Active Directory Interview Questions PDF
Sanjo900@yahoo.com
Distinguished names
Relative Distinguished names
1. Verifying SRV records
The DNS zone for the domain must contain the _msdcs, _sites, _tcp and _udp subfolders in which
the DC locator SRV records are registered.
Using nslookup:
>nslookup
>ls -t SRV Domain
If the SRV records are properly created, they will be listed.
(ls performs a zone transfer, so it only works from a host the DNS server allows to transfer
the zone; otherwise use set type=SRV and query a single record such as _ldap._tcp.Domain.)
2. Verifying SYSVOL
If the SYSVOL folder is not created properly, the data stored in SYSVOL (logon scripts, Group
Policy templates and so on) will not be replicated between DCs.
First verify the following folder structure is created in SYSVOL
Domain
Staging
Staging areas
Sysvol
Then verify necessary shares are created.
>net share
It should show two shares, NETLOGON and SYSVOL
3. Verifying Database and Log files
Make sure that the following files are there at %systemroot%\ntds
Ntds.dit, Edb.*, Res*.log
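The three checks above, scripted. This is an added example and not part of the original notes; it assumes a DC running Windows Server 2012 or later (Resolve-DnsName and Get-SmbShare), takes the domain name from the local computer and is run on the new DC itself. On Windows 2000 the nslookup and net share commands above are the equivalent.

```powershell
# Added example: post-promotion checks for a DC. Assumes Windows Server 2012+ (Resolve-DnsName,
# Get-SmbShare). Run it on the new DC itself.
param(
    [string]$Domain = (Get-CimInstance Win32_ComputerSystem).Domain,
    [string]$DcName = $env:COMPUTERNAME
)
$failures = New-Object System.Collections.Generic.List[string]

# 1. SRV records. Clients locate DCs, GCs and the PDC emulator through these; a DC that has not
#    registered them is invisible to the domain even if it is healthy otherwise.
$srvNames = "_ldap._tcp.$Domain",
            "_kerberos._tcp.$Domain",
            "_ldap._tcp.dc._msdcs.$Domain",
            "_ldap._tcp.gc._msdcs.$Domain",
            "_ldap._tcp.pdc._msdcs.$Domain"
foreach ($name in $srvNames) {
    $records = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.Type -eq 'SRV' }
    if (-not $records) { $failures.Add("SRV record missing: $name"); continue }
    # Every DC must appear in the dc._msdcs record; the gc and pdc records list role holders only.
    if ($name -like '_ldap._tcp.dc._msdcs.*' -and
        -not ($records | Where-Object { $_.NameTarget -like "$DcName.*" })) {
        $failures.Add("this DC ($DcName) is not registered in $name")
    }
}

# 2. SYSVOL folder structure and the two shares every DC must publish.
$sysvol = Join-Path $env:SystemRoot 'SYSVOL'
foreach ($sub in 'domain', 'staging', 'staging areas', 'sysvol') {
    if (-not (Test-Path (Join-Path $sysvol $sub))) { $failures.Add("SYSVOL subfolder missing: $sub") }
}
$shareNames = (Get-SmbShare).Name
foreach ($share in 'NETLOGON', 'SYSVOL') {
    if ($shareNames -notcontains $share) { $failures.Add("share missing: $share") }
}

# 3. Database and logs under %SystemRoot%\NTDS. Windows 2000 used edb.log / edb00001.log and
#    res1.log / res2.log; Windows Server 2008 and later use edbres00001.jrs / edbres00002.jrs
#    for the reserved logs, so both patterns are accepted.
$ntds = Join-Path $env:SystemRoot 'NTDS'
if (-not (Test-Path (Join-Path $ntds 'ntds.dit'))) { $failures.Add('ntds.dit missing') }
if (-not (Get-ChildItem -Path (Join-Path $ntds '*') -Include 'edb*.log')) {
    $failures.Add('no transaction log (edb*.log)')
}
if (-not (Get-ChildItem -Path (Join-Path $ntds '*') -Include 'res*.log', 'edbres*.jrs')) {
    $failures.Add('no reserved logs (res*.log or edbres*.jrs)')
}

if ($failures.Count) {
    $failures | ForEach-Object { Write-Warning $_ }
    exit 1
}
"DC $DcName passed the SRV, SYSVOL and NTDS checks for $Domain"
```

A DC that fails the SRV check is usually one whose Netlogon service could not register with DNS (dynamic updates disabled, or the wrong DNS server configured); restarting Netlogon re-registers the records.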
Schema Table
Defines the types of objects that can be created in the Active Directory, the relationships between
them, and the attributes on each type of object. This table is fairly static and much
smaller than the data table.
Link Table
contains linked attributes, which contain values referring to other objects in the Active
Directory. Take the MemberOf attribute on a user object. That attribute contains
values that reference groups to which the user belongs. This is also far smaller than
the data table.
Data Table
users, groups, application-specific data, and any other data stored in the Active
Directory.
Schema information
Definitional details about objects and attributes that one CAN store in the AD.
Replicates to all DCs. Static in nature
Configuration information
Configuration data about forest and trees. Replicates to all DCs. Static as your forest
is.
Domain information
Object information for a domain. Replicates to every DC within that domain only. A partial
copy of each object (the attributes in the partial attribute set) also replicates to every GC in
the forest; the remaining attribute values replicate only within the domain.
2. EDB.LOG
This is the current transaction log file (10 MB). When EDB.LOG is full, it is renamed to
EDBnnnnn.log, where nnnnn is a hexadecimal sequence number starting from 00001.
3. EDB.CHK
This is the checkpoint file used to track the data not yet written to database file. This
indicates the starting point from which data is to be recovered from the logfile, in case of
failure.
4. Res1.log and Res2.log
These are two reserved transaction log files (10 MB each, 20 MB in total). They guarantee enough
disk space for the database to shut down cleanly, flushing outstanding transactions, if the
disk holding the logs fills up.
(**When an object is deleted, it is not immediately removed from the Active Directory database. It
becomes a tombstone: most of its attributes are stripped, isDeleted is set and it is moved to the
Deleted Objects container. The tombstone replicates to the other DCs so that each of them deletes
its own copy. When the tombstoneLifetime (60 days by default in Windows 2000) has passed, garbage
collection physically removes it. A backup older than the tombstone lifetime must therefore not
be restored: it would reintroduce objects whose deletion has already been garbage-collected
everywhere else.)
The name of a child domain is combined with its parent domain name to form its DNS name.
Every child domain has a two-way, transitive trust relationship with its parent domain.
Because these trust relationships are two-way and transitive, a Windows 2000 domain newly
created in a domain tree or forest immediately has trust relationships established with every
other Windows 2000 domain in the domain tree or forest.
These trust relationships allow a single logon process to authenticate a user on all domains in
the domain tree or forest. This does not necessarily mean that the authenticated user has
rights and permissions in all domains in the domain tree. Because a domain is a security
boundary, rights and permissions must be assigned on a per-domain basis.
FORESTS
A forest consists of multiple domain trees. The domain trees in a forest do not form a
contiguous namespace but share a common schema and GC.
The forest root domain is the first domain created in the forest. The root domains of all
domain trees in the forest establish transitive trust relationships with the forest root domain.
This is necessary for the purposes of establishing trust across all the domain trees in the
forest.
All of the Windows 2000 domains in all of the domain trees in a forest share the following
traits:
Using both domain trees and forests provides you with the flexibility of both contiguous and
noncontiguous naming conventions. This can be useful in, for example, companies with
independent divisions that must each maintain their own DNS names.
Classes, also referred to as object classes, describe the possible directory objects that can be
created. Each class is a collection of attributes. When you create an object, the attributes
store the information that describes the object. The User class, for example, is composed of
many attributes, including Network Address, Home Directory, and so on. Every object in
Active Directory is an instance of an object class.
Active Directory does not support deletion of schema objects; however, objects can be
marked as deactivated, providing many of the benefits of deletion.
The structure and content of the schema is controlled by the domain controller that holds the
schema operations master role. A copy of the schema is replicated to all domain controllers in
the forest. The use of this common schema ensures data integrity and consistency throughout
the forest.
Service requests
When a client requests a service from a domain controller, it directs the request to a
domain controller in the same site. Selecting a domain controller that is well-connected
to the client makes handling the request more efficient.
Replication
Sites streamline replication of directory information and reduce replication traffic.
Site membership is determined differently for domain controllers and clients. A client
determines which site it is in when it starts up, from its IP address and the subnet-to-site
mapping in the directory, so its site location is updated dynamically as it moves.
A domain controller's site location is established by which site its Server object belongs to in
the directory, so its site location will be consistent unless the domain controller's Server
object is intentionally moved to a different site.
Explain GC?
By default, a GC is created automatically on the first DC in the forest. It stores a full replica of
all objects in the directory for its host domain and a partial replica of all objects of every other
domain in the forest. The replica is partial because it stores only some of the attributes of each
object.
The GC performs two key directory roles:
When a user logs on to the network, the GC provides universal group membership
information for the account sending the logon request to the DC. If a GC is not available the
user is only able to log on to the local computer unless he is in the Domain Admins group.
The GC is designed to respond to queries about objects with maximum speed and minimum
network traffic. Because a single GC contains information about objects in all domains in the
forest, a query about an object can be resolved by a GC in the domain in which the query is
initiated. Thus, finding information in the directory does not produce unnecessary query traffic
across domain boundaries.
Active Directory defines a base set of attributes for each object in the directory. Each object
and some of its attributes (such as universal group memberships) are stored in the GC. Using
Active Directory Schema, you can specify additional attributes to be kept in the GC.
It enables finding directory information in the entire forest regardless of which domain
in the forest actually contains the data.
When a user logs on to the network, the global catalog provides universal group membership
information for the account sending the logon request to the domain controller. If there is
only one domain controller in the domain, the domain controller and the global catalog are
the same server. If there are multiple domain controllers in the network, the global catalog is
hosted on the domain controller configured as such. If a global catalog is not available when a
user initiates a network logon process, the user is only able to log on to the local computer.
If a user is a member of the Domain Admins group, they are able to log on to the network
even when a global catalog is not available.
The global catalog is designed to respond to queries about objects anywhere in the forest with
maximum speed and minimum network traffic. Because a single global catalog contains
information about objects in all domains in the forest, a query about an object can be
resolved by a global catalog in the domain in which the query is initiated. Thus, finding
information in the directory does not produce unnecessary query traffic across domain
boundaries.
You can optionally configure any domain controller to host a global catalog, based on your
organization's requirements for servicing logon requests and search queries.
After additional domain controllers are installed in the domain, you can change the default
location of the global catalog to another domain controller using Active Directory Sites and
Services.
Schema master
Domain naming master
There can be only one schema master and one domain naming master for the entire forest.
Schema master
The schema master DC controls all updates and modifications to the schema.
Domain naming master
Domain Naming Master DC controls the addition or removal of domains in the forest.
DOMAIN-WIDE OPERATIONS MASTER ROLES
Every domain in the forest must have the following roles:
Relative ID master
Primary DC (PDC) emulator
Infrastructure master
Each domain in the forest can have only one RID master, PDC emulator and infrastructure
master.
Relative ID master
The RID master allocates pool of relative IDs to each DC in its domain. Whenever a DC
creates a user, group, or computer object, it assigns a unique security ID to that object. The
security ID consists of a domain security ID (that is the same for all security IDs created in
the domain), and a relative ID that is unique for each security ID created in the domain.
To move an object between domains (using Movetree.exe), you must initiate the move on
the DC acting as the relative ID master of the domain that currently contains the object.
PDC emulator
For pre-W2K clients, the PDC emulator acts as a Windows NT PDC. It processes password
changes from clients and replicates updates to the BDCs.
In native-mode, the PDC emulator receives preferential replication of password changes
performed by other DCs in the domain. If a password was recently changed, that change
takes time to replicate to every DC in the domain. If a logon authentication fails at another
DC due to a bad password, that DC will forward the authentication request to the PDC
emulator before rejecting the log on attempt.
Infrastructure master
The infrastructure master is responsible for updating the group-to-user references whenever
the members of groups are renamed or changed. At any time, there can be only one DC
acting as the infrastructure master in each domain.
When you rename or move a member of a group (and that member resides in a different
domain from the group), the group may temporarily appear not to contain that member. The
infrastructure master of the group's domain is responsible for updating the group so it knows
the new name or location of the member. The infrastructure master distributes the update via
multimaster replication.
There is no compromise to security during the time between the member rename and the
group update. Only an administrator looking at that particular group membership would
notice the temporary inconsistency.
Schema master
Domain naming master
RID master
PDC emulator
Infrastructure master
Schema Master
The schema master is responsible for performing updates to the directory schema. This DC is
the only one that can process updates to the directory schema. Once the Schema update is
complete, it is replicated from the schema master to all other DCs in the directory. There is
only one schema master per directory.
Domain Naming Master
The Domain Naming Master is responsible for making changes to the forest-wide domain
name space of the directory. This DC is the only one that can add or remove a domain from
the directory.
RID Master
The RID master is responsible for processing RID Pool requests from all DCs within a given
domain. It is also responsible for removing an object from its domain and putting it in another
domain during an object move.
When a DC creates a security principal object such as a user or group, it attaches a unique
SID to the object. This SID consists of a domain SID (the same for all SIDs created in a
domain), and a relative ID (RID) that is unique for each security principal SID created in a
domain.
Each Windows 2000 DC in a domain is allocated a pool of RIDs that can be assigned to the
security principals it creates. When a DC's allocated RID pool falls below a threshold, that DC
issues a request for additional RIDs to the domain's RID master. The domain-RID master
responds to the request by retrieving RIDs from the domain's unallocated RID pool and
assigns them to the pool of the requesting DC. There is one RID master per domain in a
directory.
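The SID structure described above, worked through in PowerShell. This is an added example, not part of the original notes: the sample SID is a constructed value (no real domain), and the last part assumes the ActiveDirectory module on a DC.

```powershell
# Added example: SID structure and the RID pool. The sample SID is a constructed value, not a real domain.
function Split-Sid {
    param([Parameter(Mandatory)][string]$Sid)
    $s = [System.Security.Principal.SecurityIdentifier]$Sid   # throws on a malformed SID
    if (-not $s.AccountDomainSid) { throw "$Sid is not a domain account SID" }  # e.g. S-1-1-0 (Everyone)
    [pscustomobject]@{
        Sid       = $s.Value
        DomainSid = $s.AccountDomainSid.Value        # S-1-5-21-a-b-c: the same for every principal in the domain
        Rid       = [int]($s.Value.Split('-')[-1])   # last sub-authority: unique within the domain
    }
}

function New-DomainSid {
    param([Parameter(Mandatory)][string]$DomainSid, [Parameter(Mandatory)][int]$Rid)
    ([System.Security.Principal.SecurityIdentifier]"$DomainSid-$Rid").Value   # re-parse to validate
}

$sample = 'S-1-5-21-1004336348-1177238915-682003330-1115'   # constructed sample: a user with RID 1115
$parts  = Split-Sid $sample
$parts

# RIDs below 1000 are well known and identical in every domain, so anyone who learns the domain
# SID (it is not secret) knows the SID of Administrator and Domain Admins without any lookup:
# 500 = Administrator, 512 = Domain Admins, 519 = Enterprise Admins (forest root domain only).
foreach ($rid in 500, 512, 519) {
    $sid = New-DomainSid -DomainSid $parts.DomainSid -Rid $rid
    # Translate resolves the SID to a name on a domain-joined machine; it throws for an unknown SID.
    $name = try {
        ([System.Security.Principal.SecurityIdentifier]$sid).Translate([System.Security.Principal.NTAccount]).Value
    } catch { '<not resolvable from this machine>' }
    '{0,-48} RID {1,4}  {2}' -f $sid, $rid, $name
}

# On a DC with the ActiveDirectory module: the RID block this DC has been allocated and where it is
# in it. rIDAllocationPool packs the block's low RID in the low 32 bits and its high RID in the high
# 32 bits; rIDNextRID is the last RID handed out. When the block runs low the DC asks the RID master
# for another one, so a RID master that has been down for a long time shows up as DCs that cannot
# create accounts. dcdiag /test:ridmanager /v reports the domain-wide picture.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
$ridSet = Get-ADObject -Identity "CN=RID Set,$((Get-ADDomainController).ComputerObjectDN)" `
                       -Properties rIDAllocationPool, rIDNextRID -ErrorAction SilentlyContinue
if ($ridSet) {
    $pool = [uint64]$ridSet.rIDAllocationPool
    [pscustomobject]@{
        PoolLow  = $pool -band 0xFFFFFFFF
        PoolHigh = $pool -shr 32
        NextRid  = $ridSet.rIDNextRID
    }
}
```

Because the RID is the only part of a SID that differs between principals in a domain, a SID is never reused once its RID has been handed out; deleting and recreating an account with the same name produces a new SID, which is why ACLs referencing the old account show an unresolved SID afterwards.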
PDC Emulator FSMO Role
The PDC emulator sits at the top of the time hierarchy in an enterprise. Windows 2000 includes
the W32Time (Windows Time) service, which the Kerberos authentication protocol depends on:
all Windows 2000-based computers in an enterprise must share a common time, because Kerberos
rejects tickets and authenticators whose timestamps fall outside the allowed clock skew (5
minutes by default). The time service therefore uses a hierarchical relationship that controls
authority and does not permit loops, so that one consistent time is used throughout.
The PDC emulator of a domain is authoritative for the domain. The PDC emulator at the root
of the forest becomes authoritative for the enterprise, and should be configured to gather the
time from an external source. All PDC FSMO role holders follow the hierarchy of domains in
the selection of their in-bound time partner.
In a Windows 2000 domain, the PDC emulator role holder retains the following functions:
Password changes performed by other DCs in the domain are replicated preferentially
to the PDC emulator.
Authentication failures that occur at a given DC in a domain because of an incorrect
password are forwarded to the PDC emulator before a bad password failure message is
reported to the user.
Account lockout is processed on the PDC emulator.
Note that the PDC emulator role becomes unnecessary as down-level workstations, member
servers, and domain controllers are all upgraded to Windows 2000, in which case the
following information applies:
Windows 2000 clients (workstations and member servers) and down-level clients that
have installed the distributed services client package do not perform directory writes
(such as password changes) preferentially at the DC that has advertised itself as the
PDC; they use any DC for the domain.
Once backup domain controllers (BDCs) in down-level domains are upgraded to
Windows 2000, the PDC emulator receives no down-level replica requests.
Windows 2000 clients (workstations and member servers) and down-level clients that
have installed the distributed services client package use the Active Directory to locate
network resources. They do not require the Windows NT Browser service.
Place the RID and PDC emulator roles on the same domain controller. Good
communication from the PDC to the RID master is desirable as downlevel clients and
applications target the PDC, making it a large consumer of RIDs.
Two exceptions to the "do not place the infrastructure master on a global catalog server"
rule are:
Multidomain forest where every domain controller holds the global catalog:
If every domain controller in the domain also hosts the global catalog, then there
are no phantoms or work for the infrastructure master to do. The infrastructure
master may be placed on any domain controller in the domain.
At the forest level, the schema master and domain naming master roles should be
placed on the same domain controller as they are rarely used and should be tightly
controlled. Additionally, the Domain Naming master FSMO should also be a global
catalog server.
Temporary loss of the schema operations master will be visible only if we are trying to modify
the schema or install an application that modifies the schema during installation.
A DC whose schema master role has been seized must never be brought back online without being
reinstalled; otherwise two DCs would claim the role and accept conflicting schema changes.
To seize the schema master role
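As an added example (not from the original notes), the transfer and the seizure with the tools available today; DC2 is an assumed name for the surviving DC and DC1 for the failed holder. Both the cmdlet and ntdsutil attempt a graceful transfer first and seize only when the current holder cannot be reached.

```powershell
# Added example: transfer, or if necessary seize, the schema master. DC names are assumptions.
Import-Module ActiveDirectory

# Graceful transfer while the current holder is still online (the normal case).
Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole SchemaMaster -Confirm:$false

# Seizure when the holder is gone for good: -Force makes the cmdlet seize if the transfer fails.
Move-ADDirectoryServerOperationMasterRole -Identity DC2 -OperationMasterRole SchemaMaster -Force -Confirm:$false

# The same with ntdsutil (each quoted argument is one menu command). ntdsutil also tries a
# transfer first and only seizes if that fails.
ntdsutil "roles" "connections" "connect to server DC2" "quit" "seize schema master" "quit" "quit"

# Confirm where every role now lives, from two independent sources.
netdom query fsmo
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object RIDMaster, PDCEmulator, InfrastructureMaster

# Make sure every DC agrees: a DC whose copy of the schema partition still names DC1 in
# fSMORoleOwner has not received the change yet, and the old holder must stay offline until it does.
foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    $schemaNc = (Get-ADRootDSE -Server $dc).schemaNamingContext
    $owner = (Get-ADObject -Server $dc -Identity $schemaNc -Properties fSMORoleOwner).fSMORoleOwner
    '{0,-30} {1}' -f $dc, $owner
}
```

The same commands work for the other four roles by changing the -OperationMasterRole value (DomainNamingMaster, RIDMaster, PDCEmulator, InfrastructureMaster) or the ntdsutil verb (seize naming master, seize rid master, seize pdc, seize infrastructure master); of the five, only a seized RID master and schema master require the old holder to be rebuilt before it can return.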
How will you remove DC Server Object (In ADS Sites and Services) which is
not removed After Demotion?
After demoting a DC, the object that represents the server in the Active Directory Sites and
Services Manager snap-in remains.
This issue occurs because the server object is a "container" in the Active Directory and may
hold child objects that represent configuration data for other services installed on your
computer. Because of this, the Dcpromo utility does not automatically remove the server
object.
If the server object contains any child objects named "NTDS Settings," these are objects that represent
the server as a DC and should be automatically removed by the demotion process. If this does not work,
these objects must be removed by using the Ntdsutil utility before you delete the server object.
After verifying that all other services with a dependency on the server object have been
removed, an administrator can delete the server in Active Directory Sites and Services
Manager.
NOTE: This process may not finish successfully for either of the following reasons:
If you receive a message that states the server is a container that contains other objects,
verify that the appropriate decommissioning of services has completed before continuing.
If you receive a message that states the DSA object cannot be deleted, you may be
attempting to delete an active DC.
1. Determine the DC that holds the Domain Naming Master FSMO role.
2. Verify that all servers for the specified domain have been demoted.
3. At the command prompt:
ntdsutil
metadata cleanup
connections
connect to server servername
(servername is the name of the DC holding the Domain Naming Master FSMO role. If an error
occurs, verify that the DC being used in the connection is available and that the credentials
you supplied have administrative permissions on the server.)
quit
(The Metadata Cleanup menu is displayed.)
select operation target
list domains
(A list of domains in the forest is displayed, each with an associated number.)
select domain number
(number is the number associated with the domain to be removed.)
quit
(The Metadata Cleanup menu is displayed.)
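The same cleanup as single command lines, for both cases above (a server object left behind by a demoted or failed DC, and a domain whose DCs have all been demoted). This is an added example, not part of the original notes; DC1, DC2, the site name, the domain DN and the domain number are assumptions, and the final "remove selected domain" step is the one that does the removal.

```powershell
# Added example: ntdsutil metadata cleanup as one-liners. Names, DNs and the domain number are
# assumptions. Run as an Enterprise Admin against a live DC (here DC1, the domain naming master
# for the domain-removal case).

# Make sure the DC being removed does not still hold a FSMO role; seize it elsewhere first if it does.
netdom query fsmo

# Remove the metadata of the failed DC "DC2". Each quoted argument is one menu command; the DN is the
# server object under the site (this also removes its NTDS Settings child object).
ntdsutil "metadata cleanup" "connections" "connect to server DC1" "quit" `
         "remove selected server CN=DC2,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com" `
         "quit" "quit"

# Remove the metadata of a domain after all of its DCs have been demoted. The number after
# "select domain" is the one "list domains" printed for that domain (here assumed to be 1).
ntdsutil "metadata cleanup" "connections" "connect to server DC1" "quit" `
         "select operation target" "list domains" "select domain 1" "quit" `
         "remove selected domain" "quit" "quit"

# Check for leftovers and delete them by hand: the DC's computer account (still a member of
# Domain Controllers, so a leftover is a privileged account), its server object, and its SRV records.
Import-Module ActiveDirectory
Get-ADComputer -Filter 'Name -eq "DC2"' -SearchBase 'OU=Domain Controllers,DC=corp,DC=example,DC=com'
Get-ADObject -Filter 'Name -eq "DC2"' -SearchBase 'CN=Sites,CN=Configuration,DC=corp,DC=example,DC=com'
Get-DnsServerResourceRecord -ZoneName 'corp.example.com' -RRType SRV |
    Where-Object { $_.RecordData.DomainName -like 'DC2.*' }
```

On Windows Server 2008 and later, deleting the computer account of a failed DC in Active Directory Users and Computers, or its NTDS Settings object in Active Directory Sites and Services, runs the server part of this cleanup automatically; the ntdsutil sequence is still what runs underneath and is the only option on Windows 2000 and 2003.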
When you audit Active Directory events, Windows 2000 writes an event to the Security log on
the domain controller. If a user tries to log on to the domain using a domain user account and
the logon attempt is unsuccessful, the event is recorded on the DC and not on the computer
on which the logon attempt was made. This is because it is the domain controller that tried to
authenticate the logon attempt.
To configure auditing for specific Active Directory objects, follow these steps:
1. Open Active Directory Users and Computers.
2. Select Advanced Features on the View menu.
3. Right-click the Active Directory object that you want to audit, and then click
Properties.
4. Click the Security tab, and then click Advanced.
5. Click the Auditing tab, and then click Add.
Enter the name of either the user or the group whose access you want to audit
6. Click to select either the Successful check box or the Failed check box for the actions
that you want to audit, and then click OK.
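The GUI steps above, scripted, followed by the collection that the paragraph before them implies: because a failed domain logon is recorded on the DC that authenticated it, the events have to be gathered from every DC and merged. This is an added example and not part of the original notes; the OU and domain names are assumptions, and the event IDs and auditpol subcategories are those of Windows Server 2008 and later (Windows 2000 used different IDs, for example 529 for a failed logon).

```powershell
# Added example: object-level auditing plus collection of failed domain logons from every DC.
# OU/domain names are assumptions; event IDs are those of Windows Server 2008 and later.
Import-Module ActiveDirectory

# 1. The audit policy has to be on, or a SACL produces nothing.
auditpol /set /subcategory:"Directory Service Changes" /success:enable /failure:enable
auditpol /set /subcategory:"Logon" /failure:enable
auditpol /set /subcategory:"Kerberos Authentication Service" /failure:enable

# 2. SACL: audit every successful write by anyone on the Domain Controllers OU and everything below
#    it (the GUI steps above, but scriptable and therefore reviewable).
$ouPath = 'AD:\OU=Domain Controllers,DC=corp,DC=example,DC=com'
$acl    = Get-Acl -Path $ouPath
$rule   = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    [System.Security.Principal.NTAccount]'Everyone',
    [System.DirectoryServices.ActiveDirectoryRights]'WriteProperty, WriteDacl, WriteOwner',
    [System.Security.AccessControl.AuditFlags]::Success,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
$acl.AddAuditRule($rule)
Set-Acl -Path $ouPath -AclObject $acl

# 3. Failed domain logons land on the DC that did the authenticating, not on the workstation, so
#    collect from every DC and merge. 4625 = failed logon, 4771 = Kerberos pre-authentication failed,
#    4776 = NTLM credential validation (a Status other than 0x0 is a failure).
function Get-FailedDomainLogons {
    param([string[]]$DomainControllers, [int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4625, 4771, 4776; StartTime = (Get-Date).AddHours(-$Hours) }
    foreach ($dc in $DomainControllers) {
        Get-WinEvent -ComputerName $dc -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
            $data = @{}
            foreach ($d in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            if ($_.Id -eq 4776 -and $data.Status -eq '0x0') { return }   # successful NTLM validation
            [pscustomobject]@{
                Time    = $_.TimeCreated
                DC      = $dc
                EventId = $_.Id
                Account = $data.TargetUserName
                Source  = @($data.IpAddress, $data.WorkstationName, $data.Workstation) -ne $null | Select-Object -First 1
            }
        }
    }
}

# Accounts with many failures spread over several DCs are the signature of password spraying.
$dcs = (Get-ADDomainController -Filter *).HostName
Get-FailedDomainLogons -DomainControllers $dcs -Hours 1 |
    Group-Object Account | Where-Object Count -ge 10 |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n = 'DCs'; e = { ($_.Group.DC | Sort-Object -Unique) -join ',' } }
```

Querying only the PDC emulator is not enough, even though bad-password attempts are forwarded to it: the 4625/4771 event for the original attempt is written on the DC the client talked to, and the forwarded check on the PDC emulator is a separate event.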
NOTE: If you want to make this printer available to users who are running different versions
of Windows, you must install additional drivers. To do so, click Additional Drivers on the
Sharing tab of the Printer properties, and then select the appropriate items in the list.
All client PCs and member servers nominate the authenticating DC as their in-bound
time Server.
DCs may nominate the PDC operations master as their in-bound time partner but may
use a parent DC based on stratum numbering.
All PDC operations masters follow the hierarchy of domains in the selection of their inbound time partner.
PDC operations master at the root of the forest becomes authoritative for the organization.
This PDC can be configured to recognize an external Simple Network Time Protocol (SNTP)
time server as authoritative by using the following net time command:
net time /setsntp:server_list
To reset the local computer's time against the authoritative time server for the domain:
net time /domain:domain_name /set
net stop w32time
w32tm -once
net start w32time
SNTP defaults to using UDP port 123. If this port is not open to the Internet, you cannot
synchronize your server to Internet SNTP servers.
Administrators can also configure an internal time server as authoritative by using the net
time command. If the administrator directs the command to the operations master, it may be
necessary to reboot the server for the changes to take effect.
In the Group Policy Microsoft Management Console (MMC), click Computer Configuration.
Locate Administrative Templates, click System, click Group Policy, and then enable the
User Group Policy loopback processing mode setting, choosing Merge or Replace mode.
This policy directs the system to apply the set of GPOs for the computer to any user who logs
on to a computer affected by this policy. Loopback is supported only in a purely Windows
2000 based environment. Both the computer account and the user account must be in Active
Directory.
Usually users in their OU have GPOs applied in order during logon, regardless of which
computer they log on to. In some cases, this processing order may not be appropriate (E.g.,
when you do not want applications assigned to users to be installed while they are logged on
to the computers in some specific OU).
With the Group Policy loopback, you can specify some other ways to retrieve the list of GPOs
for any user who logs on to any of the computers in this specific OU:
Merge Mode
Here, the user's list of GPOs is gathered first. Then the computer's list of GPOs is appended to
the end of it. Because later entries win, the computer's GPOs have higher precedence
than the user's GPOs.
Replace Mode
In this mode, the user's list of GPOs is not gathered. Only the list of GPOs based on the
computer object is used.
How the Local User Accounts Are Handled When a Server Is Promoted to a
DC
When a server is promoted to a DC, the server no longer uses the local SAM database to store
users and groups. When the promotion is complete, the DC stores users, groups, and
computer accounts in the Active Directory database. The SAM database is still present, but it is
inaccessible while the server is running in normal mode. The SAM database is used when you
boot into Directory Services Restore Mode or the Recovery Console, which is why the DSRM
password set during promotion must be protected like a Domain Admin password.
If this new DC is the first DC in a new domain, all of the local user accounts in the SAM
database are migrated to the Active Directory. All permissions that had been assigned to the
local users, such as, NTFS permissions, are retained.
Create a new REG_DWORD key DebugLogLevel and set value as 1 and restart the
computer
1 activates logging, 0 turns logging off.
The logging information is placed in the %Systemroot%\System32\Directory
Synchronization\Session Logs folder. The log files are labeled as "Session#-#.log"
This problem occurs because Remote Procedure Call (RPC) impersonation does not succeed
when the Security service tries to send a message to the Eventlog service. SP2 will solve this
problem.
In Active Directory, each user account has a user principal name (UPN), which is composed of the
user logon name and the user principal name suffix joined by the @ sign.
Do not add the @ sign to the user logon name or to the user principal name suffix. Active
Directory automatically adds it when it creates the user principal name. A user principal name
that contains more than one @ sign is invalid.
The second part of the user principal name, referred to as the user principal name suffix,
identifies the domain in which the user account is located. This user principal name suffix can
be the DNS domain name, the DNS name of any domain in the forest, or it can be an
alternative name created by an administrator and used just for logon purposes. This
alternative user principal name suffix does not need to be a valid DNS name.
Using alternative domain names as the user principal name suffix can provide additional logon
security and simplify the names used to log on to another domain in the forest.
E.g. Sanjo is user in sales.westcoast.microsoft.com. So the logon name would be
sanjo@sales.westcoast.microsoft.com. Creating a user principal name suffix of "microsoft"
would allow that same user to log on using the much simpler logon name of
sanjo@microsoft.
You can add or remove user principal name suffixes using Active Directory Domains and
Trusts.
COMPUTER ACCOUNTS
Each computer account created in Active Directory has a relative distinguished name, a
pre-Windows 2000 computer name (SAM account name), a primary DNS suffix, a DNS host name
and a service principal name. The computer name is used as the LDAP relative distinguished
name.
Active Directory suggests the pre-Windows 2000 name using the first 15 bytes of the relative
distinguished name. This can be changed at any time.
The primary DNS suffix defaults to the full DNS name of the domain to which the computer is
joined. The DNS host name is built from the first 15 characters of the relative distinguished
name + the primary DNS suffix.
The service principal name is built from the DNS host name. The service principal name is
used in the process of mutual authentication between the client and the server hosting a
particular service. The client finds a computer account based on the service principal name of
the service to which it is trying to connect.
It is possible for administrators to change the way the service principal name is created. This
security modification allows a computer to use primary DNS suffixes that are different than
the domain to which the computer is joined. The same modification also allows Active
Directory to use more than the first 15 bytes of the relative distinguished name when
constructing the service principal name.
Computers with these modified computer names will register their names in DNS correctly but
an additional procedure is required to enable correct registration of the DNS host name
NBTSTAT shows that the 1C name (Domain) has been registered. Type nbtstat -n from
a command prompt and note the presence of the 1C name.
The computer role from the NET ACCOUNTS utility lists the computer role as
"PRIMARY" and standalone servers as "SERVERS." Type net accounts from the
command prompt.
The NET START command indicates that the Kerberos Key Distribution Center (KDC)
service is running. Type net start | more.
The computer responds to LDAP queries (specifically, to port 389 or 3268).
The "Connect to server %S" command in Ntdsutil.exe functions only against Windows
2000 DCs.
The Change button on the Network Identification tab in My Computer is disabled when
Windows 2000 is configured as a DC. A note appears indicating this.
Run Netdiag (a Resource Kit utility) and observe the "Machine is a Primary DC" entry
in the output. Type netdiag /v from the command prompt.
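The checks listed above as one function, for a current version of Windows. This is an added example, not part of the original notes; it assumes Test-NetConnection (Windows 8 / Server 2012 or later), and dcdiag is the successor of the Resource Kit netdiag mentioned above.

```powershell
# Added example: is this machine a DC? Scripted version of the checks above.
function Test-IsDomainController {
    $cs = Get-CimInstance Win32_ComputerSystem
    # DomainRole: 0 standalone workstation, 1 member workstation, 2 standalone server,
    # 3 member server, 4 backup DC, 5 primary DC (the PDC emulator).
    $roleIsDc = $cs.DomainRole -ge 4
    $kdc      = (Get-Service -Name kdc -ErrorAction SilentlyContinue).Status -eq 'Running'
    $ldap     = (Test-NetConnection -ComputerName localhost -Port 389  -WarningAction SilentlyContinue).TcpTestSucceeded
    # 3268 only answers on a DC that is also a global catalog, so it is reported but not required.
    $gc       = (Test-NetConnection -ComputerName localhost -Port 3268 -WarningAction SilentlyContinue).TcpTestSucceeded
    # The <1C> NetBIOS group name is registered by every DC of the domain.
    $name1C   = (nbtstat -n) -match '<1C>'
    [pscustomobject]@{
        Computer    = $env:COMPUTERNAME
        Domain      = $cs.Domain
        DomainRole  = $cs.DomainRole
        IsDC        = $roleIsDc -and $kdc -and $ldap
        KdcRunning  = $kdc
        LdapPort389 = $ldap
        GcPort3268  = $gc
        NetBios1C   = [bool]$name1C
    }
}

Test-IsDomainController

# The full DC health test set, including whether the DC is advertising itself and whether the
# services a DC needs (KDC, Netlogon, DNS client, W32Time, ...) are running.
dcdiag /test:Advertising /test:Services
```

A machine that reports DomainRole 4 or 5 but no running KDC or no listener on 389 is a DC that is not functioning, which is a different answer from "not a DC" and should be treated as an incident rather than as a member server.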
1. Start with a clean PC, or one that is representative of the computers in your network.
2. Start Discover to take a picture of the representative PC's software configuration. This
is the Before snapshot.
3. Install a program on the PC on which you took the Before snapshot.
4. Reboot the PC.
5. Run the new program to verify that it works.
6. Quit the program.
7. Start Discover and take an After snapshot of the PC's new configuration. Discover
compares the Before and the After snapshots and notes the changes. It creates a
Microsoft Installer package with information about how to install that program on such
a PC in the future.
8. (Optional) Use Veritas Software Console to customize the Microsoft Installer package.
9. Clean the reference computer to prepare to run Discover again.
10. (Optional) Perform a test installation of the program on non-production workstations.
AD Replication
Create and Configure a Site Link in Active Directory in Windows 2000
For the site link to become active, there must be at least two sites available in Active
Directory.
A Site Link object represents a set of sites that can communicate at uniform cost through an
inter-site transport. For IP transport, a typical site link connects just two sites and
corresponds to an actual WAN link. An IP site link that connects more than two sites might
correspond to an asynchronous transfer mode (ATM) backbone that connects more than two
clusters of buildings on a large campus, or several offices in a large metropolitan area that
are connected through leased lines and IP routers.
How to Create a Site Link
To create a new site link:
1. Open Active Directory Sites and Services.
2. Expand the Inter-Site Transports node, right-click IP (or click SMTP if you want to
use SMTP as the inter-site transport protocol), and then click New Site Link.
If you have only one site in Active Directory, you receive a message that states that two sites
are required for the site link to work. Click OK to continue.
Since Windows 2000 uses multi-master replication, maintaining consistency is a problem. The KCC
creates connections dynamically between the DCs and triggers replication.
As the number of DCs increases, replication consumes more and more network bandwidth.
The KCC balances the need for consistency against bandwidth limitations using the timely
contact rule.
This means that within a site no DC is allowed to be more than 3 replication hops from any other
DC. The KCC maintains the topology automatically. You can manually force the KCC to run
immediately using the Repadmin.exe tool. To force the KCC on the server named
server1.mydomain.com, you would issue the following command.
repadmin /kcc server1.mydomain.com
Intersite replication relaxes the timely contact rule since replication between sites usually
occurs over slower links. The KCC can be optimized for your particular intersite replication
needs.
Bridgehead servers perform directory replication between two sites. Only two designated DCs
talk to each other. These DCs are called bridgehead servers. If you have DCs from multiple
domains, you will have a bridgehead server for each domain.
Each Active Directory site also has one DC that takes the role of Inter-Site Topology
Generator (ISTG), which reviews and generates the connection object for the bridgehead
servers in each site.
There is only one DC with this role in each site, even if you have multiple domains. The first
DC in the site becomes the ISTG for the site by default. You cannot control which DC is the
ISTG, but you can find out which one currently holds the role.
If the DC holding the ISTG role is offline for more than 60 minutes, another DC in the site will
automatically take over this role.
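The repadmin and PowerShell commands a practitioner uses to drive and inspect what the KCC, the ISTG and the bridgehead servers are doing. This is an added example, not part of the original notes; server1.mydomain.com is the name used above and the ActiveDirectory cmdlets assume Windows Server 2012 or later.

```powershell
# Added example: inspecting and driving the replication topology. Server names are assumptions.

# Force the KCC on one DC to recompute its connection objects now (by default it runs every 15 minutes).
repadmin /kcc server1.mydomain.com

# Which DC is the ISTG in each site. The value comes from the interSiteTopologyGenerator attribute
# of the site's NTDS Site Settings object; "*" asks every DC, so disagreement between DCs shows up.
repadmin /istg *

# Which DCs are currently acting as bridgehead servers for the inter-site links.
repadmin /bridgeheads

# Inbound replication partners of server1 and the last result for each naming context.
repadmin /showrepl server1.mydomain.com

# Forest-wide summary: one line per DC with the largest delta since the last successful replication
# and the failure count. A non-zero fail count, or a delta far beyond the site-link interval, is the
# first sign of a broken topology or of a DC that has been offline and may be about to go past
# the tombstone lifetime.
repadmin /replsummary

# Replicate every naming context from server1 to all of its partners, cross-site included
# (A = all partitions, d = identify servers by DN, e = enterprise/cross-site, P = push).
repadmin /syncall server1.mydomain.com /AdeP

# The same data as objects, for filtering and alerting.
Import-Module ActiveDirectory
$dcs = (Get-ADDomainController -Filter *).HostName
Get-ADReplicationFailure -Target $dcs |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError
Get-ADReplicationPartnerMetadata -Target server1.mydomain.com |
    Select-Object Server, Partner, LastReplicationSuccess, LastReplicationResult, ConsecutiveReplicationFailures
```

The ISTG handover described above (another DC takes over after 60 minutes) is visible as a change in the output of repadmin /istg; if two sites' DCs disagree about who the ISTG is for longer than that, configuration-partition replication between them is the thing to check.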
Admin global group is added to the built-in Administrators group of the child domain. This
allows the administrator of the parent domain to administer and force replication from either
the parent domain or the child domain, but the administrator in the child domain is only able
to force replication from within his or her own domain.
To resolve this issue, give the administrator in the child domain permissions on the parent
domain from which you want to force replication: add that administrator to the Administrators
group in the parent domain.
Repeat these steps from each domain that you want to assign administrative permissions to.
Keep in mind that parent domains are able to manage all of their child domains but you need
to perform the steps described in this article for any child domains that want to manage the
parent domain or other child domains on the same level.
RPC Error Messages Returned for Active Directory Replication When Time Is
Out of Synchronization
When you are viewing the status of Active Directory replication between two DCs, the
following messages may be displayed for the result of the last replication attempt:
The RPC server is unavailable.
-or-
The RPC server is too busy to complete this operation.
These error messages may be reported in the Event log through Replication Monitor. By
default, W2K computers synchronize time with a time server. If the time server is not
available and the time difference between DCs drifts beyond the skew allowed by Kerberos,
authentication between the two DCs may not succeed and the RPC error messages can result.
Synchronize time among DCs using net time:
Net time \\mypdc /set /y
This synchronizes the local computer time with the server named Mypdc.
The /set switch means the time is not only queried but also synchronized with the specified server.
The /y switch skips the confirmation for changing the time on the local computer.
Attribute value: An object's attribute is set concurrently to one value at one master,
and another value at a second master.
Sibling name conflict: This conflict occurs when one replica attempts to move an object
into a container in which another replica has concurrently moved another object with
the same relative distinguished name (RDN).
Active Directory orders all updates by assigning a globally unique stamp to the originating
update. If there is a conflict, the ordering of stamps allows a consistent resolution. This
approach is used in the following ways:
Attribute value: The value whose update operation has the larger stamp wins.
Add/move under a deleted container object or the deletion of a non-leaf object: After
resolution at all replicas, the container object is deleted, and the leaf object is made a
child of the special LostAndFound container. Stamps are not involved in this
resolution.
Sibling name conflict: The object with the larger stamp keeps the RDN. The sibling
object is assigned a unique RDN by the system, built from a reserved character (the
asterisk), the RDN, and the object's GUID, so it cannot conflict with any
client-assigned value.
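The three resolution rules above, simulated in Python as an added example (this is not code from the original document). The stamp structure (version, then originating time, then originating DSA GUID as tie-breaker) is how Active Directory orders updates; the object names, GUIDs and times are constructed sample values, and the renamed-RDN form simply follows the description above rather than reproducing the exact on-wire format.

```python
from dataclasses import dataclass, field

@dataclass(order=True)
class Stamp:
    """Originating-update stamp; compared field by field, so version dominates,
    then originating time, then the originating DSA GUID as a final tie-breaker."""
    version: int
    timestamp: int      # originating-update time in seconds (constructed)
    dsa_guid: str       # originating DC's invocation ID (constructed)

@dataclass
class Obj:
    guid: str
    rdn: str
    parent: str
    attrs: dict = field(default_factory=dict)   # attribute -> (value, Stamp)

def resolve_attribute(local, remote):
    """Attribute-value conflict: the update with the larger stamp wins.
    Each side is a (value, Stamp) pair."""
    return local if local[1] >= remote[1] else remote

def merge_object(local: Obj, remote: Obj) -> Obj:
    """Apply an incoming replica of the same object attribute by attribute."""
    for name, incoming in remote.attrs.items():
        if name in local.attrs:
            local.attrs[name] = resolve_attribute(local.attrs[name], incoming)
        else:
            local.attrs[name] = incoming
    return local

def resolve_sibling(a: Obj, a_stamp: Stamp, b: Obj, b_stamp: Stamp):
    """Sibling-name conflict: the larger stamp keeps the RDN; the other object
    is renamed from the reserved character, its RDN and its GUID, following the
    document's description (illustrative format, not the real on-wire one)."""
    winner, loser = (a, b) if a_stamp > b_stamp else (b, a)
    loser.rdn = f"{loser.rdn}*{loser.guid}"
    return winner, loser

def resolve_deleted_parent(child: Obj, deleted: set, domain_dn: str) -> Obj:
    """Add/move under a container deleted elsewhere: the container stays deleted
    and the child lands in LostAndFound. No stamps are compared."""
    if child.parent in deleted:
        child.parent = f"CN=LostAndFound,{domain_dn}"
    return child
```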
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
The default value data for the "Replicator notify pause after modify (secs)" DWORD value is
0x12c hexadecimal, which is 300 decimal (5 minutes).
To modify the notification delay between DCs, use Registry Editor to modify value data for the
"Replicator notify pause between DSAs (secs)" DWORD value in the following registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
The default value data for the "Replicator notify pause between DSAs (secs)" DWORD value is
0x1e hexadecimal, which is 30 decimal (30 seconds).
When the KCC on each DC generates the intra-site topology for the site in which it resides,
the KCC creates a connection object in the Active Directory only when a connection object is
required for the local computer. These changes propagate to other DCs through the normal
replication process. Each DC uses the same algorithm to compute the replication topology,
and in a state of equilibrium between DCs, each should arrive at the same result with respect to
what the replication topology should be. In the process, each DC creates its own connection
objects.
Connection objects for bridgehead servers for inter-site replication are created differently. The
KCC on one DC in each site is responsible for reviewing the inter-site topology and creating
inbound replication connection objects as necessary for bridgehead servers in the site in
which it resides. This DC is known as the Inter-Site Topology Generator (ISTG). The DC
holding this role may not necessarily be a bridgehead server.
When the ISTG determines that a connection object needs to be modified on a given
bridgehead server in the site, the ISTG makes the change to its local Active Directory copy.
As part of the normal intra-site replication process, these changes propagate to the
bridgehead servers in the site. When the KCC on the bridgehead server reviews the topology
after receiving these changes, it translates the connection objects into replication links that
Active Directory uses to replicate data from remote bridgehead servers.
The current owner of the ISTG role is communicated through the normal Active Directory
replication process. Initially, the first server in the site becomes the ISTG for the site. The role
does not change as additional DCs are added to the site until the current ISTG becomes
unavailable.
The current ISTG notifies every other DC in the site that it is still present by writing the
"interSiteTopologyGenerator" attribute on the NTDS Settings object under its DC object in the
Configuration naming context in Active Directory at a specified interval.
As this attribute gets propagated to other DCs by Active Directory replication, the KCC on
each of these computers monitors this attribute to verify that it has been written within a
specified amount of time. If the amount of time elapses without a modification, a new ISTG
takes over.
In the event that a new ISTG needs to be established, each DC orders the list of servers in
ascending order by their Globally Unique Identifier (GUID). The DC that is next highest in the
list of servers from the current owner takes over the role, starts to write the
"interSiteTopologyGenerator" attribute, and performs the necessary KCC processes to
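The heartbeat check and the GUID-ordered takeover described in the two paragraphs above, as an added Python example (not code from the original document). The 60-minute window is the figure this document gives; DC names and GUIDs are constructed, and wrapping from the last GUID back to the first is an assumption about the edge case the text does not spell out.

```python
import uuid
from datetime import datetime, timedelta

# Failover window from the document: an ISTG silent for more than 60 minutes is replaced.
ISTG_FAILOVER = timedelta(minutes=60)

def istg_expired(last_written: datetime, now: datetime) -> bool:
    """True when interSiteTopologyGenerator was last rewritten more than
    ISTG_FAILOVER ago, as seen by the KCC on this DC after replication."""
    return now - last_written > ISTG_FAILOVER

def next_istg(servers: dict, current_guid: str) -> str:
    """servers maps DC GUID (string) -> DC name. Sort ascending by GUID and hand the
    role to the DC after the current owner; when the owner is last in the list this
    example wraps around to the first DC (assumption)."""
    ordered = sorted(servers, key=uuid.UUID)
    if current_guid not in ordered:          # owner already demoted or removed
        return ordered[0]
    idx = ordered.index(current_guid)
    return ordered[(idx + 1) % len(ordered)]

def elect_istg(servers: dict, current_guid: str,
               last_written: datetime, now: datetime) -> str:
    """Keep the current ISTG while its heartbeat is fresh; otherwise pick the successor."""
    if not istg_expired(last_written, now):
        return current_guid
    return next_istg(servers, current_guid)
```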
Check for a disjointed namespace, and then run Netdiag.exe /fix. You must install Support
Tools from the Windows 2000 Server CD-ROM to run Netdiag.exe.
How do I set up DNS for other DCs in the domain that are running DNS?
For each additional DC that is running DNS, the preferred DNS setting is the parent DNS
server (the first DC in the domain), and the alternate DNS setting is the actual IP address of
its own network interface.
How do I set up DNS for a child domain?
To set up DNS for a child domain, create a delegation record on the parent DNS server for the
child DNS server. Create a secondary zone on the child DNS server that transfers the parent
zone from the parent DNS server. Set the child DNS server to point to itself only.
How to replace the current primary DNS Server with a new Primary DNS
Server in Windows 2000
When an existing DNS domain structure is in place, it may be necessary to replace the current
primary DNS server with a new Windows 2000 DNS server.
First install DNS on the new Windows 2000 server, then transfer the records.
Transfer Records from the Current DNS Server
1. Open the DNS MMC and double-click W2K-DNS (the server name) to expand it.
2. Right-click Forward Lookup Zones, click New Zone to start the wizard, and then
click Next.
3. Click Standard Secondary for the zone type, click Next, type the zone name (for example,
"microsoft.edu"), and then click Next.
4. Type the IP address of the current primary DNS server (in this example, 192.168.0.2),
click Add, click Next, and then click Finish.
5. Right-click Reverse Lookup Zones, click New Zone to start the wizard, click Next,
click Standard Secondary for the zone type, and then click Next.
6. In the Network ID box, type 192.168.0, and then click Next.
7. Type the IP address of the current primary DNS server (in this example, 192.168.0.2),
click Add, click Next, and then click Finish.
Change the Role of a DNS Server to Primary Server
After all of the records have been transferred, you must remove the old DNS
server from the network and set the new DNS server as the primary DNS server. To set the DNS
server as the primary DNS server:
1. Open the DNS MMC and double-click W2K-DNS (the server name) to expand it.
2. Double-click Forward Lookup Zones, right-click the Microsoft.edu zone, and then
click Properties.
3. Click the General tab, click Change under Type, and then click either Standard
Primary or Active Directory Integrated as the new type, depending on whether or
not this computer is a domain controller (DC). Click OK.
4. Change the setting under Allow Dynamic Updates to Yes if this server is for a
Windows 2000 Domain.
The server is now set as a primary DNS server for the DNS domain space.
It may be necessary to change the IP address of the new server to match the IP address that
the old DNS server used. This avoids having to reconfigure all clients and secondary servers
to point to a new IP address for the primary DNS server.
left pane, click Scavenge Stale Resource Records, and then click YES when asked if you
want to scavenge.
The host's "A" record is registered in DNS after you choose not to register
the connection's address.
In Windows 2000, if you clear the Register this connection's address in DNS check box
under Advanced TCP/IP Settings for a network interface, the IP address may register an A
record for the host name in its primary DNS suffix zone.
For example, this behavior may occur if you have the following configuration:
If you clear the Register this connection's address in DNS check box on the
network adapter that has the IP address 10.2.2.2 and then delete the host record for
Server1.example.com 10.2.2.2, the host record for Server1.example.com 10.2.2.2 is dynamically
added back to the zone later. The unwanted registration of this record can be reproduced if
you restart the DNS service on the server.
This is because, when the DNS service is installed on a computer that is running Windows
2000, it listens to all of the network interfaces that are configured by using TCP/IP. When
DNS causes an interface to listen for DNS queries, the interface tries to register the host A
record in the zone that matches its primary DNS suffix. The interface tries to register the host
A record regardless of the settings that have been configured in the TCP/IP properties. This
behavior is by design and can take place under the following circumstances:
The DNS service is installed on the server whose configuration you are trying to
change.
The DNS zone that matches the primary DNS suffix of the server is enabled to update
dynamically.
To resolve this, remove the interface from the list of interfaces that the DNS server listens on.
To do so, follow these steps:
Dynamic DNS Updates Do Not Work if the DHCP Client Service Stops
The client computer does not send dynamic Domain Name System (DNS) updates to the DNS
server even though the Register this connection's address in DNS option is selected.
You receive the following error forcing DNS registration:
IPCONFIG /REGISTERDNS
Windows 2000 IP Configuration
Error: The system cannot find the file specified. : Refreshing DNS names
This is because: Dynamic DNS registration relies on the DHCP client service to perform
dynamic updates. When you disable or set the DHCP client service to start manually, it
prevents dynamic DNS updates from occurring. Even if the computer has a static IP address, the DHCP
client service must be running for dynamic DNS updates to occur.
To resolve this issue, you must configure the DHCP client service to start automatically when
your computer system starts.
The DNS server is configured as a Dynamic Host Configuration Protocol (DHCP) client.
The DNS zone has a name other than your Active Directory domain name.
To resolve this issue, verify that all of the following conditions exist:
Configure your DNS server to use a static Internet Protocol (IP) address.
If all of these conditions exist and you still do not see your SRV records, stop and start the
Netlogon service. This action forces the DC to re-register the appropriate SRV records.
Using the netdiag /fix command on the DC will verify that all SRV records that are in the
Netlogon.dns file are registered on the primary DNS server.