What Is Active Directory?
Active Directory consists of a series of components that constitute both its logical structure and its physical structure. It provides a way for organizations to centrally manage and store their user objects, computer objects, and group membership, and to define security boundaries in a logical database structure.

Purpose of Active Directory
Active Directory stores information about users, computers, and network resources and makes the resources accessible to users and applications. It provides a consistent way to name, describe, locate, access, manage, and secure information about these resources.
Functions of Active Directory
Active Directory provides the following functions:
● Centralizes control of network resources
By centralizing control of resources such as servers, shared files, and printers, only authorized users can access resources in Active Directory.
● Centralizes and decentralizes resource management
Administrators have centralized administration, with the ability to delegate administration of subsets of the network to a limited number of individuals, giving them greater granularity in resource management.
● Store objects securely in a logical structure
Active Directory stores all of the resources as objects in a secure, hierarchical logical structure.
● Optimizes network traffic
The physical structure of Active Directory enables you to use network bandwidth more efficiently. For example, it ensures that, when users log on to the network, the authentication authority nearest to the user authenticates them, reducing the amount of network traffic.
Sites within Active Directory
Sites are defined as groups of well-connected computers. When you establish sites, domain controllers within a single site communicate frequently. This communication minimizes the latency within the site; that is, the time required for a change that is made on one domain controller to be replicated to other domain controllers. You create sites to optimize the use of bandwidth between domain controllers that are in different locations.
Operations Master Roles
When a change is made to a domain, the change is replicated across all of the domain controllers in the domain. Some changes, such as those made to the schema, are replicated across all of the domains in the forest. This replication is called multimaster replication. During multimaster replication, a replication conflict can occur if originating updates are performed concurrently on the same object attribute on two domain controllers.

To avoid replication conflicts, Active Directory uses single master replication, which designates one domain controller as the only domain controller on which certain directory changes can be made. This way, changes cannot occur at different places in the network at the same time. Active Directory uses single master replication for important changes, such as the addition of a new domain or a change to the forest-wide schema. Operations that use single-master replication are arranged together in specific roles in a forest or domain. These roles are called operations master roles. For each operations master role, only the domain controller that holds that role can make the associated directory changes. The domain controller that is responsible for a particular role is called an operations master for that role. Active Directory stores information about which domain controller holds a specific role.
Forest-wide Roles
Forest-wide roles are unique to a forest. The forest-wide roles are:
● Schema master
Controls all updates to the schema. The schema contains the master list of object classes and attributes that are used to create all Active Directory objects, such as users, computers, and printers.
● Domain naming master
Controls the addition or removal of domains in the forest. When you add a new domain to the forest, only the domain controller that holds the domain naming master role can add the new domain.
There is only one schema master and one domain naming master in the entire forest.

Domain-wide Roles
Domain-wide roles are unique to each domain in a forest. The domain-wide roles are:
● Primary domain controller emulator (PDC)
Acts as a Windows NT PDC to support any backup domain controllers (BDCs) running Microsoft Windows® NT within a mixed-mode domain. This type of domain has domain controllers that run Windows NT 4.0. The PDC emulator is the first domain controller that you create in a new domain.
● Relative identifier master (RID)
When a new object is created, the domain controller creates a new security principal that represents the object and assigns the object a unique security identifier (SID). This SID consists of a domain SID, which is the same for all security principals created in the domain, and a RID, which is unique for each security principal created in the domain. The RID master allocates blocks of RIDs to each domain controller in the domain. The domain controller then assigns a RID to objects that are created from its allocated block of RIDs.
● Infrastructure master
When objects are moved from one domain to another, the infrastructure master updates object references in its domain that point to the object in the other domain. The object reference contains the object’s globally unique identifier (GUID), distinguished name, and a SID. Active Directory periodically updates the distinguished name and the SID on the object reference to reflect changes made to the actual object, such as moves within and between domains and the deletion of the object.
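The RID allocation and SID composition described for the RID master, as an added example that is not part of the original notes (Python; the domain SID, block size and domain controller names are constructed sample values, and the allocator is a simplified model of the single-master scheme rather than Microsoft's implementation):

```python
"""Added example (not from the original notes): how a domain SID and a RID
combine into a security principal's SID, and how a single RID master hands
out non-overlapping RID blocks so that two domain controllers can never
assign the same RID.  The domain SID, block size and DC names are
constructed sample values."""

DOMAIN_SID = "S-1-5-21-1004336348-1177238915-682003330"  # constructed sample
RID_BLOCK_SIZE = 500  # block size chosen for illustration only


def build_sid(domain_sid, rid):
    """A principal's SID is the domain SID with its RID appended."""
    return f"{domain_sid}-{rid}"


def split_sid(sid):
    """Split a principal SID back into (domain SID, RID)."""
    domain, _, rid = sid.rpartition("-")
    return domain, int(rid)


class RidMaster:
    """Single-master allocator: the only place RID blocks are handed out."""

    def __init__(self, block_size=RID_BLOCK_SIZE, first_rid=1000):
        self.block_size = block_size
        # RIDs below 1000 are well known (e.g. 500 = built-in Administrator),
        # so allocation of new principals starts at 1000.
        self.next_rid = first_rid

    def allocate_block(self):
        block = range(self.next_rid, self.next_rid + self.block_size)
        self.next_rid += self.block_size
        return block


class DomainController:
    """Each DC creates principals out of its own allocated block and asks
    the RID master for a fresh block when the current one runs dry."""

    def __init__(self, name, rid_master, domain_sid):
        self.name = name
        self.rid_master = rid_master
        self.domain_sid = domain_sid
        self.pool = iter(())  # empty until the first block is fetched

    def create_principal(self):
        try:
            rid = next(self.pool)
        except StopIteration:
            self.pool = iter(self.rid_master.allocate_block())
            rid = next(self.pool)
        return build_sid(self.domain_sid, rid)


def demo(objects_per_dc=3, block_size=2):
    """Create objects alternately on two DCs and return every SID issued;
    a tiny block size forces several round trips to the RID master."""
    master = RidMaster(block_size=block_size)
    dcs = [DomainController("DC1", master, DOMAIN_SID),
           DomainController("DC2", master, DOMAIN_SID)]
    sids = []
    for _ in range(objects_per_dc):
        for dc in dcs:
            sids.append(dc.create_principal())
    return sids


if __name__ == "__main__":
    for sid in demo():
        print(sid)
```

Because every block comes from one authority, the SIDs issued by DC1 and DC2 interleave (1000, 1002, 1001, 1003, ...) but never collide; that uniqueness is the property the RID master role exists to guarantee.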
Global Catalog
The global catalog contains:
● The attributes that are most frequently used in queries, such as a user’s first name, last name, and logon name.
● The information that is necessary to determine the location of any object in the directory.
● The access permissions for each object and attribute that is stored in the global catalog. If you search for an object that you do not have the appropriate permissions to view, the object will not appear in the search results. Access permissions ensure that users can find only objects to which they have been assigned access.
A global catalog server is a domain controller that, in addition to its full, writable domain directory partition replica, also stores a partial, read-only replica of all other domain directory partitions in the forest. Taking a user object as an example, it would by default have many different attributes such as first name, last name, phone number, and many more. The GC will by default only store the most common of those attributes that would be used in search operations (such as a user’s first and last names, or login name, for example). The partial attributes that it has for that object would be enough to allow a search for that object to locate the full replica of the object in Active Directory. This allows searches to be done against a local GC, and reduces network traffic over the WAN when locating objects somewhere else in the network. Domain controllers always contain the full attribute list for objects belonging to their domain. If the domain controller is also a GC, it will also contain a partial replica of objects from all other domains in the forest.
Active Directory uses DNS as the name resolution service to identify domains and domain host computers during processes such as logging on to the network.
Similar to the way a Windows NT 4.0 client will query WINS for a NetBIOS DOMAIN[1B] record to locate a PDC, or a NetBIOS DOMAIN[1C] record for domain controllers, a Windows 2000, 2003, or Windows XP client can query DNS to find a domain controller by looking for SRV records.
Integration of DNS and Active Directory
The integration of DNS and Active Directory is essential because a client computer in a Windows 2000 network must be able to locate a domain controller so that users can log on to a domain or use the services that Active Directory provides. Clients locate domain controllers and services by using A resource records and SRV records. The A resource record contains the FQDN and IP address for the domain controller. The SRV record contains the FQDN of the domain controller and the name of the service that the domain controller provides.
What Are Active Directory Integrated Zones?
One benefit of integrating DNS and Active Directory is the ability to integrate DNS zones into an Active Directory database. A zone is a portion of the domain namespace that has a logical grouping of resource records, which allows zone transfers of these records to operate as one unit.

Active Directory Integrated Zones
Microsoft DNS servers store information that is used to resolve host names to IP addresses and IP addresses to host names in a database file that has the extension .dns for each zone. Active Directory integrated zones are primary zones that are stored as objects in the Active Directory database. If zone objects are stored in an Active Directory domain partition, they are replicated to all domain controllers in the domain.
What Are DNS Zones?
A zone starts as a storage database for a single DNS domain name. If other domains are added below the domain used to create the zone, these domains can either be part of the same zone or belong to another zone. Once a subdomain is added, it can then either be:
● Managed and included as part of the original zone records, or
● Delegated away to another zone created to support the subdomain
Types of Zones
There are two types of zones, forward lookup and reverse lookup.

Forward lookup zones contain information needed to resolve names within the DNS domain. They must include SOA and NS records and can include any type of resource record except the PTR resource record. With most queries, the client supplies a name and requests the IP address that corresponds to that name. This type of query is typically described as a forward lookup. Active Directory requires forward lookup zones.

Reverse lookup zones contain information needed to perform reverse lookups. However, what if a client already has a computer's IP address and wants to determine the DNS name for the computer? This is important for programs that implement security based on the connecting FQDN, and is used for TCP/IP network troubleshooting. The DNS standard provides for this possibility through reverse lookups. Reverse lookup zones usually include SOA, NS, PTR, and CNAME records.

Once you have installed Active Directory, you have two options for storing your zones when operating the DNS server at the new domain controller:

Standard Zone
Zones stored this way are located in .dns text files that are stored in the %SystemRoot%\System32\Dns folder on each computer operating a DNS server. Zone file names correspond to the name you choose for the zone when creating it, such as Example.microsoft.com.dns if the zone name was example.microsoft.com. This type offers the choice of using either a Standard Primary zone or a Standard Secondary zone.

Standard Primary Zone
For standard primary-type zones, only a single DNS server can host and load the master copy of the zone. If you create a zone and keep it as a standard primary zone, no additional primary servers for the zone are permitted. The standard primary model implies a single point of failure. Only one server is allowed to accept dynamic updates, also known as DDNS, and process zone changes.
Note: A Standard Primary zone will not replicate its information to any other DNS servers, but may allow zone transfers to Secondary zones.

Standard Secondary Zone
A secondary name server gets the data for its zones from another name server (either a primary name server or another secondary name server) for that zone across the network. The process of obtaining this zone information (i.e. the database file) across the network is referred to as a zone transfer. Zone transfers occur over TCP port 53. Secondary servers can provide a means to offload DNS query traffic in areas of the network where a zone is heavily queried and used. Additionally, if a primary server is down, a secondary server can provide some name resolution in the zone until the primary server is available. The data in a Secondary zone is read only, and updated information must come from additional zone transfers.

Directory-integrated Zone
Zones stored this way are located in the Active Directory tree under the domain object container. Each directory-integrated zone is stored in a dnsZone container object identified by the name you choose for the zone when creating it. Active Directory integrated zones will replicate this information to other domain controllers in that domain.
Note: If DNS is running on a Windows 2000 server that is not a domain controller, it will not be able to use Active Directory integrated zones or replicate with other domain controllers, since it does not have Active Directory installed.

Win2003 also supports stub zones. A secondary or stub zone cannot be hosted on a DNS server that hosts a primary zone for the same domain name.

DNS Records
After you create a zone, additional resource records need to be added to it. The most common resource records (RRs) to be added are:

Table 1. Record Types
Name | Description
Host (A) | For mapping a DNS domain name to an IP address used by a computer.
Alias (CNAME) | For mapping an alias DNS domain name to another primary or canonical name.
Mail Exchanger (MX) | For mapping a DNS domain name to the name of a computer that exchanges or forwards mail.
Pointer (PTR) | For mapping a reverse DNS domain name based on the IP address of a computer that points to the forward DNS domain name of that computer.
Service location (SRV) | For mapping a DNS domain name to a specified list of DNS host computers that offer a specific type of service, such as Active Directory domain controllers.
Other resource records | As needed.
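An added example (not from the original notes) that serves two passages: the SRV-based domain controller lookup described under "Integration of DNS and Active Directory", and the forward/reverse zone record rules and record types just listed. It parses a constructed zone file, checks the zone rules (SOA and NS required; no PTR in a forward zone), and then picks a domain controller from the SRV records the way a client does, by lowest priority and then weight. The zone contents, host names and addresses are constructed samples; the _ldap._tcp.dc._msdcs and _sites owner names are the ones Active Directory clients really query, while the parser and selection code are my own and not part of any Microsoft tool:

```python
"""Added example (not from the original notes): minimal zone-file parsing,
the forward/reverse zone rules from the notes, and the SRV-record domain
controller lookup a Windows client performs.  Zone data is constructed."""

import random
from collections import namedtuple

Record = namedtuple("Record", "name ttl rtype rdata")

# Constructed forward lookup zone for contoso.com, including the _msdcs SRV
# records that let clients find a DC (site-specific name for site "Branch").
FORWARD_ZONE = """
contoso.com.      3600 IN SOA dc1.contoso.com. hostmaster.contoso.com. 2024010101 900 600 86400 3600
contoso.com.      3600 IN NS  dc1.contoso.com.
dc1.contoso.com.  1200 IN A   10.0.1.10
dc2.contoso.com.  1200 IN A   10.0.2.10
mail.contoso.com. 3600 IN CNAME dc2.contoso.com.
contoso.com.      3600 IN MX  10 mail.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com.                600 IN SRV 0 100 389 dc1.contoso.com.
_ldap._tcp.dc._msdcs.contoso.com.                600 IN SRV 0 100 389 dc2.contoso.com.
_kerberos._tcp.dc._msdcs.contoso.com.            600 IN SRV 0 100 88  dc1.contoso.com.
_ldap._tcp.Branch._sites.dc._msdcs.contoso.com.  600 IN SRV 0 100 389 dc2.contoso.com.
"""

# Constructed reverse lookup zone for 10.0.1.0/24.
REVERSE_ZONE = """
1.0.10.in-addr.arpa.    3600 IN SOA dc1.contoso.com. hostmaster.contoso.com. 2024010101 900 600 86400 3600
1.0.10.in-addr.arpa.    3600 IN NS  dc1.contoso.com.
10.1.0.10.in-addr.arpa. 1200 IN PTR dc1.contoso.com.
"""


def parse_zone(text):
    """Parse 'owner ttl IN type rdata...' lines; ';' comments and blanks are skipped."""
    records = []
    for line in text.splitlines():
        line = line.split(";")[0].strip()
        if not line:
            continue
        name, ttl, _cls, rtype, *rdata = line.split()
        records.append(Record(name.lower(), int(ttl), rtype.upper(), rdata))
    return records


def validate_zone(records, reverse=False):
    """Rules from the notes: every zone needs SOA and NS; a forward zone may
    hold anything except PTR; a reverse zone holds SOA, NS, PTR and CNAME."""
    types = {r.rtype for r in records}
    problems = []
    if "SOA" not in types:
        problems.append("missing SOA")
    if "NS" not in types:
        problems.append("missing NS")
    if reverse:
        extra = types - {"SOA", "NS", "PTR", "CNAME"}
        if extra:
            problems.append("unexpected in reverse zone: " + ",".join(sorted(extra)))
    elif "PTR" in types:
        problems.append("PTR not allowed in forward zone")
    return problems


def dc_locator_names(domain, service="_ldap", site=None):
    """SRV owner names a client queries: the site-specific name first (if it
    knows its site), then the domain-wide name as the fallback."""
    names = []
    if site:
        names.append(f"{service}._tcp.{site}._sites.dc._msdcs.{domain}")
    names.append(f"{service}._tcp.dc._msdcs.{domain}")
    return [n.lower() + "." for n in names]


def locate_dc(records, domain, site=None, rng=None):
    """Return (target host, port) of a DC: lowest SRV priority wins, and ties
    are broken by a weighted random choice, as RFC 2782 describes."""
    rng = rng or random.Random(0)
    by_name = {}
    for r in records:
        if r.rtype == "SRV":
            by_name.setdefault(r.name, []).append(r)
    for name in dc_locator_names(domain, site=site):
        cands = by_name.get(name)
        if not cands:
            continue  # no record under this name: try the next, less specific name
        best = min(int(r.rdata[0]) for r in cands)
        cands = [r for r in cands if int(r.rdata[0]) == best]
        pick = rng.choices(cands, weights=[int(r.rdata[1]) for r in cands])[0]
        return pick.rdata[3].rstrip("."), int(pick.rdata[2])
    return None
```

A client in site Branch is steered to dc2 by the site-specific record; a client with an unknown site, or in a site with no DC, falls back to the domain-wide record set and is spread across dc1 and dc2 by weight. Running the reverse zone through validate_zone as if it were a forward zone is the quickest way to see the PTR rule fire.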
Q1. What does the logical component of the Active Directory structure include?

■ Objects: Resources are stored in the Active Directory as objects.
Sub category: object class. An object is really just a collection of attributes. A user object, for example, is made up of attributes such as name, password, phone number, group membership, and so on. The attributes that make up an object are defined by an object class. The user class, for example, specifies the attributes that make up the user object.
The Active Directory Schema: The classes and the attributes that they define are collectively referred to as the Active Directory Schema; in database terms, a schema is the structure of the tables and fields and how they are related to one another. You can think of the Active Directory Schema as a collection of data (object classes) that defines how the real data of the directory (the attributes of an object) is organized and stored.

■ Domains: The basic organizational structure of the Windows Server 2003 networking model is the domain. A domain represents an administrative boundary. The computers, users, and other objects within a domain share a common security database.

■ Trees: Multiple domains are organized into a hierarchical structure called a tree. The first domain you create in a tree is called the root domain. The next domain that you add becomes a child domain of that root. This expandability of domains makes it possible to have many domains in a tree. Actually, even if you have only one domain in your organization, you still have a tree. Figure 1-1 shows an example of a tree. Microsoft.com was the first domain created in Active Directory in this example and is therefore the root domain.

[Figure 1-1: A tree is a hierarchical organization of multiple domains. The figure shows the root domain Microsoft.com with the child domains sales.Microsoft.com, West.Microsoft.com, East.Microsoft.com, and RND.Microsoft.com.]

All domains in a tree share a common schema and a contiguous namespace. In the example shown in Figure 1-1, all of the domains in the tree under the microsoft.com root domain share the namespace microsoft.com. Using a single tree is fine if your organization is confined within a single DNS namespace. However, for organizations that use multiple DNS namespaces, your model must be able to expand outside the boundaries of a single tree. This is where the forest comes in.

■ Forest: A forest is a group of one or more domain trees that do not form a contiguous namespace but may share a common schema and global catalog. There is always at least one forest on a network, and it is created when the first Active Directory–enabled computer (domain controller) on a network is installed. This first domain in a forest (the forest root domain) is special because it holds the schema and controls domain naming for the entire forest. It cannot be removed from the forest without removing the entire forest itself. Also, no other domain can ever be created above the forest root domain in the forest domain hierarchy. Figure 1-2 shows an example of a forest with two trees. In the figure, microsoft.com is one tree and contoso.com is a second tree. Both are in a forest named microsoft.com (after the first domain created). Each tree in the forest has its own namespace.

[Figure 1-2: Trees in a forest share the same schema, but not the same namespace. The figure shows the forest root domain Microsoft.com (root of the first tree, with sales.Microsoft.com, West.Microsoft.com, East.Microsoft.com, and RND.Microsoft.com) and a second tree rooted at Contoso.com (with West.contoso.com and East.contoso.com).]

A forest is the outermost boundary of Active Directory; the directory cannot be larger than the forest. However, you can create multiple forests and then create trust relationships between specific domains in those forests; this would let you grant access to resources and accounts that are outside of a particular forest.

■ Organizational Units: Organizational Units (OUs) provide a way to create administrative boundaries within a domain. Primarily, this allows you to delegate administrative tasks within the domain. OUs serve as containers into which the resources of a domain can be placed. You can then assign administrative permissions on the OU itself. Typically, the structure of OUs follows an organization’s business or functional structure. For example, a relatively small organization with a single domain might create separate OUs for departments within the organization.

Q2. What does the physical structure of Active Directory contain?
Physical structures include domain controllers and sites.

Q3. What is nesting?
The creation of an OU inside another OU. IMP: once you go beyond about 12 OUs deep in a nesting structure, you start running into significant performance issues.

Q4. What is a trust relationship and how many types of trust relationship are there in Exchange 2003?
Since domains represent security boundaries, special mechanisms called trust relationships allow objects in one domain (called the trusted domain) to access resources in another domain (called the trusting domain). Windows Server 2003 supports six types of trust relationships:
■ Parent and child trusts
■ Tree-root trusts
■ External trusts
■ Shortcut trusts
■ Realm trusts
■ Forest trusts
Q5. What is a site?
A Windows Server 2003 site is a group of domain controllers that exist on one or more IP subnets (see Lesson 3 for more on this) and are connected by a fast, reliable network connection. Fast means connections of at least 1 Mbps. In other words, a site usually follows the boundaries of a local area network (LAN). If different LANs on the network are connected by a wide area network (WAN), you’ll likely create one site for each LAN.

Q6. What is the use of a site?
Sites are primarily used to control replication traffic. Domain controllers within a site are pretty much free to replicate changes to the Active Directory database whenever changes are made. Domain controllers in different sites compress the replication traffic and operate based on a defined schedule, both of which are intended to cut down on network traffic. More specifically, sites are used to control the following:
■ Workstation logon traffic
■ Replication traffic
■ Distributed File System (DFS)
Distributed File System (DFS) is a server component that provides a unified naming convention for folders and files stored on different servers on a network. DFS lets you create a single logical hierarchy for folders and files that is consistent on a network, regardless of where on the network those items are actually stored. Files represented in the DFS might be stored in multiple locations on the network, so it makes sense that Active Directory should be able to direct users to the closest physical location of the data they need. To this end, DFS uses site information to direct a client to the server that is hosting the requested data within the site. If DFS does not find a copy of the data within the same site as the client, DFS uses the site information in Active Directory to determine which file server that has DFS shared data is closest to the client.
■ File Replication Service (FRS)
Every domain controller has a built-in collection of folders named SYSVOL (for System Volume). The SYSVOL folders provide a default Active Directory location for files that must be replicated throughout a domain. You can use SYSVOL to replicate Group Policy Objects, startup and shutdown scripts, and logon and logoff scripts. A Windows Server 2003 service named File Replication Service (FRS) is responsible for replicating files in the SYSVOL folders between domain controllers. FRS uses site boundaries to govern the replication of items in the SYSVOL folders.

Q7. What are the objects a site contains?
Sites contain only two types of objects. The first type is the domain controllers contained in the site. The second type of object is the site links configured to connect the site to other sites.
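The site-aware selection described for DFS (same site first, otherwise the closest site), as an added example that is not part of the original notes. Mapping a client address to a site through subnet objects is how Active Directory does it; the "closest site" step is modelled here as a shortest-path search over site link costs, which is my assumption about the mechanism rather than something the notes state. Subnets, sites, link costs and file servers are constructed samples:

```python
"""Added example (not from the original notes): resolve a client's site from
its IP address via subnet-to-site mappings, then pick the DFS target in the
client's own site or, failing that, in the site reachable over the cheapest
site links.  All data below is constructed; the cost-based fallback is a
shortest-path model of the behaviour the notes describe (an assumption)."""

import heapq
import ipaddress

# Constructed subnet -> site mapping (Active Directory stores these as subnet objects).
SUBNETS = {
    "10.1.0.0/16": "HQ",
    "10.2.0.0/24": "Branch",
    "10.3.0.0/24": "Remote",
}

# Constructed site links and their costs (lower cost = preferred path).
SITE_LINKS = [
    ({"HQ", "Branch"}, 100),
    ({"Branch", "Remote"}, 200),
    ({"HQ", "Remote"}, 500),
]

# Constructed DFS targets: file server -> site that hosts it.
DFS_TARGETS = {"fs-hq": "HQ", "fs-branch": "Branch"}


def site_of(ip, subnets=SUBNETS):
    """The most specific matching subnet decides the site, as with AD subnet objects."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, site)
    return best[1] if best else None


def site_costs(origin, links=SITE_LINKS):
    """Dijkstra over the site links: total link cost from origin to every reachable site."""
    graph = {}
    for pair, cost in links:
        a, b = tuple(pair)
        graph.setdefault(a, []).append((b, cost))
        graph.setdefault(b, []).append((a, cost))
    dist, heap = {origin: 0}, [(0, origin)]
    while heap:
        d, s = heapq.heappop(heap)
        if d > dist.get(s, float("inf")):
            continue  # stale queue entry
        for nxt, c in graph.get(s, ()):
            if d + c < dist.get(nxt, float("inf")):
                dist[nxt] = d + c
                heapq.heappush(heap, (d + c, nxt))
    return dist


def closest_target(client_ip, targets=DFS_TARGETS):
    """A target in the client's own site costs 0 and always wins; otherwise the
    target whose site is cheapest to reach is returned (None if nothing is reachable)."""
    site = site_of(client_ip)
    if site is None:
        return None
    costs = site_costs(site)
    reachable = [(costs[s], name) for name, s in targets.items() if s in costs]
    return min(reachable)[1] if reachable else None


if __name__ == "__main__":
    for ip in ("10.1.5.7", "10.2.0.44", "10.3.0.9"):
        print(ip, site_of(ip), "->", closest_target(ip))
```

The Remote site has no file server, so a client there is sent to fs-branch: the direct HQ link costs 500, while Remote to Branch costs 200 (and Remote to HQ via Branch would cost 300). A client whose address matches no subnet object gets no site and therefore no site-based answer, which is the case an administrator should watch for when adding new subnets.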
Q8. Explain replication in Active Directory.
Windows Server 2003 uses a replication model called multimaster replication, in which all replicas of the Active Directory database are considered equal masters. You can make changes to the database on any domain controller and the changes will be replicated to other domain controllers in the domain.

Q9. What is a site link?
Within a site, replication happens automatically. For replication to occur between sites, you must establish a link between the sites. There are two components to this link: the actual physical connection between the sites (usually a WAN link) and a site link object. The site link object is created within Active Directory and determines the protocol used for transferring replication traffic (Internet Protocol [IP] or Simple Mail Transfer Protocol [SMTP]). The site link object also governs when replication is scheduled to occur.

Q10. What are the different types of replication?
■ Replication within a single site (called intrasite replication)
■ Replication between sites (called intersite replication)

■ Intrasite Replication
Intrasite replication sends replication traffic in an uncompressed format. This is because of the assumption that all domain controllers within the site are connected by high-bandwidth links. Not only is the traffic uncompressed, but replication occurs according to a change notification mechanism. Domain controllers in the same site replicate on the basis of notification: when changes are made on a domain controller, it notifies its replication partners (the other domain controllers in the site); the partners then request the changes and replication occurs. Because of the high-speed, low-cost connections assumed within a site, replication occurs as needed rather than according to a schedule. This means that if changes are made in the domain, those changes are quickly replicated to the other domain controllers.

■ Intersite Replication
Intersite replication sends all data compressed. This shows an appreciation for the fact that the traffic will probably be going across slower WAN links (as opposed to the LAN connectivity intrasite replication assumes), but it increases the server load because compression/decompression is added to the processing requirements. In addition to the compression, the replication can be scheduled for times that are more appropriate to your organization. You should create additional sites when you need to control how replication traffic occurs over slower WAN links. For example, suppose you have a number of domain controllers on your main LAN and a few domain controllers on a LAN at a branch location. Those two LANs are connected to one another with a slow (256K) WAN link. You would want replication traffic to occur as needed between the domain controllers on each LAN, but you would want to control traffic across the WAN link to prevent it from affecting higher priority network traffic. To address this situation, you would set up two sites: one site that contained all the domain controllers on the main LAN and one site that contained all the domain controllers on the remote LAN. You may then decide, for example, to allow replication only during slower times of the day. Of course, this delay in replication (based on the schedule) can cause inconsistency between servers in different sites.

Q11. What types of naming convention does Active Directory use?
Active Directory supports several types of names for the different formats that can access Active Directory. These names include:

■ Relative Distinguished Names
The relative distinguished name (RDN) of an object identifies an object uniquely, but only within its parent container. Thus the name uniquely identifies the object relative to the other objects within the same container. Active Directory creates the relative distinguished name automatically, based on information provided when the object is created. Active Directory does not allow two objects with the same relative distinguished name to exist in the same parent container. For most objects, the relative distinguished name of an object is the same as that object’s Common Name attribute. In the example CN=wjglenn,CN=Users,DC=contoso,DC=com, the relative distinguished name of the object is CN=wjglenn. The relative distinguished name of the parent organizational unit is Users. The notations used in the relative distinguished name (and in the distinguished name discussed in the next section) use special notations called LDAP attribute tags to identify each part of the name. The three attribute tags used include:
■ DC The Domain Component (DC) tag identifies part of the DNS name of the domain, such as COM or ORG.
■ OU The Organizational Unit (OU) tag identifies an organizational unit container.
■ CN The Common Name (CN) tag identifies the common name configured for an Active Directory object.

■ Distinguished Names
Each object in the directory has a distinguished name (DN) that is globally unique and identifies not only the object itself, but also where the object resides in the overall object hierarchy. You can think of the distinguished name as the relative distinguished name of an object concatenated with the relative distinguished names of all parent containers that make up the path to the object. An example of a typical distinguished name would be: CN=wjglenn,CN=Users,DC=contoso,DC=com. This distinguished name would indicate that the user object wjglenn is in the Users container, which in turn is located in the contoso.com domain. If the wjglenn object is moved to another container, its DN will change to reflect its new position in the hierarchy. Distinguished names are guaranteed to be unique in the forest, similar to the way that a fully qualified domain name uniquely identifies an object’s placement in a DNS hierarchy. You cannot have two objects with the same distinguished name.

■ Canonical Names
An object’s canonical name is used in much the same way as the distinguished name; it just uses a different syntax. The same distinguished name presented in the preceding section would have the canonical name: contoso.com/Users/wjglenn. As you can see, there are two primary differences in the syntax of distinguished names and canonical names. The first difference is that the canonical name presents the root of the path first and works downward toward the object name. The second difference is that the canonical name does not use the LDAP attribute tags (e.g., CN and DC).

■ User Principal Names
The user principal name that is generated for each object is in the form username@domain_name. Users can log on with their user principal name, and an administrator can define suffixes for user principal names if desired. User principal names should be unique, but Active Directory does not enforce this requirement. It’s best, however, to formulate a naming convention that avoids duplicate user principal names.

Q12. What is LDAP?
LDAP, Lightweight Directory Access Protocol, is an Internet protocol that email and other programs use to look up information from a server. An LDAP-aware directory service (such as Active Directory) indexes all the attributes of all the objects stored in the directory and publishes them. LDAP-aware clients can query the server in a wide variety of ways.

Q13. What is multimaster replication?
Active Directory follows multimaster replication, in which every replica of the Active Directory partition held on every domain controller is considered an equal master. Updates can be made to objects on any domain controller, and those updates are then replicated to other domain controllers.

Q14. Which two operations master roles should be available when new security principals are being created and named?
Domain naming master and the relative ID master
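The naming rules above (RDN within a container, DN as the concatenated path, canonical name as the same path root-first without tags, and the unenforced uniqueness of UPNs), as an added example that is not part of the original notes. It uses the notes' own CN=wjglenn example; the other object names are constructed, and the DN parser handles only the backslash-comma escape, not every escape form RFC 4514 allows:

```python
"""Added example (not from the original notes): parse LDAP distinguished
names into RDNs, derive the canonical name, detect RDN collisions inside one
container, and flag duplicate UPNs that a naming convention must prevent
because Active Directory itself will not.  Object names are constructed."""

from collections import Counter


def parse_dn(dn):
    """Split a DN into (tag, value) pairs, leaf first.  A backslash escapes the
    next character, so 'CN=Glenn\\, Walter' keeps its comma inside the value."""
    parts, buf, i = [], "", 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf += dn[i + 1]
            i += 2
            continue
        if ch == ",":
            parts.append(buf)
            buf = ""
        else:
            buf += ch
        i += 1
    parts.append(buf)
    rdns = []
    for part in parts:
        tag, _, value = part.strip().partition("=")
        rdns.append((tag.upper(), value))
    return rdns


def rdn(dn):
    """The relative distinguished name is the leaf component of the DN."""
    tag, value = parse_dn(dn)[0]
    return f"{tag}={value}"


def parent_dn(dn):
    """Everything after the leaf component names the parent container."""
    return ",".join(f"{t}={v}" for t, v in parse_dn(dn)[1:])


def canonical_name(dn):
    """Root first and no attribute tags: DC parts join with '.', the rest with '/'."""
    rdns = parse_dn(dn)
    domain = ".".join(v for t, v in rdns if t == "DC")
    path = [v for t, v in reversed(rdns) if t != "DC"]
    return "/".join([domain] + path)


def rdn_conflicts(dns):
    """DNs that collide with another object in the same container (AD would
    refuse to create the second one); comparison is case-insensitive."""
    key = lambda d: (parent_dn(d).lower(), rdn(d).lower())
    seen = Counter(key(d) for d in dns)
    return sorted(d for d in dns if seen[key(d)] > 1)


def duplicate_upns(upns):
    """AD does not enforce UPN uniqueness, so the convention check has to."""
    counts = Counter(u.lower() for u in upns)
    return sorted(u for u, n in counts.items() if n > 1)


if __name__ == "__main__":
    dn = "CN=wjglenn,CN=Users,DC=contoso,DC=com"
    print(rdn(dn), "|", parent_dn(dn), "|", canonical_name(dn))
```

Note that the same RDN in two different containers (CN=wjglenn under CN=Users and under OU=Sales) is legal, because the DN, not the RDN, is what must be unique in the forest; the conflict detector only reports objects that share both the parent container and the RDN.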
Q15. What are the different types of groups?
■ Security groups: used to group domain users into a single administrative unit. Security groups can be assigned permissions and can also be used as e-mail distribution lists. Windows itself uses only security groups.
■ Distribution groups: used for non-security purposes by applications other than Windows. One of the primary uses is within an e-mail application; a distribution group cannot be assigned permissions.

As with user accounts, there are both local and domain-level groups. Local groups are stored in a local computer's security database and are intended to control resource access on that computer. Domain groups are stored in Active Directory and let you gather users and control resource access in a domain and on domain controllers. Users placed into a group inherit the permissions assigned to the group for as long as they remain members of that group.

Q16. What is a group scope and what are the different types of group scopes?
Group scopes determine where in the Active Directory forest a group is accessible and what objects can be placed into the group. Windows Server 2003 includes three group scopes: global, domain local, and universal.

■ Global groups are used to gather users that have similar permissions requirements. Global groups have the following characteristics:
1. Global groups can contain user and computer accounts only from the domain in which the global group is created.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003 (i.e. the domain contains only Windows 2000 or 2003 domain controllers), global groups can also contain other global groups from the local domain.
3. Global groups can be assigned permissions or be added to local groups in any domain in a forest.

■ Domain local groups exist on domain controllers and are used to control access to resources located on domain controllers in the local domain (for member servers and workstations, you use local groups on those systems instead). Domain local groups share the following characteristics:
1. Domain local groups can contain users and global groups from any domain in a forest, no matter what functional level is enabled.
2. When the domain functional level is set to Windows 2000 native or Windows Server 2003, domain local groups can also contain other domain local groups (from the same domain) and universal groups.

■ Universal groups exist outside the boundaries of any particular domain; their membership is stored on and managed by Global Catalog servers. Universal groups are normally used to assign permissions to related resources in multiple domains. Universal groups share the following characteristics:
1. Universal security groups are available only when the domain functional level is set to Windows 2000 native or Windows Server 2003 (in a mixed-mode domain you can create only universal distribution groups).
2. Universal groups can contain users, global groups, and other universal groups from any domain in a forest.
3. You can grant permissions for a universal group to any resource in any domain.

Q17. What are the items that groups of different scopes can contain in mixed and native mode domains?
The characteristics listed under Q16 give the answer. In a mixed-mode domain, global groups can contain only users and computers from their own domain, and domain local groups can contain users and global groups from any domain. In native mode (Windows 2000 native or Windows Server 2003), global groups can also nest global groups from their own domain, domain local groups can also nest domain local groups and universal groups, and universal security groups become available.

Q18. What is group nesting?
Placing one group in another is called group nesting. For example, suppose you had junior-level administrators in four different geographic locations. You could create a separate group for each location (named something like Dallas Junior Admins). Then, you could create a single group named Junior Admins and make each of the location-based groups a member of the main group, as shown in Figure 4-10. This approach would allow you to set permissions on a single group and have those permissions flow down to the members, yet still be able to subdivide the junior administrators by location.

Q19. How many characters can a group name contain?
64

Q20. Is a site part of the Active Directory namespace?
No. When a user browses the logical namespace, computers and users are grouped into domains and OUs without reference to sites. However, site names are used in the Domain Name System (DNS) records, so sites must be given valid DNS names.
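The scope rules under Q16 and the nesting example under Q18, as an added Python model (not code from the original page). The domain names, the Junior Admins groups and the user names are constructed for the example. One rule goes beyond the text, as noted in the comment: a domain local group may nest only domain local groups from its own domain.

```python
"""Model of Windows Server 2003 group scopes (Q16) and group nesting (Q18)."""
from dataclasses import dataclass, field

# Domain functional level: "native" stands for Windows 2000 native / Windows Server 2003.
MIXED, NATIVE = "mixed", "native"


@dataclass(frozen=True)
class User:
    name: str
    domain: str


@dataclass
class Group:
    name: str
    domain: str
    scope: str                       # "global", "domain_local" or "universal"
    members: list = field(default_factory=list)


def can_contain(container, member, level):
    """Apply the per-scope membership rules listed under Q16."""
    same_domain = member.domain == container.domain
    is_user = isinstance(member, User)
    if container.scope == "global":
        if is_user:
            return same_domain                              # accounts from the own domain only
        return level == NATIVE and member.scope == "global" and same_domain
    if container.scope == "domain_local":
        if is_user or member.scope == "global":
            return True                                     # any domain, any functional level
        if member.scope == "universal":
            return level == NATIVE
        # Assumption beyond the text: nested domain local groups must come from the same domain.
        return level == NATIVE and same_domain
    if container.scope == "universal":
        if level != NATIVE:
            return False                                    # universal security groups need native mode
        return is_user or member.scope in ("global", "universal")
    raise ValueError(f"unknown scope {container.scope!r}")


def add_member(container, member, level=NATIVE):
    """Add a member, refusing combinations the scope rules forbid."""
    if not can_contain(container, member, level):
        kind = "user" if isinstance(member, User) else f"{member.scope} group"
        raise ValueError(f"{container.scope} group {container.name!r} cannot contain "
                         f"{kind} {member.name!r} from {member.domain}")
    container.members.append(member)


def effective_members(group):
    """Expand nested groups so that permissions set on the outer group 'flow down'
    to the user names they reach. A seen-set tolerates accidental cycles."""
    users, seen, stack = set(), set(), [group]
    while stack:
        g = stack.pop()
        if id(g) in seen:
            continue
        seen.add(id(g))
        for m in g.members:
            if isinstance(m, User):
                users.add(m.name)
            else:
                stack.append(m)
    return users


def build_junior_admins(locations=("Dallas", "Denver", "Houston", "Austin")):
    """Q18's layout: one global group per location, all nested into Junior Admins."""
    domain = "corp.example"                                 # constructed domain name
    parent = Group("Junior Admins", domain, "domain_local")
    for loc in locations:
        g = Group(f"{loc} Junior Admins", domain, "global")
        add_member(g, User(f"{loc.lower()}.admin", domain))
        add_member(parent, g)
    return parent
```

Setting a permission on the Junior Admins group reaches every location's administrator through `effective_members`, while a global group still refuses a user from another domain and, at the mixed functional level, refuses to nest another global group.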
Q21. What is DFS?
The Distributed File System is used to build a hierarchical view of multiple file servers and shares on the network. Instead of having to think of a specific machine name for each set of files, the user will only have to remember one name, which will be the 'key' to a list of shares found on multiple servers on the network. Think of it as the home of all file shares with links that point to one or more servers that actually host those shares. DFS has the capability of routing a client to the closest available file server by using Active Directory site metrics. It can also be installed on a cluster for even better performance and reliability. The client Windows operating system consists of a DFS client which provides additional features as well as caching, load balancing and reduced use of network bandwidth.

Windows 2003 offers a revamped version of the Distributed File System found in Windows 2000, which has been improved to better performance and add additional fault tolerance. It also comes with a powerful set of command-line scripting tools which can be used to make administrative backup and restoration tasks of the DFS namespaces easier.

The image below shows the actual folder structure of what the user sees when using DFS and load balancing.
Figure 1: The actual folder structure of DFS and load balancing

Understanding the DFS terminology
It is important to understand the new concepts that are part of DFS. Below is a definition of each of them.
Dfs root: You can think of this as a share that is visible on the network, and in this share you can have additional files and folders.
Dfs link: A link is another share somewhere on the network that goes under the root. When a user opens this link they will be redirected to a shared folder.
Dfs target (or replica): This can be referred to as either a root or a link. If you have two identical shares, normally stored on different servers, you can group them together as Dfs targets under the same link.
Q22. What are the types of replication in DFS?
There are two types of replication:
* Automatic - which is only available for Domain DFS.
* Manual - which is available for stand-alone DFS and requires all files to be replicated manually.

Q23. Which service is responsible for replicating files in the SYSVOL folder?
File Replication Service (FRS).

Q24. What all can a site topology owner do?
The site topology owner is the name given to the administrator (or administrators) that oversee the site topology. The owner is responsible for making any necessary changes to the site as the physical network grows and changes. The site topology owner's responsibilities include:
■ Making changes to the site topology based on changes to the physical network topology.
■ Tracking subnetting information for the network. This includes IP addresses, subnet masks, and the locations of the subnets.
■ Monitoring network connectivity and setting the costs for links between sites.

DNS

Q1. What is DNS?
Before DNS, the practice of mapping friendly host or computer names to IP addresses was handled via host files. These are static ASCII text files that simply map a host name to an IP address in a table-like format. Host files are easy to understand. Windows ships with a HOSTS file in the \winnt\system32\drivers\etc subdirectory. The fundamental problem with host files was that they were labor intensive: a host file is manually modified, and it is typically centrally administered.
DNS provides name registration and name-to-address resolution capabilities, and it drastically lowers the need to remember numeric IP addresses when accessing hosts on the Internet or any other TCP/IP-based network. The DNS system consists of three components: DNS data (called resource records), servers (called name servers), and Internet protocols for fetching data from the servers.

Q2. How DNS really works
DNS uses a client/server model in which the DNS server maintains a static database of domain names mapped to IP addresses. The DNS client, known as the resolver, performs queries against the DNS servers. The bottom line? DNS resolves domain names to IP addresses using these steps:
Step 1. A client (or "resolver") passes its request to its local name server. For example, the URL term www.idgbooks.com typed into Internet Explorer is passed to the DNS server identified in the client TCP/IP configuration. This DNS server is known as the local name server.
Step 2. If, as often happens, the local name server is unable to resolve the request, other name servers are queried so that the resolver may be satisfied.
Step 3. If all else fails, the request is passed to more and more higher-level name servers until the query resolution process starts with the far-right term (for instance, com) or at the top of the DNS tree with the root name servers.
Below the steps are explained with the help of a chart.
Figure 8-5: How DNS works

Q3. Which are the four generally accepted naming conventions?
● NetBIOS Name (for instance, SPRINGERS01)
● TCP/IP Host Name (for instance, Abbey)
● Address (the host's IP address)
● Media Access Control (MAC) address: the network adapter hardware address
Q4. Which are the major records in DNS?

1. Host or Address Records (A)
A records map the name of a machine to its numeric IP address. In clearer terms, this record states the hostname and IP address of a certain machine. They have three fields: Host Name, Domain, Host IP Address. E.g.:
eric.foobarbaz.com. IN A 36.1.36.6
It is possible to map more than one IP address to a given hostname. This often happens for people who run a firewall and have two Ethernet cards in one machine. All you must do is add a second A record, with every column the same save for the IP address.

2. Aliases or Canonical Name Records (CNAME)
"CNAME" records simply allow a machine to be known by more than one hostname. There must always be an A record for the machine before aliases can be added. The host name of a machine that is stated in an A record is called the canonical, or official, name of the machine. Other records should point to the canonical name. A machine can have an unlimited number of CNAME aliases; a new record must be entered for each alias. Here is an example of a CNAME:
www.foobarbaz.com. IN CNAME eric.foobarbaz.com.
You can see the similarities to the previous record. Records always read from left to right, with the subject to be queried about on the left and the answer to the query on the right.

3. Mail Exchange Records (MX)
"MX" records are far more important than they sound. They allow all mail for a domain to be routed to one host. This is exceedingly useful: it abates the load on your internal hosts since they do not have to route incoming mail. For example, we have a mail server running on the fictitious machine eric.foobarbaz.com. For convenience's sake, we want our email address to be "user@foobarbaz.com" rather than "user@eric.foobarbaz.com". This is accomplished by the record shown below:
foobarbaz.com. IN MX 10 eric.foobarbaz.com.
The column on the far left signifies the address that you want to use as an Internet email address. The next column, however, is different from the normal DNS record format: the number "10" is a signifier of priority. The next two entries have been explained thoroughly in previous records. Often larger systems will have backup mail servers, perhaps more than one. Obviously, you will only want the backups receiving mail if something goes wrong with the primary mail server. You can indicate this with your MX records, in order of priority. A lower number in an MX record means a higher priority, and mail will be sent to the server with the lowest number (the lowest possible being 0). If something happens so that this server becomes unreachable, the computer delivering the mail will attempt every other server listed in the DNS tables. Obviously, you can have as many MX records as you would like.
It is also a good idea to include an MX record even if you are having mail sent directly to a machine with an A record. Some sendmail programs only look for MX records.
It is also possible to include wildcards in MX records. If you have a domain where your users each have their own machine running mail clients on them, mail could be sent directly to each machine. Rather than clutter your DNS entry, you can add an MX record like this one:
*.foobarbaz.com. IN MX 10 eric.foobarbaz.com.
This would make any mail sent to any individual workstation in the foobarbaz.com domain go through the server eric.foobarbaz.com, and it allows your mail to be sent to any address in your domain even if that particular address does not have a computer associated with it. One should use caution with wildcards: specific records will be given precedence over ones containing wildcards.

4. Name Server Records (NS)
NS records are imperative to functioning DNS entries. They are very simple; they merely state the authoritative name servers for the given domain. There must be at least two NS records in every DNS entry. There also must be an A record in your DNS for each machine you enter as a name server in your domain. NS records look like this:
foobarbaz.com. IN NS draven.foobarbaz.com.
If Allegiance Internet is doing primary and secondary name service, we will set up these records for you automatically, with "nse.algx.net" and "nsf.algx.net" as your two authoritative name servers.

5. Pointer Records (PTR)
Although there are different ways to set up PTR records, we will be explaining only the most frequently used method. In-addr.arpa PTR records are the exact inverse of A records. They allow your machine to be recognized by its IP address. Resolving a machine in this fashion is called a "reverse lookup". Reverse lookups are a good security measure, verifying that your machine is exactly who it claims to be. It is becoming more and more common that a machine will do a reverse lookup on your machine before allowing you to access a service (such as a World Wide Web page). In-addr.arpa records look as such:
6.36.1.36.in-addr.arpa. IN PTR eric.foobarbaz.com.
As you can see from the example for the A record at the beginning of this document, the record simply has the IP address in reverse, followed by "in-addr.arpa", for the host name in the last column. A note for those who run their own name servers: although Allegiance Internet is capable of pulling zones from your name server, we cannot pull the inverse zones (these in-addr.arpa records) unless you have been assigned a full class C network. If you would like us to put PTR records in our name servers for you, you will have to fill out the online web form on the support.allegianceinternet.com page.

6. Start Of Authority Records (SOA)
The "SOA" record is the most crucial record in a DNS entry. It conveys more information than all the other records combined. This record is called the start of authority because it denotes the DNS entry as the official source of information for its domain. There can only be one SOA record per domain. Here is an example of an SOA record; each part of it is explained afterwards:
foobarbaz.com. IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
    1996111901 ; Serial
    10800      ; Refresh
    3600       ; Retry
    3600000    ; Expire
    86400 )    ; Minimum
The first column contains the domain for which this record begins authority. The next two entries should look familiar. The "draven.foobarbaz.com" entry is the primary name server for the domain. The last entry on this row is actually an email address, if you substitute a "@" for the first ".". There should always be a viable contact address in the SOA record. Allegiance Internet sets up this record for you if you are not running your own name server.
The next entries are a little more unusual than what we have become used to. The serial number is a record of how often this DNS entry has been updated. Every time a change is made to the entry, the serial number must be incremented. Other name servers that pull information for a zone from the primary only pull the zone if the serial number on the primary name server's entry is higher than the serial number on their own entry. In this way the name servers for a domain are able to update themselves. A recommended way of using your serial number is the YYYYMMDDNN format shown above, where NN is the number of times that day the DNS has been changed. Also, a note for Allegiance Internet customers who run their own name servers: even if the serial number is incremented, you should still fill out the web form and use the comment box when you make changes, asking us to pull the new zones.
All the rest of the numbers in the record are measurements of time, in seconds. The "refresh" number stands for how often secondary name servers should check the primary for a change in the serial number. "Retry" is how long a secondary server should wait before trying to reconnect to the primary server if the connection was refused. "Expire" is how long the secondary server should use its current entry if it is unable to perform a refresh, and "minimum" is how long other name servers should cache, or save, this entry.

Quick summary of the major records in DNS
Record type | Definition
Host (A) | Maps a host name to an IP address in a DNS zone. Fields include: Domain, Host Name, Host IP Address.
Aliases (CNAME) | Canonical name resource record that creates an alias for a host name. CNAME records are typically used to hide implementation details from clients. Fields include: Domain, Alias Name, Host DNS Name.
Nameservers (NS) | Identifies the DNS name servers in the DNS domain. NS records appear in all DNS zones and reverse zones. Fields include: Domain, Name Server DNS Name.
Pointer (PTR) | Maps an IP address to a host name in a DNS reverse zone. Fields include: IP Address, Host DNS Name.
Mail Exchange (MX) | Specifies a mail exchange server for a DNS domain name. A mail exchange server is a host that will either process or forward mail for the DNS domain name. Processing the mail means either delivering it to the addressee or passing it to a different type of mail transport. Forwarding the mail means sending it to its final destination server, sending it using Simple Mail Transfer Protocol to another mail server that is closer to the final destination, or queuing it for a specified amount of time. Fields include: Domain, Host Name (Optional), Preference Number, Mail Exchange Server DNS Name.

Short summary of the records in DNS
Often, a domain may have several DNS servers that respond to requests for the same information. For fault tolerance purposes and load balancing, the NS records are used to point to additional DNS servers. CNAME records are used to give a host multiple names. MX records are used when configuring a domain for email. For example, to connect Microsoft Exchange to the Internet via the Internet Mail Server (IMS), a BackOffice e-mail application, the MX record must be correctly configured by your ISP. Note that the term "exchange" does not refer to Microsoft Exchange. The PTR record is used for reverse lookups (IP to name). The SOA record contains many miscellaneous settings for the zone, such as who is responsible for the zone, refresh interval settings, TTL (Time To Live) settings, and a serial number (incremented with every update).

Q5. What is a DNS zone?
A zone is simply a contiguous section of the DNS namespace. For example, support.microsoft.com and msdn.microsoft.com are separate zones, where support and msdn are subdomains within the microsoft.com domain. Often, subdomains are split into several zones to make manageability easier. The entries within a zone give the DNS server the information it needs to satisfy requests from other computers or DNS servers. Records for a zone are stored and managed together.

Q6. Name the two zones in DNS.
DNS servers can contain primary and secondary zones. A primary zone is a copy of a zone where updates can be made, while a secondary zone is a read-only copy of a primary zone.

Q7. How many SOA records does each zone contain?
Each zone has exactly one SOA record.
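The record types above, parsed from BIND-style zone text and checked against the rules the text states, as an added example (not code from the original page or from Allegiance Internet). The zone text is constructed from the foobarbaz.com records above; backup.foobarbaz.com, the A record for draven and the second NS entry are invented to give the checks something to work on.

```python
"""Parse A, CNAME, MX, NS, PTR and SOA records and apply the rules described above."""

# Constructed zone: the foobarbaz.com examples from the text plus invented backup/NS entries.
ZONE_TEXT = """\
foobarbaz.com.           IN SOA draven.foobarbaz.com. hostmaster.foobarbaz.com. (
                                1996111901 ; Serial (YYYYMMDDNN)
                                10800      ; Refresh
                                3600       ; Retry
                                3600000    ; Expire
                                86400 )    ; Minimum
foobarbaz.com.           IN NS    draven.foobarbaz.com.
foobarbaz.com.           IN NS    nse.algx.net.
foobarbaz.com.           IN MX    10 eric.foobarbaz.com.
foobarbaz.com.           IN MX    20 backup.foobarbaz.com.
draven.foobarbaz.com.    IN A     36.1.36.1
eric.foobarbaz.com.      IN A     36.1.36.6
backup.foobarbaz.com.    IN A     36.1.36.7
www.foobarbaz.com.       IN CNAME eric.foobarbaz.com.
6.36.1.36.in-addr.arpa.  IN PTR   eric.foobarbaz.com.
"""


def _logical_lines(text):
    """Strip ';' comments and join parenthesised multi-line records (the SOA)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def parse_zone(text):
    """Return {owner: [(rtype, rdata_tokens), ...]}; an optional TTL before IN is accepted."""
    records = {}
    for line in _logical_lines(text):
        tokens = line.split()
        cls = tokens.index("IN")
        records.setdefault(tokens[0], []).append((tokens[cls + 1], tokens[cls + 2:]))
    return records


def rrset(records, owner, rtype):
    return [rdata for t, rdata in records.get(owner, []) if t == rtype]


def canonical_name(records, name, hops=8):
    """Follow CNAME aliases to the canonical (A-bearing) name; bounded against loops."""
    for _ in range(hops):
        alias = rrset(records, name, "CNAME")
        if not alias:
            return name
        name = alias[0][0]
    raise ValueError("CNAME chain too long or looping")


def addresses(records, name):
    return [rdata[0] for rdata in rrset(records, canonical_name(records, name), "A")]


def mail_exchangers(records, domain):
    """Hosts to try in delivery order, lowest preference first. With no MX at all a
    mailer falls back to the domain's own A record. Preference must fit 16 bits."""
    mx = rrset(records, domain, "MX")
    if not mx:
        return [domain] if addresses(records, domain) else []
    ranked = []
    for pref, host in mx:
        if not 0 <= int(pref) <= 65535:
            raise ValueError(f"MX preference {pref} is outside the 16-bit range")
        ranked.append((int(pref), host))
    return [host for _, host in sorted(ranked)]


def reverse_name(ip):
    """Owner name of the PTR record: octets reversed under in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def soa(records, domain):
    mname, rname, *timers = rrset(records, domain, "SOA")[0]
    keys = ("serial", "refresh", "retry", "expire", "minimum")
    return {"mname": mname, "rname": rname, **dict(zip(keys, map(int, timers)))}


def next_serial(current, today_yyyymmdd):
    """YYYYMMDDNN: the first change of a day gets NN=01, later changes that day bump NN."""
    stamp = today_yyyymmdd * 100
    return stamp + 1 if current < stamp else current + 1


def lint_zone(records, domain):
    """Checks drawn from the rules in the text; returns a list of problem strings."""
    problems = []
    if len(rrset(records, domain, "SOA")) != 1:
        problems.append("a zone must have exactly one SOA record")
    ns = rrset(records, domain, "NS")
    if len(ns) < 2:
        problems.append("fewer than two NS records")
    for (host,) in ns:                      # in-zone name servers need an A record (glue)
        if host.endswith("." + domain) and not rrset(records, host, "A"):
            problems.append(f"name server {host} has no A record in the zone")
    for owner, rrs in records.items():
        for rtype, rdata in rrs:
            if rtype == "CNAME" and not rrset(records, rdata[0], "A"):
                problems.append(f"alias {owner} points at {rdata[0]}, which has no A record")
            if rtype == "A":                # forward and reverse entries should agree
                ptr = rrset(records, reverse_name(rdata[0]), "PTR")
                if ptr and ptr[0][0] != owner:
                    problems.append(f"PTR for {rdata[0]} names {ptr[0][0]}, not {owner}")
    return problems


ZONE = parse_zone(ZONE_TEXT)
```

`mail_exchangers` returns eric before backup because 10 sorts before 20, `canonical_name` turns the www alias into eric so that `addresses` finds 36.1.36.6, and `lint_zone` reports nothing for this zone but flags a CNAME whose target has no A record.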
Q8. What is a STUB zone?
A stub zone is a copy of a zone that contains only those resource records necessary to identify the authoritative Domain Name System (DNS) servers for that zone. A stub zone is used to resolve names between separate DNS namespaces. This type of resolution may be necessary when a corporate merger requires that the DNS servers for two separate DNS namespaces resolve names for clients in both namespaces.

Q9. What does a stub zone consist of?
A stub zone consists of:
• The start of authority (SOA) resource record, the name server (NS) resource records, and the glue A resource records for the delegated zone.
• The IP address of one or more master servers that can be used to update the stub zone.
The master servers for a stub zone are one or more DNS servers authoritative for the child zone, usually the DNS server hosting the primary zone for the delegated domain name.

Q10. How does resolution in a stub zone take place?
When a DNS client performs a recursive query operation on a DNS server hosting a stub zone, the DNS server uses the resource records in the stub zone to resolve the query. The DNS server sends an iterative query to the authoritative DNS servers specified in the NS resource records of the stub zone, as if it were using NS resource records in its cache. If the DNS server cannot find the authoritative DNS servers in its stub zone, the DNS server hosting the stub zone attempts standard recursion using its root hints. If the query was an iterative query, the DNS server returns a referral containing the servers specified in the stub zone.
The DNS server will store the resource records it receives from the authoritative DNS servers listed in a stub zone in its cache, but it will not store these resource records in the stub zone itself; only the SOA, NS, and glue A resource records returned in response to the query are stored in the stub zone. The resource records stored in the cache are cached according to the Time-to-Live (TTL) value in each resource record. The SOA, NS, and glue A resource records, which are not written to the cache, expire according to the expire interval specified in the stub zone's SOA record, which is created during the creation of the stub zone and updated during transfers to the stub zone from the original, primary zone.

Q11. What is an AD-integrated zone?
AD-integrated zones store the zone data in Active Directory and use the same replication process used to replicate other data between domain controllers. The one catch with AD-integrated zones is that the DNS server must also be a domain controller. Overloading DNS server responsibilities on your domain controllers may not be something you want to do if you plan on supporting a large volume of DNS requests.
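The stub-zone resolution path from Q10, reduced to an in-process simulation, as an added example (not code from the original page or from Microsoft). The zone data, host names and addresses are constructed, and the "root hints" server is a stand-in that answers directly instead of referring down the tree, so that the stub-zone path and the root-hints fallback can be told apart.

```python
"""Miniature of a DNS server holding a stub zone: stub NS/glue for names under the
child zone, root hints for everything else, TTL-bound cache, stub zone left untouched."""
from dataclasses import dataclass

# Constructed authoritative data: (owner, type) -> (ttl_seconds, [rdata])
CHILD = {
    ("child.example.", "SOA"): (3600, ["ns1.child.example. hostmaster.child.example. "
                                       "2024010101 3600 600 86400 300"]),
    ("child.example.", "NS"): (3600, ["ns1.child.example."]),
    ("ns1.child.example.", "A"): (3600, ["192.0.2.53"]),     # glue for the NS above
    ("www.child.example.", "A"): (60, ["192.0.2.80"]),       # short TTL to show cache expiry
}
ROOT_STANDIN = {                                            # stands in for root-hints recursion
    ("www.example.", "A"): (300, ["198.51.100.80"]),
}


@dataclass
class Authoritative:
    zone: str
    records: dict
    queries: int = 0          # counts the iterative queries that reach this server

    def query(self, qname, qtype):
        """Answer only for names inside the zone; None means 'not authoritative'."""
        self.queries += 1
        if qname != self.zone and not qname.endswith("." + self.zone):
            return None
        return self.records.get((qname, qtype))


class StubZoneServer:
    def __init__(self, zone, master_ip, network, root_ip):
        self.zone, self.network, self.root_ip = zone, network, root_ip
        master = network[master_ip]
        # Creating the stub zone copies exactly the SOA, the NS set and the glue A
        # records from the master (Q9); nothing else is ever written into it.
        self.stub = {(zone, t): master.records[(zone, t)] for t in ("SOA", "NS")}
        for ns in self.stub[(zone, "NS")][1]:
            self.stub[(ns, "A")] = master.records[(ns, "A")]
        self.cache = {}       # (qname, qtype) -> (expires_at, rdata)

    def resolve(self, qname, qtype, now, recursive=True):
        """Return (where the answer came from, rdata)."""
        key = (qname, qtype)
        if key in self.cache and self.cache[key][0] > now:
            return "cache", self.cache[key][1]
        in_stub = qname == self.zone or qname.endswith("." + self.zone)
        if in_stub and not recursive:
            # iterative client: hand back a referral to the delegation the stub zone holds
            return "referral", self.stub[(self.zone, "NS")][1]
        if in_stub:
            ns_name = self.stub[(self.zone, "NS")][1][0]
            server_ip, source = self.stub[(ns_name, "A")][1][0], "stub-zone NS"
        else:
            server_ip, source = self.root_ip, "root hints"
        rr = self.network[server_ip].query(qname, qtype)
        if rr is None:
            return source, None
        ttl, rdata = rr
        self.cache[key] = (now + ttl, rdata)   # cached by TTL, kept out of the stub zone
        return source, rdata


def build_network():
    """Wire the two authoritative servers up by their (constructed) addresses."""
    return {
        "192.0.2.53": Authoritative("child.example.", CHILD),
        "198.51.100.1": Authoritative("example.", ROOT_STANDIN),
    }
```

The first recursive query for www.child.example. goes straight to the server named in the stub zone's NS and glue records, the second is answered from cache until the 60-second TTL runs out, an iterative query gets a referral, a name outside the child zone goes to the root-hints stand-in, and the stub zone itself never gains the www record.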
Q13. What are the benefits of Active Directory integration?
For networks deploying DNS to support Active Directory, directory-integrated primary zones are strongly recommended and provide the following benefits:
* Multimaster update and enhanced security based on the capabilities of Active Directory. In a standard zone storage model, DNS updates are conducted based upon a single-master update model. In this model, a single authoritative DNS server for a zone is designated as the primary source for the zone. This server maintains the master copy of the zone in a local file. With this model, the primary server for the zone represents a single fixed point of failure: if this server is not available, update requests from DNS clients are not processed for the zone. With directory-integrated storage, dynamic updates to DNS are conducted based upon a multimaster update model. In this model, any authoritative DNS server, such as a domain controller running a DNS server, is designated as a primary source for the zone. Because the master copy of the zone is maintained in the Active Directory database, which is fully replicated to all domain controllers, the zone can be updated by the DNS servers operating at any domain controller for the domain. With the multimaster update model of Active Directory, any of the primary servers for the directory-integrated zone can process requests from DNS clients to update the zone as long as a domain controller is available and reachable on the network. Also, when using directory-integrated zones, you can use access control list (ACL) editing to secure a dnsZone object container in the directory tree. This feature provides granular access to either the zone or a specified RR in the zone. For example, an ACL for a zone RR can be restricted so that dynamic updates are only allowed for a specified client computer or a secure group such as a domain administrators group. This security feature is not available with standard primary zones. Note that when you change the zone type to be directory-integrated, the default for updating the zone changes to allow only secure updates. Also, while you may use ACLs on DNS-related Active Directory objects, ACLs may only be applied to the DNS client service.
* Directory replication is faster and more efficient than standard DNS replication. Because Active Directory replication processing is performed on a per-property basis, only relevant changes are propagated. This allows less data to be used and submitted in updates for directory-stored zones. The multimaster replication model of Active Directory removes the need for secondary zones when all zones are stored in Active Directory.
Note: Only primary zones can be stored in the directory. A DNS server cannot store secondary zones in the directory; it must store them in standard text files.

Q14. What is scavenging?
DNS scavenging is the process whereby resource records are automatically removed if they are not updated after a period of time. Typically, this applies only to resource records that were added via DDNS, but you can also scavenge manually added, also referred to as static, records. DNS scavenging is a recommended practice so that your DNS zones are automatically kept clean of stale resource records.

Q15. What is the default interval after which the DNS server kicks off the scavenging process?
The default value is 168 hours, which is equivalent to 7 days.

DNS Q&A corner

Q1. How do I use a load balancer with my name servers?
> Just wanted to ask a question about load balanced DNS servers via an external network load balancing appliance (i.e. F5's Big IP, Cisco's Content Switches/Local Directors). The main question being the configuration whether to use 2 Master/Primary Servers or is it wiser to use 1 Primary and 1 Secondary? The reason is that I feel there are two configurations that could be set up. One in which only the resolvers query the virtual IP address on the load balancing appliance, or actually configure your NS records to point to the Virtual Address so that all queries, both local queries directly from local users and also queries from external DNS servers, go through it. Have you ever heard of or architected such a configuration?
> I've included a text representation of the physical configuration.
>
>                  VIP = 167.1.1.5
>         -----------------------------------
>         |       Load Balancer Device      |
>         -----------------------------------
>                 |               |
>         ----------------   ----------------
>         |    DNS 1     |   |    DNS 2     |
>         ----------------   ----------------
>             1.1.1.1           1.1.1.2

There's usually not much need to design solutions like these, since most name server implementations will automatically choose the name server that responds most quickly. In other words, if DNS 1 fails, remote name servers will automatically try DNS 2, and vice versa. However, it can be useful for resolvers. In that case, you don't need to worry about NS records (since resolvers don't use them), just setting up a virtual IP address.

> Also, is there any problem in running two Master/Primaries?

Just that you'd have to synchronize the zone data between the two manually.

Q2. How does reverse mapping work?
> How can reverse lookup possibly work on the Internet - how can a local resolver or ISP's DNS server find the pointer records please? E.g. I run nslookup 161.114.147.206 & get a reply for a Compaq server - how does it know where to look? Is there a giant reverse lookup zone in the sky?

Yes, actually, there is: in-addr.arpa, run by an organization called ARIN, the American Registry for Internet Numbers. If a resolver needs to reverse map, say, 161.114.147.206 to a domain name, it first inverts the octets of the IP address and appends "in-addr.arpa." So, in this case, the IP address would become the domain name 206.147.114.161.in-addr.arpa. Then the resolver sends a query for PTR records attached to that domain name. If necessary, the resolution process starts at the root name servers. The root name servers refer the querier to the 161.in-addr.arpa name servers, run by ARIN. These name servers refer the querier to the 114.161.in-addr.arpa name servers, run by Compaq. And, finally, these name servers map the IP address to inmail.compaq.com.
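Stepping back from the Q&A corner to the aging and scavenging process described under Q14 and Q15 above: the decision a Windows DNS server makes, with the default no-refresh interval, refresh interval and 168-hour scavenging period, as an added example (not code from the original page or from Microsoft). The zone contents and timestamps are constructed; Windows stores a zero timestamp for static records, which is modelled here as None.

```python
"""Aging and scavenging of dynamically registered DNS records (Windows defaults)."""
from datetime import datetime, timedelta

NO_REFRESH_INTERVAL = timedelta(days=7)    # default: refreshes ignored for 7 days after a write
REFRESH_INTERVAL = timedelta(days=7)       # default: then 7 more days in which a refresh is expected
SCAVENGING_PERIOD = timedelta(hours=168)   # default scavenging period from Q15 (7 days)


def days_after(moment, days):
    return moment + timedelta(days=days)


def dynamic_update(zone, name, ip, now):
    """Apply a DDNS registration to zone {name: (ip, timestamp)}. Static records
    (timestamp None) stay static. A refresh of an unchanged record rewrites the
    timestamp only once the no-refresh interval has passed, which is what keeps
    the timestamp churn out of Active Directory replication. Returns True on write."""
    old_ip, stamp = zone.get(name, (None, None))
    if name in zone and stamp is None:
        zone[name] = (ip, None)
        return old_ip != ip
    if old_ip != ip or now >= stamp + NO_REFRESH_INTERVAL:
        zone[name] = (ip, now)
        return True
    return False


def is_stale(stamp, now):
    """Eligible for scavenging once no-refresh + refresh has elapsed; never for static records."""
    return stamp is not None and now >= stamp + NO_REFRESH_INTERVAL + REFRESH_INTERVAL


def scavenge(zone, now, last_run):
    """Run a scavenging pass if the scavenging period has elapsed since the last one.
    Returns (ran, sorted names removed); the zone is modified in place."""
    if now - last_run < SCAVENGING_PERIOD:
        return False, []
    removed = sorted(n for n, (_, stamp) in zone.items() if is_stale(stamp, now))
    for n in removed:
        del zone[n]
    return True, removed


def example_zone():
    """Constructed zone: one static server record and two laptops registered at t0."""
    t0 = datetime(2024, 1, 1)
    zone = {
        "fileserver.corp.example": ("10.0.0.5", None),
        "laptop1.corp.example": ("10.0.1.20", t0),
        "laptop2.corp.example": ("10.0.1.21", t0),
    }
    return zone, t0
```

A refresh on day 3 is ignored because the record is inside its no-refresh interval, the refresh on day 8 restarts laptop1's clock, and the scavenging pass on day 15 removes only laptop2 (registered at day 0, never refreshed) while leaving the static server record alone.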
Q3. What are the pros and cons of running slaves versus caching-only name servers?
> I am in the process of setting up DNS servers in several locations for my business. I have looked into having a primary master server running in my server room and adding slave servers in the other areas. I then thought I could just set up a primary and a single slave server and run caching-only servers in the other areas. What are the pros and cons of these two options, or should I run a slave server in every location and still have a caching server with it? I just don't know what the best way would be. Please help.

The main advantage of having slaves everywhere is that you have a source of your own zone data on each name server. So if you have a community of hosts near each slave that look up domain names in your zones, the local name server can answer most of their queries. On the other hand, administering slaves is a little more work than administering caching-only name servers, and a little greater burden on the primary master name server.

Q4. Can I set a TTL on a specific record?
> Is it possible to set up TTL values for individual records in BIND?

Sure. You specify explicit TTLs in a record's TTL field, between the owner field and the class field:
foo.example. 300 IN A 10.0.0.1

Q5. Can I use an A record instead of an MX record?
> I have a single machine running DNS, mail and web for a domain and I'm not sure that I have DNS set up properly. If the machine that is running the mail is the name of the domain, does there need to be an MX record for mail? If an MX record is not needed, how would you put in an MX record for a backup mail server?
> www cname 192.168.0.1
> mail cname 192.168.0.1
> smtp cname 192.168.0.1
> pop cname 192.168.0.1

Technically, no. Nearly all mailers will look up A records for a domain name in a mail destination if no MX records exist. If you want to use a backup mailer, you need to use MX records. These CNAME records are all incorrect. CNAME records create an alias from one domain name to another, so the field after "CNAME" must contain a domain name, not an IP address. For example:
www CNAME foo.example.

Q6. What's the largest number I can use in an MX record?
> Could you tell us the highest possible number we can use for the MX preference?

Preference is an unsigned, 16-bit number, so the largest number you can use is 65535.

Q7. Do slaves only communicate with their masters over TCP?
> When the slave zone checks in with the master zone for the serial number, is all this traffic happening on TCP? If you have ACLs blocking UDP traffic but allowing TCP traffic, will the transfer work or will it fail due to the slave's inability to query for the SOA record on UDP?

No. The refresh query (for the zone's SOA record) is usually done over UDP.

Q8. What are a zone's NS records used for?
> Could you elaborate a little bit on why we need to put NS records for the zone we are authoritative for? The parent name server handles these already. Is there any problem if our own NS records have lower TTLs than the records from the parent name server?

That's a good question. The NS records from your zone data file are used for several things:
- Your name servers return them in responses to queries, in the authority section of the DNS message.
- Your name servers use the NS records to determine where to send NOTIFY messages.
- Dynamic updaters determine where to send updates using the NS records, which they often get from the authoritative name servers.
Moreover, the set of NS records that comes directly from your name server supersedes the set that a querier gets from your parent zone's name servers, so if the two sets are different, yours "wins."

Q9. Why are there only 13 root name servers?
> I'm very much wondering why there are only 13 root servers globally. Some documents explain that one of the reasons is a technical limit of the Domain Name System (without any detailed explanation). From my understanding, it seems that there is some limitation on the number of NS records in a DNS packet specified by certain RFCs, or it is just Internet policy stuff. Which one is the proper reason?
It's a technical limitation. UDP-based DNS messages can be up to 512 bytes long, and only 13 NS records and their corresponding A records will fit into a DNS message that size.

IMP information: http://www.menandmice.com/online_docs_and_faq/glossary/glossarytoc.htm

FSMO roles

Q1. Which are the FIVE FSMO roles?
Schema Master - Forest level - One per forest
Domain Naming Master - Forest level - One per forest
PDC Emulator - Domain level - One per domain
RID Master - Domain level - One per domain
Infrastructure Master - Domain level - One per domain

Q2. What are their functions?
1. Schema Master (Forest level)
The schema master FSMO role holder is the domain controller responsible for performing updates to the Active Directory schema. This DC is the only one that can process updates to the directory schema. It contains the only writable copy of the AD schema, and once a schema update is complete, it is replicated from the schema master to all other DCs in the forest. There is only one schema master in the forest.

2. Domain Naming Master (Forest level)
The domain naming master FSMO role holder is the DC responsible for making changes to the forest-wide domain name space of the directory. This DC is the only one that can add or remove a domain from the directory. It can also add or remove cross references to domains in external directories. There is only one domain naming master in the forest.

3. PDC Emulator (Domain level)
In a Windows 2000 domain, the PDC emulator server role performs the following functions:
- Password changes performed by other DCs in the domain are replicated preferentially to the PDC emulator first.
- Authentication failures that occur at a given DC in a domain because of an incorrect password are forwarded to the PDC emulator for validation before a bad password failure message is reported to the user.
- Account lockout is processed on the PDC emulator.
- Group Policy changes are preferentially written to the PDC emulator.
- Time synchronization for the domain.
Additionally, if your domain is a mixed mode domain that contains Windows NT 4 BDCs, then the Windows 2000 domain controller that is the PDC emulator acts as a Windows NT 4 PDC to the BDCs, and that is its major purpose. There is only one PDC emulator per domain. Note: some consider the PDC emulator to only be relevant in a mixed mode domain. This is not true. Even after you have changed your domain to native mode (no more Windows NT 4 BDCs), the PDC emulator is still necessary for the reasons above.
Each Windows 2000 DC in a domain is allocated a pool of RIDs that it assigns to the security principals it creates. then the Infrastructure master is involved. who has been added to a group in DomainB. the SID (for references to security principals). 4. it represents the reference by the GUID. If it is not. Since schema updates are rare (usually done by certain applications and possibly an Administrator adding an attribute to an object). When a user in DomainA is added to a group in DomainB. Domain Naming Master The Domain Naming Master must be available when adding or removing a domain from the forest (i. There is only one Infrastructure master per domain. Infrastructure Master (Domain level) The DC that holds the Infrastructure Master FSMO role is responsible for cross domain updates and lookups.e. Likewise. it attaches a unique Security ID (SID) to the object. Q3. this functionality is only used on occasion and is not critical unless you are modifying 31 . This SID consists of a domain SID (the same for all SIDs created in a domain). then changes his username in DomainA. and the distinguished name (DN) of the object being referenced. group or computer account. the PDC emulator is still necessary for the reasons above. running DCPROMO). then the malfunction of the server holding the Schema Master role will not pose a critical problem. The Infrastructure role holder is the DC responsible for updating an object's SID and distinguished name in a cross-domain object reference. if that user in DomainA. RID Master (Domain level) The RID master FSMO role holder is the single DC responsible for processing RID Pool requests from all DCs within a given domain. and a relative ID (RID) that makes the object unique in a domain. When an object in one domain is referenced by another object in another domain. When a DC creates a security principal object such as a user. When a DC's allocated RID pool falls below a threshold. 
that DC issues a request for additional RIDs to the domain's RID master. the Infrastructure master must update the group membership(s) in DomainB with the name change. It is also responsible for removing an object from its domain and putting it in another domain during an object move.NT 4 domain controllers). Like the Schema Master. The domain RID master responds to the request by retrieving RIDs from the domain's unallocated RID pool and assigns them to the pool of the requesting DC. 5. What if a FSMO server fails? Schema Master No updates to the Active Directory schema will be possible. then the domain cannot be added or removed. It is also needed when promoting or demoting a server to/from a Domain Controller. There is one RID master per domain in a directory.
Can you Move FSMO roles? Yes. 32 . Where to place the FSMO roles? Assuming you do have multiple domain controllers in your domain. computer accounts). If you have only one domain controller in your organization then you have one forest. In a native mode domain the failure of the PDC emulator isn't as critical because other domain controllers can assume most of the responsibilities of the PDC emulator. There is no rule that says you have to have one server for each FSMO server role. Q6. Failure of this server in a multi-domain environment would be a problem if you are trying to add objects from one domain to another. there are some best practices to follow for placing FSMO server roles. The failure of this FSMO server would have little impact unless you are adding a very large number of users or groups. RID Master Infrastructure Master Q4. Q5.your domain or forest structure. then the Infrastructure Master is irrelevant. Since the PDC emulator acts as a NT 4 PDC. one domain. browsing and BDC replication). the FSMO roles can be moved to other domain controllers. then any actions that depend on the PDC would be affected (User Manager for Domains. by default. changing passwords. Then. PDC Emulator The server holding the PDC emulator role will cause the most problems if it is unavailable. This would be most noticeable in a mixed mode domain where you are still running NT 4 BDCs and if you are using downlevel clients (NT and Win9x). it does not happen automatically. The RID Master provides RIDs for security principles (users. If you only have one domain. All 5 FSMO server roles will exist on that DC. But what if you only have one domain controller in your domain? That is fine. as more domain controllers are added to the domain. and of course the one domain controller. and a problem would occur only if the DC you adding the users/groups on ran out of RIDs. Where are these FSMO server roles found? The first domain controller that is installed in a Windows 2000 domain. 
moving a FSMO server role is a manual process. Each DC in the domain has a pool of RIDs already. Server Manager. This FSMO server is only relevant in a multi-domain environment. groups. holds all five of the FSMO server roles.
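To make the RID Master mechanics from Q2 and the failure behaviour from Q3 concrete, here is an added Python model written for this page (it is not Microsoft code and not a real Active Directory API). It splits an account SID into the domain SID and the RID, has a single RID master hand each DC a block of RIDs, makes a DC request a new block when its pool falls below a threshold, and shows that an unreachable RID master only matters once a DC's local pool is exhausted. The block size, threshold and domain SID are assumed sample values, not the real Windows defaults.

```python
import re
from dataclasses import dataclass, field

# Domain account SIDs look like S-1-5-21-<a>-<b>-<c>-<RID>: the first part is the
# domain SID (identical for every principal in the domain), the last number is the RID.
SID_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+)$")

def split_sid(sid):
    """Return (domain_sid, rid); raise ValueError for anything that is not a domain account SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError("not a domain account SID: %r" % sid)
    return m.group(1), int(m.group(2))

@dataclass
class RidMaster:
    """The single per-domain allocator of RID blocks (the RID Master FSMO role holder)."""
    next_rid: int = 1000        # RIDs below 1000 are reserved for well-known accounts
    block_size: int = 500       # assumed sample block size, not the real Windows default
    online: bool = True
    allocations: list = field(default_factory=list)   # (dc, first_rid, last_rid)

    def allocate_block(self, dc_name):
        if not self.online:
            raise RuntimeError("RID master unavailable; %s cannot obtain a new pool" % dc_name)
        first, last = self.next_rid, self.next_rid + self.block_size - 1
        self.next_rid = last + 1
        self.allocations.append((dc_name, first, last))
        return first, last

@dataclass
class DomainController:
    name: str
    domain_sid: str
    master: RidMaster
    threshold: int = 50         # assumed: ask for a new block when this few RIDs remain
    pool: list = field(default_factory=list)   # [next_unused, last] ranges owned by this DC

    def remaining(self):
        return sum(last - nxt + 1 for nxt, last in self.pool)

    def create_principal(self):
        """Create one security principal and return its SID.
        Asks the RID master for a new block when the local pool runs low; if the
        master is down the DC keeps creating objects until its pool is exhausted."""
        if self.remaining() <= self.threshold:
            try:
                self.pool.append(list(self.master.allocate_block(self.name)))
            except RuntimeError:
                if self.remaining() == 0:
                    raise           # pool empty and no RID master: creation fails
        rng = self.pool[0]
        rid = rng[0]
        rng[0] += 1
        if rng[0] > rng[1]:
            self.pool.pop(0)
        return "%s-%d" % (self.domain_sid, rid)

if __name__ == "__main__":
    master = RidMaster()
    dom = "S-1-5-21-1111111111-2222222222-3333333333"   # constructed domain SID
    dc1, dc2 = DomainController("DC1", dom, master), DomainController("DC2", dom, master)
    print(dc1.create_principal(), dc2.create_principal())
    master.online = False                                 # the RID master fails...
    print(len({dc1.create_principal() for _ in range(400)}), "SIDs still issued by DC1")
```

Two DCs never issue the same RID because only the RID master hands out blocks, and a DC that still has RIDs in its pool keeps working while the master is down, which is exactly why the RID Master failure in Q3 is rated as low impact.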
Q7. Why should the Infrastructure Master not be on the same server that acts as a Global Catalog server?
The Infrastructure Master, which is responsible for updating Active Directory information about cross-domain object changes, contacts a Global Catalog server whenever it needs information about objects that are not in its own domain; the Global Catalog contains information about every object in the forest. If both reside on the same server, the Infrastructure Master will never think there are changes to objects that reside in other domains, because the Global Catalog keeps it constantly updated. The result is that the Infrastructure Master never replicates those changes to the other domain controllers in its domain.
Note: In a single domain environment this is not an issue.

IMP: The Schema Master and Domain Naming Master should reside on the same server, and that machine should be a Global Catalog server. This is not mandatory, unlike the Infrastructure Master / Global Catalog rule above, but it is recommended. Since all three are, by default, on the first domain controller installed in a forest, you can leave them as they are. If you are going to separate the Domain Naming Master and Schema Master, note that according to Microsoft the Domain Naming Master needs to be on a Global Catalog server.

Microsoft also recommends that the PDC Emulator and RID Master be on the same server; just make sure they are both on Global Catalog servers. Since the PDC Emulator receives more traffic than any other FSMO role holder, it should be on a server that can handle the load. It is also recommended that all FSMO role holders be direct replication partners and have high bandwidth connections to one another as well as to a Global Catalog server.

IMP: What permissions should you have in order to transfer a FSMO role?
Before you can transfer a role, you must be a member of the appropriate group, depending on which role you plan to transfer:

  Schema Master          member of the Schema Admins group
  Domain Naming Master   member of the Enterprise Admins group
  PDC Emulator           member of the Domain Admins group and/or the Enterprise Admins group
  RID Master             member of the Domain Admins group and/or the Enterprise Admins group
  Infrastructure Master  member of the Domain Admins group and/or the Enterprise Admins group

Q8. Tools to find out which servers in your domain/forest hold which server roles?

FSMO TOOLS
1. Active Directory Users and Computers - use this snap-in to find out where the domain level FSMO roles are located (PDC Emulator, RID Master, Infrastructure Master), and also to change the location of one or more of these 3 FSMO roles. Open Active Directory Users and Computers, right click on the domain you want to view the FSMO roles for and click "Operations Masters". A dialog box will open with three tabs, one for each FSMO role. Click each tab to see which server that role resides on. To change the server roles, you must first connect to the domain controller you want to move the role to. Do this by right clicking "Active Directory Users and Computers" at the top of the snap-in and choosing "Connect to Domain Controller". When you connect to another DC, you will notice the name of that DC in the field below the Change button. Once connected to the DC, go back into the Operations Masters dialog box, choose a role to move and click the Change button.

2. Active Directory Domains and Trusts - use this snap-in to find out where the Domain Naming Master FSMO role is and to change its location. Open Active Directory Domains and Trusts, right click "Active Directory Domains and Trusts" at the top of the tree, and choose "Operations Master". The process is the same as when viewing and changing the Domain level FSMO roles in Active Directory Users and Computers, except you use the Active Directory Domains and Trusts snap-in. Changing the server that houses the Domain Naming Master requires that you first connect to the new domain controller (right click "Active Directory Domains and Trusts" at the top of the snap-in and choose "Connect to Domain Controller"), and then click the Change button.

3. Active Directory Schema - this snap-in is used to view and change the Schema Master FSMO role. However, the Active Directory Schema snap-in is not part of the default Windows 2000 administrative tools or installation. You first have to install the Support Tools from the \Support directory on the Windows 2000 Server CD or install the Windows 2000 Server Resource Kit. Once you install the Support Tools you can open a blank Microsoft Management Console (Start, Run, mmc) and add the snap-in to the console. Once the snap-in is open, right click "Active Directory Schema" at the top of the tree and choose "Operations Masters". Changing the server the Schema Master resides on requires that you first connect to another domain controller (right click "Active Directory Schema" at the top of the snap-in and choose "Connect to Domain Controller"), then click the Change button.

4. Netdom - the easiest and fastest way to find out which server holds which FSMO role is the Netdom command line utility. Like the Active Directory Schema snap-in, Netdom is only available if you have installed the Support Tools from the Windows 2000 CD or the Win2K Server Resource Kit. To use Netdom to view the FSMO role holders, open a command prompt window and type:

  netdom query fsmo

and press Enter. You will see a list of the FSMO role servers.

5. Active Directory Replication Monitor - another tool that comes with the Support Tools. Open this utility from Start, Programs, Windows 2000 Support Tools. Once open, click Edit, Add Monitored Server and add the name of a Domain Controller. Once added, right click the server name and choose Properties. Click the FSMO Roles tab to view the servers holding the 5 FSMO roles. You cannot change roles using Replication Monitor, but this tool has many other useful purposes in regard to Active Directory information. It is something you should check out if you haven't already.

6. Ntdsutil - finally, you can use the Ntdsutil.exe utility, a command line utility that is installed with Windows 2000 Server, to gather information about and change servers for FSMO roles. Ntdsutil.exe is rather complicated and beyond the scope of this document.

7. DUMPFSMOS - command-line tool to query for the current FSMO role holders. Part of the Microsoft Windows 2000 Server Resource Kit, downloadable from http://www.microsoft.com/windows2000/techinfo/reskit/default.asp. Prints the current FSMO holders to the screen; calls NTDSUTIL to get this information.

8. NLTEST - command-line tool to perform common network administrative tasks. Type "nltest /?" for syntax and switches. Common uses:
  Get a list of all DCs in the domain
  Get the name of the PDC emulator
  Query or reset the secure channel for a server
  Call DsGetDCName to query for an available domain controller

9. Adcheck (470k) (3rd party) - a simple utility to view information about AD and FSMO roles: http://www.svrops.com/svrops/downloads/zipfiles/ADcheck.msi

Q9. How to transfer and seize a FSMO role: http://support.microsoft.com/default.aspx?scid=kb;en-us;Q255504
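As an added example that is not part of the original document, the following Python script turns the Netdom output from tool 4 above into a role-to-holder table and checks it against the placement guidance from Q6 and Q7 (Infrastructure Master not on a Global Catalog in a multi-domain forest, Domain Naming Master on a Global Catalog, Schema Master with Domain Naming Master, PDC Emulator with RID Master on Global Catalog servers). The sample output is constructed, using the labels printed by the Windows 2000/2003 Support Tools version of netdom; the list of Global Catalog servers and the domain count are inputs the caller supplies, since netdom query fsmo does not report them.

```python
import re

# Labels printed by the Windows 2000/2003 Support Tools version of "netdom query fsmo",
# mapped to the role names used on this page. Newer netdom versions print different
# labels ("Schema master", "Domain naming master", ...), so extend this table for them.
ROLE_LABELS = {
    "Schema owner": "Schema Master",
    "Domain role owner": "Domain Naming Master",
    "PDC role": "PDC Emulator",
    "RID pool manager": "RID Master",
    "Infrastructure owner": "Infrastructure Master",
}

# Constructed sample output (not captured from a real forest).
SAMPLE_OUTPUT = """\
Schema owner                dc1.corp.example.com
Domain role owner           dc1.corp.example.com
PDC role                    dc2.corp.example.com
RID pool manager            dc3.corp.example.com
Infrastructure owner        dc1.corp.example.com

The command completed successfully.
"""

def parse_fsmo(text):
    """Map role name -> FQDN of its holder; raise ValueError if any role is missing."""
    holders = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?)\s{2,}(\S+)\s*$", line)
        if m and m.group(1) in ROLE_LABELS:
            holders[ROLE_LABELS[m.group(1)]] = m.group(2).lower()
    missing = sorted(set(ROLE_LABELS.values()) - set(holders))
    if missing:
        raise ValueError("role holders not found in output: %s" % ", ".join(missing))
    return holders

def check_placement(holders, global_catalogs, domain_count):
    """Apply the placement guidance from Q6/Q7; return a list of warnings (empty = clean).
    global_catalogs: FQDNs of the DCs that are Global Catalog servers."""
    gcs = {g.lower() for g in global_catalogs}
    warnings = []
    schema, dnm = holders["Schema Master"], holders["Domain Naming Master"]
    pdc, rid = holders["PDC Emulator"], holders["RID Master"]
    im = holders["Infrastructure Master"]
    if domain_count > 1 and im in gcs:
        warnings.append("Infrastructure Master %s is a Global Catalog server: in a "
                        "multi-domain forest it will never replicate cross-domain "
                        "reference updates" % im)
    if dnm not in gcs:
        warnings.append("Domain Naming Master %s is not a Global Catalog server" % dnm)
    if schema != dnm:
        warnings.append("Schema Master (%s) and Domain Naming Master (%s) are on "
                        "different servers; same server is recommended" % (schema, dnm))
    if pdc != rid:
        warnings.append("PDC Emulator (%s) and RID Master (%s) are on different "
                        "servers; same server is recommended" % (pdc, rid))
    for role, holder in (("PDC Emulator", pdc), ("RID Master", rid)):
        if holder not in gcs:
            warnings.append("%s %s is not a Global Catalog server" % (role, holder))
    return warnings

if __name__ == "__main__":
    holders = parse_fsmo(SAMPLE_OUTPUT)
    for role, holder in holders.items():
        print("%-22s %s" % (role, holder))
    gcs = ["dc1.corp.example.com", "dc2.corp.example.com", "dc3.corp.example.com"]
    for w in check_placement(holders, gcs, domain_count=2):
        print("WARNING:", w)
```

Run it against real output by piping: netdom query fsmo > fsmo.txt and reading that file into parse_fsmo. The parser refuses partial output on purpose: a missing role line usually means the command ran against the wrong domain or was cut off, and a placement check on incomplete data would be misleading.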
GROUP POLICY

Q1. What are Group Policies?
Group Policies are settings that can be applied to Windows computers, users or both. In Windows 2000 there are hundreds of Group Policy settings. Group Policies are usually used to lock down some aspect of a PC: whether you don't want users to run Windows Update or change their Display Settings, or you want to ensure certain applications are installed on computers, all of this can be done with Group Policies. Windows 2000 Group Policies can only be used on Windows 2000 or Windows XP computers; they cannot be used on Win9x or WinNT computers.

Group Policies can be configured either locally or as Domain Policies. Local policies can be accessed by clicking Start, Run and typing gpedit.msc, or by opening the Microsoft Management Console (Start, Run, type mmc) and adding the Group Policy snap-in. Domain Group Policies are configured on Domain Controllers; you can access them by opening Active Directory Sites and Services (these policies apply to the Site level only) or Active Directory Users and Computers (these policies apply to the Domain and/or Organizational Units).

Q2. Who can create/modify Group Policies?
You must have administrative privileges to create or modify Group Policies: Enterprise Administrators, Domain Administrators or members of the built-in group Group Policy Creator Owners. The Enterprise Administrators group is found only in the root domain, which is the first domain created in a tree or forest. The following table shows who can create/modify Group Policies:

  Policy Type                   Allowable Groups/Users
  Site Level Group Policies     Enterprise Administrators and/or Domain Administrators in the root domain.
  Domain Level Group Policies   Enterprise Administrators, Domain Administrators or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group.
  OU Level Group Policies       Enterprise Administrators, Domain Administrators or members of the Group Policy Creator Owners group. By default only the Administrator user account is a member of this group. Additionally, users can be delegated control of an OU's Group Policies by starting the Delegate Control Wizard (right click the OU and choose Delegate Control). However, the wizard only allows the delegated user to link already created Group Policies to the OU. If you want to give the OU administrators control over creating/modifying Group Policies, add them to the Group Policy Creator Owners group for the domain.
  Local Group Policies          The local Administrator user account or members of the local Administrators group.

Q3. From where do you create a Group Policy?
To create a Domain Group Policy Object, open Active Directory Sites and Services and right click Default-First-Site-Name or another Site name, choose Properties, then the Group Policy tab, then click the New button. Give the GPO a name, then click the Edit button to configure the policies. For Active Directory Users and Computers it is the same process, except you right click the Domain or an OU and choose Properties.

Q4. To whom does a Domain policy get applied?
Domain Policies are applied to computers and users who are members of a Domain.

Q5. How are Group Policies applied?
Group Policies can be configured locally, at the Site level, the Domain level or at the Organizational Unit (OU) level. In order to apply Group Policies to specific users or computers, you add users (or groups) and computers to container objects. Sites, Domains and OUs are considered container objects. Group Policies cannot be linked to a specific user or group, only to container objects; anything in the container object will then get the policies linked to that container. Computer and user Active Directory objects do not have to be put in the same container object. For example, Sally the user is an object in Active Directory, and Sally's Windows 2000 Pro PC is also an object in Active Directory. Sally's user object can be in one OU, while her computer object can be in another OU. It all depends on how you organize your Active Directory structure and what Group Policies you want applied to what objects.

Group Policies are applied in a specific order, LSDOU: Local policies first, then Site based policies, then Domain level policies, then OU policies, then nested OU policies (OUs within OUs).

User and Computer Policies
There are two nodes in each Group Policy Object that is created, a Computer node and a User node, called Computer Configuration and User Configuration. The policies configured in the Computer node apply to the computer as a whole: whoever logs onto that computer will see those policies. (Computer policies are also referred to as machine policies.) User policies are user specific; they only apply to the user that is logged on. When creating Domain Group Policies you can disable either the Computer node or the User node of the Group Policy Object. By disabling a node that no policies are defined for, you decrease the time it takes to apply the policies. To disable a node: after creating a Group Policy Object, click that Group Policy Object on the Group Policy tab, then click the Properties button. You will see two check boxes at the bottom of the General tab.

It's important to understand that when Group Policies are being applied, all the policies for a node are evaluated first, as a whole (with later policies in the processing order overriding earlier ones where they conflict), and only then applied. They are not applied one after the other. For example, say Sally's user object sits in the Security OU, which is nested inside the Development OU, so the Group Policy Objects of both OUs apply to her. When Sally logs onto her PC, the policies set in the User node of both the Development OU and the Security OU Group Policy Objects are evaluated, and then applied to Sally the user. They are not applied Development OU first and then Security OU (or vice versa). The same goes for Computer policies: when a computer boots up, all the Computer node policies for that computer are evaluated, then applied.
Q6. When computers boot up, the Computer policies are applied. When users log in, the User policies are applied. When user and computer Group Policies overlap, the computer policy wins.

When applying multiple Group Policy Objects from any one container, Group Policies are applied from bottom to top in the Group Policy Object list: the top Group Policy in the list is the last to be applied, and the last policy applied is the policy the user/computer will have. For example, suppose three Group Policy Objects are linked to the Human Resources OU and listed, top to bottom, as No Display Settings, No ScreenSaver and No Windows Update. They would be applied No Windows Update first, then No ScreenSaver, then No Display Settings. If there were any conflicts in the policy settings, the one above would take precedence.

Note: IPSec and EFS policies are not additive.

How to disable Group Policy Objects
When you are creating a Group Policy Object, the changes happen immediately; there is no "saving" of GPOs. To prevent a partial GPO from being applied, disable the GPO while you are configuring it. To do this, click the Group Policy Object on the Group Policy tab and double click under the Disable column; a little check will appear. You can also click the Options button on the Group Policy tab and select the Disabled check box. Click the Edit button, make your changes, then double click under the Disable column to re-enable the GPO. Also, if you want to temporarily disable a GPO for troubleshooting reasons, this is the place to do it.
Q7. When does the Group Policy get refreshed/applied?
Group Policies are applied when a computer boots up and/or when a user logs in. However, policies are also refreshed automatically according to a predefined schedule. This is called Background Refresh. Background refresh for non-DCs (PCs and Member Servers) is every 90 minutes, with a +/- 30 minute random offset, so the refresh could be anywhere from 60 to 120 minutes. For DCs (Domain Controllers), background refresh is every 5 minutes. Also, every 16 hours the security settings are reapplied on every PC (user and machine), even if nothing has changed. These settings can be changed under the Computer and User nodes: Administrative Templates, System, Group Policy.

Q8. Which policies are not affected by background refresh?
These policies are only applied at logon time:
  Folder Redirection
  Software Installation
  Logon, Logoff, Startup and Shutdown scripts

When do the Group Policy scripts run? Startup scripts are processed at computer boot-up, before the user logs in. Logon scripts are processed when the user logs in. Logoff scripts are processed when the user logs off, but before the shutdown script runs. Shutdown scripts are processed after a user logs off, but before the computer shuts down.

Q9. How do you refresh Group Policies using the command line?
Secedit.exe is a command line tool that can be used to refresh Group Policies on a Windows 2000 computer. To use secedit, open a command prompt and type:

  secedit /refreshpolicy user_policy       to refresh the user policies
  secedit /refreshpolicy machine_policy    to refresh the machine (or computer) policies

These parameters will only refresh any user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

  secedit /refreshpolicy user_policy /enforce
  secedit /refreshpolicy machine_policy /enforce

Q10. Gpupdate.exe is a command line tool that can be used to refresh Group Policies on a Windows XP computer. It has replaced the secedit command. To use gpupdate, open a command prompt and type:

  gpupdate /target:user        to refresh the user policies
  gpupdate /target:computer    to refresh the machine (or computer) policies

As with secedit, these parameters only refresh user or computer policies that have changed since the last refresh. To force a reload of all Group Policies regardless of the last change, use:

  gpupdate /force

Notice that the /force switch applies to both user and computer policies; there is no separation of the two like there is with secedit.

Q11. What is the default setting for dial-up users?
Windows 2000 considers a slow dial-up link as anything less than 500 kbps. Windows 2000 will automatically detect the speed of the dial-up connection and make a decision about applying Group Policies. When a user logs into a domain on a link under 500 kbps, some policies are not applied. Which policies do not get applied over slow links?
  IE Maintenance Settings
  Folder Redirection
  Scripts
  Disk Quota settings
  Software Installation and Maintenance
These settings can be changed under the Computer and User nodes: Administrative Templates, System, Group Policy.

Q12. Which policies get applied regardless of the speed of the dial-up connection?
Some policies are always applied regardless of the speed of the dial-up connection. These are:
  Administrative Templates
  Security Settings
  EFS Recovery
  IPSec
If the user connects to the domain using "Logon using dial-up connection" from the logon screen, the computer policies are applied first, followed by the user policies. If the user connects to the domain using "Network and Dial-up Connections" after they log on, the policies are applied using the standard refresh cycle once the user is authenticated.

Q13. Which are the two types of default policies?
There are two default Group Policy Objects that are created when a domain is created: the Default Domain Policy and the Default Domain Controllers Policy.

Default Domain Policy - this GPO can be found under the Group Policy tab for the domain. It is the first policy listed. The Default Domain Policy is unique in that certain policies can only be applied at the domain level. If you double click this GPO and drill down to Computer Configuration, Windows Settings, Security Settings, Account Policies, you will see three policies listed:
  Password Policy
  Account Lockout Policy
  Kerberos Policy
These 3 policies can only be set at the domain level. If you set these policies anywhere else (Site or OU), they are ignored for domain accounts. However, setting these 3 policies at the OU level will have the effect of setting them for users who log on locally to their PCs. That is, log in locally and you get the OU policy; log in to the domain and you get the domain policy.

If you drill down to Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, there are 3 policies that are affected by the Default Domain Policy:
  Automatically log off users when logon time expires
  Rename Administrator Account - when set at the domain level, it affects the Domain Administrator account only.
  Rename Guest Account - when set at the domain level, it affects the Domain Guest account only.

The Default Domain Policy should be used only for the policies listed above. If you want to create additional domain level policies, you should create additional domain level GPOs. Do not delete the Default Domain Policy. You can disable it, but it is not recommended.

Default Domain Controllers Policy - this policy can be found by right clicking the Domain Controllers OU, choosing Properties, then the Group Policy tab. This policy affects all Domain Controllers in the domain regardless of where you put them: no matter which OU you put your domain controllers in, they will still process this policy. Use the Default Domain Controllers Policy to set local policies for your domain controllers, e.g. Audit Policies, Event Log settings, who can log on locally and so on.
Q14. How do you restore Group Policy settings back to default?
If you've ever made changes to the default GPOs and would like to revert to the original settings, the dcgpofix utility is your solution. The following command replaces both the Default Domain Policy and the Default Domain Controllers Policy:

  dcgpofix /target:Both

You can specify Domain or DC instead of Both to restore only one or the other. Note that this must be run from a domain controller in the target domain where you want to reset the GPOs.

dcgpofix works with a particular version of the schema, and restores the GPOs according to the version it thinks is current. If the version it expects to be current differs from what is in Active Directory, it will not restore the GPOs. The only time you might experience this issue is if you install a service pack that extends the schema on one domain controller (dc1) but have not installed it yet on a second domain controller (dc2). If you try to run dcgpofix from dc2, you will receive the error, since a new version of the schema and of the dcgpofix utility was installed on dc1. You can work around this by using the /ignoreschema switch.

Resolving GPOs from Multiple Sources
Because GPOs can come from different sources to apply to a single user or computer, there must be a way of determining how those GPOs are combined. GPOs are processed in the following order:
1. Local GPO. The local GPO on the computer is processed and all settings specified in that GPO are applied.
2. Site GPOs. GPOs linked to the site in which the computer resides are processed. Settings made at this level override any conflicting settings made at the preceding level. If multiple GPOs are linked to a site, the site administrator can control the order in which those GPOs are processed.
3. Domain GPOs. GPOs linked to the domain in which the computer resides are processed and any settings are applied. Settings made at the domain level override conflicting settings applied at the local or site level. Again, the administrator can control the processing order when multiple GPOs are linked to the domain.
4. OU GPOs. GPOs linked to any OUs that contain the user or computer object are processed. An object sits in exactly one OU, but that OU may be nested inside other OUs, so several OU-linked GPOs can apply to a single object. GPOs linked to the highest level OU in the Active Directory hierarchy are processed first, followed by the next highest level OU, and so on. Settings made at the OU level override conflicting settings applied at the domain, local or site level. If multiple GPOs are linked to a single OU, the administrator can control the order in which they are processed.

Q15. What is the client requirement for supporting GPOs?
For client computers to accept Group Policy settings, they must be members of Active Directory. Support for Group Policy for key operating systems includes the following:
■ Windows 95/98/Me do not support Group Policy.
■ Windows NT 4.0 and earlier versions do not support Group Policy.
■ Windows 2000 Professional and Server support many, but not all, of the Group Policy settings available in Windows Server 2003. Unsupported settings are ignored.
■ Windows XP Professional, Windows XP 64-bit Edition and Windows Server 2003 fully support Group Policy.

Q16. What permissions should an administrator have to manage GPOs?
Editing GPOs linked to sites requires Enterprise Administrative permissions. Editing GPOs linked to domains requires Domain Administrative permissions. Editing GPOs linked to OUs requires permissions for the OU.

Q17. How do you redirect new user and computer accounts?
By default, new user and computer accounts are created in the Users and Computers containers, respectively. Even though the built-in containers inherit GPOs linked to the domain, you cannot link a GPO to either of these built-in containers. However, you may have a situation that requires user accounts and computer accounts to be stored in an OU to which you can link a GPO. Windows Server 2003 includes two new tools that let you redirect the target location for new user and computer accounts: you can use redirusr.exe to redirect user accounts and redircomp.exe to redirect computer accounts. You can find both of these tools in the %windir%\system32 folder on any computer running Windows Server 2003. Once you choose the OU for redirection, new user and computer accounts are created directly in the new target OU. For example, you could create an OU named New Users, link an appropriate GPO to the OU, and then redirect the creation of new user accounts to the New Users OU. Any new users created would immediately be affected by the settings in the GPO. Administrators could then move the new user accounts to a more appropriate location later, where the appropriate GPOs are linked. You can learn more about using these tools in Knowledge Base article 324949, "Redirecting the Users and Computers Containers in Windows Server 2003 Domains," in the Microsoft Knowledge Base at http://support.microsoft.com.

Q18. What are the two exceptions to control the inheritance of the Group Policy?
■ No Override. When you link a GPO to a container, you can configure a No Override option that prevents settings in the GPO from being overridden by settings in GPOs linked to child containers. This provides a way to force child containers to conform to a particular policy.
■ Block Inheritance. You can configure the Block Inheritance option on a container to prevent the container from inheriting GPO settings from its parent containers. However, if a parent container has the No Override option set, the child container cannot block inheritance from this parent.
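The processing rules spread over Q5, Q6, Q11 and Q18 (LSDOU order, bottom-to-top link order within a container, the computer policy winning on conflict, slow-link filtering, disabled GPOs and disabled nodes, and the No Override / Block Inheritance exceptions) are easier to reason about as one resolver. The following Python model is an added example written for this page; it is not Microsoft's Group Policy engine. It takes the machine's local GPO plus the containers in LSDOU order, each holding its linked GPOs in the order shown on the Group Policy tab, and returns the effective settings for one node. The GPO names, settings and categories are constructed sample data.

```python
from dataclasses import dataclass, field

# Categories the page lists as skipped over a slow (< 500 kbps) link.
SKIPPED_ON_SLOW_LINK = {"IE Maintenance", "Folder Redirection", "Scripts",
                        "Disk Quota", "Software Installation"}

@dataclass
class GPO:
    name: str
    # settings keyed by (category, setting name); the category drives slow-link filtering
    computer: dict = field(default_factory=dict)
    user: dict = field(default_factory=dict)
    disabled: bool = False                 # whole GPO disabled (Disable column / Options)
    computer_node_disabled: bool = False   # the two check boxes on the General tab
    user_node_disabled: bool = False

@dataclass
class Container:
    name: str
    links: list                            # Group Policy tab order: index 0 is the top
    no_override: set = field(default_factory=set)   # names of links marked No Override
    block_inheritance: bool = False

def _node_settings(gpo, node):
    """Settings of one node, honouring the GPO-level and node-level disable flags."""
    if gpo.disabled:
        return {}
    if node == "computer":
        return {} if gpo.computer_node_disabled else gpo.computer
    return {} if gpo.user_node_disabled else gpo.user

def resolve(local, scope, node, slow_link=False):
    """Effective settings for node 'computer' or 'user'.
    local: the machine's local GPO, applied first and never blocked.
    scope: containers outermost first, e.g. [site, domain, OU, nested OU]."""
    effective = {}

    def apply(gpo):
        for key, value in _node_settings(gpo, node).items():
            if slow_link and key[0] in SKIPPED_ON_SLOW_LINK:
                continue
            effective[key] = value      # later writes win, so order is precedence

    apply(local)
    # Block Inheritance: ignore normally inherited links from every container above
    # the innermost container that sets the flag.
    first = 0
    for i, c in enumerate(scope):
        if c.block_inheritance:
            first = i
    for c in scope[first:]:
        for gpo in reversed(c.links):   # bottom of the list first, top of the list last
            if gpo.name not in c.no_override:
                apply(gpo)
    # No Override links cannot be blocked and beat every child link: apply them last,
    # innermost container first, so a parent's No Override beats a child's.
    for c in reversed(scope):
        for gpo in reversed(c.links):
            if gpo.name in c.no_override:
                apply(gpo)
    return effective

def merge(computer_settings, user_settings):
    """Where the computer and user nodes set the same key, the computer policy wins."""
    return {**user_settings, **computer_settings}

def example_scope():
    """Constructed sample: the Human Resources OU with three linked GPOs, listed
    top to bottom as No Display Settings, No ScreenSaver, No Windows Update."""
    AT = "Administrative Templates"
    local = GPO("Local", user={(AT, "Wallpaper"): "local.bmp",
                               (AT, "ScreenSaverActive"): True})
    site = Container("Default-First-Site-Name", links=[])
    domain = Container("corp.example.com", links=[
        GPO("Default Domain Policy",
            computer={("Security Settings", "MinimumPasswordLength"): 8},
            user={(AT, "Wallpaper"): "domain.bmp"})])
    hr = Container("Human Resources", links=[
        GPO("No Display Settings", user={(AT, "NoDispCPL"): True,
                                         ("Scripts", "Logon"): "hr.bat"}),
        GPO("No ScreenSaver", user={(AT, "ScreenSaverActive"): False,
                                    (AT, "Wallpaper"): "hr.bmp"}),
        GPO("No Windows Update", user={(AT, "DisableWindowsUpdate"): True,
                                       (AT, "Wallpaper"): "corp.bmp"})])
    return local, [site, domain, hr]

if __name__ == "__main__":
    local, scope = example_scope()
    for key, value in sorted(resolve(local, scope, "user").items()):
        print(key, "=", value)
```

With the sample data the wallpaper ends up as hr.bmp, because No ScreenSaver sits above No Windows Update in the OU list and the OU beats the domain; setting Block Inheritance on the OU removes the domain's password length, and marking the Default Domain Policy link No Override brings it back and makes the domain wallpaper win again.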