7/29/2019 Important Things in Active Directory
How do I manually defragment Active Directory?
Windows 2000 servers running Directory Services (DS) perform an online defragmentation of the directory every 12 hours by default, as part of the garbage-collection process. This defragmentation only moves data around inside the database file (ntds.dit) and doesn't reduce the file's size.
To create a new, smaller ntds.dit file by performing an offline defragmentation, perform the following steps.
1. Back up Active Directory (AD) (see the FAQ "How do I back up Active Directory and the System State?").
2. Reboot the server, select the OS option, and press F8 for advanced options.
3. Select the Directory Services Restore Mode option, and press Enter. Press Enter again to start the OS.
4. Win2K will start in safe mode, with no DS running.
5. Use the local SAM's administrator account and password to log on.
6. You'll see a dialog box that says you're in safe mode. Click OK.
7. From the Start menu, select Run and type cmd.exe.
8. In the command window, enter the following commands (the text you type follows each prompt):
C:\> ntdsutil
ntdsutil: files
file maintenance: info
....
file maintenance: compact to c:\temp
9. You'll see the defragmentation process. If the process was successful, enter quit twice to return to the command prompt.
10. Replace the old ntds.dit file with the new, compressed version:
C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit
11. Restart the computer, and boot as normal.
How does intrasite replication work in Windows 2000?
Windows 2000's Knowledge Consistency Checker (KCC) automatically manages replication within a site. The KCC uses a bidirectional ring topology that uses remote procedure call (RPC) over TCP/IP without compression. Domain controllers (DCs) within a site are typically on a fast network (per the definition of a site), and the extra processing necessary for compression and decompression is undesirable.
The KCC runs every 15 minutes, adjusting the topology as necessary. As you create new DCs, the KCC automatically places them in the ring. To view the DC links, you can use the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in. Expand the site, the Servers container, and the server. Under the NTDS Settings branch are the created connection objects.
Because the KCC runs on all DCs, the rings are ordered by the DCs' globally unique IDs (GUIDs) to ensure convergence on one topology. An exception to the ring rule is that no more than three hops can exist between two DCs within the ring. To protect the three-hop rule, the KCC adds extra links when there are seven or more DCs, as the Figure shows.
These rings are for the same naming context (i.e., domain) in one site. If you have multiple domains in a site, rings exist for each domain in the site.
Another type of ring replicates schema and configuration information between DCs, as the Figure shows. Because all the domains share this information (i.e., the information is forestwide), each site has only one such ring. Thus, if you have two domains in a site, you have three rings: one ring for each domain and one ring for the schema and configuration information. If you have only one domain in a site, one ring functions as two.
Manual configuration of intrasite replication is unnecessary, and Microsoft doesn't recommend such configuration. The only task you might need to perform is adding extra connection objects to reduce the hop count between DCs.
When you make a change to the naming context (i.e., domain) data, the DC's local copy of Active Directory (AD) records the change, then the DC waits 5 minutes (by default) before notifying its replication partners of the change. You can continue to make changes during this time period. The delay exists so that all changes transmit at once. If no changes occur during a particular time period (which you can configure in the intrasite connection object schedule), a replication sequence initiates to ensure no changes were missed.
The SAM or the Local Security Authority (LSA) can trigger urgent replication during the following events: replication of a newly locked-out account (e.g., if you fire someone), change of an LSA secret (i.e., a trust account), and state changes to the Relative Identifier (RID) Manager. These events trigger immediate replication. Because urgent replication requires notification, this type of replication occurs only within a site (i.e., intrasite). However, you can modify site links to enable notification.
An exception to normal multimaster replication is user passwords. As with other attribute changes, you can change a user password at any DC. However, the DC also pushes the change to the PDC Flexible Single-Master Operation (FSMO) role holder on a best-attempt basis. Other DCs receive the password through normal replication. The reason for the extra password work is that if password validation fails, the validating DC will pass the request to the PDC FSMO in case the password has changed and the DC hasn't yet received the new password via standard replication.
How do I automatically upgrade a server to a domain controller during installation?
You can automatically run DCPROMO during an unattended installation. Enter the command
dcpromo /answer:%path_to_answer_file%
In my example, the DCInstall section and parameters are added directly to the unattended answer file. The Microsoft Windows 2000 Resource Kit details the DCInstall section's parameters in the file Unattend.doc. I've listed the main entries in the following table.
AdministratorPassword: The new password for the domain Administrator account
AutoConfigDNS: Specifies whether the wizard should configure DNS
ChildName: Name of the child part of the domain
CreateOrJoin: Specifies whether the domain will join an existing forest or create a new one
DatabasePath: Location for the Active Directory database
DNSOnNetwork: Used when a new forest of domains is installed and no DNS client is configured on the computer
DomainNetBiosName: NetBIOS name for the domain
IsLastDCInDomain: Only valid when demoting an existing domain controller to a member server
LogPath: Path for the Directory Service (DS) logs
NewDomainDNSName: Name of the new tree or when a new forest is created
ParentDomainDNSName: Specifies the name of the parent domain
Password: Password for the username used to promote the server
RebootOnSuccess: Specifies whether an automatic reboot should be performed
ReplicaDomainDNSName: Name of the domain to be replicated from
ReplicaOrMember: Specifies whether a Windows NT 4.0 or 3.51 BDC being upgraded should become a replica domain controller or be demoted to a regular member server
ReplicaOrNewDomain: Specifies whether the machine is a new domain controller in a new domain or a replica of an existing domain
SiteName: Name of the site (Default-First-Site by default)
SysVolPath: Path of SYSVOL
TreeOrChild: Specifies whether the entry is a new tree or a child of an existing domain
UserDomain: Domain for the user being used in promotion
UserName: Name of the user performing the upgrade
Because the DCPROMO process occurs after setup, the created answer file is called $winnt$.inf and is copied to the \system32 folder. The parameters are in this file, so you need to add the following text to the GUIRunOnce section of the unattended Setup answer file.
[GUIRunOnce]
"DCpromo /answer:%systemroot%\system32\$winnt$.inf"
After the DCPROMO process completes, DCPROMO removes password information from the $winnt$.inf file. Because the RunOnce command doesn't execute until someone logs on to the computer, you can make this process easier by adding the following text to the unattended answer file.
[GUIUnattended]
Autologon = yes ; automatically logs on the administrator account
AutoLogoncount = n ; number of times to perform auto-admin logon
Don't use items such as %systemroot% or %windir%, because the unattended installation process doesn't understand them.
You can just create a DCInstall section directly in your unattend.txt file to avoid having multiple unattended setup files. Enter text such as the following.
[DCInstall]
AdministratorPassword = cartman
CreateOrJoin = Create
DomainNetBiosName = savtech
NewDomainDNSName = savtech.com
RebootOnSuccess = Yes
ReplicaOrNewDomain = Domain
SiteName = "London"
TreeOrChild = Tree
My example script would create a new forest with the domain savtech.com at the top and the new domain controller in the site London. The SYSVOL, logs, and Active Directory (AD) files would be in the default locations. The new domain Administrator account password would be cartman.
If you want to use DCPROMO outside an unattended installation, enter
dcpromo /answer:
You'll see a dialog box that says DCPROMO is running in unattended mode. Then, the machine will reboot.
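As an added example that is not the FAQ's or the Resource Kit's code, a small Python check of a [DCInstall] section against what the FAQ states: environment variables such as %systemroot% are not expanded by unattended setup, and each ReplicaOrNewDomain/TreeOrChild path needs the matching name parameter from the table. The values Join, Replica and Child, and the rule that joining an existing forest needs UserName, UserDomain and Password, are assumptions inferred from the key names rather than taken from the FAQ.

```python
"""Added example (not from the FAQ or the Resource Kit): assemble a [DCInstall] section
and check it against the rules the FAQ states before it goes into an answer file.
Keys and the values Create/Domain/Tree/Yes come from the FAQ's table and sample; the
alternative values Join, Replica and Child are assumed from the key names."""
import re

# Unattended setup does not expand %systemroot%, %windir% and the like (FAQ)
_ENV_VAR = re.compile(r"%[A-Za-z_][A-Za-z0-9_]*%")

# The FAQ's own sample section, as a constructed dict
FAQ_SAMPLE = {
    "AdministratorPassword": "cartman",
    "CreateOrJoin": "Create",
    "DomainNetBiosName": "savtech",
    "NewDomainDNSName": "savtech.com",
    "RebootOnSuccess": "Yes",
    "ReplicaOrNewDomain": "Domain",
    "SiteName": "London",
    "TreeOrChild": "Tree",
}


def check_dcinstall(params):
    """Return a list of problems; an empty list means the section is consistent."""
    problems = []
    for key, value in params.items():
        hit = _ENV_VAR.search(value)
        if hit:
            problems.append("%s: %s is not expanded by unattended setup" % (key, hit.group()))
    mode = params.get("ReplicaOrNewDomain")
    if mode == "Replica":
        if "ReplicaDomainDNSName" not in params:   # table: name of the domain to replicate from
            problems.append("ReplicaOrNewDomain = Replica needs ReplicaDomainDNSName")
    elif mode == "Domain":
        kind = params.get("TreeOrChild")
        if kind == "Tree" and "NewDomainDNSName" not in params:
            problems.append("TreeOrChild = Tree needs NewDomainDNSName")
        elif kind == "Child" and not {"ParentDomainDNSName", "ChildName"} <= set(params):
            problems.append("TreeOrChild = Child needs ParentDomainDNSName and ChildName")
        elif kind not in ("Tree", "Child"):
            problems.append("ReplicaOrNewDomain = Domain needs TreeOrChild = Tree or Child")
    else:
        problems.append("ReplicaOrNewDomain must be Domain or Replica")
    # Assumed: adding to an existing forest needs the promoting user's credentials (table:
    # UserName, UserDomain, Password); creating a new forest does not.
    if (mode == "Replica" or params.get("CreateOrJoin") == "Join") \
            and not {"UserName", "UserDomain", "Password"} <= set(params):
        problems.append("joining an existing forest needs UserName, UserDomain and Password")
    return problems


def render_dcinstall(params):
    """Render 'Key = Value' lines under a [DCInstall] header, quoting values with spaces."""
    lines = ["[DCInstall]"]
    for key, value in params.items():
        lines.append("%s = %s" % (key, '"%s"' % value if " " in value else value))
    return "\n".join(lines) + "\n"
```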
How can I move the Active Directory log files?
Along with the ntds.dit file, Active Directory (AD) keeps several log files that you might want to move to a faster disk. To do so, perform the following steps:
1. Restart the domain controller (DC).
2. Press F8 at the Startup menu when the system displays the list of OSs.
3. Select Directory Services Restore Mode.
4. Select the appropriate installation, if more than one exists, and then log on as an administrator at the logon prompt.
5. Start a command prompt (Start, Run, cmd.exe).
6. Start the NTDS utility, ntdsutil.exe.
7. At the ntdsutil prompt, type "files" as shown below:
ntdsutil: files
8. At the file maintenance prompt, type the following:
file maintenance: move logs to [new location for file]
9. To view the log files, at the file maintenance prompt, type "info":
file maintenance: info
10. Type "quit" (without the quotation marks) twice to return to a C prompt.
11. Restart the computer in Normal mode.
How do I change how often the Knowledge Consistency Checker runs?
The Knowledge Consistency Checker (KCC), which manages connection objects for inter- and intrasite replication, runs every 15 minutes by default. To change this time period, start regedit and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry key.
From the Edit menu, select New, DWORD Value. Enter
Repl topology update period (secs)
and press Enter. Double-click the new value, and enter the number of seconds between KCC runs. Click OK, then close the Registry editor. Restart the machine for the change to take effect.
How do I tune Active Directory replication?
You can use one of several settings under the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry key to modify elements of Active Directory (AD) replication. When you make a change to AD, a timer starts. This timer specifies how long the domain controller will wait before notifying its first replication partner of the change. The default time is 5 minutes. To change this time period, edit the Replicator notify pause after modify (secs) value under that key, as the screen shows.
After the domain controller notifies its first replication partner, it waits before notifying each subsequent replication partner. This delay prevents simultaneous replies from the replication partners. The default time is 30 seconds. To change this time period, edit the Replicator notify pause between DSAs (secs) value under the same key, as the screen shows.
You can modify other values to enhance a multiple-CPU system's performance. For example, set the replication thread priority high value to 1 to run replication at high priority. If you don't set this value, or you set it to 0, replication will run at low priority. Set the replication thread priority low value to 1 to run replication at low priority. If you set this value to -1, the value is ignored.
How do I audit Active Directory?
You can configure Active Directory (AD) auditing to produce successful and failed entries in the Directory Service (DS) event log.
1. Start the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in. (Select Programs, Administrative Tools, Active Directory Users and Computers from the Start menu.)
2. From the View menu, select Advanced Features.
3. Expand the domain, right-click the Domain Controllers container, and select Properties from the context menu.
4. Select the Group Policy tab.
5. Select Default Domain Controllers Policy, and click Edit.
6. Expand the Computer Configuration branch, the Windows Settings branch, the Security Settings branch, and the Local Policies branch.
7. Select Audit Policy.
8. The rightmost window will show auditing levels. Double-click Audit Directory Service Access.
9. Select the relevant checkboxes (e.g., Audit successful attempts, Audit failed attempts), as the Screen shows. Click OK.
10. Close the Group Policy window.
11. In the main Domain Controllers Properties dialog box, click OK.
12. Close the Active Directory Users and Computers MMC snap-in.
You can use Event Viewer to view the entries in the Security log. Because domain controllers poll for policy changes every 5 minutes, the policy change might take as long as 5 minutes to take effect. Other domain controllers in the enterprise receive the changes after the 5-minute interval, plus replication time.
Which naming conventions does Active Directory use for objects?
Active Directory (AD) uses several naming conventions for objects. These naming conventions include the distinguished name (DN), relative distinguished name (RDN), Lightweight Directory Access Protocol (LDAP) URL name, LDAP canonical name, user principal name, and SAM account name.
The most popular method for naming AD objects is to use the DN. Every AD object has a DN that uniquely identifies the object in the Directory Service (DS). For example, the DN
/O=Internet/DC=COM/DC=SavillTech/CN=Users/CN=John Savill
identifies an object as follows:
/O=Internet - Organization=Internet
/DC=COM - Domain Component=COM
/DC=SavillTech - Domain Component=SavillTech (the full Domain Component is SavillTech.com)
/CN=Users - Common Name=Users
/CN=John Savill - Common Name=John Savill
A DN might also include an organizational unit (OU). For more information about DNs, see RFC 1779, "A String Representation of Distinguished Names."
The RDN is also known as the friendly name. The RDN for the above example is CN=John Savill. The RDN for the Users container is CN=Users.
LDAP URL names begin with LDAP://, then include an LDAP server and a modified DN that identifies the object (e.g., LDAP://titanic.savilltech.com/ou=Sales,cn=JSavill,dc=SavillTech,dc=com).
An LDAP canonical name is the LDAP name without the attribute tags (i.e., ou=, cn=, dc=). An example LDAP canonical name is savilltech.com/Sales/Jsavill. Many administrative tools use these names.
The user principal name contains the username and DNS domain name, linked with the symbol @ (e.g., [email protected]).
The SAM account name (e.g., savillj) is in the Windows NT 4.0 format. Because of this name's single-layer convention, each name must be unique within an organization.
Objects are actually stored by globally unique ID. A GUID is a 128-bit number that is generated at object creation and is stored in the object attribute objectGUID. GUIDs don't change.
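The naming forms above, worked through in code as an added example that is not part of the original FAQ: the parser accepts both the FAQ's slash-form DN and the RFC 2253 comma form (with backslash escapes, which the FAQ does not cover), and derives the RDN, DNS domain, canonical name, LDAP URL and UPN from one parsed list. Names other than the FAQ's /O=Internet/... DN and the titanic.savilltech.com server are constructed.

```python
"""Added example (not from the FAQ): parse the AD object names the FAQ describes and derive
the RDN, DNS domain, LDAP canonical name, LDAP URL and UPN from one parsed list of
(ATTRIBUTE, value) pairs held leaf first, so the RDN is always element 0."""
import re

_SPECIAL = re.compile(r'([,+"\\<>;])')   # characters RFC 2253 escapes inside a value

def _split_unescaped(text, separator):
    """Split on separator while honouring backslash escapes such as 'Smith\\, Jo'."""
    parts, current, i = [], [], 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped character: keep it, drop the backslash
            i += 1
            current.append(text[i])
        elif ch == separator:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
        i += 1
    parts.append("".join(current))
    return [p.strip() for p in parts if p.strip()]

def _to_component(item):
    attr, sep, value = item.partition("=")
    if not sep or not attr.strip():
        raise ValueError("malformed DN component: %r" % item)
    return attr.strip().upper(), value.strip()

def parse_ldap_dn(dn):
    """RFC 2253 comma form, leaf first: 'CN=John Savill,OU=Sales,DC=SavillTech,DC=com'."""
    return [_to_component(p) for p in _split_unescaped(dn, ",")]

def parse_slash_dn(dn):
    """FAQ slash form is root first (/O=Internet/DC=COM/...); reverse it to leaf first."""
    return [_to_component(p) for p in reversed(_split_unescaped(dn, "/"))]

def rdn(components):
    """Relative distinguished name: the leaf component, e.g. 'CN=John Savill'."""
    return "=".join(components[0])

def dns_domain(components):
    """DC components joined most specific first: DC=SavillTech,DC=com -> 'SavillTech.com'."""
    return ".".join(v for a, v in components if a == "DC")

def canonical_name(components):
    """LDAP canonical name: DNS domain, then the container path root to leaf without
    ou=/cn= tags.  The FAQ's /O=Internet root is not part of this form."""
    path = [v for a, v in components if a not in ("DC", "O")]
    return "/".join([dns_domain(components)] + path[::-1])

def ldap_url(server, components):
    """LDAP://server/<comma-form DN>, re-escaping special characters inside values."""
    pairs = (a + "=" + _SPECIAL.sub(r"\\\1", v) for a, v in components)
    return "LDAP://" + server + "/" + ",".join(pairs)

def user_principal_name(user, components):
    """UPN: username and DNS domain joined with '@', e.g. 'jsavill@SavillTech.com'."""
    return user + "@" + dns_domain(components)
```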
How do I modify the Active Directory's garbage-collection period?
The Active Directory (AD) garbage-collection process performs two vital functions. First, it cleans up deleted objects. When you delete an object in AD, the system doesn't immediately delete the object, because when replication occurs, a replication partner would recreate the object. Instead, the system uses a tombstone with a finite lifetime to mark the object as deleted. The tombstone replicates to all domain controllers (DCs), and after it expires, the garbage-collection agent deletes the object.
The garbage-collection process also performs online AD defragmentation.
By default, this process runs every 12 hours on each DC. However, you can change this frequency by modifying the attribute garbageCollPeriod under the path CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration, DC=, DC=, DC=COM. The best way to modify the attribute is to use the Windows 2000 Support Tools' ldp.exe utility.
How does ntdsutil know it's in Directory Restore mode?
When you start the domain controller (DC) in Directory Restore mode, the DC sets the environment variable safeboot_option to "dsrepair." If you want to check something in ntdsutil that is allowed only in Directory Restore mode, you can "trick" the program by typing the following statement at a command prompt:
set SAFEBOOT_OPTION=DSREPAIR
Don't use this approach on a live or important machine, because it could result in system damage if you try to perform system modifications when the system isn't in Directory Restore mode.
How do I create trusts from the command line in Windows 2000?
The Microsoft Windows 2000 Resource Kit's Trustdom tool lets you define trust relationships between Windows 2000 domains and one-way relationships with Windows NT 4.0 domains. You can create two types of one-way trusts: an outbound trust on the local or specified domain, and an inbound trust on the specified target domain.
Trustdom's syntax is
C:\> trustdom [[domain[:dc],]target_domain[:dc]] [Options]
The default switch is -out. To see a list of other switches, use the /? switch.
Why is the size of the ntds.dit file different on different domain controllers?
The ntds.dit file contains Active Directory (AD) information, and because all domain controllers (DCs) replicate AD, you might expect the file to be the same size on all DCs. However, you might find differently sized files, because the database file is created individually on each DC and it is the data, not the database file, that replicates. Thus, several factors can lead to files with different sizes:
- Over time, the database can become fragmented. Although objects are deleted while the database is online, you can't compact the database online (compacting requires a manual offline defragmentation).
- If a DC is a Global Catalog (GC), it contains information about objects of other domains in the forest, thus making it larger than non-GC servers.
- The displayed size of the ntds.dit file is the size of the file when you started the DC; if many objects are added and you restart one DC, that DC's ntds.dit file size will appear larger.
How can I set the RPC port that intrasite replication uses?
For security, Windows 2000 sets the remote procedure call (RPC) replication port dynamically. However, you might want to set the port manually (e.g., to monitor data).
1. Start regedit.
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry key.
3. From the Edit menu, select New, DWORD Value.
4. Enter
TCP/IP Port
and press Enter.
5. Double-click the new entry, and enter the port you want to use. (Make sure the port isn't already in use.) Click OK.
6. Close the registry editor.
7. Reboot the machine.
After monitoring finishes, you need to remove the registry entry you created. Removing this entry reinstates the security that dynamic RPC port allocation provides.