- What is Active Directory?
Active Directory is the directory service used on Microsoft Windows based
computers and servers to store information about network resources, users,
computers and domains. It first shipped with Windows 2000 Server as the
successor to the Windows NT 4.0 domain model, and every later Windows Server
release has carried it forward as Active Directory Domain Services (AD DS).
Active Directory (often abbreviated AD) performs a variety of functions: it
stores information about objects, organizes those objects so they can be
located and retrieved easily, makes them available to end users and
administrators, and lets the administrator configure security (permissions,
authentication and policy) over the directory and everything it describes.
Active Directory is a hierarchical collection of network resources that can
contain users, computers, printers, and other objects, organized into domains
that are grouped into trees and forests. Active Directory Domain Services
(AD DS) lets administrators manage all of these resources from a single
location, because the information and settings are stored in a central
database that is replicated to every domain controller.
- What is LDAP?
The Lightweight Directory Access Protocol, or LDAP, is an application protocol
for querying and modifying directory services over TCP/IP (port 389 by default,
636 for LDAP over TLS). It is the protocol that lets almost any application on
virtually any platform obtain directory information such as email addresses,
group memberships and public keys. Because LDAP is an open standard,
applications need not care which vendor's server hosts the directory; Active
Directory is one LDAP server among many. The caveat a practitioner should
remember is that a simple bind on port 389 sends the password in clear text, so
clients should use LDAPS or require LDAP signing and channel binding.
- Can you connect Active Directory to other 3rd-party Directory Services? Name a few options.
Yes. Because AD speaks LDAP, any LDAP-capable directory can be queried from it
or synchronised with it. Common options:
- LDAP connectors or Novell DirXML (later Novell Identity Manager) to link AD
with Novell eDirectory / NDS (Novell Directory Services).
- Microsoft Identity Integration Server (MIIS, later ILM, FIM and MIM) to
synchronise AD with the directories used by SAP, Lotus Domino and other
systems.
- Where is the AD database held? What other folders are related to AD?
The AD database is stored in %systemroot%\NTDS by default (C:\Windows\NTDS).
Other files live in the same folder; these are the main files controlling the
AD structure:
ntds.dit
edb.log
res1.log
res2.log
edb.chk
When a change is made to the database, triggering a write operation, Windows
first records the transaction in the log file (edb.log). Once written to the
log file, the change is then written to the AD database; system load
determines how quickly the data is flushed from the log into the database.
Whenever the system is shut down cleanly, all outstanding transactions are
committed to the database.
During the installation of AD, Windows creates two reserve files, res1.log and
res2.log (named edbres00001.jrs and edbres00002.jrs on Windows Server 2008 and
later). The initial size of each is 10MB. They reserve disk space so that
in-flight transactions can still be written to disk should the volume run out
of free space.
The checkpoint file (edb.chk) records which transactions in the log have been
committed to the AD database (ntds.dit). During a clean shutdown, a "shutdown"
marker is written to edb.chk. On reboot, AD reads it to determine that all
transactions in edb.log have been committed. If edb.chk does not exist at boot
or the shutdown marker is missing, AD replays edb.log to bring the database up
to date.
The last file in the list is the AD database itself, ntds.dit, located in
%systemroot%\NTDS along with the other files. Note that ntds.dit contains the
password hashes of every account in the domain, so the folder is restricted to
SYSTEM and Administrators by default, and any copy of it (a backup, a VSS
snapshot or an IFM set) must be protected as carefully as a domain controller.
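The following is an added example, not part of the original post: it reads the database and log locations from the NTDS service parameters on a domain controller, lists the files discussed above (matching both the res1.log and the edbres00001.jrs naming schemes), and flags any identity other than SYSTEM and Administrators that appears in the folder's ACL. The "expected" identity list is an assumption for a default installation; adjust it if your build adds backup service accounts.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell
# session on a domain controller.
$params = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbFile  = $params.'DSA Database file'          # usually C:\Windows\NTDS\ntds.dit
$logPath = $params.'Database log files path'    # usually C:\Windows\NTDS
$workDir = $params.'DSA Working Directory'

"Database : $dbFile"
"Logs     : $logPath"
"Work dir : $workDir"

# The files the post discusses. Windows Server 2008+ uses edbres0000N.jrs for the
# reserve logs and edb0000N.log for rotated logs, so match both naming schemes.
Get-ChildItem -Path $logPath -File |
    Where-Object { $_.Name -match '^(ntds\.dit|edb\.log|edb\.chk|edb[0-9A-F]+\.log|res\d\.log|edbres\d+\.jrs|temp\.edb)$' } |
    Select-Object Name, @{n='MB'; e={ [math]::Round($_.Length / 1MB, 1) }}, LastWriteTime |
    Format-Table -AutoSize

# ntds.dit holds every account's password hashes. On a default install only SYSTEM
# and Administrators have access to the folder (assumption: no extra backup
# accounts were added). Report any other principal that has an ACE here.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')
$extra = (Get-Acl -Path $logPath).Access |
    Where-Object { $allowed -notcontains $_.IdentityReference.Value }

if ($extra) {
    Write-Warning "Unexpected ACEs on ${logPath}:"
    $extra | Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize
} else {
    "ACL on $logPath is restricted to SYSTEM and Administrators."
}
```

If the database has been moved (ntdsutil "files" / "move db to"), the registry values, not the conventional %systemroot%\NTDS path, are the source of truth, which is why the script reads them instead of assuming the default.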
- What is the SYSVOL folder?
SYSVOL is a shared folder present on every domain controller (%systemroot%\SYSVOL
by default, shared as \\<dc>\SYSVOL) that holds the file-based parts of the
domain: Group Policy templates, logon and logoff scripts and similar files.
It can only be created on an NTFS partition.
From Microsoft's own documentation: The Sysvol folder on a Windows domain
controller is used to replicate file-based data among domain controllers.
Because junctions are used within the Sysvol folder structure, Windows NT file
system (NTFS) version 5.0 is required on domain controllers throughout a
Windows distributed file system (DFS) forest.
In other words, the domain controller data that lives in files rather than in
ntds.dit, such as your Group Policy objects, is replicated to every DC through
this folder structure (by FRS in older domains, by DFS Replication in domains
that have been migrated with dfsrmig). Because every domain computer reads
scripts and policy from it, write access to SYSVOL is equivalent to code
execution on every machine in the domain and must stay limited to domain
administrators.
- How do you view all the GCs in the forest?
Several ways:
C:\>repadmin /showreps <domain_controller>
The output for each DC begins with a "DSA Options:" line; IS_GC appears there
when that DC is a global catalog.
OR
C:\>dsquery server -forest -isgc
OR
C:\>nltest /dsgetdc:<domain> /GC
OR
You can use Replmon.exe (Windows 2000/2003 Support Tools; removed in Windows
Server 2008) for the same purpose.
OR
AD Sites and Services: the NTDS Settings object of each server has a
"Global Catalog" checkbox.
OR
DNS: nslookup gc._msdcs.<forest root domain>. The gc._msdcs records live in the
forest root zone, so nslookup gc._msdcs.%USERDNSDOMAIN% only works when you are
logged on to the forest root domain.
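As an added example (not from the original post), the same question answered from PowerShell three independent ways, with a cross-check between what the directory says and what DNS advertises. It assumes the ActiveDirectory module (RSAT) and the DnsClient module (Windows 8 / Server 2012 or later) are available.

```powershell
# Added example (not from the original post): enumerate global catalogs three ways.
Import-Module ActiveDirectory

$forest = Get-ADForest
$root   = $forest.RootDomain
"Forest root domain: $root"

# 1. The forest object keeps the authoritative list.
"`n[Get-ADForest] GlobalCatalogs:"
$forest.GlobalCatalogs | Sort-Object

# 2. Per-DC view, which also shows the DCs that are NOT global catalogs.
"`n[Get-ADDomainController] per-DC view:"
Get-ADDomainController -Filter * |
    Select-Object HostName, Site, IsGlobalCatalog, IsReadOnly |
    Sort-Object IsGlobalCatalog -Descending |
    Format-Table -AutoSize

# 3. What clients actually use: SRV records under the FOREST ROOT zone, not
#    necessarily the zone of the domain you are logged on to.
$srvName = "_ldap._tcp.gc._msdcs.$root"
"`n[DNS] ${srvName}:"
$srv = Resolve-DnsName -Name $srvName -Type SRV | Where-Object { $_.QueryType -eq 'SRV' }
$srv | Select-Object NameTarget, Port, Priority, Weight | Sort-Object NameTarget | Format-Table -AutoSize

# Cross-check: a GC with no SRV record (or a record for a server that is no
# longer a GC) points at a DNS registration or replication problem.
$fromAd  = @($forest.GlobalCatalogs | ForEach-Object { $_.ToLower().TrimEnd('.') })
$fromDns = @($srv.NameTarget       | ForEach-Object { $_.ToLower().TrimEnd('.') })

if ($fromAd.Count -gt 0 -and $fromDns.Count -gt 0) {
    Compare-Object -ReferenceObject $fromAd -DifferenceObject $fromDns | ForEach-Object {
        $side = if ($_.SideIndicator -eq '<=') { 'listed in AD but missing from DNS' }
                else { 'advertised in DNS but not a GC in AD' }
        Write-Warning "$($_.InputObject): $side"
    }
} else {
    Write-Warning 'One of the lists is empty; cannot cross-check AD against DNS.'
}
```

Method 3 is the one worth automating in monitoring: it is the view an attacker or a misconfigured client gets from DNS alone, without any directory credentials.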
- Why not make all DCs in a large forest as GCs?
The traditional reason is that in a large (or even giant) forest every GC has
to hold a partial replica of every object in the entire forest, which can be a
lot of data and a considerable replication burden across WAN links. For a few
hundred, or even a few thousand, users this is not likely to matter unless you
have really poor WAN lines. The other reason is the infrastructure master
constraint described under the FSMO question below: in a multi-domain forest
the infrastructure master must not sit on a GC unless every DC in its domain
is one. Current Microsoft guidance is in fact to make every DC a global
catalog unless one of those two reasons applies, because logon in a
multi-domain forest needs a GC to expand universal group membership.
- Trying to look at the Schema, how can I do that?
Two options. Either open adsiedit.exe and connect to the Schema naming
context, or use the Active Directory Schema snap-in, which is hidden until its
DLL has been registered:
c:\windows\system32>regsvr32 schmmgmt.dll
Open mmc -> File -> Add/Remove Snap-in -> Active Directory Schema
Save the console as schema.msc
Open Administrative Tools -> schema.msc
Viewing the schema works against any DC; changing it requires connecting to
the schema master and membership of the Schema Admins group, which should
otherwise be left empty.
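An added example (not part of the original post) that reads the schema directly rather than through the snap-in. It lists the attributes whose searchFlags mark them confidential (bit 0x80, readable only with the CONTROL_ACCESS right, the mechanism LAPS uses to protect ms-Mcs-AdmPwd) or excluded from read-only DCs (bit 0x200), and prints the schema master and schema version. It assumes the ActiveDirectory module is installed.

```powershell
# Added example (not from the original post): query the schema naming context.
Import-Module ActiveDirectory

$rootDse  = Get-ADRootDSE
$schemaNc = $rootDse.schemaNamingContext     # CN=Schema,CN=Configuration,DC=...

# Every attribute definition is an attributeSchema object under the schema NC.
$attrs = Get-ADObject -SearchBase $schemaNc -LDAPFilter '(objectClass=attributeSchema)' `
                      -Properties lDAPDisplayName, searchFlags

# searchFlags bits (from the schema documentation): 0x1 indexed, 0x80 confidential,
# 0x200 filtered from the RODC partial attribute set.
$INDEXED = 0x1; $CONFIDENTIAL = 0x80; $RODC_FILTERED = 0x200

$flagged = $attrs | ForEach-Object {
    $f = [int]$_.searchFlags
    [pscustomobject]@{
        Attribute    = $_.lDAPDisplayName
        Indexed      = [bool]($f -band $INDEXED)
        Confidential = [bool]($f -band $CONFIDENTIAL)
        RodcFiltered = [bool]($f -band $RODC_FILTERED)
    }
} | Where-Object { $_.Confidential -or $_.RodcFiltered } | Sort-Object Attribute

"Attributes marked confidential or RODC-filtered ($($flagged.Count) of $($attrs.Count)):"
$flagged | Format-Table -AutoSize

# Where a change would have to be made, and which schema version you are on.
$schemaObj = Get-ADObject -Identity $schemaNc -Properties objectVersion
"Schema master : $((Get-ADForest).SchemaMaster)"
"objectVersion : $($schemaObj.objectVersion)"
```

A practical use of the confidential list: any attribute you store secrets in (LAPS passwords, application keys) should appear in it; if it does not, every authenticated user can read it by default.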
- What is REPLMON? What is ADSIEDIT? What is NETDOM? What is REPADMIN?
ADSIEdit is a Microsoft Management Console (MMC) snap-in that acts as a
low-level editor for Active Directory. It is a Graphical User Interface (GUI)
tool. Network administrators can use it for common administrative tasks such
as adding, deleting, and moving objects within the directory service; the
attributes of any object can be viewed, edited or deleted with it. ADSIEdit
uses the ADSI application programming interfaces (APIs) to access Active
Directory. The following files are required to use the tool:
· ADSIEDIT.DLL
· ADSIEDIT.MSC
Regarding system requirements, a connection to an Active Directory environment
and Microsoft Management Console (MMC) are necessary. Because ADSIEdit bypasses
the safety checks of the normal administrative tools, a mistaken edit (for
example to an ACL or a system object) takes effect immediately and replicates,
so use it with care.
Replmon (Active Directory Replication Monitor, from the Windows 2000/2003
Support Tools) was the first tool to reach for when troubleshooting Active
Directory replication issues. As it is a graphical tool, replication problems
are easy to see and somewhat easier to diagnose than with its command-line
counterpart, repadmin. It was dropped in Windows Server 2008; on current
systems use repadmin or the Active Directory Replication Status Tool instead.
NETDOM is a command-line tool that allows management of Windows domains and
trust relationships from the command prompt. It is used for batch management
of trusts, joining computers to domains, renaming and moving computers,
verifying trusts and resetting secure channels, and listing FSMO role holders
(netdom query fsmo). Netdom is built into Windows Server 2008 and later; it is
available when the Active Directory Domain Services (AD DS) server role or the
RSAT tools are installed, and must be run from an elevated command prompt
(click Start, right-click Command Prompt, and then click Run as administrator).
REPADMIN.EXE is a command-line tool used to monitor and troubleshoot Active
Directory replication. It lets you view the replication topology as seen from
the perspective of each domain controller, list inbound and outbound partners,
force replication and check for lingering objects. Although specific to
Windows, it is also useful for diagnosing some Exchange replication problems,
since Exchange Server stores its configuration in Active Directory.
REPADMIN doesn't actually fix replication problems for you, but you can use it
to determine the source of a malfunction.
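The following is an added example, not from the original post, of the repadmin workflow the paragraph describes: it turns the CSV output of repadmin /showrepl into objects and reports only the inbound links that have failed or have not succeeded recently. Save it as a .ps1 and run it elevated on a DC or an RSAT workstation; the 7-day staleness threshold is a value chosen for illustration.

```powershell
# Added example (not from the original post): replication health from repadmin.
param([int]$StaleDays = 7)   # assumption: 7 days is "stale" for this environment

# '*' asks every DC in the forest for its inbound replication state.
$rows = repadmin /showrepl * /csv | ConvertFrom-Csv
if (-not $rows) { throw 'repadmin returned no rows; check that RSAT is installed and the prompt is elevated.' }

function ConvertFrom-RepadminTime([string]$s) {
    # repadmin writes times as "yyyy-MM-dd HH:mm:ss"; "0" or blank means never.
    if ($s -and $s -ne '0') { try { [datetime]::Parse($s) } catch { $null } }
}

$cutoff = (Get-Date).AddDays(-$StaleDays)

$report = $rows | ForEach-Object {
    $lastOk = ConvertFrom-RepadminTime $_.'Last Success Time'
    [pscustomobject]@{
        Destination = $_.'Destination DSA'
        Source      = $_.'Source DSA'
        NC          = $_.'Naming Context'
        Failures    = [int]$_.'Number of Failures'
        LastSuccess = $lastOk
        LastStatus  = $_.'Last Failure Status'
        Stale       = (-not $lastOk) -or ($lastOk -lt $cutoff)
    }
}

$bad = @($report | Where-Object { $_.Failures -gt 0 -or $_.Stale })

if ($bad.Count -eq 0) {
    "All $($report.Count) inbound links healthy: 0 failures, last success within $StaleDays days."
} else {
    "$($bad.Count) of $($report.Count) inbound links need attention:"
    $bad | Sort-Object Failures -Descending |
        Format-Table Destination, Source, NC, Failures, LastSuccess, LastStatus, Stale -AutoSize
}
```

A link whose last success is older than the forest's tombstone lifetime is the dangerous case: that DC must be demoted and rebuilt rather than allowed to replicate again, or it reintroduces lingering objects.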
- What are sites? What are they used for?
Active Directory sites are groups of well-connected networks, defined by IP
subnets, that describe the physical structure of your AD (domains and OUs
describe the logical structure). They give you much better control over
replication traffic and authentication traffic than you had with Windows NT
4.0 domains: replication within a site is near-immediate and uncompressed,
replication between sites is scheduled and compressed over site links, and
clients use the site their subnet maps to in order to find a nearby domain
controller for logon.
Using Active Directory, the network and its objects are organized by
constructs such as domains, trees, forests, trust relationships,
organizational units (OUs), and sites.
- What's the difference between a site link's schedule and interval?
The schedule lists the weekdays and hours during which the site link is
available for replication. The interval is how often replication recurs
within that window, in minutes. It ranges from 15 to 10,080 minutes (one
week); the default interval is 180 minutes. Both live on the site link object
(the schedule and replInterval attributes), and both are bypassed if change
notification is enabled on the link, which makes intersite replication behave
like intrasite replication.
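As an added example (not from the original post), a PowerShell audit of every site link's interval and schedule, flagging intervals outside the documented 15 to 10,080 minute range or away from the 180 minute default, with the one-liner used to correct an interval at the end. It assumes the ActiveDirectory module from Windows Server 2012 or later, which exposes Get-ADReplicationSiteLink.

```powershell
# Added example (not from the original post): audit site link interval and schedule.
Import-Module ActiveDirectory

$SLOTS_PER_WEEK = 7 * 24 * 4   # schedule granularity is 15 minutes: day x hour x quarter

$links = Get-ADReplicationSiteLink -Filter * `
            -Properties Cost, ReplicationFrequencyInMinutes, ReplicationSchedule, SitesIncluded

$links | ForEach-Object {
    $interval = $_.ReplicationFrequencyInMinutes
    $sched    = $_.ReplicationSchedule

    # ReplicationSchedule is $null when the link uses the default "always
    # available" schedule; otherwise RawSchedule is a bool[7,24,4] array.
    $openSlots = if ($null -eq $sched) { $SLOTS_PER_WEEK }
                 elseif ($sched.RawSchedule) { @($sched.RawSchedule | Where-Object { $_ }).Count }
                 else { $null }

    $note = if ($interval -lt 15 -or $interval -gt 10080) { 'interval OUT OF RANGE' }
            elseif ($interval -ne 180)                    { 'non-default interval' }
            else                                          { '' }

    [pscustomobject]@{
        Link            = $_.Name
        Sites           = ($_.SitesIncluded | ForEach-Object { (($_ -split ',')[0]) -replace '^CN=' }) -join ', '
        Cost            = $_.Cost
        IntervalMinutes = $interval
        SchedulePctOpen = if ($null -ne $openSlots) { [math]::Round(100 * $openSlots / $SLOTS_PER_WEEK) } else { 'custom' }
        Note            = $note
    }
} | Sort-Object Link | Format-Table -AutoSize

# To change an interval (example values): the cmdlet enforces the 15..10080 range.
function Set-LinkInterval([string]$LinkName, [int]$Minutes) {
    Set-ADReplicationSiteLink -Identity $LinkName -ReplicationFrequencyInMinutes $Minutes
}
# Set-LinkInterval -LinkName 'DEFAULTIPSITELINK' -Minutes 60
```

Read the two columns together: a link open 100% of the week at 180 minutes replicates eight times a day, while a link open only at night at 15 minutes replicates every quarter hour but only inside that window.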
- What is the KCC?
The Knowledge Consistency Checker (KCC) is a built-in process that runs on
every domain controller (every 15 minutes by default) and generates the
replication topology for the Active Directory forest by creating and deleting
connection objects. The KCC builds separate replication topologies depending
on whether replication is occurring within a site (intrasite: a bidirectional
ring with extra connections so that no DC is more than three hops from any
other) or between sites (intersite, over site links, computed by the ISTG).
The KCC also dynamically adjusts the topology to accommodate new domain
controllers, domain controllers moved to and from sites, changing link costs
and schedules, and domain controllers that are temporarily unavailable.
- What is the ISTG? Who has that role by default?
The Intersite Topology Generator (ISTG) is the one domain controller in each
site whose KCC is responsible for the connections between sites, that is, for
creating the inbound connection objects from other sites' bridgehead servers.
By default the first domain controller installed in a site becomes that
site's ISTG; the current holder is recorded in the interSiteTopologyGenerator
attribute of the site's NTDS Site Settings object. If that server can no
longer perform the role (its periodic update of that attribute stops
arriving), the next server in the site by GUID order takes over the role of
ISTG.
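An added example (not from the original post) covering the two previous answers: it lists every site with its current ISTG, read from the interSiteTopologyGenerator attribute mentioned above, and wraps the repadmin call that makes a given DC's KCC recompute its topology immediately instead of on the next 15-minute cycle. It assumes the ActiveDirectory module is available.

```powershell
# Added example (not from the original post): ISTG per site, and forcing a KCC run.
Import-Module ActiveDirectory

$cfgNc = (Get-ADRootDSE).configurationNamingContext

function Get-SiteIstg {
    # Sites live under CN=Sites in the configuration NC; each has an NTDS Site Settings child.
    Get-ADObject -SearchBase "CN=Sites,$cfgNc" -LDAPFilter '(objectClass=site)' |
        ForEach-Object {
            $settings = Get-ADObject -Identity "CN=NTDS Site Settings,$($_.DistinguishedName)" `
                                     -Properties interSiteTopologyGenerator
            $istgDn = $settings.interSiteTopologyGenerator
            # The attribute holds the DN of the ISTG's NTDS Settings object:
            # CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,CN=Sites,... so the
            # second RDN is the server name.
            $istg = if ($istgDn) { (($istgDn -split ',')[1]) -replace '^CN=' }
                    else { '<no DC in this site>' }
            [pscustomobject]@{ Site = $_.Name; ISTG = $istg }
        }
}

function Invoke-Kcc([string]$DcName) {
    # Ask the KCC on $DcName to regenerate its connection objects now.
    repadmin /kcc $DcName
}

Get-SiteIstg | Sort-Object Site | Format-Table -AutoSize

# Example: after adding a site link, refresh the topology on the ISTG of 'HQ'
# (site name is an assumption for illustration).
# $hqIstg = (Get-SiteIstg | Where-Object Site -eq 'HQ').ISTG
# Invoke-Kcc $hqIstg
```

Checking the ISTG is also a quick sanity test after decommissioning a DC: if the attribute still names a server that no longer exists, intersite topology for that site is not being maintained.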
- What are the requirements for installing AD on a new server?
· An NTFS partition with enough free space (250MB minimum)
· An Administrator’s username and password
· The correct operating system version
· A NIC
· Properly configured TCP/IP (IP address, subnet mask and – optional –
default gateway)
· A network connection (to a hub or to another computer via a crossover
cable)
· An operational DNS server (which can be installed on the DC itself)
· A Domain name that you want to use
· The Windows 2000 or Windows Server 2003 CD media (or at least the i386
folder)
- What can you do to promote a server to DC if you're in a remote location with slow WAN link?
Use Install From Media (IFM), first available in Windows Server 2003: take a
system state backup of an existing DC, restore it to a folder on the new
remote server, then run "dcpromo /adv" and point the wizard at the restored
system state files when prompted. The new DC seeds its database from the local
copy and only replicates the changes made since the backup over the WAN. On
Windows Server 2008 and later the media is created with the ifm subcommand of
ntdsutil rather than with a system state backup. In both cases the media must
come from a DC running the same operating system version and must be younger
than the tombstone lifetime, and it contains every password hash in the
domain, so it has to be transported and stored as securely as the DC itself.
- What is tombstone lifetime attribute?
The number of days a deleted object is kept as a tombstone before it is
physically removed from the directory. This gives the deletion time to
replicate to every DC and prevents restores from reintroducing a deleted
object: a backup older than the tombstone lifetime is refused, and a DC that
has not replicated for longer than that must be demoted rather than allowed to
catch up. The value is the tombstoneLifetime attribute of the Directory
Service object in the configuration naming context
(CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,...). When the
attribute is not set the default of 60 days applies. The default written at
forest creation depends on the version that created the forest and is not
changed by later upgrades:
Windows 2000 Server 60 days
Windows Server 2003 no service pack 60 days
Windows Server 2003 SP1 180 days
Windows Server 2003 R2 60 days
Windows Server 2003 SP2 180 days
Windows Server 2008 180 days
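An added example, not part of the original post, that reads the effective tombstone lifetime from the Directory Service object described above (treating an absent attribute as the 60-day default), reads the related msDS-DeletedObjectLifetime used by the Recycle Bin, and prints the oldest backup date that is still restorable. It assumes the ActiveDirectory module and a Windows Server 2008 R2 or later schema.

```powershell
# Added example (not from the original post): effective tombstone lifetime.
Import-Module ActiveDirectory

$cfgNc = (Get-ADRootDSE).configurationNamingContext
$dsDn  = "CN=Directory Service,CN=Windows NT,CN=Services,$cfgNc"

function Get-TombstoneInfo {
    $ds = Get-ADObject -Identity $dsDn -Properties tombstoneLifetime, 'msDS-DeletedObjectLifetime'

    # An unset tombstoneLifetime means the forest runs with the built-in default of 60 days.
    $tslSet = $null -ne $ds.tombstoneLifetime
    $tsl    = if ($tslSet) { [int]$ds.tombstoneLifetime } else { 60 }

    # With the Recycle Bin enabled, deleted objects are kept restorable for
    # msDS-DeletedObjectLifetime days first; unset means "same as tombstoneLifetime".
    $dol = if ($null -ne $ds.'msDS-DeletedObjectLifetime') { [int]$ds.'msDS-DeletedObjectLifetime' } else { $tsl }

    [pscustomobject]@{
        TombstoneLifetimeDays     = $tsl
        TombstoneLifetimeExplicit = $tslSet
        DeletedObjectLifetimeDays = $dol
        OldestUsableBackup        = (Get-Date).AddDays(-$tsl).ToString('yyyy-MM-dd')
    }
}

$info = Get-TombstoneInfo
$info | Format-List

if (-not $info.TombstoneLifetimeExplicit) {
    Write-Warning 'tombstoneLifetime is not set: the forest is on the 60-day default (created on 2000, 2003 RTM or 2003 R2).'
}

# Raising it to 180 days, the value forests created on 2003 SP1 and later receive:
# Set-ADObject -Identity $dsDn -Replace @{ tombstoneLifetime = 180 }
```

Store the OldestUsableBackup date next to your backup rotation policy: a "good" system state backup that has aged past it cannot be used for an authoritative restore.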
- What are the DS commands?
The DS (Directory Service) family of built-in command-line utilities first
shipped with Windows Server 2003 Active Directory.
The DS commands split into two families. In one branch are DSadd, DSmod, DSrm
and DSmove, which change the directory; in the other branch are DSquery and
DSget, which read it. DSquery prints distinguished names, which can be piped
into any of the other tools.
When it comes to choosing a scripting tool for Active Directory objects, you
really are spoilt for choice. The DS family of built-in command-line
executables offer alternative strategies to CSVDE, LDIFDE and VBScript (and,
on current systems, to the ActiveDirectory PowerShell module).
The members of the DS family:
DSadd – add Active Directory objects (users, groups, computers, OUs, contacts)
DSmod – modify Active Directory objects
DSrm – delete Active Directory objects
DSmove – rename or relocate objects
DSquery – find objects that match your query attributes
DSget – list the properties of an object
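As an added example (not from the original post), the DSquery-into-DSget pipeline the answer describes, driven from PowerShell so the text output becomes objects you can sort and filter: it finds enabled users whose password is older than a threshold and reports their sAMAccountName. The OU, domain and 90-day threshold are assumptions for illustration.

```powershell
# Added example (not from the original post): chaining dsquery and dsget.
param(
    [string]$SearchBase = 'OU=Staff,DC=corp,DC=example',   # assumption: placeholder OU
    [int]$StalePasswordDays = 90                           # assumption: policy threshold
)

# dsquery user <startnode> -stalepwd N : users who have not changed their password in N days
# -limit 0 : return every match (the default caps results at 100)
# Output is one quoted DN per line, exactly the format dsget expects on stdin.
$dns = @(dsquery user $SearchBase -stalepwd $StalePasswordDays -limit 0)

function Get-DsgetUserRow([string]$QuotedDn) {
    # dsget prints a header line, then one line per object, then "dsget succeeded".
    # -c continues past individual errors instead of stopping the whole batch.
    $lines = $QuotedDn | dsget user -samid -disabled -c
    $row   = $lines | Select-Object -Skip 1 | Select-Object -First 1
    if (-not $row) { return $null }
    $parts = ($row.Trim() -split '\s+')     # columns: samid  disabled(yes/no)
    [pscustomobject]@{
        DN             = $QuotedDn.Trim('"')
        SamAccountName = $parts[0]
        Disabled       = ($parts[1] -eq 'yes')
    }
}

$report = $dns | ForEach-Object { Get-DsgetUserRow $_ } | Where-Object { $_ }

"Users under $SearchBase with passwords older than $StalePasswordDays days:"
$report | Where-Object { -not $_.Disabled } | Sort-Object SamAccountName | Format-Table -AutoSize
"(disabled accounts omitted: $(@($report | Where-Object Disabled).Count))"
```

The same query in one line at a plain command prompt is dsquery user OU=Staff,DC=corp,DC=example -stalepwd 90 -limit 0 | dsget user -samid -disabled; the PowerShell wrapper only adds parsing so the result can be filtered.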
- What are the FSMO roles? Who has them by default? What happens when each one fails?
FSMO stands for Flexible Single Master Operation: the handful of directory
operations that cannot be multi-master and must therefore be performed by
exactly one DC at a time. The first DC installed in the forest holds all five
roles by default, and the first DC installed in each additional domain holds
that domain's three. Roles are transferred with ntdsutil, the AD snap-ins or
Move-ADDirectoryServerOperationMasterRole, and seized (same tools, with the
force option) only when the holder is permanently lost; a DC whose schema,
domain naming or RID role has been seized must never be brought back online.
It has 5 Roles: -
- Schema Master:
The schema master domain controller controls all updates and modifications to
the schema. Once a schema update is complete, it is replicated from the schema
master to all other DCs in the forest. To update the schema of a forest you
must have access to the schema master and be a member of Schema Admins. There
can be only one schema master in the whole forest; by default it is the first
DC installed in the forest. If it fails, day-to-day operation is unaffected;
only schema extensions (installing Exchange, extending for a new product) are
blocked until it is back or the role is seized.
- Domain naming master:
The domain naming master domain controller controls the addition or removal of
domains in the forest. This DC is the only one that can add or remove a domain
from the directory. It can also add or remove cross references to domains in
external directories and create application directory partitions. There can be
only one domain naming master in the whole forest; by default it is the first
DC installed in the forest. If it fails, domains and application partitions
cannot be added or removed, but everything else continues to work.
- Infrastructure Master:
When an object in one domain is referenced by an object in another domain (for
example a user from domain A who is a member of a group in domain B), the
reference is stored as the GUID, the SID (for references to security
principals), and the DN of the object being referenced. The infrastructure
FSMO role holder is the DC responsible for updating the SID and distinguished
name in such cross-domain object references when the referenced object is
renamed or moved. At any one time there can be only one domain controller
acting as the infrastructure master in each domain; by default it is the first
DC installed in that domain. If it fails, group memberships that reference
objects in other domains can show stale names until it is back; a
single-domain forest is not affected at all.
Note: The Infrastructure Master (IM) role should be held by a domain
controller that is not a Global Catalog server (GC). If the Infrastructure
Master runs on a Global Catalog server it will stop updating object
information, because it never holds references to objects it does not have: a
Global Catalog server holds a partial replica of every object in the forest,
so it never notices that a reference is out of date. As a result, cross-domain
object references in that domain will not be updated and a warning to that
effect (NTDS Replication event 1419) will be logged in that DC's event log. If
all the domain controllers in a domain also host the global catalog, all the
domain controllers have the current data, and it is not important which domain
controller holds the infrastructure master role. The same is true once the
Active Directory Recycle Bin is enabled, because every DC then updates these
references for itself.
- Relative ID (RID) Master:
The RID master is responsible for processing RID pool requests from all
domain controllers in a particular domain. When a DC creates a security
principal object such as a user or group, it attaches a unique Security ID
(SID) to the object. This SID consists of a domain SID (the same for all SIDs
created in a domain) and a relative ID (RID) that is unique for each security
principal SID created in the domain. Each DC in a domain is allocated a pool
of RIDs (500 by default) that it is allowed to assign to the security
principals it creates. When a DC's allocated RID pool falls below a threshold,
that DC issues a request for additional RIDs to the domain's RID master. The
RID master responds by retrieving RIDs from the domain's unallocated RID pool
and assigning them to the pool of the requesting DC. At any one time, there can
be only one domain controller acting as the RID master in the domain; by
default it is the first DC installed in that domain. If it fails, each DC keeps
creating accounts until its own pool is exhausted and then fails to create
users, groups or computers; the RID master is also required to move objects
between domains.
- PDC Emulator:
The PDC emulator sits at the top of the time hierarchy. Windows 2000/2003 and
later include the W32Time (Windows Time) service, which the Kerberos
authentication protocol requires because tickets are rejected when clocks
differ by more than the permitted skew (5 minutes by default). All Windows
computers within an enterprise therefore use a common time, and the purpose of
the time service hierarchy is to control authority and avoid loops so that the
common time is trustworthy.
The PDC emulator of a domain is authoritative for that domain. The PDC emulator
of the forest root domain is authoritative for the enterprise and should be
configured to gather time from an external source. All PDC FSMO role holders
follow the hierarchy of domains in selecting their inbound time partner.
In a Windows 2000/2003 (and later) domain, the PDC emulator role holder also
performs the following functions:
· Password changes performed by other DCs in the domain are replicated
preferentially (urgently) to the PDC emulator.
· Authentication failures that occur at a given DC in a domain because of an
incorrect password are retried against the PDC emulator before a bad-password
failure is reported to the user, so a freshly changed password works everywhere
at once.
· Account lockout is processed on the PDC emulator.
· Editing or creation of Group Policy Objects (GPO) is always done against the
GPO copy found in the PDC emulator's SYSVOL share, unless the administrator
configures the Group Policy editor not to do so.
· The PDC emulator performs all of the functionality that a Microsoft Windows
NT 4.0 Server-based PDC (or earlier) performs for Windows NT 4.0-based or
earlier clients and BDCs.
This last part of the PDC emulator role becomes unnecessary once all
workstations, member servers, and domain controllers running Windows NT 4.0 or
earlier have been upgraded; the PDC emulator still performs the other functions
in a Windows 2000/2003 (and later) environment.
If the PDC emulator fails, users notice first: a freshly changed password may
be rejected by DCs that have not yet received it, lockout handling and time
synchronisation lose their reference point, and any remaining NT 4.0 systems
stop working. It is therefore the role to seize most promptly if its holder
cannot be recovered quickly (and the only one, with the infrastructure master,
whose former holder may safely return afterwards).
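An added example (not from the original post) that answers "who has them" for a running forest: it prints the holder of each of the five roles, the same information netdom query fsmo gives, and then checks the infrastructure master rule from the note above for every domain, warning where the IM sits on a GC while other DCs in that domain are not GCs. It assumes the ActiveDirectory module is available; the commented transfer command at the end uses placeholder names.

```powershell
# Added example (not from the original post): FSMO holders and the IM/GC rule.
Import-Module ActiveDirectory

function Get-FsmoReport {
    $forest = Get-ADForest
    $out = @()
    $out += [pscustomobject]@{ Scope = $forest.Name; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster;       Note = '' }
    $out += [pscustomobject]@{ Scope = $forest.Name; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster; Note = '' }

    foreach ($domainName in $forest.Domains) {
        $d = Get-ADDomain -Identity $domainName

        # Query the domain's own DCs via its PDC so the answer is authoritative for that domain.
        $dcs   = @(Get-ADDomainController -Filter * -Server $d.PDCEmulator)
        $allGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
        $imDc  = $dcs | Where-Object { $_.HostName -eq $d.InfrastructureMaster }

        $imNote = if ($allGc) { 'all DCs are GCs; placement irrelevant' }
                  elseif ($imDc -and $imDc.IsGlobalCatalog) { 'WARNING: IM on a GC while other DCs are not; cross-domain references will not update' }
                  else { 'ok' }

        $out += [pscustomobject]@{ Scope = $domainName; Role = 'PDCEmulator';          Holder = $d.PDCEmulator;          Note = '' }
        $out += [pscustomobject]@{ Scope = $domainName; Role = 'RIDMaster';            Holder = $d.RIDMaster;            Note = '' }
        $out += [pscustomobject]@{ Scope = $domainName; Role = 'InfrastructureMaster'; Holder = $d.InfrastructureMaster; Note = $imNote }
    }
    $out
}

$report = Get-FsmoReport
$report | Format-Table -AutoSize

$report | Where-Object { $_.Note -like 'WARNING*' } | ForEach-Object {
    Write-Warning "$($_.Scope): $($_.Note)"
}

# Graceful transfer while the current holder is online (placeholder names):
# Move-ADDirectoryServerOperationMasterRole -Identity 'DC02' -OperationMasterRole RIDMaster
# Seizure when the holder is gone for good adds -Force; never bring the old
# schema, domain naming or RID holder back online afterwards.
```

Run this after any DC decommissioning: a role still pointing at a removed server is the most common reason RID allocation or schema changes quietly stop working months later.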