AD_Q&A


8/12/2019 AD_Q&A (1/44)

Sanjo Thomas, CCNA, MCSE, MCDBA [email protected]


    Microsoft Windows 2000 Active Directory

What is LDAP?

LDAP (Lightweight Directory Access Protocol) is the directory service protocol used to query and update AD. LDAP naming paths are used to access AD objects and come in two forms:

Distinguished names
Relative distinguished names

A distinguished name (DN) gives the complete path of the object, from the object itself up to the root of the domain.

E.g. CN=Sanjo Thomas,OU=India,DC=Microsoft,DC=com

A relative distinguished name (RDN) is the portion of the distinguished name that uniquely identifies the object within its parent container; it is the leftmost component of the DN.

E.g. CN=Sanjo Thomas or OU=India
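As an added example that is not part of the original Q&A, the Python below parses a DN into its RDNs the way an LDAP client has to (honouring the backslash escapes of RFC 4514, so a comma inside a name is not mistaken for an RDN separator) and escapes values before a DN is built from data you do not control. The second half is the security-relevant check: an unescaped user name such as Sanjo,OU=Admins silently adds an RDN to the path. The DNs in the block are constructed; multi-valued RDNs joined with + are not handled.

```python
"""Parse and build LDAP distinguished names (RFC 4514 string form).

Added example, not part of the original Q&A document. The DNs used below are
constructed for illustration. Multi-valued RDNs ("CN=a+SN=b") are not handled:
the '+' is kept as part of the value.
"""
from typing import List, Tuple

# Characters that must always be backslash-escaped inside an attribute value.
MUST_ESCAPE = set(',+"\\<>;')
HEX = set("0123456789abcdefABCDEF")


def _join(chars: List[Tuple[str, bool]]) -> str:
    """Join (char, was_escaped) pairs, dropping only unescaped edge spaces."""
    lo, hi = 0, len(chars)
    while lo < hi and chars[lo] == (" ", False):
        lo += 1
    while hi > lo and chars[hi - 1] == (" ", False):
        hi -= 1
    return "".join(c for c, _ in chars[lo:hi])


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a DN into (attribute, value) pairs, leaf RDN first.

    Splitting on ',' alone would mis-parse 'CN=Thomas\\, Sanjo,OU=India';
    escapes are decoded here so the value compares equal to the real name.
    """
    rdns: List[Tuple[str, str]] = []
    attr = None                       # attribute type of the RDN being read
    buf: List[Tuple[str, bool]] = []  # characters of the current token
    i, n = 0, len(dn)
    while i < n:
        ch = dn[i]
        if ch == "\\":
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= HEX:
                buf.append((chr(int(pair, 16)), True))  # \2c style hex escape
                i += 3
                continue
            if i + 1 >= n:
                raise ValueError("dangling backslash at end of DN")
            buf.append((dn[i + 1], True))               # \, \\ \" \# \space ...
            i += 2
            continue
        if ch == "=" and attr is None:
            attr = _join(buf)
            buf = []
        elif ch == ",":
            if attr is None:
                raise ValueError("RDN without '=': %r" % _join(buf))
            rdns.append((attr, _join(buf)))
            attr, buf = None, []
        else:
            buf.append((ch, False))
        i += 1
    if attr is None:
        raise ValueError("RDN without '=': %r" % _join(buf))
    rdns.append((attr, _join(buf)))
    return rdns


def escape_value(value: str) -> str:
    """Escape an attribute value so it can be embedded in a DN string.

    Use this whenever a DN is built from data you do not control (a user name
    from a web form, say); otherwise 'Sanjo,OU=Admins' would inject an RDN.
    """
    out = []
    last = len(value) - 1
    for idx, ch in enumerate(value):
        if ch == "\x00":
            out.append("\\00")
        elif ch in MUST_ESCAPE or (idx == 0 and ch in " #") or (idx == last and ch == " "):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def build_dn(rdns: List[Tuple[str, str]]) -> str:
    """Inverse of parse_dn for single-valued RDNs."""
    return ",".join("%s=%s" % (a, escape_value(v)) for a, v in rdns)


def rdn(dn: str) -> str:
    """The relative distinguished name: the leaf component only."""
    return build_dn(parse_dn(dn)[:1])


def parent_dn(dn: str) -> str:
    """Everything except the leaf RDN, i.e. the container the object lives in."""
    return build_dn(parse_dn(dn)[1:])


if __name__ == "__main__":
    dn = "CN=Sanjo Thomas,OU=India,DC=Microsoft,DC=com"
    print(parse_dn(dn))
    print(rdn(dn), "|", parent_dn(dn))
    print(build_dn([("CN", "Sanjo,OU=Admins"), ("OU", "India")]))
```

parse_dn returns the leaf RDN first, matching the left-to-right order of the string; parent_dn of the page's example therefore gives OU=India,DC=Microsoft,DC=com, which is the container a new object would be created in.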

What is Active Directory?

AD is the directory service in a Windows 2000 network. AD is a hierarchical database. A directory service stores information about network resources and makes those resources accessible to users and computers. It helps to centrally manage, organize and control access to resources. AD objects include users, groups, computers, printers, etc. Servers, domains and sites are also considered AD objects.

Minimum requirements for installing AD

1. Windows 2000 Server, Advanced Server or Datacenter Server (not Professional)
2. Minimum disk space of 200 MB for the AD database and 50 MB for the log files
3. An NTFS partition (required to hold SYSVOL)
4. TCP/IP installed and configured to use DNS (the DNS server must support SRV records, and should support dynamic updates so the DC can register them itself)
5. Administrative privileges for creating a domain in an existing network (membership in Enterprise Admins to add a new domain to an existing forest)

How will you verify whether the AD installation is proper?

1. Verify the SRV resource records

After AD is installed, the DC registers its SRV records in DNS when it restarts (the Netlogon service performs the registration). We can check this using the DNS MMC snap-in or the nslookup command.

Using the MMC

If the SRV records are registered, the following folders will be present under the domain's zone in Forward Lookup Zones:

_msdcs, _sites, _tcp, _udp

Using nslookup

>nslookup
>ls -t SRV <domain>

If the SRV records were properly created, they will be listed. Note that ls requests a zone transfer, which a properly secured DNS server refuses to everything except its secondaries; if it is refused, set the query type to SRV instead and look up the individual records, such as _ldap._tcp.dc._msdcs.<domain>.

2. Verify SYSVOL

If the SYSVOL folder is not created properly, the data stored in SYSVOL, such as logon scripts and Group Policy templates, will not be replicated between DCs.

First verify that the following folder structure was created under %SystemRoot%\SYSVOL:

domain, staging, staging areas, sysvol

Then verify that the necessary shares were created:

>net share

It should show two shares, NETLOGON and SYSVOL. Both should be readable by Authenticated Users but writable only by administrators: anything that can write to SYSVOL can change the logon scripts and Group Policy applied to every computer in the domain.

3. Verify the database and log files

Make sure that the following files are present in %SystemRoot%\ntds:

Ntds.dit, Edb.*, Res*.log
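As an added example that is not part of the original document, the Python below automates the three checks above against captured command output rather than a live DC: it parses the record lines that nslookup's ls -t SRV prints and the share table that net share prints, and inspects a listing of %SystemRoot%\ntds. The transcripts and the directory listing in the block are constructed samples for the page's example domain microsoft.com and a hypothetical DC named dc1.microsoft.com; on a real DC you would paste in the actual output. The set of SRV names checked is the core set Netlogon registers for every DC, plus the PDC and GC records when those roles are claimed.

```python
"""Post-installation checks for a Windows 2000 DC, run over captured output.

Added example, not part of the original Q&A. The nslookup and 'net share'
transcripts and the ntds directory listing are constructed samples for the
page's example domain microsoft.com and a hypothetical DC dc1.microsoft.com.
"""
import re
from typing import Dict, Iterable, List, Set

# SRV records Netlogon registers for every DC; {d} is the DNS domain name.
REQUIRED_SRV = ["_ldap._tcp.{d}", "_kerberos._tcp.{d}", "_kerberos._udp.{d}",
                "_kpasswd._tcp.{d}", "_ldap._tcp.dc._msdcs.{d}", "_kerberos._tcp.dc._msdcs.{d}"]
PDC_SRV = "_ldap._tcp.pdc._msdcs.{d}"                    # registered by the PDC emulator only
GC_SRV = ["_gc._tcp.{d}", "_ldap._tcp.gc._msdcs.{d}"]   # registered by global catalog servers only
SRV_LINE = re.compile(r"^\s*(\S+)\s+SRV\s+priority=\d+,\s*weight=\d+,\s*port=\d+,\s*(\S+)", re.I)


def parse_nslookup_srv(output: str, domain: str) -> Dict[str, List[str]]:
    """Map each SRV record's FQDN to its target hosts, from 'ls -t SRV' output."""
    records: Dict[str, List[str]] = {}
    for line in output.splitlines():
        m = SRV_LINE.match(line)
        if not m:
            continue                                   # skips banner lines like "[dc1.microsoft.com]"
        name = m.group(1).rstrip(".").lower()
        if not name.endswith(domain.lower()):
            name = "%s.%s" % (name, domain.lower())    # ls prints names relative to the zone
        records.setdefault(name, []).append(m.group(2).rstrip(".").lower())
    return records


def parse_net_share(output: str) -> Set[str]:
    """Share names from 'net share' output: first column of each row below the dashed rule."""
    shares: Set[str] = set()
    in_table = False
    for line in output.splitlines():
        if line.startswith("----"):
            in_table = True
        elif in_table and line.strip() and not line.startswith("The command"):
            shares.add(line.split()[0].upper())
    return shares


def verify_dc(domain: str, dc_host: str, srv_output: str, share_output: str,
              ntds_files: Iterable[str], is_pdc: bool = False, is_gc: bool = False) -> List[str]:
    """Run the three checks; returns a list of problems, empty when the DC looks healthy."""
    problems: List[str] = []
    wanted = list(REQUIRED_SRV) + ([PDC_SRV] if is_pdc else []) + (GC_SRV if is_gc else [])
    records = parse_nslookup_srv(srv_output, domain)
    for template in wanted:
        name = template.format(d=domain).lower()
        if dc_host.lower() not in records.get(name, []):
            problems.append("missing SRV record %s -> %s" % (name, dc_host.lower()))
    shares = parse_net_share(share_output)
    for share in ("NETLOGON", "SYSVOL"):
        if share not in shares:
            problems.append("share %s not published" % share)
    files = {f.lower() for f in ntds_files}
    for required in ("ntds.dit", "edb.chk", "res1.log", "res2.log"):
        if required not in files:
            problems.append("%s missing from ntds directory" % required)
    if not any(f.startswith("edb") and f.endswith(".log") for f in files):
        problems.append("no edb*.log transaction log in ntds directory")
    return problems


# Constructed sample output, in the shape the two commands print it.
SAMPLE_SRV = """\
[dc1.microsoft.com]
 _ldap._tcp                SRV   priority=0, weight=100, port=389, dc1.microsoft.com
 _kerberos._tcp            SRV   priority=0, weight=100, port=88, dc1.microsoft.com
 _kerberos._udp            SRV   priority=0, weight=100, port=88, dc1.microsoft.com
 _kpasswd._tcp             SRV   priority=0, weight=100, port=464, dc1.microsoft.com
 _ldap._tcp.dc._msdcs      SRV   priority=0, weight=100, port=389, dc1.microsoft.com
 _kerberos._tcp.dc._msdcs  SRV   priority=0, weight=100, port=88, dc1.microsoft.com
 _ldap._tcp.pdc._msdcs     SRV   priority=0, weight=100, port=389, dc1.microsoft.com
"""
SAMPLE_NET_SHARE = r"""Share name   Resource                                      Remark

-------------------------------------------------------------------------------
ADMIN$       C:\WINNT                                      Remote Admin
C$           C:\                                           Default share
IPC$                                                       Remote IPC
NETLOGON     C:\WINNT\SYSVOL\sysvol\microsoft.com\SCRIPTS  Logon server share
SYSVOL       C:\WINNT\SYSVOL\sysvol                        Logon server share
The command completed successfully.
"""
SAMPLE_NTDS_DIR = ["ntds.dit", "edb.log", "edb00001.log", "edb.chk", "res1.log", "res2.log", "temp.edb"]


def check_sample_dc() -> List[str]:
    """The checks against the constructed sample; expected result is an empty list."""
    return verify_dc("microsoft.com", "dc1.microsoft.com", SAMPLE_SRV, SAMPLE_NET_SHARE,
                     SAMPLE_NTDS_DIR, is_pdc=True)


if __name__ == "__main__":
    print(check_sample_dc() or "dc1.microsoft.com passed all checks")
```

A record that resolves to some other DC but not to the one just promoted is reported as missing on purpose: the point of the check is that this DC registered itself, not that the domain has a DC somewhere.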

Explain the ADS database

Active Directory uses four kinds of files.

1. NTDS.DIT

This is the AD database and stores all AD objects. The default location is %SystemRoot%\ntds\NTDS.DIT. Active Directory's database engine is the Extensible Storage Engine (ESE), which is based on the Jet database engine; the database can grow up to 16 TB. Because this file holds every password hash in the domain, a copy of it together with the SYSTEM registry hive is all that is needed to recover the credentials offline, so backups and the DC's disks need the same protection as the DC itself.

NTDS.DIT consists of the following tables:

Schema table
The types of objects that can be created in the Active Directory, the relationships between them, and the attributes on each type of object. This table is fairly static and much smaller than the data table.

Link table
Contains linked attributes, which contain values referring to other objects in the Active Directory. Take the memberOf attribute on a user object: that attribute contains values that reference the groups to which the user belongs. This table is also far smaller than the data table.

Data table
Users, groups, application-specific data, and any other data stored in the Active Directory.

From a different perspective, Active Directory has three types of data:

Schema information
Definitional details about objects and attributes that one CAN store in the AD. Replicates to all DCs in the forest. Static in nature.

Configuration information
Configuration data about the forest and its trees (sites, subnets, site links, partitions). Replicates to all DCs in the forest. As static as your forest is.

Domain information
Object information for a domain. Replicates to all DCs within the domain. Every object is represented in the GC, but only a subset of its attribute values is copied there; the remaining attribute values replicate only within the domain.

2. EDB.LOG

This is the current transaction log file (10 MB). When EDB.LOG is full, it is renamed to EDBnnnnn.log, where nnnnn is an increasing hexadecimal number starting from 00001, and a new EDB.LOG is started.

3. EDB.CHK

This is the checkpoint file, used to track which transactions have not yet been written to the database file. It indicates the starting point from which data is to be recovered from the log files in case of failure.

4. Res1.log and Res2.log

These are reserved transaction log files totalling 20 MB (10 MB each). They give the database enough room to write pending transactions and shut down cleanly if the disk holding the logs fills up.

Explain the ADS database garbage collection process.

Garbage collection is a process designed to free space within the Active Directory database. It runs independently on every DC, by default every 12 hours (the garbageCollPeriod attribute).

The garbage collection process has three main steps:

1. Removing tombstones from the database. Tombstones are the remains of objects that have previously been deleted.

(When an object is deleted, it is not actually removed from the Active Directory database. It is stripped of most of its attributes, marked as deleted and moved to the Deleted Objects container, and this tombstone is replicated to the other DCs so that they delete their copies too. When the tombstoneLifetime (60 days by default in Windows 2000) has expired, garbage collection removes the tombstone for good. A DC that has not replicated for longer than the tombstone lifetime can no longer learn of those deletions; it should not be reconnected to the domain without being rebuilt, or it reintroduces the deleted objects as lingering objects.)

2. Deletion of any unnecessary log files.

3. Launching a defragmentation thread to reclaim additional free space.

There are two ways to defragment the Active Directory database in Windows 2000.

Online defragmentation runs as part of the garbage collection process. Its advantage is that the server does not need to be taken offline for it to run. However, this method only rearranges pages within the file; it does not shrink the Active Directory database file (Ntds.dit).

Offline defragmentation is done by taking the server offline and using Ntdsutil.exe to defragment the database. This approach requires that the DC be started in Directory Services Restore Mode. The advantage of this method is that the database is compacted into a new file, unused space is removed, and the reduced size is reflected in the Ntds.dit file.
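The tombstone rule above, as an added example that is not part of the original document: a small in-memory model of deletion, tombstone ageing and a garbage collection pass, using the Windows 2000 defaults (12-hour garbage collection period, 60-day tombstone lifetime). The directory entries are constructed. The last two functions show the practical consequence of the lifetime: a DC that has been offline longer than that must not simply be reconnected.

```python
"""Tombstones and garbage collection, modelled in memory.

Added example, not part of the original document. The directory is a dict of
constructed records; the timers are the Windows 2000 defaults (garbage
collection every 12 hours, tombstoneLifetime 60 days).
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

GARBAGE_COLL_PERIOD = timedelta(hours=12)   # garbageCollPeriod default
TOMBSTONE_LIFETIME = timedelta(days=60)     # tombstoneLifetime default in Windows 2000


@dataclass
class DirObject:
    dn: str
    attributes: Dict[str, str]
    is_deleted: bool = False
    when_deleted: Optional[datetime] = None


def delete_object(store: Dict[str, DirObject], dn: str, now: datetime) -> None:
    """Deleting does not remove the row: the object is stripped to a few
    identifying attributes and flagged isDeleted, so that the deletion itself
    can replicate to every other DC as a tombstone."""
    obj = store[dn]
    obj.attributes = {k: v for k, v in obj.attributes.items() if k in ("objectGUID", "objectSid")}
    obj.is_deleted = True
    obj.when_deleted = now


def garbage_collect(store: Dict[str, DirObject], now: datetime,
                    lifetime: timedelta = TOMBSTONE_LIFETIME) -> List[str]:
    """One garbage collection pass: purge tombstones older than lifetime and
    return the DNs removed. Live objects and younger tombstones are untouched."""
    expired = [dn for dn, obj in store.items()
               if obj.is_deleted and obj.when_deleted is not None
               and now - obj.when_deleted > lifetime]
    for dn in expired:
        del store[dn]
    return expired


def safe_to_replicate(last_replication: datetime, now: datetime,
                      lifetime: timedelta = TOMBSTONE_LIFETIME) -> bool:
    """A DC offline longer than the tombstone lifetime has missed deletions whose
    tombstones have since been purged. Reconnecting it would push the deleted
    objects back onto every DC (lingering objects), so it should be rebuilt."""
    return now - last_replication <= lifetime


def dc_can_rejoin(days_offline: int) -> bool:
    """May a DC that last replicated days_offline ago be reconnected?"""
    now = datetime(2000, 5, 1, 9, 0)
    return safe_to_replicate(now - timedelta(days=days_offline), now)


def scenario() -> Dict[str, List[str]]:
    """Delete a constructed object, then garbage collect at 30 and 61 days."""
    t0 = datetime(2000, 3, 1, 9, 0)
    user_dn = "CN=Sanjo Thomas,OU=India,DC=Microsoft,DC=com"
    printer_dn = "CN=Old Printer,OU=India,DC=Microsoft,DC=com"
    store = {
        user_dn: DirObject(user_dn, {"objectGUID": "g1", "objectSid": "s1", "mail": "sanjo@example"}),
        printer_dn: DirObject(printer_dn, {"objectGUID": "g2", "location": "floor 2"}),
    }
    delete_object(store, printer_dn, t0)
    return {
        "day30": garbage_collect(store, t0 + timedelta(days=30)),   # tombstone still kept
        "day61": garbage_collect(store, t0 + timedelta(days=61)),   # tombstone purged
        "remaining": sorted(store),
    }


if __name__ == "__main__":
    for step, dns in scenario().items():
        print(step, dns)
    print("rejoin after 59 days:", dc_can_rejoin(59), "| after 61 days:", dc_can_rejoin(61))
```

The same comparison is what a restore has to respect as well: a System State backup older than the tombstone lifetime cannot be restored onto a DC for the same reason, which is why the backup age should be checked against tombstoneLifetime before an authoritative or non-authoritative restore.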

How will you do an offline defragmentation of Active Directory?

Active Directory routinely performs online database defragmentation, but this only reorganizes space inside the file; the file cannot be compacted while Active Directory is mounted. To defragment ntds.dit offline:

1. Back up System State using the Backup wizard.
2. Reboot and select Directory Services Restore Mode from the boot menu (F8).
3. At the command prompt run:

Ntdsutil
Files
Info

This displays the current path and size of the Active Directory database and its log files.

Compact to D:\DbBackup\

You must specify a directory path; if the path name contains spaces, the command will not work unless you enclose the path in quotation marks.

Quit (repeat until you reach the command prompt)

4. A new compacted database named Ntds.dit can be found in D:\DbBackup.
5. Keep a copy of the original ntds.dit, then copy the new ntds.dit over the old one, delete the old log files from the log directory and reboot normally. You have successfully compacted the Active Directory database.

Introducing domain trees and forests

TREES

A tree is a hierarchical arrangement of Windows 2000 domains that share a contiguous namespace. The first domain in a domain tree is called the root domain. Additional domains in the same domain tree are child domains. A domain immediately above another domain in the same domain tree is referred to as the parent of the child domain.

The name of the child domain is combined with its parent domain name to form its DNS name. Every child domain has a two-way, transitive trust relationship with its parent domain.

Because these trust relationships are two-way and transitive, a Windows 2000 domain newly created in a domain tree or forest immediately has trust relationships established with every other Windows 2000 domain in the domain tree or forest.

These trust relationships allow a single logon process to authenticate a user on all domains in the domain tree or forest. This does not necessarily mean that the authenticated user has rights and permissions in all domains in the domain tree. Because a domain is an administrative boundary for permissions, rights and permissions must be assigned on a per-domain basis. (The domain is not, however, a security boundary in the strict sense: later Microsoft guidance treats the forest as the security boundary, because anyone who controls a DC in any domain of the forest can compromise the whole forest.)

FORESTS

A forest consists of one or more domain trees. The domain trees in a forest do not form a contiguous namespace but share a common schema and GC.

The forest root domain is the first domain created in the forest. The root domains of all domain trees in the forest establish transitive trust relationships with the forest root domain. This is necessary for the purpose of establishing trust across all the domain trees in the forest.

All of the Windows 2000 domains in all of the domain trees in a forest share the following traits:

Transitive trust relationships between the domains
Transitive trust relationships between the domain trees
A common schema
Common configuration information
A common global catalog

Using both domain trees and forests provides you with the flexibility of both contiguous and noncontiguous naming conventions. This can be useful in, for example, companies with independent divisions that must each maintain their own DNS names.

Explain the Active Directory schema.

The Active Directory schema is the set of definitions that defines the kinds of objects, and the types of information about those objects, that can be stored in Active Directory. The definitions are themselves stored as objects so that Active Directory can manage the schema objects with the same object management operations used for managing the rest of the objects in the directory.

There are two types of definitions in the schema: attributes and classes. Attributes and classes are also referred to as schema objects or metadata.

Attributes are defined separately from classes. Each attribute is defined only once and can be used in multiple classes. For example, the Description attribute is used in many classes, but is defined once in the schema, assuring consistency.

Classes, also referred to as object classes, describe the possible directory objects that can be created. Each class is a collection of attributes. When you create an object, the attributes store the information that describes the object. The User class, for example, is composed of many attributes, including Network Address, Home Directory, and so on. Every object in Active Directory is an instance of an object class.

Active Directory does not support deletion of schema objects; however, objects can be marked as deactivated, providing many of the benefits of deletion.

The structure and content of the schema is controlled by the domain controller that holds the schema operations master role. A copy of the schema is replicated to all domain controllers in the forest. The use of this common schema ensures data integrity and consistency throughout the forest. Because schema changes are forest-wide and cannot be undone, only members of the Schema Admins group can modify the schema; keep that group empty and add an account to it only for the duration of a planned change.

Explain sites. What are the advantages of sites?

A site consists of one or more IP subnets connected by a high-speed link. Wide area networks should employ multiple sites for efficiently handling service requests and reducing replication traffic. Sites map the physical structure of your network, whereas domains generally map the logical structure of your organization.

Active Directory Sites and Services allows you to specify site information. Active Directory uses this information to determine how best to use available network resources.

This makes the following types of operations more efficient:

Service requests
When a client requests a service from a domain controller, it directs the request to a domain controller in the same site. Selecting a domain controller that is well connected to the client makes handling the request more efficient.

Replication
Sites streamline replication of directory information and reduce replication traffic: replication within a site is frequent and uncompressed, while replication between sites is scheduled and compressed over site links.

Site membership is determined differently for domain controllers and clients. A client determines which site it is in when it starts, by having a domain controller match its IP address against the subnet objects defined in Sites and Services, so its site location is updated dynamically as it moves. A domain controller's site location is established by which site its Server object belongs to in the directory, so its site location will be consistent unless the domain controller's Server object is intentionally moved to a different site.
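The client-side site lookup described above, as an added example that is not part of the original document: the client's address is matched against the subnet objects, most specific subnet first, and the DCs in the client's own site are preferred over the rest. The subnet table, site names and DC names are constructed for illustration.

```python
"""Site lookup by IP subnet, as a DC does for a client that asks which site it is in.

Added example, not part of the original document. The subnet-to-site table,
the site names and the DC names are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

SUBNET_TO_SITE: Dict[str, str] = {
    "10.1.0.0/16": "Bangalore",
    "10.1.50.0/24": "Bangalore-Lab",     # more specific subnet nested inside 10.1.0.0/16
    "10.2.0.0/16": "Chennai",
    "192.168.100.0/24": "Default-First-Site-Name",
}
DC_SITES: Dict[str, str] = {              # which site each DC's Server object sits in
    "dc1.microsoft.com": "Bangalore",
    "dc2.microsoft.com": "Chennai",
    "dc3.microsoft.com": "Default-First-Site-Name",
}

SiteTable = List[Tuple[ipaddress.IPv4Network, str]]


def build_site_table(mapping: Dict[str, str]) -> SiteTable:
    """Order subnets longest prefix first so the most specific subnet object wins."""
    table = [(ipaddress.ip_network(cidr), site) for cidr, site in mapping.items()]
    return sorted(table, key=lambda entry: entry[0].prefixlen, reverse=True)


def site_for(ip: str, table: SiteTable) -> Optional[str]:
    """Site of a client address, or None when no subnet object covers it.

    A client with no matching subnet is in no site at all: the DC locator then
    gives it whichever DC of the domain answers first, possibly across a WAN
    link. Slow logons after a new subnet is rolled out usually mean a missing
    subnet object, so a None here is worth alerting on."""
    addr = ipaddress.ip_address(ip)
    for network, site in table:
        if addr in network:
            return site
    return None


def dcs_for_client(ip: str, table: SiteTable, dc_sites: Dict[str, str]) -> List[str]:
    """DCs in the order a client should prefer them: its own site first, then the rest."""
    site = site_for(ip, table)
    in_site = sorted(dc for dc, s in dc_sites.items() if s == site)
    elsewhere = sorted(dc for dc, s in dc_sites.items() if s != site)
    return in_site + elsewhere


if __name__ == "__main__":
    table = build_site_table(SUBNET_TO_SITE)
    for client in ("10.1.50.7", "10.1.7.7", "10.2.3.4", "172.16.0.1"):
        print(client, "->", site_for(client, table), dcs_for_client(client, table, DC_SITES))
```

The nested 10.1.50.0/24 entry is the case to watch: with a first-match table that was not sorted by prefix length, a lab client could be placed in the wrong site and sent to a DC across the WAN even though a closer one exists.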

Explain the GC.

By default, a GC is created automatically on the first DC in the forest. It stores a full replica of all objects in the directory for its host domain and a partial replica of all objects of every other domain in the forest. The replica is partial because it stores only some attributes for each object (the partial attribute set).

The GC performs two key directory roles:

It enables network logon by providing universal group membership information to a DC when a logon process is initiated.

It enables finding directory information regardless of which domain in the forest actually contains the data.

When a user logs on to the network, the GC provides universal group membership information for the account sending the logon request to the DC. If a GC is not available, the user is only able to log on to the local computer (with cached credentials) unless he is a member of the Domain Admins group.

The GC is designed to respond to queries about objects with maximum speed and minimum network traffic. Because a single GC contains information about objects in all domains in the forest, a query about an object can be resolved by a GC in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain boundaries.

Active Directory defines a base set of attributes for each object in the directory. Each object and some of its attributes (such as universal group memberships) are stored in the GC. Using the Active Directory Schema snap-in, you can specify additional attributes to be kept in the GC.

Explain the role of the global catalog server in a domain.

By default, a global catalog is created automatically on the initial domain controller in the forest. It stores a full replica of all objects in the directory for its host domain and a partial replica of all objects contained in the directory of every other domain in the forest. The replica is partial because it stores some, but not all, of the property values for every object in the forest.

The global catalog performs two key directory roles:

It enables network logon by providing universal group membership information to a domain controller when a logon process is initiated.

It enables finding directory information in the entire forest regardless of which domain in the forest actually contains the data.

When a user logs on to the network, the global catalog provides universal group membership information for the account sending the logon request to the domain controller. If there is only one domain controller in the domain, the domain controller and the global catalog are the same server. If there are multiple domain controllers in the network, the global catalog is hosted on the domain controller(s) configured as such. If a global catalog is not available when a user initiates a network logon process, the user is only able to log on to the local computer.

If a user is a member of the Domain Admins group, they are able to log on to the network even when a global catalog is not available.

The global catalog is designed to respond to queries about objects anywhere in the forest with maximum speed and minimum network traffic. Because a single global catalog contains information about objects in all domains in the forest, a query about an object can be resolved by a global catalog in the domain in which the query is initiated. Thus, finding information in the directory does not produce unnecessary query traffic across domain boundaries.

You can optionally configure any domain controller to host a global catalog, based on your organization's requirements for servicing logon requests and search queries. Every site in which users log on should contain at least one GC, otherwise logons in that site depend on a WAN link.

After additional domain controllers are installed in the domain, you can change the default location of the global catalog to another domain controller using Active Directory Sites and Services (the NTDS Settings properties of the server object).

Why should the GC and the infrastructure master not be on the same server?

The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog's data will always be up to date. If the infrastructure master finds data that is out of date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.

Important

1. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.

2. If all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.

What are the single master operations?

Active Directory supports multimaster replication of the directory data between all DCs in the domain. Some changes are impractical to perform in multimaster fashion, so only one DC, called the operations master, accepts requests for such changes.

Because the operations master roles can be moved to other DCs within the domain or forest, these roles are sometimes referred to as Flexible Single Master Operations (FSMO).

In any Active Directory forest there are five operations master roles. Two of them exist once per forest. The other three exist once in every domain in the forest.

FOREST-WIDE OPERATIONS MASTER ROLES

Every Active Directory forest must have the following roles:

Schema master
Domain naming master

There can be only one schema master and one domain naming master for the entire forest.


Schema master

The schema master DC controls all updates and modifications to the schema.

Domain naming master

The domain naming master DC controls the addition or removal of domains in the forest.

DOMAIN-WIDE OPERATIONS MASTER ROLES

Every domain in the forest must have the following roles:

Relative ID master
Primary DC (PDC) emulator
Infrastructure master

Each domain in the forest can have only one RID master, PDC emulator and infrastructure master.

Relative ID master

The RID master allocates pools of relative IDs to each DC in its domain. Whenever a DC creates a user, group or computer object, it assigns a unique security ID (SID) to that object. The SID consists of a domain SID (the same for all SIDs created in the domain) and a relative ID (RID) that is unique for each SID created in the domain.

To move an object between domains (using Movetree.exe), you must initiate the move on the DC acting as the relative ID master of the domain that currently contains the object.

PDC emulator

For pre-Windows 2000 clients, the PDC emulator acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the Windows NT BDCs.

Even after the domain is switched to native mode, the PDC emulator still receives preferential replication of password changes performed by other DCs in the domain. If a password was recently changed, that change takes time to replicate to every DC in the domain. If a logon authentication fails at another DC due to a bad password, that DC forwards the authentication request to the PDC emulator before rejecting the logon attempt.

Infrastructure master

The infrastructure master is responsible for updating the group-to-user references whenever the members of groups are renamed or changed. At any time, there can be only one DC acting as the infrastructure master in each domain.

When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. The infrastructure master distributes the update via multimaster replication.

There is no compromise to security during the time between the member rename and the group update, because access checks are based on SIDs rather than on the stored name or distinguished name. Only an administrator looking at that particular group membership would notice the temporary inconsistency.

What are the FSMO roles and explain their functions?

Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master

Schema master

The schema master is responsible for performing updates to the directory schema. This DC is the only one that can process updates to the directory schema. Once the schema update is complete, it is replicated from the schema master to all other DCs in the directory. There is only one schema master per forest.

Domain naming master

The domain naming master is responsible for making changes to the forest-wide domain namespace of the directory. This DC is the only one that can add or remove a domain from the directory.

RID master

The RID master is responsible for processing RID pool requests from all DCs within a given domain. It is also responsible for removing an object from its domain and putting it in another domain during an object move.

When a DC creates a security principal object such as a user or group, it attaches a unique SID to the object. This SID consists of a domain SID (the same for all SIDs created in a domain) and a relative ID (RID) that is unique for each security principal SID created in a domain.

Each Windows 2000 DC in a domain is allocated a pool of RIDs that can be assigned to the security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC issues a request for additional RIDs to the domain's RID master. The RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigning them to the pool of the requesting DC. There is one RID master per domain in a directory.
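The RID allocation mechanism described in the two RID master sections above, as an added example that is not part of the original document: a RID master hands out non-overlapping blocks, each DC mints SIDs from its own block and fetches the next one before the current one is exhausted, and a DC keeps working while the RID master is down until its pools run dry, which is the failure mode the page describes later under RID master failure. The domain SID is a constructed value; the 500-RID block size is the Windows 2000 default, and the low-water mark of 100 remaining RIDs at which a DC asks for its next block is an assumption of this model.

```python
"""SID construction and RID pool allocation between a RID master and its DCs.

Added example, not part of the original document. The domain SID is a
constructed value; the 500-RID block size is the Windows 2000 default and the
100-RID low-water mark at which a DC asks for its next block is an assumption
of this model.
"""
from typing import List, Tuple


class RidMasterUnavailable(RuntimeError):
    """Raised when the FSMO role holder cannot be reached."""


class RidMaster:
    """The single DC per domain that hands out non-overlapping RID blocks."""

    def __init__(self, domain_sid: str, block_size: int = 500, first_rid: int = 1000):
        self.domain_sid = domain_sid
        self.block_size = block_size
        self.next_free = first_rid      # RIDs below 1000 are well-known (500 = Administrator)
        self.allocations = 0
        self.available = True

    def allocate_pool(self) -> List[int]:
        if not self.available:
            raise RidMasterUnavailable("RID master is offline")
        lo, self.next_free = self.next_free, self.next_free + self.block_size
        self.allocations += 1
        return list(range(lo, self.next_free))


class DomainController:
    """Any DC: mints SIDs from its own pool, so creating a principal does not need the master online."""

    def __init__(self, name: str, master: RidMaster, low_water: int = 100):
        self.name, self.master, self.low_water = name, master, low_water
        self.pool: List[int] = []      # rIDAllocationPool in use
        self.standby: List[int] = []   # next pool, fetched before the current one runs dry

    def create_principal(self, sam_account_name: str) -> str:
        if not self.pool:
            if not self.standby:
                self.standby = self.master.allocate_pool()   # nothing left: must reach the master
            self.pool, self.standby = self.standby, []
        if len(self.pool) <= self.low_water and not self.standby:
            try:
                self.standby = self.master.allocate_pool()   # top up early, while we still can
            except RidMasterUnavailable:
                pass                                          # keep going on the current pool
        rid = self.pool.pop(0)
        return "%s-%d" % (self.master.domain_sid, rid)


def split_sid(sid: str) -> Tuple[str, int]:
    """Separate a principal SID into the domain SID and its RID."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


def is_well_known_rid(rid: int) -> bool:
    """RIDs below 1000 are reserved for built-in principals, e.g. 500 Administrator, 512 Domain Admins."""
    return rid < 1000


def allocation_demo() -> Tuple[int, int, int]:
    """Two DCs each create 600 accounts; returns (distinct SIDs, master allocations, next free RID)."""
    master = RidMaster("S-1-5-21-1004336348-1177238915-682003330")   # constructed domain SID
    dc1, dc2 = DomainController("dc1", master), DomainController("dc2", master)
    sids = {dc1.create_principal("user%d" % i) for i in range(600)}
    sids |= {dc2.create_principal("svc%d" % i) for i in range(600)}
    return len(sids), master.allocations, master.next_free


def outage_demo() -> Tuple[int, bool]:
    """A DC with 600 accounts already created loses the RID master: returns the
    last RID it could still mint and whether the attempt after that failed."""
    master = RidMaster("S-1-5-21-1-2-3")
    dc = DomainController("dc1", master)
    for i in range(600):
        dc.create_principal("u%d" % i)
    master.available = False
    last = [dc.create_principal("v%d" % i) for i in range(400)][-1]
    try:
        dc.create_principal("overflow")
        failed = False
    except RidMasterUnavailable:
        failed = True
    return split_sid(last)[1], failed


if __name__ == "__main__":
    print(allocation_demo())
    print(outage_demo())
```

The standby pool is why a RID master outage is usually invisible for a long time, and also why a seized RID master's original holder must never return: it would resume handing out blocks from its own copy of the counter, and two principals in the domain could end up with the same SID.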

PDC emulator FSMO role

The PDC emulator is also the anchor of time synchronization in an enterprise. Windows 2000 includes the W32Time (Windows Time) service, which is required by the Kerberos authentication protocol: tickets and authenticators carry timestamps, and a DC rejects requests from a computer whose clock is more than five minutes (the default tolerance) away from its own, so all Windows 2000-based computers within an enterprise must share a common time. W32Time arranges the time sources in a hierarchy that follows the domain hierarchy, so that authority is controlled and no loops can form.

The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root of the forest becomes authoritative for the enterprise, and should be configured to gather the time from an external source. All PDC FSMO role holders follow the hierarchy of domains in the selection of their inbound time partner.

In a Windows 2000 domain, the PDC emulator role holder retains the following functions:

Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator.

Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator before a bad password failure message is reported to the user.

Account lockout is processed on the PDC emulator.

Note that the down-level (Windows NT) functions of the PDC emulator become unnecessary as workstations, member servers and domain controllers are all upgraded to Windows 2000; the password, lockout and time functions above remain. Once everything is upgraded, the following applies:

Windows 2000 clients (workstations and member servers) and down-level clients that have installed the Distributed Services client package do not perform directory writes (such as password changes) preferentially at the DC that has advertised itself as the PDC; they use any DC for the domain.

Once backup domain controllers (BDCs) in down-level domains are upgraded to Windows 2000, the PDC emulator receives no down-level replica requests.

Windows 2000 clients (workstations and member servers) and down-level clients that have installed the Distributed Services client package use the Active Directory to locate network resources. They do not require the Windows NT Browser service.

Infrastructure FSMO role

When an object in one domain is referenced by another object in another domain, it represents the reference by the GUID, the SID (for references to security principals) and the DN of the object being referenced. The infrastructure FSMO role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference.

NOTE: The infrastructure master (IM) role should be held by a domain controller that is not a global catalog server (GC). If the infrastructure master runs on a global catalog server it will stop updating object information, because it holds no references (phantoms) to objects it does not have a copy of. This is because a global catalog server holds a partial replica of every object in the forest. As a result, cross-domain object references in that domain will not be updated and a warning to that effect will be logged in that DC's event log.

How will you place the FSMO roles?

Place the RID and PDC emulator roles on the same domain controller. Good communication from the PDC to the RID master is desirable, as down-level clients and applications target the PDC, making it a large consumer of RIDs.

As a general rule, the infrastructure master should be located on a non-global catalog server that has a direct connection object to some global catalog in the forest, preferably in the same Active Directory site.

Two exceptions to the "do not place the infrastructure master on a global catalog server" rule are:

o Single-domain forest: In a forest that contains a single Active Directory domain, there are no phantoms, and so the infrastructure master has no work to do. The infrastructure master may be placed on any domain controller in the domain.

o Multi-domain forest where every domain controller holds the global catalog: If every domain controller in the domain also hosts the global catalog, then there are no phantoms or work for the infrastructure master to do. The infrastructure master may be placed on any domain controller in the domain.

At the forest level, the schema master and domain naming master roles should be placed on the same domain controller, as they are rarely used and should be tightly controlled. Additionally, in Windows 2000 the domain naming master must also be a global catalog server, because it uses the GC to verify that the name of a domain being added is unique in the forest.

Responding to operations master failures

Some of the operations master roles are crucial to the operation of your network. Others can be unavailable for quite some time before their absence becomes a problem.

If an operations master is not available due to computer failure or network problems, you can seize the operations master role. Seizing forces the role onto another DC without the cooperation of the current holder; transferring, the normal case, is done while both DCs are online and carries no risk of ending up with two holders.

In general, seizing an operations master role is a drastic step that should be considered only if the current operations master will never be available again.

SCHEMA MASTER FAILURE

Temporary loss of the schema operations master will be visible only if we are trying to modify the schema or install an application that modifies the schema during installation.

A DC whose schema master role has been seized must never be brought back online. Its metadata must be removed from the directory (ntdsutil metadata cleanup) and it must be reinstalled before it is reconnected; otherwise two DCs believe they hold the role, and schema changes made on each cannot be reconciled.

To seize the schema master role

1. Click Start, click Run, and then type cmd.
2. At the command prompt, type ntdsutil.
3. At the ntdsutil prompt, type roles.
4. At the fsmo maintenance prompt, type connections.
5. At the server connections prompt, type connect to server, followed by the fully qualified domain name of the DC that is to take the role.
6. At the server connections prompt, type quit.
7. At the fsmo maintenance prompt, type seize schema master.
8. At the fsmo maintenance prompt, type quit.
9. At the ntdsutil prompt, type quit.


DOMAIN NAMING MASTER FAILURE

Temporary loss of the domain naming master will be visible only if we are trying to add a domain to the forest or remove a domain from the forest.

A DC whose domain naming master role has been seized must never be brought back online.

RELATIVE ID MASTER FAILURE

Temporary loss of the RID master will be visible only if you are creating objects and a DC in the domain runs out of RIDs from its allocated pool.

A DC whose relative identifier master role has been seized must never be brought back online, because it could hand out RID pools that overlap those issued by the new holder, producing duplicate SIDs in the domain.

PDC EMULATOR FAILURE

The loss of the PDC emulator affects network users. Therefore, when the PDC emulator is not available, you may need to seize the role immediately.

If the current PDC emulator will be unavailable for an unacceptable length of time and its domain has clients without Windows 2000 client software, or if it contains Windows NT backup DCs, seize the PDC emulator role to the standby operations master. When the original PDC emulator is returned to service, you can transfer the role back to the original DC; unlike the schema, domain naming and RID master roles, this one can safely be seized and later returned.

INFRASTRUCTURE MASTER FAILURE

Temporary loss of the infrastructure master is not visible to network users or administrators either, unless they have recently moved or renamed a large number of accounts.

If the infrastructure master will be unavailable for an unacceptable length of time, you can seize the role to a DC that is not a GC but is well connected to a GC, ideally in the same site as the current GC. Like the PDC emulator role, the infrastructure master role can be returned to the original DC when it comes back.

How will you remove a DC server object (in AD Sites and Services) which is not removed after demotion?

After demoting a DC, the object that represents the server in the Active Directory Sites and Services snap-in remains.

This happens because the server object is a container in the Active Directory and may hold child objects that represent configuration data for other services installed on your computer. Because of this, the Dcpromo utility does not automatically remove the server object.

If the server object contains a child object named "NTDS Settings", that object represents the server as a DC and should have been removed automatically by the demotion process. If this did not happen, the NTDS Settings object must be removed by using the Ntdsutil utility (metadata cleanup) before you delete the server object.

After verifying that all other services with a dependency on the server object have been removed, an administrator can delete the server in Active Directory Sites and Services.

NOTE: This process may not finish successfully for either of the following reasons:

If you receive a message that states the server is a container that contains other objects, verify that the appropriate decommissioning of services has completed before continuing.

If you receive a message that states the DSA object cannot be deleted, you may be attempting to delete an active DC. Stop and confirm that the DC really has been demoted; deleting the NTDS Settings object of a live DC removes it from replication.

    How will you remove Orphaned Domains from Active Directory?

Typically, when the last DC for a domain is demoted, the administrator selects the "This server is the last DC in the domain" option in the DCPromo tool, which removes the domain meta-data from Active Directory.

Note: The administrator must verify that replication has occurred since the demotion of the last DC before manually removing the domain meta-data. Using the NTDSUTIL tool improperly can result in partial or complete loss of Active Directory functionality.

1. Determine the DC that holds the Domain Naming Master FSMO role.
2. Verify that all servers for the specified domain have been demoted.
3. At the command prompt, enter the following commands in sequence:

   ntdsutil
   metadata cleanup
   connections
   connect to server servername

   (servername is the name of the DC holding the Domain Naming Master FSMO role.) If an error occurs, verify that the DC being used in the connection is available and that the credentials you supplied have administrative permissions on the server.

   quit

   The Metadata Cleanup menu is displayed.

   select operation target
   list domains

   A list of domains in the forest is displayed, each with an associated number.

   select domain number

   (number is the number associated with the domain to be removed.)

   quit

   The Metadata Cleanup menu is displayed.

   remove selected domain

   You should receive confirmation that the removal was successful.

   quit

   You should receive confirmation that the connection disconnected successfully.

    Audit Active Directory Objects in Windows 2000

    An audit entry in the Security log contains the following information:

- The action that was performed.
- The user who performed the action.
- The success or failure of the event and the time that the event occurred.

When you audit Active Directory events, Windows 2000 writes an event to the Security log on the domain controller. If a user tries to log on to the domain using a domain user account and the logon attempt is unsuccessful, the event is recorded on the DC and not on the computer on which the logon attempt was made. This is because it is the domain controller that tried to authenticate the logon attempt.

    How to Configure an Audit Policy Setting for a Domain Controller

Auditing is turned off by default. To audit all DCs, enable auditing on the Domain Controllers OU.

To configure an audit policy setting for a domain controller, follow these steps:

1. Start Active Directory Users and Computers.
2. Click Advanced Features on the View menu.
3. Right-click Domain Controllers, and then click Properties.
4. Click the Group Policy tab, click Default Domain Controller Policy, and then click Edit.
5. Click Computer Configuration, double-click Windows Settings, double-click Security Settings, double-click Local Policies, and then double-click Audit Policy.
6. In the right pane, right-click Audit Directory Services Access, and then click Security.
7. Click Define These Policy Settings, and then click to select one or both of the following check boxes:
   o Success: Click to select this check box to audit successful attempts for the event category.
   o Failure: Click to select this check box to audit failed attempts for the event category.
8. Right-click any other event category that you want to audit, and then click Security. Click OK.

    How to Configure Auditing for Specific Active Directory Objects

You can configure auditing for specific objects, such as users, computers, organizational units, or groups, by specifying both the types of access and the users whose access you want to audit.

    To configure auditing for specific Active Directory objects, follow these steps:

1. Open Active Directory Users and Computers.
2. Select Advanced Features on the View menu.
3. Right-click the Active Directory object that you want to audit, and then click Properties.
4. Click the Security tab, and then click Advanced.
5. Click the Auditing tab, and then click Add. Enter the name of either the user or the group whose access you want to audit.
6. Click to select either the Successful check box or the Failed check box for the actions that you want to audit, and then click OK.

    How to set up a One-Way Non-Transitive Trust in Windows 2000

Windows 2000 domains in the same forest share transitive trust relationships with one another. There is an implicit transitive trust between the root domains in each tree in the Windows 2000 forest. A two-way implicit transitive trust also exists between all contiguous domains in a single tree.

There may be times when you need to create explicit trust relationships between domains. Windows 2000 allows you to configure one-way non-transitive trusts between domains.

    Configure a One-way Trust

Perform the following steps to configure the one-way trust:

1. On a domain controller in the trusted domain, start the Active Directory Domains and Trusts console.
2. In the Domains that trust this domain pane, click Add.
3. In the Add Trusting Domain dialog box, type the name of the trusting domain, type a password, and then type the password again in the Confirm password box.
4. Click OK.
5. In the Active Directory dialog box, click OK to verify the trust.
6. Enter a user name and password of a user that has permissions to modify trust relationships in the trusting domain.

   You receive a message that states that the trusting domain has been added and the trust verified.

7. Quit the Active Directory Domains and Trusts console.
8. On a domain controller in the trusting domain, start the Active Directory Domains and Trusts console.
9. Right-click the trusting domain and click Properties.
10. In the Domains trusted by this domain box, click Add.
11. In the Add Trusted Domain dialog box, type the name of the trusted domain and a password, and then type the password again in the Confirm Password dialog box.
12. Click OK.

NOTE: The DNS infrastructure must be in place so that domain controllers from each domain can find one another. You can configure Windows NT 4.0 domain trusts by using Windows NT 4.0 User Manager for Domains.

    How to create a Container to List Printers in Active Directory

By default, printers are not displayed when you use My Network Places to browse Active Directory. The ADSI Edit tool in Support Tools can be used to add a container in which to list the printers that are published in Active Directory. By doing so, users can either find the folder that contains the printers in My Network Places or add a network place to the folder that contains the printers.

To create a Printers container in which to list your printers in Active Directory:

1. Click Start, point to Programs, point to Windows 2000 Support Tools, point to Tools, and then click ADSI Edit.
2. Expand Domain NC [DomainName], and then click DC=Domain, DC=com.
3. On the Action menu, point to New, and then click Object.
4. In the Select a class box, click container, and then click Next.
5. In the Value box, type Printers, and then click Next.
6. Click Finish.

   A CN=Printers container appears in the right pane of ADSI Edit.

7. Right-click CN=Printers, and then click Properties.
8. Click the Attributes tab.
9. In the Select a property to view box, click showInAdvancedViewOnly, and then click Clear.
10. In the Edit Attribute box, type false, click Set, and then click OK.
11. Quit ADSI Edit.
12. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.

   The Printers container that you created appears in the list of directory objects.

13. On the View menu, click Advanced Features.
14. On the View menu, click Users, Groups, and Computers as containers.
15. Move the printers that you want to the Printers container.
16. Quit Active Directory Users and Computers.

    Note: The procedure in this article requires that printers are published in Active Directory.

    How to publish a printer in AD

1. Log on to the computer as an administrator.
2. Click Start, point to Settings, and then click Printers.
3. In the Printers folder, right-click the printer that you want to publish in Active Directory, and then click Properties.
4. Click the Sharing tab, click Share As, and then either type a share name or accept the default name. Use only letters and numbers; do not use spaces, punctuation, or special characters.
5. Click to select the List in the Directory check box, and then click OK.
6. Close the Printers folder.


NOTE: If you want to make this printer available to users who are running different versions of Windows, you must install additional drivers. To do so, click Additional Drivers on the Sharing tab of the Printer properties, and then select the appropriate items in the list.

    How to Configure an Authoritative Time Server in Windows 2000?

Windows includes the W32Time Time service tool that is required by the Kerberos authentication protocol. The purpose of the Time service is to ensure that all computers that are running Windows 2000 in an organization use a common time.

Windows-based computers use the following hierarchy by default:

- All client PCs and member servers nominate the authenticating DC as their in-bound time server.
- DCs may nominate the PDC operations master as their in-bound time partner but may use a parent DC based on stratum numbering.
- All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.

The PDC operations master at the root of the forest becomes authoritative for the organization. This PDC can be configured to recognize an external Simple Network Time Protocol (SNTP) time server as authoritative by using the following net time command:

    Net time /setsntp:server_list

    To reset the local computer's time against the authoritative time server for the domain:

Net time /domain:domain_name /set

    Net stop w32time

W32tm -once

    Net start w32time

SNTP defaults to using UDP port 123. If this port is not open to the Internet, you cannot synchronize your server to Internet SNTP servers.

Administrators can also configure an internal time server as authoritative by using the net time command. If the administrator directs the command to the operations master, it may be necessary to reboot the server for the changes to take effect.

Loopback Processing of Group Policy

Group Policy applies to the user or computer in a manner that depends on where both the user and the computer objects are located in Active Directory. However, in some cases, users may need policy applied to them based on the location of the computer object alone. You can use the Group Policy loopback feature to apply GPOs that depend only on which computer the user logs on to.

To set user configuration per computer: in the Group Policy Microsoft Management Console (MMC), click Computer Configuration, locate Administrative Templates, click System, click Group Policy, and then enable the Loopback Policy option.

This policy directs the system to apply the set of GPOs for the computer to any user who logs on to a computer affected by this policy. Loopback is supported only in a purely Windows 2000 based environment. Both the computer account and the user account must be in Active Directory.

Usually users in their OU have GPOs applied in order during logon, regardless of which computer they log on to. In some cases, this processing order may not be appropriate (e.g., when you do not want applications assigned to users to be installed while they are logged on to the computers in some specific OU).

With Group Policy loopback, you can specify some other ways to retrieve the list of GPOs for any user who logs on to any of the computers in this specific OU:

Merge Mode

Here, the GPOs for the user are applied first. The GPOs for the computer are then added to the end of the user's GPO list. This causes the computer's GPOs to have higher precedence than the user's GPOs.

Replace Mode

In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the computer object is used.
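The two loopback modes described above, as an added example that is not part of the original document: it models GPO processing order as "later in the list wins" and shows which settings a user ends up with in normal, merge and replace mode. The GPO names and settings are constructed sample data.

```python
"""Added example (not from the original document): how Group Policy loopback
changes the list of GPOs applied to a user.

The GPO lists and setting names below are constructed sample data. The rule
modelled is the one the text states: GPOs are applied in list order, so a GPO
later in the list has higher precedence and its value wins for any setting
that an earlier GPO also defines.
"""
from typing import Dict, List, Tuple

# A GPO is (name, settings); settings are a simple setting-name -> value map.
GPO = Tuple[str, Dict[str, str]]

# Constructed sample data: the GPOs that apply to the user's OU chain and to
# the computer's OU chain, already in their normal processing order.
USER_GPOS: List[GPO] = [
    ("Default Domain Policy", {"wallpaper": "corporate.bmp", "assign_app": "office"}),
    ("Sales Users", {"assign_app": "crm", "home_drive": "H:"}),
]
COMPUTER_GPOS: List[GPO] = [
    # A kiosk OU: no assigned applications, fixed wallpaper.
    ("Kiosk Computers", {"assign_app": "none", "wallpaper": "kiosk.bmp"}),
]


def gpo_list(user_gpos: List[GPO], computer_gpos: List[GPO], mode: str) -> List[GPO]:
    """Return the ordered list of GPOs whose user settings apply at logon.

    mode: "normal"  - loopback disabled; only the user's own GPO list is used.
          "merge"   - the user's GPOs first, then the computer's GPOs appended
                      to the end, so the computer's GPOs win on conflicts.
          "replace" - the user's list is not gathered at all; only the GPOs
                      based on the computer object are used.
    """
    if mode == "normal":
        return list(user_gpos)
    if mode == "merge":
        return list(user_gpos) + list(computer_gpos)
    if mode == "replace":
        return list(computer_gpos)
    raise ValueError(f"unknown loopback mode: {mode}")


def effective_settings(gpos: List[GPO]) -> Dict[str, str]:
    """Apply GPOs in order; a later GPO overwrites an earlier one (higher precedence)."""
    result: Dict[str, str] = {}
    for _name, settings in gpos:
        result.update(settings)
    return result


def resolve(mode: str) -> Dict[str, str]:
    """Effective user settings for the sample data in the given loopback mode."""
    return effective_settings(gpo_list(USER_GPOS, COMPUTER_GPOS, mode))


if __name__ == "__main__":
    for mode in ("normal", "merge", "replace"):
        names = [name for name, _ in gpo_list(USER_GPOS, COMPUTER_GPOS, mode)]
        print(f"{mode:8s} order={names} -> {resolve(mode)}")
```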

    Group Policy May Not Be Applied to Users Belonging to Many Groups

If a user is a member of many groups, either directly or because of group nesting, Kerberos authentication may not work. The Group Policy object (GPO) may not be applied to the user and the user may not be validated to use network resources.

Cause: The Kerberos token has a fixed size. If a user is a member of a group, either directly or by membership in another group, the security ID (SID) for that group is added to the user's token. For a SID to be added to the user's token, it must be communicated by using the Kerberos token. If the required SID information exceeds the size of the token, authentication does not succeed. The number of groups varies, but the limit is approximately 70 to 80 groups.

For many operations, Windows NTLM authentication succeeds; the Kerberos authentication problem may not be evident without analysis. However, operations that include GPO application do not work at all.

    To resolve this problem, obtain the latest service pack for Windows 2000.
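Because the limit counts nested groups too, the practical check is to compute each user's transitive group membership and flag anyone near the threshold. The following is an added example (not from the original document) that does this over constructed membership data; the 70-group threshold is taken from the text.

```python
"""Added example (not from the original document): find users whose transitive
group membership is at or over the Kerberos token limit described above
(roughly 70 to 80 groups, nested groups included).

The membership data is constructed sample data; in a real check it would be
read from the directory (the memberOf attributes of users and groups).
"""
from typing import Dict, Iterable, List, Set

# Constructed sample data: direct memberships, principal -> groups it is in.
# Groups can themselves be members of other groups (nesting).
MEMBER_OF: Dict[str, Set[str]] = {
    "alice": {"sales", "vpn-users"},
    "bob": {"helpdesk"},
    "sales": {"all-staff", "crm-users"},
    "crm-users": {"app-users"},
    "helpdesk": {"all-staff", "it-tier1"},
    "it-tier1": {"it", "helpdesk"},   # nesting cycle: helpdesk -> it-tier1 -> helpdesk
    "all-staff": set(),
}

# Lower end of the range given in the text; treat reaching it as a problem.
TOKEN_GROUP_LIMIT = 70


def build_nested_chain(member_of: Dict[str, Set[str]], user: str, depth: int) -> None:
    """Constructed data: put `user` into a chain of `depth` nested groups
    (chain-0 is a member of chain-1, which is a member of chain-2, ...)."""
    member_of[user] = {"chain-0"}
    for i in range(depth):
        member_of[f"chain-{i}"] = {f"chain-{i + 1}"} if i + 1 < depth else set()


# carol is in only one group directly, but 75 groups transitively.
build_nested_chain(MEMBER_OF, "carol", 75)


def transitive_groups(principal: str, member_of: Dict[str, Set[str]]) -> Set[str]:
    """Every group whose SID would land in the principal's token: direct
    groups plus all groups reached through nesting. A visited set keeps
    membership cycles from looping forever."""
    seen: Set[str] = set()
    stack: List[str] = list(member_of.get(principal, set()))
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        stack.extend(member_of.get(group, set()))
    return seen


def users_over_limit(users: Iterable[str], member_of: Dict[str, Set[str]],
                     limit: int = TOKEN_GROUP_LIMIT) -> Dict[str, int]:
    """Map each user at or over `limit` to its transitive group count."""
    report: Dict[str, int] = {}
    for user in users:
        count = len(transitive_groups(user, member_of))
        if count >= limit:
            report[user] = count
    return report


if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, len(transitive_groups(user, MEMBER_OF)))
    print("at risk:", users_over_limit(["alice", "bob", "carol"], MEMBER_OF))
```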


    Explain Kerberos V5 authentication process?

Kerberos V5 is the primary security protocol for authentication within a domain. The Kerberos V5 protocol verifies both the identity of the user and of network services. This dual verification is known as mutual authentication.

HOW KERBEROS V5 WORKS

The Kerberos V5 authentication mechanism issues tickets (a set of identification data for a security principal, issued by a DC for purposes of user authentication; the two forms of tickets in Windows 2000 are ticket-granting tickets (TGTs) and service tickets) for accessing network services. These tickets contain encrypted data, including an encrypted password, which confirms the user's identity to the requested service.

An important service within Kerberos V5 is the Key Distribution Center (KDC), a Kerberos V5 service that runs on a DC and issues ticket-granting tickets (TGTs) and service tickets for obtaining network authentication in a domain. The KDC runs on each DC as part of Active Directory, which stores all client passwords and other account information.

    The Kerberos V5 authentication process works as follows:

1. The user on a client system authenticates to the KDC using a password.
2. The KDC issues a special ticket-granting ticket (a ticket issued by the Kerberos V5 Key Distribution Center (KDC) for purposes of obtaining a service ticket from the ticket-granting service (TGS)) to the client. The client system uses this TGT to access the ticket-granting service (TGS), which is part of the Kerberos V5 authentication mechanism on the DC.
3. The TGS then issues a service ticket to the client.
4. The client presents this service ticket to the requested network service. The service ticket proves both the user's identity to the service and the service's identity to the user.

KERBEROS V5 AND DCS

The Kerberos V5 services are installed on each DC, and a Kerberos client is installed on each Windows 2000 workstation and server.

Every DC acts as a KDC. A Windows 2000 system uses a DNS lookup to locate the nearest available DC. That DC then functions as the preferred KDC for that user during the user's logon session. If the preferred KDC becomes unavailable, the Windows 2000 system locates an alternate KDC to provide authentication.

How the Local User Accounts Are Handled When a Server Is Promoted to a DC

When a server is promoted to a DC, the server no longer uses the local SAM database to store users and groups. When the promotion is complete, the DC stores users, groups, and computer accounts in the Active Directory database. The SAM database is still present, but it is inaccessible when the server is running in normal mode; it is used when you boot into Directory Services Restore Mode or the Recovery Console.

If this new DC is the first DC in a new domain, all of the local user accounts in the SAM database are migrated to Active Directory. All permissions that had been assigned to the local users, such as NTFS permissions, are retained.

Can we run dcpromo on a server on which NAT is installed?

When you attempt to promote or demote a DC with dcpromo, you may receive the following error message:

Active Directory Installation failed
The operation failed because:
Failed to modify the necessary properties for the machine account Servername$
The specified server cannot perform the requested operation.

This can happen when the server is using Network Address Translation (NAT), and it can be caused by the H.323/LDAP Proxy Service. To resolve this behavior, install SP1 or disable the H.323/LDAP proxy service with the following command:

Do not use NAT on a network with other DCs, DNS servers, gateways, DHCP servers, or systems configured for static IP because of possible conflicts with other services. Do not connect NAT directly to a corporate network because Kerberos authentication, IPSec, and Internet Key Encryption (IKE) will not work.

Enable Debug Logging in the Microsoft Directory Synchronization Services Tool

When you troubleshoot synchronization issues in the MSDSS tool, you can enable debug logging to capture detailed information about the synchronization process.

To enable detailed MSDSS logging, go to

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Msdss\

Create a new REG_DWORD value named DebugLogLevel, set it to 1, and restart the computer. 1 activates logging, 0 turns logging off.

The logging information is placed in the %Systemroot%\System32\DirectorySynchronization\Session Logs folder. The log files are labeled "Session#-#.log".

    Auditing Does Not Report Security Event for Resetting Password on DC

If you choose to audit success and failure with the "Audit account management" policy, auditing does not report the expected success event in the Security log when an administrator resets a user password on a DC.


This problem occurs because Remote Procedure Call (RPC) impersonation does not succeed when the Security service tries to send a message to the Eventlog service. SP2 solves this problem.

    How to Change the Recovery Console Administrator Password on a DC

When you promote a Windows 2000 Server-based computer to a DC, you are prompted to type a Directory Service Restore Mode Administrator password. This password is also used by Recovery Console, and is separate from the Administrator password that is stored in Active Directory after a completed promotion.

The Administrator password that you use when you start Recovery Console or when you press F8 to start Directory Service Restore Mode is stored in the SAM on the local computer. The SAM-based account and password are computer specific and are not replicated to other DCs in the domain.

To change the local Administrator password that you use when you start Recovery Console or when you start Directory Service Restore Mode, use one of the following methods.

    Method 1

On a DC, use the %systemroot%\system32\Setpwd.exe (SP2 or later) utility to change the SAM-based Administrator password. To change the SAM Administrator password on a remote DC, type the following command:

    Setpwd /s:servername

    Method 2

Restart the DC in Directory Service Restore Mode. Use the command net user administrator * or Local Users and Groups.

Who can "Log On Locally" to a DC?

By default, Account Operators, Administrators, Backup Operators, Print Operators, Server Operators, the Internet Guest Account, and the Terminal Services User Account are assigned the "Log on locally" right.

    Explain User and Computer naming in AD?

Active Directory domain names are usually the full DNS name of the domain. For backward compatibility, each domain also has a pre-Windows 2000 name.

    USER ACCOUNTS

In Active Directory, each user account has a user logon name, a pre-Windows 2000 user logon name (SAM account name), and a user principal name suffix. Active Directory suggests a pre-Windows 2000 user logon name using the first 20 bytes of the user logon name.


In Active Directory, each user account has a user principal name, which is composed of the user logon name and the user principal name suffix joined by the @ sign.

Do not add the @ sign to the user logon name or to the user principal name suffix. Active Directory automatically adds it when it creates the user principal name. A user principal name that contains more than one @ sign is invalid.

The second part of the user principal name, referred to as the user principal name suffix, identifies the domain in which the user account is located. This user principal name suffix can be the DNS domain name, the DNS name of any domain in the forest, or it can be an alternative name created by an administrator and used just for logon purposes. This alternative user principal name suffix does not need to be a valid DNS name.

Using alternative domain names as the user principal name suffix can provide additional logon security and simplify the names used to log on to another domain in the forest.

E.g. Sanjo is a user in sales.westcoast.microsoft.com, so the logon name would be [email protected]. Creating a user principal name suffix of "microsoft" would allow that same user to log on using the much simpler logon name of sanjo@microsoft.

You can add or remove user principal name suffixes using Active Directory Domains and Trusts.

    COMPUTER ACCOUNTS

Each computer account created in Active Directory has a relative distinguished name, a pre-Windows 2000 computer name (SAM account name), a primary DNS suffix, a DNS host name and a service principal name. This computer name is used as the LDAP relative distinguished name.

Active Directory suggests the pre-Windows 2000 name using the first 15 bytes of the relative distinguished name. This can be changed at any time.

The primary DNS suffix defaults to the full DNS name of the domain to which the computer is joined. The DNS host name is built from the first 15 characters of the relative distinguished name + the primary DNS suffix.

The service principal name is built from the DNS host name. The service principal name is used in the process of mutual authentication between the client and the server hosting a particular service. The client finds a computer account based on the service principal name of the service to which it is trying to connect.

It is possible for administrators to change the way the service principal name is created. This security modification allows a computer to use primary DNS suffixes that are different from the domain to which the computer is joined. The same modification also allows Active Directory to use more than the first 15 bytes of the relative distinguished name when constructing the service principal name.

Computers with these modified computer names will register their names in DNS correctly, but an additional procedure is required to enable correct registration of the DNS host name (dNSHostName) and service principal name (servicePrincipalName) attributes of the computer object in Active Directory.

    To allow a computer to use a different DNS name

1. Right-click Active Directory Users and Computers, point to View, and then click Advanced Features.
2. Right-click the name of the domain, and then click Properties.
3. On the Security tab, click Add, click the Self group, click Add, and then click OK.
4. Click Advanced, click Self, and then click View/Edit.
5. On the Properties tab, in Apply onto, click Computer Objects.
6. Under Permissions, click Write dNSHostName, and then click the Allow check box.

By modifying default security in this way, there is a possibility that a computer joined to the selected domain could be operated by a malicious user and may be able to advertise itself under a different name through the service principal name attribute.

    Resetting Computer Accounts in Windows 2000 and Windows XP

For each Windows 2000/XP PC that is a member of a domain, there is a discrete communication channel, known as the secure channel, with a DC. The secure channel's password is stored along with the computer account on all DCs. The default computer account password change period is every 30 days. If the computer account's password and the LSA secret are not synchronized, the Netlogon service logs one or both of the following error messages:

The session setup from the computer DOMAINMEMBER failed to authenticate. The name of the account referenced in the security database is DOMAINMEMBER$. The following error occurred: Access is denied.

    NETLOGON Event ID 3210:

    Failed to authenticate with \\DOMAINDC, a Windows NT DC for domain DOMAIN.

The Netlogon service on the DC logs the following error message when the password is not synchronized:

NETLOGON Event 5722:

The session setup from the computer %1 failed to authenticate. The name of the account referenced in the security database is %2. The following error occurred: %n%3

We can reset a computer password using the Active Directory Users and Computers MMC: right-click the computer object and then click Reset Account. Resetting the password for DCs using this method is not allowed. Resetting a computer account breaks that computer's connection to the domain and requires it to rejoin the domain. This will prevent an established computer from connecting to the domain and should only be used for a computer that has just been rebuilt.
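Detection of the two Netlogon messages quoted above, as an added example that is not part of the original document: it scans constructed log lines for Event 5722 (logged on the DC) and Event 3210 (logged on the member) and extracts the computer accounts involved. The "EventID=... Source=..." line prefix is an assumption of this example, not a real Windows export format; the message bodies follow the formats quoted in the text.

```python
"""Added example (not from the original document): scan Netlogon messages for
the secure-channel failures described above (Event 3210 on the member,
Event 5722 on the DC) and list the computer accounts affected.

The log lines are constructed sample data. The "EventID=<n> Source=<s> <msg>"
prefix is an assumption of this example; the message text follows the formats
quoted in the text.
"""
import re
from typing import Dict, List, Optional

# Constructed sample log lines (one event per line).
SAMPLE_LOG = """\
EventID=5722 Source=NETLOGON The session setup from the computer WS-FINANCE03 failed to authenticate. The name of the account referenced in the security database is WS-FINANCE03$. The following error occurred: Access is denied.
EventID=5722 Source=NETLOGON The session setup from the computer SRV-FILES01 failed to authenticate. The name of the account referenced in the security database is SRV-FILES01$. The following error occurred: Access is denied.
EventID=5722 Source=NETLOGON The session setup from the computer WS-FINANCE03 failed to authenticate. The name of the account referenced in the security database is WS-FINANCE03$. The following error occurred: Access is denied.
EventID=3210 Source=NETLOGON Failed to authenticate with \\\\DC01, a Windows NT DC for domain CORP.
EventID=0 Source=OtherSource Unrelated message (constructed filler line).
"""

# Matches the Event 5722 message body (the %1 / %2 / %3 placeholders filled in).
SESSION_SETUP_RE = re.compile(
    r"The session setup from the computer (?P<computer>\S+) failed to authenticate\."
    r" The name of the account referenced in the security database is (?P<account>\S+?)\.?"
    r" The following error occurred: (?P<error>.+?)\.?$"
)
# Matches the Event 3210 message body and captures the DC and domain.
FAILED_AUTH_RE = re.compile(
    r"Failed to authenticate with \\\\(?P<dc>\S+), a Windows NT DC for domain (?P<domain>\S+?)\.?$"
)
EVENT_RE = re.compile(r"^EventID=(?P<id>\d+) Source=(?P<source>\S+) (?P<message>.*)$")


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one constructed log line into id, source and message."""
    m = EVENT_RE.match(line.strip())
    return m.groupdict() if m else None


def secure_channel_failures(log_text: str) -> Dict[str, List[Dict[str, str]]]:
    """Return {"dc_side": [5722 details...], "member_side": [3210 details...]}."""
    out: Dict[str, List[Dict[str, str]]] = {"dc_side": [], "member_side": []}
    for line in log_text.splitlines():
        ev = parse_line(line)
        if not ev or ev["source"] != "NETLOGON":
            continue
        if ev["id"] == "5722":
            m = SESSION_SETUP_RE.search(ev["message"])
            if m:
                out["dc_side"].append(m.groupdict())
        elif ev["id"] == "3210":
            m = FAILED_AUTH_RE.search(ev["message"])
            if m:
                out["member_side"].append(m.groupdict())
    return out


def accounts_to_reset(log_text: str) -> List[str]:
    """Computer accounts (SAM names with trailing $) named in 5722 events, each once,
    in first-seen order; these are the candidates for a reset / domain rejoin."""
    seen: List[str] = []
    for failure in secure_channel_failures(log_text)["dc_side"]:
        if failure["account"] not in seen:
            seen.append(failure["account"])
    return seen


if __name__ == "__main__":
    print(secure_channel_failures(SAMPLE_LOG))
    print("accounts to reset:", accounts_to_reset(SAMPLE_LOG))
```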

    Distinguishing a DC from a Windows 2000 Member Server

- The \NTDS registry key exists in the HKLM\SYSTEM\CCS\SERVICES portion of the registry.
- The SYSVOL and NETLOGON shares exist. (The SYSVOL share and its contents exist after demotion of a DC.)
- NBTSTAT shows that the 1C name (Domain) has been registered. Type nbtstat -n from a command prompt and note the presence of the 1C name.
- The NET ACCOUNTS utility lists the computer role as "PRIMARY" for a DC and as "SERVERS" for a standalone server. Type net accounts from the command prompt.
- The NET START command indicates that the Kerberos Key Distribution Center (KDC) service is running. Type net start |more.
- The computer responds to LDAP queries (specifically, on port 389 or 3268).
- The "Connect to server %S" command in Ntdsutil.exe functions only against Windows 2000 DCs.
- The Change button on the Network Identification tab in My Computer is disabled when Windows 2000 is configured as a DC. A note appears indicating this.
- Run Netdiag (a Resource Kit utility) and observe the "Machine is a Primary DC" entry in the output. Type netdiag /v from the command prompt.

    How to create Third-Party Microsoft Installer Package (.MSI)

If you want to install a third-party program by using this method, you must install a copy of Veritas Software Console by Seagate Software at a location that is accessible by the reference computer. This program is available on the Windows 2000 CD-ROM in Valueadd\3rdparty\Mgmt\Winstle\Swiadmle.msi. This includes a copy of WinINSTALL limited edition, which allows for basic functionality.

    Clean PC

A clean PC is defined as a computer with only the following items on it before you run Discover:

- The operating system
- The service packs for the operating system

If you install Veritas Software Console on the computer, it is by definition no longer a clean PC. You must install Veritas Software Console somewhere, but not on the clean PC.

    Reference Computer

A clean PC ensures that the Discover program will pick up all files and registry entries necessary for the program to run. The reference computer should have access to the Discover program (Discoz.exe) in the Winstall folder from the Run command on the Start menu. Do not map a drive to the Winstall share. Doing so may cause Discover to pick up the added drive, possibly causing problems in your Microsoft Installer packages.

    Discover

The Discover program is the program you use to create the instruction file (Microsoft Installer package) that contains information about what needs to be done to install a product.

    How to Create a Third-Party MSI Package

    For this process to work properly, you should start with a clean PC.


1. Start with a clean PC, or one that is representative of the computers in your network.
2. Start Discover to take a picture of the representative PC's software configuration. This is the Before snapshot.
3. Install a program on the PC on which you took the Before snapshot.
4. Reboot the PC.
5. Run the new program to verify that it works.
6. Quit the program.
7. Start Discover and take an After snapshot of the PC's new configuration. Discover compares the Before and the After snapshots and notes the changes. It creates a Microsoft Installer package with information about how to install that program on such a PC in the future.
8. (Optional) Use Veritas Software Console to customize the Microsoft Installer package.
9. Clean the reference computer to prepare to run Discover again.
10. (Optional) Perform a test installation of the program on non-production workstations.

    AD Replication

    Create and Configure a Site Link in Active Directory in Windows 2000

For the site link to become active, there must be at least two sites available in Active Directory.

A Site Link object represents a set of sites that can communicate at uniform cost through an inter-site transport. For IP transport, a typical site link connects just two sites and corresponds to an actual WAN link. An IP site link that connects more than two sites might correspond to an asynchronous transfer mode (ATM) backbone that connects more than two clusters of buildings on a large campus, or several offices in a large metropolitan area that are connected through leased lines and IP routers.

    How to Create a Site Link

    To create a new site link:

1. Click Active Directory Sites and Services.
2. Expand the Inter-Site Transports node, right-click IP (or click SMTP if you want to use SMTP as the inter-site transport protocol), and then click New Site Link.

If you have only one site in Active Directory, you receive a message that states that two sites are required for the site link to work. Click OK to continue.

    Domain Replication and the knowledge consistency checker


    Because Windows 2000 uses multi-master replication, keeping all DCs consistent is a problem. The KCC creates connection objects dynamically between the DCs and triggers replication.

    As the number of DCs increases, replication consumes more and more network bandwidth. The KCC balances the need for consistency against bandwidth limitations using the timely contact rule: within a site, no DC is allowed to be more than three replication hops from any other DC. The KCC maintains this topology automatically. You can force the KCC to run immediately with the Repadmin.exe tool (installed from the Windows 2000 Support Tools). To force the KCC on the server named server1.mydomain.com, issue the following command:

    repadmin /kcc server1.mydomain.com

    Note that /kcc only recomputes the topology; it does not replicate any data. To trigger replication itself, use repadmin /syncall or Replicate Now in Active Directory Sites and Services.

    Intersite replication relaxes the timely contact rule, since replication between sites usually occurs over slower links. The KCC can be tuned for your particular intersite replication needs through site link costs and schedules.

    Bridgehead servers perform directory replication between two sites. Only two designated DCs, one in each site, talk to each other; these DCs are called bridgehead servers. Because a domain partition replicates only between DCs of that domain, a site that contains DCs from multiple domains has a bridgehead server for each domain.

    Each Active Directory site also has one DC that takes the role of Inter-Site Topology Generator (ISTG), which reviews and generates the connection objects for the bridgehead servers in that site.

    There is only one DC with this role in each site, even if you have multiple domains. The first DC in the site becomes the ISTG for the site by default. You cannot choose which DC is the ISTG, but you can find out which one it is:

    1. Open the Active Directory Sites and Services console and select the site object.
    2. In the right pane, right-click the NTDS Site Settings object and select Properties. The current role owner appears in the Server box under Inter-Site Topology Generator on the Site Settings tab.

    If the DC holding the ISTG role is offline for more than 60 minutes, another DC in the site automatically takes over the role.

    Replication Access Was Denied" Error Message When Attempting to

    Synchronize DCs

    When you use the Active Directory Sites and Services snap-in from a child domain to force replication from a parent domain or another child domain at the same level, you may receive the following error message:

    The following error occurred during the attempt to synchronize the DCs: Replication Access was denied

    Domains in Active Directory are administrative boundaries (the forest, not the domain, is the real security boundary). Administrative permissions do not flow down; they need to be assigned. When a child domain is created, the Enterprise Admins group is added to the built-in Administrators group of the child domain. This allows the administrator of the parent domain to administer and force replication from either the parent domain or the child domain, but the administrator in the child domain is only able to force replication from within his or her own domain.

    To resolve this issue, give the administrator in the child domain permissions on the parent domain from which you want to force replication, for example by adding the account to the Administrators group in the parent domain. Be aware that this grants far more than the ability to force replication; the least-privilege alternative is to delegate only the Replication Synchronization control access right on the directory partitions concerned.

    Repeat these steps from each domain that you want to assign administrative permissions to.

    Keep in mind that parent domains are able to manage all of their child domains, but you need to perform the steps described here for any child domains that want to manage the parent domain or other child domains on the same level.

    RPC Error Messages Returned for Active Directory Replication When Time Is

    Out of Synchronization

    When you are viewing the status of Active Directory replication between two DCs, the following messages may be displayed for the result of the last replication attempt:

    The RPC server is unavailable.

    -or-

    The RPC server is too busy to complete this operation.

    These error messages may also be reported in the Event log or through Replication Monitor. By default, Windows 2000 computers synchronize time with a time server: domain members with a DC, DCs with the PDC emulator of their domain, and PDC emulators up the domain hierarchy to the PDC emulator of the forest root. If the time server is not available and the time difference between DCs drifts beyond the skew allowed by Kerberos (5 minutes by default), authentication between the two DCs fails and the RPC error messages can result.

    Synchronize time between DCs with net time:

    net time \\mypdc /set /y

    This synchronizes the local computer time with the server named Mypdc. The /set switch not only queries the time but also sets the local clock to match the specified server, and the /y switch skips the confirmation prompt for changing the local time. This is a one-time correction; the durable fix is to make sure the Windows Time service on each DC can reach its source, and to give the forest root PDC emulator an external source with net time /setsntp:<server>.
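The skew check behind this error, as an added example in Python that is not part of the original document: it parses the "Current time at \\server is ..." lines that net time \\<dc> prints when run against each DC, and reports every DC pair whose clocks differ by more than the 5-minute Kerberos tolerance. The DC names and times are constructed for the example; in practice you run the real commands from one workstation and paste the lines in.

```python
import re
from datetime import datetime
from itertools import combinations

# Kerberos rejects tickets when clocks differ by more than this (5 minutes by
# default); beyond it DC-to-DC authentication fails and the RPC errors appear.
MAX_SKEW_SECONDS = 5 * 60

# Constructed sample: the result lines of `net time \\<dc>` run against three DCs
# from one workstation. The names and times are made up for this example.
SAMPLE_NET_TIME = """\
Current time at \\\\DC1 is 8/12/2019 10:03:12 AM
Current time at \\\\DC2 is 8/12/2019 10:03:40 AM
Current time at \\\\DC3 is 8/12/2019 10:11:05 AM
"""

_LINE_RE = re.compile(r"^Current time at \\\\(\S+) is (.+)$")


def parse_net_time(output):
    """Return {dc_name: datetime} from `net time` result lines; other lines are ignored."""
    clocks = {}
    for line in output.splitlines():
        match = _LINE_RE.match(line.strip())
        if match:
            name, stamp = match.groups()
            clocks[name.upper()] = datetime.strptime(stamp.strip(), "%m/%d/%Y %I:%M:%S %p")
    return clocks


def skewed_pairs(clocks, tolerance=MAX_SKEW_SECONDS):
    """Return [(dc_a, dc_b, skew_seconds)] for every DC pair whose clocks differ by
    more than the tolerance. Skew is checked pairwise because replication and
    Kerberos authentication happen between partners, not against the local clock."""
    bad = []
    for a, b in combinations(sorted(clocks), 2):
        skew = int(abs((clocks[a] - clocks[b]).total_seconds()))
        if skew > tolerance:
            bad.append((a, b, skew))
    return bad


if __name__ == "__main__":
    clocks = parse_net_time(SAMPLE_NET_TIME)
    for a, b, skew in skewed_pairs(clocks):
        print(f"{a} and {b} differ by {skew}s: Kerberos will reject tickets between them")
```

Each net time query takes a moment, so a few seconds of the reported skew is query latency; only differences well above that matter, and with the constructed sample DC3 is the one to fix.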

    How Conflicts Are Resolved in Active Directory Replication

    All computers that provide multi-master updates must deal with potential conflicts that arise when concurrent updates originating on two separate master replicas are inconsistent. There are three types of conflicts:

    Attribute value: An object's attribute is set concurrently to one value at one master, and another value at a second master.

    Add/move under a deleted container object, or deletion of a non-leaf object: One master records the deletion of a container object, while another master records the placement of another object subordinate to that deleted container.

    Sibling name conflict: One replica moves an object into a container in which another replica has concurrently moved (or created) another object with the same relative distinguished name (RDN).

    Active Directory orders all updates by assigning a globally unique stamp to each originating update (the attribute's version number, the originating timestamp and the originating DSA's invocation ID, compared in that order). If there is a conflict, the ordering of stamps allows every replica to reach the same resolution:

    Attribute value: The value whose update operation has the larger stamp wins.

    Add/move under a deleted container object, or deletion of a non-leaf object: After resolution at all replicas, the container object is deleted and the orphaned object is made a child of the naming context's LostAndFound container. Stamps are not involved in this resolution.

    Sibling name conflict: The object with the larger stamp keeps the RDN. The other object is assigned a unique RDN by the system, built from a reserved character, the original RDN and the object's GUID, so that it cannot collide with any client-assigned value.
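A small model of the three resolution rules above, added here as an example and not taken from the document or from Microsoft's code. The stamp ordering (version, then originating time, then originating DSA) is how Active Directory compares stamps; the "*CNF:" rename layout, the LostAndFound DN and all object names are assumptions of the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True, order=True)
class Stamp:
    """Originating-update stamp. Fields are compared in declaration order:
    version first, then originating time, then the originating DSA's invocation
    ID as the final tie-breaker, which is the ordering AD uses."""
    version: int
    originating_time: int   # seconds since epoch (constructed values in the tests)
    originating_dsa: str    # invocation ID as text (constructed values)


def resolve_attribute(local, remote):
    """Attribute-value conflict. Both arguments are (value, Stamp); the value
    carrying the larger stamp wins, so every replica reaches the same answer."""
    return remote if remote[1] > local[1] else local


def resolve_sibling(candidates):
    """Sibling name conflict. candidates: list of (rdn, Stamp, object_guid) that
    collided on the same RDN under one parent. The largest stamp keeps the RDN;
    each loser gets a system-unique RDN built from a reserved character, the
    original RDN and its GUID. The '*CNF:' layout follows this page's wording
    and is an assumption of the example, not the exact on-disk form."""
    winner = max(candidates, key=lambda c: c[1])
    names = {}
    for rdn, stamp, guid in candidates:
        names[guid] = rdn if (rdn, stamp, guid) == winner else f"{rdn}*CNF:{guid}"
    return names


def relocate_orphan(object_dn, lost_and_found_dn):
    """Add/move under a deleted container. The container stays deleted and the
    orphan keeps its RDN but is re-parented under LostAndFound; no stamp is
    consulted. Assumes the RDN contains no escaped commas."""
    rdn = object_dn.split(",", 1)[0]
    return f"{rdn},{lost_and_found_dn}"


if __name__ == "__main__":
    a = Stamp(3, 1_000, "aaaa-invocation")
    b = Stamp(3, 1_000, "bbbb-invocation")
    print(resolve_attribute(("Sales", a), ("Marketing", b))[0])       # Marketing
    print(resolve_sibling([("CN=Printer1", a, "guid-a"), ("CN=Printer1", b, "guid-b")]))
    print(relocate_orphan("CN=Laptop7,OU=Sales,DC=example,DC=com",
                          "CN=LostAndFound,DC=example,DC=com"))
```

The point to take from the model is that a higher version beats a later timestamp: an attribute written twice on one DC (version 4) wins over a single later write elsewhere (version 3), which is why "last writer wins" is only an approximation of what AD does.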

    How to Modify the Default Intra-Site DC Replication Interval

    When a DC writes a change to its local copy of the Active Directory, a timer is started that determines when the DC's replication partners should be notified of the change. By default, this interval is 5 minutes. When this interval elapses, the DC notifies each intra-site replication partner that it has changes that need to be propagated. Another configurable parameter determines the number of seconds to pause between notifications; this pause prevents all replication partners from pulling at the same moment. By default, this interval is 30 seconds. Both intervals can be modified by editing the registry.

    To modify the delay between a change to Active Directory and the first replication partner notification, use Registry Editor to modify the value data of the "Replicator notify pause after modify (secs)" DWORD value in the following registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

    The default value data for "Replicator notify pause after modify (secs)" is 0x12c hexadecimal, which is 300 decimal (5 minutes).

    To modify the notification delay between DCs, modify the value data of the "Replicator notify pause between DSAs (secs)" DWORD value in the same registry key:

    HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

    The default value data for "Replicator notify pause between DSAs (secs)" is 0x1e hexadecimal, which is 30 decimal (30 seconds).

    Lowering these values makes intra-site changes converge faster at the cost of more replication traffic; set them consistently on every DC in the site. (Windows Server 2003 reduced the defaults to 15 seconds and 3 seconds.)

    The Role of the Inter-Site Topology Generator in Active Directory Replication

    The Knowledge Consistency Checker (KCC) is an Active Directory component that is responsible for generating the replication topology between DCs. This section describes the role of one server per site, known as the Inter-Site Topology Generator, which is responsible for managing the inbound replication connection objects for all bridgehead servers in the site in which it is located.

    When the KCC on each DC generates the intra-site topology for the site in which it resides, it creates a connection object in Active Directory only when a connection object is required for the local computer. These changes propagate to other DCs through the normal replication process. Each DC uses the same algorithm to compute the replication topology, and in a state of equilibrium between DCs, each should arrive at the same result as to what the replication topology should be. In the process, each DC creates its own inbound connection objects.

    Connection objects for bridgehead servers for inter-site replication are created differently. The KCC on one DC in each site is responsible for reviewing the inter-site topology and creating inbound replication connection objects as necessary for bridgehead servers in the site in which it resides. This DC is known as the Inter-Site Topology Generator (ISTG). The DC holding this role is not necessarily a bridgehead server itself.

    When the ISTG determines that a connection object needs to be created or modified on a given bridgehead server in the site, the ISTG makes the change to its local Active Directory copy. As part of the normal intra-site replication process, these changes propagate to the bridgehead servers in the site. When the KCC on the bridgehead server reviews the topology after receiving these changes, it translates the connection objects into replication links that Active Directory uses to replicate data from remote bridgehead servers.

    The current owner of the ISTG role is communicated through the normal Active Directory replication process. Initially, the first server in the site becomes the ISTG for the site. The role does not change as additional DCs are added to the site until the current ISTG becomes unavailable.

    The current ISTG notifies every other DC in the site that it is still present by writing the "interSiteTopologyGenerator" attribute on the NTDS Site Settings object of its site in the Configuration naming context at a specified interval.

    As this attribute is propagated to other DCs by Active Directory replication, the KCC on each of them monitors it to verify that it has been written within a specified amount of time. If that time elapses without a modification, a new ISTG takes over.

    When a new ISTG needs to be established, each DC orders the list of servers in the site in ascending order by their Globally Unique Identifier (GUID). The DC that is next in the list after the current owner takes over the role, starts writing the "interSiteTopologyGenerator" attribute, and performs the KCC processing needed to manage inbound connection objects for bridgehead servers. If the current owner is the last server in the list, the selection wraps around to the first DC listed in the site.

    If two DCs in the site both believe that they own the ISTG role, there may be a temporary state in which inbound replication connection objects are created by two computers. Once replication occurs and all DCs receive the change identifying the new ISTG, the KCC on the ISTG adjusts the topology as appropriate.
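The takeover rule as a runnable model, added as an example and not part of the original document: DCs are ordered by GUID, the successor of a stale owner is the next DC in that order with wrap-around, and the owner is stale when its interSiteTopologyGenerator write is older than the 60-minute window. The DC names and GUIDs are constructed, and ordering by the GUID's textual value is an assumption of the example (the KCC compares the stored binary objectGUID, whose byte layout differs from the text form).

```python
import uuid

# Failover window this page cites: a new ISTG is chosen when the attribute has
# not been rewritten for 60 minutes (assumed here to be expressed in seconds).
ISTG_FAILOVER_SECONDS = 60 * 60

# Constructed site: DC names and GUIDs invented for this example.
SAMPLE_SITE = {
    "DC1": "6c6e2b9a-0a3f-4d6e-8f2a-000000000001",
    "DC2": "2a1b0c9d-7e6f-4a5b-9c8d-000000000002",
    "DC3": "f0e1d2c3-b4a5-4968-8776-000000000003",
}


def ordered_by_guid(dcs):
    """dcs: {dc_name: guid_string}. Return names in ascending GUID order.
    Assumption: the order is taken from the canonical 128-bit value of the
    textual GUID; the real KCC orders by the stored objectGUID bytes."""
    return sorted(dcs, key=lambda name: uuid.UUID(dcs[name]).int)


def next_istg(dcs, current_owner):
    """The DC after the current owner in GUID order takes the role, wrapping to
    the first DC when the owner is last in the list."""
    order = ordered_by_guid(dcs)
    return order[(order.index(current_owner) + 1) % len(order)]


def evaluate_istg(dcs, current_owner, last_written, now, timeout=ISTG_FAILOVER_SECONDS):
    """What a DC's KCC concludes after replication: keep the owner while its
    interSiteTopologyGenerator write is fresh, otherwise compute the successor.
    last_written and now are seconds on the evaluating DC's clock."""
    if now - last_written > timeout:
        return next_istg(dcs, current_owner)
    return current_owner


if __name__ == "__main__":
    print(ordered_by_guid(SAMPLE_SITE))                              # ['DC2', 'DC1', 'DC3']
    print(evaluate_istg(SAMPLE_SITE, "DC1", last_written=0, now=3601))  # DC3
```

Because every DC runs the same deterministic rule over the same replicated data, they converge on the same successor without an election protocol; the temporary double-ownership described above happens only while the attribute write has not yet replicated everywhere.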

    Domain Name System

    Questions about Windows 2000 DNS

    What are the common mistakes that are made when administrators set up DNS on a network that contains a single Windows 2000 or Windows Server 2003 DC?

    The most common mistakes are:

    1. The DC is not pointing to itself for DNS resolution on all network interfaces.
    2. The "." zone exists under forward lookup zones in DNS.
    3. Other computers on the local area network (LAN) do not point to the Windows 2000 DNS server for DNS.

    Why do I have to point my DC to itself for DNS?

    The Netlogon service on the DC registers a number of records in DNS that enable other DCs and computers to find Active Directory-related information. If the DC points to the Internet service provider's (ISP) DNS server, Netlogon does not register the correct records for Active Directory, and errors are logged in Event Viewer. The preferred DNS server setting for the DC is itself; no other DNS servers should be listed. The only exception is additional DCs: additional DCs in the domain must point to the first DC (which runs DNS) as preferred and to themselves as alternate.

    What does a DC register in DNS?

    The Netlogon service registers all the SRV records for that DC. These records are displayed as the _msdcs, _sites, _tcp, and _udp folders in the forward lookup zone that matches your domain name. Other computers look for these records to find Active Directory-related information.
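A way to verify those registrations offline, added here as an example and not part of the original document: the expected SRV names for a single-domain forest are generated, and the output of nslookup -type=SRV <name> queries is parsed to find which are missing. The domain example.com, the site name and the nslookup output are constructed; the list of expected names is a subset and assumes the DC is a global catalog in the forest root domain.

```python
import re

# Constructed sample in the layout the Windows nslookup client prints for
# `nslookup -type=SRV <name>`; two queries were answered, the rest were not run.
SAMPLE_NSLOOKUP = """\
Server:  dc1.example.com
Address:  10.0.0.1

_ldap._tcp.dc._msdcs.example.com        SRV service location:
          priority       = 0
          weight         = 100
          port           = 389
          svr hostname   = dc1.example.com
_kerberos._tcp.dc._msdcs.example.com    SRV service location:
          priority       = 0
          weight         = 100
          port           = 88
          svr hostname   = dc1.example.com
dc1.example.com internet address = 10.0.0.1
"""

_HEADER_RE = re.compile(r"^(\S+)\s+SRV service location:")
_HOST_RE = re.compile(r"svr hostname\s*=\s*(\S+)")


def expected_srv_names(domain, site="Default-First-Site-Name"):
    """Well-known SRV names Netlogon registers for a DC that is also a global
    catalog in the forest root domain. Assumption of this example: one domain
    that is the forest root; in a child domain the gc and forest-wide records
    are registered under the forest root name instead."""
    d, s = domain.lower(), site.lower()
    return {
        f"_ldap._tcp.{d}",
        f"_ldap._tcp.dc._msdcs.{d}",
        f"_ldap._tcp.pdc._msdcs.{d}",
        f"_ldap._tcp.gc._msdcs.{d}",
        f"_ldap._tcp.{s}._sites.{d}",
        f"_ldap._tcp.{s}._sites.dc._msdcs.{d}",
        f"_kerberos._tcp.{d}",
        f"_kerberos._udp.{d}",
        f"_kerberos._tcp.dc._msdcs.{d}",
        f"_kpasswd._tcp.{d}",
        f"_kpasswd._udp.{d}",
        f"_gc._tcp.{d}",
    }


def parse_nslookup_srv(output):
    """Return {record_name: [target hosts]} from concatenated nslookup output.
    A name is counted as registered only when a 'SRV service location:' header
    appears for it; 'Server:'/'Address:' lines and A-record echoes are skipped."""
    found, current = {}, None
    for line in output.splitlines():
        header = _HEADER_RE.match(line)
        if header:
            current = header.group(1).lower()
            found.setdefault(current, [])
            continue
        host = _HOST_RE.search(line)
        if host and current is not None:
            found[current].append(host.group(1).lower())
    return found


def missing_srv_names(domain, nslookup_output, site="Default-First-Site-Name"):
    """Expected names that no query in the output resolved, sorted for reporting."""
    found = parse_nslookup_srv(nslookup_output)
    return sorted(expected_srv_names(domain, site) - set(found))


if __name__ == "__main__":
    for name in missing_srv_names("example.com", SAMPLE_NSLOOKUP):
        print("missing:", name)
```

If the names come back missing although the DC points to itself, the cause is usually a disjoint namespace or a zone that refuses dynamic updates; restarting the Netlogon service re-registers the records once the cause is fixed.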

    Why can't I use WINS for name resolution like it is used in Microsoft Windows NT 4.0?

    A Windows 2000 DC does not register Active Directory-related information with a WINS server; it registers this information only with a DNS server that supports dynamic updates, such as a Windows 2000 DNS server. Other Windows 2000-based computers do not query WINS to find Active Directory-related information.

    If I remove the ISP's DNS server settings from the DC, how does it resolve names such as Microsoft.com on the Internet?

    As long as the "." zone does not exist under forward lookup zones in DNS, the DNS service uses the root hint servers. The root hint servers are well-known servers on the Internet that help all DNS servers resolve name queries.

    What is the "." zone in my forward lookup zone?

    This zone makes the Windows 2000 DNS server behave as a root server for the whole namespace, so it never consults the Internet root hints. It is created automatically when DNS is installed on a DC that cannot reach the Internet, and it is usually deleted. If you do not delete it, you cannot perform external name resolution through the root hint servers on the Internet.

    Do I need to configure forwarders in DNS?

    By default, Windows 2000 DNS uses the root hint servers on the Internet; however, you can configure forwarders to send DNS queries directly to your ISP's DNS server or other DNS servers. In most cases, configuring forwarders improves DNS performance and efficiency, but it also introduces a point of failure if the forwarding DNS server is experiencing problems, and it means your server accepts whatever answers the forwarder returns. The root hint servers provide a level of redundancy in exchange for slightly increased DNS traffic on your Internet connection.

    Should I point the other Windows 2000-based and Windows Server 2003-based computers on my LAN to my ISP's DNS servers?

    No. If a Windows 2000-based or Windows Server 2003-based server or workstation does not find the DC in DNS, you may experience issues joining the domain or logging on to the domain. A Windows 2000-based or Windows Server 2003-based computer's preferred DNS setting should point to the Windows 2000 or Windows Server 2003 DC running DNS. If you are using DHCP, make sure that scope option 006 (DNS Servers) hands out the correct DNS server addresses for your LAN, and that option 015 (DNS Domain Name) gives the Active Directory domain name.

    Do I need to point computers that are running Windows NT 4.0 or Microsoft Windows 95, Windows 98, or Windows 98 Second Edition to the Windows 2000 or Windows Server 2003 DNS server?

    Legacy operating systems continue to use NetBIOS for name resolution to find a DC; however, it is recommended that you point all computers to the Windows 2000 or Windows Server 2003 DNS server for name resolution.

    What if my Windows 2000 or Windows Server 2003 DNS server is behind a proxy server or firewall?

    If you are able to query the ISP's DNS servers from behind the proxy server or firewall, the Windows 2000 or Windows Server 2003 DNS server is able to query the root hint servers. UDP and TCP port 53 must be open outbound on the proxy server or firewall; TCP is needed for responses too large for a UDP datagram and for zone transfers.

    What should I do if the DC points to itself for DNS, but the SRV records still do not appear in the zone?

    Check for a disjoint namespace (the computer's primary DNS suffix does not match the Active Directory domain name), and then run Netdiag.exe /fix. You must install Support Tools from the Windows 2000 Server CD-ROM to run Netdiag.exe. Restarting the Netlogon service also forces the records to be re-registered.

    How do I set up DNS for other DCs in the domain that are running DNS?

    For each additional DC that is running DNS, the preferred DNS setting is the parent DNS server (the first DC in the domain), and the alternate DNS setting is the actual IP address of its own network interface.

    How do I set up DNS for a child domain?

    To set up DNS for a child domain, create a delegation record on the parent DNS server for thechild DNS server. Create a secondary zone on the child DNS server that transfers the parentzone from the parent DNS server. Set the child DNS server to point to itself only.

    Configure DNS Dynamic Update in Windows 2000

    The DNS service allows client computers to dynamically update their resource records in DNSand improves DNS administration. You can use DDNS in conjunction with DHCP to updateresource records when a computer's IP address is changed.

    How Windows 2000-Based Computers Update Their DNS Names

    Windows 2000 computers try to dynamically register host address (A) and pointer (PTR) resource records. All computers register records based on their full computer name.

    Dynamic updates can be sent for any of the following reasons or events:

    1. An IP address is added, removed, or modified for any one of the installed network connections.
    2. An IP address lease changes or renews, for example when you use the ipconfig /renew command.
    3. You use the ipconfig /registerdns command to manually force a refresh of the client name registration in DNS.
    4. At startup time, when the computer is turned on.

    When one of these events triggers a dynamic update, the DHCP Client service (not the DNS Client service) sends the update. This process is designed so that if a change to the IP address information occurs because of DHCP, corresponding updates in DNS are performed to synchronize name-to-address mappings for the computer. The DHCP Client service performs this function for all network connections used on the system, including connections that are not configured to use DHCP.

    Dynamic updates are sent or refreshed periodically. By default, Windows 2000 sends a refresh once every 24 hours. If the update occurs and there are no changes to zone data, the zone remains at its current version and no changes are written.

    NOTE: Names are not removed from DNS zones just because they become inactive or are not refreshed within the refresh interval (24 hours); stale records accumulate unless you enable aging and scavenging on the zone, which is off by default. DNS clients do attempt to delete or update their old records when a new name or address change is applied.

    When the DHCP Client service registers A and PTR resource records for a Windows 2000 computer, it uses a default caching Time-To-Live (TTL) value of 15 minutes for host records. This value determines how long other DNS servers and clients cache a computer's records when they are included in a query response.

    How to Allow Only Secure Dynamic Updates

    1. Click Start, point to Programs, point to Administrative Tools, and then click DNS.
    2. Under DNS, expand the applicable DNS server, expand Forward Lookup Zones (or Reverse Lookup Zones), and then click the applicable zone.
    3. On the Action menu, click Properties.
    4. On the General tab, verify that the zone type is Active Directory-integrated.
    5. In the Allow dynamic updates? box, click Only secure updates.

    Secure dynamic update is supported only for Active Directory-integrated zones. With unsecured dynamic update allowed, any host that can reach the DNS server can overwrite another computer's A or PTR record, including the records of DCs, so use Only secure updates wherever the clients are domain members.

    How to Configure DNS Dynamic Update for DHCP Clients

    By default, Windows 2000-based DHCP clients are configured to request that the clientregister the A resource record and the server register the PTR resource record. By default, thename that is used in the DNS registration is a concatenation of the computer name and theprimary DNS suffix. To change this default name, open the TCP/IP properties of your networkconnection.

    To change the dynamic update defaults on the dynamic update client:

    1. Right-click the connection that you want to configure, and then click Properties.
    2. Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the DNS tab. By default, Register this connection's address in DNS is selected and Use this connection's DNS suffix in DNS registration is not selected. This default configuration causes the client to request that the client register the A resource record and the server register the PTR resource record. In this case, the name to be used in DNS registration is a concatenation of the computer name and the primary DNS suffix of the computer.
    3. Click to select the Use this connection's DNS suffix in DNS registration check box. If you select this check box, the client additionally requests registration of A and PTR records under the name that is a concatenation of the computer name and the connection-specific DNS suffix, on top of the records registered under the computer name and primary DNS suffix.
    4. To configure the client to make no requests for DNS registration, click to clear the Register this connection's address in DNS check box. If you clear this check box, the client does not attempt to register any A or PTR DNS records that correspond to this connection.

    DNS Dynamic Update on Statically Configured and Remote Access Clients

    Statically configured clients and remote access clients do not communicate with the DHCP server. Statically configured Windows 2000-based clients dynamically update their A and PTR resource records every time they start, in case the records have become corrupted in the DNS database. Remote access clients dynamically update A and PTR resource records when a dial-up connection is made. They also attempt to unregister the A and PTR resource records when the user closes the connection.


    How to Configure DNS Dynamic Update on Multiple-Homed Clients

    If a dynamic update client is multiple-homed (it has more than one adapter and an associated IP address), it registers all of its IP addresses with DNS by default. If you do not want the client to register all of its IP addresses, you can configure it to not register one or more IP addresses in the network connection properties.

    To prevent the computer from registering all its IP addresses:

    1. Right-click My Network Places, and then click Properties.
    2. Click the connection that you want to configure, and then click Properties.
    3. Click Internet Protocol (TCP/IP), click Properties, click Advanced, and then click the DNS tab.
    4. Click to clear the Register this connection's address in DNS check box.

    You can also configure the computer to register its domain name in DNS. For example, if youhave a client that is connected to two different networks, you can configure the client to havea different domain name on each network.

    How to Configure DNS Dynamic Update on a Windows 2000 DNS Client Computer

    To configure DNS dynamic update on a Windows 2000 DNS client computer:

    1. Click Start, point to Settings, and then click Network and Dial-up Connections.
    2. Right-click the network connection that you want to configure, and then click Properties.
    3. Click either the General tab (for the local area connection) or the Networking tab (for all other connections), click Internet Protocol (TCP/IP), and then click Properties.
    4. Click Advanced, and then click the DNS tab.
    5. To use DNS dynamic update to register both the IP addresses for this c