MCSE Study Notes
Exam 70-217: Implementing and Administering a Microsoft Windows 2000 Directory Services Infrastructure
© 2003, 2004 Mark Dabrowski, All Rights Reserved
February 16, 2003 – October 4, 2004
Contents

- Active Directory Overview
- Installing and Configuring Active Directory
- Installing, Configuring, Managing, Monitoring, and Troubleshooting DNS for Active Directory
- Group Policy
- Administrative Templates
- Security Settings
- Security Templates
- Scripting Environment
- Folder Redirection
- Install, configure, manage, and troubleshoot software by using Group Policy
- User and Group Administration
- Delegation of Administrative Control
- Publish Resources in Active Directory
- Implementing multiple tree and forest structures
- AD Replication
- Operations Masters
- AD Database Maintenance
- Remote Installation Service
- Skills Being Measured
Active Directory Overview

This section is not a specific skill measured on the exam, but an overview of some general concepts around Active Directory that I thought would be useful for understanding the other sections that follow. I used here some Active Directory materials from my Study Notes for the 70-215 (Windows 2000 Server) exam, but updated them with a lot of additional information relevant to this exam.

- Active Directory (from now on referred to as AD) stores data about users, groups, shared folders, printers and other network resources
- Centralized method of authentication - managed from a single location
- Changes are replicated using "multiple masters replication"
- Object is an item representing a user, group, printer, computer, etc. and has attributes that define that object and make it unique.
  - AD is basically a hierarchical repository of objects
  - Computer – represents computers that are members of the domain (in NT called a computer account)
  - Contact – represents user information without an actual security account
  - Group – can contain users, computers, and other groups.
  - Printer – represents a network printer published in the directory (pointer to the printer share)
  - User – security principal in the directory.
  - Shared Folder – pointer to a network share published in the directory.
- Schema defines objects and their attributes (set of rules for objects and attributes). It defines the fields that are available for the object
  - Single schema per entire forest
  - Schema stores the object classes and attributes that define each object
  - Used every time a new object is added to the domain.
- LDAP (Lightweight Directory Access Protocol) - protocol standard used for querying a directory service
  - AD supports LDAP v2 and v3
- X.500 - naming standard that allows different directory services to communicate using common naming conventions
- Every object in AD must have a unique Distinguished Name (DN):
  - CN – Common Name, OU – Organizational Unit, DC – Domain Controller
  - Distinguished Name (DN) - interpreted by X.500 and LDAP, identifies the location of an object in a domain (ex: CN=JohnDoe,CN=Users,DC=domain,DC=com)
  - Relative Distinguished Name (RDN) refers to the object in a DN (ex: CN=JohnDoe) when LDAP has already narrowed the criteria to a certain domain (simply, this is just a partial DN)
- User Principal Name (UPN) is the user's logon name (ex: johndoe@domain.net)
- Downlevel Login Name (for compatibility) (ex: domain\JohnDoe)
- Logical structure of a domain – is the way the domain is configured for administrative purposes
  - Domain is a group of computers that share a common security and user database (security boundary).
    - Ex: company.net
    - All security data is replicated only within the boundaries of a single domain
    - Domain cannot be renamed (Windows Server 2003 can rename domains)
  - Tree is a logical structure that has more than one domain but shares a contiguous naming hierarchy.
    - Ex: company.net <- root domain
    - toronto.company.net <- sub domain
    - Both domains have separate user and security databases but because they share the same base domain name (company.net) they form a tree.
    - Root domain cannot be deleted until all sub-domains are deleted first
    - AD domain tree naming hierarchy mirrors DNS domain names
  - Forest is two or more trees that do not share the same domain namespace
    - All trees and domains in a forest share the same schema.
  - Trust relationships are automatically created between adjacent domains (parent and child domains) when a domain is created in a domain tree.
    - An agreement between domains allows them access and permissions to each other's resources
    - In a forest a trust relationship is automatically created between the forest root domain and the root domain of each domain tree added to the forest.
    - Trust relationships are transitive: users and computers can be authenticated between any domains in the domain tree or forest.
      - Two-Way Transitive Trusts are the default in Windows 2000 – trusts carry from domain to domain within the forest
      - One-Way Nontransitive Trusts are for compatibility with NT 4 domains.
  - OU is a container to organize objects within AD
    - OU can have a GPO (Group Policy) assigned to it.
    - Permissions can be applied to an OU
    - Administration of objects in an OU can be delegated
    - To create an OU you need Read, List Contents, and Create Child OU permissions on the parent OU, or be a member of the "Domain Admins" or "Enterprise Admins" groups.
  - Containers group objects together (contain other objects) – but cannot have group policies assigned to them.
  - Object is an item representing a user, group, printer, computer, etc. and has attributes that define that object (see the object types listed in the Overview bullets above: Computer, Contact, Group, Printer, User, Shared Folder)
  - Policies restrict users from certain actions – permissions restrict access to resources
- Physical structure of a domain – is defined by the location of computers and network connections. Defines network traffic and how it is configured and managed.
  - Site is one or more IP subnets connected by a high-speed link.
    - Logon first tries to log on to a DC of the local site.
    - Subnet – assigned only to one site – but a site can have many subnets
  - Member server is a Windows 2000 or NT server that belongs to the domain (or a Windows 2000 or XP workstation)
  - Domain controller holds a copy of the Active Directory database.
    - Manages user authentication (logons)
  - Global Catalog Server is a domain controller that maintains a global catalog
    - Holds data about all objects in a forest - can search for any object in the forest
    - Main role of the GC is to allow universal logon authentication.
    - GCS contains only a subset of attributes for each object
      - You can specify which attributes should be stored in the GC
    - Each site should have at least one GCS (recommended two for redundancy)
    - To add a GC (have at least one for each site to minimize network traffic) use AD Sites and Services, bring up Properties for NTDS Settings and enable the Global Catalog option.
  - Operations Masters (only one per domain or forest)
    - Forest Wide:
      - Schema Master responsible for maintaining and distributing the schema to the rest of the forest
      - Domain Naming Master records additions and deletions of domains to the forest
    - Domain Wide:
      - Relative Identifier Master (RID) assigns blocks of RIDs to all DCs in the domain.
      - Primary Domain Controller Emulator (PDC) emulates an NT 4.0 domain controller
      - Infrastructure Master records changes made concerning objects in a domain. All changes are reported to the Infrastructure Master first, which then updates other DCs.
  - Replication – see Replication section
- Delegation of control (allow selected users to administer portions of AD):
  - At OU level
  - At attribute level
Installing and Configuring Active Directory

- Active Directory must be installed after Windows 2000 Server or Advanced Server is installed (cannot install during Windows setup)
- New installations of Windows 2000 Server (or Adv Server) leave the server either as a stand-alone server (member of a workgroup) or a member server (of an existing domain)
- The first domain created will be the top-level domain (root domain) within the forest, also called the forest root (see terminology in the Overview section)
- System requirements for Windows 2000 Server / Active Directory:
  - 133 MHz, 128 MB minimum RAM (256 MB recommended), 2 GB hard drive (1 GB free space), one NTFS partition for Active Directory
  - In addition 200 MB required for the AD database and 50 MB for the transaction log (both can reside on FAT, FAT32, or NTFS)
  - Root folder (SYSVOL) requires an NTFS partition
  - AD also requires a DNS server (installed on the same server or some other server on the network).
    - AD can work with Windows 2000 DNS Server or any other DNS server that supports:
      - SRV resource records (RFC 2052 compliant) (required)
      - Dynamic updates (RFC 2136 compliant) (recommended)
- To install AD use "dcpromo.exe" – this is the "AD Installation Wizard". Use it to:
  - Create a Domain Controller for a new domain (new domain forest, new domain tree, or new child domain)
  - Create an additional Domain Controller for an existing domain
  - The following is a flowchart explaining the different options and sequences of screens when running dcpromo.exe (flowchart image not reproduced in this text)
- If upgrading an NT 4.0 Domain Controller, the upgrade process will automatically install AD and convert the old NT 4.0 domain to AD.
  - Active Directory Migration Tool (ADMT) can be used to migrate objects in NT 4.0 domains to a Windows 2000 domain
- When specifying file locations for the AD database and log, it is recommended to place them on separate physical drives to increase disk performance.
- Active Directory Installation Wizard also (done by the wizard – no user input required):
  - Checks that the user who runs it is a member of the local Administrators group
  - Validates NetBIOS server name uniqueness
  - Validates that the server can communicate with the DNS server (if DNS does not support dynamic updates, manually create the SRV records for the DC)
- AD installation also involves (done by the wizard – no user input required):
  - Installation of Kerberos services and X.509 certificate acceptance
  - Setting LSA policies and necessary registry entries
  - Adding Perfmon performance counters for Active Directory
- Additional Domain Controllers for an existing domain can be installed to balance the load on a single DC and provide redundancy
  - DCs replicate a copy of the AD database among themselves. This increases network traffic on the domain.
  - If one DC fails the other DC will continue working
  - Use the "AD Installation Wizard" to install an additional DC – select the "Additional domain controller for existing domain" option on the 1st screen
- Verify and troubleshoot Active Directory installation
  - Common problems when running the AD Installation Wizard:
    - "Access Denied" error message:
      - If installing a new DC ensure the account you are logged in with is a member of the local "Administrators" group
      - If installing an additional DC to an existing domain ensure the account you are logged in with is a member of the "Domain Admins" group
    - Error message indicating the DNS or NetBIOS name already exists on the network:
      - Use unique DNS and NetBIOS names for the server computer to be promoted to DC. If orphan computer accounts exist in AD you must remove them first.
    - Message that the DC cannot be contacted when installing an additional DC to an existing domain:
      - Either a network problem (ping the existing DC), or DNS for the existing domain can't be resolved, or the DC SRV records are missing
  - AD files – these files are found on the server which has been successfully made a DC:
    - By default the database and log files are in %SYSTEMROOT%\NTDS (specified during AD install – step #12 on the diagram above)
    - DB subdirectory:
      - ntds.dit – the main AD database file – contains all AD objects and data
      - edb.chk – holds pointers to transaction logs that have been committed to the AD database
    - LOG subdirectory:
      - edb.log – transaction log file – temporary storage of all changes to AD before they are written to the main AD DB file
      - res1.log and res2.log – reserved files, always 10 MB in size. In case the server is out of disk space transactions are written to these files to avoid data loss.
    - SYSVOL directory is by default in %SYSTEMROOT%\SYSVOL (can be changed during AD install – step #13 on the diagram)
  - Contains a copy of shared files, scripts and group policies.
  - The structure of the SYSVOL folder is shown below
    - The <domain name> folder is actually named after your DNS domain name (ex. dabrowski.ca)
  - scripts – the folder inside the folder named after your domain name is shared as NETLOGON. It is for backwards compatibility with NT, which uses this folder for distribution of start-up scripts

    C:\WINNT\SYSVOL
    ├───domain
    │   ├───Policies
    │   └───scripts
    ├───staging
    ├───staging areas
    └───sysvol                  <- shared as SYSVOL
        └───<domain.name>       (ex. dabrowski.ca)
            ├───Policies
            └───scripts         <- shared as NETLOGON

  - SYSVOL requires NTFS, but the DATABASE and LOG folders can go on FAT
  - Use Event Viewer to troubleshoot problems with AD.
    - AD install adds the "Directory Services" and "File Replication Service" logs to Event Viewer. You can find problems by reviewing entries in these two logs (as well as the System log)
- To remove a DC from AD use dcpromo.exe (AD Installation Wizard) as well.
  - The AD wizard does the following when removing a domain controller (after doing a final replication with the other DCs):
    - Removes group policy settings – re-enables the "Local Security" policy
    - SYSVOL folder structure is removed – including the SYSVOL and NETLOGON file shares
    - If other DCs exist in the domain all Operations Master roles are transferred to other DCs
    - DNS is updated to remove the SRV records for the domain controller
  - When removing the last DC in a domain and there are orphan entries for child domains (that no longer exist) the DC cannot be removed. Those entries must be manually removed first.
- Unattended AD Installation
  - Installation of AD can be automated so that it is completed without user intervention (instead of clicking Next through the AD Wizard)
  - Dcpromo.exe (the AD Installation Wizard) can be run with an "/answer" parameter to indicate the file containing the AD configuration
    - The answer file is unattend.txt (same as for the Win2K installation) but only the [DCInstall] portion of the file is used.
    - dcpromo /answer:DCunattend.txt (DCunattend.txt can contain only the [DCInstall] section)
  - To install AD at the same time Win2K is installed using unattended mode, add the above command to the [GuiRunOnce] section of the unattend.txt file
  - The user that logs in to the server after installation is finished needs to be a member of the Domain Admins group.
  - Some of the most important [DCInstall] keys (if no value is specified the default is used):
    - AutoConfigDNS (Yes|No) - whether the wizard should configure DNS for the new domain if it detects that dynamic DNS updates are not available
    - CreateOrJoin (Create|Join) - whether the new tree domain created is part of an existing forest of domains or a new forest of domains
    - NewDomainDNSName (name) – DNS name for the new domain
  - The complete list of keys can be found in unattend.doc in d:\support\tools\deploy.cab on the Win2K CD
- There are two domain modes - the switch from mixed to native is one way!
  - Mixed mode – (default) supports both Win2000 and pre-Win2000 domain controllers
  - Native mode – supports only Win2000 domain controllers, allows new features such as:
    - Group nesting – place groups within other groups
    - Universal groups – forest-wide groups
    - SID history
- To troubleshoot the AD Installation Wizard examine the dcpromo.log and dcpromoui.log files located in the %SystemRoot%\debug folder
Installing, Configuring, Managing, Monitoring, and Troubleshooting DNS for Active Directory

A more complete explanation of DNS can be found in my notes for exam 70-216 (Windows 2000 Network) (http://www.dabrowski.ca/mcse/products/sn70216.asp). This exam (70-217 - Windows 2000 Active Directory) only looks at the DNS aspects required for AD operation.

Reference: Good explanation of DNS name resolution and how it all works (Title: Windows 2000 DNS): http://www.microsoft.com/windows2000/techinfo/reskit/en-us/default.asp?url=/windows2000/techinfo/reskit/en-us/cnet/cncf_imp_absq.asp
- DNS (Domain Name System) is a hierarchical, distributed database which, with a related set of protocols, allows computers to translate DNS names into IP addresses and vice versa.
- Each AD site should have at least one DNS server so name resolution traffic does not have to travel across sites
- DNS schema (domain namespace hierarchy) looks like a tree (DNS domains and trees are independent from AD domains, but AD domains require corresponding DNS domains to match the AD hierarchy). The hierarchy (typically) consists of (from right to left):
  - Root domain – at the top of the tree, represented by a dot (.) – not necessary to type since DNS adds it automatically at the end
  - Top-Level domain – usually referred to as the domain suffix ("com", "net", "org", "ca", "us", etc.), represents the type of domain
  - Second-Level domain – usually represents the company or organization name ("dabrowski.ca", "microsoft.com", etc.)
  - Host name – represents a unique host within the organization ("hurricane.dabrowski.ca", "www.microsoft.com", etc.)
  - The domain can be split further, more granularly ("www.city.toronto.on.ca"), where "www" is the host, within the "city" organization, within the "toronto" organization, within the "on" organization (second-level domain), within the "ca" top-level domain.
- There are different types of domain names in DNS:
  - FQDN (Fully Qualified Domain Name) consists of a domain name stating the absolute location within the hierarchy, ending with a period (for example: www.dabrowski.ca.)
  - RDN (Relative Distinguished Name) – refers to a portion of the domain namespace already within the context of a higher level domain
    - Single-label, unqualified domain names contain no periods (for example: www)
    - Multiple-label, unqualified domain names consist of one or more periods but are not terminated with a period (for example: www.dabrowski)

  To understand RDN, think of the city, street, and house number example. "135 Umbrella Street, Rainytown, ON" is an FQDN address since no matter where you are in the world you will be able to find house "135" on "Umbrella Street" in the town called "Rainytown" in the province of "Ontario". But "135 Umbrella St" is an RDN since it assumes you are in "Rainytown", as there may be a "135 Umbrella St" in other cities. Also "135" is an RDN since it assumes you are already on "Umbrella St" and are just looking for house "135".
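The hierarchy and the FQDN / relative-name distinction above can be made concrete in code. The following is an added example, not from the original notes: it classifies a name as fully qualified, multi-label unqualified or single-label unqualified, walks the hierarchy of an FQDN from the root down (the right-to-left reading described above), and shows the candidate names a resolver would try for a relative name given a suffix search list. The suffix list and the order in which candidates are tried are assumptions of this simplified model, not a description of the Windows resolver's exact algorithm.

```python
"""Classifying DNS names and qualifying relative ones.

Added example, not part of the original notes. The suffix lists passed in are
constructed samples; a Windows client would take them from its primary DNS
suffix and its connection-specific suffix search list.
"""
from typing import List


def labels(name: str) -> List[str]:
    """Labels of a name without the trailing root dot: 'www.dabrowski.ca.' -> ['www', 'dabrowski', 'ca']."""
    return [lab for lab in name.rstrip(".").split(".") if lab]


def classify(name: str) -> str:
    """FQDN (ends in the root dot), multi-label unqualified, or single-label unqualified."""
    if name.endswith("."):
        return "fqdn"
    if "." in name:
        return "multi-label unqualified"
    return "single-label unqualified"


def hierarchy(fqdn: str) -> List[str]:
    """Domains from the root down to the full name, i.e. the path read right to left.

    'www.city.toronto.on.ca.' -> ['.', 'ca.', 'on.ca.', 'toronto.on.ca.',
                                  'city.toronto.on.ca.', 'www.city.toronto.on.ca.']
    """
    if classify(fqdn) != "fqdn":
        raise ValueError("hierarchy() needs an FQDN ending with '.'")
    labs = labels(fqdn)
    path = ["."]
    for i in range(len(labs) - 1, -1, -1):
        path.append(".".join(labs[i:]) + ".")
    return path


def qualify(name: str, suffixes: List[str]) -> List[str]:
    """Candidate FQDNs for a name, in the order this model tries them.

    An FQDN is used as-is. An unqualified name is appended to each suffix in
    turn; a multi-label name is finally also tried as-is, on the assumption
    (this model's, not necessarily the Windows resolver's) that it may already
    be complete.
    """
    if classify(name) == "fqdn":
        return [name]
    candidates = [f"{name}.{suffix.strip('.')}." for suffix in suffixes]
    if classify(name) == "multi-label unqualified":
        candidates.append(name + ".")
    return candidates


if __name__ == "__main__":
    print(hierarchy("www.city.toronto.on.ca."))
    for n in ("www", "www.dabrowski", "www.dabrowski.ca."):
        print(n, "->", classify(n), qualify(n, ["dabrowski.ca"]))
```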
- Zone (physically) is a file containing resource records for a particular domain and its sub-domains; (logically) it is the data represented in the zone file(s).
  - Forward lookup zones are standard lookup zones providing name to IP address resolution.
  - Reverse lookup zones provide IP address to name resolution. They contain only PTR records (in addition to the standard SOA and NS records).
  - Typically one forward lookup zone is created for each domain name and one reverse lookup zone is created for each IP subnet or class C.
  - Zone must encompass a contiguous namespace – a single second level domain name (for example toronto.dabrowski.ca and dabrowski.ca have a contiguous namespace and can be within the same zone)
    - A contiguous namespace can be divided into separate zones to delegate administration (ex: toronto.dabrowski.ca can be in a separate zone from dabrowski.ca) – zone dabrowski.ca would have to have an NS record for toronto.dabrowski.ca delegating to a different DNS server.
- Resource Records (RR) are contained within this database and map DNS domain names to different network resources. Most important RRs:
  - A (Hostname) maps a DNS name to an IP address
  - CNAME (Canonical Name Alias) maps a DNS name to another A (Hostname) record
  - MX (Mail eXchange) – address of the mail server handling email for this zone (along with a priority number in case of multiple MX records – the lower the number the higher the priority)
  - NS (Name Server) address of all authoritative name servers in a zone
  - PTR (Pointer) maps an IP address to a DNS name
  - SRV (Service Locator) allows multiple servers providing a similar TCP/IP-based service to be located using a single DNS query operation.
  - SOA (Start of Authority) specifies information about this zone, such as:
    - Primary name server – server which is authoritative for this zone
    - Responsible mail address – email address of the person responsible for this zone
    - Serial number – this number is incremented each time a record in the zone is updated – this is how other DNS servers know their data is out of date (when the cached serial number is lower than the number returned when querying the authoritative server)
    - Refresh – how often secondary servers should check if their copy of the zone data is up to date
    - Retry – how long a secondary server will wait before sending another request for zone transfer (AXFR or IXFR) in case the previous request failed.
    - Expire – how long a secondary server will respond to queries before invalidating the cached zone data (in case it cannot contact the primary)
    - Default TTL (Time To Live) – how long a record is valid
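To see the record types and the SOA fields together, here is an added example (not from the original notes) that parses a small standard zone file of the kind a Windows 2000 DNS server stores for a non-AD-integrated zone, then answers the questions the notes raise: which mail server is preferred (lowest MX priority value), whether a secondary's cached copy is stale (its serial is lower than the master's), and which host and port the `_ldap._tcp` SRV record points to, which is the record a Windows 2000 client uses to locate a domain controller. The zone text is constructed; the dabrowski.ca names follow the notes and the 192.0.2.x address is from the range reserved for documentation.

```python
"""Parsing a standard DNS zone file and using its SOA, MX and SRV records.

Added example, not from the original notes. The zone text is constructed:
names under dabrowski.ca are the examples used in the notes, and 192.0.2.x
addresses are from the documentation range reserved for examples.
"""
from typing import Dict, List, Tuple

SAMPLE_ZONE = """\
$ORIGIN dabrowski.ca.
$TTL 3600
@          IN SOA hurricane.dabrowski.ca. hostmaster.dabrowski.ca. (
               2004100401 ; serial
               900        ; refresh
               600        ; retry
               86400      ; expire
               3600 )     ; default TTL
@          IN NS    hurricane.dabrowski.ca.
hurricane  IN A     192.0.2.10
www        IN CNAME hurricane
@          IN MX    20 mail2
@          IN MX    10 mail1
_ldap._tcp IN SRV   0 100 389 hurricane
"""


def _logical_lines(text: str):
    """Drop ';' comments and join lines grouped by parentheses (the SOA record)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            yield " ".join(buf)
            buf = []


def _fq(name: str, origin: str) -> str:
    """Absolute form of a name: '@' is the origin; relative names get the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text: str) -> List[Dict]:
    origin, owner, records = "", "", []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        if not line[0].isspace():            # new owner name; indented lines reuse the last one
            owner, tokens = _fq(tokens[0], origin), tokens[1:]
        if tokens and tokens[0].isdigit():    # optional per-record TTL
            tokens = tokens[1:]
        if tokens and tokens[0].upper() == "IN":
            tokens = tokens[1:]
        rtype, rdata = tokens[0].upper(), tokens[1:]
        rec: Dict = {"owner": owner, "type": rtype}
        if rtype == "SOA":
            rec.update(mname=_fq(rdata[0], origin), rname=_fq(rdata[1], origin),
                       serial=int(rdata[2]), refresh=int(rdata[3]), retry=int(rdata[4]),
                       expire=int(rdata[5]), minimum=int(rdata[6]))
        elif rtype == "MX":
            rec.update(priority=int(rdata[0]), exchange=_fq(rdata[1], origin))
        elif rtype == "SRV":
            rec.update(priority=int(rdata[0]), weight=int(rdata[1]),
                       port=int(rdata[2]), target=_fq(rdata[3], origin))
        elif rtype in ("NS", "CNAME", "PTR"):
            rec["target"] = _fq(rdata[0], origin)
        else:                                 # A (and any other type): keep rdata verbatim
            rec["data"] = " ".join(rdata)
        records.append(rec)
    return records


def soa(records: List[Dict]) -> Dict:
    return next(r for r in records if r["type"] == "SOA")


def secondary_is_stale(cached_serial: int, master_serial: int) -> bool:
    """A secondary transfers the zone when the master's serial is higher than its
    cached copy (plain comparison; serial wrap-around arithmetic is not modelled)."""
    return cached_serial < master_serial


def mail_servers(records: List[Dict], domain: str) -> List[str]:
    """MX exchanges for a domain, lowest priority value (= most preferred) first."""
    mx = [r for r in records if r["type"] == "MX" and r["owner"] == domain]
    return [r["exchange"] for r in sorted(mx, key=lambda r: r["priority"])]


def srv_targets(records: List[Dict], service: str) -> List[Tuple[str, int]]:
    """(host, port) pairs for a service name such as '_ldap._tcp.<domain>.',
    lowest priority first and, within a priority, highest weight first."""
    srv = [r for r in records if r["type"] == "SRV" and r["owner"] == service]
    srv.sort(key=lambda r: (r["priority"], -r["weight"]))
    return [(r["target"], r["port"]) for r in srv]


if __name__ == "__main__":
    recs = parse_zone(SAMPLE_ZONE)
    print(soa(recs)["serial"], mail_servers(recs, "dabrowski.ca."))
    print(srv_targets(recs, "_ldap._tcp.dabrowski.ca."))
```

When dcpromo reports that the DNS server does not support dynamic updates, the SRV records the wizard would have registered are the kind shown on the last line of the sample zone; creating them by hand means adding lines of exactly that shape under the domain.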
- Four types of DNS servers:
  - Primary (authoritative) name server is where all changes to the DNS database for a specific zone are made. There is only one primary server per DNS zone (the only exception is an Active Directory Integrated zone).
  - Secondary name servers receive copies of the zone records from the primary server via zone transfer. It is OK to have multiple secondary servers.
  - Caching-only server is a DNS server with no zones; it forwards queries to other zone-holding servers and caches the results based on TTL. Negative caching (optional) is caching of failed lookups to reduce timeouts for nonexistent lookups.
  - Forwarding servers forward all requests from the local network to the internet, and can be in two modes:
    - Exclusive – the forwarding server does not try to resolve the query on its own if the server it forwarded to fails to resolve it.
    - Nonexclusive – the forwarding server resolves the query itself if the server it forwarded the request to fails to resolve it.
- Active Directory Integrated zones are replicated among all domain controllers within the Active Directory domain
  - All domain controllers in an AD-integrated zone act as primary servers accepting changes
  - Can only be created on servers that are also AD domain controllers
  - AD-integrated zones use multimaster replication because multiple master servers can update the zone.
  - In case of an update collision the last entry written to the database wins.
  - Standard zone transfers to a secondary server can also be done from an AD-integrated domain server
  - Zone Conversions:
    - Standard primary and secondary zones can be converted to AD-integrated zones.
    - AD-integrated zones can be converted to standard primary zones
  - When creating a new Active Directory domain an equivalent AD-integrated DNS forward lookup zone can also be created by the wizard. (The reverse lookup zone is not created by the wizard. It has to be created manually afterwards.)
  - Reverse lookup zones (containing PTR records) are not required for Active Directory operation.
- Zone transfer replicates DNS zone data from one name server to another.
  - Full or Incremental (only Windows 2000 supports incremental in addition to full. Earlier versions support full only)
    - In an incremental zone transfer the master server maintains a version history for the zone including all changes.
    - When an incremental zone transfer is attempted an IXFR query instead of the standard AXFR query is sent to the master server.
    - The SOA record for the zone tells secondary servers when to poll the master server for zone transfer (in both incremental and full)
    - The local DNS server configuration of the secondary zone tells which server is the master and should be contacted for zone transfer.
    - If the primary server does not support IXFR (incremental) then it sends the full zone information.
  - AD zone transfer (for all AD Integrated zones) relies on the Active Directory replication mechanism to replicate zone information among all AD domain controllers.
    - Secondary servers can still query all servers with AD Integrated zones and receive updates / full transfers
- Dynamic DNS Updates allow the client computer to update the DNS server directly with its IP address
  - Configured separately for each zone in the DNS server (3 options: Enabled, Disabled, Enabled but only secure)
  - DHCP server must be configured to point to the dynamic DNS server
  - It is performed by the "DHCP Client" service running on Windows 2000 Server or Workstation.
  - Dynamic updates by a client happen when:
    - TCP/IP configuration on the client is changed
    - DHCP address is renewed or a new lease is obtained by the client
    - A network interface event occurs (ex. a Plug & Play event involving plugging in a network cable)
    - An IP address is added or removed manually on the client
    - Every 24 hours
  - Only Windows 2000 clients can update A (forward lookup) records and PTR (reverse lookup) records. Windows 2000 clients update the A record and let the DHCP server update the PTR record unless instructed otherwise (see the DHCP section on DNS integration for more info). Other clients need the DHCP server to perform both updates for them.
  - If the DHCP server does not support dynamic updates (or is not configured), the Win 2000 client registers both the A and PTR records.
  - During a dynamic update the client first queries its DNS server to find out the primary for the zone it is updating and with that information it contacts the primary name server directly with the request for dynamic update.
  - Dynamic DNS updates are not required for Active Directory operation.
- Secure Dynamic DNS Updates allow only authorized users or groups to perform dynamic updates (as per ACLs)
  - Available only with AD-integrated zones
  - Default option when creating an AD-integrated zone but not enabled when a zone is converted from standard.
  - By default the "Authenticated Users" security group is allowed to make dynamic updates.
  - All RRs (resource records) for a single FQDN share the same ACL (for example A for toronto.dabrowski.ca and MX for toronto.dabrowski.ca share the same ACL)
- DNS Installation
  - In Windows 2000 DNS Server is installed through the "Add/Remove Windows Components" applet of Control Panel (under the "Networking Services" section). It is not installed by default.
  - The machine running DNS server requires a static IP address
  - Order of installation: It is recommended to install DNS first, configure the forward lookup zone, then run dcpromo.exe to turn the server into a Domain Controller, and then convert the DNS zone to AD Integrated.
- DNS Administration and Troubleshooting
  - DNS MMC snap-in is used for administration of a DNS server
  - Nslookup is used for querying DNS servers and troubleshooting various problems. Nslookup is a DNS client that connects to a server.
  - Ipconfig is used to view the IP configuration (including DNS info). The following switches are relevant:
    - /registerdns attempts to register the client name and IP address in DNS
    - /flushdns clears the DNS cache on the client
    - /displaydns displays the DNS cache on the client
  - netdiag (located on the original Windows 2000 CD-ROM in D:\Support\tools\support.cab). Allows more extensive testing.
  - Event Viewer and the DNS Log to view activity and error messages (DNS logs are stored in the c:\winnt\system32\dns directory)
Configuring, Managing, Monitoring, Optimizing, and Troubleshooting Change and Configuration Management

Group Policy

- Group Policy is a feature of AD that enables centrally managing and controlling desktops and the user experience.
  - A collection of Group Policy settings is saved in a GPO – Group Policy Object
  - Only works for Windows 2000 / 2003 and XP machines (cannot work with NT, 9x clients)
  - Group Policies replace System Policies edited using the System Policy Editor from Windows NT
    - Windows NT / 9x System Policies are applied only to domains and stored in the non-secured Registry
  - GPOs can be applied to the following objects (and are applied in that order): Local Computer, Site, Domain, OU -- (LSDOU)
    - Settings applied later will override settings applied earlier
    - GPO cannot be linked to generic AD containers like "Builtin", "Computer", "Users", etc.
  - Account policies for DC computers are NOT inherited. For DCs the account policies set at the domain level are always in effect. Account policies that may be set at lower levels are ignored!
- Local GPO is stored locally on the computer in \WINNT\SYSTEM32\GROUPPOLICY – only one local GPO per computer
- Global GPO (non-local – used in a domain) is stored in 2 places:
  - GPO container in AD (in /SYSTEM/POLICIES/<GUID>)
    - Stores only GPO data that is small in size or infrequently changed
  - GPO template in %systemroot%\SYSVOL\sysvol\<DOMAINNAME>\Policies\<GUID>
    - Stores only data that is large in size or frequently changed
  - GUID is a unique 32-character long identifier generated for each GPO
- GPOs are divided into Computer Configuration and User Configuration (computer settings are applied first)
  - Computer Configuration applies to every computer in the SDOU and by default to all child OUs.
  - User Configuration applies to every user in the SDOU
  - Either of these can be disabled per GPO – in the properties box of the GPO
- Cross-domain GPOs
  - GPO is stored in AD in the domain where it was created (called the "storage domain")
  - GPO can be applied to objects in another domain but this is not recommended for performance reasons
  - Site Policy is stored in the root domain. Consider the traffic required for each child domain to go to the root domain to retrieve the site policy.
- Managing GPOs
  - Create a new GPO by clicking the "New" button on the "Group Policy" tab of the AD object's properties dialog box
  - Link an existing GPO to an object by clicking the "Add" button on the "Group Policy" tab of the AD object's properties dialog box
  - Edit a GPO by clicking "Edit" or using the Group Policy MMC snap-in (clicking on Edit in the GPO properties actually opens the GPO MMC)
  - To apply a GPO to a computer use the Local Group Policy MMC.
  - To apply a GPO to a site use the Active Directory Sites and Services MMC
  - To apply a GPO to a domain or OU use the Active Directory Users and Computers MMC
  - Delegating administrative control of GPOs – three tasks can be delegated:
    - Management of GPO links – use the "Delegation of Control Wizard" and select the "Manage Group Policy links" task
    - Creation of new GPOs – add the users or groups to be delegated to the "Group Policy Creator Owners" group
    - Editing of existing GPOs – in the "AD Users and Computers" MMC click on "Properties" of the GPO and use the "Security" tab to give the users or groups to be delegated this task the Read and Write permissions.
- GPOs are inherited from parent OUs – the inheritance can be blocked per OU – the "Block Policy Inheritance" setting on the OU properties, when enabled, will not inherit higher level GPOs
- Lower GPOs override previous GPOs – the override can be disabled per GPO – select the GPO and click the "Options" button
- Multiple GPOs per OU are applied in the order they appear in the Group Policy tab.
- To limit the scope of a group policy from being applied to certain users or groups use the Security tab in the Properties box for the GPO. The following permissions must be set to true in order for the GPO to be applied to that object: Read and Apply Group Policy
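The rules in this section interact: LSDOU order, Block Policy Inheritance on an OU, the "No Override" option on a link, the order of multiple links on one container, and security filtering by the Read and Apply Group Policy permissions. The following is an added example, not from the original notes and a simplified model rather than the Windows policy engine, that resolves the settings a principal ends up with. Container, GPO and group names are constructed; settings are flat key/value pairs; and the local GPO is modelled as the first link in the chain, outside the reach of Block Policy Inheritance.

```python
"""Modelling Group Policy application: LSDOU order, Block Policy Inheritance,
No Override and security filtering.

Added example, not part of the original notes or of Windows itself. The
containers, GPOs and group names are constructed. Simplifications: settings
are flat key/value pairs, and the local GPO is modelled as the first link in
the chain and is never blocked.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set


@dataclass
class GPO:
    name: str
    settings: Dict[str, str]
    no_override: bool = False                  # "No Override" set on the link (Options button)
    # security filtering: groups that hold both Read and Apply Group Policy on the GPO
    allowed: Set[str] = field(default_factory=lambda: {"Authenticated Users"})


@dataclass
class Container:
    name: str                                  # local computer, site, domain or OU
    gpos: List[GPO]                            # links, in processing order
    block_inheritance: bool = False            # "Block Policy Inheritance" on the container


def effective_settings(chain: List[Container], groups: Set[str]) -> Dict[str, str]:
    """Resolve the settings a principal that belongs to `groups` receives.

    `chain` runs Local, Site, Domain, OU, ..., child OU. Later links overwrite
    earlier ones (LSDOU). Block Policy Inheritance on a container discards the
    links above it except those marked No Override, and No Override links are
    applied last so that the highest-level one wins every conflict.
    """
    block_at = max((i for i, c in enumerate(chain) if c.block_inheritance), default=None)
    normal, enforced = [], []
    for level, container in enumerate(chain):
        blocked = block_at is not None and 1 <= level < block_at
        for gpo in container.gpos:
            if not (groups & gpo.allowed):      # filtered out: no Read + Apply Group Policy
                continue
            if gpo.no_override:
                enforced.append(gpo)
            elif not blocked:
                normal.append(gpo)
    result: Dict[str, str] = {}
    for gpo in normal:
        result.update(gpo.settings)
    for gpo in reversed(enforced):              # leaf-most first, root-most last (wins)
        result.update(gpo.settings)
    return result


def sample_chain(block_sales_ou: bool) -> List[Container]:
    """Constructed local / site / domain / OU layout for the demonstration."""
    return [
        Container("Local Computer", [GPO("Local", {"wallpaper": "local.bmp"})]),
        Container("Toronto (site)", [GPO("SiteGPO", {"proxy": "site-proxy"})]),
        Container("dabrowski.ca (domain)", [
            GPO("DomainBaseline", {"wallpaper": "corp.bmp", "screensaver": "10"}, no_override=True),
            GPO("DomainProxy", {"proxy": "domain-proxy"}),
        ]),
        Container("Sales (OU)", [
            GPO("SalesGPO", {"wallpaper": "sales.bmp", "proxy": "sales-proxy"}, allowed={"Sales Users"}),
        ], block_inheritance=block_sales_ou),
    ]


if __name__ == "__main__":
    print(effective_settings(sample_chain(True), {"Authenticated Users", "Sales Users"}))
    print(effective_settings(sample_chain(True), {"Authenticated Users"}))
    print(effective_settings(sample_chain(False), {"Authenticated Users"}))
```

Two things the model makes visible: blocking inheritance on the Sales OU removes the site and domain proxy settings but not the No Override baseline, which still wins over the OU's own wallpaper; and a user outside "Sales Users" is still subject to the block on the container even though the OU's GPO is filtered away, so that user ends up with no proxy setting at all.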
- Security Configuration and Analysis (MMC snap-in or SECEDIT.EXE – command line) allows capturing the security settings of a system as a database which can be re-applied when the configuration changes and exported to other systems or saved as a template
- GPOs are applied when: the computer is booted, a user logs in, a user or application requests an update (using: secedit /refreshpolicy [machine_policy | user_policy]), or the policy refresh interval has been reached (parameter in the Computer Configuration section of the policy)
  - Default refresh is 90 minutes for member servers and workstations and 5 minutes for domain controllers
Administrative Templates allow applying
additional registry changes to the target computer.
·
Simply they are text files with extension
.adm –
Windows ships with some templates located in
%systemroot%\inf
folder
o
Conf.adm,
inetres.adm and system.adm are
loaded to new policy by default
·
When added to GPO the template is copied to
%systemroot%\SYSVOL\sysvol\sysvol\<DOMAIN NAME>\policies\<GUID>\Adm folder
o
To
add to GPO
right click on “Administrative Templates”
node in Group Policy Editor and select “Add/Remove
Templates”
o
Custom made templates must be added to each GPO
separately – the default ones in %systemroot%\inf are already added
·
The templates shipped in %systemroot%\inf are:
o
System.adm, Inetres.adm and Conf.adm – Windows 2000 Group Policy templates (loaded by default)
o
Windows.adm, Winnt.adm and Common.adm – Windows 95/98 and NT 4.0 System Policy Editor
templates; do not add them to GPOs, they write non-policy (“tattooing”) registry values
·
Structure of the template – entries:
o
CLASS – can be “machine” or “user” – specifies where it
will be installed
o
CATEGORY – category name displayed in the GPO Editor
o
POLICY – string keyword name defined in the STRINGS
section
§
KEYNAME – Windows Registry key location for this policy
§
EXPLAIN – explanation help text
§
VALUENAME – options for this POLICY – values for the KEYNAME in
Registry
o
STRINGS – variable names with friendly names
·
Administrative templates can be installed under
Computer Configuration and under
User Configuration sections of GPO
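The structure above is easiest to see by parsing a template. The following is an added example, not code from the original notes or from Microsoft: a minimal Python parser for the keywords listed (CLASS, CATEGORY, POLICY, KEYNAME, EXPLAIN, VALUENAME and the [strings] table) plus the VALUEON/VALUEOFF pair that tells the Group Policy editor which registry data to write for Enabled and Disabled. SAMPLE_ADM is a constructed template; its category, policy name and registry path are made up for the example and do not appear in system.adm. PART, ACTIONLIST and the other constructs found in real templates are not handled.

```python
"""Minimal parser for the Windows 2000 .adm administrative-template syntax.

Added example, not code from the original notes or from Microsoft.  Handles
CLASS, CATEGORY, POLICY, KEYNAME, EXPLAIN, VALUENAME, VALUEON/VALUEOFF and the
[strings] section, and turns each POLICY into the registry write the editor
performs for Enabled/Disabled.  SAMPLE_ADM is constructed for this example.
"""

SAMPLE_ADM = r'''
CLASS MACHINE
CATEGORY !!LogonCat
    POLICY !!NoCADPol
        KEYNAME "Software\Policies\Example\Logon"
        EXPLAIN !!NoCADExplain
        VALUENAME "DisableCAD"
        VALUEON  NUMERIC 1
        VALUEOFF NUMERIC 0
    END POLICY
END CATEGORY

[strings]
LogonCat="Example logon settings"
NoCADPol="Do not require CTRL+ALT+DEL"
NoCADExplain="Lets users log on without pressing CTRL+ALT+DEL first."
'''

HIVES = {"MACHINE": "HKEY_LOCAL_MACHINE", "USER": "HKEY_CURRENT_USER"}


def _parse_strings(section):
    """[strings] section: Name="friendly text", one entry per line."""
    table = {}
    for line in section.splitlines():
        name, sep, value = line.partition("=")
        if sep:
            table[name.strip()] = value.strip().strip('"')
    return table


def _resolve(token, strings):
    """!!Name is looked up in [strings]; anything else is a literal with quotes dropped."""
    token = token.strip()
    return strings[token[2:]] if token.startswith("!!") else token.strip('"')


def _value(rest):
    """VALUEON/VALUEOFF operand: 'NUMERIC n' is a DWORD, otherwise a REG_SZ literal."""
    parts = rest.split(None, 1)
    if parts[0].upper() == "NUMERIC":
        return int(parts[1])
    return rest.strip().strip('"')


def parse_adm(text):
    """Return a list of policy dicts (hive, category path, name, keyname, explain, value info)."""
    body, _, strings_section = text.partition("[strings]")
    strings = _parse_strings(strings_section)
    policies, categories, hive, current = [], [], None, None
    for raw in body.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        keyword, _, rest = line.partition(" ")
        kw = keyword.upper()
        if kw == "CLASS":
            hive = HIVES[rest.strip().upper()]
        elif kw == "CATEGORY":
            categories.append(_resolve(rest, strings))
        elif kw == "POLICY":
            current = {"hive": hive, "category": "/".join(categories),
                       "name": _resolve(rest, strings), "keyname": None, "explain": None,
                       "valuename": None, "valueon": None, "valueoff": None}
        elif kw == "END":
            if rest.strip().upper() == "CATEGORY":
                categories.pop()
            elif rest.strip().upper() == "POLICY":
                policies.append(current)
                current = None
        elif current is not None and kw in ("KEYNAME", "EXPLAIN", "VALUENAME"):
            current[kw.lower()] = _resolve(rest, strings)
        elif current is not None and kw in ("VALUEON", "VALUEOFF"):
            current[kw.lower()] = _value(rest)
    return policies


def registry_write(policy, enabled):
    """(full key path, value name, data) written when the policy is set to Enabled/Disabled."""
    data = policy["valueon"] if enabled else policy["valueoff"]
    return (f'{policy["hive"]}\\{policy["keyname"]}', policy["valuename"], data)
```

Because CLASS selects the hive, the same VALUENAME under CLASS USER would land in HKEY_CURRENT_USER instead; that is the whole difference between a template appearing under Computer Configuration and under User Configuration.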
·
There are some default categories created by
ADM templates in %systemroot%\inf
o
Windows
Components – configuration for common Windows components such as Explorer,
Windows Installer, Internet Explorer, etc.
[Computer and User]
o
System –
miscellaneous system settings
[Computer and User]
o
Network –
network settings like offline files and dial-up connections
[Computer and User]
o
Printers –
printer properties
[Computer only]
o
Start Menu &
Taskbar – appearance and behaviour of the taskbar and Start menu
[User Only]
o
Desktop –
desktop behaviour, wallpapers, etc
[User Only]
o
Control Panel
– customize control panel
[User Only]
·
Security Settings is an important category of GPO
used to control miscellaneous security options
·
Most settings are under
Computer Configuration / Windows Settings nodes
o
Settings under User Configuration / Windows Settings /
Security Settings apply only to Public Key Policies
·
The following are sections under Security
Settings:
o
Account Policies
– settings for the domain’s accounts – password settings, account lockouts etc. – for domain
accounts they are effective only in a GPO linked at the domain level; in an OU-level GPO
they affect only the local accounts of the member computers in that OU
§
Password Policy –
used to determine minimum and maximum password length, when users need to change
passwords, etc.
§
Account Lockout Policy
– used to determine settings related to locking out user for unsuccessful
login attempts
§
Kerberos Policy –
Kerberos ticket settings (ticket lifetimes, renewal, allowed clock skew) – applies to domain
accounts only, so it is meaningful only in a domain-level GPO and is not present in local policy
o
Local Policies
– local system security settings including:
§
Audit
Policy – used to determine which
security events are logged in the Event Viewer
§
User
Rights
Assignment – used to determine the tasks user can perform on the local
system - They override object permissions if the two are in conflict.
§
Security
Options – used to determine how to
protect local system from intrusion – for example:
·
Disable Ctrl+Alt+Delete requirement for logon
·
Clear the virtual memory pagefile when the system
shuts down
·
Do not display last username in logon screen
o
Event Log –
configures how logs are maintained on a local system
o
Restricted Groups
– defines members of restricted groups
o
System Services
– allows specifying the startup mode (automatic, manual, disabled) and the permissions of each service on a system
o
Registry –
enables security to be set on registry keys and enable registry key auditing
o
File System –
allows setting security permissions on the local file system for particular
files and folders
·
Security
templates can be imported into GPO to quickly apply all security settings
according to the purpose of the template.
·
To apply
security template right click on Security Settings node and select
Import Policy from the menu
o
Select “Clear
this database before importing” option to replace previous security settings
·
Default templates are stored in
%systemroot%\SECURITY\TEMPLATES
directory.
o
BASICXX.INF – default settings for Windows 2000 -- used to
reverse changes by other templates or bring system upgraded from NT to Windows
2000 standards. Excludes user rights
§
3 basic templates basicdc.inf: for domain controller, basicsv.inf: for server, and
basicwk.inf: for workstation
o
COMPATWS.INF – allows users to have the same relaxed privileges
as power users to run NT4 compatible apps.
o
SECUREWS.INF – secure configuration – except files,
folders, and registry keys – removes all members from the Power Users
group
§
2 secure templates securedc.inf: for domain controller, and
securews.inf: for workstation
o
HISECWS.INF – highly secure – requires SMB packet signing and secure channel signing/encryption,
so only Windows 2000 (or later) systems can communicate with it
§
2 high-secure templates
hisecdc.inf: for domain controller, and
hisecws.inf: for workstation
·
There are 4 types of scripts that can be executed
to enable additional maintenance and administration. They are assigned through
GPO.
o
Startup/Shutdown
– found under Computer Configuration / Windows Settings
§
Executed when computer is started (before User Logon dialog
box) or shut down
under Local System
privileges.
o
Logon/Logoff
– found under User Configuration / Windows Settings
§
Executed when user is logging in or logging off
under user’s privileges
·
Scripts are placed in the
following default directories
o
Startup –
%systemroot%\sysvol\sysvol\<DOMAIN NAME>\policies\<GUID>\machine\scripts\startup
o
Shutdown –
%systemroot%\sysvol\sysvol\<DOMAIN NAME>\policies\<GUID>\machine\scripts\shutdown
o
Logon –
%systemroot%\sysvol\sysvol\<DOMAIN NAME>\policies\<GUID>\user\scripts\logon
o
Logoff –
%systemroot%\sysvol\sysvol\<DOMAIN NAME>\policies\<GUID>\user\scripts\logoff
o
Scripts can be in
any directory the system has access to, but it is recommended to keep them in
default because SYSVOL is replicated to all domain controllers
o
If Win 9x or NT 4.0 need to use scripts, copy them to
%systemroot%\sysvol\sysvol\<DOMAIN NAME>\scripts which is Win 2000 location
of Windows NT 4.0 NETLOGON share
·
Scripts can be written in
.bat batch format or as WSH (Windows Script Host) scripts:
o
VBScript –
extension .vbs
o
JScript (Microsoft’s JavaScript implementation) –
extension .js
·
Windows 2000 comes with WSH 2.0 – can be executed
using:
o
Wscript.exe –
graphical version of WSH
o
Cscript.exe –
command-line version of WSH
o
Both versions accept host options prefixed with //, such as //B
(batch mode), //I (interactive mode), //Nologo, //T:nn (timeout in seconds)
– run cscript.exe with no arguments to list all host options
·
To run scripts synchronously (one after another)
configure Logon/Logoff section under System Administrative Template
·
Allows changing location of some specific Windows
folders for the user based on GPO settings. The folders that can be redirected
are:
o
Application Data
– default location: “c:\documents and
settings\<USERNAME>\application data” (set in variable %APPDATA%)
o
Desktop –
default location: “c:\documents and
settings\<USERNAME>\desktop”
o
My Documents
and My Pictures – default location:
“c:\documents and settings\<USERNAME>\my documents\”
o
Start Menu –
default location: “c:\documents and
settings\<USERNAME>\start menu”
·
Folder redirection is configured under
User Configuration / Windows Settings
in the GPO
·
One of the three settings can be set for each
folder:
o
No administrative
policy specified (default setting) – keeps the user’s folder in their
default locations
o
Basic – Redirect
everyone’s folder to the same location – enter a UNC path and include %username% in it
(e.g. \\server\share\%username%) so each user gets a private subfolder under the share
o
Advanced –
Specify locations for various groups – can specify different folders for
different security groups
·
When Basic or Advanced option is specified
additional settings can be set:
o
Grant the user
exclusive rights to <special folder> - by default enabled
o
Move the contents
of <special folder> to the new location – if enabled the contents of
existing folder will be redirected to new location
o
Policy removal
option specifies what to do when policy will be removed – leave the special
folder in the GPO location or move back to original default location.
·
Software Installation is a GPO feature that
allows deploying, upgrading existing or uninstalling software from computers on
the network.
·
Only Windows 2000, XP and
2003 computers can
take advantage of Software Installation.
Windows 9x and NT4 are not supported.
·
Software Installation can be found under
Software Settings section of GPO in
both Computer Configuration and
User Configuration
o
To configure default settings right click on Software
Installation and select Properties
o
Separate properties for Software Installation under User
and under Computer Settings
§
General tab allows
defining the default package location
(network share using a UNC path), how much information is displayed to the user while installing, and other default settings –
all of these can be overridden for individual packages – these are just
defaults.
§
File Extensions tab
allows to pick a file type and set the order which application will open files
with this particular extension
§
Categories tab is
just for creating categories to help with organization of software packages into
categories
·
To create
new package first place it in a
network folder accessible to users or computers it will apply to.
o
If under Computer Configuration ensure computer accounts
this GPO will apply to have access to the share
§
If Everyone permission is not set, individual computer accounts
(DOMAIN\COMPUTERNAME$) need to have access
o
If under User Configuration ensure all users this GPO
will apply to have access to the share
o
Upgrades tab
is used to specify whether this package will upgrade an existing package and
whether it will be mandatory upgrade.
·
Packages can be either
Published or Assigned
§
Published –
application appears in the “Add/Remove Programs” menu and installation must be
initiated by the user.
§
Available only when
creating new package in User
Configuration section.
o
Assigned –
Available in both User Configuration and Computer Configuration
§
When used in User
Configuration – the application appears in the user’s Start menu but is
installed the first time the user launches it or opens a document with an
extension associated with this application
§
When used in Computer
Configuration – the application is installed when computer starts up
§
Assigned software cannot be permanently uninstalled – when user
uninstalls it the icon will still appear in the menu and will be automatically
reinstalled next time user opens it
·
Security tab in the package’s properties
determines if user or group has access to execute managed application
·
Microsoft recommends the following phases when
deploying software using Software Installation:
o
Preparation –
analyze requirements of your company to determine needs, decide if you will be
publishing or assigning, etc
o
Distribution –
set up network distribution points for the software installation files, copy
them there and set the share and NTFS permissions correctly
o
Targeting –
using appropriate GPOs create packages and configure all options
o
Pilot –
enable policy to install software to selected group of test users
o
Installation –
deploy to all computers of all users
Managing, Monitoring, and Optimizing the Components of Active
Directory
·
User accounts – can be created as:
o
Domain – can be used anywhere in domain and forest
o
Local – can be used only on the computer they were
created on
o
Built-in – special accounts
·
User accounts have
two types of logon names:
o
User Principal Name
(UPN) [ex: mark@dabrowski.local]
§
Default logon name in Windows 2000
§
Consists of UPN prefix and suffix separated by the @ symbol – for
example: mark@dabrowski.local (prefix: mark, separator: @, suffix: dabrowski.local)
§
Suffix is by default the DNS name of the domain where the account was created – alternative
suffixes (any DNS-style name) can be added in AD Domains and Trusts
§
If using root domain name, then users can be moved from one
domain to another without changing their logon name.
§
Must be unique within a forest
o
Logon Name
[ex: mark]
§
Pre-Windows 2000 logon name (sAMAccountName) – used by clients logging on from Windows NT
or Windows 95/98 machines
§
Must be used together with domain name to indicate which domain
this logon name exists (ex: DABROWSKI\mark)
§
Must be unique within the domain it was created
·
Administer groups and users using “Active Directory Users and
Computers”
MMC
·
Copy
accounts – when copying account you will be asked to provide new first, last
and logon names and new password.
o
Effective way to create new accounts – create “template”
account – add group permissions and then just copy it instead adding new users
·
Bulk-importing users
– Two command line utilities can be used:
o
CSVDE –
imports comma separated file
§
Each line in the text file is a user account – first line is
list of attributes
§
In each line attributes are separated by comma
§
Cannot be used to modify or delete existing accounts
o
LDIFDE –
imports line separated file (LDIF format – LDAP Data Interchange Format)
§
Each line is one attribute and each user (record) is separated by a blank
line
§
Can be used to modify or delete existing accounts
o
In both cases
passwords are set to blank always and
accounts disabled by default
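The two formats, and the “disabled, no password” result just described, are easier to see from a generator. The following is an added example, not code from the original notes or from Microsoft: it builds an LDIFDE import file and a CSVDE import file from the same list of users. It shows the LDIF rules that bite in practice (one attribute per line, blank line between records, changetype: add versus changetype: modify, and “::” base64 encoding for values that are not plain ASCII) and writes userAccountControl 514 (normal account + disabled) because neither tool can supply a password. The domain dabrowski.local, the Toronto OU and the two users are constructed sample data.

```python
"""Generate bulk-import files for LDIFDE and CSVDE from a list of users.

Added example; not code from the original notes or from Microsoft.  Domain, OU
and users are constructed sample data.
"""
import base64
import csv
import io

UPN_SUFFIX = "dabrowski.local"
TORONTO_OU = "OU=Toronto,DC=dabrowski,DC=local"
UF_ACCOUNTDISABLE = 0x0002
UF_NORMAL_ACCOUNT = 0x0200
DISABLED_USER = UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE      # 514: what both tools leave you with

SAMPLE_USERS = [("Mark", "Dabrowski", "mark"), ("Zoë", "Müller", "zmueller")]   # constructed


def ldif_attr(name, value):
    """One LDIF line. RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, and must not start
    with space, ':' or '<'; anything else is base64-encoded after a double colon."""
    text = str(value)
    safe = (text.isascii() and not text.startswith((" ", ":", "<"))
            and not any(ch in text for ch in "\x00\r\n"))
    if safe:
        return f"{name}: {text}"
    return f"{name}:: {base64.b64encode(text.encode('utf-8')).decode('ascii')}"


def user_add_record(ou_dn, given, surname, sam):
    """'add' record for one user object; created disabled because no password can be supplied."""
    cn = f"{given} {surname}"
    return "\n".join([
        ldif_attr("dn", f"CN={cn},{ou_dn}"),
        "changetype: add",
        "objectClass: user",
        ldif_attr("cn", cn),
        ldif_attr("givenName", given),
        ldif_attr("sn", surname),
        ldif_attr("sAMAccountName", sam),
        ldif_attr("userPrincipalName", f"{sam}@{UPN_SUFFIX}"),
        f"userAccountControl: {DISABLED_USER}",
    ])


def user_modify_record(dn, attr, value):
    """'modify' record replacing one attribute (the operation CSVDE cannot express);
    the trailing '-' closes the change block."""
    return "\n".join([ldif_attr("dn", dn), "changetype: modify",
                      f"replace: {attr}", ldif_attr(attr, value), "-"])


def ldifde_file(users, ou_dn):
    """Complete LDIF file: records separated by one blank line."""
    records = [user_add_record(ou_dn, g, s, sam) for g, s, sam in users]
    return "\n\n".join(records) + "\n"


def csvde_file(users, ou_dn):
    """CSVDE input: header row of attribute names, then one object per row (DN first)."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")
    writer.writerow(["DN", "objectClass", "cn", "givenName", "sn",
                     "sAMAccountName", "userPrincipalName", "userAccountControl"])
    for given, surname, sam in users:
        cn = f"{given} {surname}"
        writer.writerow([f"CN={cn},{ou_dn}", "user", cn, given, surname, sam,
                         f"{sam}@{UPN_SUFFIX}", DISABLED_USER])
    return buf.getvalue()
```

Import with `ldifde -i -k -f users.ldf` or `csvde -i -f users.csv` (-i import, -f file, -k continue past errors). The record for Zoë Müller comes out as `dn:: ...` and `cn:: ...` because of the non-ASCII characters; a hand-written file that puts such values after a single colon is what produces the puzzling “syntax error” on import.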
·
Groups
contain user accounts or other groups – used for ease of administration
o
You can nest groups only in Native mode
·
Types of Groups –
A group is a collection of user accounts. Two types of groups:
o
Security Groups
– are used to simplify management and assignment of permissions
o
Distribution
Groups – used for email distribution – cannot be assigned permissions
·
Group Scopes
(three scopes)
o
Local – can
include members (users and global groups) from
ANY
DOMAIN. Can
access
LOCAL
COMPUTER resources.
§
Cannot contain other local groups.
o
Domain Local
– can include members from
ANY DOMAIN. Can access
only
LOCAL DOMAIN
resources.
o
Global – can
include members from
LOCAL DOMAIN only. Can
access resources in
ANY DOMAIN.
o
Universal – (only in native mode) can include
members from
ANY DOMAIN. Can access
resources in
ANY DOMAIN.
§
All members of these groups are published in GC
§
LSA queries GC for the user’s universal group membership only
when users logs on
§
Do not add individual users to universal groups – add only
other groups
§
Can be created in mixed mode but as Distribution Groups only
·
Good practice is the
AGDLP
rule – Accounts go into Global
groups, Global into Domain Local,
Domain Local gets Permissions.
·
If have multiple domains use
AGUDLP rule –
Accounts into
Global, Global into Universal,
Universal into Domain Local, which
get Permissions
·
Not recommended to have more than 5,000 members
in one group
·
Active Directory Security
o
Security
principal – object (user, group, computer, etc) in AD to which permissions
can be assigned
o
Security ID (SID)
– unique ID assigned for each security principal
o
Security
descriptor – attached to each object – defines access control for that
object – consists of:
§
Discretionary access
control list (DACL)
– specifies the groups or users that can access the object, and the types of
access (permissions) granted to those groups or users
§
System access control
list (SACL) –
auditing information containing group or user accounts to audit when accessing
the object and access events to be audited for each group or user
§
Access control entry
(ACE) –entry in
DACL grants permission (Deny, Allow, etc) to user or group. In SACL specifies
security events to be audited
·
Deny Access entries are on the top of the ACE
list. Deny takes precedence over allow.
o
Use Sdcheck.exe
(Security Descriptor Check Utility) to display security descriptor for any
object stored in Active Directory.
§
This is a Support Tools utility
o
Access token
is assigned to user when he logs in. Contains user
SID and SIDs of groups the user belongs to. When user
accesses an object SIDs in the access token are matched with the SIDs in the
DACL of the object to determine level of access for this object.
§
Access token also includes user rights
o
Permissions on AD objects – five (5) standard
permissions for OU object (and most of the other objects):
§
Full Control |
Write
|
Read
| Create All Child Objects | Delete All Child Objects
§
Can be viewed / set from
Security tab of object’s Properties
box (need to enable “Advanced Features” option from
View menu to see Security tab)
§
Additional permissions can be set through “Advanced” button on the Security tab
(also Audit and
Owner settings)
§
Permissions are inherited by child objects by default – all changes at
the top level are propagated to all child objects
·
Disable permission inheritance by removing the
checkbox in the “Advanced” box.
o
Object owner
- All objects in AD have owner – usually the creator of the object (same concept
as file system owner)
§
Except when created by member of Domain Admins group – in this
case owner is Domain Admins group.
§
User with “Modify Owner”
right can take ownership.
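How the access token, the DACL order and the owner fit together is clearest as code. The following is an added example, not from the original notes or from Microsoft: a simulated Windows access check over an AD object’s DACL. It implements the rule stated above (ACEs are read in order and deny wins over allow) together with two details a practitioner relies on: the canonical ACE order the Security tab writes (explicit deny, explicit allow, inherited deny, inherited allow) and the object owner’s implicit READ_CONTROL and WRITE_DAC. The access-mask constants are the ADS_RIGHTS_ENUM values; the domain SID, the accounts with RIDs above 1000 and the sample DACL on the Toronto OU are constructed for the example.

```python
"""Simulated Windows access check against an AD object's DACL.

Added example, not from the original notes.  Access-mask constants are the
ADS_RIGHTS_ENUM values; SIDs and the DACL are constructed sample data.
"""
from dataclasses import dataclass

DS_CREATE_CHILD = 0x00000001    # "Create All Child Objects"
DS_DELETE_CHILD = 0x00000002    # "Delete All Child Objects"
DS_LIST         = 0x00000004    # list contents
DS_READ_PROP    = 0x00000010    # read properties
DS_WRITE_PROP   = 0x00000020    # write properties
READ_CONTROL    = 0x00020000    # read the security descriptor
WRITE_DAC       = 0x00040000    # change permissions
WRITE_OWNER     = 0x00080000    # "Modify Owner" (take ownership)
FULL_CONTROL    = 0x000F01FF    # DS_GENERIC_ALL
READ_OBJECT  = DS_LIST | DS_READ_PROP | READ_CONTROL     # close to the Security tab's "Read"
WRITE_OBJECT = DS_WRITE_PROP                             # close to "Write"

DOMAIN        = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
DOMAIN_ADMINS = f"{DOMAIN}-512"                                # well-known RID 512
MARK          = f"{DOMAIN}-1104"                               # constructed user
HELPDESK      = f"{DOMAIN}-1105"                               # constructed groups
CONTRACTORS   = f"{DOMAIN}-1106"


@dataclass(frozen=True)
class ACE:
    kind: str            # "allow" or "deny"
    sid: str
    mask: int
    inherited: bool = False


@dataclass(frozen=True)
class Token:
    """Access token: the user's SID plus the SIDs of every group the user belongs to."""
    user_sid: str
    group_sids: tuple

    def sids(self):
        return {self.user_sid, *self.group_sids}


def canonical(dacl):
    """Order the Security tab stores: explicit deny, explicit allow, inherited deny, inherited allow."""
    rank = {("deny", False): 0, ("allow", False): 1, ("deny", True): 2, ("allow", True): 3}
    return sorted(dacl, key=lambda ace: rank[(ace.kind, ace.inherited)])


def access_check(token, owner_sid, dacl, desired):
    """True if every bit in 'desired' is granted before a matching deny ACE covers it."""
    remaining = desired
    if token.user_sid == owner_sid:
        remaining &= ~(READ_CONTROL | WRITE_DAC)        # the owner can always read and change the DACL
    for ace in canonical(dacl):
        if remaining == 0:
            break
        if ace.sid not in token.sids():
            continue                                    # ACE is for a principal not in the token
        if ace.kind == "deny" and ace.mask & remaining:
            return False                                # deny wins for any still-wanted bit
        if ace.kind == "allow":
            remaining &= ~ace.mask                      # strip the bits granted so far
    return remaining == 0                               # anything left over is implicitly denied


# Constructed DACL on the Toronto OU, deliberately listed out of canonical order.
TORONTO_OU_DACL = [
    ACE("allow", HELPDESK, READ_OBJECT | WRITE_OBJECT),          # delegated attribute editing
    ACE("deny",  CONTRACTORS, WRITE_OBJECT),                      # contractors must never write
    ACE("allow", DOMAIN_ADMINS, FULL_CONTROL, inherited=True),   # inherited from the domain
]


def check(user_sid, groups, desired, owner=DOMAIN_ADMINS, dacl=TORONTO_OU_DACL):
    """Convenience wrapper: build the token and evaluate it against the OU's DACL."""
    return access_check(Token(user_sid, tuple(groups)), owner, dacl, desired)
```

The interesting case is a Helpdesk member who is also in Contractors: the explicit allow is in the DACL, but canonical ordering evaluates the explicit deny first, so the write is refused while the read still succeeds. A user matched by no ACE at all is denied without any deny entry being present.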
·
Some guidelines
o
Set permissions at the top OU level for easier
administration – avoid at the object within OU level because too granular
o
Have small number of trusted users in Domain Admins
group
o
Use “Delegation
of Control Wizard” to delegate administration of OU to other users
§
Wizard basically sets the permissions accordingly – you can
achieve the same thing by setting the OU permissions manually
§
Delegation of control means you allow particular user or group of users to
administer objects in OU without the need to make them Domain Administrators.
·
Publishing printers and shared folders into
Active Directory enables users to easily locate them without knowing specific
path or location
·
Printers shared on Win
2000 or XP are automatically published in AD (unless the option “List in the
directory” when sharing printer is disabled)
o
Their print queue is published as well
o
Printers are viewed in AD Users and Computers
MMC after enabling “Users, Groups and Computers as
containers” option View menu.
§
Expand computer object sharing the printer to see the printer
object
·
Printers shared on
non-Windows 2000 machines are not
automatically published and need to be manually published
o
Publish using AD Users and Computers
MMC – find OU where to publish, right click it, select New
and Printer.
§
Use UNC path to the printer (ex: \\server1\printername)
o
Publish using
pubprn.vbs file in %systemroot%\system32 directory.
§
Cscript
%systemroot%\system32\pubprn.vbs \\server1\printername
“LDAP://ou=Toronto,DC=dabrowski,DC=ca” (the LDAP: provider prefix is case-sensitive in ADSI)
§
If provide \\server1 instead of specific printer, all printers
found on \\server1 will be published.
·
You can search for printers by going to Start /
Search / Find Printers menu – users can search by printer name or location.
·
Printer
location tracking is feature that allows clients to find printers on their
local network.
o
To enable it you need to define and name subnets using
AD Sites and Services
MMC and enable the GPO setting “Pre-populate printer
search location text”
·
Shared folders are never automatically published
in AD
o
Publish using AD Users and Computers
MMC - find OU where to publish, right click it, select New
and Shared Folder
o
Use UNC path to the file share (ex: \\server1\fileshare)
o
You can add keywords and description to the shared
folder to make it easier for users to search for it
·
However, I could not figure out how to search for
folders in AD (from workstation)??
·
Tree -
Multiple Domains
o
Reasons for multiple domains in a tree:
§
Allows multiple domain-level security settings (each domain has
its own account policies)
§
Separate administrative control
§
Limit replication issues to changes in the AD
§
Upgrading – preserving upgraded Windows NT 4.0 domains
o
Automatic transitive
two-way trusts are automatically created when child domain joins a
tree.
o
All domains in a tree share the same schema (same with
the forest), site and service configuration, and GC information
o
Transitive = by extension – transitive between every
domain in the tree
o
Permissions are not transitive – a trust only makes principals from the other domain
eligible for access; rights must still be granted in each domain (except for the Enterprise Admins
group, which has admin rights in every domain of the forest)
o
First domain in the
forest is called Forest Root Domain (even if it is single tree forest)
§
Includes configuration, schema and GC
§
Has two FSMO roles:
·
Schema Master
·
Domain Naming Master
§
Only Forest Root Domain contains two groups:
Enterprise Admins and
Schema Admins
·
Under mixed mode they are Global groups
·
When domain is upgraded to native mode they
become universal groups
o
Each domain has its own:
§
RID Master
§
PDC Emulator
§
Infrastructure Master
o
To create child domain select “Create a New Child Domain in an Existing
Domain Tree” (step #4 in the diagram above)
§
You will need to specify network credentials of user who is
member of Enterprise Admins group
·
Forest - Multiple Trees
o
Create forest if want to have two separate domain
namespaces but share security
o
To create multiple tree forest select “Create a New Domain Tree” and then “Join an Existing Forest” when
running DCPROMO.
o
Automatic two-way transitive trusts are automatically
created between tree root domains when new tree joins existing forest
o
Shortcut trust
– a transitive trust that
shortens the trust path of verification within a forest – one-way as created, so create it in both directions for two-way
§
It is an
explicit trust –
created manually using AD Domains and
Trusts (Trusts tab)
·
Multiple
Forests
o
Create if don’t want to share common schema and global
directory
o
Two forests do not trust or exchange any security
information unless external trust is
created
o
External trust
– is a one-way non-transitive trust
that is established between two domains in separate forests
§
Can be used to connect domain with a
Windows NT domain or
Kerberos v5 security realm
§
Use AD Domains and
Trusts to create or delete existing external trust
·
Alternatively trusts can be managed using
netdom.exe
utility (from Windows 2000 Support Tools).
You can:
o
Join computer to domain
o
Create, view and verify trusts between domains
·
I am trying to explain it all – domains, trees
and forests – on the diagram below:
[diagram of domains, trees and forests not reproduced in this text]
·
Movetree.exe (Support Tools utility) allows moving objects (OU, Users,
Groups) between domains in the same forest
o
Objects are initially copied to the Lost and
Found container in the source domain, and then they are moved to the
destination domain.
o
Local and domain global groups are not moved during a
MoveTree operation – however, group memberships remain intact.
o
When OU is moved the GPO is not moved – remains in the
original domain – but is linked from the OUs location in the new domain
·
AD Replication ensures data modified in one copy
of AD database (in DC) is copied to all other copies in the domain (other DCs)
·
Occurs when update is made to copy of AD database
·
Data is always pulled by the destination DC – never pushed (the source only sends a notification)
·
Changes are replicated
at attribute level
not at object level
·
Two types of updates:
o
Originating
update
§
A write request that commits – Initiated and committed at a
specific DC replica.
§
Enforces schema restrictions according to the schema that
exists on the domain controller at the moment of the update.
o
Replicated update
§
Replication of committed changes to other Domain Controllers
·
There are three
Directory Partitions
that are replicated in AD – each holding different type of data
o
Domain partition
– Holds all domain objects (users, groups, computers, etc)
o
Schema partition
– Holds the forest schema
o
Configuration
partition – Holds forest structure and configuration (list of domains, GCs,
etc)
o
Each DC in the forest contains the same copy of Schema
and Configuration partitions
o
Each DC in domain contains the same copy of Domain
partition
§
Other domain in the same forest will have different Domain
partition
o
GC server
holds subset of Domain partition data from all domains in the forest
·
USN (Update
Sequence Number) is used to ensure replication is not duplicated
unnecessarily
o
Each DC maintains its own USN which is incremented every
time write to database succeeds on this DC and is sent to its replication
partners with the update.
o
Each DC also maintains a high-watermark table with the highest USN it has already
received from each replication partner and on the next cycle asks only for updates with a
USN above that value; a second table (the up-to-dateness vector: highest originating USN
seen from each DC) lets it discard changes that already arrived through another partner
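A small simulation makes the two tables concrete. The following is an added example, not code from the original notes or from Microsoft: three DCs where originating writes increment the local USN, a pull asks the partner only for changes above the high watermark, and the up-to-dateness vector suppresses (dampens) a change that already arrived via another partner. In real AD the vector is carried in the replication request rather than derived locally as it is here; the domain, DC names and the user are constructed sample data.

```python
"""Simulated USN bookkeeping for AD replication: high watermark plus up-to-dateness vector.

Added example, not from the original notes.  DC names, domain and user are constructed.
"""
from dataclasses import dataclass

USER_DN = "CN=Mark Dabrowski,OU=Toronto,DC=dabrowski,DC=local"   # constructed


@dataclass(frozen=True)
class Change:
    dn: str
    attr: str
    value: str
    orig_dc: str      # DC where the originating write happened
    orig_usn: int     # USN that write received on the originating DC
    local_usn: int    # USN assigned when this copy was written to the local database


class DC:
    def __init__(self, name):
        self.name = name
        self.usn = 0                 # local update sequence number, +1 per committed write
        self.log = []                # committed changes in local USN order
        self.high_watermark = {}     # partner name -> highest partner-local USN already pulled
        self.utd_vector = {}         # originating DC -> highest originating USN already applied

    def _commit(self, dn, attr, value, orig_dc, orig_usn):
        self.usn += 1
        self.log.append(Change(dn, attr, value, orig_dc, orig_usn, self.usn))
        self.utd_vector[orig_dc] = max(self.utd_vector.get(orig_dc, 0), orig_usn)

    def write(self, dn, attr, value):
        """Originating update: the new USN is both the local and the originating USN."""
        self._commit(dn, attr, value, self.name, self.usn + 1)

    def pull_from(self, partner):
        """Replicated update. Returns how many changes were actually written locally."""
        since = self.high_watermark.get(partner.name, 0)
        applied = 0
        for ch in partner.log:
            if ch.local_usn <= since:
                continue                                    # already pulled from this partner
            if ch.orig_usn <= self.utd_vector.get(ch.orig_dc, 0):
                continue                                    # already have it via another path: dampened
            self._commit(ch.dn, ch.attr, ch.value, ch.orig_dc, ch.orig_usn)
            applied += 1
        self.high_watermark[partner.name] = partner.usn     # next pull starts after this point
        return applied

    def current(self, dn, attr):
        vals = [c.value for c in self.log if (c.dn, c.attr) == (dn, attr)]
        return vals[-1] if vals else None


def simulate():
    """A originates two writes; B is A's partner, C is B's partner and also A's."""
    a, b, c = DC("DC-A"), DC("DC-B"), DC("DC-C")
    a.write(USER_DN, "telephoneNumber", "416-555-0100")
    a.write(USER_DN, "title", "Engineer")
    counts = {}
    counts["B<-A"] = b.pull_from(a)        # 2: direct partner of the originating DC
    counts["C<-B"] = c.pull_from(b)        # 2: transitive partner, receives A's changes via B
    counts["C<-A"] = c.pull_from(a)        # 0: by USN everything in A's log is new to C,
                                           #    but the UTD vector shows C already has it
    counts["A<-C"] = a.pull_from(c)        # 0: A's own changes coming back are dampened too
    a.write(USER_DN, "department", "IT")
    counts["B<-A again"] = b.pull_from(a)  # 1: only the change above B's high watermark for A
    return a, b, c, counts
```

Without the up-to-dateness vector the third pull would rewrite both attributes on C (with fresh local USNs), B would then pull them again from C, and the change would circulate indefinitely; that is the duplication the USN scheme exists to prevent.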
·
Intra-Site
Replication
(replication between DCs within the site) is
automatic
o
Replication traffic within sites is uncompressed.
o
By
default is set to
5 minutes (can be between
?? and
??)
§
When a change is
performed in its database, a domain controller waits a configurable interval
(default 5 minutes), accepts more
changes during this time, then sends a notification to its replication partners, which
pull the changes.
If no changes are performed for a configurable period (default 6 hours) the domain
controller initiates a replication sequence anyway, just to make sure that it
did not miss anything.
o
If more than one replication partner exist DC will wait
30 seconds (default) after finishing first replication to send notification to
another
o
Security-sensitive changes are
immediately replicated
§
lockout of user accounts
§
change of domain trust passwords
§
some changes in the roles of domain controllers
o
Replication should never exceed 3 hops (steps) – under
default settings take more than 15 minutes (5 minutes per each hop)
o
Only IP
(RPC) protocol can be used for intra-site replication
·
Inter-Site
Replication
(replication between sites) is scheduled
o
Replication traffic between sites is compressed.
o
Replication
schedule says when replication can occur
o
Replication
interval says how often DC should check for changes during time replication
is allowed
§
By
default is set to
3 hours (180
minutes) (can be between 15 mins and
7 days)
o
Supports IP (RPC)
protocol and SMTP protocol for
inter-site replication
§
SMTP can be only used to replicate configuration
and schema partitions
o
Configure using
AD Sites and Services
§
“Inter-Site Transports” section – create a new Site Link or use
the existing one
o
Site Link –
used to manage replication – can be created for IP and SMTP protocols
§
Sites in this link
box: Add sites that are parts of this site link
§
Cost – used to
determine which site link is used if there are multiple site links available –
lower # is used
§
Replicate every
(default is 3 hours (180 minutes)) – sets replication interval for this link
§
Schedule – select
what day and time of day replication can happen
o
Site
Link
Bridge – Allows one site in a string of sites to
replicate through one or two sites to a second or third site.
§
These are only used for fine control of how replication will
occur across WAN links.
§
This is actually done automatically by AD, without fine
control.
§
To use this feature, automatic bridging of site links must be
turned off.
·
“Bridge all site links” option in Properties of
protocol folder under “Inter-Site Transports”
·
Replication topology – configuration formed by the connections used to
replicate directory information between domain controllers
o
Connection object
(for intra-site replication) defines two
replication partners
– one way path between DCs
§
Usually created in pairs to enable two-way communication
between partners
o
KCC (Knowledge
Consistency Checker) – process running on every DC
§
Automatically generates replication topology for entire forest
by creating connection objects
·
Based on the Site Link objects connecting each
site (under “Inter-Site Transports” node in “AD Sites & Services”)
§
Ensures originating update never takes more than three hops to
be replicated
§
Manually created connection objects override automatically
created ones
§
KCC will not delete manually created objects
§
If DC cannot replicate with partners it will use KCC to make
additional connection objects
o
First site is
created automatically (called “Default-First-Site-Name”)
§
Create additional sites manually
§
Add subnet to a site to indicate they have fast connectivity
between them
·
Add servers to site to indicate they are on the
same fast network
§
The DCs in a site do not have to be for the same domain (the
Configuration and Schema partitions will still be replicated)
o
Direct
replication partner is the partner receiving update directly from DC which
originated the update
o
Transitive
replication partner is partner which receive data from DC which did not
originated the update (just passed it on)
·
Manage replication using
AD Sites and Services
MMC
o
Force replication
to happen right away – right click on connection object and select
Replicate Now
·
Bridgehead
Server is a server designated for receiving updates for the site (from
another site) and then replicating the changes to other DCs in the site using
normal (intra-site) replication.
o
It is chosen automatically by the
ISTG (InterSite Topology Generator)
process.
o
Bridgehead server can be selected by adding it to list
of preferred bridgehead servers in Properties of the server (under site)
·
Conflicts
(collisions) – can occur under three different conditions when:
o
Change to the same
attribute is made on two different DCs.
§
To resolve this conflict a
globally unique stamp
attached to every attribute is used in the following order:
·
PVN (property value number) – starts at
1 and each time attribute is changed it is increased by one.
·
In case of conflict attribute with higher
PVN wins.
·
Timestamp
– if both PVNs are the same then attribute with the most recent timestamp wins
·
Server
GUID – if both timestamps are the same attribute with higher DC Server GUID
wins
o
Object is added or moved
to a particular container, but that container has been deleted on another DC
§
In this case the object is placed in
LostAndFound container
o
Naming conflicts
occur when two objects with the same name are added to the same container
§
In this case globally unique stamp is used (same order as above) and the object that wins
is kept.
§
The object that lost is renamed using the following format:
·
Object name + line feed (0x0A) + “CNF:” + object’s GUID
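The stamp comparison and the conflict rename as code, added here as an example that is not part of the original notes or of any Microsoft tool: every attribute value carries a stamp of (version, timestamp, originating DC GUID) compared field by field in that order, and the loser of a naming conflict is renamed rather than deleted. The DC GUIDs and object GUIDs below are constructed placeholders, not real invocation IDs.

```python
"""Attribute and naming conflict resolution as AD replication performs it.

Added example, not from the original notes.  GUID values are constructed placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Stamp:
    version: int      # property version number (PVN): 1 at creation, +1 per originating write
    timestamp: int    # time of the originating write (seconds since epoch in this example)
    dsa_guid: bytes   # invocation GUID of the originating DC: 16 bytes, the final tie-breaker


DC_A_GUID = b"A" * 16      # constructed stand-ins for real 16-byte GUIDs
DC_B_GUID = b"B" * 16


def originate(previous, now, dsa_guid):
    """Stamp produced by an originating write on top of the value's current stamp (None if new)."""
    return Stamp(version=(previous.version if previous else 0) + 1,
                 timestamp=now, dsa_guid=dsa_guid)


def resolve_attribute(candidate_a, candidate_b):
    """Same attribute changed on two DCs. Each candidate is (value, stamp).
    order=True compares version, then timestamp, then GUID, exactly the order
    the replication engine uses; the higher stamp wins."""
    (value_a, stamp_a), (value_b, stamp_b) = candidate_a, candidate_b
    return (value_a, stamp_a) if stamp_a > stamp_b else (value_b, stamp_b)


def conflict_name(rdn, object_guid):
    """Name given to the loser of a naming conflict: RDN, line feed (0x0A), 'CNF:', objectGUID."""
    return f"{rdn}\nCNF:{object_guid}"


def resolve_naming(obj_a, obj_b):
    """Two objects with the same RDN created in one container on different DCs.
    Each is (rdn, objectGUID, stamp). Returns (name kept, renamed loser); nothing is deleted."""
    winner, loser = (obj_a, obj_b) if obj_a[2] > obj_b[2] else (obj_b, obj_a)
    return winner[0], conflict_name(loser[0], loser[1])
```

Note the consequence of the ordering: a value written twice on one DC (version 2) beats a single later write on another DC (version 1), however much newer its timestamp. Only when versions tie does “most recent” matter, and only when both tie does the higher DC GUID decide.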
·
Troubleshooting replication using Replication
Monitor and Repadmin utilities
·
Both tools are installed by Windows 2000 Support
Tools (CD:\Support\tools\support.cab)
·
Replication Monitor (replmon.exe)
o
Graphical tool to examine replication topology and
status of replication
o
View USN number of server, number of replication
attempts, error messages, objects to be replicated, trigger replication, etc)
·
Repadmin
(repadmin.exe)
o
Command line tool which gives data about specific DC
·
There are five Operations Masters roles any DC
can have – 2 are forest-wide and 3 are domain-wide
Role | Scope | Quick Description
Domain Naming Master | Forest | Manages addition and deletion of domains in the forest
Schema Master | Forest | Only DC where changes to the AD schema can be made
PDC Emulator (Primary Domain Controller) | Domain | Acts as the Windows NT 4.0 PDC for down-level BDCs and clients – also has other roles (password and lockout replication, time source, default GPO editing target)
Infrastructure Master | Domain | Updates references (group memberships) to objects that live in other domains
RID Master (Relative Identifier) | Domain | Assigns unique RID pools to domain controllers
·
The first DC server in
the forest takes all five roles
·
The first DC server in additional domain joined
to forest assumes all three domain-wide roles for that domain
·
Domain
Naming Master
o
Responsible for addition and deletion of domains in the
forest
o
Only one per each forest
o
When DCPROMO is run on server, it contacts the Domain
Naming Master
o
Domain Naming Master must be also a Global Catalog Server
because needs to be aware of all domains in the forest
·
Schema
Master
o
Responsible for making changes to the forest-wide AD
schema (this is only read/write copy of schema in forest)
o
Only one per each forest
o
Only members of Schema Admins group can make schema
changes
·
PDC
Emulator
o
Primary Domain Controller emulates pre-Windows 2000 PDC:
§
Emulates PDC functions for pre-Windows 2000 machines (appears
to them as NT4 PDC)
§
Replication to other BDCs (Backup Domain Controllers)
§
Accepts changes made by pre-Windows 2000 machines and
replicates back to AD
o
In addition it has the following Windows 2000 roles:
§
Preferential password replication DC (all password changes are
replicated to PDC emulator first)
§
Preferential account lockouts replication (all account status
changes replicated first to PDC emulator)
§
Other DCs contact PDC emulator first before they reject invalid
password attempts
·
It is because PDC Emulator gets all password
changes first
§
Time synchronization master – the other DCs in the domain synchronize their time with
the PDC emulator
·
The PDC emulator of each domain synchronizes its time with the PDC
emulator in the forest root domain
·
The forest root domain PDC emulator should synchronize
its time with an external clock source.
§
The Group Policy snap-in connects to the PDC emulator by default when a GPO is edited, so two administrators editing the same GPO on different DCs do not create replication conflicts
o
Only one per each domain
·
Infrastructure Master
o
Responsible for keeping track of objects (their GUIDs
and SIDs) from other domains that are referenced in the domain the Infrastructure
Master resides in (for example, users from another domain that are members of a
local group), and for updating those references when the referenced object is renamed or moved
o
Should not be a GC server: a GC already holds a partial replica of every object
in the forest, so an Infrastructure Master that is also a GC never sees a stale
cross-domain reference and never updates one. The exception is when every DC in the
domain is a GC (or the forest has only one domain); then the role has nothing to do
o
Only one per each domain
·
RID Master
o
Relative Identifier master is responsible for assigning
blocks of RID (unique IDs) for creation of SIDs to DC in the domain
o
Responsible for moving objects to another domain (and
removing the object from the current domain)
o
Only one per each domain
·
AD contains information in its database about
which server is acting as operations masters
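The role holders are ordinary directory data: each role is recorded in the fSMORoleOwner attribute of one object, which points at the NTDS Settings object of the holding DC. The following PowerShell script is an added example, not part of the original notes; it reads the five role holders straight from the directory with ADSI, so it shows the same information as the three GUI tools without hard-coding any domain names. It assumes PowerShell 3.0 or later on a domain-joined machine whose account can read the directory.

```powershell
# Added example (not from the original notes): list the five operations master
# holders by reading the fSMORoleOwner attribute of the objects that record them.
# Assumes a domain-joined machine with ADSI; all naming contexts come from RootDSE.
function Get-FsmoRoleHolder {
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $domainNc = [string]$rootDse.defaultNamingContext
    $configNc = [string]$rootDse.configurationNamingContext
    $schemaNc = [string]$rootDse.schemaNamingContext

    # Role name, scope, and the DN of the object whose fSMORoleOwner records the holder
    $roles = @(
        @{ Role = 'Schema Master';         Scope = 'Forest'; Dn = $schemaNc }
        @{ Role = 'Domain Naming Master';  Scope = 'Forest'; Dn = "CN=Partitions,$configNc" }
        @{ Role = 'PDC Emulator';          Scope = 'Domain'; Dn = $domainNc }
        @{ Role = 'RID Master';            Scope = 'Domain'; Dn = "CN=RID Manager`$,CN=System,$domainNc" }
        @{ Role = 'Infrastructure Master'; Scope = 'Domain'; Dn = "CN=Infrastructure,$domainNc" }
    )

    foreach ($r in $roles) {
        $recordingObject = [ADSI]"LDAP://$($r.Dn)"
        # fSMORoleOwner is the DN of the holder's NTDS Settings object; its parent
        # is the server object, which carries the DC's DNS host name.
        $ntdsSettingsDn = [string]$recordingObject.fSMORoleOwner

        # If the holding DC was deleted, the DN is mangled with "0ADEL:" and points
        # into Deleted Objects: the role has no live holder and must be seized.
        $deleted = $ntdsSettingsDn -match '0ADEL:'
        $holder = if ($deleted) {
            '(deleted DC - seize required)'
        } else {
            [string](([ADSI]"LDAP://$ntdsSettingsDn").Parent).dNSHostName
        }

        [pscustomobject]@{
            Role    = $r.Role
            Scope   = $r.Scope
            Holder  = $holder
            Deleted = $deleted
        }
    }
}

Get-FsmoRoleHolder | Format-Table -AutoSize
```

Because the script reads the domain naming context of the machine it runs on, it reports the three domain-wide roles of that domain only; run it in each domain (or bind to another domain's RootDSE) to cover a multi-domain forest. A Deleted value of True is the sign that the GUI tools will refuse a transfer and that ntdsutil seizure is needed.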
·
To view
and change
domain-level operation master roles use
AD Users and Computers
o
Right-click on the top entry in the tree and select
Operations Masters (three tabs: RID,
PDC and Infrastructure)
o
Only Domain Admins can change these roles
·
To view
and change
Domain Naming Master role use AD Domains and Trusts
o
Right-click on the top entry in the tree and select
Operations Master
o
Only members of Enterprise Admins can change this role
·
To view
and change
Schema Master role use Active
Directory Schema
MMC snap-in
o
You need to register DLL with this snap-in first. Use
this command line command: “regsvr32
schmmgmt.dll”
o
Right-click on the “Active Directory Schema” in the tree
and select Operations Master
o
Only members of Schema Admins can change this role
·
To transfer a role while both DCs are online, use the GUI tools above or the
ntdsutil command line utility (roles command, transfer …); to seize a role
from a DC that is permanently offline, use ntdsutil (roles command, seize …).
ntdsutil tries a normal transfer first and seizes only if the current holder does not respond
·
Once a role has been seized, the old role holder must never be brought back
online; reinstall it (and clean up its metadata) first. Otherwise two DCs claim the
same role: a duplicate RID master hands out the same RID pools, and duplicate
Schema or Domain Naming masters accept conflicting forest-wide changes
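ntdsutil accepts the commands of an interactive session as command-line arguments, so the transfer and seizure procedure above can be scripted and reviewed before it runs. The function below is an added example, not part of the original notes or of ntdsutil's documentation; it defaults to transfer and seizes only when the caller explicitly says the old holder is gone for good. It assumes ntdsutil.exe is available on the DC or admin workstation it runs on and that the caller is in the group the role requires (Domain Admins for the three domain-wide roles, Enterprise Admins for Domain Naming Master, Schema Admins for Schema Master).

```powershell
# Added example (not from the original notes): move operations master roles with
# ntdsutil, preferring a graceful transfer and seizing only on explicit request.
# Assumes ntdsutil.exe is on the path and the caller holds the rights the role needs.
function Move-FsmoRole {
    param(
        [Parameter(Mandatory)] [string]   $TargetDc,   # DC that will hold the role(s) afterwards
        [Parameter(Mandatory)] [string[]] $Role,       # ntdsutil role names, see $validRoles
        [switch] $Seize                                # only when the current holder is permanently lost
    )
    # Exact role names as ntdsutil's "roles" context spells them
    $validRoles = 'schema master', 'domain naming master', 'PDC', 'RID master', 'infrastructure master'
    foreach ($r in $Role) {
        if ($validRoles -notcontains $r) { throw "Unknown ntdsutil role name '$r'" }
    }
    $verb = if ($Seize) { 'seize' } else { 'transfer' }

    # Build the command list exactly as it would be typed at the ntdsutil prompts:
    # enter roles context, bind to the target DC, issue one verb per role, leave.
    $commands = @('roles', 'connections', "connect to server $TargetDc", 'quit')
    foreach ($r in $Role) { $commands += "$verb $r" }
    $commands += 'quit', 'quit'

    # Show the session before running it so the operator can confirm the verb and target
    Write-Host ("ntdsutil " + (($commands | ForEach-Object { '"' + $_ + '"' }) -join ' '))
    & ntdsutil.exe @commands
}

# Routine maintenance: the old holder is still online, so transfer.
# Move-FsmoRole -TargetDc DC2 -Role 'RID master', 'PDC', 'infrastructure master'

# Disaster recovery: the old holder is permanently lost, so seize
# (ntdsutil asks for confirmation before seizing; answer Yes to proceed).
# Move-FsmoRole -TargetDc DC2 -Role 'RID master' -Seize
```

When the -Seize switch is used, ntdsutil still attempts a transfer first and falls back to seizure only if the current holder cannot be reached, so running it against a holder that is merely slow may produce a transfer rather than a seizure. Whatever the outcome, a DC whose role was seized must be rebuilt before it is reconnected to the network.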
·
ESE (Extensible Storage Engine, implemented in esent.dll) is the database
engine AD uses to physically store its database on every DC server
·
Each change (add, modify or delete) to AD is a
“transaction”
·
Before changes are committed to the AD database they
are first written to a transaction log file (edb.log in the NTDS folder); a
transaction that was not completely logged is never applied, so the database
stays consistent after a crash
·
ntds.dit
– AD database file – holds all the data (objects, schema).
(DIT
– Directory Information Tree)
·
|