Windows Ad DNS Fsmo Gpo

Date post: 08-Apr-2018
Upload: mohan-thakur
  • 8/7/2019 Windows Ad DNS Fsmo Gpo

    1/34

ACTIVE DIRECTORY DNS FSMO GROUP POLICY

What Is Active Directory?

Active Directory consists of a series of components that constitute both its logical structure and its physical structure. It provides a way for organizations to centrally manage and store their user objects, computer objects, group membership, and define security boundaries in a logical database structure.

Purpose of Active Directory

Active Directory stores information about users, computers, and network resources and makes the resources accessible to users and applications. It provides a consistent way to name, describe, locate, access, manage, and secure information about these resources.

Functions of Active Directory

Active Directory provides the following functions:

Centralizes control of network resources: By centralizing control of resources such as servers, shared files, and printers, only authorized users can access resources in Active Directory.

Centralizes and decentralizes resource management: Administrators have centralized administration with the ability to delegate administration of subsets of the network to a limited number of individuals, giving them greater granularity in resource management.

Stores objects securely in a logical structure: Active Directory stores all of the resources as objects in a secure, hierarchical logical structure.

Optimizes network traffic: The physical structure of Active Directory enables you to use network bandwidth more efficiently. For example, it ensures that, when users log on to the network, the authentication authority that is nearest to the user authenticates them, reducing the amount of network traffic.

Sites within Active Directory

Sites are defined as groups of well-connected computers. When you establish sites, domain controllers within a single site communicate frequently. This communication minimizes the latency within the site; that is, the time required for a change that is made on one domain controller to be replicated to other domain controllers. You create sites to optimize the use of bandwidth between domain controllers that are in different locations.

Operations Master Roles

When a change is made to a domain, the change is replicated across all of the domain controllers in the domain. Some changes, such as those made to the schema, are replicated across all of the domains in the forest. This replication is called multimaster replication.

During multimaster replication, a replication conflict can occur if originating updates are performed concurrently on the same object attribute on two domain controllers. To avoid replication conflicts, Active Directory uses single master replication, which designates one domain controller as the only domain controller on which certain directory changes can be made. This way, changes cannot occur at different places in the network at the same time. Active Directory uses single master replication for important changes, such as the addition of a new domain or a change to the forest-wide schema.


Operations that use single-master replication are arranged together in specific roles in a forest or domain. These roles are called operations master roles. For each operations master role, only the domain controller that holds that role can make the associated directory changes. The domain controller that is responsible for a particular role is called an operations master for that role. Active Directory stores information about which domain controller holds a specific role.

Forest-wide Roles

Forest-wide roles are unique to a forest. The forest-wide roles are:

Schema master: Controls all updates to the schema. The schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as users, computers, and printers.

Domain naming master: Controls the addition or removal of domains in the forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain.

There is only one schema master and one domain naming master in the entire forest.

Domain-wide Roles

Domain-wide roles are unique to each domain in a forest. The domain-wide roles are:

Primary domain controller emulator (PDC): Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Microsoft Windows NT within a mixed-mode domain. This type of domain has domain controllers that run Windows NT 4.0. The PDC emulator is the first domain controller that you create in a new domain.

Relative identifier master (RID): When a new object is created, the domain controller creates a new security principal that represents the object and assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which is unique for each security principal created in the domain. The RID master allocates blocks of RIDs to each domain controller in the domain. The domain controller then assigns a RID to objects that are created from its allocated block of RIDs.

Infrastructure master: When objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain. The object reference contains the object's globally unique identifier (GUID), distinguished name, and SID. Active Directory periodically updates the distinguished name and the SID on the object reference to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object.

The global catalog contains:

The attributes that are most frequently used in queries, such as a user's first name, last name, and logon name.

The information that is necessary to determine the location of any object in the directory.

The access permissions for each object and attribute that is stored in the global catalog. If you search for an object that you do not have the appropriate permissions to view, the object will not appear in the search results. Access permissions ensure that users can find only objects to which they have been assigned access.
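The RID master paragraph above describes a single-master allocation scheme: one DC hands out non-overlapping RID blocks, every DC then stamps new principals from its own block, and the domain SID is shared by all of them. The following is an added example (not code from the document) that models that scheme so the SID layout and the block hand-off can be seen end to end. The domain SID, the block size of 500, the starting RID of 1000 and the DC names are all constructed assumptions.

```python
"""Added example, not from the document: a small model of the RID master's
single-master job. A domain SID plus a RID drawn from a block the RID master
handed to a DC gives the SID of a new security principal. Every value here
(domain SID, pool size, DC names) is a constructed assumption."""
from __future__ import annotations

from dataclasses import dataclass, field

DOMAIN_SID = "S-1-5-21-1111111111-2222222222-3333333333"  # constructed
RID_POOL_SIZE = 500        # assumed block size handed out per request
FIRST_FREE_RID = 1000      # RIDs below this are reserved for well-known accounts


@dataclass
class RidMaster:
    """The one DC per domain allowed to carve out RID blocks."""
    next_rid: int = FIRST_FREE_RID
    issued: dict[str, list[tuple[int, int]]] = field(default_factory=dict)

    def allocate_block(self, dc_name: str) -> tuple[int, int]:
        lo, hi = self.next_rid, self.next_rid + RID_POOL_SIZE - 1
        self.next_rid = hi + 1           # blocks never overlap, so RIDs stay unique
        self.issued.setdefault(dc_name, []).append((lo, hi))
        return lo, hi


@dataclass
class DomainController:
    """Any DC: creates principals from its own block, asks the master for more."""
    name: str
    master: RidMaster
    pool_lo: int = 0
    pool_hi: int = -1                    # empty pool until the first allocation

    def create_principal(self, sam_account_name: str) -> str:
        # The account name never influences the SID; only the domain SID and RID do.
        if self.pool_lo > self.pool_hi:  # pool exhausted: needs the RID master
            self.pool_lo, self.pool_hi = self.master.allocate_block(self.name)
        rid, self.pool_lo = self.pool_lo, self.pool_lo + 1
        return f"{DOMAIN_SID}-{rid}"


def split_sid(sid: str) -> tuple[str, int]:
    """Separate the domain SID (shared by all principals) from the RID."""
    domain_part, _, rid = sid.rpartition("-")
    return domain_part, int(rid)


def rids_unique(sids: list[str]) -> bool:
    """Check that no two SIDs share a RID, which the block scheme guarantees."""
    rids = [split_sid(s)[1] for s in sids]
    return len(rids) == len(set(rids))


def simulate(creates_per_dc: int = 3) -> list[str]:
    """Two DCs create principals in turn; neither contacts the master per object."""
    master = RidMaster()
    dcs = [DomainController("DC1", master), DomainController("DC2", master)]
    sids = []
    for i in range(creates_per_dc):
        for dc in dcs:
            sids.append(dc.create_principal(f"user{i}-{dc.name}"))
    return sids


if __name__ == "__main__":
    for sid in simulate():
        print(sid, split_sid(sid))
```

The model also shows the operational dependency the text implies: a DC only contacts the RID master when its block runs out, so an unavailable RID master is invisible until a DC needs a new block, at which point that DC can no longer create principals.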


A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. Taking a user object as an example, it would by default have many different attributes such as first name, last name, phone number, and many more. The GC will by default only store the most common of those attributes that would be used in search operations (such as a user's first and last names, or login name, for example). The partial attributes that it has for that object would be enough to allow a search for that object to be able to locate the full replica of the object in Active Directory. This allows searches to be done against a local GC, and reduces network traffic over the WAN in an attempt to locate objects somewhere else in the network.

Domain controllers always contain the full attribute list for objects belonging to their domain. If the domain controller is also a GC, it will also contain a partial replica of objects from all other domains in the forest.

Active Directory uses DNS as the name resolution service to identify domains and domain host computers during processes such as logging on to the network.

Similar to the way a Windows NT 4.0 client will query WINS for a NetBIOS DOMAIN[1B] record to locate a PDC, or a NetBIOS DOMAIN[1C] record for domain controllers, a Windows 2000, 2003, or Windows XP client can query DNS to find a domain controller by looking for SRV records.

Integration of DNS and Active Directory

The integration of DNS and Active Directory is essential because a client computer in a Windows 2000 network must be able to locate a domain controller so that users can log on to a domain or use the services that Active Directory provides. Clients locate domain controllers and services by using A resource records and SRV records. The A resource record contains the FQDN and IP address for the domain controller. The SRV record contains the FQDN of the domain controller and the name of the service that the domain controller provides.

What Are Active Directory Integrated Zones?

One benefit of integrating DNS and Active Directory is the ability to integrate DNS zones into an Active Directory database. A zone is a portion of the domain namespace that has a logical grouping of resource records, which allows zone transfers of these records to operate as one unit.

Active Directory Integrated Zones

Microsoft DNS servers store information that is used to resolve host names to IP addresses and IP addresses to host names in a database file that has the extension .dns for each zone.

Active Directory integrated zones are primary zones that are stored as objects in the Active Directory database. If zone objects are stored in an Active Directory domain partition, they are replicated to all domain controllers in the domain.

What Are DNS Zones?

A zone starts as a storage database for a single DNS domain name. If other domains are added below the domain used to create the zone, these domains can either be part of the same zone or belong to another zone. Once a subdomain is added, it can then either be:

Managed and included as part of the original zone records, or

Delegated away to another zone created to support the subdomain


    Types of Zones

    There are two types of zones, forward lookup and reverse lookup. Forward lookup zonescontain information needed to resolve names within the DNS domain. They must include SOAand NS records and can include any type of resource record except the PTR resource record.Reverse lookup zones contain information needed to perform reverse lookups. They usuallyinclude SOA, NS, PTR, and CNAME records.

    With most queries, the client supplies a name and requests the IP address that correspondsto that name. This type of query is typically described as a forward lookup. Active Directory

    requires forward lookup zones.

    However, what if a client already has a computer's IP address and wants to determine theDNS name for the computer? This is important for programs that implement security based onthe connecting FQDN, and is used for TCP/IP network troubleshooting. The DNS standardprovides for this possibility through reverse lookups.

    Once you have installed Active Directory, you have two options for storing your zones whenoperating the DNS server at the new domain controller:

    Standard Zone

    Zones stored this way are located in .dns text files that are stored in the %SystemRoot

    %\System32\Dns folder on each computer operating a DNS server. Zone file namescorrespond to the name you choose for the zone when creating it, such asExample.microsoft.com.dns if the zone name was example.microsoft.com .

    This type offers the choice of using either a Standard Primary zone or a Standard Secondaryzone.

    Standard Primary Zone

    For standard primary-type zones, only a single DNS server can host and load the master copyof the zone. If you create a zone and keep it as a standard primary zone, no additional primaryservers for the zone are permitted. Only one server is allowed to accept dynamic updates,also known as DDNS, and process zone changes. The standard primary model implies asingle point of failure.

    Standard Secondary Zone

    A secondary name server gets the data for its zones from another name server (either aprimary name server or another secondary name server) for that zone across the network.The data in a Secondary zone is Read only, and updated information must come fromadditional zone transfers. The process of obtaining this zone information (i.e., the databasefile) across the network is referred to as a zone transfer. Zone transfers occur over TCP port53.

    Secondary servers can provide a means to offload DNS query traffic in areas of the networkwhere a zone is heavily queried and used. Additionally, if a primary server is down, asecondary server can provide some name resolution in the zone until the primary server is

    available.

    Note A Standard Primary zone will not replicate its information to any other DNS servers, butmay allow zone transfers to Secondary zones. Win2003 also supports stub zones. Asecondary or stub zone cannot be hosted on a DNS server that hosts a primary zone for thesame domain name.


Directory-integrated Zone

Zones stored this way are located in the Active Directory tree under the domain object container. Each directory-integrated zone is stored in a dnsZone container object identified by the name you choose for the zone when creating it. Active Directory integrated zones will replicate this information to other domain controllers in that domain.

Note: If DNS is running on a Windows 2000 server that is not a domain controller, it will not be able to use Active Directory integrated zones, or replicate with other domain controllers, since it does not have Active Directory installed.

DNS Records

After you create a zone, additional resource records need to be added to it. The most common resource records (RRs) to be added are:

Table 1. Record Types

Name                    Description
Host (A)                For mapping a DNS domain name to an IP address used by a computer.
Alias (CNAME)           For mapping an alias DNS domain name to another primary or canonical name.
Mail Exchanger (MX)     For mapping a DNS domain name to the name of a computer that exchanges or forwards mail.
Pointer (PTR)           For mapping a reverse DNS domain name, based on the IP address of a computer, that points to the forward DNS domain name of that computer.
Service location (SRV)  For mapping a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.

Other resource records as needed.
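Both the DC locator passage above (clients find a domain controller through SRV records and then its A record) and Table 1 (the record types a zone carries, including PTR records for the reverse zone) are easier to see on real data. The following is an added example, not code from the document: it parses a constructed zone written in a simplified BIND-style text form (not an actual .dns file), follows CNAME chains to A records, builds the _ldap._tcp SRV names under _msdcs that a locator queries (site-specific first, then domain-wide), orders the answers by SRV priority and weight, and derives the PTR records a reverse lookup zone would need. All names, addresses and site names are constructed.

```python
"""Added example, not from the document: parse a constructed zone in a
simplified BIND-style text form (not a real .dns file), answer forward and
reverse lookups from it, and locate domain controllers the way a DC locator
does, through _ldap._tcp SRV records under _msdcs. Names, addresses and
sites are constructed."""
import ipaddress
from dataclasses import dataclass

ZONE_TEXT = """
; constructed sample zone for example.com
example.com.       IN SOA   dc1.example.com. hostmaster.example.com. 1 3600 600 86400 3600
example.com.       IN NS    dc1.example.com.
dc1.example.com.   IN A     10.1.0.10
dc2.example.com.   IN A     10.2.0.10
mail.example.com.  IN A     10.1.0.25
www.example.com.   IN CNAME dc2.example.com.
example.com.       IN MX    10 mail.example.com.
_ldap._tcp.dc._msdcs.example.com.               IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.dc._msdcs.example.com.               IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.HQ._sites.dc._msdcs.example.com.     IN SRV 0 100 389 dc1.example.com.
_ldap._tcp.Branch._sites.dc._msdcs.example.com. IN SRV 0 100 389 dc2.example.com.
_ldap._tcp.Branch._sites.dc._msdcs.example.com. IN SRV 10 100 389 dc1.example.com.
"""


@dataclass(frozen=True)
class Record:
    owner: str   # normalized: lowercase, no trailing dot
    rtype: str   # A, CNAME, MX, PTR, SRV, SOA, NS
    rdata: str   # remaining fields joined with single spaces


def norm(name: str) -> str:
    return name.rstrip(".").lower()


def parse_zone(text: str) -> list[Record]:
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()          # drop comments and blank lines
        if not line:
            continue
        owner, cls, rtype, *rdata = line.split()
        if cls.upper() != "IN":
            raise ValueError(f"unsupported class in line: {line}")
        records.append(Record(norm(owner), rtype.upper(), " ".join(rdata)))
    return records


def lookup(records, name, rtype):
    name = norm(name)
    return [r.rdata for r in records if r.owner == name and r.rtype == rtype]


def resolve_a(records, name, max_hops=8):
    """Follow a CNAME chain to an A record; None if the name does not resolve."""
    name = norm(name)
    for _ in range(max_hops):
        addrs = lookup(records, name, "A")
        if addrs:
            return addrs[0]
        cnames = lookup(records, name, "CNAME")
        if not cnames:
            return None
        name = norm(cnames[0])
    return None                                    # loop or chain too long


def dc_srv_name(domain, site=None):
    """SRV owner a client asks for: site-specific when it knows its site."""
    domain = norm(domain)
    if site:
        return f"_ldap._tcp.{site.lower()}._sites.dc._msdcs.{domain}"
    return f"_ldap._tcp.dc._msdcs.{domain}"


def locate_dcs(records, domain, site=None):
    """Return [(dc fqdn, ip)] in the order a client should try them."""
    srvs = lookup(records, dc_srv_name(domain, site), "SRV") if site else []
    if not srvs:                                   # unknown site: domain-wide list
        srvs = lookup(records, dc_srv_name(domain), "SRV")
    parsed = []
    for rdata in srvs:
        prio, weight, port, target = rdata.split()
        parsed.append((int(prio), -int(weight), norm(target)))
    parsed.sort()                                  # lowest priority, then highest weight
    return [(t, resolve_a(records, t)) for _, _, t in parsed]


def reverse_name(ip):
    """Owner name of the PTR record for an address (in-addr.arpa form)."""
    return ipaddress.ip_address(ip).reverse_pointer


def build_reverse_records(records):
    """PTR records a reverse lookup zone would hold for every A record."""
    return [Record(reverse_name(r.rdata), "PTR", r.owner)
            for r in records if r.rtype == "A"]


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    print(locate_dcs(recs, "example.com", "Branch"))
    print(build_reverse_records(recs))
```

The site-specific query is what keeps logon traffic local, as the earlier section on sites describes; the example falls back to the domain-wide SRV name when a site has no records, which is also why a missing or stale `_sites` record quietly sends clients across the WAN rather than failing.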

Q1. What does the logical component of the Active Directory structure include?

Objects
Resources are stored in the Active Directory as objects. Sub category: object class. An object is really just a collection of attributes. A user object, for example, is made up of attributes such as name, password, phone number, group membership, and so on. The attributes that make up an object are defined by an object class. The user class, for example, specifies the attributes that make up the user object.

The Active Directory Schema
The classes and the attributes that they define are collectively referred to as the Active Directory Schema. In database terms, a schema is the structure of the tables and fields and how they are related to one another. You can think of the Active Directory Schema as a collection of data (object classes) that defines how the real data of the directory (the attributes of an object) is organized and stored.

Domains
The basic organizational structure of the Windows Server 2003 networking model is the domain. A domain represents an administrative boundary. The computers, users, and other objects within a domain share a common security database.

Trees
Multiple domains are organized into a hierarchical structure called a tree. Actually, even if you have only one domain in your organization, you still have a tree. The first domain you create in a tree is called the root domain. The next domain that you add becomes a child domain of that root. This expandability of domains makes it possible to have many domains in a tree. Figure 1-1 shows an example of a tree. Microsoft.com was the first domain created in Active Directory in this example and is therefore the root domain.

Figure 1-1 A tree is a hierarchical organization of multiple domains.

All domains in a tree share a common schema and a contiguous namespace. In the example shown in Figure 1-1, all of the domains in the tree under the microsoft.com root domain share the namespace microsoft.com. Using a single tree is fine if your organization is confined within a single DNS namespace. However, for organizations that use multiple DNS namespaces, your model must be able to expand outside the boundaries of a single tree. This is where the forest comes in.

Forest
A forest is a group of one or more domain trees that do not form a contiguous namespace but may share a common schema and global catalog. There is always at least one forest on a network, and it is created when the first Active Directory-enabled computer (domain controller) on a network is installed. This first domain in a forest, called the forest root domain, is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy.

Figure 1-2 shows an example of a forest with two trees. Each tree in the forest has its own namespace. In the figure, microsoft.com is one tree and contoso.com is a second tree. Both are in a forest named microsoft.com (after the first domain created).

[Figures 1-1 and 1-2, diagram labels only: the microsoft.com tree with root domain Microsoft.com (root domain of the microsoft.com forest and tree) and child domains sales.microsoft.co, RND.Microsoft.com, West.Microsoft.com and East.Microsoft.com; the Contoso.com tree with root domain Contoso.com and child domains West.contoso.com and East.contoso.com.]


Figure 1-2 Trees in a forest share the same schema, but not the same namespace.

A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest. However, you can create multiple forests and then create trust relationships between specific domains in those forests; this would let you grant access to resources and accounts that are outside of a particular forest.

Organizational Units
Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain. OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically, the structure of OUs follows an organization's business or functional structure. For example, a relatively small organization with a single domain might create separate OUs for departments within the organization.

Q2. What does the physical structure of Active Directory contain?
Physical structures include domain controllers and sites.

Q3. What is nesting?
The creation of an OU inside another OU. Important: once you go beyond about 12 OUs deep in a nesting structure, you start running into significant performance issues.

Q4. What is a trust relationship and how many types of trust relationship are there in Exchange 2003?
Since domains represent security boundaries, special mechanisms called trust relationships allow objects in one domain (called the trusted domain) to access resources in another domain (called the trusting domain). Windows Server 2003 supports six types of trust relationships:
Parent and child trusts
Tree-root trusts
External trusts
Shortcut trusts
Realm trusts
Forest trusts

Q5. What is a site?
A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you'll likely create one site for each LAN.

Q6. What is the use of a site?
Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on network traffic. More specifically, sites are used to control the following:
Workstation logon traffic
Replication traffic
Distributed File System (DFS)

Distributed File System (DFS) is a server component that provides a unified naming convention for folders and files stored on different servers on a network. DFS lets you create a single logical hierarchy for folders and files that is consistent on a network, regardless of where on the network those items are actually stored. Files represented in the DFS might be stored in multiple locations on the network, so it makes sense that Active Directory should be able to direct users to the closest physical location of the data they need. To this end, DFS uses site information to direct a client to the server that is hosting the requested data within the site. If DFS does not find a copy of the data within the same site as the client, DFS uses the site information in Active Directory to determine which file server that has DFS shared data is closest to the client.

File Replication Service (FRS)
Every domain controller has a built-in collection of folders named SYSVOL (for System Volume). The SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects, startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders between domain controllers. FRS uses site boundaries to govern the replication of items in the SYSVOL folders.

Q7. What are the objects a site contains?
Sites contain only two types of objects. The first type is the domain controllers contained in the site. The second type of object is the site links configured to connect the site to other sites.

Q8. What is a site link?
Within a site, replication happens automatically. For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur.
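Q5 says a site is defined by IP subnets, and Q8 says site link objects decide how intersite replication is carried. The following is an added example, not code from the document, that puts both on data: it maps a client address to its site by longest-prefix match over constructed subnet objects, then finds the lowest-cost path between two sites over constructed site links and reports the largest replication interval along that path. The subnets, site names, link costs and intervals are all assumptions, and the path search is a plain lowest-cost search used for illustration, not the KCC's own algorithm.

```python
"""Added example, not from the document: two things a site design decides.
First, which site a client belongs to, from the subnet objects that map IP
ranges to sites (Q5). Second, which route intersite replication takes, from
the cost on each site link object (Q8). All subnets, sites and link costs are
constructed; the algorithm is a plain lowest-cost path, not the KCC itself."""
import heapq
import ipaddress

SUBNETS = {                       # constructed subnet objects: prefix -> site
    "10.1.0.0/16": "HQ",
    "10.1.200.0/24": "HQ-Lab",    # more specific prefix inside HQ
    "10.2.0.0/16": "Branch",
    "10.3.0.0/16": "Remote",
}

SITE_LINKS = [                    # constructed site link objects
    # (name, sites joined, cost, replication interval in minutes)
    ("HQ-Branch", {"HQ", "Branch"}, 100, 15),
    ("HQ-Remote", {"HQ", "Remote"}, 500, 180),
    ("Branch-Remote", {"Branch", "Remote"}, 100, 60),
    ("HQ-Lab", {"HQ", "HQ-Lab"}, 10, 15),
]


def site_for_ip(ip, subnets=SUBNETS):
    """Longest-prefix match: the most specific subnet object wins."""
    addr = ipaddress.ip_address(ip)
    best_net, best_site = None, None
    for prefix, site in subnets.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_site = net, site
    return best_site              # None when no subnet object covers the address


def cheapest_route(src, dst, links=SITE_LINKS):
    """Lowest-cost path over site links; returns (total cost, [sites on path])."""
    graph = {}
    for _, sites, cost, _ in links:
        a, b = sorted(sites)
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    heap = [(0, src, [src])]
    seen = set()
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == dst:
            return cost, path
        if site in seen:
            continue
        seen.add(site)
        for nxt, c in graph.get(site, []):
            if nxt not in seen:
                heapq.heappush(heap, (cost + c, nxt, path + [nxt]))
    return None                   # sites not connected by any link


def longest_interval(path, links=SITE_LINKS):
    """Largest replication interval on the path: a floor on end-to-end delay."""
    worst = 0
    for a, b in zip(path, path[1:]):
        for _, sites, _, interval in links:
            if sites == {a, b}:
                worst = max(worst, interval)
    return worst


if __name__ == "__main__":
    print(site_for_ip("10.1.200.7"))
    cost, path = cheapest_route("HQ", "Remote")
    print(cost, path, longest_interval(path))
```

A client whose address matches no subnet object gets `None` here; in a real deployment such a client has no site affinity and will be served by whatever DC the domain-wide records return, which is the usual cause of logons crossing the WAN.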

Q9. Explain replication in Active Directory.
Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller and the changes will be replicated to other domain controllers in the domain. Domain controllers in the same site replicate on the basis of notification. When changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule.

You should create additional sites when you need to control how replication traffic occurs over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are connected to one another with a slow (256K) WAN link. You would want replication traffic to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher priority network traffic. To address this situation, you would set up two sites: one site that contained all the domain controllers on the main LAN and one site that contained all the domain controllers on the remote LAN.

Q10. What are the different types of replication?
Replication within a single site (called intrasite replication) and replication between sites (called intersite replication).

Intrasite Replication
Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.

Intersite Replication
Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes), but it increases the server load because compression/decompression is added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization. For example, you may decide to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11. What is LDAP?
LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server. An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q12. What types of naming convention does Active Directory use?
Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

Relative Distinguished Names
The relative distinguished name (RDN) of an object identifies an object uniquely, but only within its parent container. Thus the name uniquely identifies the object relative to the other objects within the same container. In the example

CN=wjglenn,CN=Users,DC=contoso,DC=com,

the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the parent organizational unit is Users. For most objects, the relative distinguished name of an object is the same as that object's Common Name attribute. Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container. The notations used in the relative distinguished name (and in the distinguished name discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used include:
DC: The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.
OU: The Organizational Unit (OU) tag identifies an organizational unit container.
CN: The Common Name (CN) tag identifies the common name configured for an Active Directory object.

Distinguished Names
Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself, but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object. An example of a typical distinguished name would be:

CN=wjglenn,CN=Users,DC=contoso,DC=com.

This distinguished name would indicate that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object's placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.

User Principal Names
The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It's best, however, to formulate a naming convention that avoids duplicate user principal names.


Canonical Names
An object's canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name:

contoso.com/Users/wjglenn.

As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g., CN and DC).
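The RDN, DN and canonical name sections above define each form in terms of the others: the RDN is the first component, the DN is the RDN followed by every parent's RDN, the canonical name is the same path reversed, joined with slashes and stripped of attribute tags, and moving an object rewrites everything but its RDN. The following is an added example, not code from the document, that implements those relationships in string handling, using the text's own DN `CN=wjglenn,CN=Users,DC=contoso,DC=com`; the DN with an escaped comma and the OU=Staff container are constructed, and the choice to unescape values when building the canonical name is an assumption of this example.

```python
"""Added example, not from the document: derive the RDN, parent DN, canonical
name and post-move DN from a distinguished name. split_dn honours
backslash-escaped commas inside values; canonical names are built from the
unescaped values (an assumption of this example). The DN from the text is
used; the escaped-comma DN and the OU=Staff container are constructed."""
import re

TEXT_DN = "CN=wjglenn,CN=Users,DC=contoso,DC=com"          # from the document
ESCAPED_DN = "CN=Glenn\\, Walter,OU=Staff,DC=contoso,DC=com"  # constructed


def split_dn(dn: str) -> list[str]:
    """Split a DN into its RDNs, keeping escaped commas inside a value."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return parts


def rdn(dn: str) -> str:
    """The first component: unique only within the parent container."""
    return split_dn(dn)[0]


def parent_dn(dn: str) -> str:
    """Everything after the RDN: the DN of the parent container."""
    return ",".join(split_dn(dn)[1:])


def unescape(value: str) -> str:
    return re.sub(r"\\(.)", r"\1", value)


def components(dn: str) -> list[tuple[str, str]]:
    """[(TAG, value), ...] in DN order, tags upper-cased, values unescaped."""
    out = []
    for part in split_dn(dn):
        tag, _, value = part.partition("=")
        out.append((tag.strip().upper(), unescape(value)))
    return out


def to_canonical(dn: str) -> str:
    """Root first, slash-separated, no attribute tags."""
    comps = components(dn)
    domain = ".".join(v for t, v in comps if t == "DC")
    path = [v for t, v in reversed(comps) if t != "DC"]
    return "/".join([domain] + path)


def move_object(dn: str, new_parent: str) -> str:
    """A move keeps the RDN and rewrites the rest of the DN."""
    return f"{rdn(dn)},{new_parent}"


def rdn_available(existing: list[str], new_dn: str) -> bool:
    """False when the parent already holds an object with this RDN
    (compared case-insensitively, as the directory does)."""
    key = (rdn(new_dn).lower(), parent_dn(new_dn).lower())
    return all((rdn(d).lower(), parent_dn(d).lower()) != key for d in existing)


if __name__ == "__main__":
    print(rdn(TEXT_DN), parent_dn(TEXT_DN), to_canonical(TEXT_DN))
    print(move_object(TEXT_DN, "OU=Staff,DC=contoso,DC=com"))
```

The UPN is deliberately not derived here: as the text notes, it is not tied to the object's place in the hierarchy and AD does not enforce its uniqueness, so it has to be managed by convention rather than computed from the DN.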

    Q13. What is multimaster replication?Active Directory follows the multimaster replication which every replica of the Active Directory partitionheld on every domain is considered an equal master. Updates can be made to objects on any domaincontroller, and those updates are then replicated to other domain controllers.

    Q14.Which two operations master roles should be available when new security principals arebeing created and named?Domain naming master and the relative ID master

    Q15. What are different types of groups? Security groups Security groups are used to group domain users into a single administrative unit.

    Security groups can be assigned permissions and can also be used as e-mail distribution lists. Usersplaced into a group inherit the permissions assigned to the group for as long as they remain membersof that group. Windows itself uses only security groups. Distribution groups These are used for nonsecurity purposes by applications other than Windows.One of the primary uses is within an e-mailAs with user accounts, there are both local and domain-level groups. Local groups are stored in a localcomputers security database and are intended to control resource access on that computer. Domaingroups are stored in Active Directory and let you gather users and control resource access in a domainand on domain controllers.

Q16. What is a group scope and what are the different types of group scopes?
Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.
Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:
1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e., the domain contains only Windows 2000 or 2003 servers), global groups can also contain other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.
Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:
1. Domain local groups can contain users and global groups from any domain in a forest no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups and universal groups.
Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:
1. Universal groups are available only when the forest functional level is set to Windows 2000 native or Windows Server 2003.


2. Universal groups exist outside the boundaries of any particular domain and are managed by Global Catalog servers.
3. Universal groups are used to assign permissions to related resources in multiple domains.
4. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.
5. You can grant permissions for a universal group to any resource in any domain.

Q17. What are the items that groups of different scopes can contain in mixed and native mode domains?

Q18. What is group nesting?
Placing one group in another is called group nesting. For example, suppose you had junior-level administrators in four different geographic locations, as shown in Figure 4-10. You could create a separate group for each location (named something like Dallas Junior Admins). Then, you could create a single group named Junior Admins and make each of the location-based groups a member of the main group. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.

Q19. How many characters can a group name contain?
ANS = 64

Q20. Is a site part of the Active Directory namespace?
No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in Domain Name System (DNS) records, so sites must be given valid DNS names.

Q21. What is DFS?
The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the 'key' to a list of shares found on multiple servers on the network. Think of it as the home of all file shares with links that point to one or more servers that actually host those shares.
DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability.

Understanding the DFS Terminology
It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.


Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.

Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link they will be redirected to a shared folder.

Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs Targets under the same link.
The image below shows the actual folder structure of what the user sees when using DFS and load balancing.

    Figure 1: The actual folder structure of DFS and load balancing

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved to better performance and add additional fault tolerance, load balancing and reduced use of network bandwidth. It also comes with a powerful set of command-line scripting tools which can be used to make administrative backup and restoration tasks of the DFS namespaces easier. The client Windows operating system includes a DFS client which provides additional features as well as caching.

    Q22. What are the types of replication in DFS?

    There are two types of replication:

* Automatic - which is only available for Domain DFS
* Manual - which is available for stand-alone DFS and requires all files to be replicated manually.

Q23. Which service is responsible for replicating files in the SYSVOL folder?
File Replication Service (FRS)

Q24. What can a site topology owner do?
The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:
* Making changes to the site topology based on changes to the physical network topology.
* Tracking subnetting information for the network. This includes IP addresses, subnet masks, and the locations of the subnets.
* Monitoring network connectivity and setting the costs for links between sites.

Q1. What is DNS?

DNS provides name registration and name-to-address resolution capabilities. DNS drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network. Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. Host files are easy to understand. These are static ASCII text files that simply map a host name to an IP address in a table-like format. Windows ships with a HOSTS file in the \winnt\system32\drivers\etc subdirectory.


The fundamental problem with host files was that these files were labor intensive. A host file is manually modified, and it is typically centrally administered.

    The DNS system consists of three components: DNS data (called resource records), servers (calledname servers), and Internet protocols for fetching data from the servers.

Q2. Which are the four generally accepted naming conventions?

    NetBIOS Name (for instance, SPRINGERS01)

    TCP/IP Address (121.133.2.44)

    Host Name (Abbey)

Media Access Control (MAC) address (this is the network adapter hardware address)

Q3. How does DNS really work?
DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line? DNS resolves domain names to IP addresses using these steps:
Step 1. A client (or resolver) passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client TCP/IP configuration. This DNS server is known as the local name server.
Step 2. If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.
Step 3. If all else fails, the request is passed to more and more, higher-level name servers until the query resolution process starts with the far-right term (for instance

    Figure 8-5:

    Q4. Which are the major records in DNS?

1. Host or Address Records (A): map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. It has three fields: Host Name, Domain, Host IP Address.

E.g.: eric.foobarbaz.com. IN A 36.36.1.6

It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record, with every column the same save for the IP address.

2. Aliases or Canonical Name Records (CNAME)
CNAME records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical, or official, name of the machine. Other records should point to the canonical name. Here is an example of a CNAME:

    www.foobarbaz.com. IN CNAME eric.foobarbaz.com.

You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right. A machine can have an unlimited number of CNAME aliases. A new record must be entered for each alias.


You can add A or CNAME records for the service name pointing to the machines you want to load balance.

    3. Mail Exchange Records (MX)

MX records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts since they do not have to route incoming mail, and it allows your mail to be sent to any address in your domain even if that particular address does not have a computer associated with it. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, however, we want our email address to be [email protected] rather than [email protected]. This is accomplished by the record shown below:

    foobarbaz.com. IN MX 10 eric.foobarbaz.com.

The column on the far left signifies the address that you want to use as an Internet email address. The next two entries have been explained thoroughly in previous records. The next column, the number 10, is different from the normal DNS record format. It is a signifier of priority. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables, in order of priority.

Obviously, you can have as many MX records as you would like. It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.

It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:

    *.foobarbaz.com. IN MX 10 eric.foobarbaz.com.

This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com.

One should use caution with wildcards; specific records will be given precedence over ones containing wildcards.

    4. Pointer Records (PTR)

Although there are different ways to set up PTR records, we will be explaining only the most frequently used method, called in-addr.arpa.

In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a reverse lookup. It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. In-addr.arpa records look as such:

    6.1.36.36.in-addr.arpa. IN PTR eric.foobarbaz.com.

As you can see from the example for the A record in the beginning of this document, the record simply has the IP address in reverse for the host name in the last column.


A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

    5. Name Server Records (NS)

NS records are imperative to functioning DNS entries. They are very simple; they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. NS records look like this:

    foobarbaz.com. IN NS draven.foobarbaz.com.

There also must be an A record in your DNS for each machine you enter as a name server in your domain.

If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with nse.algx.net and nsf.algx.net as your two authoritative name servers.

    6. Start Of Authority Records (SOA)

The SOA record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. Here is an example of an SOA record, then each part of it will be explained:

foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                1996111901 ; Serial
                10800      ; Refresh
                3600       ; Retry
                3600000    ; Expire
                86400 )    ; Minimum

The first column contains the domain for which this record begins authority. The next two entries should look familiar. The draven.foobarbaz.com entry is the primary name server for the domain. The last entry on this row is actually an email address, if you substitute an @ for the first '.'. There should always be a viable contact address in the SOA record.

The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on its entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where NN is the number of times that day the DNS has been changed.

Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes asking us to pull the new zones.

All the rest of the numbers in the record are measurements of time, in seconds. The refresh number stands for how often secondary name servers should check the primary for a change in the serial number. Retry is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. Expire is how long the secondary server should use its current entry if it is unable to perform a refresh, and minimum is how long other name servers should cache, or save, this entry.


There can only be one SOA record per domain. Like NS records, Allegiance Internet sets up this record for you if you are not running your own name server.
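As an added illustration of the record rules described above (not code from the original document), the following Python applies them to a constructed sample zone written in the same BIND-style text form: exactly one SOA, at least two NS records each backed by an A record, CNAME targets that are names with A records, a 16-bit MX preference, MX delivery order with specific records beating the wildcard, and the YYYYMMDDNN serial scheme.

```python
import ipaddress
from collections import defaultdict

def parse_record(line):
    """Split one BIND-style record line into (owner, ttl, rtype, rdata list).
    The TTL is optional and, when present, sits between the owner and the class.
    Text after ';' is a comment; the SOA is expected on a single line here."""
    parts = line.split(";")[0].split()
    if len(parts) < 4:
        raise ValueError(f"too few fields: {line!r}")
    owner, rest = parts[0], parts[1:]
    ttl = None
    if rest[0].isdigit():                 # explicit per-record TTL such as "300"
        ttl, rest = int(rest[0]), rest[1:]
    if rest[0].upper() != "IN":
        raise ValueError(f"expected class IN: {line!r}")
    return owner, ttl, rest[1].upper(), rest[2:]

def load_zone(lines):
    """Parse every non-empty, non-comment line of a zone."""
    return [parse_record(l) for l in lines
            if l.strip() and not l.lstrip().startswith(";")]

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def check_zone(apex, lines):
    """Apply the record rules from the text above; return a list of problem strings."""
    records = load_zone(lines)
    by_type = defaultdict(list)
    for rec in records:
        by_type[rec[2]].append(rec)
    a_owners = {r[0] for r in by_type["A"]}
    problems = []
    if len(by_type["SOA"]) != 1:          # exactly one SOA per zone
        problems.append(f"expected exactly one SOA record, found {len(by_type['SOA'])}")
    apex_ns = [r for r in by_type["NS"] if r[0] == apex]
    if len(apex_ns) < 2:                  # at least two NS records ...
        problems.append(f"expected at least two NS records for {apex}, found {len(apex_ns)}")
    for _, _, _, rdata in apex_ns:        # ... each backed by an A record
        if rdata[0] not in a_owners:
            problems.append(f"NS target {rdata[0]} has no A record")
    for owner, _, _, rdata in by_type["A"]:
        if not is_ip(rdata[0]):
            problems.append(f"A record for {owner} does not hold an IP address: {rdata[0]}")
    for owner, _, _, rdata in by_type["CNAME"]:   # alias -> canonical name with an A record
        if is_ip(rdata[0]):
            problems.append(f"CNAME {owner} points at an IP address, not a name")
        elif rdata[0] not in a_owners:
            problems.append(f"CNAME {owner} points at {rdata[0]}, which has no A record")
    for owner, _, _, rdata in by_type["MX"]:      # 16-bit preference, then a mail host
        if len(rdata) != 2 or not rdata[0].isdigit() or int(rdata[0]) > 65535:
            problems.append(f"MX for {owner} needs a 0..65535 preference and a target")
        elif rdata[1] not in a_owners:
            problems.append(f"MX target {rdata[1]} for {owner} has no A record")
    return problems

def mail_exchangers(lines, name):
    """Mail hosts for name in delivery order (lowest preference first).
    A wildcard MX applies only when no record of any type exists for the name."""
    records = load_zone(lines)
    mx = [r for r in records if r[2] == "MX" and r[0] == name]
    if not mx and not any(r[0] == name for r in records) and "." in name:
        wildcard = "*." + name.split(".", 1)[1]
        mx = [r for r in records if r[2] == "MX" and r[0] == wildcard]
    return [r[3][1] for r in sorted(mx, key=lambda r: int(r[3][0]))]

def next_serial(current, today):
    """Next YYYYMMDDNN serial: bump NN on the same day, otherwise start today's count
    at 01; max() keeps the serial increasing even if the current one is ahead of today."""
    return max(current + 1, int(today) * 100 + 1)

# Constructed sample zone using the host names from the text; the last two
# records carry deliberate faults so that check_zone() has something to report.
SAMPLE_ZONE = """\
foobarbaz.com.        IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. 2024010101 10800 3600 3600000 86400
foobarbaz.com.        IN NS draven.foobarbaz.com.
foobarbaz.com.        IN NS ns2.foobarbaz.com.
draven.foobarbaz.com. IN A 36.36.1.5
ns2.foobarbaz.com.    IN A 36.36.1.7
eric.foobarbaz.com.   300 IN A 36.36.1.6
www.foobarbaz.com.    IN CNAME eric.foobarbaz.com.
foobarbaz.com.        IN MX 10 eric.foobarbaz.com.
*.foobarbaz.com.      IN MX 10 eric.foobarbaz.com.
foobarbaz.com.        IN MX 20 backup.foobarbaz.com.   ; fault: backup has no A record
mail.foobarbaz.com.   IN CNAME 36.36.1.6               ; fault: CNAME to an IP address
""".splitlines()
```

Running check_zone("foobarbaz.com.", SAMPLE_ZONE) reports the two faulty records, and mail_exchangers() shows the wildcard MX applying to an unknown workstation name but not to eric.foobarbaz.com., which already has an A record.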

Quick Summary of the major records in DNS

Record Type         Definition
Host (A)            Maps host name to IP address in a DNS zone. Has three fields: Domain, Host Name, Host IP Address.
Aliases (CNAME)     Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, For Host DNS Name.
Nameservers (NS)    Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.
Pointer (PTR)       Maps IP address to host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.
Mail Exchange (MX)  Specifies a mail exchange server for a DNS domain name. Note that the term exchange does not refer to Microsoft Exchange, a BackOffice e-mail application. However, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), the MX record must be correctly configured by your ISP. A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time. Fields include: Domain, Host Name (Optional), Mail Exchange Server DNS Name, Preference Number.

Q5. What is a DNS zone?

A zone is simply a contiguous section of the DNS namespace. Records for a zone are stored and managed together. Often, subdomains are split into several zones to make manageability easier. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain.

    Q6. Name the two Zones in DNS?

DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a copy of a primary zone. For fault tolerance purposes and load balancing, a domain may have several DNS servers that respond to requests for the same information.

    The entries within a zone give the DNS server the information it needs to satisfy requests from othercomputers or DNS servers.

Q7. How many SOA records does each zone contain?

Each zone will have one SOA record. This record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).


    Q8. Short summary of the records in DNS.

The NS records are used to point to additional DNS servers. The PTR record is used for reverse lookups (IP to name). CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email.

Q9. What is an AD-integrated zone?
AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.

Q10. What is a STUB zone?

A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q11. What does a stub zone consist of?

A stub zone consists of:
* The start of authority (SOA) resource record, name server (NS) resource records, and the glue A resource records for the delegated zone.
* The IP address of one or more master servers that can be used to update the stub zone.

Q12. How does resolution in a stub zone take place?

When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints.

The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records, which are not written to cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original, primary zone.

If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.

Q13. What are the benefits of Active Directory integration?

For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:

    * Multimaster update and enhanced security based on the capabilities of Active Directory

In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone.


This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure. If this server is not available, update requests from DNS clients are not processed for the zone.

With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model. In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network.

Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone. For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group such as a domain administrators group. This security feature is not available with standard primary zones. Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.

* Directory replication is faster and more efficient than standard DNS replication.

Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones.

Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory. It must store them in standard text files. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.

Q14. What is scavenging?
DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically, this applies only to resource records that were added via DDNS, but you can also scavenge manually added, also referred to as static, records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

    Q15. What is the default interval when DNS server will kick off the scavenging process?

    The default value is 168 hours, which is equivalent to 7 days.

    DNS Q&A corner

    Q1. How do I use a load balancer with my name servers?

> Just wanted to ask a question about load balanced DNS servers
> via an external network load balancing appliance (i.e - F5's Big IP,
> Cisco's Content Switches/ Local Directors).
>
> The main question being the configuration whether to use 2
> Master/Primary Servers or is it wiser to use 1 Primary and 1
> Secondary? The reason is that I feel there are two configurations
> that could be setup. One in which only the resolvers query the
> virtual IP address on the load balancing appliance or actually
> configure your NS records to point to the Virtual Address so that all


> queries, ie - both by local queries directly from local users and
> also queries from external DNS servers. I've included a text
> representation of the physical configuration. Have you ever
> heard or architected such a configuration?
>
> VIP = 167.147.1.5
> ------------------------------------
> |       Load Balancer Device       |
> ------------------------------------
>
> ------------------------------
> |   DNS 1   |  |   DNS 2    |
> ------------------------------
>    1.1.1.1         1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa.

However, it can be useful for resolvers. In that case, you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, are there any problems in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?

> How can reverse lookup possibly work on the Internet - how can a local
> resolver or ISP's DNS server find the pointer records please? E.g. I run
> nslookup 161.114.1.206 & get a reply for a Compaq server
> - how does it know where to look? Is there a giant reverse lookup zone in
> the sky?

Yes, actually, there is: in-addr.arpa. If a resolver needs to reverse map, say, 161.114.1.206 to a domain name, it first inverts the octets of the IP address and appends "in-addr.arpa." So, in this case, the IP address would become the domain name 206.1.114.161.in-addr.arpa. Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by an organization called ARIN, the American Registry for Internet Numbers. These name servers refer the querier to 1.114.161.in-addr.arpa name servers, run by Compaq. And, finally, these name servers map the IP address to inmail.compaq.com.
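The referral chain in the answer above, as an added simulation that is not part of the original Q&A: the server names and the delegation table are constructed to mirror the example (root, then ARIN for 161.in-addr.arpa, then Compaq for 1.114.161.in-addr.arpa), and query() models a single iterative step.

```python
# Constructed delegation data mirroring the answer above. Each "server" knows
# the child zones it has delegated and any PTR records it holds itself.
# Server names such as "ns.arin" and "ns.compaq" are made up for this example.
SERVERS = {
    "root":      {"delegations": {"161.in-addr.arpa.": "ns.arin"}, "ptr": {}},
    "ns.arin":   {"delegations": {"1.114.161.in-addr.arpa.": "ns.compaq"}, "ptr": {}},
    "ns.compaq": {"delegations": {},
                  "ptr": {"206.1.114.161.in-addr.arpa.": "inmail.compaq.com."}},
}

def reverse_name(ip):
    """Invert the octets and append in-addr.arpa:
    161.114.1.206 -> 206.1.114.161.in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad IPv4 address: {ip!r}")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def query(server, qname):
    """One iterative query against one server. Returns ("answer", target) if the
    server holds the PTR, ("referral", next_server) for the closest enclosing
    delegation it knows, or ("nxdomain", None) if it knows nothing relevant."""
    data = SERVERS[server]
    if qname in data["ptr"]:
        return "answer", data["ptr"][qname]
    best = None
    for zone, ns in data["delegations"].items():
        if qname.endswith("." + zone) and (best is None or len(zone) > len(best[0])):
            best = (zone, ns)          # keep the longest (most specific) matching zone
    return ("referral", best[1]) if best else ("nxdomain", None)

def reverse_lookup(ip, start="root", max_hops=8):
    """Follow referrals from the root until a PTR answer or a negative answer.
    Returns (target_or_None, [(server, result_kind), ...]) so the chain is visible."""
    qname = reverse_name(ip)
    server, path = start, []
    for _ in range(max_hops):
        kind, value = query(server, qname)
        path.append((server, kind))
        if kind != "referral":
            return value, path
        server = value                 # chase the referral to the next server
    raise RuntimeError(f"gave up after {max_hops} referrals for {qname}")
```

reverse_lookup("161.114.1.206") walks root, ns.arin and ns.compaq in turn and returns inmail.compaq.com.; an address with no PTR ends the walk with an nxdomain result at the last server reached.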

    Q3. What are the pros and cons of running slaves versus caching-only name servers?

    > Question: I am in the process of setting up dns servers in several locations for my> business. I have looked into having a primary master server running in my server

    > room and adding slave servers in the other areas. I then thought I could just> setup a primary and a single slave server and run caching only servers in the other> areas. What are the pros and cons of these two options, or should I run a slave

    > server in every location and still have a caching server with it? I just don't

    > know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries.


On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

    Q4. Can I set a TTL on a specific record?

    > Is it possible to setup ttl values for individual records in bind?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:

foo.example. 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?

> I have a single machine running DNS, mail and web for a domain

> and I'm not sure that I have DNS setup properly. If the machine
> that is running the mail is the name of the domain does there need
> to be an MX record for mail?

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist.

> If an MX record is not needed, how would you put in an MX

    > record for a backup mailserver.

You can't. If you want to use a backup mailer, you need to use MX records.

> www cname 192.168.0.1
> mail cname 192.168.0.1
> pop cname 192.168.0.1
> smtp cname 192.168.0.1

These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after "CNAME" must contain a domain name, not an IP address. For example:

www CNAME foo.example.

Q6. What are a zone's NS records used for?

> Could you elaborate a little bit on why we need to put NS records for
> the zone we are authoritative for?
> The parent name server handles these already. Is there any problem if our
> own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:

- Your name servers return them in responses to queries, in the authority section of the DNS message. Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours "wins."

- Your name servers use the NS records to determine where to send NOTIFY messages.

- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.

    Q7. Do slaves only communicate with their masters over TCP?

> When the slave zone checks in with the master zone for the serial number, is
> all this traffic happening on TCP. For example, if you have acl's blocking
> udp traffic but allowing tcp traffic will the transfer work or will it fail
> due to the slave's inability to query for the SOA record on udp?

    No. The refresh query (for the zone's SOA record) is usually done over UDP.


    Q8. What's the largest number I can use in an MX record?

    > Could you tell us the highest possible number we can use for the MX
    > preference?

    Preference is an unsigned, 16-bit number, so the largest number you can use is 65535.
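    As an added example (not part of the FAQ material above or of this document), the following Python script lints a small, constructed zone fragment for the two mistakes just discussed, a CNAME whose target is an IP address and an MX preference outside the 16-bit range. It goes a little beyond the text and also flags an MX exchange written as an address and a name that owns a CNAME together with other records, which RFC 1034 forbids. The zone content, names and addresses are made up for the example.

```python
import ipaddress

# Constructed zone fragment, not taken from the page. It reproduces the mistakes
# discussed above (CNAME pointing at an address, MX preference above 65535, MX
# exchange given as an address) plus a CNAME that shares its owner with an A record.
SAMPLE_ZONE = """
$ORIGIN example.com.
@        3600 IN SOA   ns1.example.com. hostmaster.example.com. 2019080701 7200 900 1209600 3600
@             IN NS    ns1.example.com.
ns1           IN A     192.168.0.2
host          IN A     192.168.0.1
www           IN CNAME 192.168.0.1              ; wrong: CNAME target must be a name
mail          IN CNAME 192.168.0.1              ; wrong
@             IN MX    70000 mail.example.com.  ; wrong: preference is 16-bit
@             IN MX    10 192.168.0.1           ; wrong: exchange must be a name
ftp           IN CNAME host                     ; wrong: CNAME plus other data at ftp
ftp           IN A     192.168.0.5
correct       IN CNAME host.example.com.
"""


def absolute(name, origin):
    """Make a master-file owner absolute relative to $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Parse a simplified master file (one record per line, each line starting
    with its owner, no parentheses) into (owner, type, rdata_tokens) tuples."""
    origin = "."
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop comments
        if not line:
            continue
        tokens = line.split()
        if tokens[0].upper() == "$ORIGIN":
            origin = tokens[1]
            continue
        owner, rest = tokens[0], tokens[1:]
        # Optional TTL and class may precede the type.
        while rest and (rest[0].isdigit() or rest[0].upper() in ("IN", "CH", "HS")):
            rest.pop(0)
        records.append((absolute(owner, origin), rest[0].upper(), rest[1:]))
    return records


def is_ip_literal(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def lint_zone(text):
    """Return (owner, problem) pairs for the record mistakes discussed above."""
    problems = []
    types_by_owner = {}
    for owner, rtype, rdata in parse_zone(text):
        types_by_owner.setdefault(owner, set()).add(rtype)
        if rtype == "CNAME" and is_ip_literal(rdata[0]):
            problems.append((owner, f"CNAME target {rdata[0]} is an IP address; use an A record"))
        if rtype == "MX":
            pref, exchange = rdata[0], rdata[1]
            if not pref.isdigit() or int(pref) > 65535:
                problems.append((owner, f"MX preference {pref} is outside 0-65535"))
            if is_ip_literal(exchange):
                problems.append((owner, f"MX exchange {exchange} must be a host name"))
    # RFC 1034: a name that owns a CNAME may own no other records.
    for owner, types in types_by_owner.items():
        if "CNAME" in types and len(types) > 1:
            problems.append((owner, "CNAME coexists with " + ", ".join(sorted(types - {"CNAME"}))))
    return problems


if __name__ == "__main__":
    for owner, problem in lint_zone(SAMPLE_ZONE):
        print(f"{owner:20} {problem}")
```

    Run it and each offending owner is printed with the reason. The parser deliberately handles only the one-record-per-line form used in the sample; real zone files with parenthesised SOA records or lines that inherit the previous owner need a fuller parser.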

    Q9. Why are there only 13 root name servers?

    > I'm wondering why there are only 13 root servers globally.
    > Some documents explain that one of the reasons is a technical limit in the Domain
    > Name System (without any detailed explanation).
    > From my understanding, it seems to be some limitation on the number of NS records
    > in a DNS packet specified by certain RFCs, or just Internet policy stuff.
    >
    > Which one is the proper reason?

    It's a technical limitation. A DNS message sent over UDP without EDNS0 can be at most 512 bytes long, and about 13 NS records plus their corresponding A records is what fits into a message that size. (Each of the 13 names is now served by many anycast instances, and resolvers that advertise a larger UDP buffer with EDNS0 can receive the bigger priming responses that also carry AAAA records.)
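    To see where the 512-byte figure comes from, here is an added example (not from the page) that builds a wire-format priming response with RFC 1035 name compression and measures it. The server names follow the a.root-servers.net pattern, the addresses and TTL are placeholders, and the message ID, flags and record ordering are assumptions made for the example; the byte counts, not the values, are the point.

```python
import struct


def encode_name(name, offset, table, compress=True):
    """Encode a dotted name in wire format starting at message `offset`.
    `table` maps every name suffix already written to its offset; when `compress`
    is set, a suffix seen before is replaced by a 2-byte pointer (RFC 1035 4.1.4)."""
    labels = [] if name == "." else name.rstrip(".").split(".")
    out = b""
    for i, label in enumerate(labels):
        suffix = ".".join(labels[i:]) + "."
        if compress and suffix in table:
            return out + struct.pack("!H", 0xC000 | table[suffix])
        table.setdefault(suffix, offset + len(out))
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"  # root label terminates an uncompressed name


def priming_response(n_servers, compress=True, aaaa=False):
    """Build the reply to a '. IN NS' priming query listing n_servers root servers
    named a.root-servers.net ... (assumed naming), each with one A record and
    optionally one AAAA record in the additional section. Addresses are placeholders."""
    assert 1 <= n_servers <= 26
    ttl = 518400
    names = [f"{chr(ord('a') + i)}.root-servers.net." for i in range(n_servers)]
    table = {}
    # Header: ID, flags (QR|AA|RD|RA), QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
    arcount = n_servers * (2 if aaaa else 1)
    msg = struct.pack("!HHHHHH", 0x1234, 0x8580, 1, n_servers, 0, arcount)
    # Question section: "." IN NS
    msg += encode_name(".", len(msg), table, compress) + struct.pack("!HH", 2, 1)
    # Answer section: one NS record per server, all owned by "."
    for name in names:
        owner = encode_name(".", len(msg), table, compress)
        fixed = struct.pack("!HHI", 2, 1, ttl)            # TYPE NS, CLASS IN, TTL
        rdata_offset = len(msg) + len(owner) + len(fixed) + 2
        rdata = encode_name(name, rdata_offset, table, compress)
        msg += owner + fixed + struct.pack("!H", len(rdata)) + rdata
    # Additional section: glue addresses (placeholder values, not the real ones)
    for i, name in enumerate(names):
        owner = encode_name(name, len(msg), table, compress)
        msg += owner + struct.pack("!HHIH4B", 1, 1, ttl, 4, 192, 0, 2, i + 1)
        if aaaa:
            owner = encode_name(name, len(msg), table, compress)
            addr = (0x20010DB8 << 96 | (i + 1)).to_bytes(16, "big")
            msg += owner + struct.pack("!HHIH", 28, 1, ttl, 16) + addr
    return msg


def max_servers(limit=512, **kwargs):
    """Largest server count whose priming response fits in `limit` bytes."""
    best = 0
    for n in range(1, 27):
        if len(priming_response(n, **kwargs)) <= limit:
            best = n
    return best


if __name__ == "__main__":
    print("13 servers, compressed:  ", len(priming_response(13)), "bytes")
    print("13 servers, uncompressed:", len(priming_response(13, compress=False)), "bytes")
    print("13 servers, with AAAA:   ", len(priming_response(13, aaaa=True)), "bytes")
    print("fit in 512 bytes:", max_servers(), "(no compression:", max_servers(compress=False), ")")
```

    With compression and one A record per server the 13-server response is 436 bytes; the same response without compression is 862 bytes, and with an AAAA record per server it is 800 bytes, which is why priming today relies on EDNS0 to advertise a larger UDP buffer. Under this idealised naming the budget runs out after 15 entries, so 13 leaves a little room; the figure is usually quoted as "about 13" because the exact cutoff depends on the names and on how aggressively the server compresses, and the shared root-servers.net suffix is what makes the compression possible at all.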

    IMP information

    http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

    Q1. Which are the five FSMO roles?

    Role                    Scope          Count
    Schema Master           Forest level   One per forest
    Domain Naming Master    Forest level   One per forest
    PDC Emulator            Domain level   One per domain
    RID Master              Domain level   One per domain
    Infrastructure Master   Domain level   One per domain

    Q2. What are their functions?

    1. Schema Master (forest level)
    The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. It holds the only writable copy of the schema, so it is the only DC that can process schema updates; once an update is complete, it is replicated from the schema master to every other DC in the forest. There is only one schema master per forest.

    2. Domain Naming Master (forest level)
    The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain namespace of the directory. It is the only DC that can add a domain to or remove a domain from the forest, which is its major purpose. It can also add or remove cross-references to domains in external directories. There is only one domain naming master per forest.

    3. PDC Emulator (domain level)
    In a Windows 2000 domain, the PDC emulator role holder performs the following functions:
    - Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
    - Authentication failures that occur at a given DC because of an incorrect password are forwarded to the PDC emulator for validation before a bad-password failure is reported to the user, so a freshly changed password works before it has replicated everywhere. Because every failed attempt in the domain is chained to it, the PDC emulator's Security log is the single best place to look for password guessing.
    - Account lockout is processed on the PDC emulator.
    - Time synchronization for the domain: the PDC emulator is the authoritative time source for its domain, and the forest root domain's PDC emulator is the authoritative source for the forest.
    - Group Policy changes are preferentially written to the PDC emulator.

    Additionally, if your domain is a mixed-mode domain that contains Windows NT 4 BDCs, the Windows 2000 domain controller that holds the PDC emulator role acts as a Windows NT 4 PDC to those BDCs. There is only one PDC emulator per domain.
    Note: Some consider the PDC emulator to be relevant only in a mixed-mode domain. This is not true. Even after you have changed your domain to native mode (no more NT 4 domain controllers), the PDC emulator is still necessary for the reasons above.

    4. RID Master (domain level)
    The RID master FSMO role holder is the single DC responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

    When a DC creates a security principal object such as a user, group or computer account, it attaches a unique security ID (SID) to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that makes the object unique within the domain.

    Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master, which responds by taking RIDs from the domain's unallocated RID space and assigning them to the requesting DC's pool. There is one RID master per domain.

    5. Infrastructure Master (domain level)
    The DC that holds the Infrastructure Master FSMO role is responsible for cross-domain updates and lookups. When an object in one domain is referenced by an object in another domain, the reference is stored as the GUID, the SID (for references to security principals) and the distinguished name (DN) of the referenced object. The Infrastructure Master is the DC responsible for updating the SID and distinguished name in such a cross-domain object reference.

    When a user in DomainA is added to a group in DomainB, the Infrastructure Master is involved. Likewise, if that user in DomainA, who has been added to a group in DomainB, is then renamed in DomainA, the Infrastructure Master must update the group membership in DomainB with the name change. There is only one Infrastructure Master per domain.
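    Added example, not from the page: a Python decoder for the binary objectSid value a DC stores, which splits each SID into the domain SID and the RID described under the RID Master above and flags the well-known RIDs an administrator or incident responder looks for first. The sample SIDs are constructed; the well-known RID table holds the documented Windows constants, and the rule that pool-allocated RIDs start at 1000 is standard Windows behaviour.

```python
import struct

# Well-known RIDs present in every domain (documented Windows constants).
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 515: "Domain Computers",
    516: "Domain Controllers", 518: "Schema Admins", 519: "Enterprise Admins",
}


def decode_sid(blob):
    """Decode the binary objectSid layout returned by LDAP: revision (1 byte),
    sub-authority count (1 byte), 48-bit big-endian identifier authority, then
    little-endian 32-bit sub-authorities. Returns the familiar S-1-5-... string."""
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack(f"<{count}I", blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def encode_sid(sid):
    """Inverse of decode_sid, used here only to build the constructed sample data."""
    parts = sid.split("-")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
            + struct.pack(f"<{len(subs)}I", *subs))


def split_sid(sid):
    """Split a domain account SID (S-1-5-21-<domain>-<RID>) into (domain SID, RID).
    SIDs that are not domain SIDs, such as S-1-5-32-544 (BUILTIN\\Administrators),
    come back with RID None because no RID pool was involved in creating them."""
    parts = sid.split("-")
    if parts[:3] != ["S", "1", "5"] or len(parts) < 5:
        raise ValueError("not an NT authority SID: " + sid)
    if parts[3] != "21":
        return sid, None
    return "-".join(parts[:-1]), int(parts[-1])


def describe(blob):
    """Classify one binary SID: which domain it belongs to, whether its RID is a
    well-known built-in value, and whether it was handed out from a DC's RID pool
    (RIDs from 1000 upwards; the RID master allocates those pools)."""
    sid = decode_sid(blob)
    domain, rid = split_sid(sid)
    return {
        "sid": sid,
        "domain": domain,
        "rid": rid,
        "well_known": WELL_KNOWN_RIDS.get(rid),
        "from_rid_pool": rid is not None and rid >= 1000,
    }


# Constructed sample: three SIDs from one fictitious domain plus a BUILTIN group.
CONSTRUCTED_DOMAIN = "S-1-5-21-1004336348-1177238915-682003330"
SAMPLE_BLOBS = [
    encode_sid(CONSTRUCTED_DOMAIN + "-500"),
    encode_sid(CONSTRUCTED_DOMAIN + "-512"),
    encode_sid(CONSTRUCTED_DOMAIN + "-1107"),
    bytes.fromhex("0102000000000005" "20000000" "20020000"),   # S-1-5-32-544, written by hand
]

if __name__ == "__main__":
    for blob in SAMPLE_BLOBS:
        print(describe(blob))
```

    RIDs below 1000 belong to the accounts and groups created with the domain, so the RID master is never involved in them; every RID from 1000 up came from a pool that some DC obtained from the RID master, which is exactly the allocation the text describes. When reviewing group memberships or event logs, the RID 500 and 512 entries are the ones to look at first, whatever the accounts have been renamed to.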

    Q3. What if a FSMO server fails?

    Schema Master: No updates to the Active Directory schema will be possible. Since schema updates are rare (usually done by certain applications, and possibly by an administrator adding an attribute to an object), the malfunction of the server holding the Schema Master role does not pose a critical problem.

    Domain Naming Master: The Domain Naming Master must be available when adding a domain to or removing a domain from the forest (i.e. running DCPROMO for a new or last domain controller of a domain). If it is not, the domain cannot be added or removed. Like the Schema Master, this functionality is only used on occasion and is not critical unless you are modifying your domain or forest structure.

    PDC Emulator: The server holding the PDC emulator role causes the most problems if it is unavailable. This is most noticeable in a mixed-mode domain where you are still running NT 4 BDCs and downlevel clients (NT and Win9x). Since the PDC emulator acts as an NT 4 PDC, any action that depends on the PDC is affected (User Manager for Domains, Server Manager, changing passwords, browsing and BDC replication). In a native-mode domain the failure of the PDC emulator is less critical, because other domain controllers can assume most of its responsibilities, but the preferential password replication and bad-password forwarding described above stop working until the role is transferred or seized.

    RID Master: The RID Master provides RIDs for security principals (users, groups, computer accounts). The failure of this FSMO server has little impact unless you are adding a very large number of users or groups. Each DC in the domain already has a pool of RIDs, and a problem occurs only when the DC you are creating the users/groups on runs out of RIDs.

    Infrastructure Master: This FSMO server is only relevant in a multi-domain environment. If you only have one domain, the Infrastructure Master is irrelevant. Failure of this server in a multi-domain environment is a problem if you are trying to add objects from one domain to groups in another.

    Q4. Where are these FSMO server roles found?

    The first domain controller that is installed in a Windows 2000 forest, by default, holds all five FSMO roles. The first DC of each additional domain holds that domain's three domain-level roles. As more domain controllers are added, the FSMO roles can be moved to other domain controllers.

    Q5. Can you move FSMO roles?

    Yes. Moving a FSMO role is a manual process; it does not happen automatically. But what if you only have one domain controller in your domain? That is fine. If you have only one domain controller in your organization, then you have one forest, one domain and one domain controller, and all five FSMO roles exist on that DC. There is no rule that says you must have one server for each FSMO role.

    Q6. Where to place the FSMO roles?

    Assuming you do have multiple domain controllers in your domain, there are some best practices to follow for placing FSMO server roles.

    The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. Since all three are, by default, on the first domain controller installed in a forest, you can leave them as they are.
    Note: According to Microsoft, the Domain Naming Master needs to be on a Global Catalog server (a Windows 2000 requirement; it no longer applies once the forest is at the Windows Server 2003 forest functional level). If you are going to separate the Domain Naming Master and Schema Master, make sure they are both on Global Catalog servers.

    IMP: Why should the Infrastructure Master not be on the same server that acts as a Global Catalog server?
    The Infrastructure Master should not be on the same server that acts as a Global Catalog server. The reason is that the Global Catalog contains information about every object in the forest. When the Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, needs information about objects not in its domain, it compares its own cross-domain references against the Global Catalog. If both roles reside on the same server, the Infrastructure Master holds a full copy of every object and has no out-of-date cross-domain references of its own to compare, so it never detects changes to objects in other domains and never replicates those updates to the other domain controllers in its domain.
    Note: In a single-domain environment this is not an issue. It is also not an issue if every domain controller in the domain is a Global Catalog server, since then no DC holds references that need updating.

    Microsoft also recommends that the PDC Emulator and RID Master be on the same server. This is not mandatory like the Infrastructure Master and Global Catalog rule above, but it is recommended. Also, since the PDC Emulator receives more traffic than any other FSMO role holder, it should be on a server that can handle the load.

    It is also recommended that all FSMO role holders be direct replication partners and that they have high-bandwidth connections to one another as well as to a Global Catalog server.

    Q7. What permissions do you need in order to transfer a FSMO role?

    Before you can transfer a role, you must have the appropriate permissions depending on which role you plan to transfer:

    Schema Master            member of the Schema Admins group
    Domain Naming Master     member of the Enterprise Admins group
    PDC Emulator             member of the Domain Admins group and/or the Enterprise Admins group
    RID Master               member of the Domain Admins group and/or the Enterprise Admins group
    Infrastructure Master    member of the Domain Admins group and/or the Enterprise Admins group

    FSMO TOOLS

    Q8. Tools to find out what servers in your domain/forest hold what server roles?

    1. Active Directory Users and Computers: use this snap-in to find out where the domain-level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master), and also to change the location of one or more of these three FSMO roles.

    Open Active Directory Users and Computers, right-click the domain you want to view the FSMO roles for and click "Operations Masters". A dialog box (below) opens with three tabs, one for each FSMO role. Click each tab to see which server that role resides on. To change the server for a role, you must first connect to the domain controller you want to move it to. Do this by right-clicking "Active Directory Users and Computers" at the top of the snap-in and choosing "Connect to Domain Controller". Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button. When you do connect to another DC, you will notice that the name of that DC appears in the field below the Change button (not in this graphic).

    2. Active Directory Domains and Trusts: use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location. The process is the same as for viewing and changing the domain-level FSMO roles in Active Directory Users and Computers, except that you use the Active Directory Domains and Trusts snap-in. Open Active Directory Domains and Trusts, right-click "Active Directory Domains and Trusts" at the top of the tree, and choose "Operations Master". You will see the dialog box below. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller, then click the Change button. You can connect to another domain controller by right-clicking "Active Directory Domains and Trusts" at the top of the snap-in and choosing "Connect to Domain Controller".

    3. Active Directory Schema: this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not available by default: its DLL (schmmgmt.dll) ships with the Windows 2000 Server administrative tools but has to be registered first by running regsvr32 schmmgmt.dll. Once it is registered you can open a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right-click "Active Directory Schema" at the top of the tree and choose "Operations Master". You will see the dialog box below. Changing the server the Schema Master resides on requires that you first connect to another domain controller and then click the Change button. You can connect to another domain controller by right-clicking "Active Directory Schema" at the top of the snap-in and choosing "Connect to Domain Controller".

    4. Netdom
    The easiest and fastest way to find out which server holds which FSMO role is the Netdom command-line utility. Like the Replication Monitor below, Netdom is only available if you have installed the Support Tools from the Windows 2000 CD or the Windows 2000 Server Resource Kit. To use Netdom to view the FSMO role holders, open a command prompt, type netdom query fsmo and press Enter. You will see a list of the FSMO role servers:


    5. Active Directory Replication Monitor: another tool that comes with the Support Tools is the Active Directory Replication Monitor (replmon). Open it from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a domain controller. Once added, right-click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the five FSMO roles (below). You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

    Finally, you can use the Ntdsutil.exe utility to gather information about and change servers for FSMO roles. Ntdsutil.exe, a command-line utility that is installed with Windows 2000 Server, is rather complicated and beyond the scope of this document; it is also the tool you need to seize a role from a role holder that is permanently offline (see Q9).

    6. DUMPFSMOS
    - Command-line tool to query for the current FSMO role holders
    - Part of the Microsoft Windows 2000 Server Resource Kit
    - Downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp
    - Prints the current FSMO holders to the screen
    - Calls NTDSUTIL to get this information

    7. NLTEST
    - Command-line tool to perform common network administrative tasks
    - Type nltest /? for syntax and switches
    - Common uses:
      - Get a list of all DCs in the domain
      - Get the name of the PDC emulator
      - Query or reset the secure channel for a server
      - Call DsGetDCName to query for an available domain controller

    8. Adcheck (470k, third party)
    - A simple utility to view information about AD and FSMO roles
    - http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

    Q9. How to Transfer and Seize a FSMO Role

    http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504

    GROUP POLICY

    Q1. What are Group Policies?
    Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC. Whether you don't want users to run Windows Update or change their display settings, or you want to ensure that certain applications are installed on computers, all of this can be done with Group Policies. Group Policies can be configured either locally or by domain policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc. They can also be accessed by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. You must be an Administrator to configure or modify Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 or Windows XP computers; they cannot be used on Win9x or Windows NT computers.

    Q2. Domain policy gets applied to whom?
    Domain policies are applied to computers and users that are members of a domain, and these policies are configured on domain controllers. You can access domain Group Policies by opening Active Directory Sites and Services (these policies apply to the site level only) or Active Directory Users and Computers (these policies apply to the domain and/or organizational units).

    Q3. Where do you create a Group Policy?
    To create a domain Group Policy Object, open Active Directory Sites and Services and right-click Default-First-Site-Name or another site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except that you right-click the domain or an OU and choose Properties.

    Q4. Who can create/modify Group Policies?

    You have to have administrative privileges to create/modify Group Policies. The following table shows who can create/modify Group Policies:

    Policy Type                  Allowable Groups/Users
    Site-level Group Policies    Enterprise Admins and/or Domain Admins in the root domain. The root domain is the first domain created in a tree or forest. The Enterprise Admins group is found only in the root domain.
    Domain-level Group Policies  Enterprise Admins, Domain Admins or members of the built-in group Group Policy Creator Owners. By default only the Administrator user account is a member of this group.
    OU-level Group Policies      Enterprise Admins, Domain Admins or members of Group Policy Creator Owners. By default only the Administrator user account is a member of this group. Additionally, at the OU level, users can be delegated control of the OU's Group Policies by starting the Delegate Control Wizard (right-click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created Group Policies to the OU. If you want to give the OU administrators control over creating/modifying Group Policies, add them to the Group Policy Creator Owners group for the domain.
    Local Group Policies         The local Administrator user account or members of the local Administrators group.

    Treat Group Policy Creator Owners and the right to link GPOs as privileged: whoever can get a GPO linked to a container can run startup scripts as SYSTEM on every computer in it, so membership should be reviewed as carefully as Domain Admins.

    Q5. How are Group Policies applied?
    Group Policies can be configured locally, at the site level, the domain level or at the organizational unit (OU) level. Group Policies are applied in a specific order, LSDOU: local policies first, then site-based policies, then domain-level policies, then OU policies, then nested OU policies (OUs within OUs). Group Policies cannot be linked to a specific user or group, only to container objects. In order to apply Group Policies to specific users or computers, you place the user and computer objects in container objects; anything in the container object then gets the policies linked to that container (placing a group in an OU does not apply the GPO to the group's members). Sites, domains and OUs are considered container objects.

    Computer and user Active Directory objects do not have to be in the same container object. For example, Sally the user is an object in Active Directory. Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally's user object can be in one OU while her computer object is in another OU. It all depends on how you organize your Active Directory structure and which Group Policies you want applied to which objects.

    User and Computer Policies
    There are two nodes in each Group Policy Object that is created: a Computer node and a User node, called Computer Configuration and User Configuration (see image above). The policies configured in the Computer node apply to the computer as a whole; whoever logs on to that computer gets those policies.


    Note: Computer policies are also referred to as machine policies.
    User policies are user specific; they only apply to the user that is logged on. When creating domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object you are creating. By disabling a node that has no policies defined, you decrease the time it takes to apply the policies. To disable a node's policies: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

    It is important to understand that when Group Policies are being applied, all the policies for a node are evaluated first and then applied; they are not applied one after the other. For example, say Sally's user object sits in the Security OU, which is nested inside the Development OU. When Sally logs on to her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated as a whole and then applied to Sally the user; they are not applied Development OU first and then Security OU (or vice versa). The same goes for computer policies: when a computer boots, all the Computer node policies for that computer are evaluated, then applied. When computers boot, the computer policies are applied; when users log on, the user policies are applied. When a user policy and a computer policy set the same setting, the computer policy wins.

    Note: IPSec and EFS policies are not additive. The last policy applied is the policy the user/computer will have.

    When applying multiple Group Policy Objects from any one container, the Group Policies are applied from bottom to top of the Group Policy Object list, so the top Group Policy in the list is the last to be applied. In the above image you can see three Group Policy Objects associated with the Human Resources OU. These policies would be applied No Windows Update first, then No Display Settings, then No Screensaver. If there were any conflicts in the policy settings, the one above would take precedence.
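    The precedence rules in the preceding paragraphs (LSDOU order, bottom-to-top within a container, disabled GPOs and disabled nodes skipped, computer over user) are easy to get wrong when a user and a computer sit in different OUs, so here is an added example (not from the page) that resolves the effective settings and records which GPO supplied each one. The GPO names, setting names and values are constructed; the Human Resources list reproduces the three-GPO ordering from the image described above.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    """One Group Policy Object with its two nodes and the disable switches from Q5/Q6."""
    name: str
    computer: dict = field(default_factory=dict)   # Computer Configuration settings
    user: dict = field(default_factory=dict)       # User Configuration settings
    disabled: bool = False                          # whole GPO disabled on the Group Policy tab
    computer_node_disabled: bool = False
    user_node_disabled: bool = False


def apply_chain(chain, node):
    """Evaluate one node ("computer" or "user") along a container chain given in
    LSDOU order. Each container's GPO list is written as the Group Policy tab shows
    it, top entry first; the list is processed bottom to top, so the top entry is
    written last and wins conflicts. Returns {setting: (value, "container/GPO")}."""
    effective = {}
    for container, gpos in chain:
        for gpo in reversed(gpos):
            if gpo.disabled or getattr(gpo, f"{node}_node_disabled"):
                continue
            for key, value in getattr(gpo, node).items():
                effective[key] = (value, f"{container}/{gpo.name}")
    return effective


def resultant_policy(computer_chain, user_chain):
    """Computer settings are applied at boot, user settings at logon; the two chains
    may differ because the computer and user objects can sit in different OUs.
    Where a setting appears in both, the computer value wins."""
    result = apply_chain(user_chain, "user")
    result.update(apply_chain(computer_chain, "computer"))
    return result


# Constructed example data, not from the page: setting names are illustrative.
LOCAL = GPO("Local Policy", computer={"RenameAdmin": "no"}, user={"ScreenSaverTimeout": 600})
SITE = GPO("Site Baseline", computer={"RenameAdmin": "yes"})
DOMAIN = [
    GPO("Default Domain Policy", user={"ScreenSaver": "on", "DisplaySettings": "on", "WindowsUpdate": "on"}),
    GPO("Computer Baseline", computer={"Firewall": "on"}, user={"ScreenSaver": "ignored"}, user_node_disabled=True),
    GPO("Draft Lockdown", user={"WindowsUpdate": "draft"}, disabled=True),
]
HUMAN_RESOURCES = [                      # as listed on the tab, top first
    GPO("No Screensaver", user={"ScreenSaver": "off", "ScreenSaverTimeout": 60}),
    GPO("No Display Settings", user={"DisplaySettings": "off"}),
    GPO("No Windows Update", user={"WindowsUpdate": "off", "RunAtLogon": "hrapp.exe", "ScreenSaverTimeout": 300}),
]
WORKSTATIONS = [GPO("Workstation Lockdown", computer={"RunAtLogon": "inventory.exe"})]

USER_CHAIN = [("Local", [LOCAL]), ("Site", [SITE]), ("Domain", DOMAIN), ("OU:Human Resources", HUMAN_RESOURCES)]
COMPUTER_CHAIN = [("Local", [LOCAL]), ("Site", [SITE]), ("Domain", DOMAIN), ("OU:Workstations", WORKSTATIONS)]

if __name__ == "__main__":
    for setting, (value, source) in sorted(resultant_policy(COMPUTER_CHAIN, USER_CHAIN).items()):
        print(f"{setting:20} = {str(value):15} from {source}")
```

    Running it shows that the top entry of the Human Resources list wins the ScreenSaverTimeout conflict with the bottom entry, that the disabled Draft Lockdown GPO and the disabled User node of Computer Baseline contribute nothing, and that the computer-side RunAtLogon value overrides the user-side one even though each came from a different OU. The provenance column is the part worth keeping when troubleshooting: "which GPO set this" is the question the Group Policy tab does not answer directly.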

    Q6. How to disable Group Policy Objects
    When you are editing a Group Policy Object, the changes take effect immediately; there is no "saving" of GPOs. To prevent a partially configured GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double-click under the Disable column; a little check will appear. Click the Edit button, make your changes, then double-click under the Disable column again to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it. You can also click the Options button on the Group Policy tab and select the Disabled check box.

    Q7. When do the Group Policy scripts run?
    Startup scripts are processed at computer boot-up, before the user logs on.
    Shutdown scripts are processed after a user logs off, but before the computer shuts down.
    Logon scripts are processed when the user logs on.
    Logoff scripts are processed when the user