Windows Active Directory Services

Date post: 06-Mar-2016
Upload: kamal-s-magar
Description:
For System Admin


DNS (Domain Name System)

Domain Name System (DNS) is one of the industry-standard suite of protocols that comprise TCP/IP. In Microsoft Windows Server 2003, DNS is implemented using two software components: the DNS server and the DNS client (or resolver). Both components run as background service applications. Network resources are identified by numeric IP addresses, but these IP addresses are difficult for network users to remember. The DNS database contains records that map user-friendly alphanumeric names for network resources to the IP addresses used by those resources for communication. In this way, DNS acts as a mnemonic device, making network resources easier to remember for network users.

DNS in TCP/IP

The Windows Server 2003 DNS Server and Client services use the DNS protocol that is included in the TCP/IP protocol suite. DNS is part of the application layer of the TCP/IP reference model.

For more information and to view logical diagrams illustrating how DNS fits with other Windows Server 2003 technologies, see "How DNS Works" in this collection. By default, Windows Server 2003 DNS is used for all name resolution in a Windows Server 2003 network. In the most typical scenario, when a Windows Server 2003 network user specifies the name of a network host or an Internet DNS domain name, the DNS Client service running on the user's Windows Server 2003 computer contacts a DNS server to resolve the name to an IP address.

DNS terms and server options

BIND - Enable the BIND option on the Windows DNS server if this server is required to transfer zone information to DNS servers running a non-Windows OS.

Round robin DNS - A load balancing technique in which the balancing is performed by the DNS server itself rather than by a dedicated load-balancing machine, as other load-balancing techniques do. Round robin is a local balancing mechanism used by DNS servers to share and distribute network resource loads. You can use it to rotate all resource record (RR) types contained in a query answer if multiple RRs are found.

Split DNS - In a split DNS infrastructure, you create two zones for the same domain, one used by the internal network and the other used by the external network. Split DNS directs internal hosts to an internal domain name server for name resolution, and external hosts are directed to an external domain name server for name resolution.

Dynamic DNS - Short for dynamic Domain Name System, a method of keeping a domain name linked to a changing IP address, since not all computers use static IP addresses. Typically, when a user connects to the Internet, the user's ISP assigns an unused IP address from a pool of IP addresses, and this address is used only for the duration of that specific connection. This method of dynamically assigning addresses extends the usable pool of available IP addresses. A dynamic DNS service provider uses a special program that runs on the user's computer, contacting the DNS service each time the IP address provided by the ISP changes and subsequently updating the DNS database to reflect the change in IP address. In this way, even though a domain name's IP address will change often, other users do not have to know the changed IP address in order to connect to the other computer.

DNSSEC - Short for DNS Security Extensions (also written DNS SEC), DNSSEC is a set of extensions used to add an additional layer of security to the Domain Name System (DNS). DNSSEC was designed to prevent specific types of popular attacks on the Internet and protect against these threats to the Domain Name System. The extensions provide origin authentication of DNS data, data integrity, and authenticated denial of existence.

Cache against pollution - Pollution of the DNS cache can be a serious security issue. Essentially, cache pollution involves servers that cache bad query results, which can in turn disrupt your network's functionality and cause inaccurate resolutions. This option controls how resource records are added to the cache. If enabled, the DNS server will not cache resource records that were not answers for the originally issued query.

Fail on load if bad zone data - By default, Windows 2000 DNS servers will skip errors or incorrect data in the zone file. If you want the DNS server to fail when loading a zone with bad data, select this check box. Generally, this is a setting you would not enable.

Zone - Microsoft defines a zone as a contiguous portion of the domain namespace for which a DNS server has authority to answer queries.

Recursion - In DNS vernacular, there are two major kinds of DNS query: iterative and recursive. In the former, a client issues a request for resolution to its DNS server, and the DNS server provides the best possible match it can find, or a pointer to a server that is authoritative for the domain name requested. A recursive query, on the other hand, is one where the client issues a lookup to its server and the server returns the exact answer or nothing at all; there is no pointing to another authoritative server.

Enable Netmask Ordering - According to the Configuring Subnet Prioritization section in this Microsoft link, if the resolver client issuing the query receives multiple A resource records from a DNS server, and some have IP addresses from networks to which the computer is directly connected, the resolver orders those resource records first. This reduces network traffic across subnets by forcing computers to connect to network resources that are closer to them.

Disable Recursion - Configuring this setting disables recursion for all clients that use this DNS server. If you wish to allow only iterative queries, configure this setting. Sometimes, accepting a recursive query from the Internet might be a bad thing and could lead to hackers knowing more about your network than they should. Many IT pros suggest disabling recursion on servers that are available to the Internet, for security purposes.
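As an added illustration (not part of the original document) of the round robin and netmask ordering behaviour described above, the following Python script simulates a DNS server rotating the A records in successive answers and a resolver client moving records on its directly connected subnet to the front. The record set and the client network are constructed sample values, and the function names are my own.

```python
"""Round robin rotation of DNS answers plus client-side subnet
prioritization (netmask ordering). Sample data is constructed."""
import ipaddress
from typing import List, Sequence


def netmask_order(answers: Sequence[str], local_networks: Sequence[str]) -> List[str]:
    """Return the A-record addresses with those on a directly connected
    subnet first, preserving the server's relative order otherwise.
    This mirrors the resolver behaviour described for 'Enable Netmask
    Ordering': records on a connected network are preferred so the
    client reaches the closest copy of the resource."""
    nets = [ipaddress.ip_network(n, strict=False) for n in local_networks]
    addrs = [ipaddress.ip_address(a) for a in answers]
    local = [str(a) for a in addrs if any(a in n for n in nets)]
    remote = [str(a) for a in addrs if not any(a in n for n in nets)]
    return local + remote


def round_robin(answers: Sequence[str], query_number: int) -> List[str]:
    """Rotate the answer list by query_number positions, the way a DNS
    server with round robin enabled rotates the RRs in successive
    responses so that load is spread across the listed hosts."""
    if not answers:
        return []
    k = query_number % len(answers)
    return list(answers[k:]) + list(answers[:k])


# Constructed sample: one name with three A records; the client sits on 10.1.1.0/24.
SAMPLE_ANSWERS = ["192.0.2.10", "10.1.1.20", "198.51.100.30"]
CLIENT_NETWORKS = ["10.1.1.0/24"]


def resolve_sequence(count: int) -> List[List[str]]:
    """Simulate `count` successive queries: the server rotates the answer
    (round robin), then the client applies netmask ordering to each response.
    Whatever the rotation, the on-subnet record ends up first."""
    results = []
    for q in range(count):
        server_view = round_robin(SAMPLE_ANSWERS, q)
        results.append(netmask_order(server_view, CLIENT_NETWORKS))
    return results


if __name__ == "__main__":
    for i, ordered in enumerate(resolve_sequence(3)):
        print(f"query {i}: {ordered}")
```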

Detecting and removing lingering objects

There are multiple methods available to detect or remove lingering objects from Active Directory; which one applies depends on the operating system version that the domain controller is running. Repadmin can be used to detect or remove lingering objects from a directory partition when the source and destination domain controllers are running Windows Server 2003, and therefore the scope here is limited to the following:

- Introduction to lingering objects
- Repadmin usage in Windows Server 2003

A lingering object is an object that is present on one replica but has been deleted on another replica and removed from the directory by the garbage collection process. This condition can occur for a variety of reasons, including:

- Prolonged misconfigurations (such as those that cause event ID 1311 messages).
- Prolonged errors in name resolution, authentication or the replication engine that block inbound replication.
- Bringing a domain controller online after it has been offline for a period greater than the tombstone lifetime (TSL).
- Advancing system time or reducing TSL values in an attempt to accelerate garbage collection before end-to-end replication has taken place for all naming contexts in the forest.

Symptoms that you may have lingering objects:

- Active Directory replication is prevented from occurring.
- A user account that no longer exists still appears in the Global Address List for e-mail clients.
- A universal group that no longer exists still appears in a user's access token.
- E-mail messages cannot be delivered because of a duplicate e-mail address on two different user objects.

Regardless of the reason, a deleted object can remain on a domain controller in either of the following circumstances:

- A domain controller goes offline immediately prior to the deletion of an object on another domain controller, and remains offline for a period that exceeds the tombstone lifetime.
- A domain controller goes offline immediately following the deletion of an object on another domain controller but prior to receiving replication of the tombstone, and remains offline for a period that exceeds the tombstone lifetime.

What to do with a lingering object?

Determining what to do with a lingering object depends on whether or not it was intended.

Action - Explanation
Unintended - Use repadmin to delete the lingering object on a domain controller that is running Windows Server 2003.
Intended - Change the replication consistency on the inbound domain controller (DC). The object will be re-animated on this DC. See "Strict and loose replication consistency" below.

Strict and loose replication consistency

If the attributes of a lingering object never change, the object is never considered for replication. However, if an attribute changes, the attribute is considered for outbound replication. The problem with an attribute update for a lingering object is that the receiving domain controller does not hold the object for the attribute being replicated. An update cannot be performed because the entire object does not exist on the receiving domain controller. What happens next depends on the replication consistency set on the domain controller.

Replication consistency - Explanation

Loose - When replication consistency is set to loose, the receiving domain controller detects that it does not have the object for the attribute that is being replicated. The inbound partner requests the entire object from the outbound partner, and reanimates the object on its copy of the directory. The same process repeats on all domain controllers that do not have a copy of the object. This mechanism can be used to cause lingering objects to reanimate across the entire forest. If a lingering object is discovered and its presence is intended, then perform any update to the object. As long as replication consistency is set to loose on all domain controllers, the object will be reanimated as it replicates around the forest. Loose replication consistency is the default for Windows 2000 domain controllers, with the exception of domain controllers that have the MS01-044 security rollup package installed. For more information about the MS01-044 security rollup package, see article 297860 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkID=122508).

Strict - The default behavior for domain controllers that run Windows Server 2003 (and domain controllers that are upgraded from Windows NT 4.0) is to block inbound replication for each naming context when a domain controller receives an update to an object that it does not have. Replication is halted in the naming context for the object until the lingering object is removed or the replication mode is set to loose.

Storage for Consistency Setting

The setting for replication consistency is in the registry on each domain controller.

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters
Entry name: Strict Replication Consistency
Data type: REG_DWORD
Values: 1 for enabled; 0 for disabled
Default: 1 (enabled)

Note: There was a post-SP2 hotfix (also included in the security rollup package from November 2001) that used a different registry value. A setting of 0 will not recreate the missing object (strict), and a setting of 1 will create the missing object. This value is only needed with the November version of the hotfix.

Value name: Correct Missing Objects
Data type: REG_DWORD
Value data: 1

The repadmin /removelingeringobjects command does the following:

- Designates an up-to-date domain controller as the authority.
- Compares the Active Directory database objects on the authoritative server with the objects on the suspected domain controller that contains the lingering objects.
- With /advisory_mode, the subcommand logs the potential deletions to the Directory Service log. Without /advisory_mode, the subcommand removes the lingering objects.

Syntax

Repadmin /removelingeringobjects [/ADVISORY_MODE]

Parameters (positional, in order) and their descriptions:

- The domain controller that is suspected to have lingering objects.
- Source domain controller GUID used to compare with the suspected domain controller.
- Specifies the distinguished name of the directory partition.
- /ADVISORY_MODE - Read-only mode.

During lingering object removal, Event ID 1937 is logged to the Directory Service log. This information includes the source domain controller, the objects that are removed, and a total count of all the objects that are removed.

LDAP Service

LDAP, Lightweight Directory Access Protocol, is an Internet protocol that e-mail and other programs use to look up information from a server. A client needs to connect to the server known as the Directory System Agent, which is set by default to use TCP port 389. After the connection is established, the client and server exchange packets of data.

SID

A Security Identifier (commonly abbreviated SID) is a unique, immutable identifier of a user, user group, or other security principal. A security principal has a single SID for life, and all properties of the principal, including its name, are associated with the SID. This design allows a principal to be renamed (for example, from "John" to "Jane") without affecting the security attributes of objects that refer to the principal. SIDs are useful for troubleshooting issues with security audits and with Windows server and domain migrations.

The format of a SID can be illustrated using the following example: "S-1-5-21-3623811015-3361044348-30300820-1013"

S - The string is a SID.
1 - The revision level (the version of the SID specification).
5 - The identifier authority value.
21-3623811015-3361044348-30300820 - Domain or local computer identifier.
1013 - A Relative ID (RID). Any group or user that is not created by default will have a Relative ID of 1000 or greater.

Possible identifier authority values are:

0 - Null Authority
1 - World Authority
2 - Local Authority
3 - Creator Authority
4 - Non-unique Authority
5 - NT Authority
9 - Resource Manager Authority

The machine SID is stored in the SECURITY registry hive at SECURITY\SAM\Domains\Account. This key has two values, F and V. The V value is a binary value that has the computer SID embedded within it at the end of its data (last 96 bits).

Decoding the machine SID

The SID number is used in file, registry, service and user permissions. The machine SID is read in hexadecimal form from here:

regedit.exe: \HKEY_LOCAL_MACHINE\SAM\SAM\Domains\Account\V (last 12 bytes)
explorer.exe: \%windir%\system32\config\SAM

If the SAM file is missing at startup, a backup is retrieved in hexadecimal form from here:

regedit.exe: \HKEY_LOCAL_MACHINE\SECURITY\Policy\PolAcDmS\@ (last 12 bytes)
explorer.exe: \%windir%\system32\config\SECURITY

Service SIDs

Service SIDs are a feature of service isolation, a security feature introduced in Windows Vista and Windows Server 2008. Any service with the "unrestricted" SID-type property will have a service-specific SID added to the access token of the service host process. The purpose of service SIDs is to allow permissions for a single service to be managed without requiring the creation of service accounts, an administrative overhead. Each service SID is a local, machine-level SID generated from the service name using the following formula:

S-1-5-80-{SHA-1(service name in upper case)}

The sc.exe utility can be used to generate an arbitrary service SID:

sc.exe showsid dnscache

NAME: dnscache
SERVICE SID: S-1-5-80-859482183-879914841-863379149-1145462774-2388618682
STATUS: Active

The service can also be referred to by its NT SERVICE\ name (e.g. "NT SERVICE\dnscache").
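The following Python script is an added example, not from the original document, that parses a SID string into revision, identifier authority, domain identifier and RID, recovers the machine SID from the trailing 12 bytes of a constructed sample of the SAM V value, and derives a service SID from a service name. It assumes (the page does not say) that the V bytes are little-endian DWORDs and that the service name is hashed as UTF-16LE with the 20-byte digest split into five little-endian DWORDs; all function names are my own.

```python
"""Decode Windows security identifiers: SID layout, identifier authorities,
the machine SID embedded in the SAM 'V' value, and service SIDs."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Optional

# Identifier authority values listed in the text above.
IDENTIFIER_AUTHORITIES = {
    0: "Null Authority", 1: "World Authority", 2: "Local Authority",
    3: "Creator Authority", 4: "Non-unique Authority", 5: "NT Authority",
    9: "Resource Manager Authority",
}


@dataclass
class Sid:
    revision: int
    authority: int
    sub_authorities: List[int]

    @property
    def authority_name(self) -> str:
        return IDENTIFIER_AUTHORITIES.get(self.authority, f"unknown ({self.authority})")

    @property
    def domain_identifier(self) -> Optional[str]:
        """For S-1-5-21-a-b-c[-rid] SIDs, '21-a-b-c' identifies the domain
        or local computer; other SIDs have no domain part."""
        if self.authority == 5 and self.sub_authorities[:1] == [21] and len(self.sub_authorities) >= 4:
            return "-".join(str(s) for s in self.sub_authorities[:4])
        return None

    @property
    def rid(self) -> Optional[int]:
        """Relative ID: the final sub-authority of a domain or machine SID."""
        if self.domain_identifier is not None and len(self.sub_authorities) == 5:
            return self.sub_authorities[4]
        return None

    def is_default_principal(self) -> Optional[bool]:
        """Principals created by default have RIDs below 1000 (e.g. 500 for
        Administrator, 512 for Domain Admins); custom ones get 1000 or more."""
        return None if self.rid is None else self.rid < 1000

    def __str__(self) -> str:
        return "S-%d-%d-%s" % (self.revision, self.authority,
                               "-".join(str(s) for s in self.sub_authorities))


def parse_sid(text: str) -> Sid:
    """Parse the textual form S-<revision>-<authority>-<sub>-...-<sub>."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError(f"not a SID string: {text!r}")
    return Sid(int(parts[1]), int(parts[2]), [int(p) for p in parts[3:]])


def machine_sid_from_v_value(v_data: bytes) -> Sid:
    """Recover the machine SID from the SAM\\Domains\\Account\\V binary value:
    the three domain sub-authorities sit in its last 12 bytes (96 bits).
    Assumption (not stated on the page): each is a little-endian DWORD."""
    if len(v_data) < 12:
        raise ValueError("V value too short to contain a machine SID")
    a, b, c = struct.unpack("<III", v_data[-12:])
    return Sid(1, 5, [21, a, b, c])


def service_sid(service_name: str) -> Sid:
    """Service SID: S-1-5-80-{SHA-1(service name in upper case)}.
    Assumption (not stated on the page): the name is hashed as UTF-16LE and
    the 20-byte digest is split into five little-endian DWORDs."""
    digest = hashlib.sha1(service_name.upper().encode("utf-16-le")).digest()
    return Sid(1, 5, [80] + list(struct.unpack("<5I", digest)))


# Constructed sample V value: arbitrary leading bytes, then the three domain
# sub-authorities of the example SID from the text in the last 12 bytes.
SAMPLE_V_VALUE = b"\x00" * 20 + struct.pack("<III", 3623811015, 3361044348, 30300820)


if __name__ == "__main__":
    s = parse_sid("S-1-5-21-3623811015-3361044348-30300820-1013")
    print(s.authority_name, s.domain_identifier, s.rid, s.is_default_principal())
    print("machine SID:", machine_sid_from_v_value(SAMPLE_V_VALUE))
    print("service SID:", service_sid("dnscache"))
```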

The following are well-known SIDs: SID: S-1-0Name: Null AuthorityDescription: An identifier authority. SID: S-1-0-0Name: NobodyDescription: No security principal. SID: S-1-1Name: World AuthorityDescription: An identifier authority. SID: S-1-1-0Name: EveryoneDescription: A group that includes all users, even anonymous users and guests. Membership is controlled by the operating system.

NoteBy default, the Everyone group no longer includes anonymous users on a computer that is running Windows XP Service Pack 2 (SP2). SID: S-1-2Name: Local AuthorityDescription: An identifier authority. SID: S-1-2-0Name: LocalDescription: A group that includes all users who have logged on locally. SID: S-1-2-1Name: Console LogonDescription: A group that includes users who are logged on to the physical console.

NoteAdded in Windows 7 and Windows Server 2008 R2 SID: S-1-3Name: Creator AuthorityDescription: An identifier authority. SID: S-1-3-0Name: Creator OwnerDescription: A placeholder in an inheritable access control entry (ACE). When the ACE is inherited, the system replaces this SID with the SID for the object's creator. SID: S-1-3-1Name: Creator GroupDescription: A placeholder in an inheritable ACE. When the ACE is inherited, the system replaces this SID with the SID for the primary group of the object's creator. The primary group is used only by the POSIX subsystem. SID: S-1-3-2Name: Creator Owner ServerDescription: This SID is not used in Windows 2000. SID: S-1-3-3Name: Creator Group ServerDescription: This SID is not used in Windows 2000. SID: S-1-3-4 Name: Owner RightsDescription: A group that represents the current owner of the object. When an ACE that carries this SID is applied to an object, the system ignores the implicit READ_CONTROL and WRITE_DAC permissions for the object owner. SID: S-1-5-80-0Name: All ServicesDescription: A group that includes all service processes configured on the system. Membership is controlled by the operating system.

NoteAdded in Windows Vista and Windows Server 2008 SID: S-1-4Name: Non-unique AuthorityDescription: An identifier authority. SID: S-1-5Name: NT AuthorityDescription: An identifier authority. SID: S-1-5-1Name: DialupDescription: A group that includes all users who have logged on through a dial-up connection. Membership is controlled by the operating system. SID: S-1-5-2Name: NetworkDescription: A group that includes all users that have logged on through a network connection. Membership is controlled by the operating system. SID: S-1-5-3Name: BatchDescription: A group that includes all users that have logged on through a batch queue facility. Membership is controlled by the operating system. SID: S-1-5-4Name: InteractiveDescription: A group that includes all users that have logged on interactively. Membership is controlled by the operating system. SID: S-1-5-5-X-YName: Logon SessionDescription: A logon session. The X and Y values for these SIDs are different for each session. SID: S-1-5-6Name: ServiceDescription: A group that includes all security principals that have logged on as a service. Membership is controlled by the operating system. SID: S-1-5-7Name: AnonymousDescription: A group that includes all users that have logged on anonymously. Membership is controlled by the operating system. SID: S-1-5-8Name: ProxyDescription: This SID is not used in Windows 2000. SID: S-1-5-9Name: Enterprise Domain ControllersDescription: A group that includes all domain controllers in a forest that uses an Active Directory directory service. Membership is controlled by the operating system. SID: S-1-5-10Name: Principal SelfDescription: A placeholder in an inheritable ACE on an account object or group object in Active Directory. When the ACE is inherited, the system replaces this SID with the SID for the security principal who holds the account. 
SID: S-1-5-11Name: Authenticated UsersDescription: A group that includes all users whose identities were authenticated when they logged on. Membership is controlled by the operating system. SID: S-1-5-12Name: Restricted CodeDescription: This SID is reserved for future use. SID: S-1-5-13Name: Terminal Server UsersDescription: A group that includes all users that have logged on to a Terminal Services server. Membership is controlled by the operating system. SID: S-1-5-14Name: Remote Interactive LogonDescription: A group that includes all users who have logged on through a terminal services logon. SID: S-1-5-15Name: This OrganizationDescription: A group that includes all users from the same organization. Only included with AD accounts and only added by a Windows Server 2003 or later domain controller. SID: S-1-5-17Name: This OrganizationDescription: An account that is used by the default Internet Information Services (IIS) user. SID: S-1-5-18Name: Local SystemDescription: A service account that is used by the operating system. SID: S-1-5-19Name: NT AuthorityDescription: Local Service SID: S-1-5-20Name: NT AuthorityDescription: Network Service SID: S-1-5-21domain-500Name: AdministratorDescription: A user account for the system administrator. By default, it is the only user account that is given full control over the system. SID: S-1-5-21domain-501Name: GuestDescription: A user account for people who do not have individual accounts. This user account does not require a password. By default, the Guest account is disabled. SID: S-1-5-21domain-502Name: KRBTGTDescription: A service account that is used by the Key Distribution Center (KDC) service. SID: S-1-5-21domain-512Name: Domain AdminsDescription: A global group whose members are authorized to administer the domain. By default, the Domain Admins group is a member of the Administrators group on all computers that have joined a domain, including the domain controllers. 
Domain Admins is the default owner of any object that is created by any member of the group. SID: S-1-5-21domain-513Name: Domain UsersDescription: A global group that, by default, includes all user accounts in a domain. When you create a user account in a domain, it is added to this group by default. SID: S-1-5-21domain-514Name: Domain GuestsDescription: A global group that, by default, has only one member, the domain's built-in Guest account. SID: S-1-5-21domain-515Name: Domain ComputersDescription: A global group that includes all clients and servers that have joined the domain. SID: S-1-5-21domain-516Name: Domain ControllersDescription: A global group that includes all domain controllers in the domain. New domain controllers are added to this group by default. SID: S-1-5-21domain-517Name: Cert PublishersDescription: A global group that includes all computers that are running an enterprise certification authority. Cert Publishers are authorized to publish certificates for User objects in Active Directory. SID: S-1-5-21root domain-518Name: Schema AdminsDescription: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make schema changes in Active Directory. By default, the only member of the group is the Administrator account for the forest root domain. SID: S-1-5-21root domain-519Name: Enterprise AdminsDescription: A universal group in a native-mode domain; a global group in a mixed-mode domain. The group is authorized to make forest-wide changes in Active Directory, such as adding child domains. By default, the only member of the group is the Administrator account for the forest root domain. SID: S-1-5-21domain-520Name: Group Policy Creator OwnersDescription: A global group that is authorized to create new Group Policy objects in Active Directory. By default, the only member of the group is Administrator. SID: S-1-5-21domain-553Name: RAS and IAS ServersDescription: A domain local group. 
By default, this group has no members. Servers in this group have Read Account Restrictions and Read Logon Information access to User objects in the Active Directory domain local group. SID: S-1-5-32-544Name: AdministratorsDescription: A built-in group. After the initial installation of the operating system, the only member of the group is the Administrator account. When a computer joins a domain, the Domain Admins group is added to the Administrators group. When a server becomes a domain controller, the Enterprise Admins group also is added to the Administrators group. SID: S-1-5-32-545Name: UsersDescription: A built-in group. After the initial installation of the operating system, the only member is the Authenticated Users group. When a computer joins a domain, the Domain Users group is added to the Users group on the computer. SID: S-1-5-32-546Name: GuestsDescription: A built-in group. By default, the only member is the Guest account. The Guests group allows occasional or one-time users to log on with limited privileges to a computer's built-in Guest account. SID: S-1-5-32-547Name: Power UsersDescription: A built-in group. By default, the group has no members. Power users can create local users and groups; modify and delete accounts that they have created; and remove users from the Power Users, Users, and Guests groups. Power users also can install programs; create, manage, and delete local printers; and create and delete file shares. SID: S-1-5-32-548Name: Account OperatorsDescription: A built-in group that exists only on domain controllers. By default, the group has no members. By default, Account Operators have permission to create, modify, and delete accounts for users, groups, and computers in all containers and organizational units of Active Directory except the Builtin container and the Domain Controllers OU. 
Account Operators do not have permission to modify the Administrators and Domain Admins groups, nor do they have permission to modify the accounts for members of those groups. SID: S-1-5-32-549Name: Server OperatorsDescription: A built-in group that exists only on domain controllers. By default, the group has no members. Server Operators can log on to a server interactively; create and delete network shares; start and stop services; back up and restore files; format the hard disk of the computer; and shut down the computer. SID: S-1-5-32-550Name: Print OperatorsDescription: A built-in group that exists only on domain controllers. By default, the only member is the Domain Users group. Print Operators can manage printers and document queues. SID: S-1-5-32-551Name: Backup OperatorsDescription: A built-in group. By default, the group has no members. Backup Operators can back up and restore all files on a computer, regardless of the permissions that protect those files. Backup Operators also can log on to the computer and shut it down. SID: S-1-5-32-552Name: ReplicatorsDescription: A built-in group that is used by the File Replication service on domain controllers. By default, the group has no members. Do not add users to this group. SID: S-1-5-64-10Name: NTLM AuthenticationDescription: A SID that is used when the NTLM authentication package authenticated the client SID: S-1-5-64-14Name: SChannel AuthenticationDescription: A SID that is used when the SChannel authentication package authenticated the client. SID: S-1-5-64-21Name: Digest AuthenticationDescription: A SID that is used when the Digest authentication package authenticated the client. SID: S-1-5-80Name: NT ServiceDescription: An NT Service account prefix SID: S-1-5-80-0SID S-1-5-80-0 = NT SERVICES\ALL SERVICESName: All ServicesDescription: A group that includes all service processes that are configured on the system. Membership is controlled by the operating system.

NoteAdded in Windows Server 2008 R2 SID: S-1-5-83-0Name: NT VIRTUAL MACHINE\Virtual MachinesDescription: A built-in group. The group is created when the Hyper-V role is installed. Membership in the group is maintained by the Hyper-V Management Service (VMMS). This group requires the "Create Symbolic Links" right (SeCreateSymbolicLinkPrivilege), and also the "Log on as a Service" right (SeServiceLogonRight).

NoteAdded in Windows 8 and Windows Server 2012 SID: S-1-16-0Name: Untrusted Mandatory LevelDescription: An untrusted integrity level. Note Added in Windows Vista and Windows Server 2008

NoteAdded in Windows Vista and Windows Server 2008 SID: S-1-16-4096Name: Low Mandatory LevelDescription: A low integrity level.

NoteAdded in Windows Vista and Windows Server 2008 SID: S-1-16-8192Name: Medium Mandatory LevelDescription: A medium integrity level.

NoteAdded in Windows Vista and Windows Server 2008 SID: S-1-16-8448Name: Medium Plus Mandatory LevelDescription: A medium plus integrity level.

NoteAdded in Windows Vista and Windows Server 2008 SID: S-1-16-12288Name: High Mandatory LevelDescription: A high integrity level.

NoteAdded in Windows Vista and Windows Server 2008 SID: S-1-16-16384Name: System Mandatory LevelDescription: A system integrity level.

NoteAdded in Windows Vista and Windows Server 2008 SID: S-1-16-20480Name: Protected Process Mandatory LevelDescription: A protected-process integrity level.

NoteAdded in Windows Vista and Windows Server 2008 SID: S-1-16-28672Name: Secure Process Mandatory LevelDescription: A secure process integrity level.

NoteAdded in Windows Vista and Windows Server 2008The following groups appear as SIDs until a Windows Server 2003 domain controller is made the primary domain controller (PDC) operations master role holder. The "operations master" is also known as flexible single master operations (FSMO). The following additional built-in groups are created when a Windows Server 2003 domain controller is added to the domain: SID: S-1-5-32-554Name: BUILTIN\Pre-Windows 2000 Compatible AccessDescription: An alias added by Windows 2000. A backward compatibility group which allows read access on all users and groups in the domain. SID: S-1-5-32-555Name: BUILTIN\Remote Desktop UsersDescription: An alias. Members in this group are granted the right to logon remotely. SID: S-1-5-32-556Name: BUILTIN\Network Configuration OperatorsDescription: An alias. Members in this group can have some administrative privileges to manage configuration of networking features. SID: S-1-5-32-557Name: BUILTIN\Incoming Forest Trust BuildersDescription: An alias. Members of this group can create incoming, one-way trusts to this forest. SID: S-1-5-32-558Name: BUILTIN\Performance Monitor UsersDescription: An alias. Members of this group have remote access to monitor this computer. SID: S-1-5-32-559Name: BUILTIN\Performance Log UsersDescription: An alias. Members of this group have remote access to schedule logging of performance counters on this computer. SID: S-1-5-32-560Name: BUILTIN\Windows Authorization Access GroupDescription: An alias. Members of this group have access to the computed tokenGroupsGlobalAndUniversal attribute on User objects. SID: S-1-5-32-561Name: BUILTIN\Terminal Server License ServersDescription: An alias. A group for Terminal Server License Servers. When Windows Server 2003 Service Pack 1 is installed, a new local group is created. SID: S-1-5-32-562Name: BUILTIN\Distributed COM UsersDescription: An alias. 
A group for COM to provide computerwide access controls that govern access to all call, activation, or launch requests on the computer.

The following groups appear as SIDs until a Windows Server 2008 or Windows Server 2008 R2 domain controller is made the primary domain controller (PDC) operations master role holder. The "operations master" is also known as flexible single master operations (FSMO). The following additional built-in groups are created when a Windows Server 2008 or Windows Server 2008 R2 domain controller is added to the domain: SID: S-1-5- 21domain-498Name: Enterprise Read-only Domain ControllersDescription: A Universal group. Members of this group are Read-Only Domain Controllers in the enterprise SID: S-1-5- 21domain-521Name: Read-only Domain ControllersDescription: A Global group. Members of this group are Read-Only Domain Controllers in the domain SID: S-1-5-32-569Name: BUILTIN\Cryptographic OperatorsDescription: A Builtin Local group. Members are authorized to perform cryptographic operations. SID: S-1-5-21domain-571Name: Allowed RODC Password Replication GroupDescription: A Domain Local group. Members in this group can have their passwords replicated to all read-only domain controllers in the domain. SID: S-1-5- 21domain-572Name: Denied RODC Password Replication GroupDescription: A Domain Local group. Members in this group cannot have their passwords replicated to any read-only domain controllers in the domain SID: S-1-5-32-573Name: BUILTIN\Event Log ReadersDescription: A Builtin Local group. Members of this group can read event logs from local machine. SID: S-1-5-32-574Name: BUILTIN\Certificate Service DCOM AccessDescription: A Builtin Local group. Members of this group are allowed to connect to Certification Authorities in the enterprise.

The following groups appear as SIDs until a Windows Server 2012 domain controller is made the primary domain controller (PDC) operations master role holder. The "operations master" is also known as flexible single master operations (FSMO). The following additional built-in groups are created when a Windows Server 2012 domain controller is added to the domain:

SID: S-1-5-21-domain-522
Name: Cloneable Domain Controllers
Description: A Global group. Members of this group that are domain controllers may be cloned.

SID: S-1-5-32-575
Name: BUILTIN\RDS Remote Access Servers
Description: A Builtin Local group. Servers in this group enable users of RemoteApp programs and personal virtual desktops access to these resources. In Internet-facing deployments, these servers are typically deployed in an edge network. This group needs to be populated on servers running RD Connection Broker. RD Gateway servers and RD Web Access servers used in the deployment need to be in this group.

SID: S-1-5-32-576
Name: BUILTIN\RDS Endpoint Servers
Description: A Builtin Local group. Servers in this group run virtual machines and host sessions where users' RemoteApp programs and personal virtual desktops run. This group needs to be populated on servers running RD Connection Broker. RD Session Host servers and RD Virtualization Host servers used in the deployment need to be in this group.

SID: S-1-5-32-577
Name: BUILTIN\RDS Management Servers
Description: A Builtin Local group. Servers in this group can perform routine administrative actions on servers running Remote Desktop Services. This group needs to be populated on all servers in a Remote Desktop Services deployment. The servers running the RDS Central Management service must be included in this group.

SID: S-1-5-32-578
Name: BUILTIN\Hyper-V Administrators
Description: A Builtin Local group. Members of this group have complete and unrestricted access to all features of Hyper-V.

SID: S-1-5-32-579
Name: BUILTIN\Access Control Assistance Operators
Description: A Builtin Local group. Members of this group can remotely query authorization attributes and permissions for resources on this computer.

SID: S-1-5-32-580
Name: BUILTIN\Remote Management Users
Description: A Builtin Local group. Members of this group can access WMI resources over management protocols (such as WS-Management via the Windows Remote Management service). This applies only to WMI namespaces that grant access to the user.

RID

In a Windows Active Directory (AD) domain, the process of generating unique Relative IDs (RIDs) is a single-master operation that's assigned to one specific domain controller (DC). This DC is then referred to as the RID master of the domain.

The RID master gives a pool of RIDs to each of the other DCs in the domain and keeps track of the sets of allocated RIDs for each DC. The domain-level RID pool controlled by the RID master can hold approximately one billion RIDs. RIDs are never reused, because a RID can't be reclaimed after a security principal is deleted. Reusing a RID could lead to unauthorized access to resources if the resources' access control settings referred to previously issued security IDs (SIDs) and RIDs.

To reduce the chance of running out of RIDs, you can increase the number of RIDs that are allocated by the RID master to each DC's RID pool by adjusting the RID Block Size value (REG_DWORD) on the RID master DC. The RID Block Size value is located in the following registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\RID Values

Users, computers, and groups stored in Active Directory are collectively known as security principals. Each security principal is assigned a unique alphanumeric string called a SID. The SID includes a domain prefix identifier that uniquely identifies the domain and a relative identifier (RID) that uniquely identifies the security principal within the domain. The RID is a monotonically increasing number at the end of the SID.

Each domain controller is assigned a pool of RIDs from the global RID pool by the domain controller that holds the RID master role (also known as flexible single master operations or FSMO) in each Active Directory domain. The RID master (also known as the RID pool manager, RID manager, or RID operations master) is responsible for issuing a unique RID pool to each domain controller in its domain. By default, RID pools are obtained in increments of 500. Since RIDs are 30 bits in length, a maximum of 1,073,741,824 (2^30) security principals can be created in an Active Directory domain. Newly promoted domain controllers must acquire a RID pool before they can advertise their availability to Active Directory clients or share the SYSVOL. Existing domain controllers require additional RID allocations in order to continue creating security principals when their current RID pool becomes depleted.
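The following is an added example, not code from the original page: it reads the domain-wide RID pool the RID master hands out from (the rIDAvailablePool attribute on the RID Manager object, whose high 32 bits hold the ceiling and whose low 32 bits hold the next RID to issue), splits a SID into its domain prefix and RID, and reads the RID Block Size override from the registry subkey named above. It assumes the ActiveDirectory module (RSAT) in a domain-joined session; the sample SID and pool value are constructed.

```powershell
# Added example (not from the original page): RID consumption in the current domain.
# Assumes the ActiveDirectory module (RSAT) in a domain-joined session; the registry
# value is only meaningful when read on the RID master itself.
Import-Module ActiveDirectory

function Split-Sid {
    # Splits a SID string into its domain prefix and the RID (the last sub-authority).
    param([Parameter(Mandatory)][string]$Sid)
    $parts = $Sid.Split('-')
    if ($parts.Count -lt 4 -or $parts[0] -ne 'S') { throw "Not a SID: $Sid" }
    [pscustomobject]@{
        DomainPrefix = ($parts[0..($parts.Count - 2)] -join '-')
        Rid          = [int64]$parts[-1]
    }
}

function ConvertFrom-RidAvailablePool {
    # rIDAvailablePool is a 64-bit value: high 32 bits = highest RID the domain may issue,
    # low 32 bits = next RID the RID master will hand out to a DC's pool.
    param([Parameter(Mandatory)][int64]$Value)
    $maxRid  = $Value -shr 32
    $nextRid = $Value -band 4294967295   # 0xFFFFFFFF as an Int64 literal
    [pscustomobject]@{
        MaxRid        = $maxRid
        NextRid       = $nextRid
        RemainingRids = $maxRid - $nextRid
        PercentUsed   = [math]::Round(100 * $nextRid / $maxRid, 4)
    }
}

function Get-RidPoolStatus {
    # Reads the domain-wide pool from the RID Manager object in the domain partition.
    $domainDn = (Get-ADDomain).DistinguishedName
    $rm = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + $domainDn) -Properties rIDAvailablePool
    ConvertFrom-RidAvailablePool -Value ([int64]$rm.rIDAvailablePool)
}

function Get-RidBlockSize {
    # RID Block Size override from the subkey named in the text; 500 when it is not set.
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\RID Values'
    $item = Get-ItemProperty -Path $key -Name 'RID Block Size' -ErrorAction SilentlyContinue
    if ($item) { [int]$item.'RID Block Size' } else { 500 }
}

# Constructed sample: default ceiling 0x3FFFFFFF (1,073,741,823) with 1600 RIDs issued so far.
ConvertFrom-RidAvailablePool -Value 4611686014132422208
# Constructed sample SID: prefix S-1-5-21-1000000000-2000000000-3000000000, RID 1106.
Split-Sid -Sid 'S-1-5-21-1000000000-2000000000-3000000000-1106'

# Against the live domain:
# Get-RidPoolStatus
# Get-RidBlockSize
```

A domain that is burning through RIDs (for example because a provisioning system creates and deletes accounts in bulk) shows up as a NextRid that climbs far faster than the number of live principals, since deleted principals never give their RID back.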

Active Directory Restore

Three types of System State restores exist: Authoritative, Non-Authoritative, and Primary.

An Authoritative restore consists of running NTDSUTIL after the restore is complete. Running NTDSUTIL updates the USNs (update sequence numbers) to be greater than those of any other domain controller to which the machine formerly replicated. After an authoritative restore, the domain controller replicates its restored changes to the other domain controllers, bringing them back to the point at which the backup was taken. Use this option if a number of users were accidentally deleted through Active Directory. At the NTDSUTIL.EXE prompt, enter activate instance ntds, then go to the authoritative restore option and restore the subtree or object by its distinguished name.

A Non-Authoritative restore is any System State restore, Active Directory or not, that overwrites the System State to the point at which it was backed up. This is the recommended way of fully restoring a machine from a file-by-file backup. If the machine's registry is damaged or corrupt but the machine is still bootable into Safe Mode, its System State may be restored instead of re-installing the operating system.

A Primary Restore is performed on the first domain controller in a domain that is being entirely rebuilt, when no other domain controllers are present on the network. You may also use this type of restore when the machine is the only functioning server in a replicated data set. For instance, the SYSVOL directory is a replicated data set, as it is automatically replicated to other domain controllers via the File Replication Service.
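The authoritative restore step described above, written out as an added example (not commands from the original page). It assumes the System State has already been restored and the domain controller is still in Directory Services Restore Mode; the distinguished names are placeholders for your environment.

```powershell
# Added example (not from the original page): the NTDSUTIL part of an authoritative
# restore, run after the System State restore, while the DC is still in Directory
# Services Restore Mode. Each quoted argument is one ntdsutil command; 'quit' twice
# leaves the authoritative restore menu and then ntdsutil itself. The DNs are
# placeholders (kept free of spaces so they need no inner quoting).

# Mark a whole OU, and everything under it, as authoritative:
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore subtree OU=Sales,DC=lab,DC=local" quit quit

# Or only a single object:
ntdsutil "activate instance ntds" "authoritative restore" `
    "restore object CN=jdoe,OU=Sales,DC=lab,DC=local" quit quit

# Leaving out the ntdsutil step gives the non-authoritative case: after the reboot the
# DC accepts the newer state from its replication partners, so objects deleted after
# the backup stay deleted.
```

The restore subtree and restore object commands raise the version numbers of the restored objects so that they win against the deletions held by every other domain controller when replication resumes; restore no more than the objects that were actually lost, because everything marked authoritative also overwrites legitimate changes made since the backup.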

Get Forest and Domain Functional Level

Get the forest functional level using dsquery:

dsquery * "CN=Partitions,CN=Configuration,DC=lab,DC=local" -scope base -attr msDS-Behavior-Version

Conversion table (msDS-Behavior-Version):
0 = Windows 2000
1 = Windows 2003 interim
2 = Windows 2003
3 = Windows 2008
4 = Windows 2008 R2
5 = Windows 2012

Get the domain functional level using dsquery:

dsquery * "DC=lab,DC=local" -scope base -attr msDS-Behavior-Version ntMixedDomain

Conversion table (msDS-Behavior-Version, ntMixedDomain):
0, 0 = Windows 2000 Native
0, 1 = Windows 2000 Mixed
2, 0 = Windows 2003
3, 0 = Windows 2008
4, 0 = Windows 2008 R2
5, 0 = Windows 2012

Get the Active Directory schema version using dsquery:

dsquery * "CN=Schema,CN=Configuration,DC=lab,DC=local" -scope base -attr objectVersion

Conversion table (objectVersion):
13 = Windows 2000 Server
30 = Windows Server 2003 RTM, Windows Server 2003 with Service Pack 1, Windows Server 2003 with Service Pack 2
31 = Windows Server 2003 R2
44 = Windows Server 2008 RTM
47 = Windows Server 2008 R2
56 = Windows Server 2012 RTM

Active Directory Partitions

Schema partition: contains definitional details about the objects and attributes that can be stored in AD. Replicates to all domain controllers in the forest. Static in nature.

Configuration partition: contains configuration data about the forest and its trees. Replicates to all domain controllers in the forest. As static as your forest is.

Domain partition: contains object information for a domain. Replicates to all domain controllers within that domain. A partial set of each object's attributes becomes part of the Global Catalog.

Application partition: contains application data held in Active Directory. For example, when AD-integrated DNS is used there are two application partitions for DNS zones, ForestDNSZones and DomainDNSZones.
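An added example (not from the original page) covering both the functional-level lookups and the partition list: it reads the same attributes the dsquery commands above read (msDS-Behavior-Version, ntMixedDomain, objectVersion) through the ActiveDirectory module, maps them with the conversion tables above, and lists the naming contexts (partitions) the contacted domain controller hosts. Values newer than the tables are reported as unknown rather than guessed; the module and a domain-joined session are assumed.

```powershell
# Added example (not from the original page): functional levels, schema version and
# hosted partitions via the ActiveDirectory module, mapped with the tables in the text.
Import-Module ActiveDirectory

$BehaviorVersionNames = @{
    0 = 'Windows 2000'; 1 = 'Windows 2003 interim'; 2 = 'Windows 2003'
    3 = 'Windows 2008'; 4 = 'Windows 2008 R2';      5 = 'Windows 2012'
}
$SchemaVersionNames = @{
    13 = 'Windows 2000 Server'; 30 = 'Windows Server 2003 RTM/SP1/SP2'; 31 = 'Windows Server 2003 R2'
    44 = 'Windows Server 2008 RTM'; 47 = 'Windows Server 2008 R2'; 56 = 'Windows Server 2012 RTM'
}

function ConvertTo-FunctionalLevelName {
    # Domain level 0 is split by ntMixedDomain (1 = Mixed, 0 = Native); for the forest
    # level, which has no ntMixedDomain, leave that parameter out.
    param([Parameter(Mandatory)][int]$BehaviorVersion, [int]$NtMixedDomain = -1)
    if ($BehaviorVersion -eq 0 -and $NtMixedDomain -ge 0) {
        if ($NtMixedDomain -eq 1) { return 'Windows 2000 Mixed' } else { return 'Windows 2000 Native' }
    }
    if ($BehaviorVersionNames.ContainsKey($BehaviorVersion)) { return $BehaviorVersionNames[$BehaviorVersion] }
    return "Unknown (msDS-Behavior-Version=$BehaviorVersion, newer than the table)"
}

function Get-AdLevelReport {
    param([string]$Server)
    $s = @{}; if ($Server) { $s.Server = $Server }
    $root = Get-ADRootDSE @s
    $cfg  = Get-ADObject @s -Identity "CN=Partitions,$($root.configurationNamingContext)" -Properties 'msDS-Behavior-Version'
    $dom  = Get-ADObject @s -Identity $root.defaultNamingContext -Properties 'msDS-Behavior-Version', 'ntMixedDomain'
    $sch  = Get-ADObject @s -Identity $root.schemaNamingContext -Properties 'objectVersion'
    $schemaVersion = [int]$sch.objectVersion
    $schemaName = 'Unknown (newer than the table)'
    if ($SchemaVersionNames.ContainsKey($schemaVersion)) { $schemaName = $SchemaVersionNames[$schemaVersion] }
    [pscustomobject]@{
        ForestLevel   = ConvertTo-FunctionalLevelName -BehaviorVersion $cfg.'msDS-Behavior-Version'
        DomainLevel   = ConvertTo-FunctionalLevelName -BehaviorVersion $dom.'msDS-Behavior-Version' -NtMixedDomain ([int]$dom.ntMixedDomain)
        SchemaVersion = $schemaVersion
        SchemaName    = $schemaName
        Partitions    = @($root.namingContexts)   # schema, configuration, domain and application partitions
    }
}

# Constructed samples, checked against the tables without a directory:
ConvertTo-FunctionalLevelName -BehaviorVersion 4                    # Windows 2008 R2
ConvertTo-FunctionalLevelName -BehaviorVersion 0 -NtMixedDomain 1   # Windows 2000 Mixed

# Live query (optionally against a specific DC with -Server):
# Get-AdLevelReport | Format-List
```

The Partitions list is where the ForestDNSZones and DomainDNSZones application partitions mentioned above appear, alongside the schema, configuration and domain naming contexts.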

Aging

Aging is a feature that allows stale DNS records to be identified. It uses two intervals (the no-refresh interval and the refresh interval), and a DNS record is considered stale once both have elapsed since the record's timestamp was last updated.

Scavenging

Scavenging is a feature that allows the cleanup and removal of stale resource records in DNS zones.
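An added example (not from the original page) of the two aging intervals at work and of the cmdlets that turn aging and scavenging on. It assumes the DnsServer module (Windows Server 2012 or later); the zone name is a placeholder and the sample timestamps are constructed.

```powershell
# Added example (not from the original page): which dynamically registered records in a
# zone are stale under its aging intervals, and how aging/scavenging are switched on.
# Assumes the DnsServer module; 'lab.local' is a placeholder zone.
Import-Module DnsServer

function Test-DnsRecordStale {
    # A timestamped record first sits in the no-refresh interval (its timestamp cannot be
    # advanced), then in the refresh interval (a re-registration advances it). Only once
    # both have elapsed is the record stale and eligible for scavenging.
    param(
        [Parameter(Mandatory)][datetime]$Timestamp,
        [Parameter(Mandatory)][timespan]$NoRefreshInterval,
        [Parameter(Mandatory)][timespan]$RefreshInterval,
        [datetime]$Now = (Get-Date)
    )
    return ($Timestamp + $NoRefreshInterval + $RefreshInterval) -lt $Now
}

function Get-StaleDnsRecord {
    # Static records carry no timestamp and are never scavenged, so they are skipped.
    param([Parameter(Mandatory)][string]$ZoneName)
    $aging = Get-DnsServerZoneAging -Name $ZoneName
    if (-not $aging.AgingEnabled) { Write-Warning "Aging is off for $ZoneName; timestamps are not maintained" }
    Get-DnsServerResourceRecord -ZoneName $ZoneName |
        Where-Object { $_.Timestamp -and (Test-DnsRecordStale -Timestamp $_.Timestamp -NoRefreshInterval $aging.NoRefreshInterval -RefreshInterval $aging.RefreshInterval) } |
        Select-Object HostName, RecordType, Timestamp
}

# Constructed samples with 7-day intervals:
$week = [timespan]::FromDays(7)
Test-DnsRecordStale -Timestamp (Get-Date).AddDays(-20) -NoRefreshInterval $week -RefreshInterval $week   # True
Test-DnsRecordStale -Timestamp (Get-Date).AddDays(-10) -NoRefreshInterval $week -RefreshInterval $week   # False

# Turn aging on for the zone (per-zone intervals) and scavenging on for the server;
# nothing is removed until the server-level scavenging state is enabled as well.
# Set-DnsServerZoneAging -Name 'lab.local' -Aging $true -NoRefreshInterval 7.00:00:00 -RefreshInterval 7.00:00:00
# Set-DnsServerScavenging -ScavengingState $true -ScavengingInterval 7.00:00:00
# Get-StaleDnsRecord -ZoneName 'lab.local'
```

Review the stale list before enabling scavenging on a zone that has never been scavenged: the first pass removes everything that has aged out, and a record for a decommissioned host that lingers points clients at whatever machine later receives that address.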

Stub zones

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

A stub zone consists of:

The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.

The IP address of one or more master servers that can be used to update the stub zone.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

A stub zone contains the NS records of the master zone, which are updated regularly. Stub zones can be used in the following situations:

If you have multiple levels of domain hierarchy, you can use stub zones to simplify name resolution instead of having DNS servers query the root server. Stub zones can replace secondary zones when configuring fault tolerance. They can facilitate DNS connectivity across domains. Consider this example: you have the forest contoso.com and the following domain tree: ny.contoso.com (with acc.ny.contoso.com as a subdomain) and sa.contoso.com (with fin.sa.contoso.com as a subdomain).

So if a client in acc.ny.contoso.com tries to access resources in fin.sa.contoso.com and stub zones are not configured, then multiple DNS servers have to be contacted, in the following order: acc.ny.contoso.com > ny.contoso.com > contoso.com > sa.contoso.com > fin.sa.contoso.com.

If instead a stub zone is created in acc.ny.contoso.com, it contains the list of authoritative DNS servers for the fin.sa.contoso.com zone, and queries from acc.ny.contoso.com can be sent directly to fin.sa.contoso.com.

You could argue that the same thing can be configured through conditional forwarding, but if the DNS records of the target servers change then conditional forwarding would fail. Conditional forwarding can be used in situations where you want to resolve Internet names or if you have a DNS server in your organisation that is responsible for your entire namespace. Stub zones can be used in sites to avoid querying other DNS servers and reduce DNS-related traffic.

Stub zones also help with delegation. For example, a parent zone contains information about a child zone, i.e. it contains NS records for the 2 DNS servers configured for the child zone. If the administrator of the child adds additional DNS servers or makes changes to the existing DNS infrastructure, the parent zone won't know about this change. If instead the parent DNS server is configured with a stub zone for its child zone, then all changes made to the child zone's NS records become available to the parent zone.

Stub zones are dynamic and the name servers for the zone are automatically updated in the stub zone.
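The contoso.com scenario above as an added example (not commands from the original page), seen from the DNS servers of acc.ny.contoso.com: it creates the stub zone for fin.sa.contoso.com, shows the conditional-forwarder alternative the text contrasts it with, and reads back the NS records the stub zone has learned. It assumes the DnsServer module; the master server addresses and the test host name are placeholders.

```powershell
# Added example (not from the original page): stub zone versus conditional forwarder for
# the fin.sa.contoso.com child zone, created on the acc.ny.contoso.com DNS servers.
# Assumes the DnsServer module; addresses and the test host are placeholders.
Import-Module DnsServer

$childZone    = 'fin.sa.contoso.com'
$childMasters = '10.40.1.10', '10.40.1.11'   # placeholders: authoritative servers of the child

# Stub zone: only SOA, NS and glue A records, refreshed from the masters, so NS changes
# made by the child's administrators appear here without anyone editing this server.
Add-DnsServerStubZone -Name $childZone -MasterServers $childMasters -ReplicationScope Forest

# Conditional forwarder alternative (a name can be only one zone type, so use one or the
# other): a fixed target list that goes stale when the child's servers change.
# Add-DnsServerConditionalForwarderZone -Name $childZone -MasterServers $childMasters -ReplicationScope Forest

function Get-StubZoneNameServer {
    # The NS records a stub zone has learned from its masters.
    param([Parameter(Mandatory)][string]$ZoneName)
    $zone = Get-DnsServerZone -Name $ZoneName
    if ($zone.ZoneType -ne 'Stub') { throw "$ZoneName is a $($zone.ZoneType) zone, not a stub zone" }
    Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType NS |
        ForEach-Object { $_.RecordData.NameServer }
}

Get-StubZoneNameServer -ZoneName $childZone

# A query handled by this server now goes straight to the child's authoritative servers
# instead of walking acc.ny -> ny -> contoso.com -> sa -> fin.sa:
Resolve-DnsName -Name "host1.$childZone" -Server 'localhost' -Type A
```

Because the stub zone trusts whatever NS records the masters return, keep the master list limited to servers you control and check Get-StubZoneNameServer after changes in the child, so that a surprising name server shows up in the stub zone before clients start using it.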

Blue Screen of Death

BSoDs have been present in Windows NT 3.1 (the first release of the NT family) and all Windows operating systems released afterwards. (See History of Microsoft Windows.) BSoDs can be caused by poorly written device drivers or malfunctioning hardware, such as faulty memory, power supply issues, overheating of components, or hardware running beyond its specification limits. In the Windows 9x era, incompatible DLLs or bugs in the operating system kernel could also cause BSoDs. Because of the instability and lack of memory protection in Windows 9x, BSoDs were much more common.

The most common BSoD is displayed on an 80x25 text-mode screen, which is the operating system's way of reporting an interrupt caused by a processor exception; it is a more serious form of the general protection fault dialog boxes. The memory address of the error is given and the error type is a hexadecimal number from 00 to 11 (0 to 17 decimal). The error codes are as follows:[17]

00: Division fault
02: Non-Maskable Interrupt
04: Overflow Trap
05: Bounds Check Fault
06: Invalid Opcode Fault
07: "Coprocessor Not Available" Fault
08: Double Fault
09: Coprocessor Segment Overrun
0A: Invalid Task State Segment Fault
0B: Not Present Fault
0C: Stack Fault
0D: General Protection Fault
0E: Page Fault
10: Coprocessor Error Fault
11: Alignment Check Fault

Common reasons for BSoDs are:

Problems that occur with incompatible versions of DLLs: Windows loads these DLLs into memory when they are needed by application programs; if versions are changed, the next time an application loads the DLL it may be different from what the application expects. These incompatibilities increase over time as more new software is installed, and are one of the main reasons why a freshly installed copy of Windows is more stable than an "old" one.

Faulty or poorly written device drivers.

Hardware incompatibilities.

Damaged hardware may also cause a BSoD.

"Operations master roles" and "FSMO Roles". In addition to that, let's discuss what happens when a specific FSMO is not online/available:

Schema Master/FSMO unavailable: this is not visible to users directly as users do not need it. Only admins need this FSMO to extend the AD schema. When not available you cannot extend the AD schema to support your custom extensions or other extensions to support other (Microsoft) products (e.g. Exchange, OCS/Lync, etc.). These activities are not done on a day-to-day basis, so relatively speaking it is not critical when not available.

Domain Naming Master/FSMO unavailable: this is not visible to users directly as users do not need it. Only admins need this FSMO to add new partitions/naming contexts (e.g. AD domains, application partitions) and cross-references to other partitions outside the AD forest. When not available you cannot do what I mentioned earlier. These activities are not done on a day-to-day basis, so relatively speaking it is not critical when not available.

Infrastructure Master/FSMO unavailable: this may not be visible directly to users or admins. Only admins may need to execute ADPREP (during AD upgrades) or migrate objects between AD domains (intra-forest migrations only). The infrastructure master (IM) keeps placeholder objects (so-called phantoms) used in references up to date. The following only applies to objects within the same AD forest. For example, if a group in domain A contains a user from domain B, the IM will create a placeholder object (a phantom) in domain A that represents the user from domain B, but only if the IM is not a GC. The DC with the IM FSMO should not be a GC if there is at least ANOTHER DC in the same AD domain that is ALSO NOT a GC. The IM also keeps the phantom object up to date with information from the real object (e.g. distinguishedName, objectGUID, objectSid). The IM is also used by ADPREP to perform actions against domain NCs and application NCs. And if I'm not mistaken, the IM is also used for intra-forest migrations of objects (I need to blog about this!). Also see "The Infrastructure Master FSMO And The GC Role" and "Phantoms, tombstones and the infrastructure master". Remember that when the Recycle Bin is enabled in a W2K8R2 AD, every DC becomes an infrastructure master. In that last case the regular IM FSMO becomes unimportant. In a single-domain AD forest, the IM is also less important as it does not need to update phantoms and you cannot perform an intra-forest migration as you only have one AD domain.

RID Master/FSMO unavailable: this is not visible to users directly as users do not need it. Only admins and provisioning systems need this FSMO to be available to be able to create security principals (groups, computers, users). In time, every RWDC (RODCs do not!) has two RID pools, the current RID pool and the reserve RID pool, and each is a block of 500 RIDs. When the current RID pool is exhausted, the DC copies the value of the reserve RID pool to the current RID pool. When the current RID pool is exhausted for at least 50%, the RWDC requests a new RID pool from the RID FSMO and stores the value in the reserve RID pool, etc., etc. When the RID FSMO is not available, RWDCs cannot request RID pools. You can still create security principals on a RWDC as long as its RID pools are not fully exhausted. When the RID pools are fully exhausted on any RWDC, you can still use any other RWDC as long as its RID pools are not fully exhausted. When the RID pools of all RWDCs in the AD domain are fully exhausted. Did you know that the domain RID pool is limited? If you did not, it actually is! The top limit is "1073741823" (over 1 billion RIDs!). Also see "RID Master FSMO Explained".

PDC Master/FSMO unavailable: the RWDC with the PDC FSMO role is the busiest FSMO as it performs all kinds of functions. This is actually also the FSMO role that will impact users most. The PDC FSMO performs the following functions:

[1] Acts as the central time sync authority within an AD forest (this only applies to the PDC FSMO in the forest root AD domain). For this also see "Configuring And Managing The Windows Time Service (Part 1)", "Configuring And Managing The Windows Time Service (Part 2)", "Configuring And Managing The Windows Time Service (Part 3)" and "Configuring And Managing The Windows Time Service (Part 4)".
[2] Any password changes or account lockouts that occur on any DC are communicated to the RWDC with the PDC FSMO over the secure channel directly.
[3] When a logon is attempted against a RWDC and fails (because of an incorrect password), that RWDC will check with the RWDC hosting the PDC FSMO if it has a newer password.
[4] Editing GPOs by default occurs against the RWDC with the PDC FSMO.
[5] When root scalability mode is not enabled (the default), DFS root servers get updates from the RWDC with the PDC FSMO. When root scalability is enabled, DFS root servers get updates from the closest DC instead.
[6] The PDC FSMO is the only DC that applies the Password policy settings and the account lockout policy settings specified at domain level and writes the information to the domain NC.
[7] The AdminSDHolder process is not executed to check protected groups/users and reconfigure the ACLs if needed.
[8] If you have NT-style applications that want/need to target the PDC, those apps will probably break as soon as the PDC is not available.

For more information about FSMO failures, see "Responding to operations master failures".

Operations master role failures

Some of the operations master roles are crucial to the operation of your network. Others can be unavailable for quite some time before their absence becomes a problem. Generally, you will notice that a single master operations role holder is unavailable when you try to perform some function controlled by the particular operations master.

If an operations master is not available due to computer failure or network problems, you can seize the operations master role. This is also referred to as forcing the transfer of the operations master role. Do not seize the operations master role if you can transfer it instead. For more information, see Transferring operations master roles.

Note: The operations master roles are sometimes called flexible single master operations (FSMO) roles.

Before forcing the transfer, first determine the cause and expected duration of the computer or network failure. If the cause is a networking problem or a server failure that will be resolved soon, wait for the role holder to become available again. If the domain controller that currently holds the role has failed, you must determine if it can be recovered and brought back online.

In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again. The decision depends upon the role and how long the particular role holder will be unavailable. The impact of various role holder failures is discussed in the following topics.

Schema master failure

Temporary loss of the schema master is not visible to network users. It will not be visible to network administrators either, unless they are trying to modify the schema or install an application that modifies the schema during installation. If the schema master will be unavailable for an unacceptable length of time, you can seize the role to the standby operations master. However, seizing this role is a drastic step that you should take only when the failure of the schema master is permanent.

Important: A domain controller whose schema master role has been seized must never be brought back online. For procedures on how to seize the schema master role, see Seize the schema master role.

Domain naming master failure

Temporary loss of the domain naming master is not visible to network users. It will not be visible to network administrators either, unless they are trying to add a domain to the forest or remove a domain from the forest. If the domain naming master will be unavailable for an unacceptable length of time, you can seize the role to the standby operations master. However, seizing this role is a drastic step that you should take only when the failure of the domain naming master is permanent.

Important: A domain controller whose domain naming master role has been seized must never be brought back online. For procedures on how to seize the domain naming master role, see Seize the domain naming master role.

RID master failure

Temporary loss of the RID master is not visible to network users. It will not be visible to network administrators either, unless they are creating objects and the domain in which they are creating the objects runs out of relative IDs (RIDs). If the RID master will be unavailable for an unacceptable length of time, you can seize the role to the standby operations master. However, seizing this role is a drastic step that you should take only when the failure of the RID master is permanent.

Important: A domain controller whose RID master role has been seized must never be brought back online. For procedures on how to seize the RID master role, see Seize the RID master role.

PDC emulator master failure

The severity of a PDC outage depends on your Service Level Agreement (SLA) and the actual behavior and configuration of the environment. For example, inconsistent password change behavior may affect users beyond what your SLAs allow, or the lack of time synchronization may cause resource access failures. Also, in smaller environments, it may happen that the PDC, as the first server in the domain, is the only DNS or Global Catalog server, or is the only domain controller (DC) with a valid SYSVOL in case other DCs did not successfully initiate or maintain SYSVOL replication. The PDC role holder may also be the target for regular file server access. When this is done for folder redirection or logon script activities, it may also affect users when logging on and while they work.

Other than the conditions described above, there is no direct dependency of the domain members on the PDC role holder. However, you might be using applications that are coded to contact the PDC only. You should try to avoid having this single point of failure. Often, these applications were written for Windows NT 3.x and 4.0 deployments where the PDC was the only writable DC. However, since Active Directory, all DCs except Read-Only DCs are writable. The DsGetDcName API allows you to pick the right type; similar options are available in AD API interfaces like ADSI (ADS_READONLY_SERVER) or the .NET runtime.

The loss of the primary domain controller (PDC) emulator master may affect network users. Therefore, when the PDC emulator master is not available, you may need to immediately seize the role. For procedures on how to seize the PDC emulator role, see Seize the PDC emulator role.

Infrastructure master failure

Temporary loss of the infrastructure master is not visible to network users. It will not be visible to network administrators either, unless they have recently moved or renamed a large number of accounts. If the infrastructure master will be unavailable for an unacceptable length of time, you can seize the role to a domain controller that is not a global catalog but is well connected to a global catalog (from any domain), ideally in the same site as the current global catalog. When the original infrastructure master is returned to service, you can transfer the role back to the original domain controller.
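An added example (not from the original page) that serves both the "what happens when an FSMO is unavailable" discussion and the failure topics above: it locates the five role holders, checks that each still answers LDAP, applies the infrastructure master / global catalog rule stated above, and shows the transfer and seize commands side by side. It assumes the ActiveDirectory module; 'DC02' is a placeholder for the domain controller receiving a role.

```powershell
# Added example (not from the original page): FSMO role holders, reachability, the
# IM/GC placement rule, and transfer versus seizure. Assumes the ActiveDirectory module;
# 'DC02' is a placeholder target DC.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-FsmoRoleHolder {
    # Binds to each holder's RootDSE; a holder that does not answer is the failure case
    # the text describes for that role.
    $roles = Get-FsmoRoleHolder
    foreach ($p in $roles.PSObject.Properties) {
        $ok = $false
        try { $null = Get-ADRootDSE -Server $p.Value -ErrorAction Stop; $ok = $true } catch { }
        [pscustomobject]@{ Role = $p.Name; Holder = $p.Value; Reachable = $ok }
    }
}

function Test-InfrastructureMasterPlacement {
    # Rule from the text: the IM must not be a GC when another DC in the same domain is
    # also not a GC. When every DC is a GC (or the forest has one domain) it is moot.
    $im   = (Get-ADDomain).InfrastructureMaster
    $dcs  = Get-ADDomainController -Filter *
    $imDc = $dcs | Where-Object { $_.HostName -eq $im }
    $otherNonGc = @($dcs | Where-Object { $_.HostName -ne $im -and -not $_.IsGlobalCatalog })
    if ($imDc.IsGlobalCatalog -and $otherNonGc.Count -gt 0) {
        return "Infrastructure master $im is a GC while non-GC DCs exist: $($otherNonGc.HostName -join ', ')"
    }
    return "Infrastructure master placement is fine ($im)"
}

Test-FsmoRoleHolder | Format-Table -AutoSize
Test-InfrastructureMasterPlacement

# Transfer (preferred; the current holder is online and hands the role over cleanly):
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole PDCEmulator, RIDMaster
# Seize (only when the current holder is permanently gone; as the text says, it must
# never be brought back online afterwards):
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole SchemaMaster -Force
```

Run Test-FsmoRoleHolder from a monitoring host on a schedule: an unreachable PDC emulator is the case the text singles out as user-visible, while the other roles can stay unreachable for a while, so the alert thresholds can differ per role.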

Understanding SYSVOL/GPO replication

The Group Policy template (GPT) and the Group Policy container (GPC) are the two parts of a Group Policy Object. They are stored in two different locations and use different replication technologies to replicate changes; both must be present and up to date on a domain controller for the policy to function properly.

Group Policy templates are stored in SYSVOL, as a folder structure in the SYSVOL share on a domain controller. When you create a new Group Policy, a Group Policy template folder is created in the SYSVOL share for the new policy; it contains the settings that belong to that policy. The GPT folder name is the Globally Unique Identifier (GUID) of the GPO you created. You can view all GPT folders at the following path (the default GPT path):

C:\Windows\Sysvol\Sysvol\DomainName\Policies

The Group Policy template (GPT) is replicated with SYSVOL through FRS. FRS uses state-based replication: as soon as any file under the SYSVOL folder structure changes, replication is triggered and the entire file is replicated.

Group Policy containers are stored in Active Directory. Almost all GPO settings are stored in the GPT; the GPC holds only reference information about the corresponding GPO, such as the GPT path, the GUID of the GPO, version information, WMI filter information, and a list of components that have settings in the GPO. You can view the GPC in Active Directory Users and Computers (ADUC) under:

\System\Policies

The Group Policy container (GPC) is replicated through Active Directory replication.

Note: By default the Group Policy Management Editor console (GPME) uses the PDC Emulator so that all administrators work on the same domain controller. If you want a different domain controller, you can change it through the Group Policy Management console (GPMC).
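An added example (not from the original page) of checking that the two halves of a GPO have arrived together on a given domain controller: it compares the version number in the GPC (the versionNumber attribute in Active Directory) with the one in the GPT (the Version= line of GPT.INI in SYSVOL) on that DC. Since the GPC travels by AD replication and the GPT by SYSVOL replication, a mismatch on one DC means that DC has not yet received one side. It assumes the ActiveDirectory module; the GPO GUID and DC name are placeholders and the sample GPT.INI text is constructed.

```powershell
# Added example (not from the original page): GPC versus GPT version of a GPO on one DC.
# Assumes the ActiveDirectory module; the GUID and DC name are placeholders.
Import-Module ActiveDirectory

function ConvertFrom-GpoVersion {
    # The 32-bit version holds the user settings version in the high 16 bits and the
    # computer settings version in the low 16 bits.
    param([Parameter(Mandatory)][int64]$Version)
    [pscustomobject]@{
        UserVersion     = ($Version -shr 16) -band 0xFFFF
        ComputerVersion = $Version -band 0xFFFF
    }
}

function Get-GptIniVersion {
    # Reads the Version= line of GPT.INI text ([General] section, one key per line).
    param([Parameter(Mandatory)][string]$IniText)
    foreach ($line in ($IniText -split "`r?`n")) {
        if ($line -match '^\s*Version\s*=\s*(\d+)\s*$') { return [int64]$Matches[1] }
    }
    throw 'GPT.INI has no Version= line'
}

function Compare-GpoVersion {
    # Reads both copies from the same DC: the GPC over LDAP, the GPT from that DC's SYSVOL share.
    param([Parameter(Mandatory)][string]$GpoGuid, [Parameter(Mandatory)][string]$Server)
    $domain  = Get-ADDomain -Server $Server
    $gpc     = Get-ADObject -Server $Server -Identity "CN={$GpoGuid},CN=Policies,CN=System,$($domain.DistinguishedName)" -Properties versionNumber
    $gptPath = "\\$Server\SYSVOL\$($domain.DNSRoot)\Policies\{$GpoGuid}\GPT.INI"
    $gptVer  = Get-GptIniVersion -IniText (Get-Content -Path $gptPath -Raw)
    [pscustomobject]@{
        Server     = $Server
        GpcVersion = ConvertFrom-GpoVersion -Version ([int64]$gpc.versionNumber)
        GptVersion = ConvertFrom-GpoVersion -Version $gptVer
        InSync     = ([int64]$gpc.versionNumber -eq $gptVer)
    }
}

# Constructed sample GPT.INI: user version 3, computer version 7 -> 3 * 65536 + 7 = 196615.
$sampleIni = "[General]`r`nVersion=196615`r`ndisplayName=New Group Policy Object`r`n"
ConvertFrom-GpoVersion -Version (Get-GptIniVersion -IniText $sampleIni)   # UserVersion 3, ComputerVersion 7

# Live check; run it against every DC to see which one lags:
# Compare-GpoVersion -GpoGuid '<GPO-GUID>' -Server 'dc01.lab.local'
```

Clients apply a GPO only when the GPC and GPT versions they see agree, so a DC whose SYSVOL lags behind its AD replication hands out an old GPT under a new GPC version and the policy silently does not apply there until SYSVOL catches up.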

File Replication Services (FRS)

I will try to explain this step by step. Let's say you modify Policy A on Server001; this is how the change gets replicated to Server002 (Server002 is a downstream replication partner of Server001).

Once you modify Policy A on Server001, the corresponding GPT folder in SYSVOL is updated on Server001 (the Group Policy container in Active Directory on Server001 is updated as well).

NTFS records the file and folder change in the USN journal.

FRS monitors the USN journal for changes in the SYSVOL folder.

FRS updates the inbound log on Server001. FRS not only records local changes in the inbound log; it also records the changes received from every upstream replication partner (all inbound partners).

FRS creates a file in the staging folder on Server001 by using the backup application programming interfaces (APIs), based on the change.

FRS records the change in the outbound log on Server001 and sends a change notification to every downstream replication partner (all outbound partners).

Server002 receives the change notification from Server001 and stores the change order in its inbound log. Server002 copies the staging file from Server001 to the staging folder on Server002. Server002 then updates its outbound log so that its other outbound partners can pick up the change.

Using the restore APIs, Server002 reconstructs the file or folder in the preinstall folder, and then FRS renames the file or folder into the replica tree.

In the FRS replication process the entire changed file or folder is replicated from the source to the destination server.

What is NTFS USN journal?

The USN journal logs all changes to an NTFS volume, including file creations, deletions, and modifications. There is a separate journal on each NTFS volume, and it has a size limit (128 MB on Windows Server 2003 SP2 and Windows Server 2008). If required you can increase the size up to 2 TB; Microsoft recommends increasing it by 128 MB for every 100,000 files and folders.

What happens when the NTFS USN change journal fills up?

If the USN journal fills up, NTFS overwrites the oldest entries. In some scenarios this means NTFS removes entries from the USN journal before FRS has processed the change; this is called a journal wrap.

USN journal wrap Error

An error that occurs when large numbers of files change so quickly that the USN journal must remove the oldest changes (before FRS has a chance to detect them) to stay within the specified size limit. To resolve this issue you have to perform a non-authoritative restore, also called D2.

Morphed folder

A replication conflict occurs if identically named directories are created on different servers. To resolve this conflict FRS creates a folder, and this folder is called a morphed folder.

Let's say two identical directories are created on different replication members. FRS identifies the conflict during replication, and the receiving member protects the original copy of the folder and renames (morphs) the later inbound copy. Morphed folder names have the suffix _NTFRS_xxxxxxxx, where xxxxxxxx represents eight random hexadecimal digits.
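An added example (not from the original page) covering the USN journal, journal wrap and morphed folder passages above: it looks for the FRS journal wrap event, prints the journal's configured size, finds morphed folders under SYSVOL, and shows the BurFlags registry setting behind the D2 non-authoritative restore the text mentions. It assumes a domain controller still using FRS for SYSVOL; paths are the defaults and the sample folder names are constructed.

```powershell
# Added example (not from the original page): FRS journal wrap detection, USN journal
# size, morphed folders, and the D2 (non-authoritative) restore setting. Assumes a DC
# that still replicates SYSVOL with FRS; paths are the defaults.

function Get-FrsJournalWrapEvent {
    # NtFrs writes event 13568 to the File Replication Service log when a replica set is
    # in the journal wrap state.
    param([int]$Days = 30)
    Get-WinEvent -FilterHashtable @{ LogName = 'File Replication Service'; Id = 13568; StartTime = (Get-Date).AddDays(-$Days) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

function Get-UsnJournalInfo {
    # 'Maximum Size' in the output is the size limit the text discusses.
    param([string]$Volume = 'C:')
    fsutil usn queryjournal $Volume
}

function Test-MorphedName {
    # FRS renames the losing copy of a name conflict to <name>_NTFRS_<8 hex digits>.
    param([Parameter(Mandatory)][string]$Name)
    return [bool]($Name -match '_NTFRS_[0-9A-Fa-f]{8}$')
}

function Get-MorphedFolder {
    param([string]$Path = "$env:SystemRoot\SYSVOL")
    Get-ChildItem -Path $Path -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { Test-MorphedName -Name $_.Name } |
        Select-Object FullName, LastWriteTime
}

# Constructed samples:
Test-MorphedName -Name 'Policies_NTFRS_0a1b2c3d'   # True
Test-MorphedName -Name 'Policies'                  # False

# Health checks on a DC:
# Get-FrsJournalWrapEvent
# Get-UsnJournalInfo -Volume 'C:'
# Get-MorphedFolder

# Non-authoritative (D2) restore on the affected DC: FRS sets the local SYSVOL content
# aside and re-syncs it from a partner at the next service start. 0xD4 is the
# authoritative variant and belongs on exactly one DC. reg.exe is used because the key
# name contains a '/', which the PowerShell registry provider treats as a path separator.
# reg add "HKLM\SYSTEM\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup" /v BurFlags /t REG_DWORD /d 210 /f
# Restart-Service -Name NtFrs
```

The /d value 210 is 0xD2 in decimal. Before setting it, confirm with Get-MorphedFolder which copy of a conflicting folder is the original, because the D2 restore on this DC re-syncs whatever its partner currently holds.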

Version vector join (vvjoin)

So far we have discussed SYSVOL replication between existing partners. How does SYSVOL replication work for a newly added replication partner? A newly added replication member does not have any of the updates and must build the folder structure from the beginning. This process is called vvjoin, in which a downstream partner joins with an upstream partner for the first time.

Vvjoin is a CPU-intensive operation that can affect the performance of the server and increase replication traffic.

Distributed File System (DFS)

Now we come to the point: how SYSVOL replicates using DFS Replication and how this improves replication performance. To use this feature you need the Windows Server 2008 domain functional level, which means all domain controllers must run Windows Server 2008 or later.

SYSVOL replication using DFS Replication is called DFS-Replicated SYSVOL (DFSR).

DFSR is a multi-master replication engine: changes that occur on one replication member are replicated to all other servers in the replication group.

DFSR also monitors the NTFS update sequence number (USN) journal to detect changes on the volume, and replicates a change only after the file has been closed.

Before sending or receiving a file, DFSR stages it in a staging folder.

When something changes in the SYSVOL share, FRS replicates the entire file. DFSR replicates only the changed blocks, not the entire file (similar in spirit to attribute-level Active Directory replication): it compares the source and destination files using remote differential compression (RDC), which reduces SYSVOL replication traffic.

Other differences between DFSR and FRS

DFSR and journal wraps: DFSR also monitors the NTFS change journal, but DFSR always heals itself, so there is no journal wrap error.

Morphed files and folders are handled automatically.

FRS silently fails if the volume SYSVOL resides on has less than 1 GB of free space.

DFSR replicates the changes within files and folders, not entire files and folders.

DFSR uses version vector tables to confirm changes and to resolve conflicts.

DFSR supports read-only replication on particular members, on which users cannot add or change files.

You can also make changes to the SYSVOL folder of an RODC.

DFSR does not require the version vector join (vvjoin) operation

Active Directory Replication Topology Dependencies

Active Directory replication topology has the following dependencies:

Routable IP infrastructure. The replication topology is dependent upon a routable IP infrastructure from which you can map IP subnet address ranges to site objects. This mapping generates the information that is used by client workstations to communicate with domain controllers that are close by, when there is a choice, rather than those that are located across WAN links.

DNS. The Domain Name System (DNS) resolves DNS names to IP addresses. Active Directory replication topology requires that DNS is properly designed and deployed so that domain controllers can correctly resolve the DNS names of replication partners. DNS also stores service (SRV) resource records that provide site affinity information to clients searching for domain controllers, including domain controllers that are searching for replication partners. Every domain controller registers these records so that they can be located according to site.

Net Logon service. Net Logon is required for DNS registrations.

RPC. Active Directory replication requires IP connectivity and RPC to transfer updates between replication partners within sites. RPC is required for replication between two sites containing domain controllers in the same domain, but SMTP is an alternative where RPC cannot be used and domain controllers for the same domain are all located in one site so that intersite replication of domain data is not required.

Intersite Messaging. Intersite Messaging is required for SMTP intersite replication and for site coverage calculations. If the forest functional level is Windows 2000, Intersite Messaging is also required for intersite topology generation.

There are 2 types of replication:
1. AD replication
2. SYSVOL replication

AD replication uses RPC. SYSVOL uses the DFS Replication (DFSR) service if the domain is at the 2008 functional level and all DCs run Windows Server 2008 or a higher OS version. If the domain functional level is 2003, SYSVOL uses the NT File Replication Service (NTFRS).

The File Replication service is responsible for replication of SYSVOL folders and of Distributed File System content between replica servers. It replicates whatever changes happen to SYSVOL to the replica servers. The ntdsutil command-line tool is used to monitor the replication process.

Below the 2008 R2 Forest Functional Level (FFL), the engine is the "Windows File Replication Service". After raising the FFL to at least 2008 R2 and migrating your SYSVOL folder from "File Replication Service" to "Distributed File System Replication (DFS-R)", another service will be found on the DC: DFSR, the "Distributed File System Replication service".
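The following is an added example (not a script from this document) that reports, without changing anything, which SYSVOL replication engine a domain controller is currently using: the state of the NtFrs and DFSR services, the domain functional level, the dfsrmig migration state, and the SYSVOL share path. It assumes it is run locally on a DC with administrative rights, that dfsrmig.exe is present (Windows Server 2008 and later DCs), and that the ActiveDirectory and SmbShare modules may or may not be available, in which case those fields are reported as unknown.

```powershell
# Added example (not from this document): report which SYSVOL replication
# engine a domain controller is using, without changing anything.
# Assumptions: run locally on a DC with administrative rights; dfsrmig.exe
# (present on Windows Server 2008 and later DCs) reports the migration state.
function Get-SysvolReplicationState {
    # Service state of both engines. After a completed migration only DFSR
    # should be running; NtFrs is the legacy File Replication Service.
    $frs  = Get-Service -Name NtFrs -ErrorAction SilentlyContinue
    $dfsr = Get-Service -Name DFSR  -ErrorAction SilentlyContinue
    $frsStatus  = if ($frs)  { [string]$frs.Status }  else { 'Not installed' }
    $dfsrStatus = if ($dfsr) { [string]$dfsr.Status } else { 'Not installed' }

    # dfsrmig /getglobalstate prints the domain-wide migration state:
    # Start (FRS), Prepared, Redirected, or Eliminated (DFSR only).
    $migration = 'Unknown (dfsrmig.exe not found)'
    if (Get-Command dfsrmig.exe -ErrorAction SilentlyContinue) {
        $text = (& dfsrmig.exe /getglobalstate 2>&1) -join ' '
        foreach ($state in 'Eliminated', 'Redirected', 'Prepared', 'Start') {
            if ($text -match $state) { $migration = $state; break }
        }
    }

    # Domain functional level, if the ActiveDirectory module is available.
    # DFSR for SYSVOL requires the Windows Server 2008 level, as stated above.
    $domainMode = 'Unknown (ActiveDirectory module not available)'
    try { $domainMode = [string](Get-ADDomain -ErrorAction Stop).DomainMode } catch { }

    # A DFSR-migrated SYSVOL is shared from the SYSVOL_DFSR folder.
    $sharePath = (Get-SmbShare -Name SYSVOL -ErrorAction SilentlyContinue).Path

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        DomainMode     = $domainMode
        MigrationState = $migration
        NtFrsService   = $frsStatus
        DfsrService    = $dfsrStatus
        SysvolShare    = $sharePath
        UsesDfsr       = ($migration -eq 'Eliminated') -or ($sharePath -like '*SYSVOL_DFSR*')
    }
}

Get-SysvolReplicationState | Format-List
```

A DC that still reports NtFrs running, a migration state other than Eliminated, or a share path without SYSVOL_DFSR is still depending on FRS and is exposed to the journal wrap and free-space failures described above; the output object can be collected from every DC before planning the migration.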

What is Active Directory replication?

Replication must often occur both within sites (intrasite) and between sites (intersite) to keep domain and forest data consistent among domain controllers that store the same directory partitions.

Intrasite replication (replication within a site): The KCC creates separate replication topologies to transfer Active Directory updates within a site and between all configured sites in the forest. The connections that are used for replication within sites are created automatically with no additional configuration. Intrasite replication takes advantage of LAN network speeds by providing replication as soon as changes occur, without the overhead of data compression, thus maximizing CPU efficiency. Intrasite replication connections form a ring topology with extra shortcut connections where needed to decrease latency. The fast replication of updates within sites facilitates timely updates of domain data. In deployments where large datacenters constitute hub sites for the centralization of mission-critical operations, directory consistency is critical.

Intersite replication (replication between sites): Replication between sites is made possible by user-defined site and site link objects that are created in Active Directory to represent the physical LAN and WAN network infrastructure. When Active Directory sites and site links are configured, the KCC creates an intersite topology so that replication flows between domain controllers across WAN links. Intersite replication occurs according to a site link schedule so that WAN usage can be controlled, and is compressed to reduce network bandwidth requirements. Site link settings can be managed to optimize replication routing over WAN links. The connections that are created between sites form a spanning tree for each directory partition in the forest, merging where common directory partitions can be replicated over the same connection.

What is FRS?

File Replication service (FRS) is related to Active Directory replication because it requires the Active Directory replication topology. FRS is a multimaster replication service that is used to replicate files and folders in the system volume (SYSVOL) shared folder on domain controllers and in Distributed File System (DFS) shared folders. FRS works by detecting changes to files and folders and then replicating the updated files and folders to other replica members, which are connected in a replication topology.

FRS uses the replication topology that is generated by the KCC to replicate the SYSVOL files to all domain controllers in the domain. SYSVOL files are required by all domain controllers for Active Directory to function.

What are the two protocols that are used in replication?

RPC over IP and SMTP over IP.

SMTP

Simple Mail Transfer Protocol (SMTP) is a packaging protocol that can be used as an alternative to the remote procedure call (RPC) replication transport. SMTP can be used to transport nondomain replication over IP networks in mail-message format. Where networks are not fully routed, e-mail is sometimes the only transport method available.

Replication transports provide the wire protocols that are required for data transfer. There are three levels of connectivity for replication of Active Directory information:

Uniform high-speed, synchronous RPC over IP within a site.

Point-to-point, synchronous, low-speed RPC over IP between sites.

Low-speed, asynchronous SMTP between sites.

The following rules apply to the replication transports:

Replication within a site always uses RPC over IP.

Replication between sites can use either RPC over IP or SMTP over IP.

Replication between sites over SMTP is supported for only domain controllers of different domains. Domain controllers of the same domain must replicate by using the RPC over IP transport. Therefore, replication between sites over SMTP is supported for only schema, configuration, and global catalog replication, which means that domains can span sites only when point-to-point, synchronous RPC is available between sites.

Synchronous and Asynchronous Communication

The RPC intersite and intrasite transport (RPC over IP within sites and between sites) and the SMTP intersite transport (SMTP over IP between sites only) correspond to synchronous and asynchronous communication methods, respectively. Synchronous communication favors fast, available connections, while asynchronous communication is better suited for slow or intermittent connections.

KCC: It creates the replication topology within the site.

ISTG: It creates the topology for the replication between the sites of the same domain.

Bridgehead server: These servers are responsible for receiving replication data from another site and then replicating it to the servers within their own site. Any replication originating from their site is sent to other sites by these servers only.

What is FRS?

The File Replication service (FRS) is a multi-threaded, multi-master replication engine that replaces the LMREPL (LanMan Replication) service in the 3.x/4.0 versions of Microsoft Windows NT. Windows 2000 domain controllers and servers use FRS to replicate system policy and logon scripts for Windows 2000 and earlier clients that are located in the System Volume (Sysvol). FRS can also replicate content between Windows 2000 servers hosting the same fault-tolerant Distributed File System (DFS) roots or child node replicas. In Windows 2008 and Windows 2012 Active Directory, FRS has been replaced by DFS.

What is Journal Wrap?

Journal wrap errors occur if a sufficient number of changes take place while FRS is turned off such that the last USN change that FRS recorded during shutdown no longer exists in the USN journal during startup. The risk is that changes to files and folders for FRS replicated trees may have taken place while the service was turned off, and no record of the change exists in the USN journal. To guard against data inconsistency, FRS asserts into a journal wrap state.

Port Assignments for Active Directory Replication

Service Name | UDP | TCP
LDAP | 389 | 389
LDAP (SSL) | | 636
LDAP (GC) | | 3268
Kerberos | 88 | 88
DNS | 53 | 53
SMB over IP | 445 | 445

LDAP queries start on port 3268 (the global catalog) and after that go to port 389; 636 is LDAP over SSL.

Active Directory Health Check

Note: The following commands and script are to be run from a domain controller with enterprise/domain admin privileges. You may run the individual commands one by one or run the script. The script will run all the commands listed and generate a report.

1. The replsummary operation quickly and concisely summarizes the replication state and relative health of a forest.
repadmin /replsummary

2. Synchronizes a specified domain controller with all replication partners, and reports whether the sync was successful.
repadmin /syncall /e
repadmin /syncall /APed
(A = all partitions, P = push, e = enterprise, d = distinguished name)

3. Forces the KCC on the targeted domain controller(s) to immediately recalculate its inbound replication topology.
repadmin /kcc *

4. Finds the last time your DCs were backed up, by reading the DSASignature attribute from all servers.
repadmin /showbackup *

5. Outputs all replication summary information from all DCs.
repadmin /showrepl *

6. Displays inbound replication requests that the domain controller has to issue to become consistent with its source replication partners.
repadmin /queue *

7. Lists all the domain controllers in Active Directory.
dsquery server -o rdn

8. Identifies domain controllers that are failing inbound replication or outbound replication, and summarizes the results in a report.
repadmin /replsummary

9. Displays calls that have not yet been answered, made by the specified server to other servers.
repadmin /showoutcalls *

10. Lists the topology information of all the bridgehead servers.
repadmin /bridgeheads * /verbose

11. Intersite Topology Generator report.
repadmin /istg * /verbose

12. Displays a list of failed replication events detected by the Knowledge Consistency Checker (KCC).
repadmin /failcache *

13. Lists all domains trusted by a specified domain.
repadmin /showtrust *

14. Displays the replication features for a directory partition on a domain controller.
repadmin /bind *

15. Dcdiag analyzes the state of domain controllers in a forest or enterprise and reports any problems to help in troubleshooting.
dcdiag /c /e /v

16. AD Health Check Script
This script will run all the commands mentioned in this document and generate an output/log file. This script will work under the following conditions:
DSQUERY.exe is present in C:\Windows\System32
Repadmin.exe is present in C:\Windows\System32
Dcdiag.exe is present in C:\Windows\System32
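The document describes the health check script but does not include it. The following is an added example written for this page (not the author's script) that runs the commands listed in items 1 to 15 in that order, verifies the three prerequisites first, and writes everything to one log file. It assumes it is run on a domain controller with domain admin rights, that repadmin.exe, dcdiag.exe and dsquery.exe are in %SystemRoot%\System32 as stated above, and the log path default is an assumption you can override. Note that items 2 and 3 (repadmin /syncall and /kcc) trigger replication and topology recalculation rather than only reading state, exactly as the listed commands do.

```powershell
# Added example (not the script from this document): run the repadmin,
# dsquery and dcdiag checks listed above and write their output to one log.
# Assumptions: run on a DC as a domain admin; the three tools live in
# %SystemRoot%\System32 (the page's precondition); $LogPath is a placeholder.
param(
    [string]$LogPath = (Join-Path $env:TEMP ("ADHealth-{0:yyyyMMdd-HHmm}.log" -f (Get-Date)))
)

$system32 = Join-Path $env:SystemRoot 'System32'
foreach ($tool in 'repadmin.exe', 'dcdiag.exe', 'dsquery.exe') {
    if (-not (Test-Path (Join-Path $system32 $tool))) {
        throw "Required tool not found: $tool (expected in $system32)"
    }
}

# The same checks as items 1-15 above, in the same order.
$checks = @(
    @{ Name = 'Replication summary';              Cmd = 'repadmin'; Args = '/replsummary' },
    @{ Name = 'Sync all partitions (enterprise)';  Cmd = 'repadmin'; Args = '/syncall', '/APed' },
    @{ Name = 'Recalculate KCC topology';         Cmd = 'repadmin'; Args = '/kcc', '*' },
    @{ Name = 'Last backup (DSASignature)';        Cmd = 'repadmin'; Args = '/showbackup', '*' },
    @{ Name = 'Replication status per DC';        Cmd = 'repadmin'; Args = '/showrepl', '*' },
    @{ Name = 'Pending inbound replication';       Cmd = 'repadmin'; Args = '/queue', '*' },
    @{ Name = 'Domain controllers';               Cmd = 'dsquery';  Args = 'server', '-o', 'rdn' },
    @{ Name = 'Unanswered outbound calls';         Cmd = 'repadmin'; Args = '/showoutcalls', '*' },
    @{ Name = 'Bridgehead servers';               Cmd = 'repadmin'; Args = '/bridgeheads', '*', '/verbose' },
    @{ Name = 'Intersite topology generators';    Cmd = 'repadmin'; Args = '/istg', '*', '/verbose' },
    @{ Name = 'KCC failure cache';                Cmd = 'repadmin'; Args = '/failcache', '*' },
    @{ Name = 'Trusts';                           Cmd = 'repadmin'; Args = '/showtrust', '*' },
    @{ Name = 'Replication features (bind)';      Cmd = 'repadmin'; Args = '/bind', '*' },
    @{ Name = 'DCDiag (comprehensive, verbose)';  Cmd = 'dcdiag';   Args = '/c', '/e', '/v' }
)

"AD health check started $(Get-Date -Format s) on $env:COMPUTERNAME" | Out-File -FilePath $LogPath
$failed = @()
foreach ($check in $checks) {
    $header = "`n===== $($check.Name): $($check.Cmd) $(@($check.Args) -join ' ') ====="
    $header | Out-File -FilePath $LogPath -Append
    # 2>&1 merges stderr so error text is recorded next to normal output;
    # a non-zero exit code marks the check as failed in the summary.
    & $check.Cmd @($check.Args) 2>&1 | Out-File -FilePath $LogPath -Append
    if ($LASTEXITCODE -ne 0) { $failed += $check.Name }
}

$summary = if ($failed.Count -eq 0) { 'All checks returned exit code 0' }
           else { "Checks with non-zero exit code: $($failed -join ', ')" }
"`n$summary" | Out-File -FilePath $LogPath -Append

[pscustomobject]@{ LogPath = $LogPath; FailedChecks = $failed }
```

The exit-code summary at the end is only a first filter: repadmin /replsummary and dcdiag report replication failures in their text output even when they exit successfully, so the log itself still has to be read, for example by searching it for the DC names that /replsummary lists with a non-zero fail count.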

Protocol and Port | AD and AD DS Usage | Type of traffic
TCP 25 | Replication | SMTP
TCP 42 | If using WINS in a domain trust scenario offering NetBIOS resolution | WINS
TCP 135 | Replication | RPC, EPM
TCP 137 | NetBIOS Name resolution | NetBIOS Name resolution
TCP 139 | User and Computer Authentication, Replication | DFSN, NetBIOS Session Service, NetLogon
TCP and UDP 389 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP
TCP 636 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP SSL
TCP 3268 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC
TCP 3269 | Directory, Replication, User and Computer Authentication, Group Policy, Trusts | LDAP GC SSL
TCP and UDP 88 | User and Computer Authentication, Forest Level Trusts | Kerberos
TCP and UDP 53 | User and Computer Authentication, Name Resolution, Trusts | DNS
TCP and UDP 445 | Replication, User and Computer Authentication, Group Policy, Trusts | SMB, CIFS, SMB2, DFSN, LSARPC, NbtSS, NetLogonR, SamR, SrvSvc
TCP 9389 | AD DS Web Services | SOAP
TCP 5722 | File Replication | RPC, DFSR (SYSVOL)
TCP and UDP 464 | Replication, User and Computer Authentication, Trusts | Kerberos change/set password
UDP 123 | Windows Time, Trusts | Windows Time
UDP 137 | User and Computer Authentication | NetLogon, NetBIOS Name Resolution
UDP 138 | DFS, Group Policy, NetBIOS Netlogon, Browsing | DFSN, NetLogon, NetBIOS Datagram Service
UDP 67 and UDP 2535 | DHCP (Note: DHCP is not a core AD DS service but these ports may be necessary for other functions besides DHCP, such as WDS) | DHCP, MADCAP, PXE
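The table above is most useful when it can be checked against a live firewall path. The following is an added example (not from this document) that tests TCP reachability from a member server or client to one domain controller for the TCP ports listed in the table. It assumes Test-NetConnection is available (Windows 8 / Windows Server 2012 and later) and takes the DC name as a placeholder parameter. Only TCP is tested: Test-NetConnection cannot verify the UDP ports (53, 67, 88, 123, 137, 138, 389, 464, 2535), so those are not part of the check, and the SMTP replication and WINS ports are optional because the table ties them to specific scenarios.

```powershell
# Added example (not from this document): TCP reachability check for the
# AD DS ports listed in the table above, from this host to one DC.
# Assumptions: Test-NetConnection (Windows 8/2012+); $DomainController is a
# placeholder you supply. UDP ports cannot be tested this way.
function Test-AdDsPorts {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [switch]$IncludeOptional   # TCP 25 (SMTP replication) and TCP 42 (WINS)
    )

    # TCP ports and services taken from the table above.
    $ports = @(
        @{ Port = 53;   Service = 'DNS' },
        @{ Port = 88;   Service = 'Kerberos' },
        @{ Port = 135;  Service = 'RPC endpoint mapper (replication)' },
        @{ Port = 137;  Service = 'NetBIOS name resolution' },
        @{ Port = 139;  Service = 'NetBIOS session service, NetLogon, DFSN' },
        @{ Port = 389;  Service = 'LDAP' },
        @{ Port = 445;  Service = 'SMB, NetLogon, SamR, LSARPC' },
        @{ Port = 464;  Service = 'Kerberos change/set password' },
        @{ Port = 636;  Service = 'LDAP SSL' },
        @{ Port = 3268; Service = 'LDAP global catalog' },
        @{ Port = 3269; Service = 'LDAP global catalog SSL' },
        @{ Port = 5722; Service = 'DFSR (SYSVOL) file replication' },
        @{ Port = 9389; Service = 'AD DS Web Services (SOAP)' }
    )
    if ($IncludeOptional) {
        $ports += @{ Port = 25; Service = 'SMTP replication' }
        $ports += @{ Port = 42; Service = 'WINS (domain trust NetBIOS resolution)' }
    }

    foreach ($p in $ports) {
        # -InformationLevel Quiet returns a single boolean for the TCP connect.
        $ok = Test-NetConnection -ComputerName $DomainController -Port $p.Port `
                                 -InformationLevel Quiet -WarningAction SilentlyContinue
        [pscustomobject]@{
            DomainController = $DomainController
            Port             = $p.Port
            Service          = $p.Service
            TcpReachable     = [bool]$ok
        }
    }
}

# Usage: list only the ports that are blocked between this host and the DC.
# Test-AdDsPorts -DomainController dc01.corp.example.com | Where-Object { -not $_.TcpReachable }
```

A closed 389/445/88 explains failed logons and Group Policy, while a closed 135 or 5722 between two DCs points at replication rather than authentication; run the function from both ends of a WAN link to find asymmetric firewall rules.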

If the server name is dcsA, the domain name is corp.mycompany.com, and the DC uses an IP address of 10.19.174.98, then the RR records created during the installation process will be:

dcsA.corp.mycompany.com. A 10.19.174.98
_ldap._tcp.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com
_kerberos._tcp.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com
_ldap._tcp.dc._msdcs.corp.mycompany.com. SRV 0 0 389 dcsA.corp.mycompany.com
_kerberos._tcp.dc._msdcs.corp.mycompany.com. SRV 0 0 88 dcsA.corp.mycompany.com

If you don't see these records in DNS for each DC, then you need to manually correct or add them.

The NetLogon service will register various SRV DNS records for the DC depending on what services or capabilities the system hosts. (Note: SITE is the name of a site. The name of the forest is mycompany.com. GUID is a placeholder for the actual globally unique identifier for the domain.)

_ldap._tcp.corp.mycompany.com (used for finding an LDAP server) - registered by all DCs and servers
_ldap._tcp.SITE._sites.corp.mycompany.com (used for finding an LDAP server in a particular site) - registered by all DCs
_ldap._tcp.dc._msdcs.corp.mycompany.com (used for finding a DC in a particular domain) - registered by all DCs
_ldap._tcp.SITE._sites.dc._msdcs.corp.mycompany.com (used for finding a DC in a particular domain and site) - registered by all DCs
_ldap._tcp.pdc._msdcs.corp.mycompany.com (used for finding the PDC or PDC emulator) - registered by PDCs and PDC emulators
_ldap._tcp.gc._msdcs.mycompany.com (used for finding a Global Catalog server in the forest) - registered by Global Catalog servers
_ldap._tcp.SITE._sites.gc._msdcs.mycompany.com (used for finding a Global Catalog server for a particular site) - registered by all Global Catalog servers
_gc._tcp.mycompany.com (used for finding a Global Catalog server) - registered by an LDAP server serving a GC server
_gc._tcp.SITE._sites.mycompany.com (used for finding a Global Catalog server in a particular site) - registered by an LDAP server serving a GC server
_ldap._tcp.GUID.domains._msdcs.mycompany.com (used for finding a domain using a GUID; used only if the domain name has been changed) - registered by all DCs
_kerberos._tcp.corp.mycompany.com (used for finding a Kerberos Key Distribution Center (KDC) in the domain) - registered by all servers with Kerberos
_kerberos._udp.corp.mycompany.com (used for finding a KDC in the domain using UDP) - registered by all servers with Kerberos
_kerberos._tcp.SITE._sites.corp.mycompany.com (used for finding a KDC in the domain and site) - registered by all servers with Kerberos
_kerberos._tcp.dc._msdcs.corp.mycompany.com (used for finding a KDC in the domain) - registered by all DCs with Kerberos
_kerberos._tcp.SITE._sites.dc._msdcs.corp.mycompany.com (used for finding a DC with KDC in the domain and site) - registered by all DCs with Kerberos
_kpasswd._tcp.corp.mycompany.com (used for finding a KDC that changes passwords on Kerberos in the domain) - registered by all servers with Kerberos
_kpasswd._udp.corp.mycompany.com (used for finding a KDC that changes passwords on Kerberos in the domain using UDP) - registered by all servers with Kerberos

Pointer (PTR) resource records

Pointer (PTR) resource records support the reverse lookup process, based on zones that are created and rooted in the in-addr.arpa domain. These records locate a computer by its IP address and resolve this information to the DNS domain name for that computer.

Service location (SRV) resource records

Service location (SRV) resource records are required for location of Active Directory domain controllers. Typically, you can avoid manual administration of service location (SRV) resource records when you install Active Directory Domain Services (AD DS). By default, the Active Directory Domain Services Installation Wizard attempts to locate a DNS server based on the list of preferred or alternate DNS servers, which are configured in any of its TCP/IP client properties, for any of its active network connections. If a DNS server that can accept dynamic update of the service location (SRV) resource record is contacted, the configuration process is complete. (This is also true for other resource records that are related to registering AD DS as a service in DNS.) If, during the installation, a DNS server that can accept updates for the DNS domain name that is used to name your directory is not found, the wizard can install a DNS server locally and automatically configure it with a zone to support the Active Directory domain.

Mail exchanger (MX) resource records

E-mail applications use the mail exchanger (MX) resource record to locate a mail server based on a DNS domain name in the destination address for the e-mail recipient of a message. For example, a DNS query for the name example.tailspintoys.com can be used to find a mail exchanger (MX) resource record, which makes it possible for an e-mail application to forward or exchange mail to a user with an e-mail address in the example.tailspintoys.com domain. The mail exchanger (MX) resource record shows the DNS domain name for the computer or computers that process mail for a domain. If multiple mail exchanger (MX) resource records exist, the DNS Client service attempts to contact mail servers in the order of preference from lowest value (highest priority) to highest value (lowest priority). The following example shows the basic syntax of a mail exchanger (MX) resource record:

Alias (CNAME) resource records

Alias (CNAME) resource records are also sometimes called canonical name resource records. With these records, you can use more than one name to point to a single host, which makes it easy to do such things as host both a File Transfer Protocol (FTP) server and a Web server on the same computer. For example, the well-known server names (ftp, www) are registered with alias (CNAME) resource records that map to the DNS host name (such as server-1) for the server computer that hosts these services.

We recommend alias (CNAME) resource records for the following scenarios:
When a host that is specified in a host (A) resource record in the same zone must be renamed
When a generic name for a well-known server, such as www, must resolve to a group of individual computers (each with individual host (A) resource records) that provide the same service, for example, in a group of redundant Web servers

Host (A) resource records

You use host (A) resource records in a zone to associate DNS domain names of computers (or hosts) to their IP addresses. You can add them to a zone in several ways:
You can manually create a host (A) resource record for a static TCP/IP client computer by using DNS Manager.
Windows clients and servers use the DNS Client service to dynamically register and update their own host (A) resource records in DNS when an IP configuration change occurs.
Dynamic Host Configuration Protocol (DHCP)-enabled client computers running earlier versions of Microsoft operating systems can have their host (A) resource records registered and updated by proxy if they obtain their IP lease from a qualified DHCP server. (Only the Windows 2000, Windows Server 2003, and Windows Server 2008 DHCP Server service support this feature.)

Stub zone

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces.

Required DNS Records

Mnemonic | Type | DNS Record | Requirements
Pdc | SRV | _ldap._tcp.pdc._msdcs. | One per domain
GC | SRV | _ldap._tcp.gc._msdcs. | At least one per forest
GcIpAddress | A | _gc._msdcs. | At least one per forest
DsaCname | CNAME | ._msdcs. | One per domain controller
Kdc | SRV | _kerberos._tcp.dc._msdcs. | At least one per domain
Dc | SRV | _ldap._tcp.dc._msdcs. | At least one per domain
 | A | | One per domain controller (domain controllers that have multiple IP addresses can have more than one A resource record)
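The SRV record list and the required-records table above describe what should exist in DNS; missing or stale locator records are the usual cause of the "if you don't see these records in DNS for each DC" situation. The following is an added example (not from this document) that resolves the required SRV records for a domain, forest and optionally a site, and reports whether each exists, which DCs it points to, and whether any entry advertises an unexpected port. It assumes Resolve-DnsName (DnsClient module, Windows 8 / Windows Server 2012 and later) and takes the domain, forest and site names as placeholder parameters; the GcIpAddress A record and the DsaCname CNAME record from the table are not checked because their full names depend on the forest and the DC GUID.

```powershell
# Added example (not from this document): verify the DC locator SRV records
# listed above exist and point at DCs on the expected port.
# Assumptions: Resolve-DnsName (Windows 8/2012+); the domain, forest and
# site names are placeholders supplied by the caller.
function Test-DcLocatorRecords {
    param(
        [Parameter(Mandatory)][string]$DomainName,   # e.g. corp.mycompany.com
        [Parameter(Mandatory)][string]$ForestName,   # e.g. mycompany.com
        [string]$SiteName                            # optional: adds the SITE._sites records
    )

    # Record names from the lists above, with the port each SRV should carry
    # (389 LDAP, 88 Kerberos, 3268 global catalog, 464 kpasswd).
    $required = @(
        @{ Mnemonic = 'Pdc';      Name = "_ldap._tcp.pdc._msdcs.$DomainName";    Port = 389 },
        @{ Mnemonic = 'Dc';       Name = "_ldap._tcp.dc._msdcs.$DomainName";     Port = 389 },
        @{ Mnemonic = 'Kdc';      Name = "_kerberos._tcp.dc._msdcs.$DomainName"; Port = 88 },
        @{ Mnemonic = 'GC';       Name = "_ldap._tcp.gc._msdcs.$ForestName";     Port = 3268 },
        @{ Mnemonic = 'Ldap';     Name = "_ldap._tcp.$DomainName";               Port = 389 },
        @{ Mnemonic = 'Kerberos'; Name = "_kerberos._tcp.$DomainName";           Port = 88 },
        @{ Mnemonic = 'Kpasswd';  Name = "_kpasswd._tcp.$DomainName";            Port = 464 }
    )
    if ($SiteName) {
        $required += @{ Mnemonic = 'Dc (site)';  Name = "_ldap._tcp.$SiteName._sites.dc._msdcs.$DomainName";     Port = 389 }
        $required += @{ Mnemonic = 'Kdc (site)'; Name = "_kerberos._tcp.$SiteName._sites.dc._msdcs.$DomainName"; Port = 88 }
        $required += @{ Mnemonic = 'GC (site)';  Name = "_ldap._tcp.$SiteName._sites.gc._msdcs.$ForestName";     Port = 3268 }
    }

    foreach ($r in $required) {
        try {
            # Keep only the SRV answers; Resolve-DnsName also returns the
            # additional-section A records for the targets.
            $srv = @(Resolve-DnsName -Name $r.Name -Type SRV -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'SRV' })
        } catch {
            $srv = @()
        }
        $targets   = @($srv | ForEach-Object { $_.NameTarget })
        $wrongPort = @($srv | Where-Object { $_.Port -ne $r.Port })

        [pscustomobject]@{
            Mnemonic       = $r.Mnemonic
            Record         = $r.Name
            Found          = ($targets.Count -gt 0)
            TargetCount    = $targets.Count
            Targets        = ($targets -join ', ')
            UnexpectedPort = ($wrongPort.Count -gt 0)
        }
    }
}

# Usage: show only records that are missing or advertise a wrong port.
# Test-DcLocatorRecords -DomainName corp.mycompany.com -ForestName mycompany.com -SiteName HQ |
#     Where-Object { -not $_.Found -or $_.UnexpectedPort }
```

Comparing the Targets column against the output of dsquery server also catches the opposite problem: a decommissioned DC whose SRV records were never scavenged and still attracts clients and replication partners.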

Adprep-Related Errors

Adprep is a utility that you run to prepare an existing Active Directory (AD) environment for the first DC that runs a newer OS, such as Server 2008 R2. If you have an AD environment in which all DCs run Server 2008 or Windows 2003, and you want to add the first DC that runs Server 2008 R2, then you need to run certain Adprep commands:
1. Run adprep /forestprep on the schema master.
2. Run adprep /domainprep on each domain's infrastructure master.
3. If you plan to install a read-only DC (RODC, new in Server 2008), then you also need to run adprep /rodcprep for every domain that will have an RODC.
4. adprep32 /domainprep /gpprep

Primary domain controller (PDC) is down

The primary domain controller (PDC) in a Windows NT 3.51 or Windows NT 4.0 domain is responsible for the following:
Processing password changes from both users and computers
Replicating updates to backup domain controllers
Running the Domain Master Browser

If you don't have a PDC Emulator role, users won't be able to change their domain passwords.

"Directory Service Access (DSAccess) is an internal component in Exchange 2010 Server, in Exchange Server 2007, in Exchange Server 2003, and in Exchange Server 2000 that controls how all Exchange Server components access Active Directory. The primary function of DSAccess is to maintain information about various directory-related events and operations. For example, DSAccess discovers the Active Directory topology and detects if domain controllers and global catalog servers are available and responding to queries."

The RID master helps to create unique GUIDs for new Objects and the infrastructure master updates references from objects to objects in other domains.

PDC Emulator

Of the 5 roles, this is the role that you will miss the soonest. Not only will NT 4.0 BDCs complain, but also there will be no time synchronization. Another problem is that you probably will not be able to change or troubleshoot group policies, as the default setting is for the PDC emulator also to be the group policy master.

Implications for duplicates: If the old PDC emulator returns, it is not as serious as duplicates with some of the other roles. Quickly seize the PDC role from another machine.

RID Master

One Domain Controller is responsible for giving all the rest of the Domain Controllers a pack of unique numbers so that no two new objects have the same GUID (Globally Unique Identifier). If you lose the RID master, the chances are good that the existing Domain Controllers will have enough unused RIDs to last a week or so, so do not be in a hurry to seize.

Implications for duplicates: You must not allow two RID masters, as the possibility of two objects with the same RID would be disastrous. So if the original is found, it must be reformatted and reinstalled before re-joining the forest.

Infrastructure Master

The consequence of a missing Infrastructure master is that group memberships may be incomplete. If you only have one domain, then there will be no impact, as the Infrastructure Master is responsible for updating your users' membership in other domains in the forest.

Implications for duplicates: No damage occurs if the old Infrastructure master returns; just check the roles and decide which machine should hold the role.

Forest Wide Roles

Schema Master

If you lose the Schema Master, then long term it is serious because you cannot install Exchange 2003 or extend the schema. However, short term no-one will notice a missing Schema Master, so try to repair the old one rather than seize the role.

Implications for duplicates: You must not allow two Schema Masters, so if the original is found or repaire

