What is Active Directory?
AD is a directory service. A directory service stores information about network resources and makes those resources accessible to users and computers. It helps to centrally manage, organize and control access to resources. AD objects include users, groups, computers, printers, etc. Servers, domains and sites are also considered AD objects.
The Directory Data Store?
All the data in the ADS database is stored in a file named NTDS.DIT, together with transaction logs, on the domain controller. These data files are stored by default in the %SystemRoot%\NTDS folder on the domain controller. They hold all the directory information for the domain as well as information that is shared by all domain controllers in a given organization.
Global catalog servers also store the global catalog data in the same file.
What is a forest?
A forest is a collection of one or more trees. The domain trees in a forest do not form a contiguous namespace, but they share:
• A common schema
• Common configuration information
• A common global catalog
Explain the schema?
The schema is the collection of objects and their classes.
Example:
Object = User Name
Attributes: Home Dir, Home Address
Schema objects cannot be deleted; they can only be marked as deactivated. This is managed by the Schema Master.
What is a tree?
A tree is a collection of one or more domains arranged in a hierarchy using a parent-child relationship.
What is a Domain?
A domain is a grouping of objects in Active Directory that can be managed together. A domain can function as a security boundary for access to resources such as computers, printers, servers, applications and file systems. A domain is a logical grouping of network resources and devices that are administered as a single unit.
The information within the domain is replicated from domain controller to domain controller to provide redundancy, fault tolerance and load balancing for Active Directory. You might use more than one domain for a variety of reasons.
For example, suppose your company has separate business units or is separated by distance. In this case you might want to create separate domains to cut down on the replication and authentication traffic that would be required to maintain a consistent environment.
What are the components of Active Directory?
There are two types of components:
• Logical structures (Domains, Organizational Units, Trees and Forests)
• Physical structures (Sites and Domain Controllers)
Active Directory Partitions:
The information stored in the directory (in the NTDS.DIT file) is logically partitioned into four categories. Each of these information categories is referred to as a directory partition; directory partitions are the units of replication. The directory contains the following four partitions:
• Schema Partition
• Configuration Partition
• Domain Partition
• Application Directory Partition
Schema Partition:
This partition defines the objects that can be created in the directory and the attributes those objects can have. This data is common to all domains in a forest and is replicated to all domain controllers in the forest.
Configuration Partition:
This partition describes the logical structure of the deployment, including data such as the domain structure and the replication topology. This data is common to all domains in a forest and is replicated to all domain controllers in the forest.
Domain Partition:
This partition describes all of the objects in a domain. This data is domain specific and is not replicated to any other domain. However, the data is replicated to every domain controller in that domain.
Application Directory Partition:
A partition new to Windows Server 2003 that allows information to be replicated to administratively chosen domain controllers. An example of information that is commonly stored in an application partition is DNS data.
What is the function of the KCC?
The KCC is a built-in process that runs on all domain controllers. The KCC configures connection objects between domain controllers. Within a site, each KCC generates its own connections. For replication between sites, a single KCC per site generates all connections between sites.
How to test whether an Active Directory user account and password are working?
net use * \\ServerName\Share /User:Domain\UserName Password
The * assigns a drive letter based on the drive letters available.
How to search for a particular value in the profile path?
HTTP://WWW.Petri.co.il/Forums/showthread.php?t=61241
I would like to query for all users with a value containing \\specificserver and export only those records to a spreadsheet.
adfind -csv -f "(profilePath=*ServerName*)" > c:\export.csv
If you want additional properties, add them at the end, i.e.:
adfind -csv -f "(profilePath=*ServerName*)" sAMAccountName description > c:\export.csv
What is Linked Value Replication?
In a Server 2003 or Server 2008 functional level domain/forest, NTDSUTIL uses what is called Linked Value Replication to restore group membership to restored accounts.
When you do an authoritative restore in a Windows 2000 functional level domain, you end up losing group memberships on your user accounts.
During the authoritative restore, at least one file called an LDIF file is created. You can use this file to quickly restore group membership to all the users you restored by using what are called back links from the LDIF file.
In a Server 2003 or 2008 functional level domain, this process restores group membership to restored accounts automatically.
How the Client Determines Which Site It Belongs To:
Having site-specific records is important for ADS to operate efficiently, because a lot of client network traffic can be limited to a particular site. For example, the client logon process always tries to connect to a domain controller in the client's own site before connecting to any other site. So how does the client know which site it belongs to?
The site information for the forest is stored in the configuration directory partition in ADS, and this information is replicated to all domain controllers in the forest. Included with the configuration information is a list of IP subnets that are associated with a particular site. When the client logs on to ADS for the first time, the first domain controller to respond compares the client's IP address with the site IP subnets. Part of the domain controller's response to the client is the site information, which the client then caches. Any future logon attempts will include the client's site information.
If the client is moved between sites (for example, a portable computer may be connected to a network in a different city), the client still sends the cached site information as part of the logon. The DNS server will respond with the record of a domain controller that is in the requested site. However, if that domain controller determines from the client's new IP address that the client is not in the original site, it will send the new site information to the client; the client then caches this information and tries to locate a domain controller in the correct site.
If the client is not in any site that is defined in ADS, it cannot make site-specific requests for domain controllers.
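The subnet-to-site matching described above, as an added example in Python (not code from the original post). The subnet list, site names and client addresses are constructed for the example; the most specific matching subnet wins, and an address covered by no subnet gets no site.

```python
import ipaddress
from typing import Optional

# Constructed stand-in for the subnet-to-site list held in the configuration
# partition. Sites and subnets are made up for this example.
SITE_SUBNETS = {
    "10.1.0.0/16": "HQ",
    "10.1.50.0/24": "HQ-Datacenter",   # more specific than 10.1.0.0/16
    "10.2.0.0/16": "BranchEast",
    "192.168.100.0/24": "BranchWest",
}


def site_for_ip(client_ip: str, subnets: dict = SITE_SUBNETS) -> Optional[str]:
    """Return the site whose subnet contains client_ip, or None when no
    site is defined for that address (the client then cannot make
    site-specific DC requests). If several subnets match, the longest
    prefix (most specific subnet) decides."""
    addr = ipaddress.ip_address(client_ip)
    best_prefix, best_site = -1, None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr.version == net.version and addr in net and net.prefixlen > best_prefix:
            best_prefix, best_site = net.prefixlen, site
    return best_site


def dc_logon_response(client_ip: str, cached_site: Optional[str]) -> dict:
    """Model the DC side of the exchange: compare the client's current IP
    against the site subnets and, when the client's cached site no longer
    matches, hand back the correct site for the client to cache."""
    actual = site_for_ip(client_ip)
    return {
        "client_site": actual,
        "site_changed": actual is not None and cached_site != actual,
        "site_specific_lookup_possible": actual is not None,
    }


if __name__ == "__main__":
    # A laptop that last logged on at HQ now appears on the BranchEast network.
    print(dc_logon_response("10.2.7.15", cached_site="HQ"))
    # An address covered by no subnet object: no site can be assigned.
    print(dc_logon_response("172.16.0.9", cached_site="HQ"))
```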
Troubleshooting with the Dcpromo Log Files?
Windows 2003 maintains Dcpromo log files that pertain to Active Directory installation. When installing or removing Active Directory using the Active Directory Installation Wizard, the following log files are created in the %SystemRoot%\Debug folder:
• Dcpromoui.log
• Dcpromos.log
• Dcpromo.log
Dcpromoui.log
The Dcpromoui.log file contains a detailed progress report of the Active Directory installation and removal processes from a graphical interface perspective. Logging begins when the Active Directory Installation Wizard is opened and continues until the summary page appears, regardless of whether the wizard terminated prematurely or completed successfully. If the installation or removal fails, detailed error messages appear in the log immediately after the step that caused the failure. When the installation or removal process is successful, the log provides positive confirmation of that fact. The Dcpromoui.log file includes the following information about the installation or removal of Active Directory:
• The name of the source domain controller for replication
• The directory partitions that were replicated to the target server
• The number of items that were replicated in each directory partition
• The services configured on the target domain controller
• The access control entries (ACEs) set on the registry and files
• The Sysvol directories
• Applicable error messages
• Applicable selections that were entered by the administrator during the installation or removal process
Dcpromos.log
The Dcpromos.log file is similar to Dcpromoui.log. Dcpromos.log is created by the user interface during the graphical user interface mode of setup when a Microsoft Windows NT 3.x-based or Microsoft Windows NT 4-based domain controller is promoted to a Windows 2000 domain controller.
Dcpromo.log
The Dcpromo.log file records settings used for promotion or demotion, such as the site name, the path for the Active Directory database and log files, time synchronization, and information about the computer account. The Dcpromo.log file captures the creation of the Active Directory database and Sysvol trees and the installation, modification, and removal of services. This file is created by the Active Directory Installation Wizard.
Designating a Preferred Bridgehead Server?
Bridgehead servers are the contact point for the exchange of directory information between sites. Replication occurs between bridgehead servers in different sites.
When two sites are connected by a site link, the KCC automatically selects bridgehead servers, one in each site for each domain that has domain controllers in the site. You can specify multiple preferred bridgehead servers, but only one in each site is the active preferred bridgehead server at any time.
The ISTG (Inter-Site Topology Generator) automatically assigns one server in each site as the bridgehead server. Remember that intersite replication traffic is compressed by default, and the bridgehead servers are responsible for sending and receiving all replication traffic within the site and between the sites.
When more than one preferred bridgehead server is configured and the active preferred bridgehead server fails, the KCC will choose another server from the list.
Universal Group Membership Caching is enabled for an entire site; the information in the cache is refreshed every 8 hours by default using a configuration request.
When replicating between sites, a bridgehead server is a single server in each site selected to perform site-to-site replication. Bridgehead servers are the gatekeepers of Active Directory replication between sites.
Once updated, the bridgehead server then proceeds to update the remainder of its domain controller partners with the newly replicated information. For example, suppose the WAN link is down for several hours between two locations of a corporate network. During this time, changes are made to objects and attributes.
The USN and timestamp of the changes are compared with those on the bridgehead servers.
If the same objects are modified at both ends of the WAN while the link was down, the USN will be incremented to the same number. When this occurs the timestamps are compared, and the latest timestamp decides which object is the most recent.
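The conflict resolution just described, as an added Python example (not code from the original post): two sites change the same attribute while the link is down, the copies carry the same version, and the later timestamp wins. The scenario, DC names and the `originating_dc` tie-breaker field are constructed for the example; the version-first rule is the one the text states, and the final tie-break on originating DC is added so the function always returns a winner.

```python
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class AttributeReplica:
    """One DC's copy of a single attribute plus the replication metadata the
    text compares: the attribute version (the text calls it the USN), the
    originating timestamp and an identifier for the originating DC."""
    value: str
    version: int
    timestamp: datetime
    originating_dc: str   # constructed identifier; stands in for the DC's invocation ID


def local_write(current: AttributeReplica, new_value: str,
                when: datetime, dc: str) -> AttributeReplica:
    """A change made on one DC while the WAN link is down: the version goes up
    by one and the write is stamped with its time and originating DC."""
    return AttributeReplica(new_value, current.version + 1, when, dc)


def resolve_conflict(a: AttributeReplica, b: AttributeReplica) -> AttributeReplica:
    """Decide which copy survives when the bridgehead servers reconnect and the
    same attribute was changed at both ends.
    1. The higher version wins outright.
    2. Equal versions (each end made the same number of changes): the later
       timestamp wins, as the text describes.
    3. Equal timestamps as well: fall back to the originating DC identifier so
       the outcome is still deterministic (an assumption added here, not in
       the text above)."""
    if a.version != b.version:
        return a if a.version > b.version else b
    if a.timestamp != b.timestamp:
        return a if a.timestamp > b.timestamp else b
    return a if a.originating_dc > b.originating_dc else b


def simulate_wan_outage() -> dict:
    """Constructed scenario: both sites start from one replicated value of a
    user's description attribute, then change it independently."""
    utc = timezone.utc
    base = AttributeReplica("Sales", 5, datetime(2005, 6, 16, 0, 41, tzinfo=utc), "DC-HQ")
    # Each site makes exactly one change, so both copies reach version 6.
    hq = local_write(base, "Sales (EMEA)", datetime(2005, 6, 17, 9, 0, tzinfo=utc), "DC-HQ")
    branch = local_write(base, "Field Sales", datetime(2005, 6, 17, 11, 30, tzinfo=utc), "DC-BR")
    same_version_winner = resolve_conflict(hq, branch)
    # HQ edits again before the link returns: version 7 beats the branch copy
    # even though the branch write carries the later timestamp.
    hq2 = local_write(hq, "Sales (EMEA, UK)", datetime(2005, 6, 17, 10, 0, tzinfo=utc), "DC-HQ")
    higher_version_winner = resolve_conflict(hq2, branch)
    return {"same_version": same_version_winner, "higher_version": higher_version_winner}


if __name__ == "__main__":
    outcome = simulate_wan_outage()
    print("equal versions, later timestamp wins:", outcome["same_version"].value)
    print("higher version wins regardless of time:", outcome["higher_version"].value)
```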
What is ISTG?
The Intersite Topology Generator (ISTG) is the process used to initiate the creation and management of the replication topology between sites.
Checking the database for integrity?
Checking the database for integrity means that the database is checked at a low level to look for database corruption. The process also checks the database headers and checks all the tables for consistency. Because every byte of the database is checked during this process, it will take a long time to run on a large database.
Semantic Database Analysis?
The semantic database analysis is different from the integrity check in that it does not examine the database at a binary level. Rather, the semantic analysis checks the database consistency against the Active Directory semantics. The semantic database analysis examines each object in the database to ensure that each object has a GUID, a proper SID and correct replication metadata.
To perform the semantic database analysis, perform the following steps:
1. Run NTDSUTIL.
2. Type: activate instance NTDS
3. Type: semantic database analysis
4. At the semantic checker prompt, type: verbose on
   This setting configures NTDSUTIL to write additional information to the screen when the semantic checker is running.
5. At the semantic checker prompt, type: go
What is the function of Replmon.exe?
Replmon.exe, the Active Directory Replication Monitor, enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication through a graphical interface.
What is the function of Repadmin.exe?
Repadmin.exe, the Replication Diagnostics Tool, allows you to view the replication topology as seen from the perspective of each domain controller. Repadmin.exe can be used in troubleshooting to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view the replication metadata and see how up-to-date a domain controller is.
What is the function of Dsastat.exe?
Dsastat.exe compares and detects differences between directory partitions on domain controllers and can be used to ensure that domain controllers are up-to-date with one another. The tool retrieves capacity statistics such as megabytes per server, objects per server, and megabytes per object class, and compares the attributes of replicated objects.
Authoritative Restore Example?
Once an object has been restored, its USN value is increased by 10,000 to let all other DCs know that this object wins in replication.
E:\ntdsutil>ntdsutil
ntdsutil: authoritative restore
authoritative restore: restore object OU=bosses,DC=ourdom,DC=com
Opening DIT database... Done.
The current time is 06-17-05 12:34.12.
Most recent database update occurred at 06-16-05 00:41.25.
Increasing attribute version numbers by 100000.
Counting records that need updating...
Records found: 0000000012
How do we see the GUID and SID?
We can see the GUID and SID through the rescue kit.
Install the rescue kit, then register the following DLL:
regsvr32 acctinfo.dll
How to register and unregister acctinfo.dll?
regsvr32 %systemroot%\system32\acctinfo.dll   (registers the DLL)
regsvr32 /u %systemroot%\system32\acctinfo.dll   (unregisters the DLL)
The Query Process?
A query is a specific request made by a user to the global catalog in order to retrieve, modify, or delete Active Directory data.
The following steps describe the query process:
1. The client queries its DNS server for the location of the global catalog server.
2. The DNS server searches for the global catalog server location and returns the IP address of the domain controller designated as the global catalog server.
3. The client queries the IP address of the domain controller designated as the global catalog server. The query is sent to port 3268 on the domain controller; standard Active Directory queries are sent to port 389.
4. The global catalog server processes the query. If the global catalog contains the attribute of the object being searched for, the global catalog server provides a response to the client. If the global catalog does not contain the attribute of the object being searched for, the query is referred to Active Directory.
You can configure any domain controller or designate additional domain controllers as global catalog servers. When considering which domain controllers to designate as global catalog servers, base your decision on the ability of your network structure to handle replication and query traffic.
What is the default data path for Active Directory?
The default path is on the boot partition under \Windows\NTDS. Generally, it is a good idea to put the files on a separate volume from the operating system files to improve performance.
Default path for Active Directory is C:\Winnt\NTDS\NTDS.DIT
Active Directory includes 4 files:
• NTDS.DIT: The Active Directory database.
• EDB.CHK: The checkpoint file.
• EDB.LOG: The transaction logs, each 10 MB in size.
• Res1.log and Res2.log: Reserved transaction logs.
Explain the Active Directory Database NTDS.DIT
Active Directory's database engine is the Extensible Storage Engine (ESE), which is based on the Jet database and can grow up to 16 TB.
This is the main AD database. NTDS stands for NT Directory Services and DIT stands for Directory Information Tree. The Ntds.dit file on a particular domain controller contains all naming contexts hosted by that domain controller, including the Configuration and Schema naming contexts. A Global Catalog server stores the partial naming context replicas in the Ntds.dit right along with the full Domain naming context for its domain.
This is the AD database and stores all AD objects. Default location is %SystemRoot%\ntds\NTDS.DIT.
NTDS.DIT consists of the following tables:
Schema Table
The types of objects that can be created in the Active Directory, the relationships between them and the attributes on each type of object. This table is fairly static and much smaller than the data table.
Link Table
Contains linked attributes, which contain values referring to other objects in the Active Directory. Take the MemberOf attribute on a user object: that attribute contains values that reference groups to which the user belongs. This table is also far smaller than the data table.
Data Table
Users, groups, application-specific data, and any other data stored in the Active Directory.
Edb.log:
This is a transaction log. Any changes made to objects in Active Directory are first saved to a transaction log. The database engine then commits the transactions into the main Ntds.dit database. This ensures that the database can be recovered in the event of a system crash. Entries that have not been committed to Ntds.dit are kept in memory to improve performance. Transaction log files used by the ESE engine are always 10 MB.
Edbxxxxx.log:
These are auxiliary transaction logs used to store changes if the main Edb.log file gets full before it can be flushed to Ntds.dit. The xxxxx stands for a sequential number in hex. When the Edb.log file fills up, an Edbtemp.log file is opened. The original Edb.log file is renamed to Edb00001.log, Edbtemp.log is renamed to Edb.log, and the process starts over again. ESENT uses circular logging. Excess log files are deleted after they have been committed. You may see more than one Edbxxxxx.log file if a busy domain controller has many updates pending.
Edb.chk:
This is a checkpoint file. It is used by the transaction logging system to mark the point at which updates are transferred from the log files to Ntds.dit. As transactions are committed, the checkpoint moves forward in the Edb.chk file. If the system terminates abnormally, the pointer tells the system how far along a given set of commits had progressed before the termination.
Res1.log and Res2.log:
These are reserve log files. If the hard drive fills to capacity just as the system is attempting to create an Edbxxxxx.log file, the space reserved by the Res log files is used. The system then puts a dire warning on the screen prompting you to take action to free up disk space quickly before Active Directory gets corrupted. You should never let a volume containing Active Directory files get even close to being full. File fragmentation is a big performance thief, and fragmentation increases exponentially as free space diminishes. Also, you may run into problems with online database defragmentation (compaction) as you run out of drive space. This can cause Active Directory to stop working if the indexes cannot be rebuilt.
Temp.edb:
This is a scratch pad used to store information about in-progress transactions and to hold pages pulled out of Ntds.dit during compaction.
Schema.ini:
This file is used to initialize the Ntds.dit during the initial promotion of a domain controller. It is not used after that has been accomplished.
What is a Global Catalog Server?
A global catalog server is a domain controller that holds a master searchable database containing information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and contains a partial replica of all objects in Active Directory for every other domain in the forest. It has two important functions:
* Provides group membership information during logon and authentication.
* It enables finding directory information regardless of which domain in the
TIP: if a user is a member of the Domain Admins group, they are able to log on to the network even when the global catalog is not available.
What are the phantom records?
Phantom records contain:
• DN
• SID
• GUID
It should not play GC.
How do we see the schema master?
Run: regsvr32 schmmgmt.dll
Then, using MMC, add the Active Directory Schema snap-in.
What are the Active Directory Management Tools?
• NTDSUTIL
• REPADMIN
• REPLMON
• NETDOM (Netdom.exe: the netdom.exe utility can rename a computer that is a member of a Windows Server 2003 domain.)
• NLTEST
• NETDIAG
• DCDIAG
• ADSIEDIT
What must be done to an AD forest before Exchange can be deployed?
Setup.exe /forestprep
What is the expansion of .DIT in NTDS.DIT?
.DIT = Directory Information Tree
What is the NTDS.DIT file default size?
40 MB (this file is contained in the c:\windows\NTDS folder)
A change to the tombstone lifetime in Windows Server 2003 SP1.
The default tombstone lifetime (TSL) in Windows Server 2003 has proven to be too short. For example, a pre-staged domain controller may be in transit for longer than 60 days. An administrator may not resolve an application failure or bring an offline domain controller into operation until the TSL is exceeded. Windows Server 2003 Service Pack 1 (SP1) increases the TSL from 60 to 180 days in the following
What is the size of Active Directory objects?
Before you install Active Directory, you have to know the potential size of the Active Directory database. Active Directory database space requirements are much smaller than you might think. The approximate sizes of objects and attributes in Active Directory are listed as follows.

| S.No | Object | Size |
|---|---|---|
| 1 | Security Principal (Users, Groups and Computers) | 3600 bytes |
| 2 | Organizational Unit (OU) | 1100 bytes |
| 3 | Security Certificate mapped to a user | 1500 bytes |
| 4 | Object attributes | ~100 bytes |
| 5 | Access Control Entry (ACE) | 70 bytes per ACE |
Define Active Directory Maintenance?
Active Directory is a database with its own database engine named the Extensible Storage Engine (ESE). The ESE is responsible for managing changes to the Active Directory database.
Active Directory has two methods of defragmentation:
• Online Defragmentation
• Offline Defragmentation
Online Defragmentation:
Online defragmentation is an automatic process that occurs as part of the garbage collection process. The garbage collection process runs by default every 12 hours on all domain controllers in the forest. When the garbage collection process begins, it removes all tombstones from the database. A tombstone is what is left of an object that has been deleted. Deleted objects are not completely removed from the Active Directory database; they are marked for deletion. Tombstone objects are permanently deleted during the garbage collection process, along with unnecessary log files.
The advantage of an online defragmentation is that it occurs automatically and doesn't require the server to be offline to run. An online defragmentation does not reduce the actual size of the Active Directory database.
Offline Defragmentation:
Offline defragmentation is a manual process that defragments the Active Directory database in addition to reducing its size.
The following tasks should be performed prior to running an offline defragmentation:
1) Before you begin, take a System State backup.
2) Create a temp folder for the compacted database.
3) Check to ensure that you have free space equivalent to the size of the current database plus at least an additional 15 percent. This ensures that there is enough space for temporary storage during the defragmentation process in addition to space for the newly compacted database.
Performing offline defragmentation:
1) Restart the domain controller and press F8 to select Directory Services Restore Mode.
2) Log on to Directory Services Restore Mode using the restore mode password.
3) Open a command prompt.
4) Run NTDSUTIL.
5) Type: files
6) Type: compact to drive:\Directory
7) Type: quit
8) Type: quit
9) Copy the database file from the temp directory to the C:\Windows\NTDS directory.
10) Restart the domain controller.
Active Directory Backup and Restore?
There are two methods:
• Primary Restore
• Normal Restore
Primary Restore:
This method is required when all Active Directory information is lost for the entire domain. For example, if all domain controllers fail, or if there was only one domain controller before the failure, you need to perform a primary restore in order to rebuild the domain from a recent backup.
Normal Restore:
This method restores the Active Directory database to the state it had when the backup was taken. This method can be used when you want to restore a single domain controller to a point in time when it was considered good. If there are other domain controllers in the domain, the replication process updates the restored domain controller with the most recent information after the restore is complete. You may see this method also referred to as a non-authoritative restore.
Caution
Active Directory cannot be restored from a backup that is older than the tombstone lifetime (60 days by default). Domain controllers only keep track of deleted objects for the duration of the tombstone lifetime. If your backup is older than the tombstone lifetime, you lose any changes that you made to the database since that backup.
Universal Group Caching:
A new feature in Windows Server 2003 that allows domain controllers to process a logon or resource request without the presence of a global catalog server.
The domain controller periodically contacts a global catalog server for universal group membership information. This information is copied to the domain controller.
How will you verify whether the AD installation is proper?
Verify SRV Resource Records
After AD is installed, the DC will register SRV records in DNS when it restarts. We can check this using the DNS MMC or the nslookup command.
Using MMC
If the SRV records are registered, the following folders will be present under the domain folder in the Forward Lookup Zone:
• _msdcs
• _sites
• _tcp
• _udp
Using nslookup
>nslookup
>ls -t SRV Domain
If the SRV records are properly created, they will be listed.
What is Universal Group Membership Caching?
When a branch office does not have a global catalog, we can use Universal Group Membership Caching (UGMC) for logon credentials.
The first time the user logs on to the server, UGMC collects the user's information and stores it in the cache. The next time the user logs on to the server, UGMC supplies the logon information.
The UGMC is updated every replication interval.
Domain and Forest Functional Levels?
We can check and change the Domain and Forest Functional Levels through:
1) Active Directory Users and Computers (Domain Level Roles)
2) Active Directory Domains and Trusts (Forest Level Role (Domain Naming Master Role))
3) Schema Master Role (Forest Level Role)
Note: if you want to raise your domain or forest functional level, go through the options below.
Domain Functional Level:
1) Open Active Directory Domains and Trusts.
2) Select the server name.
3) Right-click the server name and choose Raise Domain Functional Level.
Forest Functional Level:
1) Open Active Directory Domains and Trusts.
2) Select the root console node (not the server), right-click it and choose Raise Forest Functional Level.
What is a GUID?
Globally Unique Identifier (GUID):
The GUID is a 128-bit hexadecimal number that is assigned to every object in the Active Directory forest upon its creation. This number does not change, even when the object itself is renamed. The number is not used again, even if an object is deleted and recreated with the same display name.
What happens when running adprep.exe?
Adprep is the command-line tool used to prepare a Windows 2000 forest and domain for upgrade to Windows Server 2003.
Adprep /ForestPrep runs on the schema master FSMO role holder.
Adprep /DomainPrep runs on the infrastructure master role holder in the domain.
Adprep /DomainPrep does not function if the changes performed by adprep /forestprep have not completed.
How many members can we add to a single group?
You can add a maximum of 5000 users to a group.
Group Types:
There are two types:
1) Distribution Groups (non-security related)
2) Security Groups (security related)
Distribution Groups: used for email and by software distribution programs such as Microsoft Systems Management Server to update desktop applications.
Only applications designed to work with AD can use distribution groups.
Converting Group Types:
After a group is created, it can be converted from a security group to a distribution group and vice versa at any time, as long as the domain functional level is set to Windows 2000 native or higher. The Windows 2000 mixed domain functional level does not support the conversion of groups.
Group Nesting
Group nesting is used to simplify permissions.
Understanding the Schema
Every resource in Active Directory is represented as an object, and each object has a set of attributes that are associated with it.
The schema has two components: object classes and attributes.
How many passwords by default are remembered when you check "Enforce Password History Remembered"?
The user's last 6 passwords.
What is the Active Directory Web Console Port?
8098
What authentication protocols are used for trusts?
NTLM
Kerberos
How often do we need to renew the trust password?
Every 7 days.
How do you upgrade Windows 2000 to Windows Server 2003?
I386>adprep /forestprep (it will update your schema)
I386>adprep /domainprep
Setup
I am trying to create a new universal user group. Why can't I?
Universal groups are allowed only in native-mode Windows Server 2003 environments. Native mode requires that all domain controllers be promoted to Windows Server 2003 Active Directory.