for example age, sex, height, weight (the properties defined for the class).

Domain-wide roles: 1. PDC Emulator 2. RID Master 3. Infrastructure Master.

PDC Emulator: the first DC in every domain holds this role. Password changes made on any DC are forwarded to the PDC Emulator first (so a logon with a just-changed password is retried there), it acts as the PDC for NT BDCs in mixed mode, and it is the domain's time source and account-lockout authority.

Note: if a user's password is changed on DC2, DC2 informs the PDC Emulator immediately. The domain-wide roles RID, PDC and Infrastructure can be transferred to, or seized by, any DC in the domain.

Relative Identifier (RID) Master: the first DC in every domain starts with this role. It hands out pools of RIDs to the DCs of the domain. When a security principal (user, group, computer) is created, the DC takes the next RID from its pool and builds the object's SID as domain SID + RID. Every directory object also gets an objectGUID, but that is generated by the DC itself, not by the RID Master.

SID structure

Example: S-1-5-21-1659004503-117609710-839522115-500

S marks a SID string; 1 is the revision (constant); 5 is the issuing authority (NT Authority, constant); 21 marks a domain or machine SID; the next three 32-bit numbers are generated randomly when the domain is created (by the LSA, the Local Security Authority, during dcpromo) and together with 21 form the domain identifier; the last number is the RID. SID = domain identifier + RID.

Well-known accounts and groups use RIDs below 1000 (Administrator is always 500, Guest 501); ordinary objects get RIDs from the DC's pool, from 1000 upwards. On a PDC upgraded from NT 4.0 the RIDs of existing accounts (for example 1001 to 1042) are kept and new objects continue from the next free value (1043); NT BDCs in mixed mode are told not to expect a strict sequence, and in native mode each DC allocates from its own pool, so RIDs are not sequential across DCs. (Compare UNIX, where UIDs start at 0 for root.)

A RID pool holds 500 RIDs. The RID space is 2^30 = 1,073,741,824, so a domain can hand out 2^30 / 500 = 2,147,483 pools.

The RID allocation state lives in the registry under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\RID Values\; do not edit it by hand.

With Windows 2000 SP4 (and Windows Server 2003) a DC asks the RID Master for a new pool once 50% of its pool is used; before SP4 it waited until only 20% was left. Note: Microsoft recommends keeping the RID Master and the PDC Emulator on the same DC.

Figure: a PDC with SID S-1-5-21-1659004503-117609710-839522115-500 (the Administrator account of that domain) alongside DCs and a BDC.

Special role: Global Catalog Server

The GC holds a partial replica of the other domains. Any number of GCs can exist. Advice 1: have a GC in every domain. Advice 2: with two sites, have a GC in each site. Advice 3: with three mail servers (Exchange depends on the GC), have three GCs.

The server OS ships the AD binaries, so dcpromo does not ask for the CD; adding the DNS server component may ask for it.

Active Directory is the same on all DCs of a domain. There are two types of server-based user profiles:

1. Roaming profiles. 2. Mandatory profiles.

A file server (home folders) can be set up in two ways: 1. Group Policy (folder redirection) 2. Manual settings (the home folder on the user's Profile tab).

Note: where there is a profile server there should be a file server.

PDC Emulator in mixed mode

When you promote NT BDCs to additional DCs, a BDC first receives the domain information from DC1 in SAM form; after the upgrade it shows Active Directory. Note: you cannot add an NT BDC to a native-mode domain.

Figure: DC1 (RID Master and PDC Emulator) with BDC4 and BDC5, plus DC2 and DC3; each DC holds its own RID pool (drawn as the ranges 1-100, 101-1000 and 1001-10000 users).

Note: whenever a DC runs low on RIDs it contacts DC1, the RID Master, for a new pool.

DFS (Distributed File System)

A DFS namespace has a DFS Root and DFS Links; you can create any number of links. The moment you create a domain DFS root it is published in Active Directory.

There are 2 types of roots. 1. Domain root: the root configuration is kept in AD. 2. Standalone root: the links are kept only on the local server, not in AD. Right-click the root, Check Status: a green link is OK. The AD copy is visible in dsa.msc (View, Advanced Features) under System, Dfs-Configuration.

In Win2K and Win2K3 Standard Edition a DFS server can host only one root; Win2K3 Enterprise can host multiple roots. A DFS server acts as a traffic cop or receptionist: when a client asks for a link it replies with a referral from the PKT (Partition Knowledge Table), which holds the target address, the target type and the referral time (how long the client may cache it).

Example referral: referral time 1800, type W2K, address C100.

Root plus links form the DFS tree. The standalone DFS structure is stored in the registry:

NT/2K: HKLM\System; supports 3-4 MB, about 2000 links.
2K3: HKLM\Software; supports 13 MB, about 10,000 links.

Domain DFS information is stored in Active Directory as FTDfs (Fault Tolerant DFS).

In NT the LAN Manager Replicator (LMRepl) service replicated files. In 2K and 2K3 FRS (File Replication Service) does.

Note: DFS replicas are kept in sync by FRS, which uses RPC. Domain replication uses RPC, plus SMTP for intersite replication of the schema and configuration partitions only. Microsoft's recommended limit is 3-4 MB and about 1000 links. A standalone root has no replication; for fault tolerance add a root replica. FRS replicates at most 8 files at a time. A domain can have at most 32 root replicas including the main root, but in practice about 15 work.

Standalone vs domain root:
Standalone: no fault tolerance; more links; no replicas.
Domain: fault tolerance; fewer links; replicas.

NetBIOS, SMB and ARP

On a NetBIOS network, one segment behind a bridge or router should not hold more than about 255 computers.

SMB (Server Message Block) is the file-sharing protocol that runs on top of NetBIOS (or directly over TCP 445 on 2K and 2K3); it is not a modified NetBIOS. NetBIOS is the interface (API) and NetBEUI is a transport protocol. Emulation means a program written to behave like a BIOS; NetBIOS over TCP/IP (netbt.sys) carries NetBIOS sessions over TCP/IP. With NetBIOS, computers address each other by name, and the name is resolved to a MAC address.

Every computer has a hosts file (no extension) in \winnt\system32\drivers\etc. When you ping a name, the resolver checks the hosts file first and only then asks DNS. To see which names were resolved by broadcast, type nbtstat -r. Unicode allocates 2 bytes per character.

UNIX DNS servers run BIND (Berkeley Internet Name Domain). Microsoft DNS is not BIND but is compatible with it: WinNT with BIND 4.9.4, Win2K and 2K3 with BIND 8.1.2; Red Hat Enterprise ships the current BIND 9.2.

Two computers communicate in frames (packets) addressed by MAC address.

MAC address: 00-50-BA-80-2B-B7. The first three bytes are the OUI, which identifies the manufacturer.

Note: many drivers (D-Link, Intel, etc.) let you override the MAC address, so a MAC address is not a trustworthy identity.

Three types of communication: 1. Broadcast 2. Unicast 3. Multicast. Multicast addresses start at 224.0.0.0.

Frame: destination MAC address, source MAC address, then the payload carrying the names. Note: a destination of all FFs (FF-FF-FF-FF-FF-FF) is a broadcast.

The ARP cache (in RAM) holds only IP address to MAC address pairs; it does not hold host names. Entries age out on a timer (the notes say 15 minutes); the timeouts can be changed in the registry.

"Preparing network connections" at boot is the machine announcing itself: a gratuitous ARP carrying its IP and MAC address (which also detects a duplicate IP) and a NetBIOS name registration broadcast carrying its host name.

DNS

DNS keeps the hosts-file information as a distributed database. A zone is the part of the namespace (a domain, minus any delegated subdomains) for which a server is authoritative, stored as a database of host names and IP addresses. DNS always works with fully qualified domain names, for example proxy.xltelecom.com. (note the trailing dot).

Example: C1 finds C4's MAC address by broadcast (ff.ff.ff.ff.ff.ff).

Forward lookup zone: give a host name, get an IP address.

Reverse lookup zone: give an IP address, get a host name.

Mail servers use reverse lookup to check senders. DNS servers are conventionally named NS1, NS2, and so on. A host entry in a zone is an A (host) record. When you create an MX record leave the host name blank so that it applies to the domain itself, and point it at a host that has an A record. The DNS client side is the DNS Client (Resolver) service. Every domain has its own DNS server (port 53). Computers talk to Active Directory on ports 389 (LDAP), 3268 (GC) and 88 (Kerberos).

SRV (service location) records are one kind of resource record; they tell clients which hosts are domain controllers, GCs and KDCs (for example _ldap._tcp.dc._msdcs.<domain>).

To check whether the port is open: telnet <ip address> 53 (this tests TCP 53 only; ordinary lookups use UDP).

Clients query DNS over UDP. There are 3 types of zones: 1. Primary 2. Secondary 3. Stub. A standard zone has exactly one primary and any number of secondaries (an AD-integrated zone is writable on every DC that hosts it). The option "Store the zone in Active Directory" exists only on a DNS server that is also a DC. To test a reverse lookup zone use nslookup. To create SRV records by hand: Forward Lookup Zone, right-click, Other New Records, Service Location (SRV); normally the Netlogon service registers them itself. An AD-integrated DNS server reads its zones straight from the directory. A domain controller registers roughly 16 to 18 SRV records.

Note: Kerberos authentication is organised in realms; the AD realm name is the DNS domain name in upper case, and DCs act as the KDCs.

Resource records have a class: IN (Internet) is the normal one; HS (Hesiod, from MIT) and CH (Chaos) are the historical others. The records a DC registers are listed in netlogon.dns:

\windows\system32\config\netlogon.dns

A standard zone is stored as a database file:

\windows\system32\dns\xltelecom.com.dns

If your web server and DNS server are the same machine, start IIS with: iisreset /start

With a Linux machine and a Windows machine, users created on the Linux machine are not domain users, but a cross-realm trust between the Linux Kerberos realm and the Win2K Kerberos realm (the domain) lets them be used in the domain.
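The DC-locator behaviour described above (SRV records naming the DCs on port 389 and the GCs on port 3268, asked over UDP 53) can be reproduced with the standard library alone. The block below is an added example, not code from the notes or from Windows: it builds the SRV query a client sends for _ldap._tcp.dc._msdcs.<domain> or _gc._tcp.<forest>, and parses the reply including compression pointers and glue A records. The domain xltelecom.com and the DC addresses 10.0.0.1 / 80.0.0.1 are taken from the notes; the response bytes are constructed here, not captured from a real server.

```python
"""Build a DNS SRV query and parse the answer, as a Windows DC locator does.
Added example; not code from the notes or from Windows.  The sample reply is
constructed, not captured."""
import secrets
import socket
import struct

QTYPE_SRV, QTYPE_A, CLASS_IN = 33, 1, 1


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype, txid):
    # header: id, flags (RD=1), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 16:
                raise ValueError("compression loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_srv_response(msg, expected_txid):
    """Return ([(priority, weight, port, target, ttl), ...] ordered by priority
    then descending weight, {target: ip} from glue A records)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if flags & 0x000F:
        raise ValueError("RCODE %d" % (flags & 0xF))
    off = 12
    for _ in range(qd):                                # skip the question
        _, off = read_name(msg, off)
        off += 4
    srv, glue = [], {}
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_SRV:
            prio, weight, port = struct.unpack("!HHH", msg[off:off + 6])
            target, _ = read_name(msg, off + 6)
            srv.append((prio, weight, port, target, ttl))
        elif rtype == QTYPE_A and rdlen == 4:
            glue[owner] = socket.inet_ntoa(msg[off:off + 4])
        off += rdlen
    srv.sort(key=lambda r: (r[0], -r[1]))
    return srv, glue


def locate(srv_name, server, timeout=2.0):
    """Send the SRV query to `server` over UDP/53 and parse the reply (needs network)."""
    txid = secrets.randbelow(65536)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(srv_name, QTYPE_SRV, txid), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_srv_response(data, txid)


def build_sample_response(txid):
    """Constructed reply: two D C SRV answers for _ldap._tcp.dc._msdcs.xltelecom.com
    plus glue A records; the owner names use a pointer (0xC00C) to the question."""
    qname = "_ldap._tcp.dc._msdcs.xltelecom.com"
    msg = struct.pack("!HHHHHH", txid, 0x8180, 1, 2, 0, 2)
    msg += encode_name(qname) + struct.pack("!HH", QTYPE_SRV, CLASS_IN)
    for prio, weight, port, target in ((0, 100, 389, "dc1.xltelecom.com"),
                                       (10, 50, 389, "dc2.xltelecom.com")):
        rdata = struct.pack("!HHH", prio, weight, port) + encode_name(target)
        msg += b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_SRV, CLASS_IN, 600, len(rdata)) + rdata
    for target, ip in (("dc1.xltelecom.com", "10.0.0.1"), ("dc2.xltelecom.com", "80.0.0.1")):
        msg += encode_name(target) + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 600, 4) + socket.inet_aton(ip)
    return msg


if __name__ == "__main__":
    txid = 0x1234
    print(parse_srv_response(build_sample_response(txid), txid))
```

Against a live DC you would call locate("_gc._tcp.xltelecom.com", "10.0.0.1") and expect port 3268 in the answers. The transaction-id check matters for more than correctness: a reply that does not match the id we sent is exactly what a spoofed DC-locator answer looks like.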

DNS commands: 1. ipconfig /registerdns 2. ipconfig /flushdns 3. ipconfig /displaydns

TSIG is the security mechanism that signs DNS dynamic updates and zone transfers (Windows uses its Kerberos-based GSS-TSIG variant for secure dynamic update).

The root zone is coordinated by IANA/ICANN, with protocol standards from the IETF; VeriSign publishes the root zone file and runs the .com and .net registries.

A RAS server in the notes has 17 slots with 30 customers per slot.

The root hints (root server list) are in \winnt\system32\dns\cache.dns.

Primary and secondary zones can both be created in either the Forward Lookup Zones or the Reverse Lookup Zones folder.

If a parent domain must resolve names in a child domain, use delegation: the parent zone holds NS records (and glue A records) for the child's name servers. Delegation is created in the parent's primary zone (the main DNS server). If the child domain must resolve the parent, or anything outside itself, it uses root hints or forwarders. If changes to the child's name servers should reach the parent automatically, use a stub zone. If you have several root or child domains, use forwarders.

Figure: yahoo.com on NS1, delegated to mail.yahoo.com and chat.yahoo.com (each on its own NS1), with hyd.mail.yahoo.com below mail; delegation points downward, forwarders and root hints point upward.

The parent delegates to every child domain. In Windows 2000 the root hints are not shown until the server has an Internet connection. When a secondary DNS server talks to its primary (zone transfer) it uses TCP; when a client talks to a DNS server it uses UDP.

DNS server properties, Debug Logging: create a text log file on any drive and give its path.

A standard primary zone (not AD-integrated) keeps its configuration in the local registry and its data in \winnt\system32\dns\xltelecom.com.dns.

Registry: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\DNS Server\Zones is where the server reads its zone list from.

Registry: under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, create the DWORD value DisableDynamicUpdate = 1 and the client no longer registers itself in DNS.

The AD-integrated option is only enabled when you create the primary zone on a DC.

If you want an AD-integrated primary zone, create it on a DC; you can change it to a standard primary or secondary later. On a DNS server that is not a DC you can switch between primary and secondary but cannot make a zone AD-integrated.

To see whether a zone is AD-integrated: dsa.msc, View, Advanced Features, System, MicrosoftDNS.

SOA: Start of Authority (read mainly by secondary zones). It answers:

1. When do I ask the primary for changes? (refresh interval, and the retry interval if the primary does not answer)
2. Who is the responsible person? (mailbox)
3. When do I stop serving the zone if the primary stays unreachable? (expire interval)
4. Minimum (default) TTL: how long a client may cache an answer (for example 3 minutes).
5. Who is my primary? (primary server name)
6. TTL comes in 2 kinds: (a) the TTL on each record in the zone (resolved IP) (b) the TTL of the SOA record itself.
The serial number is what the secondary compares with its own copy to decide whether a transfer is needed.

SOA is a record maintained by the primary and read by the secondary when the two communicate.

Cmd: runas /user:[email protected] "mmc.exe dnsmgmt.msc"

In the SOA, Primary server: xltelecomdc.xltelecom.com.; Responsible person: imtiaz.xltelecom.com. (the first label is the mailbox name).

Note: both the primary server and the responsible person must end with a dot.

Zone properties, Name Servers: by default only the primary DNS server is listed; add secondary servers manually, otherwise they are not advertised as name servers and receive no NOTIFY.

A secondary zone is a read-only copy of the primary zone kept on the secondary server.

WINS holds no resource records, only host names and IP addresses.

WINS is very fast compared to DNS and is deployed per site. Zone aging/scavenging properties: No-refresh interval, 7 days by default, during which the server refuses refreshes of a dynamically registered record (to cut network traffic and replication).

Refresh interval: the renewal window that follows the no-refresh interval; a record not refreshed by the end of it can be scavenged. Note: ISPs often set the refresh interval to 1 day. Records created manually are never scavenged; delete them manually. Stub zones are new in Windows Server 2003 DNS. With 10 subdomains the parent must delegate to all 10 and list each child's name servers, otherwise one domain will not know about the others.

Delegation is per domain; it does not follow the hierarchy by itself. A stub zone holds 3 kinds of records: 1. SOA 2. NS (name servers) 3. the glue A records of those name servers. Advantage of a stub zone: if a child name server's IP changes, the parent's stub zone picks it up. Note: with delegation alone the parent's NS and glue records do not update themselves.

Even when DNS is AD-integrated the zone configuration is in the registry and the data is in AD; a .dns file in \winnt\system32\dns\ exists only for standard zones (or an export).

If AD fails, restore a DC from a System State backup taken earlier: boot the DC into Directory Services Restore Mode and restore the System State (an authoritative restore if needed). The System State must be restored on a DC of the same domain, not on a freshly built dummy domain.

Delegation: changes to the child's DNS are not replicated to the parent. Stub zone: the child's name-server list is refreshed into the parent automatically. Note: a stub zone is lightweight (a few records) and works inside an intranet just as well as for external domains; it is a pointer to the authoritative servers, not a copy of the zone.

DHCP

DHCP evolved from BootP. Issues: 1. Migration 2. Backup DHCP 3. IP lease duration. Note: a client without an address broadcasts a DHCP Discover asking "what is my IP?"; the server answers with an Offer, also by broadcast, because the client cannot yet receive unicast.

Excluded IPs are for static addresses: DCs, name servers, web servers. Many DHCP servers still run on NT because migration is a problem. The DHCP server listens on port 67 and the DHCP client on port 68. In WinNT the default lease is 3 days; in W2K and W2K3 it is 8 days, after which the client must have renewed (it first tries at half the lease). Reservations are used mostly for mobile users; static servers that never move are excluded instead. Two types of classes: User Class and Vendor Class.

Two different IP ranges need a router to communicate. Without a router you can add the other range as a second address in each machine's TCP/IP properties and ping.

On the router the BootP forwarding (DHCP relay) agent is used. Ping uses ICMP. If you configure a Windows server as a router you must enable IP forwarding in RRAS. Windows Server 2003 has a feature called Media Sense (the stack notices when the cable is unplugged).

In Routing and Remote Access: IP Routing, right-click General, New Routing Protocol, RIP; right-click RIP, New Interface (internal and external) and assign your IP. Cmd: net stop rras; net start rras. In the registry, enable IP forwarding at HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter by changing it from 0 to 1.

Every computer has a routing table; route print shows it, and RIP is not needed for that. The notes' guidance: not more than 2 DHCP servers per scope (the 80/20 split). After installing DHCP you must authorize the server in AD: right-click the server, Authorize. This check is what shuts down unauthorized (rogue) Windows DHCP servers in the domain.

Cleaning up a dead DC: ntdsutil, metadata cleanup, connections, connect to server proxy.xltelecom.com, then select the operation target and remove the failed server. If you see an "RPC server unavailable" error, suspect DNS first.

Configuring scope options means assigning the gateway and the DNS servers. Windows Server 2003 adds an Alternate Configuration tab on the client when "Obtain an IP address automatically" is selected. In scope options select DNS Servers and ARP Cache Timeout. Vendor Class: the server recognises the client by vendor; for SUN machines create a vendor class with the identifier SUN supplies. User Class: hand out a different range of options to clients that advertise a class, for example ipconfig /setclassid "Local Area Connection" HR. If you have 95, 98, NT or UNIX clients, a DHCP server setting lets it update DNS on their behalf; these legacy clients cannot update DNS themselves (only Windows 2000 and later clients can). DHCP secures its DNS updates with Kerberos through GSS-TSIG.

The KCC (Knowledge Consistency Checker), USNs and the high-watermark vector take care of replication between DCs. A user object has about 470 attributes. In W2K a change to a multi-valued attribute such as group membership replicates the whole attribute; at the W2K3 forest functional level only the changed values replicate (linked-value replication). There are 2 types of access control lists.

(a) DACL (Discretionary Access Control List): the ACEs that grant or deny access, each carrying a SID (security identifier).

(b) SACL (System Access Control List): the ACEs that say which accesses are audited.

To list the shares on the local computer: net share
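The DHCP exchange described in the notes above (Discover broadcast from UDP 68 to 67, Offer back, options for gateway and DNS, an 8-day lease, and the question of whether the offering server is an authorized one) is shown at the packet level below. This is an added example, not code from the notes or from Windows; it uses the MAC address 00-50-BA-80-2B-B7 from the notes, and the Offer it parses is constructed here, not captured from a server. The addresses (10.0.0.x, DNS at 10.0.0.1 and 80.0.0.1) are assumptions matching the notes' diagram.

```python
"""DHCP DISCOVER/OFFER at the packet level.  Added example; not the notes'
or Windows' code.  The OFFER bytes are constructed, not captured."""
import socket
import struct

BOOTREQUEST, BOOTREPLY = 1, 2
MAGIC = b"\x63\x82\x53\x63"
HDR = "!BBBBIHH4s4s4s4s16s64s128s"          # fixed 236-byte BOOTP header
MSG_TYPES = {1: "DISCOVER", 2: "OFFER", 3: "REQUEST", 5: "ACK", 6: "NAK"}


def build_discover(mac, xid, params=(1, 3, 6, 15)):
    """Client DISCOVER: chaddr = our MAC; broadcast flag set because we have
    no address for the server to unicast to yet."""
    hdr = struct.pack(HDR, BOOTREQUEST, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, b"\0" * 4, b"\0" * 4, b"\0" * 4,
                      mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    options = (b"\x35\x01\x01"                              # 53: message type DISCOVER
               + b"\x3d\x07\x01" + mac                      # 61: client id (hw type + MAC)
               + bytes([55, len(params)]) + bytes(params)   # 55: parameter request list
               + b"\xff")                                   # end
    return hdr + MAGIC + options


def parse_dhcp(data):
    """Decode header and options of any DHCP message into a dict."""
    if len(data) < 240 or data[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    fields = struct.unpack(HDR, data[:236])
    op, htype, hlen, hops, xid, secs, flags = fields[:7]
    ciaddr, yiaddr, siaddr, giaddr, chaddr = fields[7:12]
    options, off = {}, 240
    while off < len(data):
        code = data[off]
        if code == 0:                      # pad
            off += 1
            continue
        if code == 255:                    # end
            break
        if off + 1 >= len(data):
            raise ValueError("truncated option")
        length = data[off + 1]
        if off + 2 + length > len(data):
            raise ValueError("truncated option")
        options[code] = data[off + 2:off + 2 + length]
        off += 2 + length
    mtype = options.get(53, b"\0")[0]
    ip = socket.inet_ntoa
    return {
        "op": op, "xid": xid, "broadcast": bool(flags & 0x8000),
        "mac": chaddr[:hlen].hex(":"), "yiaddr": ip(yiaddr),
        "type": MSG_TYPES.get(mtype, mtype),
        "server_id": ip(options[54]) if 54 in options else None,
        "subnet": ip(options[1]) if 1 in options else None,
        "router": ip(options[3][:4]) if 3 in options else None,
        "dns": [ip(options[6][i:i + 4]) for i in range(0, len(options.get(6, b"")), 4)],
        "lease": struct.unpack("!I", options[51])[0] if 51 in options else None,
        "options": options,
    }


def accept_offer(offer, xid, authorized):
    """Client-side check: the OFFER must answer our xid and come from a server
    we trust (the same idea as DHCP authorization in AD, applied by the client)."""
    return (offer["type"] == "OFFER" and offer["xid"] == xid
            and offer["server_id"] in authorized)


def build_sample_offer(xid, mac):
    """Constructed OFFER from server 10.0.0.1 leasing 10.0.0.50 for 8 days,
    with subnet mask, router and two DNS servers (DC1 and DC2 of the notes)."""
    hdr = struct.pack(HDR, BOOTREPLY, 1, 6, 0, xid, 0, 0x8000,
                      b"\0" * 4, socket.inet_aton("10.0.0.50"),
                      socket.inet_aton("10.0.0.1"), b"\0" * 4,
                      mac + b"\0" * 10, b"\0" * 64, b"\0" * 128)
    opts = (b"\x35\x01\x02"
            + b"\x36\x04" + socket.inet_aton("10.0.0.1")                    # 54 server id
            + b"\x33\x04" + struct.pack("!I", 8 * 24 * 3600)                # 51 lease (8 days)
            + b"\x01\x04" + socket.inet_aton("255.255.255.0")               # 1 subnet mask
            + b"\x03\x04" + socket.inet_aton("10.0.0.254")                  # 3 router
            + b"\x06\x08" + socket.inet_aton("10.0.0.1") + socket.inet_aton("80.0.0.1")  # 6 DNS
            + b"\xff")
    return hdr + MAGIC + opts


if __name__ == "__main__":
    mac = bytes.fromhex("0050ba802bb7")
    offer = parse_dhcp(build_sample_offer(0xDEADBEEF, mac))
    print(offer["yiaddr"], offer["dns"], offer["lease"], accept_offer(offer, 0xDEADBEEF, {"10.0.0.1"}))
```

On a real network the DISCOVER goes out with sendto(..., ("255.255.255.255", 67)) from a socket bound to port 68 with SO_BROADCAST, which needs administrative rights; the parser is the same for a captured OFFER. Note that AD authorization only stops Windows DHCP servers that check it; a rogue server on another OS is exactly why the server-id check in accept_offer is worth having.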

WELL-KNOWN SIDS

S-1-0-0 = Nobody (null SID)
S-1-1-0 = Everyone
S-1-2-0 = Local (logged on locally)
S-1-3-0 = Creator Owner
S-1-3-1 = Creator Group
S-1-5 = NT Authority
S-1-5-1 = Dialup
S-1-5-2 = Network
S-1-5-3 = Batch
S-1-5-4 = Interactive
S-1-5-6 = Service
S-1-5-7 = Anonymous Logon
S-1-5-8 = Proxy
S-1-5-9 = Enterprise Domain Controllers
S-1-5-11 = Authenticated Users (important)
S-1-5-13 = Terminal Server Users
S-1-5-18 = Local System
S-1-5-19 = Local Service (new in 2K3 and XP)
S-1-5-20 = Network Service (new in 2K3 and XP)
S-1-5-32 = Built-in domain; the built-in local groups hang off it (for example S-1-5-32-544)

WELL-KNOWN RIDS

Domain accounts and groups (S-1-5-21-<domain>-RID):
Administrator = 500
Guest = 501
krbtgt (Kerberos service account) = 502
Domain Admins = 512
Domain Users = 513
Domain Guests = 514
Domain Computers = 515
Domain Controllers = 516
Schema Admins = 518
Enterprise Admins = 519

Built-in local groups (S-1-5-32-RID):
Administrators = 544
Users = 545
Guests = 546
Power Users = 547
Account Operators = 548
Server Operators = 549
Print Operators = 550
Backup Operators = 551
Replicator = 552
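The SID layout from the SID structure section and the well-known RID tables above come together in the following parser. It is an added example, not code from the notes or from Windows: it splits a SID string into revision, identifier authority, domain identifier and RID, converts to and from the binary form Windows stores in tokens and ACLs (revision byte, sub-authority count, 6-byte big-endian authority, little-endian sub-authorities), and flags the privileged well-known RIDs. The SID used in the demo is the one from the notes; the "privileged" set is the example's own choice.

```python
"""Parse, classify and binary-encode Windows SIDs.  Added example; not code
from the notes or from Windows."""
import re
import struct

DOMAIN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 514: "Domain Guests",
    515: "Domain Computers", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}
BUILTIN_RIDS = {          # sub-authorities of S-1-5-32
    544: "Administrators", 545: "Users", 546: "Guests", 547: "Power Users",
    548: "Account Operators", 549: "Server Operators", 550: "Print Operators",
    551: "Backup Operators", 552: "Replicator",
}
# RIDs whose holders can take over the domain or a DC (example's own choice).
PRIVILEGED = {500, 502, 512, 516, 518, 519, 544, 548, 549, 550, 551}

SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")


def parse_sid(text):
    """Return (revision, identifier_authority, [sub-authorities])."""
    m = SID_RE.match(text)
    if not m:
        raise ValueError("not a SID string: %r" % text)
    revision, authority = int(m.group(1)), int(m.group(2))
    subs = [int(s) for s in m.group(3).split("-")[1:]]
    if (revision != 1 or authority >= 1 << 48 or len(subs) > 15
            or any(s >= 1 << 32 for s in subs)):
        raise ValueError("out-of-range SID: %r" % text)
    return revision, authority, subs


def sid_to_bytes(text):
    """Binary SID: revision, count, 6-byte big-endian authority, LE sub-authorities."""
    rev, auth, subs = parse_sid(text)
    return (struct.pack("<BB", rev, len(subs)) + auth.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))


def sid_from_bytes(data):
    rev, count = data[0], data[1]
    if len(data) != 8 + 4 * count:
        raise ValueError("length does not match sub-authority count")
    auth = int.from_bytes(data[2:8], "big")
    subs = struct.unpack("<%dI" % count, data[8:])
    return "S-%d-%d%s" % (rev, auth, "".join("-%d" % s for s in subs))


def describe(text):
    """Classify a SID: domain account, domain SID, built-in group, or other."""
    rev, auth, subs = parse_sid(text)
    info = {"sid": text, "kind": "other", "domain_sid": None,
            "rid": None, "name": None, "privileged": False}
    if auth == 5 and len(subs) == 5 and subs[0] == 21:
        info["kind"] = "domain account"
        info["domain_sid"] = "S-1-5-21-" + "-".join(str(s) for s in subs[1:4])
        info["rid"] = subs[4]
        info["name"] = DOMAIN_RIDS.get(subs[4])
    elif auth == 5 and len(subs) == 4 and subs[0] == 21:
        info["kind"] = "domain"
        info["domain_sid"] = text
    elif auth == 5 and len(subs) == 2 and subs[0] == 32:
        info["kind"] = "builtin"
        info["rid"] = subs[1]
        info["name"] = BUILTIN_RIDS.get(subs[1])
    if info["kind"] != "other" and info["rid"] in PRIVILEGED:
        info["privileged"] = True
    return info


if __name__ == "__main__":
    sid = "S-1-5-21-1659004503-117609710-839522115-500"   # from the notes
    print(describe(sid))
    print(sid_to_bytes(sid).hex())
```

The well-known RID is what matters for access decisions, not the account name: renaming Administrator does not change RID 500, which is why tools and attackers look up accounts by RID. The round trip through sid_to_bytes / sid_from_bytes is the same encoding you meet in tokens, ACEs and the sIDHistory attribute.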

GROUP POLICY

Tools: Group Policy Editor (2K and 2K3); Group Policy Management Console (GPMC, with 2K3 SP1); SMS (Systems Management Server, used with NT); third-party tools: Marimba, FAZAM (FullArmor), Tivoli (IBM), ELM (Enterprise LAN Manager).

A created policy is a GPO (Group Policy Object). Every computer has a Local Group Policy. GPOs can be linked to sites, domains, the Domain Controllers OU and other OUs. When a computer starts it loads the computer settings of the GPOs that apply to it from a DC; when a user logs on it loads the user settings.

By default 2 policies exist in SYSVOL: 1. Default Domain Policy 2. Default Domain Controllers Policy. GPOs are identified by GUIDs. Whenever a GPO is created, a GPC (group policy container, in AD) and a GPT (group policy template, in SYSVOL) are created. Administrative templates are predefined fill-in-the-blanks settings; add templates by right-clicking Administrative Templates. A GPO is the combination of its administrative template settings and the other extensions.

Winlogon applies computer policies on the client when the computer starts. Userenv.dll applies user policies when the user logs on and downloads the policy files from SYSVOL.

The client-side extension DLLs are registered under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\<GUID>.

Group policy type / GPT file / client-side extension (CSE):
Registry: Registry.pol / Userenv.dll
Folder Redirection: Fdeploy.ini / Fdeploy.dll
Logon/logoff and startup/shutdown scripts: Scripts.ini / Gptext.dll
Security: GptTmpl.inf / Scecli.dll
Software Restriction: Registry.pol / handled by the OS
Software Deployment: *.aas files / Appmgmts.dll
Disk Quotas: Registry.pol / Dskquota.dll
EFS or PKI (encryption): certificates stored in AD / Scecli.dll
Internet Explorer: Install.ins / Iedkcs32.dll
RIS: Oscfilter.ini / BINL (Boot Information Negotiation Layer)
QoS (Quality of Service): AD / Gptext.dll

Policies are applied in this order: 1. Local Policy 2. Site 3. Domain 4. OU (then nested OUs); the Domain Controllers policy is the OU-level policy that DCs get. The later level wins on conflict.

Ordinary policies apply to administrators too unless you filter them (security filtering on the GPO, or deny Apply Group Policy). Winlogon.exe is the process through which a client downloads policies from SYSVOL. When you create a policy, link it to the right level. You can delete a link, but you cannot delete the default policies the system created.

Auditing: 1. Create a folder, Properties, Security, Auditing, Add, choose success and/or failure. 2. In GP, Audit Policy, enable Audit object access, then check the Security log in eventvwr. 3. Audit account logon events: authentication on the DC. 4. Audit logon events: logon at the client computer. 5. Audit process tracking: only for developers. 6. Do not filter a policy on Authenticated Users when administrators should be exempt, because administrators are authenticated users too; create a group, then create the policy and apply it to that group.

Note: a plug-in is a mediator between the browser and an application, a small component that extends the browser's behaviour.

BACKUP & RESTORE

1. Who can back up 2. What files and folders to back up 3. Where to back up 4. When to back up 5. How to back up 6. What backup software is available

Cmd: ntbackup.exe

Software: Veritas, Legato, Sunbelt, ARCserve, UltraBac, Windows Backup. Windows Server 2003 adds Automated System Recovery and Volume Shadow Copy. You cannot back up the registry remotely. Use a descriptive backup name, for example Sdata_14jul04_9.30pm_imi.bkf. In 2K3 a backup first checks the Volume Shadow Copy status; in 2K it starts immediately. A differential backup does not clear the archive bit; normal and incremental backups do. To restore users, policies and group memberships on NT you need a backup of:

1. The Emergency Repair Disk 2. The Registry

How to view and transfer FSMO roles in the graphical user interface

SUMMARYThere are five Flexible Single Master Operations (FSMO) roles in

a Windows 2000...There are five Flexible Single Master Operations (FSMO) roles in a

Windows 2000 forest. There are two ways to transfer a FSMO role in Windows 2000. This article describes how to transfer all five FSMO roles by using Microsoft Management Console (MMC) snap-ins. The five FSMO roles are:

Schema Master - One master role holder per forest. The schema master FSMO role holder is the domain controller responsible for performing updates to the directory schema.

Domain Naming Master - One master role holder per forest. The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory.

Infrastructure Master - One master role holder per domain. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

RID Master - One master role holder per domain. The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain.

PDC Emulator - One master role holder per domain. The PDC emulator FSMO role holder is a Windows 2000 DC that advertises itself as the primary domain controller (PDC) to earlier version workstations, member servers, and domain controllers. It is also the Domain Master Browser and handles password discrepancies.

Back to the topTransferring FSMO Roles with MMC Tools

You can transfer all five FSMO roles through the MMC tool in Windows 2000. In order for a transfer to work both computers must be available on-line. If a computer no longer exists, then the role must be seized. To seize a role, you must use a utility called Ntdsutil. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

Back to the topTransferring the Domain-Specific Roles: RID, PDC, and Infrastructure Master

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Right-click the icon next to Active Directory Users and Computers, and then click Connect to Domain Controller.

NOTE: If you are not on the domain controller to which you want to transfer the role, you need to take this step. It is not necessary if you are connected to the domain controller whose role you want to transfer.

3. Click the domain controller that will be the new role holder, and then click OK.

4. Right-click the Active Directory Users and Computers icon, and then click Operation Masters.

5. In the Change Operations Master dialog box, click the appropriate tab (RID, PDC, or Infrastructure) for the role you want to transfer.

6. Click Change in the Change Operations Master dialog box.

7. Click OK to confirm that you want to transfer the role.

8. Click OK.

9. Click Cancel to close the dialog box.

Transferring the Domain Naming Master Role

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Domains and Trusts.

2. Right-click the Active Directory Domains and Trusts icon, and then click Connect to Domain Controller.

NOTE: If you are not on the domain controller to which you want to transfer the role, you need to take this step. It is not necessary if you are connected to the domain controller whose role you want to transfer.

3. Click the domain controller that will be the new role holder, and then click OK.

4. Right-click Active Directory Domains and Trusts, and then click Operation Masters.

5. In the Change Operations Master dialog box, click Change.

6. Click OK to confirm that you want to transfer the role.

7. Click OK.

8. Click Cancel to close the dialog box.

Transferring the Schema Master Role

You can use the Active Directory Schema snap-in to transfer the role. However, the Schmmgmt.dll dynamic-link library must be registered first in order to make the Schema snap-in available in MMC.

Registering the Schema Tool

1. Click Start, and then click Run.

2. Type regsvr32 schmmgmt.dll, and then click OK. A message should be displayed stating that the registration was successful.

Transferring the Schema Master Role

1. Click Start, click Run, type mmc, and then click OK.

2. On the Console menu, click Add/Remove Snap-in.

3. Click Add.

4. Click Active Directory Schema.

5. Click Add.

6. Click Close to close the Add Standalone Snap-in dialog box.

7. Click OK to add the snap-in to the console.

8. Right-click the Active Directory Schema icon, and then click Change Domain Controller.

NOTE: If you are not on the domain controller to which you want to transfer the role, you need to take this step. It is not necessary if you are connected to the domain controller whose role you want to transfer.

9. Click Specify Domain Controller, type the name of the domain controller that will be the new role holder, and then click OK.

10. Right-click Active Directory Schema, and then click Operation Masters.

11. In the Change Schema Master dialog box, click Change.

12. Click OK.

13. Click OK.

14. Click Cancel to close the dialog box.

How to view and transfer FSMO roles in Windows Server 2003

SUMMARY

This article describes how to transfer Flexible Single Master Operations (FSMO) roles (also known as operations master roles) by using the Active Directory snap-in tools in Microsoft Management Console (MMC) in Windows Server 2003.

You can transfer FSMO roles by using the Ntdsutil.exe command-line utility or by using an MMC snap-in tool. Depending on the FSMO role that you want to transfer, you can use one of the following three MMC snap-in tools:

• Active Directory Schema snap-in
• Active Directory Domains and Trusts snap-in
• Active Directory Users and Computers snap-in

If a computer no longer exists, the role must be seized. To seize a role, use the Ntdsutil.exe utility.

Transfer the Schema Master Role

Use the Active Directory Schema snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll

1. Click Start, and then click Run.

2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.

3. Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role

1. Click Start, click Run, type mmc in the Open box, and then click OK.

2. On the File menu, click Add/Remove Snap-in.

3. Click Add.

4. Click Active Directory Schema, click Add, click Close, and then click OK.

5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.

6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.

7. In the console tree, right-click Active Directory Schema, and then click Operations Master.

8. Click Change.

9. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Domain Naming Master Role

1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.

NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.

3. Do one of the following:

• In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

-or-

• In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.

4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.

5. Click Change.

6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.

NOTE: You must perform this step if you are not on the domain controller to which you want to transfer the role. You do not have to perform this step if you are already connected to the domain controller whose role you want to transfer.

3. Do one of the following:

• In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

-or-

• In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.

4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.

5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.

6. Click OK to confirm that you want to transfer the role, and then click Close.
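The role descriptions at the start of this section and the MMC transfer procedures above can be checked and scripted from PowerShell. The following is an added example, not part of the Microsoft article: it reads the two forest-wide and three domain-wide role holders, transfers selected roles to a target DC, and verifies the result against the new holder. It assumes the RSAT ActiveDirectory module (available on Windows Server 2008 R2 or later, so not on the Windows 2000/2003 hosts the article targets); the DC name DC02 is a placeholder. The function names Get-FsmoRoleHolders and Move-FsmoRoles are this example's own.

```powershell
# Added example (not from the original article). Assumes the RSAT
# ActiveDirectory module; "DC02" below is a placeholder DC name.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Read all five role holders. -Server lets you ask a specific DC, which
    # matters right after a transfer, before replication has caught up.
    param([string]$Server)
    $opt = @{}
    if ($Server) { $opt['Server'] = $Server }
    $forest = Get-ADForest @opt      # forest-wide roles (one holder per forest)
    $domain = Get-ADDomain @opt      # domain-wide roles (one holder per domain)
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        RIDMaster            = $domain.RIDMaster
        PDCEmulator          = $domain.PDCEmulator
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','RIDMaster',
                     'PDCEmulator','InfrastructureMaster')]
        [string[]]$Roles,
        # Seize only when the current holder is permanently gone, as the
        # article says; a transfer needs both DCs online.
        [switch]$Seize
    )
    Write-Host 'Role holders before:'
    Get-FsmoRoleHolders | Format-List | Out-String | Write-Host

    # -Force turns the graceful transfer into a seizure.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole $Roles -Force:$Seize -Confirm:$false

    # Verify against the target DC itself, not against whichever DC the
    # module happened to bind to, so the check does not read stale data.
    $after = Get-FsmoRoleHolders -Server $TargetDC
    Write-Host "Role holders after (as seen by $TargetDC):"
    $after | Format-List | Out-String | Write-Host

    foreach ($r in $Roles) {
        if ($after.$r -notlike "$TargetDC*") {
            throw "Role $r is held by $($after.$r), not by $TargetDC"
        }
    }
    $after
}

# Usage (placeholder DC): move the three domain-level roles to DC02.
# Move-FsmoRoles -TargetDC 'DC02' -Roles RIDMaster, PDCEmulator, InfrastructureMaster
```

Role-holder attributes are replicated like any other directory data, so a query issued without -Server may briefly show the old holder after a successful transfer; querying the new holder directly, as the verification step does, avoids a false alarm. A seizure (-Seize, which passes -Force) leaves the old DC still believing it owns the role, so the article's advice applies: seize only for a DC that no longer exists, and never bring that DC back online afterwards without cleaning it up.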
