38676182.doc

What is Active Directory? ... 12
Domain vs Workgroup ... 12
Understanding Active Directory Forest Structures ... 14
What Is a Schema? ... 15
What Is the Global Catalog? ... 16
Preparing the Servers for Windows 2008 ... 17
Installing Active Directory with DCPromo ... 18
Windows 2008 Domain Decisions ... 20
System Changes with AD Install ... 21
Domain Functional Levels ... 22
  Windows 2000 Native ... 22
  Windows Server 2003 ... 22
  Windows Server 2008 ... 22
Forest Functional Levels ... 24
  Windows Server 2003 ... 24
  Windows Server 2008 ... 24
Implementing, Managing, and Maintaining Name Resolution
DNS Namespace ... 25
  Primary DNS suffix ... 26
  FQDN Rules ... 26
  NetBIOS Names ... 26
  How to Get a Domain Name ... 26
    Some Basic DNS Naming Guidelines ... 27
DNS Zones ... 28
DNS Name Resolution - Forward Lookup ... 29
  DNS Query Types ... 29
    DNS Name Resolution Failure ... 29
  Resolver Cache ... 30
  Name Resolution ... 30
    Resource Records ... 31
SRV Records ... 32

19 August 2010

00:23

1 of 233

  Troubleshooting SRV Records ... 33
  Managing Mail Server Records ... 34
DNS Server Functions ... 35
  Caching Only Server ... 35
  Forwarder ... 35
  Chained Forwarder ... 36
Installing DNS ... 37
  Manual Install ... 37
  Active Directory Installation ... 37
  Default Installations ... 38
Windows Server 2008 DNS Zone Options ... 39
  Standard Primary Zone ... 40
  Secondary Zone ... 41
  Stub Zone ... 41
  Active Directory Integrated Zone ... 42
Forwarding ... 43
  Conditional Forwarding ... 43
    Advantages of Conditional Forwarding ... 44
    Disadvantages of Conditional Forwarding ... 44
  Simple Forwarding ... 44
  Delegated DNS Zone ... 45
    Creating a Delegation ... 45
DNS Design ... 46
Dynamic Updates ... 47
  DNS and DHCP Integration ... 47
    Types of Dynamic Updates ... 47
Zone Transfer ... 48
  Default Settings for Zone Transfer ... 48
  Zone Transfer via Notify ... 48
  Securing Zone Transfers ... 49
SOA Record ... 50
Zone Transfers ... 52
  Full Transfer (AXFR) ... 52
  Incremental Transfer (IXFR) ... 52
  Active Directory Integrated ... 53
    Win 2008 ADI Zone Replication ... 53
Root Name Servers ... 55
  Creating a Root Server ... 55
Non-root Name Servers ... 56
DNS and BIND ... 57
Configure DNS Client ... 58
  Appending Suffixes ... 58
  Client Registration in DNS ... 59
    Manual Registration ... 59
    Dynamic Registration ... 59
Optimizing Name Resolution ... 61
  Round Robin ... 61
  DNS Interfaces ... 61
Advanced DNS Server Properties ... 63
Test the DNS Server service ... 65
Manage and Monitor DNS ... 66
  DNS Debug Logging ... 68
Group Policies and DNS ... 69
Securing DNS ... 70
  DNS Naming Considerations ... 70
Enhancements to DNS in 2008 ... 72
  GlobalNames Zone ... 72
  Enhanced Support for IPv6 ... 73
WINS Integration with DNS ... 74
Troubleshooting DNS Issues ... 75
    Incorrect query results ... 76
    Too much zone transfer traffic ... 76
Single vs. Multi-Master Replication ... 78
Single Master Operations ... 79
Moving FSMO roles ... 82
    Recover Roles ... 83
Directory Partitions ... 84
  Application Directory Partitions ... 84
The Global Catalog ... 86
    Universal Group Membership Caching ... 87
Managing UPN Suffixes ... 88
  Creating and Managing UPNs ... 88
Trust Types in Windows Server 2008 ... 90
  Tree-Root Trust ... 90
  Parent-Child Trust ... 90
  Shortcut Trust ... 90
  External trust ... 90
  Forest trust ... 91
  Realm trust ... 92
Managing Trusts ... 94
  Access Resources using External/Forest Trusts ... 94
    Selective authentication ... 95
Read-Only Domain Controllers ... 96
  Password Replication on RODCs ... 97
    Significant Points for RODCs ... 98
Managing and Maintaining an Active Directory Infrastructure ... 99
Managing Schema Modifications ... 101
Replication ... 102
  Intra-Site ... 102
  Inter-Site ... 103
Forest and Domain Replication ... 104
  Intra-Site Replication ... 104
Active Directory Sites ... 105
  Site Creation ... 106
    Creating Subnets ... 106
  Inter-Site Replication ... 107
    Site Links ... 107
    Bridgehead Servers ... 108
    Site Link Bridges ... 108
    Inter-Site Transports ... 109
Managing AD Sites ... 111
  Creating Boundaries with Subnets ... 111
Bridgehead Selection Process ... 112
  Manually Selecting Bridgeheads ... 112
Monitoring Replication ... 114
    Event Viewer ... 114
    File Replication Service Log ... 114
    Command-Line Utilities ... 114
    Active Directory Replication Monitor ... 115
Backing-Up Active Directory ... 116
  System State ... 116
  Server Backup Utility ... 116
WBAdmin ... 117
Restoring Active Directory ... 120
  Restore Options ... 120
    Normal Restore ... 120
    Authoritative Restore ... 121
    Primary Restore ... 121
AD Replication Conflicts ... 122
Active Directory Garbage Collection ... 123
Troubleshooting Active Directory ... 124
  Directory Services Restore Mode Password ... 124
  Resolving issues with AD ... 124
  Removing Active Directory ... 125
    ADSIEdit and LDP ... 125
Planning and Implementing User, Computer and Group Strategies ... 126
File Permissions ... 127
  Turning on and turning off Simple File Sharing ... 127
  Enabling the Security Tab in Windows XP ... 128
  NTFS Permissions ... 129
  Set, view, change, or remove special permissions for files and folders ... 131
Security Group Strategy ... 133
  Group Scopes ... 133
    Global ... 133
    Domain Local ... 134
    Universal ... 134
  Group Nesting ... 134
  Changing Group Scope ... 134
  Removing Groups ... 134
    How to Create Accounts Using the Csvde Tool ... 135
    How to Create and Manage Accounts Using the Ldifde Tool ... 136
Domain User Account Policy ... 139
  Password Challenges ... 139
Planning Organizational Units (OUs) ... 141
Planning and Implementing Group Policy
Group Policies ... 143
  Group Policy Processing ... 143
Plan Policy Application Sequence ... 145
    Linking and Options ... 145
  Group Policy Filtering ... 146
    WMI Filters ... 146
  Refreshing Group Policies ... 146
Group Policy Settings ... 148
  Categories ... 149
Group Policies and Security Templates ... 150
Group Policy Management Console ... 151
  Resultant Set of Policies ... 151
  Group Policy Result Wizard ... 153
Software Deployment ... 155
  Windows Installer Service ... 156
  Windows Installer Packages ... 156
  Application (.zap) Files ... 157
  Software Distribution Point (SDP) ... 157
  Creating a Package ... 157
    Upgrading Software ... 158
  Removing Applications ... 158
  Terminal Services and Software Installation ... 159
Software Restriction Policies ... 160
    Software Rules ... 160
    Designated File Types ... 161
    Enforcement ... 161
Redirected Folders ... 162
  Target Folder Options ... 163
Additional Policy Settings ... 164
  Group Policy Loopback ... 164
Linking, Disabling, and Deleting GPOs ... 165
  Disabling and Deleting GPOs ... 165
    GP processing ... 166
Backing Up, Importing, and Restoring GPOs ... 167
Replacing Security Templates ... 168
    Security Templates ... 168
Troubleshooting Group Policy ... 169
IP Addressing ... 171
  Address Classes ... 171
  Private Addressing and APIPA ... 172
    Automatic Private IP Addressing (APIPA) ... 172
Subnetting ... 174
  Subnet Masks ... 174
  Network/Broadcast Address ... 174
Determining Local and Remote Hosts ... 176
Common Ports to Know ... 177
IPv6 ... 179
  Teredo ... 179
DHCP ... 181
Configuring TCP/IP ... 182
  Advanced TCP/IP Settings ... 182
    Multiple IP Addresses ... 183
    Alternate (Static) IP Address ... 183
  IP Troubleshooting Tools ... 183
    IPConfig ... 184
    Ping ... 184
    Tracert ... 185
    PathPing ... 185
Event Viewer ... 186
  Event Subscriptions ... 186
    Configure Forwarding computer ... 187
    Configure Collecting computer ... 187
    Check the forwarded Event Viewer entries ... 187
DFS - Distributed File System ... 188
DFS Namespaces ... 189
    Create a namespace ... 189
DFS Replication ... 191
    Create a replication group ... 191
    Create a replicated folder ... 192
  DFS Requirements ... 193
DFS Commands ... 194
Shadow Copy ... 196
  Using Shadow Copies of Shared Folders ... 196
  Shadow copy client configuration ... 197
    Installing the Previous Versions Client ... 197
    Installing the Shadow Copy Client ... 197
    Configuring Shadow Copies in Computer Management ... 198
    Enabling Shadow Copying from the Command Line ... 199
Server Manager ... 202
  Server Manager Interface ... 202
    Roles ... 202
    Diagnostics ... 202
    Configuration ... 203
    Storage ... 203
Active Directory Lightweight Directory Services ... 204
ADRMS - Active Directory Rights Management Services ... 206
    AD RMS Benefits ... 207
AD FS - Active Directory Federation Services ... 208
    Federation and Web SSO ... 208
    Web Services (WS)-* interoperability ... 208
    Extensible architecture ... 208
    Extending AD DS to the Internet ... 209
WDS ... 210
  What is Windows Deployment Services? ... 210
  Server functionality modes ... 210
    Known issues with configuring Windows Deployment Services ... 211
  Prerequisites ... 212
  Install & Configure ... 212
  Add Images ... 212
    To install an operating system ... 213
  Unattended Installation ... 214
Hyper-V ..... 216
  Server Consolidation ..... 216
  Business Continuity and Disaster Recovery ..... 216
  Testing and Development ..... 216
  Dynamic Data Center ..... 216
  Key Features of Hyper-V ..... 216
  Live Migration ..... 217
  Increased Hardware Support for Hyper-V Virtual Machines ..... 217
  Cluster Shared Volumes ..... 217
  Cluster Validation Tool ..... 217
  Management of Virtual Data Centers ..... 217
  Enhanced Networking Support ..... 218
  Dynamic VM storage ..... 218
  Broad OS Support ..... 218
  Network Load Balancing ..... 218
  Virtual Machine Snapshot ..... 218
High Availability ..... 219
  Failover Clustering ..... 219
    Cluster Migration ..... 219
    Cluster Infrastructure ..... 219
    Cluster Storage ..... 219
    Cluster Network ..... 220
    Cluster Security ..... 220
    Advantages of Network Load Balancing ..... 221
    Host Priorities ..... 221
    Port Rules ..... 221
    Remote Control ..... 222
    How Network Load Balancing Works ..... 222
    Managing Application State ..... 223
Windows System Resource Manager (WSRM) ..... 225
Windows Server Update Services 3.0 ..... 226

  Prerequisites for WSUS servers ..... 226
    Prerequisites for using the WSUS 3.0 Administration Console ..... 226
    Prerequisites for WSUS client computers ..... 226
  How it works ..... 226
  Client-side features ..... 229
WSUS 3.0 Deployment Scenarios ..... 230
  Single WSUS server (small-sized or simple network) ..... 230
  Multiple independent WSUS servers ..... 231
  Multiple internally synchronized WSUS servers ..... 232
  Disconnected WSUS servers (limited or restricted Internet connectivity) ..... 233
    More Information ..... 233

What is Active Directory?
• A directory service database that allows for the creation of a hierarchical management structure.
• The Windows Server 2008 Active Directory service consists of forests, trees, domains, and organizational units, created as a means of satisfying an organization's resource management needs.
• The AD forest is a collection of domains that share a common schema, configuration, and global catalog.
• The trees within the AD forest are groups of domains that share a contiguous namespace (i.e. fabrikam.com, research.fabrikam.com, sales.fabrikam.com). A different namespace (fabrikam.com, contososchool.com) constitutes a new tree.
• The organizational unit (OU) is the building block of an Active Directory domain that provides for administrative delegation and policy implementation within a domain.

Active Directory is a directory service database that provides a centralized management structure for objects within a network enterprise. The Microsoft Windows Server 2008 Active Directory infrastructure is made up of logical components called forests, trees, domains, and organizational units (OUs). One of the toughest concepts regarding Active Directory infrastructure is to relinquish the idea that it must mirror the physical network or the corporate organizational chart. Active Directory can, and most likely will, be influenced by one or both of these factors, but it does not have to bear any relationship to them. Active Directory infrastructure should be designed to suit your administrative and security needs, and built in a fashion that facilitates the management of networked resources. Keep in mind that the forest, not the domain, is the security boundary: every domain in a forest trusts the others, and the Enterprise Admins and Schema Admins groups of the root domain have authority over all of them, so groups of administrators that must not be able to affect each other need separate forests.

Domain vs Workgroup
A workgroup is Microsoft's terminology for a peer-to-peer PC computer network. Microsoft operating systems in the same workgroup may allow each other access to their files, printers, or Internet connection. Members of different workgroups on the same local area network segment and TCP/IP network can only access resources in workgroups to which they are joined.

A Windows Server domain is a logical group of computers running versions of the Microsoft Windows operating system that share a central directory database. This central database (known as Active Directory starting with Windows 2000, and as NT Directory Services, or NTDS, on Windows NT Server) contains the user accounts and security information for the resources in that domain. Each person who uses computers within a domain receives his or her own unique account, or user name. This account can then be assigned access to resources within the domain. In a domain, the directory resides on computers that are configured as "domain controllers." A domain controller is a server that manages all security-related aspects between user and domain interactions, centralizing security and administration. A Windows Server domain is normally more suitable for moderately larger businesses and organizations.

Windows Workgroups, by contrast, are the other model for grouping computers running Windows in a networking environment, and ship with Windows. Workgroup computers are considered to be 'standalone', i.e. there is no formal membership or authentication process formed by the workgroup; each computer authenticates users against its own local account database (SAM). A workgroup does not have servers and clients, and as such it represents the Peer-to-Peer (or Client-to-Client) networking paradigm, rather than the centralised Server-Client architecture. Workgroups are considered difficult to manage beyond a dozen clients, and lack single sign-on, scalability, resilience/disaster recovery functionality, and many security features. Windows Workgroups are more suitable for small or home-office networks.

A domain does not refer to a single location or specific type of network configuration. The computers in a domain can share physical proximity on a small LAN or they can be located in different parts of the world. As long as they can communicate, their physical position is irrelevant.

Understanding Active Directory Forest Structures
• Forest
• Tree
• Schema
• Global catalog

The fabrikam.com forest is made up of 2 trees and 5 domains in total. The fabrikam.com and elabs.corp domains serve as tree roots, while research.fabrikam.com, training.fabrikam.com, and dev.elabs.corp exist as child domains. The fabrikam.com domain is known as the forest root. Each domain maintains its own set of domain-specific information, while every domain in the forest shares the same schema, configuration, and global catalog. The organizational unit is the building block for each Active Directory domain. Note that organizational units do not cross domains; therefore, a multiple-domain environment could contain organizational units of the same name in different domains.

What Is a Schema?
The Active Directory schema defines the kinds of objects, the types of information about those objects, and the default security configuration for those objects that can be stored in Active Directory. The Active Directory schema contains the definitions of all objects, such as users, computers, and printers, that are stored in Active Directory. There is only one schema for an entire forest, and every domain controller holds a copy of it; this way, all objects that are created in Active Directory conform to the same rules.

The schema has two types of definitions: object classes and attributes. Object classes such as user, computer, and printer describe the possible directory objects that you can create. Each object class is a collection of attributes. Attributes are defined separately from object classes. Each attribute is defined only once and can be used in multiple object classes. For example, the Description attribute is used in many object classes, but is defined only once in the schema to ensure consistency.

You can create new types of objects in Active Directory by extending the schema. For example, for an e-mail server application, you could extend the user class in Active Directory with new attributes that store additional information, such as users' e-mail addresses. Schema changes are written on the schema master only, require membership in the Schema Admins group, and replicate to every domain controller in the forest; a class or attribute can never be deleted, only deactivated. At the Windows Server 2003 forest functional level or higher you can reverse schema changes by deactivating them, thus enabling organizations to better exploit Active Directory's extensibility features, and you may also redefine a schema class or attribute by deactivating the old definition and creating a new one in its place. For example, you could redefine an attribute called Department (Unicode String syntax) under the new name Unit. Because the effect is forest-wide and largely irreversible, keep the Schema Admins group empty and add an account to it only for the duration of a planned, tested extension.

What Is the Global Catalog?
Resources in Active Directory can be shared across domains and forests. The global catalog feature in Active Directory makes searching for resources across domains and forests transparent to the user. For example, if you search for all of the printers in a forest, a global catalog server processes the query in the global catalog and then returns the results. Without a global catalog server, this query would require a search of every domain in the forest.

The global catalog is a repository of information that contains a subset of the attributes of all objects in Active Directory (the partial attribute set). Members of the Schema Admins group can change which attributes are stored in the global catalog, depending on an organization's requirements; such a change replicates to every global catalog server in the forest. The global catalog contains:
• The attributes that are most frequently used in queries, such as a user's first name, last name, and logon name.
• The information that is necessary to determine the location of any object in the directory.
• A default subset of attributes for each object type.
• The access permissions for each object and attribute that is stored in the global catalog. If you search for an object that you do not have the appropriate permissions to view, the object will not appear in the search results. Access permissions ensure that users can find only objects to which they have been assigned access.

A global catalog server is a domain controller that additionally holds a partial read-only replica of every domain in the forest and answers forest-wide queries on LDAP port 3268 (3269 for LDAP over SSL), alongside the domain-only ports 389 and 636. The first domain controller that you create in a forest automatically becomes a global catalog server. You can configure additional global catalog servers to balance the traffic for logon authentication and queries. The global catalog enables users to perform two important functions:
• Find Active Directory information anywhere in the forest, regardless of the location of the data.
• Use universal group membership information to log on to the network. In a multi-domain forest a domain controller must contact a global catalog server at logon to expand the user's universal group memberships (unless universal group membership caching is enabled for the site), so a site without a reachable global catalog server can end up refusing domain logons.
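As an added example (not part of the course notes), the following PowerShell script inspects the global catalog of the current forest: it lists the GC servers, counts the attributes in the partial attribute set, runs one forest-wide search through the GC port, and checks that Schema Admins, the only group that can change the partial attribute set, is empty. It uses the .NET System.DirectoryServices classes rather than the Active Directory module, so it runs on any domain-joined Windows PowerShell host as an ordinary domain user; the user name 'jsmith' is a placeholder.

```powershell
# Added example, not from the course notes. Assumes a domain-joined machine and
# a domain user account; 'jsmith' is a made-up sAMAccountName.
$forest  = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$rootDse = [ADSI]"LDAP://RootDSE"

# 1. Which domain controllers are global catalog servers
#    (they answer LDAP on 3268/3269 in addition to 389/636).
$gcServers = @($forest.GlobalCatalogs | ForEach-Object { $_.Name })
"GC servers: $($gcServers -join ', ')"

# 2. The partial attribute set: attributeSchema objects flagged
#    isMemberOfPartialAttributeSet. Only Schema Admins can change the flag,
#    and a change replicates to every GC in the forest.
$schemaNc  = [string]$rootDse.schemaNamingContext
$pasSearch = New-Object System.DirectoryServices.DirectorySearcher
$pasSearch.SearchRoot = [ADSI]"LDAP://$schemaNc"
$pasSearch.Filter     = '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))'
$pasSearch.PageSize   = 1000
[void]$pasSearch.PropertiesToLoad.Add('lDAPDisplayName')
$pas = @($pasSearch.FindAll() | ForEach-Object { $_.Properties['ldapdisplayname'][0] })
"Partial attribute set: $($pas.Count) attributes (e.g. $(($pas | Select-Object -First 5) -join ', '))"

# 3. A forest-wide lookup through the GC provider (port 3268) instead of
#    querying each domain in turn. Only PAS attributes can be read this way.
function Find-GcUser {
    param([string]$GcServer, [string]$SamAccountName)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.SearchRoot = [ADSI]"GC://$GcServer"
    $s.Filter     = "(&(objectCategory=person)(sAMAccountName=$SamAccountName))"
    foreach ($a in 'distinguishedName', 'givenName', 'sn') { [void]$s.PropertiesToLoad.Add($a) }
    $s.FindAll() | ForEach-Object { $_.Properties['distinguishedname'][0] }
}
"jsmith found in: " + ((Find-GcUser -GcServer $gcServers[0] -SamAccountName 'jsmith') -join '; ')

# 4. Security check: Schema Admins lives in the forest root domain and should be
#    empty except while a planned schema change is being applied.
$rootDomainDn = 'DC=' + ($forest.RootDomain.Name -replace '\.', ',DC=')
$schemaAdmins = [ADSI]"LDAP://CN=Schema Admins,CN=Users,$rootDomainDn"
$memberCount  = $schemaAdmins.Properties['member'].Count
if ($memberCount -gt 0) { "WARNING: Schema Admins has $memberCount member(s): $($schemaAdmins.Properties['member'] -join '; ')" }
else                    { "Schema Admins is empty (expected)." }
```

The GC:// search root is what makes step 3 forest-wide; the same filter against LDAP:// would only see the local domain, and attributes outside the partial attribute set come back empty from a GC query even when the user has permission to read them.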

Preparing the Servers for Windows 2008
Windows 2000/2003 domains and forests must be prepared for the upgrade to Windows Server 2008. The ADPREP command-line utility extends the schema, updates security on selected objects, and adds new directory objects as required.
• Adprep /forestprep
  • Run first, on the Schema Master
  • Must be a member of Enterprise Admins and Schema Admins (and Domain Admins of the forest root domain) or have delegated authority
  • Make sure this is given time to replicate before proceeding to the domainprep
• Adprep /domainprep
  • Run on the Infrastructure Master in each domain after the forestprep has been completed and given time to replicate
  • Must be a member of Domain Admins or Enterprise Admins or have delegated authority
  • Make sure to give this time to replicate to the other domain controllers before proceeding to upgrade the domain controllers
• Adprep /rodcprep (only if read-only domain controllers will be deployed) updates permissions on the application directory partitions so that RODCs can replicate them

The adprep utility is located on the Windows Server 2008 DVD in the \sources\adprep folder. It is used to prepare a Windows 2000/2003 domain for upgrade to a Windows Server 2008 domain. The utility extends the schema, updates security on selected objects and adds new directory objects when required. It gets the Windows 2000/2003 systems prepared for the new Active Directory features in Windows Server 2008; all Windows 2000 domain controllers must be at Service Pack 4 before it is run. Once the ADPREP changes (both /forestprep and /domainprep) have replicated successfully, the domain controllers can be left running Windows 2000/2003 for an indefinite period of time. Replication of forestprep can be verified by confirming that every domain controller reports the same objectVersion on the schema container (44 for Windows Server 2008); domainprep can be verified through the revision attribute of CN=ActiveDirectoryUpdate,CN=DomainUpdates,CN=System in each domain.
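As an added example (not part of the course notes), the following PowerShell script performs the pre-flight checks implied by the steps above: it identifies the domain controllers on which each adprep switch has to run, prints the current functional levels, and reads the schema objectVersion from every domain controller so that /domainprep is not started before /forestprep has replicated everywhere. It uses only the .NET System.DirectoryServices classes and therefore runs from any domain-joined Windows PowerShell host; no server or forest names are assumed, and 44 is the Windows Server 2008 schema version.

```powershell
# Added example, not from the course notes. Run from any domain-joined machine as
# a domain user (reading the schema requires no special rights).
$forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
$schemaNc = [string]([ADSI]"LDAP://RootDSE").schemaNamingContext

# Schema objectVersion values: 13 = Windows 2000, 30 = 2003, 31 = 2003 R2,
# 44 = 2008, 47 = 2008 R2. /forestprep from the 2008 DVD raises it to 44.
$expectedAfterForestPrep = 44

# 1. Where each adprep switch must be run, plus the current functional levels.
"Forest {0} ({1}); schema master: {2}" -f $forest.Name, $forest.ForestMode, $forest.SchemaRoleOwner.Name
foreach ($d in $forest.Domains) {
    "Domain {0} ({1}); infrastructure master: {2}" -f $d.Name, $d.DomainMode, $d.InfrastructureRoleOwner.Name
}

# 2. Read the schema container's objectVersion directly from every DC. A DC that
#    cannot be reached is reported with no version and counts as not ready.
function Get-SchemaVersionPerDc {
    $result = @{}
    foreach ($d in $forest.Domains) {
        foreach ($dc in $d.DomainControllers) {
            try {
                $entry = [ADSI]"LDAP://$($dc.Name)/$schemaNc"
                $result[$dc.Name] = [int]$entry.objectVersion
            } catch {
                $result[$dc.Name] = $null
            }
        }
    }
    return $result
}

$versions = Get-SchemaVersionPerDc
$versions.GetEnumerator() | Sort-Object Name | ForEach-Object {
    "{0,-45} schema objectVersion = {1}" -f $_.Name, $_.Value
}

$notReady = @($versions.GetEnumerator() | Where-Object { $_.Value -ne $expectedAfterForestPrep })
if ($notReady.Count -eq 0) {
    "All DCs report schema version $expectedAfterForestPrep; safe to run adprep /domainprep."
} else {
    "Not consistent yet; wait for replication or investigate: " + (($notReady | ForEach-Object { $_.Name }) -join ', ')
}
```

Reading objectVersion from each DC individually, rather than once from the nearest DC, is the point: the schema master shows 44 the moment /forestprep finishes, while a DC in a remote site keeps reporting the old value until the change has replicated across the site link.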

Installing Active Directory with DCPromo
• Server Manager: add the Active Directory Domain Services role, then run DCPromo to promote the server
• Answer file to perform an unattended installation (part of DCPromo: dcpromo /unattend:<file>)
• Install from Media (IFM), from a network share or removable media
  • Reduces replication traffic when installing DCs in remote offices
  • In Windows Server 2008 the media is created on an existing domain controller with ntdsutil's ifm command, instead of from a system state backup
  • Start > Run > dcpromo /adv

References to old DCs must be removed with NTDSUtil > metadata cleanup before a DC name can be re-used. ADSIZER.exe estimates hardware requirements for deploying Active Directory in your organization.

The wizard will walk through the creation of the domain. Several choices must be made, including whether it is a new domain or a replica in an existing domain, a new tree or a child domain of an existing tree, and a new forest or a member of an existing forest. The windows that follow depend on the selections made. The server will look for a DNS server that is authoritative for the zone for that domain. If none is found, DNS can be installed as part of the wizard; it will create an AD-integrated zone with the domain name as the zone name. If DNS has already been configured and the wizard just doesn't find it, select not to install DNS and configure it later. Make sure the DNS server address is correct in the IP settings.

New domain, new tree, new forest: the domain controller is the forest root server. It will install Active Directory, create the Global Catalog, create the Schema, hold all FSMO roles, and create the Enterprise Admins and Schema Admins groups, which exist only in the forest root domain. No domain credentials are required to complete the installation (the local Administrator account is sufficient). The DNS name of this domain also becomes the name of the forest.

New domain, new tree, existing forest: the domain controller will become the tree root. The name of the domain will be verified with the Domain Naming Master. Active Directory will be installed and the Schema and Configuration partitions will be replicated from the forest root. Only the domain FSMO roles will be created. Enterprise Admins credentials must be provided in order to complete the installation. DNS is also required.

New domain, existing tree: the domain controller will become the first domain controller for a child domain. The tree root domain must be specified along with the child name. The Domain Naming Master must verify that the name is unique. AD is installed and the domain FSMO roles created. It will also obtain the Schema and Configuration partitions from the forest root. Enterprise Admins credentials must be provided in order to complete the installation. DNS is also required.

Existing domain: the domain controller becomes an additional domain controller in an existing domain. The domain name must be specified along with Domain Admins credentials. AD is installed and it receives all its information by replicating with an existing domain controller in the domain.

NOTE: DCPROMO is also used to remove Active Directory. When the command is run on a domain controller, the system detects that it is already a domain controller and starts the wizard to remove Active Directory.

After installing a domain controller, the settings for that domain controller can be saved as an answer file through the wizard.

Install from Media: use recently created media, from a network share or removable media, to install Active Directory. It must come from a domain controller in the same domain, and it cannot be older than the tombstone lifetime (60 days in forests created before Windows Server 2003 SP1, 180 days otherwise); older media is refused because it could reintroduce objects that have since been deleted (lingering objects). The more recent the media, the less replication traffic will be created during synchronization of the new domain controller after AD installation. Because the media contains a copy of ntds.dit, and with it every password hash in the domain, it must be transported and stored as a secret and destroyed after use. At the Run command, type DCPromo /adv.

Windows 2008 Domain Decisions
When installing Active Directory, there are three decision points that need to be considered. The first is whether you are creating a domain controller in a new domain or a domain controller in an existing domain. If creating in an existing domain, you will be required to select the domain and provide the proper credentials (Domain Admins) to join that domain. If a new domain is selected, the next decision is whether it will be a new tree or part of an existing tree (a child domain). Once the decision is made to become part of an existing tree, the tree root and the desired child name will need to be selected, along with the proper credentials (Enterprise Admins) in order to join. If creating a new tree, the last decision point is whether to create a new forest or become part of an existing forest. If a new forest, the domain name will also become the name of the forest; changing it later requires the domain rename procedure (rendom, available at the Windows Server 2003 forest functional level), which is disruptive enough that the name should be treated as permanent. If joining an existing forest, proper credentials (Enterprise Admins) must be provided to join the tree to the forest. The new domain will become the tree root.

System Changes with AD Install
• AD consoles in Administrative Tools:
  • dsa.msc: Active Directory Users and Computers
  • dssite.msc: Active Directory Sites and Services
  • domain.msc: Active Directory Domains and Trusts
• SYSVOL folder created
• Permissions on system files modified
• The Active Directory database, ntds.dit, and log files created
  • If possible put them on separate hard disks for better performance
  • Transaction logs: write operations (RAID-1)
  • Database: read/write operations (RAID-5)
• NTDSUTIL allows management of ntds.dit (move, compact, etc.)
• Server account placed in the Domain Controllers OU
• Local user and computer accounts no longer available

There are some noticeable system changes after the installation of Active Directory, most notably the additional administrative tools: Active Directory Users and Computers, Active Directory Domains and Trusts, and Active Directory Sites and Services. Digging a little further into a system that has been promoted to a domain controller you will find ntds.dit, the Active Directory database. "NTDS" refers to NT Directory Services and "dit" stands for "directory information tree." For optimal performance of the Active Directory database you should spread the information across multiple physical hard drives; the Active Directory database should be separate from the Active Directory transaction logs. By default each new domain controller is automatically placed into the Domain Controllers organizational unit underneath the domain object. After converting a system into a domain controller it no longer uses a local user and computer accounts database (SAM) for logons; the SAM is kept only for Directory Services Restore Mode, whose administrator password is set during DCPromo. Because ntds.dit contains the password hashes of every account in the domain, the database file, its backups and any install-from-media copies must be protected as carefully as the domain controllers themselves.
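As an added example (not part of the course notes), the following PowerShell script shows the ntds.dit maintenance that the list above mentions: stopping AD DS (restartable in Windows Server 2008, so no reboot into DSRM is needed), checking integrity, compacting the database offline with ntdsutil, and relocating database and logs to separate disks. The paths C:\NTDS-compact, C:\NTDS-backup, D:\NTDS and E:\NTDSLogs are placeholders.

```powershell
# Added example, not from the course notes. Run elevated on the domain controller;
# all paths are placeholders.

# Stop AD DS. Dependent services (KDC, DNS, DFSR/FRS, ...) stop with it, and /y
# answers the confirmation prompt. Clients fail over to other DCs meanwhile.
net stop ntds /y

# Consistency check first; abort the maintenance if it reports problems.
ntdsutil "activate instance ntds" files integrity quit quit

# Offline defragmentation writes a compacted copy into a new directory; the
# live ntds.dit is not touched until we copy the result back.
ntdsutil "activate instance ntds" files "compact to C:\NTDS-compact" quit quit

# Keep the original until the DC has started cleanly, then swap in the copy and
# discard the transaction logs that belong to the old file.
New-Item -ItemType Directory -Path C:\NTDS-backup -Force | Out-Null
Copy-Item C:\Windows\NTDS\ntds.dit C:\NTDS-backup\ntds.dit
Copy-Item C:\NTDS-compact\ntds.dit C:\Windows\NTDS\ntds.dit -Force
Remove-Item C:\Windows\NTDS\*.log

# Alternative to compacting: move database and logs to separate spindles, as the
# notes recommend (ntdsutil updates the registry paths for you).
# ntdsutil "activate instance ntds" files "move DB to D:\NTDS" quit quit
# ntdsutil "activate instance ntds" files "move logs to E:\NTDSLogs" quit quit

net start ntds

# C:\NTDS-compact and C:\NTDS-backup are full copies of the directory, password
# hashes included. Remove them as soon as the DC is confirmed healthy.
```

Every copy of ntds.dit made during this kind of maintenance is as sensitive as the domain controller itself: together with the SYSTEM registry hive it yields every account's password hash offline, which is why the temporary directories are deleted at the end rather than left behind "just in case".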

Domain Functional Levels
Windows 2000 Native
• Universal groups are enabled for both distribution groups and security groups. • Group nesting. • Group conversion is enabled, which makes conversion between security groups and distribution groups possible. • Security identifier (SID) history.

Windows Server 2003
• The availability of the domain management tool, netdom.exe, to prepare for domain controller rename.
• Update of the logon time stamp. The lastLogonTimestamp attribute will be updated with the last logon time of the user or computer. This attribute is replicated within the domain (unlike lastLogon, which each domain controller keeps for itself); to limit replication traffic it is rewritten only when the stored value is more than 14 days old by default, so it is accurate to about two weeks and is suited to stale-account reports rather than forensics.
• The ability to set the userPassword attribute as the effective password on inetOrgPerson and user objects.
• The ability to redirect the Users and Computers containers. By default, two well-known containers are provided for housing computer and user/group accounts: namely, cn=Computers,<domain root> and cn=Users,<domain root>. This feature makes possible the definition of a new well-known location for these accounts.
• Makes it possible for Authorization Manager to store its authorization policies in Active Directory Domain Services (AD DS).
• Includes constrained delegation so that applications can take advantage of the secure delegation of user credentials by means of the Kerberos authentication protocol. Delegation can be configured to be allowed only to specific destination services, instead of the older unconstrained "trusted for delegation" setting, which lets a service impersonate its users to any service in the forest.
• Supports selective authentication, through which it is possible to specify the users and groups from a trusted forest who are allowed to authenticate to resource servers in a trusting forest.
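As an added example (not part of the course notes), the following PowerShell script audits two of the features listed above on the current domain: it reports which non-DC accounts are trusted for unconstrained delegation, prints the allow-list of every account configured for constrained delegation, and uses lastLogonTimestamp to find accounts that have not logged on for a given number of days. It uses the [adsisearcher] accelerator, so it needs no Active Directory module; no server names or accounts are assumed.

```powershell
# Added example, not from the course notes. Runs as any domain user on a
# domain-joined machine; results are read-only.
$TRUSTED_FOR_DELEGATION = 0x80000   # userAccountControl: unconstrained delegation
$SERVER_TRUST_ACCOUNT   = 0x2000    # userAccountControl: domain controller account
$ACCOUNTDISABLE         = 0x2
$bitAnd = '1.2.840.113556.1.4.803'  # LDAP matching rule: bitwise AND

function Search-Ad {
    param([string]$Filter, [string[]]$Attributes)
    $s = [adsisearcher]$Filter       # search root defaults to the current domain
    $s.PageSize = 1000
    foreach ($a in $Attributes) { [void]$s.PropertiesToLoad.Add($a) }
    $s.FindAll()
}

# 1. Unconstrained delegation on anything that is not a domain controller.
#    A service on such a host can reuse the TGT of every user who connects to it,
#    so each hit should be justified or moved to constrained delegation.
$unconstrained = Search-Ad "(&(userAccountControl:$bitAnd:=$TRUSTED_FOR_DELEGATION)(!(userAccountControl:$bitAnd:=$SERVER_TRUST_ACCOUNT)))" 'sAMAccountName'
"Unconstrained delegation (non-DC): " + (@($unconstrained | ForEach-Object { $_.Properties['samaccountname'][0] }) -join ', ')

# 2. Constrained delegation (the Windows Server 2003 DFL feature): delegation is
#    allowed only to the SPNs in msDS-AllowedToDelegateTo. Review the lists.
$constrained = Search-Ad '(msDS-AllowedToDelegateTo=*)' 'sAMAccountName', 'msDS-AllowedToDelegateTo'
foreach ($r in $constrained) {
    "{0} -> {1}" -f $r.Properties['samaccountname'][0], (@($r.Properties['msds-allowedtodelegateto'] | ForEach-Object { $_ }) -join '; ')
}

# 3. Stale accounts. lastLogonTimestamp is a FILETIME (100 ns ticks since 1601)
#    and is only refreshed when older than 14 days, so treat the result as
#    "no logon in roughly N days". Accounts that never logged on have no value
#    and are not matched by this filter.
function Get-StaleAccounts {
    param([int]$StaleDays = 90)
    $cutoff = (Get-Date).AddDays(-$StaleDays).ToFileTimeUtc()
    $filter = "(&(objectCategory=person)(objectClass=user)(lastLogonTimestamp<=$cutoff)(!(userAccountControl:$bitAnd:=$ACCOUNTDISABLE)))"
    Search-Ad $filter 'sAMAccountName', 'lastLogonTimestamp' | ForEach-Object {
        New-Object PSObject -Property @{
            Account   = $_.Properties['samaccountname'][0]
            LastLogon = [DateTime]::FromFileTimeUtc([int64]$_.Properties['lastlogontimestamp'][0])
        }
    }
}
Get-StaleAccounts -StaleDays 90 | Sort-Object LastLogon | Format-Table Account, LastLogon -AutoSize
```

The delegation checks are the security-relevant half: an account flagged for unconstrained delegation is effectively a credential-harvesting point, whereas a constrained account can only obtain tickets for the SPNs in its allow-list, which is the whole reason the Windows Server 2003 domain functional level introduced the setting.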

Windows Server 2008
• Distributed File System Replication (DFS-R) support for SYSVOL, providing more robust and detailed replication of SYSVOL contents.
• Advanced Encryption Standard (AES 128 and AES 256) support for the Kerberos protocol.

• Last Interactive Logon Information, which displays the time of the last successful interactive logon for a user, from what workstation, and the number of failed logon attempts since the last logon.
• Fine-grained password policies, which make it possible for password and account lockout policies to be specified for users and global security groups in a domain (not for organizational units); when several policies apply to a user, the one with the lowest precedence value wins.
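As an added example (not part of the course notes), the following PowerShell script creates a fine-grained password policy for a privileged group and then verifies which policy a given user actually receives. It requires the Active Directory PowerShell module (Windows Server 2008 R2 or RSAT) and a domain at the Windows Server 2008 domain functional level; the group 'Tier0-Admins', the user 'jsmith' and the policy values are placeholders chosen for the example.

```powershell
# Added example, not from the course notes. Names and values are placeholders.
Import-Module ActiveDirectory

# Password Settings Objects exist only at the Windows Server 2008 DFL or higher.
$domain = Get-ADDomain
if ($domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Fine-grained password policies need the Windows Server 2008 domain functional level; current: $($dom
ain.DomainMode)"
}

# A stricter policy for administrative accounts. Precedence: lower number wins
# when a user is covered by more than one PSO.
New-ADFineGrainedPasswordPolicy -Name 'PSO-Tier0-Admins' -Precedence 10 `
    -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
    -MinPasswordLength 15 -PasswordHistoryCount 24 `
    -MinPasswordAge '1.00:00:00' -MaxPasswordAge '60.00:00:00' `
    -LockoutThreshold 5 -LockoutObservationWindow '0.00:30:00' -LockoutDuration '0.00:30:00'

# PSOs apply to users and global security groups only, never to OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO-Tier0-Admins' -Subjects 'Tier0-Admins'

# Verify: the resultant policy for a member. An empty result means the user is
# not covered by any PSO and the Default Domain Policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'jsmith' |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, LockoutThreshold

# The policy object itself (msDS-PasswordSettings under the Password Settings Container)
# and the principals it applies to.
Get-ADFineGrainedPasswordPolicy -Identity 'PSO-Tier0-Admins' -Properties AppliesTo |
    Select-Object DistinguishedName, Precedence, AppliesTo
```

Checking the resultant policy is the step that is easy to skip: a PSO attached to a group only takes effect for members of a global security group, so a nested domain local or universal group, or a user added directly to the wrong group, silently leaves the account on the weaker default domain policy.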

Forest Functional Levels
Windows Server 2003
• Forest trust.
• Domain rename.

• Linked-value replication: changes in group membership store and replicate values for individual members instead of replicating the entire membership as a single unit. This results in lower network bandwidth and processor usage during replication and eliminates the possibility of lost updates when different members are added or removed concurrently at different domain controllers.
• The ability to deploy a read-only domain controller (RODC) that runs Windows Server 2008.
• Improved Knowledge Consistency Checker (KCC) algorithms and scalability. The Intersite Topology Generator (ISTG) uses improved algorithms that scale to support forests with a greater number of sites than can be supported at the Windows 2000 forest functional level. The improved ISTG election algorithm is a less intrusive mechanism for choosing the ISTG than the one used at the Windows 2000 forest functional level.
• The ability to create instances of the dynamic auxiliary class called dynamicObject in a domain directory partition.
• The ability to convert an inetOrgPerson object instance into a User object instance and the reverse.
• The ability to create instances of the new group types, called application basic groups and Lightweight Directory Access Protocol (LDAP) query groups, to support role-based authorization.
• Deactivation and redefinition of attributes and classes in the schema.

Windows Server 2008
This functional level provides all the features that are available at the Windows Server 2003 forest functional level, but no additional features. All domains that are subsequently added to the forest, however, will operate at the Windows Server 2008 domain functional level by default. Raising it requires every domain in the forest to be at the Windows Server 2008 domain functional level (and therefore every domain controller to run Windows Server 2008), and in Windows Server 2008 a raised domain or forest functional level cannot be lowered again.

Implementing, Managing, and Maintaining Name Resolution DNS Namespace
• Domain Namespace is a hierarchical name structure
• "." (the root) is the starting point
• Primary DNS suffix (e.g. domain.com)
• Hostname (e.g. www or JT-laptop)
• Characters a-z, A-Z, 0-9 and hyphens; each label at most 63 characters, the whole name at most 255 characters
• Not case sensitive
• Period between labels; no spaces
• FQDN - Fully Qualified Domain Name (e.g. www.domain.com)
  • Identifies the computer in the namespace
  • Host name + domain name together
• Naming options
  • Keep the name as simple as possible
  • Use .net or .local to keep it separate from the Internet domain name

The namespace for a domain has a hierarchical name structure. Each layer represents a different part of the name. partnering.one.microsoft.com would be the namespace used to represent the server "partnering". The root at the top of the hierarchy is the top of the name chain; no other namespace exists beyond the root. The '.' is normally invisible at the end of every full name, but it can be seen within zone files. The root servers keep track of all the top-level domains. The top-level domains (.com, .org, .net) keep track of all the domain names. When a domain name is registered, the corresponding top-level domain knows the second-level domain information and the addresses of the DNS servers that are authoritative for the domain name. Both the root and the top-level domains are publicly managed layers. The second-level and lower layers are managed by private entities such as companies and government agencies. There can be a difference between the public and the private domain namespace. The namespace known to the public is the public namespace, with public IP addresses. The private namespace represents the internal network and private IP addressing. They can be the same namespace if internal and external DNS servers are kept separate behind a firewall so that internal names and addresses are never published externally (split-brain DNS). In most cases, the public name and the private name will differ slightly.

Primary DNS suffix:
This is set to the DNS name of the AD domain to which the computer joins. It can be specified by a GPO (the Primary DNS Suffix policy) or on the individual computer (System Properties > Computer Name > Change > More). DHCP scope option 015 supplies only a connection-specific DNS suffix, not the primary suffix.

FQDN Rules:
The FQDN can be viewed by using the IPCONFIG /ALL command at a prompt (host name plus primary DNS suffix) or by opening the properties of the My Computer icon. One important difference between NetBIOS names and an FQDN is that a NetBIOS name cannot begin with a number. An FQDN is limited to 255 characters, with at most 63 characters per label; the FQDN of a domain controller is limited to 155 characters. To read an FQDN, start from the right, beginning with the invisible '.', and proceed to the far left, which is the host name.

NetBIOS Names
• Characters a-z, A-Z, 0-9 and hyphens (not case sensitive)
• Cannot begin with a number
• No more than 15 characters; a 16th character is automatically added to identify the service
• Spaces are OK
• Not case-sensitive, but always displayed in all capital letters

During the creation of an Active Directory domain, that domain must be provided with DNS and NetBIOS domain names. After a DNS name is chosen for the domain, a NetBIOS name is automatically proposed from the first 15 characters of the leftmost label of the DNS name (so engineeringservices.contoso.com would become ENGINEERINGSERV). All NetBIOS names must be unique, so the wizard will not allow the domain to have a duplicate NetBIOS name; if the first 15 characters are exactly the same as an existing name, it gives an error and the administrator must alter the name in some manner. NetBIOS is a flat naming structure and it doesn't distinguish between domain, computer or user names. If there is already a NetBIOS name of CHARLES for a domain, a computer or user cannot have a NetBIOS name of CHARLES.
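As an added example (not part of the course notes), the following PowerShell functions check a proposed domain DNS name against the rules listed above, derive the default NetBIOS name that DCPromo would propose (leftmost label, first 15 characters, upper case), and flag candidates whose NetBIOS names would collide after truncation. The candidate names are made up for the example.

```powershell
# Added example, not from the course notes. Candidate names below are constructed.

function Test-DnsDomainName {
    param([Parameter(Mandatory = $true)][string]$Name)
    $problems = @()
    $n = $Name.TrimEnd('.')                                  # trailing root dot is implicit
    if ($n.Length -gt 255) { $problems += 'FQDN longer than 255 characters' }
    foreach ($label in $n.Split('.')) {
        if ($label.Length -eq 0 -or $label.Length -gt 63) {
            $problems += "label '$label' must be 1-63 characters"
        } elseif ($label -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?$') {
            $problems += "label '$label' may only use a-z, 0-9 and hyphens (not at either end)"
        }
    }
    if ($n.Split('.').Count -lt 2) { $problems += 'single-label domain names are not recommended for AD' }
    New-Object PSObject -Property @{
        Name     = $Name
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

function Get-DefaultNetbiosName {
    param([Parameter(Mandatory = $true)][string]$DnsName)
    $first = $DnsName.Split('.')[0]
    if ($first.Length -gt 15) { $first = $first.Substring(0, 15) }
    $first.ToUpperInvariant()
}

# Constructed candidates: the third and fourth share their first 15 characters,
# the last one contains an underscore.
$candidates = 'corp.fabrikam.com',
              'research.fabrikam.com',
              'engineeringservices.contoso.local',
              'engineeringservices2.contoso.local',
              'bad_name.contoso.local'

$candidates | ForEach-Object { Test-DnsDomainName -Name $_ } |
    Format-Table Name, Valid, Problems -AutoSize

# NetBIOS collisions: two DNS names mapping to the same 15-character name cannot
# both become domains (the wizard would reject the second one).
$candidates | Group-Object { Get-DefaultNetbiosName -DnsName $_ } |
    Where-Object { $_.Count -gt 1 } |
    ForEach-Object { "NetBIOS name {0} would be shared by: {1}" -f $_.Name, ($_.Group -join ', ') }
```

Run against the constructed list, the two engineeringservices names are both valid DNS names but resolve to the same NetBIOS name ENGINEERINGSERV, and bad_name fails the label rule; that is the check worth doing on paper before the first DCPromo, since a NetBIOS domain name is as hard to change afterwards as the DNS name.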

How to Get a Domain Name
Domain names must be registered with an appropriate authority so that the name is guaranteed to be unique across the entire Internet. If you are planning on using a domain name for your company and you plan to connect to the Internet, you should check to be sure the name has not already been registered by another company.

Some Basic DNS Naming Guidelines
• Avoid namespaces that are too long or complicated. If the root of the domain is three levels deep, adding further domains might become unwieldy and difficult for users to remember.
• Delegate a sub-domain to maintain a single, manageable DNS hierarchy. Useful when you need to leave an old DNS structure in place to support external resources (Web) but want to manage both namespaces together.
• Register your internal namespace with a domain registrar. A simple solution is to register both "company.com" and "company.net" on the Internet, but reserve the .net name for internal usage. The disadvantage of this is the need to maintain two separate namespaces.
• Use .net or .local to separate your public domain namespace and the private namespace. Note that .local has since been reserved for multicast DNS (RFC 6762), so a registered name (or a sub-domain of one, such as corp.company.com) that nobody else can obtain is the safer choice; a private name that is never registered can be registered by someone else later.

DNS Zones
A zone is a database file representing a portion of the namespace.
• Divided up based on the needs of the network
• Single zone for the root domain with subdomains for each child domain
• Single zone for the root domain and one subdomain for one child, with a separate zone for the other child domain
• There cannot be a zone holding two subdomains without their parent

A zone is a portion of the namespace that has a database file generated in DNS to support name registration and name resolution for that zone. The namespace can be divided based on the needs of the network. A DNS domain is a portion of the namespace which allows multiple computers to have a name in common. A zone must contain at least one domain and may contain multiple domains.

E.g. the left half of the slide shows one zone "fabrikam.com" which includes the parent domain fabrikam.com and two child domains, research and training. All records ending in fabrikam.com, research.fabrikam.com, or training.fabrikam.com will be found in a single zone file. The right half of the slide shows two zones. The first zone is called fabrikam.com and has two domains, fabrikam.com and research.fabrikam.com. The second zone has the single domain training.fabrikam.com. Any records ending in .training.fabrikam.com are only on the DNS server shown in the training.fabrikam.com domain, and the parent zone holds a delegation (NS records, plus glue A records) pointing at that server. Zones are often divided like this to reduce bandwidth consumption, allow for localized administration of DNS records, or to accommodate differences that preclude sharing a single file between multiple entities.

Domains for an Active Directory tree can share the same zone. Since the parent and child domains all share the same namespace (the name of the parent), the parent will have an authoritative server responsible for the entire namespace. If it is a larger network and the infrastructure plan is to allow one of the child domains to take care of its own namespace, a zone can be designated for just that child domain. A zone cannot hold two child domains together without the parent: they no longer have a common namespace (the parent is no longer involved), so they are not allowed to share a zone. When creating zones, a parent must be with a child or a child can stand alone. The zone name and the domain name match. Even though we have two separate naming structures, an Active Directory namespace which represents objects in Active Directory and DNS naming which represents resource records, the names look the same. On domain controllers the zones should be Active Directory-integrated: the records are then stored and replicated in the directory, and dynamic updates can be restricted to secure updates, so that only the authenticated computer that registered a record can change it.

See also: DNS Namespace Planning (KB25468)

19 August 2010

00:23

28 of 233

38676182.doc

DNS Name Resolution - Forward Lookup
• DNS on TCP 53 and UDP 53 must be allowed through a router or firewall
• Forward Lookup provides name to IP address resolution with:
  o Recursive - full name query (all or nothing)
  o Iterative - query answered a piece at a time (an answer or a referral from each server)

There are two categories of zones in DNS: Forward Lookup and Reverse Lookup. Forward Lookup zones provide hostname to IP address resolution; this category is required. Reverse Lookup zones provide IP address to hostname resolution; they are optional, but must be created for some tools to function (nslookup, for example, looks up the PTR record of the server it is about to use and complains when there is none). When trying to resolve a hostname, the resolver (client) first checks its own DNS cache; if that fails, it sends the query to its Preferred DNS server as a Recursive (full name) query.

DNS Query Types
Recursive Query: A recursive query is a full name query, usually made from the client to its DNS server. The client expects a final answer for the full name: either the IP address to connect to or a failure message. The resolver has instructed the name server to go all the way up to the Root name servers on its behalf if necessary. Recursive resolution is normally the responsibility of the Preferred DNS server.

Iterative Query: An iterative query asks a server for the best answer it already has. The full name is sent each time, but each server either answers from its own zone data or returns a referral to the name servers one level closer to the authoritative zone. The process of iteration therefore works through the name one piece at a time, starting with a root server and working down, until the DNS server that is authoritative for the full name is located and returns the IP address. These queries take place between DNS servers.

Inverse Query: Inverse queries use the IP address to make a request instead of an FQDN, and the FQDN is returned by the server. In practice this is done with an ordinary query for a PTR record in the reverse lookup zone (in-addr.arpa); the original DNS inverse query opcode was made obsolete by RFC 3425 and is not what current resolvers use.

DNS Name Resolution Failure
Name resolution on a Windows client proceeds in the following order. If DNS name resolution fails and NetBIOS over TCP/IP (WINS) is enabled on the client, the client continues with the NetBIOS methods, which are only attempted for names of 15 characters or fewer:
1. Resolver cache (the HOSTS text file on the local system is preloaded into it)
2. DNS
3. NetBIOS name cache
4. WINS (NetBIOS name to IP address)
5. Broadcast
6. LMHOSTS (text file on local system)

Resolver Cache
Each time a client receives an answer to a DNS query from a DNS server, an entry is made in the resolver's cache. The next time the client needs to resolve a name, it checks its cache to see if it has already resolved this name in the recent past (negative answers are cached as well, for a shorter time). The resolver cache is cleared and the HOSTS file's contents are reloaded into it each time the computer is booted, and the cache is also updated each time the HOSTS file is saved. The HOSTS file is a text file on the local system. It can provide hostname to IP address resolution, but each entry must be entered manually; to use the HOSTS file in a domain, the file must be modified on each machine. To display the resolver cache, type ipconfig /displaydns. To clear this cache, type ipconfig /flushdns.

Name Resolution
• HOSTS File - Static, manually managed text file of name-to-IP mappings
• DNS Server is a distributed database made up of Resource Records (RRs):
  o A (Host): name to IP resolution for computers and printers
  o AAAA: equivalent of A records, but for IPv6
  o PTR (pointer): IP to name resolution
  o NS (name server): used to identify authoritative DNS servers
  o SOA (start of authority): used to provide configuration to secondary zones
  o SRV (service locator): used to locate Kerberos, GC, LDAP
  o MX (mail exchanger): identifies mail servers
  o CNAME (canonical name): aliases, helpful for server consolidation
  o WINSLookup: required to integrate WINS with DNS for down-level clients

There are two ways to provide name resolution to clients in a Windows Server 2008 network: the Hosts file or a DNS server. The Hosts file is a text-based file that can have mappings entered for name to IP resolution. All entries are made manually and the file must be maintained on each client. This could be useful if a specific name to IP address mapping is needed on an individual system and not wanted on the remaining systems. Since the Hosts file is checked before going to the DNS server, it provides a way of making this type of specialized entry.

The HOSTS file is located in the %systemroot%\system32\drivers\etc\ folder (the same layout as /etc/hosts on UNIX). Open it in a text editor (Notepad) and modify accordingly. Notice the number sign (#) at the beginning of some of the lines; it marks a comment, and those lines are documentation only. The loopback address is in the Hosts file by default as localhost, so at a command prompt, ping localhost resolves to 127.0.0.1. After making entries, save the text file under the same name, "hosts", and do not let the editor add a file extension or the file will not be used. Since the local system checks the Hosts file and cache before DNS, any entry in the Hosts file is used instead of the DNS server's record. A stale entry in the Hosts file will leave the client unable to reach the server even when that server's record is current in the DNS zones. For the same reason a modified Hosts file is a common way for malware to redirect or block names (update servers, for example), so the file should stay writable only by administrators, which is the default, and should be checked whenever a single machine resolves a name differently from the rest of the network. The DNS server provides a centralized database for all clients to register in and use to resolve hostnames. This can be a dynamic environment, if configured properly, where the resource records are automatically recorded in the proper zone for each client. It is a far better way to maintain a name resolution environment than distributed Hosts files.
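The resolution order above (resolver cache with HOSTS entries, DNS, NetBIOS cache, WINS, broadcast, LMHOSTS) and the HOSTS override, as an added example that is not part of the course material. The HOSTS text, the DNS answers and the WINS table are constructed sample data; hosts_overrides is the check for stale or tampered HOSTS entries, reported by comparing each entry with what DNS would answer.

```python
"""Name resolution order on a Windows client, with a HOSTS file override.

Added example, not part of the course material. SAMPLE_HOSTS, DNS_ZONE and
WINS_DB are constructed sample data standing in for the real HOSTS file, the
preferred DNS server and a WINS server.
"""

SAMPLE_HOSTS = """\
# Constructed sample of %systemroot%\\system32\\drivers\\etc\\hosts
# Lines starting with '#' are comments and are ignored by the resolver.
127.0.0.1       localhost
::1             localhost
192.168.1.10    dc1.fabrikam.com        dc1
192.168.1.50    fileserver.fabrikam.com fileserver   # stale: host moved to .60
"""

# What the preferred DNS server answers (constructed zone data).
DNS_ZONE = {
    "dc1.fabrikam.com": "192.168.1.10",
    "fileserver.fabrikam.com": "192.168.1.60",
    "www.fabrikam.com": "192.168.1.80",
}
# NetBIOS name -> IP on a WINS server (constructed).
WINS_DB = {"PRINTSRV": "192.168.1.90"}


def parse_hosts(text):
    """Parse HOSTS text into {name: ip}. The first entry for a name wins."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue                              # malformed line, ignored
        ip, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), ip)
    return table


def netbios_name(name):
    """NetBIOS resolution is only attempted for single-label names of
    15 characters or fewer; returns the NetBIOS form or None."""
    if "." in name or len(name) > 15:
        return None
    return name.upper()


def resolve(name, hosts, dns_cache, dns_zone, netbios_cache, wins):
    """Walk the client's lookup order; return (source, ip) or (None, None).

    Order: resolver cache (HOSTS entries are preloaded into it), DNS,
    NetBIOS name cache, WINS, broadcast, LMHOSTS. Broadcast and LMHOSTS are
    modelled as always failing here.
    """
    key = name.lower().rstrip(".")
    if key in hosts:                        # HOSTS wins over DNS, even when stale
        return ("hosts", hosts[key])
    if key in dns_cache:
        return ("cache", dns_cache[key])
    if key in dns_zone:                     # recursive query to the preferred server
        dns_cache[key] = dns_zone[key]      # positive answer is cached
        return ("dns", dns_zone[key])
    nb = netbios_name(key)
    if nb is None:
        return (None, None)
    if nb in netbios_cache:
        return ("netbios-cache", netbios_cache[nb])
    if nb in wins:
        netbios_cache[nb] = wins[nb]
        return ("wins", wins[nb])
    return (None, None)                     # broadcast and LMHOSTS: no answer


def hosts_overrides(hosts, dns_zone):
    """Names whose HOSTS entry disagrees with DNS: stale or tampered entries."""
    return sorted(
        (name, ip, dns_zone[name])
        for name, ip in hosts.items()
        if name in dns_zone and dns_zone[name] != ip
    )


if __name__ == "__main__":
    hosts = parse_hosts(SAMPLE_HOSTS)
    cache, nb_cache = {}, {}
    for n in ("fileserver.fabrikam.com", "www.fabrikam.com",
              "www.fabrikam.com", "printsrv", "printsrv"):
        print(n, resolve(n, hosts, cache, DNS_ZONE, nb_cache, WINS_DB))
    print("HOSTS overrides:", hosts_overrides(hosts, DNS_ZONE))
```

Run it and the stale fileserver entry is answered from HOSTS with the old address even though DNS holds the current one, which is exactly the case described above; www.fabrikam.com is answered by DNS once and from the cache afterwards, and the single-label printsrv falls through to WINS and then to the NetBIOS cache.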

Resource Records
The resource records are the entries made in the DNS server to represent hosts, services and other DNS-specific items. The most common resource records are listed below.

A - Host record, maps an FQDN to an IP address.
PTR - Pointer record, maps an IP address to an FQDN (allows reverse lookups).
CNAME - Canonical name, maps an alias to the actual A record.
SOA - Identifies key information about a zone, including the primary authoritative server, the serial number, and the refresh, retry, expire and minimum TTL timers used by secondary servers.
NS - Identifies a name server that can answer queries for that zone.
SRV - Identifies services within a specific domain, including the domain, domain controllers and sites. These records are required for Active Directory.
MX - Identifies a mail server for a particular domain name. Needed for UNIX Sendmail, MS Exchange, Novell GroupWise and other Mail Transfer Agents.

Some of the records are created automatically. If it is necessary to create a resource record manually, right-click the zone where the record is needed and select the appropriate record type. The A (host) record, and its IPv6 equivalent AAAA, is the only record that carries an actual IP address; the remaining records point to a hostname that must in turn resolve through an A record. Because of this, if the A (host) record is not correct, the other records pointing to it will not function properly.

SRV Records
The SRV records are a very important part of the DNS server. They are created when Active Directory is installed and the domain is created. The information contained in the SRV records includes domain records, a listing of the domain controllers in each domain, the site structure (associating domain controllers with the correct site), and pointers and information regarding other services. This information is required when joining host systems to the domain, creating a new domain controller in the domain, a computer or user performing a network logon, and connecting to various services within the Active Directory structure such as the Global Catalog. If the SRV records are not available and accurate, these operations will not work properly, if at all. Put another way, "If DNS is broke, Active Directory is broke."

In addition to being identified by an FQDN in DNS and by a Windows full computer name, domain controllers are also identified by the specific services that they provide. Windows uses DNS to locate domain controllers by resolving a domain or computer name to an IP address. This is accomplished by SRV resource records that map a particular service to the domain controller that provides that service. When a domain controller starts, the Net Logon service running on the domain controller uses DNS dynamic update to register in the DNS database the SRV resource records for all Active Directory-related services that the domain controller provides. A computer running Windows can therefore query a DNS server when it must contact a domain controller.

For Active Directory to function properly, DNS servers must support SRV resource records. SRV resource records allow client computers to locate servers that provide specific services, such as authenticating logon requests and searching for information in Active Directory. Windows uses SRV resource records to identify a computer as a domain controller. SRV resource records link the name of a service to the DNS computer name of the domain controller that offers that service. SRV resource records also contain information that enables a client, through its DNS server, to locate:
• A domain controller located in a specific Windows domain or forest.
• A domain controller located in the same site as the client computer.
• A domain controller that is configured as a global catalog server.
• A domain controller that is configured as the PDC emulator.
• A computer that runs the Kerberos Key Distribution Center (KDC) service.

SRV Resource Records and A Resource Records

When a domain controller starts, it registers SRV resource records which contain information about the services that it provides. It also registers an A resource record that contains its DNS computer name and its IP address. A DNS server then uses this combined information to answer DNS queries with the IP address of a domain controller so that the client computer can locate it. In Windows, domain controllers are also referred to as Lightweight Directory Access Protocol (LDAP) servers because they run the LDAP service that responds to requests to search for or modify objects in Active Directory. All SRV resource records use a standard format, which consists of fields that map a specific service to the computer that provides the service:

_service._protocol.name TTL class SRV priority weight port target

For example, a domain controller in fabrikam.com registers a record with the owner name _ldap._tcp.dc._msdcs.fabrikam.com, the default priority 0 and weight 100, port 389, and its own FQDN as the target.

Troubleshooting SRV Records
• AD installation generates SRVs for domains, domain controllers, sites, and other services.
• Error "Domain cannot be found"
• If SRV records are missing: check the DNS server IP address configured on the domain controller
• Stop and restart the Netlogon service on the domain controller

The biggest indicator that there is something wrong with the SRV records is when a "domain cannot be found" or "no match for domain name" type of error message appears after Active Directory has been installed. The first thing to do is to check that the client system has the proper DNS server IP address in its IP configuration. If you are not pointing to the correct DNS server, you will not be able to find the domain. Next, look at the DNS server to verify whether the SRV records exist in the zone corresponding to the domain you are attempting to join or connect to. If the SRV records are not there, check the IP configuration of the domain controllers to make sure they point to the DNS server. Even if the domain controller and the DNS server are on the same machine, the DC must point to itself in order to register. The domain controller and DNS server must be thought of as two separate services that happen to share the same physical machine. After verifying and making any changes, go to a command prompt and type ipconfig /registerdns to force registration of the server's host records in DNS.

Also make sure that dynamic updates are enabled on the zone in DNS. To determine this, open the Properties of the zone and view the Dynamic updates setting on the General tab. If None is displayed, dynamic updates are not configured; the drop-down menu allows you to choose either Nonsecure and secure or Secure only. Secure only is available only when the zone is an Active Directory Integrated Primary zone. Nonsecure and secure lets any host that can reach the server add or overwrite records, including the records that identify domain controllers, so use Secure only wherever the zone can be stored in Active Directory. Once the IP address and dynamic updates have been confirmed, the next step is to stop and start the Netlogon service on the domain controller. This service can be found in the Services console in Administrative Tools. The Netlogon service is set to Automatic startup after Active Directory is installed, and it is the responsibility of this service to create and maintain the SRV records on behalf of this domain controller. Return to the DNS console and refresh the window. As domain controllers are added, they register their information in the appropriate SRV containers, also known as "the underscore subdomains" (_msdcs, _sites, _tcp and _udp). If records for domain controllers are missing, make sure dynamic updates are allowed in the zone's properties, then on the domain controller that is missing SRV records stop and restart the Netlogon service (nltest /dsregdns also makes Netlogon re-register its records without restarting the service). An ipconfig /registerdns does not update SRV records, only the host's A and PTR records.

Managing Mail Server Records
• Mail servers are identified by MX records with assigned priorities (preference values).
• A lower priority value has higher preference.
• A priority 10 server is used before a priority 20 server.
• MX records with equal priorities are used randomly.
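The SRV record format and the troubleshooting checks above, together with the MX preference rule in this section, as an added example that is not part of the course material. ZONE_DUMP is a constructed dump of the SRV records two domain controllers registered, with dc2 missing its _msdcs records; missing_srv is the check for that, and select_target is the RFC 2782 selection a client makes (lowest priority tier, then weighted random within it), of which the MX rule is the case with no weights.

```python
"""SRV records: parse them, verify a domain controller registered the ones
clients need, and pick a target by priority and weight (RFC 2782).

Added example, not from the course material. ZONE_DUMP is constructed sample
data in the record format given above:
    _service._protocol.name TTL class SRV priority weight port target
"""
import random
from collections import namedtuple

SRV = namedtuple("SRV", "owner ttl priority weight port target")

ZONE_DUMP = """\
_ldap._tcp.fabrikam.com.                600 IN SRV 0  100 389  dc1.fabrikam.com.
_kerberos._tcp.fabrikam.com.            600 IN SRV 0  100 88   dc1.fabrikam.com.
_ldap._tcp.dc._msdcs.fabrikam.com.      600 IN SRV 0  100 389  dc1.fabrikam.com.
_kerberos._tcp.dc._msdcs.fabrikam.com.  600 IN SRV 0  100 88   dc1.fabrikam.com.
_ldap._tcp.pdc._msdcs.fabrikam.com.     600 IN SRV 0  100 389  dc1.fabrikam.com.
_gc._tcp.fabrikam.com.                  600 IN SRV 0  100 3268 dc1.fabrikam.com.
_ldap._tcp.fabrikam.com.                600 IN SRV 0  200 389  dc2.fabrikam.com.
_kerberos._tcp.fabrikam.com.            600 IN SRV 10 100 88   dc2.fabrikam.com.
"""

# Owners every DC registers through Netlogon. _gc and pdc._msdcs depend on roles.
REQUIRED_PER_DC = (
    "_ldap._tcp.{d}.",
    "_kerberos._tcp.{d}.",
    "_ldap._tcp.dc._msdcs.{d}.",
    "_kerberos._tcp.dc._msdcs.{d}.",
)


def parse_srv(text):
    """Parse zone-file style SRV lines; anything else is ignored."""
    out = []
    for line in text.splitlines():
        f = line.split()
        if len(f) != 8 or f[2] != "IN" or f[3] != "SRV":
            continue
        owner, ttl, _, _, prio, weight, port, target = f
        out.append(SRV(owner.lower(), int(ttl), int(prio), int(weight),
                       int(port), target.lower()))
    return out


def missing_srv(records, domain, dc_fqdn):
    """Required SRV owners that do not point at dc_fqdn: Netlogon did not register."""
    have = {(r.owner, r.target) for r in records}
    dc = dc_fqdn.lower().rstrip(".") + "."
    return [o for o in (t.format(d=domain) for t in REQUIRED_PER_DC)
            if (o, dc) not in have]


def select_target(records, owner, rng=random):
    """RFC 2782 selection: lowest priority tier, then weighted random within it.

    Weight-0 entries are only chosen when the whole tier is weight 0 (a
    simplification of the RFC's 'very small chance').
    """
    tier = [r for r in records if r.owner == owner]
    if not tier:
        return None
    lowest = min(r.priority for r in tier)
    tier = [r for r in tier if r.priority == lowest]
    total = sum(r.weight for r in tier)
    if total == 0:
        return rng.choice(tier)
    pick, running = rng.randint(1, total), 0
    for r in tier:
        running += r.weight
        if running >= pick:             # first record whose running sum reaches pick
            return r
    return tier[-1]                     # not reached: running ends at total >= pick


def target_share(records, owner, trials=3000, seed=1):
    """Fraction of selections landing on each target, to check the weights."""
    rng = random.Random(seed)
    counts = {}
    for _ in range(trials):
        t = select_target(records, owner, rng).target
        counts[t] = counts.get(t, 0) + 1
    return {t: n / trials for t, n in counts.items()}


if __name__ == "__main__":
    recs = parse_srv(ZONE_DUMP)
    for dc in ("dc1.fabrikam.com", "dc2.fabrikam.com"):
        print(dc, "missing:", missing_srv(recs, "fabrikam.com", dc) or "none")
    print(target_share(recs, "_ldap._tcp.fabrikam.com."))
    print(select_target(recs, "_kerberos._tcp.fabrikam.com.").target)
```

For _ldap._tcp.fabrikam.com both DCs share priority 0, so dc2 with weight 200 receives about two thirds of the LDAP clients; for _kerberos._tcp.fabrikam.com dc2 has priority 10, so it is never used while dc1 (priority 0) answers. The missing _msdcs records for dc2 are the condition behind the "domain cannot be found" symptom above: clients looking for a DC in fabrikam.com through _ldap._tcp.dc._msdcs.fabrikam.com will only ever find dc1.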

DNS Server Functions
• Caching Only Servers
  o Defined by a DNS server that does not have any zones
    - Provides Internet name resolution
    - Caches DNS information for use at a later time
• Name Server
  o A server authoritative for a given namespace due to the existence of a Primary, Active Directory Integrated, or Secondary zone.
  o The presence of a stub zone does not make a DNS server authoritative for the data in that zone.
• Forwarder
  o Receives queries from other DNS servers
  o Configure the forwarding DNS server with the IP address of the Forwarder
• Chaining Forwarders
  o A Forwarder sends queries to other Forwarders

In Windows Server 2008 there are several different types of DNS servers. Each DNS server can function as several different types.

Caching Only Server
This is the default server type when DNS is first installed. It has no zone information and provides Internet name resolution only. When an answer is returned, the server caches the result for later use. Caching Only is a good option if you only want to provide Internet name resolution for a group of systems. A caching-only server can make a useful forwarder in a DMZ, also known as a "perimeter network", because it holds no internal zone data that could be exposed there.

Forwarder
When a DNS server cannot resolve a name request from its own zones or cache, it sends the query to a Forwarder, and if that fails, uses its Root Hints, which normally means iterating the FQDN beginning with the Internet's Root Name Servers. The Forwarder's role is to resolve the request or send it on to the Roots for resolution. This can be a way to protect your internal network if you have multiple DNS servers, because there is then only one connection between the internal network and the Internet. If all DNS servers in an organization queried the Internet Roots, there would be multiple paths through the organization's firewall(s), which is harder to control and audit. To use the Forwarder as the single point of access, configure all of the other DNS servers with the IP address of the Forwarder, the one system that is able to send queries to the Internet.

Chained Forwarder
It is possible for a Forwarder to send a query on to another Forwarder. This creates a chain: the query is answered as soon as one Forwarder in the chain can resolve it, and it fails only when every Forwarder in the chain has been unable to. If you had a main office and multiple branches where the main office had the sole Internet connection (a hub-and-spoke arrangement), a Chained Forwarder arrangement may be appropriate. Have one DNS server at the head office configured to use an ISP DNS server as a Forwarder, and have each branch office's DNS server point to the central DNS server as its Forwarder.
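The recursive and iterative queries described under DNS Query Types, the Forwarder, and the chained branch-to-head-office arrangement above, as an added example that is not part of the course material. The topology (a root server, the com TLD server, fabrikam.com's authoritative server, an ISP resolver, a head-office DNS server with root hints that forwards to the ISP, and a branch server that only forwards to head office) and the single A record are constructed; referrals carry server objects where real DNS carries NS records plus glue A records.

```python
"""Recursive and iterative DNS resolution with forwarders and root hints,
simulated in memory.

Added example, not from the course material. The servers and the one A
record below are constructed. A query with rd=True is a recursive query (the
client wants a final answer); rd=False is an iterative query (answer or
referral, whatever the server already has).
"""

LOG = []   # one entry per exchange: [from, to, kind, name, outcome]


class DnsServer:
    def __init__(self, name, zones=None, forwarders=(), root_hints=(), recursion=True):
        self.name = name
        self.zones = zones or {}          # zone -> {"a": {fqdn: ip}, "ns": {child: [servers]}}
        self.forwarders = list(forwarders)
        self.root_hints = list(root_hints)
        self.recursion = recursion        # False: authoritative-only, refuses recursion
        self.cache = {}

    def query(self, name, rd, client="client"):
        """Answer one query and record the exchange."""
        entry = [client, self.name, "recursive" if rd else "iterative", name, None]
        LOG.append(entry)
        outcome, data = self._answer(name, rd)
        entry[4] = outcome
        return outcome, data

    def _zone_for(self, name):
        """Longest zone suffix this server is authoritative for, or None."""
        hits = [z for z in self.zones
                if z == "." or name == z or name.endswith("." + z)]
        return max(hits, key=len) if hits else None

    def _answer(self, name, rd):
        if name in self.cache:
            return "answer", self.cache[name]
        zone = self._zone_for(name)
        if zone is not None:                            # authoritative path
            data = self.zones[zone]
            if name in data.get("a", {}):
                return "answer", data["a"][name]
            for child, servers in data.get("ns", {}).items():
                if name == child or name.endswith("." + child):
                    if rd and self.recursion:
                        return self._iterate(name, servers)
                    return "referral", servers          # delegation downwards
            return "nxdomain", None
        if not (rd and self.recursion):
            return "refused", None       # not ours and recursion not offered
        for fwd in self.forwarders:      # forwarders first, as recursive queries
            outcome, data = fwd.query(name, True, client=self.name)
            if outcome in ("answer", "nxdomain"):
                self._remember(name, outcome, data)
                return outcome, data
        if self.root_hints:              # then iterate from the root servers
            outcome, data = self._iterate(name, self.root_hints)
            self._remember(name, outcome, data)
            return outcome, data
        return "servfail", None

    def _iterate(self, name, servers):
        """Follow referrals with iterative queries until an answer or error."""
        for _ in range(8):                       # bound the referral chain
            outcome, data = servers[0].query(name, False, client=self.name)
            if outcome != "referral":
                return outcome, data
            servers = data
        return "servfail", None

    def _remember(self, name, outcome, data):
        if outcome == "answer":
            self.cache[name] = data


def build_lab():
    """Constructed topology: branch -> head office -> ISP resolver -> roots."""
    fab = DnsServer("ns1.fabrikam.com", recursion=False,
                    zones={"fabrikam.com": {"a": {"www.fabrikam.com": "203.0.113.10"}}})
    com = DnsServer("com-tld", recursion=False, zones={"com": {"ns": {"fabrikam.com": [fab]}}})
    root = DnsServer("root", recursion=False, zones={".": {"ns": {"com": [com]}}})
    isp = DnsServer("isp-resolver", root_hints=[root])
    hq = DnsServer("dns-hq", forwarders=[isp], root_hints=[root])
    branch = DnsServer("dns-branch", forwarders=[hq])    # chained forwarder, no root hints
    return {"fab": fab, "com": com, "root": root, "isp": isp, "hq": hq, "branch": branch}


def lookup(server, name):
    """A client's recursive query; returns (outcome, ip, exchange log)."""
    del LOG[:]
    outcome, data = server.query(name, True)
    return outcome, data, [tuple(e) for e in LOG]


if __name__ == "__main__":
    lab = build_lab()
    for srv, name in (("branch", "www.fabrikam.com"), ("branch", "www.fabrikam.com"),
                      ("hq", "mail.contoso.com"), ("fab", "mail.contoso.com")):
        outcome, ip, log = lookup(lab[srv], name)
        print(srv, name, "->", outcome, ip)
        for e in log:
            print("   ", e)
```

The first branch lookup shows the whole chain: three recursive hops (client to branch, branch to head office, head office to the ISP) and then three iterative queries by the ISP resolver (root referral, com referral, authoritative answer). The second lookup is a single cache hit at the branch. The authoritative-only fabrikam.com server refuses a recursive query for a name outside its zone, which is how an Internet-facing authoritative server should be configured.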

Installing DNS
Manual Install
To install the DNS Server service, use the Roles feature in Server Manager. It is not necessary to reboot when the install is complete. When installed manually, no zones are created and the server is considered a Caching Only server. When installing a DNS server in a workgroup, this is the only method available.

Active Directory Installation
During DCPROMO of a Windows Server 2008, there is an attempt to contact a DNS server which is authoritative for the domain of which the server is attempting to become a domain controller. If the DNS server holds a Standard Primary or ADI Primary zone with the same name as the AD domain and that zone allows dynamic updates, there will not be a prompt to install a DNS server locally. If there is no authoritative DNS server for the domain name, or if the zone does not support dynamic updates (or is not configured to support them), you will be prompted to install DNS locally. If this option is selected, DNS will be installed automatically on the server. Installing during Active Directory installation creates the DNS server with the following:
• Active Directory Integrated zone using the domain name for the zone name
• Secure dynamic updates configured
• Zone transfers disabled

If you are upgrading a server using DCPROMO, you might run into some issues with DNS. If you select to connect to any available DNS servers, you will need to communicate with a DNS server that is authoritative for that domain. If you are adding a new domain in an existing tree or forest, you will need to be able to connect to a DNS server hosting the tree root's DNS domain. If you are not able to find a DNS server, you will be prompted with the option either to install DNS locally or to configure it later. If the DNS Server service was installed manually on the same server that is now becoming a domain controller, this message is also presented; select 'configure later' and the server will register properly during the reboot for the Active Directory installation.

Groups
When installing DNS in a domain, as with many of the services, two groups are created: DnsAdmins and DnsUpdateProxy. Members of DnsAdmins can manage the DNS server. The DnsUpdateProxy group is used when redundant DHCP servers register DNS records on behalf of clients: records created by its members are not owned by the registering DHCP server, so another DHCP server (or the client itself) can update them later. Because such records are also unprotected against any authenticated user, a domain controller should not be placed in DnsUpdateProxy, and the group should contain only DHCP servers that are not domain controllers.

Default Installations
• Basic install (not during DCPromo)
  o Zones not created
  o Server acts as caching-only server
  o Root Hints are active

• Installed during DCPromo
  o Forward-lookup zone automatically created for the domain
  o AD Integrated Primary
  o Secure updates only
  o Root Hints and forwarders might be inactive
  o Creates a root zone if there is no connection to a root name server

When DNS is first installed, it creates both the Forward Lookup Zones and Reverse Lookup Zones folders. Depending on the type of install completed, the folders will be empty (manual install) or the Forward Lookup Zones folder will hold the zone created by the DCPromo install. Reverse Lookup zones must always be created manually. When DNS is installed manually, no zones are created and the server is a caching-only server; root hints are active and forwarding is available, but no forwarders are configured. If a root zone is desired, it must be created. When you run DCPromo with no DNS installed, DCPromo prompts you to install DNS. It creates a Forward Lookup zone using the domain name as the zone name. The zone is an Active Directory Integrated zone with secure dynamic updates configured, and zone transfers are disabled. If DCPromo created a root zone (".") because it could not reach a root server, the server considers itself the root of the namespace and will never use root hints or forwarders for Internet names; delete that root zone if the server later needs to resolve external names.

Windows Server 2008 DNS Zone Options
• Standard Primary Zone - writable copy of the zone stored in a local file
• Secondary Zone - read-only copy of the primary zone
  o Only uses zone transfers to replicate
  o Avoid using across slow links
• Stub Zone - copy of the primary zone that contains only the Start of Authority (SOA) record, the Name Server (NS) records, and the Host (A) records of the authoritative servers

There are three types of zones: Primary, Secondary and Stub. The Primary and Stub zones can be stored in Active Directory, as long as the DNS server is a domain controller. Otherwise, all three zone types are stored as a text file on the local drive.

Standard Primary - is the only copy of the zone that can be modified. A Standard Primary is combined with servers hosting Secondary zone files in a traditional DNS zone of authority. There can be only one Primary copy of the zone in a traditional DNS configuration of a zone of authority.

Secondary - is a duplicate of the primary zone and is stored only as a text file. It is used for name resolution only and uses Zone Transfers to replicate from its Master Name Server.

Stub - a partial copy of the Primary zone that includes only specific records. It has the Start of Authority (SOA) record, all the Name Server (NS) records and the Host (A) records of the authoritative servers. When configuring a Stub zone, the IP address of the server that hosts the zone is entered so that these records can be pulled from it. Most often implemented on a parent domain to keep the name server records for a child domain up to date.

Example: Given a zone of authority made up of 1,500 records managed by 4 name servers, the Standard Primary zone would have all 1,500 records and any new records must be created in that copy of the zone. A name server with a Secondary copy of the zone would also have 1,500 records. A third server with a Stub copy of the zone would have 9 records in total: 1 SOA record, 4 NS records, and the 4 A records of the name servers.

Store the Zone in Active Directory (available only if the DNS Server is a Domain Controller)

Select this checkbox in order to store either the Primary or Stub zone in Active Directory. Storing a Primary zone in the AD database makes it an ADIP zone (Active Directory Integrated Primary). This provides ease of administration, conserves network bandwidth and increases security. The DNS records then synchronize automatically as part of Active Directory replication. By default, the zone replicates to all other domain controllers running the DNS Server service in the AD domain where the primary is located. Additional settings are available to specify the replication scope: the zone can be directed to replicate to all domain controllers in the forest, or to all domain controllers in the domain whether or not they are running DNS Server, or a custom replication scope (an application directory partition) can be created. AD replication traffic between domain controllers is authenticated and encrypted, so DNS records passing between DCs with ADIP zones are protected in transit. A secondary zone on another DNS server can still be used when the zone is stored in Active Directory, but zone transfers are not encrypted, so restrict them on the Zone Transfers tab to the servers listed in the NS records or to specific addresses rather than allowing transfers to any server.

KEY POINT: It is technically incorrect to refer to a DNS server as a primary or secondary. For example, a server that was providing DNS and Active Directory Services could participate in many different zones of authority at the same time. That DC/DNS server could have the ADIP zone "fabrikam.com", the Standard Primary zone file "mlabs.com", a Secondary zone file for "elabs.net" and a stub zone file for "contoso.com".

How To: Configure a Secondary Name Server in Windows Server 2003 (KB816518)
How To: Replace the Current Primary DNS Server with a New Primary DNS Server in Windows Server 2003 (KB323383)

Standard Primary Zone
A standard primary zone is a read/write copy of a DNS zone that is authoritative for all resource records of a particular namespace. Standard primary zones do not accept updates from any other copy of the zone in the same namespace. Because of this limitation there should never be more than one Standard Primary zone configured within the same Zone of Authority.

As a writable copy of the DNS data, a standard primary zone can be configured to allow Windows 2000 and later client systems to register their own records in the zone, significantly reducing the administrative effort required to maintain a working name resolution infrastructure. Although it is recommended to allow DNS client registration, the default setting for a standard primary zone is NOT to allow these client-initiated dynamic updates and registrations. Since dynamic DNS is a recommended best practice, administrators often assume that it is enabled by default. This is only true for new ADIP zones, which default to "Dynamic updates: Secure only". For security reasons, Microsoft's Standard Primary zones do not allow dynamic updates by default. Remember that there is no "Secure only" option for a Standard Primary zone: enabling dynamic updates on a file-backed zone means accepting unauthenticated updates from anyone who can reach the server, so it should be done only where the zone cannot be stored in Active Directory and the network is trusted.

Secondary Zone
A secondary zone is a read-only copy of a DNS zone that is authoritative for all resource records in a particular namespace (one or multiple domains). Secondary zones are used to achieve fault tolerance of name resolution, but due to their read-only nature, fault tolerance of name registration is not available. Client systems must still register with a server hosting a Standard or ADI Primary zone. Secondary zones obtain records and updates from their master name server, by default the server listed in the Start of Authority (SOA) record. The secondary zone configured on the screen shows that dc1.fabrikam.com is the Start of Authority for the fabrikam.com zone of authority; dc1.fabrikam.com is the server that will be queried for all changes to the zone data. Note that the zone transfer that occurred resulted in a copy of all available records from the SOA, and that the transfer only succeeds if the master's Zone Transfers tab allows transfers to this secondary.

Stub Zone
Stub zones were introduced in Windows Server 2003 and are used to facilitate name resolution across parallel domains or between parent and child domains broken into separate zones of authority. Unlike a secondary zone, a stub zone does not copy all records from the Start of Authority. A stub zone limits the records it keeps to the SOA record, the Name Server records, and the A (host) records for all the name servers authoritative for the zone. By periodically querying the master's SOA record (at the refresh interval given in the SOA), the list of name servers available for that namespace is maintained dynamically. This is an excellent solution when the list of name servers needs to be kept current. The alternatives to stubs, conditional forwarding and "delegate down, forward up", are static arrangements that require additional administrative effort to be kept current. Servers with stub zones are NOT authoritative for that zone. An authoritative name server is one that has ALL the records for a particular zone of authority.

Active Directory Integrated Zone
• An Active Directory-integrated Primary (ADIP) zone is a read/write copy of a zone that stores all zone data inside the Active Directory database and provides fault tolerance of name resolution and name registration.
• ADI zones can only be configured on DNS servers that are also domain controllers.
• ADI zones in multiple locations allow clients to securely register with local DNS servers.

Active Directory-Integrated Primary (ADIP) zones are read/write copies of a DNS zone of authority's records, stored inside the Active Directory database. ADIP zones provide fault tolerance of name resolution and name registration. In fact, the only way to achieve fault tolerance of name registration is to configure multiple ADIP zones, a multi-master arrangement in which every domain controller hosting the zone accepts updates. Only DNS servers that are also functioning as domain controllers can host ADIP zones.

Forwarding
• Good solution for name resolution across slow links
• Conditional Forwarding
  o Forwards all traffic for a specific domain
  o Multiple IP addresses for each domain can be entered
  o Good for multi-tree forests and partnerships
• Simple Forwarding
  o If a name query does not match any domain specified, the server uses "All other DNS domains", which may have different IP addresses specified, e.g. the ISP DNS server
• Two drawbacks
  o Administrative effort
  o Static nature of the configuration

When a name query cannot be resolved by the local DNS name server, the query can be forwarded to another DNS name server. Queries are sent to the configured forwarders before the Root Hints, which point to the Internet root servers, are used. Forwarding is available only when there is no Root zone (".") on the DNS name server. Forwarding is configured on the Forwarders tab in the Properties of the DNS server. There is a listing for All other DNS domains with no IP address provided. If there is a DNS name server at the ISP, or another specific name server, to which all unresolved requests should be forwarded, supply its IP address with this entry. Multiple addresses can be configured and are contacted in order: if the first forwarder does not respond within the timeout, the query is sent to the second, and so on.

Conditional Forwarding
Both Windows Server 2003 and 2008 support Conditional Forwarding. It provides the option to direct specific name queries to the DNS name server for that domain. If names need to be resolved in another area of our network or in a company we are working with on a project, obtain the domain name and the IP address of the DNS name server for that domain. In Windows Server 2003 the domain names are added on the Forwarders tab with the corresponding name server addresses; in Windows Server 2008 they are created under the Conditional Forwarders node of the DNS console, and can be stored in Active Directory and replicated to other domain controllers like a zone. Any name query received by the DNS name server that it cannot resolve from its own zones is checked against the conditional forwarder domain names first; if a match is found, the query is sent directly to the name server for that domain. If no match is found, the query goes to the IP address listed under All other DNS domains.

For example: users in contoso.com are working with one of our divisions, prep.com, on a special project, and need to be able to contact them easily. Add a new conditional forwarder entry for prep.com with the address 192.168.4.5, the name server for prep.com. All name queries for names in prep.com that come through the contoso.com DNS server will now go directly to the name server for prep.com. The longest matching domain name is checked first. If both sales.prep.com and prep.com are listed, the DNS server tries to match sales.prep.com first; so a query for server1.sales.prep.com finds the sales.prep.com name server. If sales.prep.com were not listed, the query would match prep.com.
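The longest-match rule above is the same rule a DNS server uses to decide which zone holds a name (the fabrikam.com / training.fabrikam.com split in the DNS Zones section). Both are shown in the following added example, which is not part of the course material. ZONES follows the right-hand side of the DNS Zones slide; the conditional forwarder table uses the prep.com name server 192.168.4.5 given above, and the sales.prep.com and ISP addresses are made up. The match is done on whole labels, which matters when the same logic is used as an allow-list: "evilfabrikam.com" must not match "fabrikam.com".

```python
"""Longest-suffix matching: how a DNS server picks the zone that holds a name,
and how a conditional forwarder is chosen for an unresolved query.

Added example, not from the course material. ZONES, CONDITIONAL and
ALL_OTHER are constructed from the examples on this page.
"""


def longest_suffix(name, table):
    """Return the key of table that is the most specific suffix of name, or None.

    The comparison is on whole labels: "evilfabrikam.com" is not under
    "fabrikam.com", which a plain endswith() check would get wrong.
    """
    n = name.lower().rstrip(".")
    best, best_len = None, -1
    for key in table:
        k = key.lower().rstrip(".")
        if (n == k or n.endswith("." + k)) and len(k) > best_len:
            best, best_len = key, len(k)
    return best


# Which zone file holds which domain (right-hand side of the DNS Zones slide).
ZONES = {
    "fabrikam.com": "zone file 1: fabrikam.com and research.fabrikam.com",
    "training.fabrikam.com": "zone file 2: training.fabrikam.com",
}


def zone_for(name, zones=ZONES):
    """Zone a record belongs to; None means this server is not authoritative."""
    return longest_suffix(name, zones)


def split_records(names, zones=ZONES):
    """Group record names by the zone file that would hold them."""
    out = {z: [] for z in zones}
    out[None] = []
    for n in names:
        out[zone_for(n, zones)].append(n)
    return out


# Conditional forwarders; the most specific domain wins when matching.
CONDITIONAL = {
    "sales.prep.com": ["192.168.4.20"],
    "prep.com": ["192.168.4.5"],
}
ALL_OTHER = ["198.51.100.53"]      # "All other DNS domains": the ISP resolver


def forwarder_for(name, conditional=CONDITIONAL, all_other=ALL_OTHER):
    """(matched domain, forwarder addresses) for a query the server cannot answer."""
    key = longest_suffix(name, conditional)
    if key is None:
        return ("All other DNS domains", all_other)
    return (key, conditional[key])


if __name__ == "__main__":
    names = ["dc1.fabrikam.com", "lab1.research.fabrikam.com",
             "pc7.training.fabrikam.com", "evilfabrikam.com"]
    for zone, members in split_records(names).items():
        print(zone, "->", members)
    for q in ("server1.sales.prep.com", "server1.prep.com", "www.microsoft.com"):
        print(q, "->", forwarder_for(q))
```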

Advantages of Conditional Forwarding
There are several advantages to Conditional Forwarding. DNS traffic is kept on the private network by not going to the Root servers on the Internet to resolve names. It speeds up name resolution for the same reason: queries do not have to go through the entire iterative process (the Root, .com, and so on) before the name server responsible for the host name is located. By not using the Internet to resolve names it also conserves Internet bandwidth, and internal names are never exposed in queries sent to outside servers.

Disadvantages of Conditional Forwarding
Since the information must be entered manually on the Forwarders tab, it takes a considerable amount of administrative effort to configure it for a large network, and any changes that occur must also be made manually.

Do not use recursion for this domain: this option at the bottom of the window determines whether, if the conditional forwarder does not resolve the query, the query is then sent to the Root hints. If the box is checked, recursion is turned off for that domain, which means that if the name query fails at the specific domain's name server, it will not be sent to the Root hints for further resolution. For a private domain name that does not exist on the Internet, checking the box is the right choice: a Root hints lookup could never succeed, and it would send the internal name to outside servers.

Conditional Forwarding in Windows Server 2003 (KB304491)
How To: Configure DNS for Internet Access in Windows Server 2003 (KB323380)

Simple Forwarding
When firewalls or routers prevent DNS traffic to all DNS servers except a specific external DNS server, forwarding should be configured on the internal DNS servers rather than providing the clients with the IP address of the external DNS server. DNS forwarding eliminates a delay in name resolution availability. Allowing an internal DNS server to query an ISP name server is also more secure: the firewall requires less modification, and the internal server is likely hosting a DNS zone needed for the AD domain that the DNS client PC belongs to.

19 August 2010

00:23

44 of 233


Delegated DNS Zone
By delegating zone data, you can distribute name records by making other servers authoritative for another domain name within the same namespace. The single zone of authority, which would have contained both the parent domain's and the child domain's records, becomes two zones of authority: the parent server is responsible for the parent zone and the other server for the child zone. Queries sent to the parent server for records within the child domain are referred to the child zone's server based on the delegation. The parent server holds only a reference (the delegated subdomain) to the child zone. The information maintained on the parent server consists of the delegation records (the NS record(s) for the authoritative server(s) in the child domain) and the glue records (the A record(s) for the child domain's authoritative name server(s)). This information is required when delegating name resolution of subdomains.

Creating a Delegation
The first step in creating a delegation is to create the Primary zone "ad.fabrikam.com" on server2. Make sure the server's own DNS address points to it, and change the DNS server address on clients in the child domain to point to server2. Configure a Forwarder of server1.fabrikam.com so that any name queries sent to the child DNS server that cannot be resolved locally are sent to the parent. On the parent server, run the New Delegation Wizard from the shortcut menu of the "fabrikam.com" zone. A folder for the delegation will appear in the parent zone, containing the NS record(s) specifying the DNS server(s) delegated control of the child zone of authority. Remember: "Delegate Down / Forward Up".

The major drawback of "Delegate Down / Forward Up" is that it is a static arrangement. If new name servers were to host additional copies of "ad.fabrikam.com", server1 would be unable to direct queries to them until an administrator manually updated server1.

How To: Integrate DNS with an Existing DNS Infrastructure If Active Directory Is Enabled in Windows Server 2003 (KB323418)
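The decision order described in the conditional forwarding and delegation sections above, acted out as an added example (this is not code from the course notes): a query is answered from an authoritative zone, referred when it falls under a delegation (the parent holds only NS and glue), sent to the longest-matching conditional forwarder, forwarded up to a parent, or resolved via root hints. The zones, server names and addresses (server1/server2, 10.0.0.x, 192.168.4.x) are constructed for the example, and the "Do not use recursion for this domain" option is modelled as the `no_recursion_for` set.

```python
"""Where a query goes next: authoritative zone, delegation referral,
conditional forwarder (longest match), simple forwarder, root hints.
Added illustration; zones, names and addresses are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


def _labels(name: str) -> list[str]:
    return [l for l in name.lower().rstrip(".").split(".") if l]


def is_subdomain(name: str, zone: str) -> bool:
    """Label-wise containment: 'xprep.com' is NOT under 'prep.com'."""
    n, z = _labels(name), _labels(zone)
    return n[len(n) - len(z):] == z


@dataclass
class Zone:
    name: str
    records: dict[str, str]                                  # owner -> A record
    # child zone -> (NS host name, glue A record): all the parent keeps for a delegation
    delegations: dict[str, tuple[str, str]] = field(default_factory=dict)


@dataclass
class DnsServer:
    zones: list[Zone]
    conditional_forwarders: dict[str, str] = field(default_factory=dict)  # domain -> name server IP
    no_recursion_for: set[str] = field(default_factory=set)   # "Do not use recursion for this domain"
    forwarder: str | None = None                               # simple forwarder (parent server, ISP)
    root_hints: bool = True                                    # False once the server hosts a "." zone

    def resolve(self, qname: str) -> dict:
        qname = qname.lower().rstrip(".")
        # 1. Authoritative data, most specific zone first.
        for zone in sorted(self.zones, key=lambda z: -len(_labels(z.name))):
            if not is_subdomain(qname, zone.name):
                continue
            for child, (ns, glue) in zone.delegations.items():
                if is_subdomain(qname, child):
                    # The parent holds only NS + glue: it refers, it does not answer.
                    return {"action": "referral", "to": ns, "glue": glue}
            if qname in zone.records:
                return {"action": "answer", "address": zone.records[qname]}
            return {"action": "nxdomain", "zone": zone.name}
        # 2. Conditional forwarders: the longest matching domain name wins.
        matches = [d for d in self.conditional_forwarders if is_subdomain(qname, d)]
        if matches:
            best = max(matches, key=lambda d: len(_labels(d)))
            return {
                "action": "conditional_forward",
                "to": self.conditional_forwarders[best],
                # A failed forwarder falls back to root hints unless recursion was
                # turned off for this domain (or root hints are unavailable).
                "fallback_to_root_hints": best not in self.no_recursion_for and self.root_hints,
            }
        # 3. Simple forwarder ("Forward Up" from a child server), then 4. root hints.
        if self.forwarder:
            return {"action": "forward", "to": self.forwarder}
        if self.root_hints:
            return {"action": "root_hints"}
        return {"action": "servfail"}


# Constructed example: server1 is the parent (fabrikam.com) with ad.fabrikam.com
# delegated to server2, plus conditional forwarders for the prep.com division.
SERVER1 = DnsServer(
    zones=[Zone("fabrikam.com", {"www.fabrikam.com": "10.0.0.10"},
                delegations={"ad.fabrikam.com": ("server2.ad.fabrikam.com", "10.0.0.2")})],
    conditional_forwarders={"prep.com": "192.168.4.5", "sales.prep.com": "192.168.4.6"},
    no_recursion_for={"prep.com"},
)
# server2 hosts the child zone and forwards everything else up to server1.
SERVER2 = DnsServer(
    zones=[Zone("ad.fabrikam.com", {"dc1.ad.fabrikam.com": "10.0.0.2"})],
    forwarder="10.0.0.1",
)

if __name__ == "__main__":
    for q in ("www.fabrikam.com", "pc1.ad.fabrikam.com", "server1.sales.prep.com",
              "host.prep.com", "xprep.com", "www.contoso.com"):
        print(f"{q:26} -> {SERVER1.resolve(q)}")
    print("server2 asks for www.fabrikam.com ->", SERVER2.resolve("www.fabrikam.com"))
```

Two details worth noticing: matching is label-wise, so a forwarder for prep.com never catches xprep.com, and a query under the delegation is never answered from the parent's own records even if someone added a matching A record there, because the delegation check runs first.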


DNS Design
• Stub zones are abbreviated copies of a zone that speed up name resolution by dynamically maintaining SOA, NS, and Glue (A) records. Stubs require zone transfer but are not authoritative for the namespace.
• Forwarding is used to speed up name resolution without the overhead of zone transfer.
• Secondary zones are full copies of a zone that are authoritative for that namespace but incur the overhead of zone transfers.

When a Stub zone is created, it only maintains the Start of Authority (SOA) record, the Name Server (NS) records and the Glue record that identifies the name server that is authoritative for the zone. The SOA and NS records are updated at a regular interval from the Master Server indicated during the configuration of the zone. Like a Secondary zone, information for the zone of authority cannot be modified in the Stub Zone. The use of Stub Zones makes the process of name resolution more efficient and reliable. Name queries can be resolved faster because the name server information is readily available instead of having to query other DNS servers to get it. Using traditional delegation without a stub zone, name server records would have to be manually updated on the parent DNS server. With a Stub Zone, these records are kept up to date through scheduled zone transfers. Stub zones can also help with DNS administration for areas that require name resolution but where data redundancy is not important. Instead of Secondary servers, use a Stub Zone: name resolution will still occur, and network traffic will be reduced because the large zone transfers for the secondary zones are avoided. Updates for a Stub zone are determined by the refresh interval in the Start of Authority record.

There are three options to update the Secondary and Stub zone data manually:
• Reload - Reloads the Secondary or Stub zone from the local storage of the DNS server hosting it (hard drive to memory)
• Transfer from Master - The SOA record is checked to see if the serial number has changed, and then a standard zone transfer is executed from the master server
• Reload from Master - Executes a complete zone transfer even if the SOA serial number has not changed. (This option places the largest load on the network.)


Dynamic Updates
• Windows 2000+ clients only
  o Manual configuration or additional applications needed for MAC/UNIX
• Register A host record and PTR record
• Configure DHCP to dynamically update on behalf of down-level clients
• Secure updates available for Active Directory Integrated zones only
• Configure dynamic update on the properties of the zone after creation; the default is set to None on a Standard Primary zone.

Windows 2000, Windows XP, Windows Server 2003 and Windows Server 2008 clients are capable of registering their A and PTR records dynamically. There are a couple of things that will influence whether or not they do. First, if the client is not a DHCP-enabled client, it is responsible for both the (A) and (PTR) record all of the time. If it is a DHCP-enabled client, the result depends solely on the configuration of the DHCP server.

DNS and DHCP Integration
DNS and DHCP work closely together to provide dynamic updates for resource records in DNS. Depending on how the DHCP server is configured, it can allow those clients that support dynamic updates to register their own A and PTR records. If the selection has been made to have DHCP register the records, it will register both the A and PTR records for the DHCP clients. It can also be configured to update the A and PTR records for the down-level clients that do not support dynamic updates: Windows 9x and Windows NT.

Types of Dynamic Updates
There are three choices when configuring Dynamic Updates: the zone can support "Nonsecure and secure" updates, "Secure only" updates, or "None". The choice is made in the wizard when creating the zone and can be modified in the Properties of the zone. "Secure only" is offered only for ADIP zones. It adds security to the database being stored in Active Directory: only those who have permission through the security ACL of the zone can create and modify the records. If DNS was installed as part of the Active Directory installation, the ADIP zone is automatically configured as "Secure only".

How To: Configure DNS Dynamic Update in Windows 2003 (KB816592)
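The three update settings and the DHCP-on-behalf-of case from the Dynamic Updates and DNS/DHCP Integration sections, as an added example that is not code from the course notes. The zone names, computer accounts (PC1$, DHCP01$) and addresses are constructed, and the record ACL of a secure zone is modelled simply as "only the principal that created a record may change it".

```python
"""Dynamic update handling for the zone settings None, Nonsecure and secure,
and Secure only. Added illustration; names, principals and addresses are
constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional

NONE = "None"
NONSECURE_AND_SECURE = "Nonsecure and secure"
SECURE_ONLY = "Secure only"


def ptr_owner(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address (reverse lookup zone)."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


@dataclass
class Record:
    owner: str
    rtype: str                         # "A" or "PTR"
    data: str
    acl_owner: Optional[str] = None    # principal that created it (AD-integrated zones only)


@dataclass
class Zone:
    name: str
    ad_integrated: bool
    dynamic_update: str
    records: dict[str, Record] = field(default_factory=dict)

    def __post_init__(self) -> None:
        if self.dynamic_update == SECURE_ONLY and not self.ad_integrated:
            raise ValueError("'Secure only' is offered for Active Directory Integrated zones only")

    def update(self, owner: str, rtype: str, data: str, principal: Optional[str]) -> str:
        """Apply one dynamic update. principal is None for an unauthenticated (nonsecure)
        update, e.g. from a client that cannot authenticate to AD. Returns 'accepted'
        or the refusal reason."""
        key = f"{owner.lower()}/{rtype}"
        if self.dynamic_update == NONE:
            return "refused: zone does not accept dynamic updates"
        if self.dynamic_update == SECURE_ONLY:
            if principal is None:
                return "refused: zone accepts secure (authenticated) updates only"
            existing = self.records.get(key)
            if existing and existing.acl_owner not in (None, principal):
                # The record's ACL lets only its creator modify it.
                return f"refused: {owner} {rtype} is owned by {existing.acl_owner}"
        # Nonsecure and secure: anyone may create or overwrite a record (no ACL check),
        # which is why another host can take over a name in such a zone.
        acl = principal if self.ad_integrated else None
        self.records[key] = Record(owner, rtype, data, acl)
        return "accepted"


def register_client(fwd: Zone, rev: Zone, host: str, ip: str,
                    client_principal: Optional[str], dhcp_principal: Optional[str]) -> dict[str, str]:
    """A and PTR registration for one DHCP client. A client that supports dynamic
    update registers under its own computer account; a down-level client (Windows 9x/NT,
    client_principal None) gets both records registered by the DHCP server on its
    behalf when dhcp_principal is given."""
    owner = f"{host}.{fwd.name}"
    who = client_principal if client_principal is not None else dhcp_principal
    return {
        "A": fwd.update(owner, "A", ip, who),
        "PTR": rev.update(ptr_owner(ip), "PTR", owner, who),
    }


if __name__ == "__main__":
    fwd = Zone("fabrikam.com", ad_integrated=True, dynamic_update=SECURE_ONLY)
    rev = Zone("0.0.10.in-addr.arpa", ad_integrated=True, dynamic_update=SECURE_ONLY)
    print(register_client(fwd, rev, "pc1", "10.0.0.5", "PC1$", "DHCP01$"))
    print(fwd.update("pc1.fabrikam.com", "A", "10.0.0.99", "PC2$"))   # another account: refused
    print(register_client(fwd, rev, "nt4box", "10.0.0.7", None, None))      # down-level, no DHCP help
    print(register_client(fwd, rev, "nt4box", "10.0.0.7", None, "DHCP01$"))  # DHCP registers for it
```

The contrast the practitioner wants to see is the last two calls: a down-level client cannot register in a "Secure only" zone by itself, so the DHCP server has to be configured to update on its behalf, and the record then belongs to the DHCP server's account rather than the client's.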


Zone Transfer
• Enabled on a Standard Primary
  o Default setting: Only Transfer to servers listed on name servers tab
  o Add secondary servers to name servers tab
• AD Integrated zone - disabled
  o Must be enabled on Zone Transfers tab and add secondary servers to Name Servers tab
• Option to specify IP addresses of servers permitted to zone transfer
• "Transfer from master", on secondary, forces a zone transfer
• DNS notify reduces the zone latency as Primary server notifies all listed servers of updates.
• DNS Notify SHOULD NOT be configured to systems that are caching-only DNS servers or non-DNS servers.

Default Settings for Zone Transfer
When a Primary zone is created, zone transfers are enabled and, by default, configured as "Only to servers listed on the Name Servers tab". This is different from the setting in Windows 2000, which was "Allow transfers to any server". In Windows Server 2003, by default the secondary name servers must be listed on the Name Servers tab in order for them to obtain zone transfers. When an Active Directory Integrated zone is created, zone transfers are disabled by default. To allow zone transfers to occur, enable them on the Zone Transfers tab in the Properties of the zone. Be aware that when zone transfers are enabled this way, the default setting is "To all servers". To secure the zone transfer, select "Only to servers listed on the Name Servers tab" or specify the name servers by IP address, and make sure the secondary name servers are listed on the Name Servers tab.

Zone Transfer via Notify
By default, a Master Server will notify the secondary servers when updates are made. The serial number in the SOA record, which can be viewed on the SOA tab in the Properties of the zone, is incremented when changes occur to the database, and this triggers the notification process. Only those servers that have been listed to be notified are contacted. A zone transfer is a Notify - Pull transaction: the secondary servers are notified that there have been changes, and each secondary server then requests the updates from its Master Server.


Securing Zone Transfers
Zone transfers can be secured either by using "Only to servers listed on the Name Servers tab" or by using "Only to the following servers" and specifying the IP addresses of the servers to which the data will be transferred.
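The transfer settings from the Zone Transfer, Notify and Securing Zone Transfers sections reduced to a policy function, as an added example that is not code from the course notes. It also plays out the notify-pull sequence so that the common misconfiguration is visible: a server on the notify list that is not on the Name Servers tab (or the IP list) is notified and then refused when it pulls. Host names, addresses and the `transfer_exposure` audit wording are constructed.

```python
"""Which requester may pull a zone transfer from a primary, and what the
notify-pull sequence does when the notify list and the transfer list disagree.
Added illustration; host names and addresses are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field

NO_TRANSFER = "disabled"
TO_ANY_SERVER = "To any server"                                      # Windows 2000 default
TO_NAME_SERVERS = "Only to servers listed on the Name Servers tab"  # Standard Primary default
TO_LISTED_IPS = "Only to the following servers"


@dataclass
class PrimaryZone:
    name: str
    ad_integrated: bool = False
    transfer_mode: str = TO_NAME_SERVERS
    name_servers: dict[str, str] = field(default_factory=dict)  # NS host -> IP (Name Servers tab)
    allowed_ips: set[str] = field(default_factory=set)          # IPs for "Only to the following servers"
    notify_ips: set[str] = field(default_factory=set)           # Notify list
    serial: int = 1

    def __post_init__(self) -> None:
        if self.ad_integrated:
            self.transfer_mode = NO_TRANSFER   # ADI zones are created with transfers disabled

    def enable_transfers(self, mode: str = TO_ANY_SERVER) -> None:
        """Ticking 'Allow zone transfers' defaults to the open setting; pass a
        restricted mode to mirror choosing one of the other options."""
        self.transfer_mode = mode

    def allow_transfer(self, requester_ip: str) -> bool:
        if self.transfer_mode == NO_TRANSFER:
            return False
        if self.transfer_mode == TO_ANY_SERVER:
            return True            # any host that can reach the server can copy the whole zone
        if self.transfer_mode == TO_NAME_SERVERS:
            return requester_ip in self.name_servers.values()
        if self.transfer_mode == TO_LISTED_IPS:
            return requester_ip in self.allowed_ips
        raise ValueError(f"unknown transfer mode {self.transfer_mode!r}")

    def handle_request(self, requester_ip: str, qtype: str) -> str:
        """AXFR/IXFR are gated by the transfer policy; ordinary queries are not."""
        if qtype in ("AXFR", "IXFR"):
            return "TRANSFER" if self.allow_transfer(requester_ip) else "REFUSED"
        return "ANSWER"

    def publish_change(self) -> dict[str, str]:
        """A change bumps the SOA serial, the primary notifies the listed servers,
        and each notified server pulls (IXFR), which still has to pass the policy."""
        self.serial += 1
        return {ip: self.handle_request(ip, "IXFR") for ip in sorted(self.notify_ips)}


def transfer_exposure(zone: PrimaryZone) -> str:
    """Quick audit verdict for a zone's transfer setting (constructed wording)."""
    if zone.transfer_mode == TO_ANY_SERVER:
        return "open: restrict to the Name Servers tab or to explicit IP addresses"
    if zone.transfer_mode == TO_NAME_SERVERS and not zone.name_servers:
        return "restricted, but no name servers are listed so no secondary can transfer"
    return "restricted"


if __name__ == "__main__":
    std = PrimaryZone("fabrikam.com",
                      name_servers={"ns1.fabrikam.com": "10.0.0.1", "ns2.fabrikam.com": "10.0.0.2"},
                      notify_ips={"10.0.0.2", "10.0.0.3"})       # 10.0.0.3 is notified but not listed
    print(std.handle_request("203.0.113.9", "AXFR"))             # REFUSED
    print(std.publish_change())                                  # 10.0.0.3 pulls and is refused
    adi = PrimaryZone("corp.fabrikam.com", ad_integrated=True)
    adi.enable_transfers()
    print(transfer_exposure(adi))                                # open, until restricted
```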


SOA Record
• Zone Transfer Process Controlled by SOA record
• Refresh Interval
  o Frequency Secondary checks Master for updates
  o Increasing this value delays next SOA request
• Retry Interval
  o Time to wait before retrying after a failed zone transfer
• Expires after
  o Length of time Secondary will attempt to contact Master
  o Time expires, zone expires
  o Zone expires, it will stop responding to queries
• TTL
  o Length of time records are cached
  o Increasing TTL allows records to be kept longer in cache – fewer authoritative queries

The Start of Authority record controls the zone transfer process and provides information regarding the authoritative server for the zone. The SOA tab can be accessed in the Properties of the zone. The Serial number, which increments when changes are made, can also be incremented manually to initiate a transfer; it is the Serial number changing that triggers the notifications to the secondary servers. The Primary Server is the name of the authoritative server for the zone. The user account that created the zone is the Responsible person. The bottom section pertains to the handling of the secondary zones: how they refresh, the time intervals to use, and the life of the records they receive.

Refresh Interval - The frequency at which the secondary servers check the Master for updates. This is outside of the Notification process. By default, the secondary server requests updates from the Master Server every 15 minutes.

Retry Interval - If the request at the Refresh Interval was not successful, the Retry Interval is used and the secondary server retries contacting the Master Server every 10 minutes by default.

Expires after - The length of time the secondary server will continue to attempt contacting the Master Server. After one day (by default), the time expires and the zone expires. Once the zone expires, the secondary server will no longer respond to queries for the expired zone.

TTL - The time to live is the amount of time cached records are maintained. The setting for all cached records is 1 hour by default. The TTL at the bottom of the window is for the SOA record itself; it has a default time-to-live of 1 hour.


Zone Transfers
• Zone Transfers occur from Master Server:
  o Primary to Secondary
  o Secondary to Secondary
  o AD Integrated to Secondary
• Full Transfer (AXFR)
  o Entire database replicated between two servers - Used when secondary is created
• Incremental Transfer (IXFR)
  o Only modified records replicated
  o Not supported by Windows NT
  o BIND 8.2 and later support this option

Zone transfers help maintain the DNS data for a particular zone. Which servers can obtain a zone transfer is controlled by the settings on the Zone Transfers tab in the Properties of the zone. A transfer allows the secondary to store a copy of the zone so that it can resolve client requests without contacting the Primary Server. When a secondary zone is created, the configuration wizard requires the IP address of the Master Server; this is the DNS server that will provide the updates to the secondary zone. A Master Server can be a Primary server, another Secondary server, or a server with an Active Directory Integrated zone.

Full Transfer (AXFR)
The Full Transfer copies all of the database information to the secondary server. This is used when the secondary zone is first created. If the Secondary zone is configured on a DNS server that does not support incremental transfers, then each time the transfer occurs it will be a full transfer. An AXFR may also occur when the Secondary server determines that the SOA serial numbers are significantly different.

Incremental Transfer (IXFR)
The Incremental Transfer will send only the changed records from a Master name server to the secondary servers. This will still create network traffic, but not like the Full Transfer.
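The secondary-side behaviour described in the DNS Design (manual refresh options), SOA Record and Zone Transfers sections, acted out in one added example that is not code from the course notes. A toy master keeps a short change history per serial; a toy secondary runs the Refresh / Retry / Expire timers, compares serials before transferring, receives an IXFR when the master can patch it and an AXFR otherwise, and implements the three manual actions (Reload, Transfer from master, Reload from master). The timer defaults are the ones the notes give (15 min, 10 min, 1 day, 1 hour); the zone contents and the size of the kept history (`MAX_DELTAS`) are constructed.

```python
"""Secondary zone maintenance driven by the SOA record. Added illustration;
zone data and the delta history size are constructed, timer defaults are
the Windows defaults quoted in the notes."""
from __future__ import annotations
from dataclasses import dataclass, field, replace

MIN, HOUR, DAY = 60, 3600, 86400
MAX_DELTAS = 5   # constructed: how many serials of change history the master keeps


@dataclass
class Soa:
    serial: int = 1
    refresh: int = 15 * MIN
    retry: int = 10 * MIN
    expire: int = 1 * DAY
    minimum_ttl: int = 1 * HOUR


@dataclass
class Master:
    soa: Soa
    records: dict[str, str]                  # owner -> A record
    supports_ixfr: bool = True               # False for e.g. Windows NT or BIND before 8.2
    reachable: bool = True
    history: dict[int, dict[str, str]] = field(default_factory=dict)  # serial -> changed records

    def change(self, changes: dict[str, str]) -> None:
        self.soa.serial += 1                 # the serial change is what notify and refresh key on
        self.records.update(changes)
        self.history[self.soa.serial] = dict(changes)
        for old in sorted(self.history)[:-MAX_DELTAS]:
            del self.history[old]

    def query_soa(self) -> Soa:
        if not self.reachable:
            raise ConnectionError("master unreachable")
        return replace(self.soa)

    def transfer(self, since_serial: int, force_full: bool) -> tuple[str, dict[str, str]]:
        self.query_soa()                     # raises if unreachable
        # A secondary older than the kept history ("significantly different" serials)
        # cannot be patched and gets a full transfer.
        have_deltas = bool(self.history) and since_serial >= min(self.history) - 1
        if force_full or not self.supports_ixfr or not have_deltas:
            return "AXFR", dict(self.records)
        merged: dict[str, str] = {}
        for s in sorted(self.history):
            if s > since_serial:
                merged.update(self.history[s])
        return "IXFR", merged


@dataclass
class Secondary:
    master: Master
    soa: Soa = field(default_factory=Soa)
    serial: int = 0
    memory: dict[str, str] = field(default_factory=dict)   # what the server answers from
    disk: dict[str, str] = field(default_factory=dict)     # local zone file
    last_ok: float = 0.0       # last successful contact with the master
    next_check: float = 0.0    # next scheduled SOA check

    def transfer_from_master(self, now: float, force_full: bool = False) -> str:
        """'Transfer from master' compares serials first; 'Reload from master'
        (force_full=True) transfers everything regardless."""
        try:
            master_soa = self.master.query_soa()
            if not force_full and master_soa.serial == self.serial:
                self.last_ok, self.next_check = now, now + self.soa.refresh
                return "up-to-date"
            kind, data = self.master.transfer(self.serial, force_full)
        except ConnectionError:
            self.next_check = now + self.soa.retry   # Retry interval after a failure
            return "retry"
        self.memory = dict(data) if kind == "AXFR" else {**self.memory, **data}
        self.disk = dict(self.memory)
        self.soa, self.serial = master_soa, master_soa.serial
        self.last_ok, self.next_check = now, now + self.soa.refresh
        return kind

    def reload(self) -> None:
        """'Reload': local storage to memory, no network traffic."""
        self.memory = dict(self.disk)

    def tick(self, now: float) -> str:
        """Scheduled maintenance: contact the master only when a timer is due."""
        return self.transfer_from_master(now) if now >= self.next_check else "idle"

    def expired(self, now: float) -> bool:
        return now - self.last_ok > self.soa.expire

    def answer(self, name: str, now: float) -> str | None:
        """An expired zone stops answering queries for it."""
        return None if self.expired(now) else self.memory.get(name)
```

A stub zone refreshes the same way; the only difference is that it keeps just the SOA, NS and glue records from the transfer, so the same timers and serial check apply to it.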


Active Directory Integrated
An Active Directory Integrated zone only supports zone transfers when going to a secondary server. The Zone Transfers tab is disabled by default and must be enabled and configured in order to complete a zone transfer. Zones that have been configured as Active Directory Integrated zones do not use zone transfers between themselves; the database is transferred as part of File Replication Service through Active Directory. The DNS database replicates as part of the Domain partition and replicates to all domain controllers, whether they have DNS installed or not.

How To: Configure a Secondary Name Server in Windows Server 2003 (KB816518)

Win 2008 ADI Zone Replication
In Windows 2000, an Active Directory Integrated zone was replicated as part of Active Directory replication, within the domain partition. With Windows Server 2003/2008, there are three additional options for replication of the DNS database in Active Directory. These use the replication partitions for the domain (DomainDnsZones) and the forest (ForestDnsZones), and custom partitions can also be created; all of these are new features with Windows Server 2003. The built-in application directory partitions, DomainDnsZones and ForestDnsZones, can be viewed in the Primary zone that is being stored in Active Directory. To configure and see the selections, select Properties for the zone and on the General tab select Change. This button is only available when the zone is being stored in Active Directory. These choices are also available when using the wizard to create the zone manually and the selection to store in Active Directory has been checked. There are four options provided. Details of each selection are listed below.
• To All DNS Servers in Active Directory Forest - replicates zone data to all DNS servers on domain controllers running Windows Server 2003/2008 in the Active Directory forest. For this option, the database is stored in the ForestDnsZones directory application partition. It creates the greatest network traffic but does increase the fault tolerance of the zone information.
• To All DNS Servers in Active Directory Domain - replicates zone data to all DNS servers on domain controllers running Windows Server 2003/2008 in the Active Directory domain. For this option, the database is stored in the DomainDnsZones directory application partition.
• To All Domain Controllers in Active Directory Domain - replicates zone data to all domain controllers in the Active Directory domain. The database is stored in the standard domain partition. This option must be selected if you have Windows 2000 domain controllers running the DNS server: application partitions are not available with Windows 2000, so the ForestDnsZones and DomainDnsZones partitions cannot be used.


• To All Domain Controllers Specified in the Scope of the Following Application Directory Partition - custom application directory partitions can be created, and specific domain controllers running DNS and Windows Server 2003/2008 can be specified to be part of the new partition. The database is only replicated to those domain controllers that are hosting the custom application directory partition.

Only members of the Enterprise Admins group may create and populate the custom application directory partitions. In order to create application directory partitions, Support Tools must be installed. These can be found on the Windows Server 2003 CD under Support\Tools; the file to install is suptools.msi. The commands to both create the application directory partition and specify the domain controllers for it are executed from the command line. Once at a command prompt, change directories until you are at C:\Program Files\Support Tools.

To create an application directory partition, type the following command:

    dnscmd servername /createdirectorypartition FQDNofPartition

(servername is the name of the server where you are creating the partition; FQDNofPartition is the name of the partition plus the domain name.) For example, if you were creating an application directory partition called part1 in the fabrikam.com zone and the server name was w2008server, the command would be:

    dnscmd w2008server /createdirectorypartition part1.fabrikam.com

To add domain controllers to the application directory partition, use the following command:

    dnscmd servername /enlistdirectorypartition FQDNofPartition

For instance, if you are adding a domain controller named w2008server2 to the new partition, the command would be:

    dnscmd w2008server2 /enlistdirectorypartition part1.fabrikam.com


Root Name Servers
• If connectivity to Internet is not required AND you desire only local name resolution
• Top node in DNS name structure
• Good for intranet performance
• Client queries stop at your root server
• Forwarding, Root hints not available
• Methods to complete configuration
• Delete Cache.dns file
• Create zone with period, "."

A Root server is the end of namespace resolution. The "root" servers provided on the Internet are the end of the FQDN namespace for the Internet. Only for specific reasons would a Root server on an internal DNS server be appropriate. If the network is not connected to the Internet and no communication is required outside of the network, a Root server could be created. If local name resolution is all that is required, then an internal Root server might be appropriate. Without an Internet connection or a local root name server, attempts to reach Internet sites will take a long time to fail. The internal Root server becomes the top node in the DNS namespace, and all name queries end at the Root server. It can be good for intranet performance. With a Root server in the internal environment, the Root hints on other DNS servers should be modified to include only the internal network's Root server. When a Root zone is created, the capability to Forward or use Root Hints is disabled on that server: since the server is seen as being the top of the chain, there is nowhere else to go.

Creating a Root Server
To create a Root server, simply create a forward lookup zone named ".". The Cache.dns file is the file that contains the root hints for the Internet; it is updated each time the DNS Server service is started. In order to receive a faster negative reply when an internal root server is being used, delete the Cache.dns file on all DNS servers so they do not try to resolve recursively through the root hints.

How to Delegate All Internet Top-Level Domains on an Internal Root DNS Server (KB294906)


Non-root Name Servers
• Multiple namespace support supports a:
  o Need to interact with Internet
  o Need to interact with intranet
• Non-root Name Server redirects unknown requests to root level servers
• Delete '.' zone to be able to forward and have root hints available
• Uses default Cache.dns file
• Contains A and NS records for Internet root servers
• Without root hints or forwarding a DNS server can only resolve for the zones stored locally on the server

If you need to support access to the Internet from your internal DNS server, then you will need to configure your DNS server not to be the root name server. As long as there is no '.' root zone, the DNS server has access to root hints and forwarding. The only time a root zone is automatically created is when the "Configure your Server" option is used to configure the DNS server; all other methods leave the root hints and forwarding enabled. The Root Hints can be viewed on the Root Hints tab in the Properties of the DNS server. The Cache.dns file is located in the %systemroot%\system32\DNS\ folder. If you require the DNS server to be able to locate the actual Internet root servers, you should not remove this file. The Internet Assigned Numbers Authority maintains a set of Root DNS servers that are responsible for maintaining the Internet's name resolution infrastructure. The highest level server is simply known as the "." root server. There are 13 root servers currently available on the Internet. Each time the DNS Server service is started, the Cache.dns file is updated. The file contains the A and NS records for the Internet root servers.

http://www.iana.org/about/popular-links/
How To: Configure DNS for Internet Access in Windows Server 2003 (KB323380)
How To: Troubleshoot DNS Name Resolution on the Internet in Windows Server 2003 (KB816567)


DNS and BIND
• Requires a NS resource record be created for the UNIX server
• With both 2003 and BIND DNS, use 2003 as Primary and BIND as secondary
• Advanced features of DNS not supported in BIND
• Migrating from BIND to 2003 and supporting name resolution during the process
  o Create Primary on 2003 DNS using existing zone file.
  o Create Secondary on 2003 DNS with BIND server as the master. Change 2003 DNS to Primary zone with BIND changing to Secondary zone.

UNIX BIND (Berkeley Internet Name Domain) DNS can work with a Windows Server 2008 network if the version of BIND is 8.1.2 or higher. In most cases, the latest version is being used, which meets the criteria. In order for DNS to function with Windows Server 2003 AD, it must be able to support SRV records and Dynamic Updates. To minimize network traffic, it would be best to also support incremental transfers, which can be achieved with BIND version 8.2 and higher. When integrating BIND with a Windows Server 2008 DNS server, it is best to use the Windows Server 2003 DNS as the Primary and use the UNIX BIND as the secondary. Be sure to enable the DNS server advanced property "BIND Secondaries" so that the UNIX server will be able to successfully request zone transfers.

When migrating from BIND to Windows Server 2003 DNS, it may be necessary to keep both DNS servers available to provide name resolution during the migration. The best way to accomplish this is to establish the Windows Server 2003 DNS with a Primary DNS zone with a new zone name. As the systems are migrated, they can be transferred to use the new DNS server. In order to still provide name resolution for both zones, place a secondary on each of the servers for the other zone: BIND hosts a secondary for the new Windows Server 2003 DNS zone, and Windows Server 2003 DNS hosts a secondary for the BIND DNS zone.


Configure DNS Client
• DNS Server List
  o DNS server to register and send queries
  o Subsequent servers only used when previous fails to respond
• Register this connection's addresses with DNS enables Dynamic Updates
• Use Connection's DNS suffix
  o Allows for a client to register its name in multiple zones, servers in one domain that need to be accessed via FQDN for different domain. (I.E. server named www in training.fabrikam.com registers DNS record in fabrikam.com for name resolution to www.fabrikam.com)

To configure the systems in the network to be DNS clients, open the Properties of the network interface card and view the Properties for the Internet Protocol. On the General tab, there are two spaces provided for DNS server addresses: the Preferred DNS server, which is contacted first for name registration and name resolution, and the Alternate DNS server, which is only contacted if the preferred server cannot be reached. In the Advanced area of the IP settings, the DNS tab provides additional options that can be configured.

Appending Suffixes
This feature allows users to use one-word host names instead of a FQDN. The default setting, "Append primary and connection specific DNS suffixes", means that a user in sales.fabrikam.com requesting ServerA with NetBIOS over TCP/IP disabled would cause a query to be sent to the DNS server asking for the IP address of serverA.sales.fabrikam.com. If the checkbox "Append parent suffixes of the primary DNS suffix" were checked, then the client would attempt serverA.sales.fabrikam.com followed by serverA.fabrikam.com. By specifying "Append these DNS suffixes (in order)" as shown in the screenshot, the computer would send serverA.sales.fabrikam.com then serverA.fabrikam.com even though the DNS client itself might belong to contoso.com. This "Append these DNS suffixes (in order)" option is configured manually on each machine, or there is a Group Policy setting that will configure it for all clients where the policy is applied. If you had a multi-homed server that needed to be accessible in two different zones, you could use the "DNS suffix for this connection" setting: for example, enter sales.fabrikam.com on one adapter's properties and contoso.com on the second. To maintain current listings, select the checkbox "Use this connection's DNS suffix in DNS registration", and that server would have A records in both zones. Please note that the default selection above reads "Append primary and connection specific DNS suffixes."

Register this connection's addresses with DNS: This is enabled by default and enables the system to dynamically register its Host (A) record and PTR record, depending on the DHCP server setting. If the system has been statically assigned an address, it will register both records in DNS. If this box is cleared, the system will not register its own records, no matter how the DHCP server is configured.

Use Connection's DNS Suffix / DNS suffix for this Connection: The system is assigned a DNS suffix that becomes part of the full name of the computer. It is seen in the System Properties / Computer Name tab. In a multi-homed system, it may be necessary to use a different DNS suffix to identify a network interface. Check the box "Use this connection's DNS suffix in DNS registration" and insert the DNS suffix that should be used for that interface in the area provided. Remember that the DNS suffix is what is used to register with the DNS server, so there must be a zone with that DNS suffix name or the interface will not be able to register.

Appending DNS suffixes allows users to find resources without needing to know the exact fully qualified domain name. CAUTION! Resources with the same host names in different domains may return erroneous information. There are only two ways to specify multiple DNS suffixes for a client: manually on each client, or using a GPO. A DHCP lease can only specify one entry for option 015 - DNS domain name.
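The suffix options from the Configure DNS Client and Appending Suffixes sections, as an added example that is not code from the course notes: it builds the ordered list of names a client tries for a single-label name under each option, shows the CAUTION case (the same host name in two domains, where the first match wins and the order of the suffix list decides which host the user reaches), and lists the names a multi-homed server registers when "Use this connection's DNS suffix in DNS registration" is checked. Devolution is simplified to stop at the second-level domain; the suffixes, hosts and addresses are constructed.

```python
"""Which names a Windows DNS client tries for a single-label name, and which
names a multi-homed server registers. Added illustration; suffixes, hosts and
addresses are constructed and devolution is simplified."""
from __future__ import annotations


def candidates(name: str, primary_suffix: str, connection_suffix: str | None = None,
               devolve: bool = False, search_list: list[str] | None = None) -> list[str]:
    """FQDNs in the order the client queries them for an unqualified name.

    search_list       - "Append these DNS suffixes (in order)": replaces the other two options
    devolve           - "Append parent suffixes of the primary DNS suffix"
    connection_suffix - "DNS suffix for this connection" (the default setting appends it too)
    """
    if name.endswith("."):
        return [name.rstrip(".").lower()]        # already fully qualified: tried as-is only
    if search_list is not None:
        suffixes = list(search_list)
    else:                                         # "Append primary and connection specific DNS suffixes"
        suffixes = [primary_suffix]
        if devolve:
            labels = primary_suffix.split(".")
            for i in range(1, len(labels) - 1):   # sales.fabrikam.com -> fabrikam.com (never bare "com")
                suffixes.append(".".join(labels[i:]))
        if connection_suffix:
            suffixes.append(connection_suffix)
    out: list[str] = []
    for suffix in suffixes:
        fqdn = f"{name}.{suffix}".lower()
        if fqdn not in out:
            out.append(fqdn)
    return out


def resolve(name: str, zones: dict[str, dict[str, str]], **client_settings) -> tuple[str, str] | None:
    """First candidate that exists wins; later candidates are never tried.
    zones maps a zone name to {single-label host: address}."""
    for fqdn in candidates(name, **client_settings):
        host, _, zone = fqdn.partition(".")
        if zone in zones and host in zones[zone]:
            return fqdn, zones[zone][host]
    return None


def registration_names(host: str, primary_suffix: str, connection_suffix: str | None = None,
                       register_connection_suffix: bool = False) -> list[str]:
    """Names the host registers: always host.<primary suffix>, and also
    host.<connection suffix> when "Use this connection's DNS suffix in DNS
    registration" is checked for that adapter."""
    names = [f"{host}.{primary_suffix}".lower()]
    if register_connection_suffix and connection_suffix:
        extra = f"{host}.{connection_suffix}".lower()
        if extra not in names:
            names.append(extra)
    return names


# Constructed zones: the same host name exists in two domains (the CAUTION case).
ZONES = {
    "sales.fabrikam.com": {"servera": "10.1.0.5"},
    "fabrikam.com": {"servera": "10.9.0.5", "www": "10.9.0.80"},
}

if __name__ == "__main__":
    print(candidates("ServerA", "sales.fabrikam.com", devolve=True))
    print(resolve("servera", ZONES, primary_suffix="contoso.com",
                  search_list=["sales.fabrikam.com", "fabrikam.com"]))   # the sales host
    print(resolve("servera", ZONES, primary_suffix="contoso.com",
                  search_list=["fabrikam.com", "sales.fabrikam.com"]))   # a different host
    print(registration_names("www", "training.fabrikam.com", "fabrikam.com", True))
```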

Client Registration in DNS
There are two ways DNS clients are registered. Manual registration is completed in the DNS console and Dynamic is accomplished from either the client or DHCP.

Manual Registration
The proper records can be manually created in the DNS console. When creating the A record, there is an option to also create the PTR record. In order to create the PTR, a Reverse Lookup zone must be already created for the network address. There is also a checkbox to select that will allow any authenticated user to update the DNS record with the same owner name. This option is only available when the zone is being stored in Active Directory. It will create an ACL that can be viewed in the Properties of the resource record.

Dynamic Registration
Clients running Windows 2000, Windows XP, Windows Server 2003 and 2008 support dynamic registration. The clients will dynamically register their A and PTR records in DNS if all settings are in order. If a static IP address has been configured, the default setting is to dynamically register (the "Register this connection's addresses with DNS" checkbox on the DNS tab is checked). If DHCP is providing the IP address, registration depends on the DNS settings in DHCP. The client registers whenever the system is started. If the DNS record is incorrect or the client has not registered for some reason, go to a command prompt and type ipconfig /registerdns.


Optimizing Name Resolution
For a better name resolution performance, it is best to configure the DNS clients with an IP address of a DNS server that is on the local segment. Since DNS is a major part of communication in the network, having it on the same segment as the clients allows registration and name resolution to be much more efficient. It cuts down network traffic across the routers and will enable name resolution to happen more quickly.

Round Robin
• Rotates Resource Records as it responds to Clients
• Provides Load Balancing of name resolution
• Does not verify host state so failure can still occur
• Enabled by default on the properties of the DNS server
• Configure by creating multiple A resource records with the same name but different IP address.

A Round Robin configuration allows a DNS server to return different IP addresses for the same name. This strategy is used to balance the load across different servers that maintain the same data, such as Web servers. The drawback is that DNS is not capable of determining the state of the server, so some requests may fail; if a request fails, the client will have to make the request again, as there is no redirection or management of a failed request. Round Robin can also be used for a multi-homed computer to balance the network load across its adapters. Round Robin is enabled by default. To configure records for Round Robin, create multiple Host (A) resource records using the same name with different IP addresses. Round Robin is selected on the Advanced tab of the DNS server Properties. Hands on: to confirm round robin functionality, set up multiple A records with the same name and different IP addresses, and then request that name multiple times from within nslookup.

DNS Interfaces
• Multi-homed DNS servers can be configured to respond on all interfaces or just specific IP addresses. • This allows DNS to ignore requests sent to network adapters not listed, responses will not be sent. • Commonly used when a DNS server is part of two networks but should be authoritative for name resolution on one of the networks.

• For security, be sure to verify that only appropriate interfaces on the DNS servers are responding to DNS clients. E.g. a clustered DNS server would typically not be configured to respond to name queries on the intra-cluster interface.


Advanced DNS Server Properties
• Disable Recursion - cleared
o Full name resolution supported
o Disables Forwarding option
• BIND Secondaries - checked
o Selection causes slow transfers
o BIND versions earlier than 4.9.4 do not support fast transfer, so this option should remain enabled when transferring only to BIND 4.9.3 and earlier
• Enable Netmask Ordering - checked
o Answers the query with the host record in the same subnet, if more than one host record is available
• Secure Cache Against Pollution - checked
o Prevents a hacker from polluting the cache of a DNS server with resource records that were not requested

Disable Recursion - Recursion is used when the DNS server queries other servers on behalf of the client and attempts to fully resolve the FQDN. The default setting is for the DNS server to provide full name resolution. If Disable Recursion is selected, the server will not resolve the query for the client but sends referrals back to it, allowing the client to perform iterative queries instead. If this option is selected, the server will not use Forwarders either. The only situation in which this option should be selected is on an internal Root server.

BIND Secondaries - The key issue here is so-called fast zone transfers. In a fast zone transfer, multiple DNS records can be placed into a single data packet. For example, an AXFR of 1,500 records using the fast transfer format might only require 50 data packets. The slow transfer format would require at least 1,500 data packets with considerable attendant overhead. The fast transfer format is always used between Microsoft DNS servers. Since this option is selected by default, the Microsoft DNS server will perform a slow zone transfer to BIND servers. If the version of BIND is 4.9.3 or earlier, leave this option checked to preserve the slow transfer format. "ON is slow, OFF is fast."

Netmask Ordering - Allows DNS to respond to a query for a host name which has multiple records in DNS. DNS determines the host record that is in the same subnet as the requesting client, and that address is returned to the client. This should localize traffic so that clients are directed to nearby servers. This supersedes Round Robin when configured. Round Robin will still be utilized if more than one server is in the same subnet.
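The following is an added example, not part of the course notes, that models how the Round Robin and Netmask Ordering options described above interact: records in the client's subnet are placed first, and each group is then rotated per query. The /24 subnet size and the per-name rotation counter are assumptions of this model, not details taken from the notes.

```python
# Added example (not from the original course notes): a minimal model of how a
# DNS server orders multiple A records for one name when "Enable netmask
# ordering" and "Enable round robin" are both on. Assumed behaviour: records
# whose address shares the client's subnet go first (netmask ordering), then
# each group is rotated on every query (round robin). The subnet size used for
# the "same subnet" test is a parameter here (assumed /24).
from ipaddress import ip_address, ip_network


class ARecordSet:
    """All A records registered under one name, plus a rotation counter."""

    def __init__(self, name, addresses):
        self.name = name
        self.addresses = [ip_address(a) for a in addresses]
        self._rotation = 0  # advanced once per answered query

    def _rotate(self, group):
        # Rotate a list by the current counter; single entries need no rotation.
        if len(group) < 2:
            return list(group)
        k = self._rotation % len(group)
        return group[k:] + group[:k]

    def answer(self, client_ip, prefixlen=24, netmask_ordering=True, round_robin=True):
        """Return the addresses in the order the server would send them."""
        client = ip_address(client_ip)
        local, remote = [], []
        for addr in self.addresses:
            same_subnet = client in ip_network(f"{addr}/{prefixlen}", strict=False)
            (local if netmask_ordering and same_subnet else remote).append(addr)
        if round_robin:
            # Netmask ordering supersedes round robin, but round robin still
            # applies within each group when it holds more than one record.
            local = self._rotate(local)
            remote = self._rotate(remote)
            self._rotation += 1
        return [str(a) for a in local + remote]


if __name__ == "__main__":
    # Constructed sample: three web servers, two of them on the client's subnet.
    www = ARecordSet("www.corp.test", ["10.1.1.10", "10.2.2.10", "10.1.1.11"])
    for _ in range(3):
        print("client 10.1.1.50 ->", www.answer("10.1.1.50"))
    print("client 192.168.5.5 ->", www.answer("192.168.5.5"))
```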


Secure cache against pollution - By default, the DNS server is secured from cache pollution, which occurs when DNS query responses contain nonauthoritative or malicious data. The Secure cache against pollution option prevents a hacker from polluting the cache of a DNS server with resource records that were not requested. Changing this default setting will increase the chances that incorrect query results will be returned to the client.

Enable automatic scavenging of stale records - This setting is useful in networks of portable computers, which tend to get disconnected from the network without releasing their A and PTR records. Enabling this setting in the server properties allows the DNS administrators to configure individual zones for scavenging. By default, DNS zones are NOT enabled for scavenging, so this must be set by the administrators for each desired zone once the server has been enabled for scavenging. When the DNS server scavenges a zone, it deletes records from the zone file based on a somewhat complex sequence. To quote the Microsoft article: "It should only be enabled when all parameters are fully understood. Otherwise, the server could be accidentally configured to delete records that should not be deleted." Proceed with caution. "Understanding aging and scavenging", Microsoft Windows Server 2003 TechCenter, January 21, 2005.


Test the DNS Server service
• Simple Test
o Performs an iterative test against the local database
o Uses the DNS resolver
o Tests the A record of the server
• Recursive Test
o Performs a recursive test to the root, "."
o Will fail if not connected to a Root name server, or if no root name server is present
o Will pass if the server tested is a root name server
o Will fail if the Cache.dns file is corrupt or missing
o Repair by replacing with Cache.dns from the samples folder and connecting to the Internet


Manage and Monitor DNS
• Utilities
o IPCONFIG
o NSLookup
o PING
o DNSCmd /zoneexport /enumzones
• System Monitor DNS counters:
o Dynamic Updates Received/sec
o Total Query Received/sec
o IXFR Success/Request Received
o AXFR Success/Request Received
• Event Logging
o Logs errors, warnings, & other DNS events

Several tools are available to manage and monitor DNS. They include command-line utilities, System Monitor, Debug logging and Event logging.

IPConfig is a tool that can be used to display the resolver cache on a local machine, delete the resolver cache and register the system with the DNS server. The parameters needed are IPConfig /displaydns, IPConfig /flushdns and IPConfig /registerdns. Be familiar with these three and what they can do. Another one that can be included is IPConfig /all, which shows all of the configuration information for the interfaces. This provides an easy way to confirm the DNS addresses that are being used and the DNS suffix for the system.

NSLookup is used to verify that resource records have been configured in DNS correctly. There are two modes: noninteractive and interactive. Interactive mode is used when several queries need to be checked. To enter NSLookup interactive mode, type Nslookup at the command prompt; a > prompt will be displayed. Noninteractive mode is for only one query. To use noninteractive mode, type Nslookup followed by the IP address or name you want to check. It will generate a response and then return to the normal command prompt. Using NSLookup to list the records in a zone requires that the system performing the NSLookup be allowed to perform a zone transfer. Many different switches are available with NSLookup; to view them, type NSLookup /? at the command prompt. In order for NSLookup to function properly, a Reverse Lookup zone with the appropriate PTR records is required.


System Monitor has additional counters added when DNS is installed. The counters are for the DNS object and include the following:
• AXFR Requests Received - number of full zone transfer requests received by the Master server
• AXFR Requests Sent - number of full zone transfer requests sent by a secondary server
• Caching Memory - total cache memory being used by DNS
• Dynamic Update Received - number of dynamic update requests received
• Dynamic Updates Rejected - number of dynamic updates rejected
• IXFR Request Received - number of incremental zone transfer requests received by the Master server
• Recursive Queries/sec - average number of recursive queries received in one second
• Secure Update Failure - number of secure updates that failed
• Total Query Received - total of all queries received
• Zone Transfer Failure - number of failed zone transfers of the Master server

DNSLint is not installed by default. The Support Tools from the Windows Server 2003 CD must be installed before this utility is available. "DNSLint is a Microsoft Windows utility that helps you to diagnose common DNS name resolution issues." It can also be helpful for troubleshooting replication problems. (KB321045)

DNSCmd is a command-line utility that also requires the Support Tools to be installed before it is available. DNSCmd can do anything that can be done within the DNS console. Because it is text executed at a command line, it can be scripted and then executed at a later time. There are a lot of different commands, which can be viewed at the command prompt by typing dnscmd /?. Some of the more frequently used ones that you want to be familiar with are listed below.
• /enumzones - lists all the zones on the DNS server
• /zoneinfo - displays zone information
• /zoneprint - displays all records in the zone
• /enumdirectorypartitions - lists all directory partitions
• /directorypartitioninfo - displays information regarding the directory partitions
• /zoneexport - allows an administrator to push a zone's records to a file


When DNS is installed, another Event log is created, called DNS Server. Make sure to check for errors and warnings regarding the DNS Server service. The types of events to log can be selected in the Event Logging tab in the Properties of the DNS server. These same events can be viewed within the DNS console: there is a folder for Event Viewer, and when it is expanded the DNS Events log is displayed. Within Event Viewer it is called DNS Server, but both areas display the same events.

Changes in Windows Server 2003 DHCP Logging (KB328891)
Description of the DNSLint Utility (KB321045)
How To: Use DNSLint to Troubleshoot Active Directory Replication Issues (KB321046)

DNS Debug Logging
In the Properties of the DNS server there is a tab for Debug Logging. In this tab, logging can be enabled for debugging, and the specific types of packets and information to log are configured. Debug logging allows monitoring of all types of DNS traffic sent to and from a DNS server, whether client to DNS or DNS to DNS. Logging this type of information is very resource intensive and should only be done when there is a problem and this type of information may be helpful. The file path can be designated at the bottom of the window; if DNS is being run locally, the default path is Windows\System32\dns\dns.log. To view either the default log or the log file designated in the configuration window, the DNS service must be stopped. This can be accomplished in the DNS console by selecting the DNS server, opening the shortcut menu, and clicking All Tasks and then Stop. Open WordPad and browse for the log file. After closing the file, make sure to restart DNS.


Group Policies and DNS
• Settings include all settings configured on an individual interface
o Primary DNS Suffix - configure automatically
o DNS Suffix Search List - provide the listing of DNS suffixes to use when using a host name instead of an FQDN
o Register PTR records
o Connection-specific DNS suffix

Windows Server 2003 provides Group Policy configuration options for DNS. They are found under Computer Configuration > Administrative Templates > Network > DNS Client. The settings that can be configured are primarily the settings that can be set on the local client. By applying them through a Group Policy, it is possible to configure all computers, or a group of computers, at the same time. Since these are Administrative Templates, the description of each element can be viewed in the policy element on the Explain tab. Any settings that are configured as a Group Policy will overwrite any settings that have been set locally or through DHCP.


Securing DNS
Securing the resources in the DNS server is a key factor in network security. Several items that can help in that endeavor are listed.

Place a DNS server on the external and internal networks: The internal DNS server provides name resolution for the internal network and then forwards any queries it cannot resolve to the external DNS server. The external DNS server is the server the public uses to access resources that have been made available to the public, such as public web servers. There is no forwarding from the external to the internal DNS server.

Limit DNS Interface Access: For a multi-homed system, identify the interface that should receive DNS requests and specify it on the Interfaces tab in the Properties of the DNS server. The default setting is All addresses. Remove any of the addresses that should not be accepting DNS requests.

Secure Zone Transfers: The most secure method to replicate zone information is using Active Directory Integrated zones. If that is not an option for the environment, select to transfer only to specific IP addresses as the most secure alternative. Avoid allowing zone transfers "To any server", as this is the least secure option.

Secure cache against pollution: This is enabled by default on the Advanced tab in the Properties of the DNS server. It prevents unrelated referrals from entering the cache: it caches only records that match the domain name from the original request, and any records that refer to a name outside of the requested domain are dropped.

Use Secure Dynamic Updates: By storing the DNS database in Active Directory, it can be secured by applying an ACL to the records. This prevents anyone but the owner of the record from modifying the information, and no one can add a record without permission to do so.
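The following is an added example, not part of the course notes, of the bailiwick check that "Secure cache against pollution" performs as described here and under Advanced DNS Server Properties: records in a response are kept for caching only if their owner name is the queried domain or lies beneath it. The sample response is constructed for illustration, and the check is a simplified model of the server's behaviour.

```python
# Added example (not from the original course notes): a simplified model of the
# "Secure cache against pollution" check. A record from a response is cached
# only when its owner name is the domain that was queried or a name beneath it;
# records for unrelated names (the classic way to plant a bogus address in a
# cache) are dropped. Comparison is label-by-label, so a suffix-string trick
# such as "example.com.evil.test" is not mistaken for part of example.com.


def _labels(name):
    """Normalise a DNS name into a tuple of lower-case labels (no trailing dot)."""
    return tuple(name.rstrip(".").lower().split("."))


def in_bailiwick(owner, queried_domain):
    """True if owner equals queried_domain or is a subdomain of it."""
    o, q = _labels(owner), _labels(queried_domain)
    return len(o) >= len(q) and o[len(o) - len(q):] == q


def filter_response(queried_domain, records):
    """Split response records into (cacheable, dropped).

    Each record is a (owner_name, rtype, rdata) tuple, as it would appear in
    the answer, authority or additional section of a response.
    """
    cacheable, dropped = [], []
    for rec in records:
        (cacheable if in_bailiwick(rec[0], queried_domain) else dropped).append(rec)
    return cacheable, dropped


# Constructed sample: a response to a query for www.example.com that also
# carries two records the server never asked for.
SAMPLE_RESPONSE = [
    ("EXAMPLE.COM.", "NS", "ns1.example.com"),         # same domain, different case
    ("www.example.com", "A", "192.0.2.10"),            # the answer itself
    ("ns1.example.com", "A", "192.0.2.53"),            # glue, within the domain
    ("www.bank.test", "A", "203.0.113.9"),             # unrelated name: pollution
    ("example.com.evil.test", "A", "203.0.113.10"),    # suffix trick: pollution
]

if __name__ == "__main__":
    kept, thrown_away = filter_response("example.com", SAMPLE_RESPONSE)
    for rec in kept:
        print("cache  ", rec)
    for rec in thrown_away:
        print("DROP   ", rec)
```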

DNS Naming Considerations
• Internal AD DNS vs. External Internet DNS
• Determine Internal and External Naming Strategies
• Delegated subdomain from the registered domain name (NEW PREFIX)
• Same DNS name for internal and external
• Different DNS name for internal and external (NEW SUFFIX)


Note: If an organization were to use two separate zones of authority that shared the same name, one inside the firewalls and the other outside, clients on the internal network would by default be unable to reach resources such as FTP or mail servers on the external network. In such a case, it would be necessary to manually add records with the names and external IP addresses of those external resources to the internal zone.


Enhancements to DNS in 2008
• GlobalNames Zone allows use of single-label names throughout an organization
• Background zone loading speeds up the process of loading zones and allows DNS servers to operate more efficiently
• IPv6 support - AAAA record

GlobalNames Zone
Allows DNS clients to connect to specific resources by a single-label name, such as Server1. The zone does not exist by default, but by deploying a zone with this name you can provide access to resources by using a single-label name without needing WINS. This functionality is only supported on DNS servers running Server 2008, and cannot replicate to servers running earlier versions. There are three basic steps to enabling this feature:
1. Enable GlobalNames Zone support. On each server to which the GlobalNames zone will be replicated, run the following command: Dnscmd /config /enableglobalnamessupport 1
2. Create the GlobalNames zone. This is not a special zone type. Instead it is an Active Directory Integrated forward lookup zone that is named "GlobalNames". Make sure this is replicated to all DNS servers in the forest.
3. Populate the GlobalNames zone. For each server that you want to provide single-label name resolution for, create an alias (CNAME) record in the GlobalNames zone. The name you give each record represents the single-label name that users will use to connect to the resource. Note that each CNAME record points to a host record in another zone.

Background Zone Loading
The DNS Server service in Windows Server 2008 makes data retrieval faster by implementing background zone loading. In the past, enterprises with zones containing large numbers of records in Active Directory experienced delays of up to an hour or more when the DNS Server service in Windows Server 2003 tried to retrieve the DNS data from Active Directory on restart. During these delays, the DNS server was unavailable to service DNS client requests for any of its hosted zones.

To address this issue, the DNS Server service in Windows Server 2008 retrieves zone data from Active Directory in the background after it starts, so that it can respond to requests for data from other zones. When the service starts, it creates one or more threads of execution to load the zones that are stored in Active Directory. Because there are separate threads for loading Active Directory-based zones, the DNS Server service can respond to queries while zone loading is in progress. If a DNS client requests data in a zone that has already been loaded, the DNS server responds appropriately. If the request is for data in a zone that has not yet been entirely retrieved, the DNS server retrieves the specific data from Active Directory instead. This ability to retrieve specific data from Active Directory during zone loading provides an additional advantage over storing zone information in files, namely that the DNS Server service has the ability to respond to requests immediately. When the zone is stored in files, the service must sequentially read through the file until the data is found.

Enhanced Support for IPv6
Forward name resolution for IPv6 addresses uses the IPv6 Host DNS record, known as the AAAA record (pronounced "quad-A"). For reverse name resolution, IPv6 uses the IP6.ARPA domain, and each hexadecimal digit in the 32-digit IPv6 address becomes a separate level in the reverse domain hierarchy, in inverse order. For example, the reverse lookup domain name for the address FD91:2ADD:715A:2111:DD48:AB34:D07C:3914 is 4.1.9.3.C.7.0.D.4.3.B.A.8.4.D.D.1.1.1.2.A.5.1.7.D.D.A.2.1.9.D.F.IP6.ARPA. The DNS Server service in Windows Server 2003 supports forward and reverse name resolution for IPv6; however, the support is not fully integrated. For example, to create an IPv6 address record (the AAAA record just discussed) in the Windows Server 2003 DNS Manager snap-in, you must right-click the zone, click Other New Records, and then double-click IPv6 Host (AAAA) as the resource record type. To add a AAAA record in the DNS Manager snap-in for Windows Server 2008, right-click the zone name, and then click New Host (A or AAAA). In the New Host dialog box, you can type an IPv4 or IPv6 address.
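The following is an added example, not part of the course notes, that builds the IP6.ARPA reverse lookup name described above by hand, including the "::" compression and dropped leading zeros that a written address may use, and cross-checks the result against Python's standard library. The address is the one used in the notes.

```python
# Added example (not from the original course notes): derive the IP6.ARPA
# reverse lookup name for an IPv6 address. The notes show the rule for a fully
# written address; this also expands "::" and short groups first, because a
# PTR record built from an abbreviated address would be silently wrong.
from ipaddress import IPv6Address

HEX_DIGITS = set("0123456789abcdefABCDEF")


def expand_ipv6(address):
    """Return the 32 hexadecimal digits of an IPv6 address, upper-case."""
    if address.count("::") > 1:
        raise ValueError("only one '::' is allowed in an IPv6 address")
    if "::" in address:
        head, tail = address.split("::")
        head_groups = head.split(":") if head else []
        tail_groups = tail.split(":") if tail else []
        missing = 8 - len(head_groups) - len(tail_groups)
        if missing < 1:
            raise ValueError("'::' must stand for at least one zero group")
        groups = head_groups + ["0"] * missing + tail_groups
    else:
        groups = address.split(":")
    if len(groups) != 8:
        raise ValueError("address must have 8 groups after expansion")
    digits = ""
    for group in groups:
        if not 1 <= len(group) <= 4 or any(c not in HEX_DIGITS for c in group):
            raise ValueError(f"bad group {group!r}")
        digits += group.zfill(4)  # restore suppressed leading zeros
    return digits.upper()


def ip6_arpa_name(address):
    """Reverse the 32 nibbles, dot-separate them and append IP6.ARPA."""
    return ".".join(reversed(expand_ipv6(address))) + ".IP6.ARPA"


def matches_stdlib(address):
    """Cross-check against ipaddress, which produces the same name in lower case."""
    return ip6_arpa_name(address).lower() == IPv6Address(address).reverse_pointer


if __name__ == "__main__":
    for addr in ("FD91:2ADD:715A:2111:DD48:AB34:D07C:3914", "fd91::1"):
        print(addr, "->", ip6_arpa_name(addr), "(stdlib agrees)" if matches_stdlib(addr) else "")
```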


WINS Integration with DNS
• WINS can be integrated with DNS by enabling the WINS forward lookup option on the WINS tab of the zone properties. Enabling this option creates a new WINS Lookup record in the DNS database.
• This record should not be replicated to UNIX servers.
• If a GlobalNames Zone is not an option, single-label name resolution can still be handled in Windows.

Using the WINS Lookup feature allows the DNS Server service to search the WINS database for names not found in the DNS database. Enabling this option creates a WINS resource record (RR) in the forward lookup zone, and in the reverse lookup zone if one exists. DNS servers that do not find a Host (A) record for a name forward the request to the WINS server configured in the WINS RR. This feature is only supported on DNS servers running Windows (including Windows NT and 2000). In heterogeneous DNS environments (e.g. Microsoft and UNIX/Linux) the "Do not replicate this record" option should be enabled to prevent transferring the record to a DNS server that does not support WINS integration.


Troubleshooting DNS Issues
Problem: Incorrect query results
• Outdated zone info on secondary DNS
o Decrease refresh interval on the SOA
o Add secondary servers to the Notify list
o Configure slave servers with additional masters
• Hosts file can be incorrect
o Update file and save
o Updates resolver cache automatically
• Client can have negative entry in resolver cache
• Update DNS Server
o Run IPCONFIG /flushdns on client
o Submit a query with the FQDN and trailing dot
o Clear the DNS Server's cache (Action > Clear cache)
o Enable scavenging for the server and zones on it

Problem: Secure DNS replication across public network
• Use AD integrated zones (data is encrypted by secure RPC session)
• Create standard secondaries at the branch locations
• Only include these DNS servers on the notify list

Problem: Minimize DNS replication over WAN link
Solution(s):
• Create Active Directory-integrated zones (attribute level replication)
• Create caching-only servers in remote locations
• Verify DNS supports IXFR (e.g. BIND 8.2 and Windows 2000)

Problem: Too much zone transfer traffic
• AD-integrated - replication part of File Replication Service
• Increase refresh interval on the SOA
• Ensure all DNS servers support IXFR (BIND 8.2, Windows 2000/03/08)

Problem: Client shows up in AD, but not DNS
• Configure Primary DNS zone to support Dynamic updates
• Configure AD Integrated zone to support Dynamic updates
• Run IPCONFIG /REGISTERDNS command on client
• Run net stop netlogon && net start netlogon on DCs

Problem: Too much network traffic due to name resolution
• Deploy multiple DNS servers
• Ensure client systems point to the nearest DNS server
• Increase TTL for longer caching

Incorrect query results
If clients are receiving incorrect results from a secondary server, it is most likely that the DNS server has stale records that need to be updated. In this case, there are a couple of options that can help eliminate this problem in the future. Of course the obvious option is to go to the secondary server and manually update the zone information from the primary or AD integrated DNS server. For a more permanent solution, additional master servers can be configured for the secondary servers. This will allow the secondary to contact one of many master servers to obtain the correct information. Another option is to decrease the refresh interval on the SOA. This will force the secondary DNS servers to communicate with the master more frequently to see if there are changes. Another option that will help with this issue is to create a Notify list of secondary servers that need to be updated when a change occurs on the master DNS server. The changes that occur on the master will initiate a message to the secondary servers indicating that they need to get the new information.

When an FQDN cannot be resolved, the client will append suffixes to it and keep trying. This is normal handling of a relative FQDN query. An absolute FQDN includes the trailing dot. The client and servers will not append suffixes to an FQDN which includes a trailing dot, and the query will be sent directly to the Root name servers, as an absolute name cannot be resolved from cache entries.

Portable computers can end up leaving stale records if they are disconnected from the network without shutting down. A DNS administrator can enable scavenging in the properties of the server. The DNS administrator would then need to enable scavenging in the properties of each relevant DNS zone. Scavenging has no effect on DNS records that have been entered by hand, only on the records registered by computers. When a client registers a record, it includes a timestamp which is later used for scavenging.
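The following is an added example, not part of the course notes, modelling the aging and scavenging behaviour described here and under Advanced DNS Server Properties: only timestamped (dynamically registered) records are ever deleted, hand-entered records are untouched, and nothing is deleted unless scavenging is enabled. The 7-day no-refresh and refresh intervals, and the rule that a record becomes eligible once its timestamp is older than their sum, are the Windows DNS defaults and are assumptions of this model rather than statements from the notes.

```python
# Added example (not from the original course notes): a simplified model of DNS
# aging and scavenging. Assumptions: a dynamically registered record carries a
# timestamp and a static (hand-entered) record has none; the no-refresh and
# refresh intervals default to 7 days each; a record is eligible for deletion
# once its timestamp is older than no-refresh + refresh. Sample records below
# are constructed for illustration.
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

SEVEN_DAYS = timedelta(days=7)


@dataclass(frozen=True)
class DnsRecord:
    name: str
    rtype: str
    rdata: str
    timestamp: Optional[datetime]  # None marks a static record: never scavenged


def refresh_timestamp(record, now, no_refresh=SEVEN_DAYS):
    """Model a client re-registering its record.

    Inside the no-refresh interval the timestamp is left alone (this is what
    keeps a busy zone from replicating a timestamp change on every refresh);
    after it, the timestamp is brought up to date. Static records are untouched.
    """
    if record.timestamp is None or now - record.timestamp < no_refresh:
        return record
    return replace(record, timestamp=now)


def scavenge(records, now, no_refresh=SEVEN_DAYS, refresh=SEVEN_DAYS,
             scavenging_enabled=True) -> Tuple[List[DnsRecord], List[DnsRecord]]:
    """Return (kept, deleted) for one scavenging pass over a zone.

    Only timestamped records older than the cutoff are deleted, and only when
    scavenging has been enabled for the server and the zone.
    """
    if not scavenging_enabled:
        return list(records), []
    cutoff = now - (no_refresh + refresh)
    kept, deleted = [], []
    for rec in records:
        if rec.timestamp is not None and rec.timestamp < cutoff:
            deleted.append(rec)
        else:
            kept.append(rec)
    return kept, deleted


if __name__ == "__main__":
    now = datetime(2010, 8, 19)
    zone = [
        DnsRecord("fileserver", "A", "10.0.0.5", None),                         # static
        DnsRecord("laptop1", "A", "10.0.0.41", now - timedelta(days=20)),       # stale
        DnsRecord("laptop2", "A", "10.0.0.42", now - timedelta(days=10)),       # still valid
    ]
    kept, deleted = scavenge(zone, now)
    print("deleted:", [r.name for r in deleted], "kept:", [r.name for r in kept])
```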

Too much zone transfer traffic
This is almost the opposite issue from the first. There are some differences though. First, a solution for this problem is to configure AD-integrated servers instead of using primary and secondary servers. The reason this is beneficial is that the AD information will be obtained via the AD database, which is replicated automatically and only changed attributes are replicated.

Another option to decrease the traffic is to increase the refresh interval on the SOA. This has the opposite effect from the first case, in that it reduces the number of times the secondary servers attempt to contact the primary DNS servers.


Single vs. Multi-Master Replication
The Windows NT 4.0 domain environment provided authentication and resource management in a configuration of account domains and resource domains. These domains were built using a single-master structure that began with a primary domain controller (PDC) and was accompanied by one or more backup domain controllers (BDC). Beginning with Windows 2000, 2003 and now with Windows Server 2008, the PDC and BDC architecture is no longer necessary. Authentication and resource management now use a multi-master domain controller methodology. Each individual domain controller is permitted to make updates to the Active Directory database. With Windows Server 2008, it is now possible to have Read Only Domain Controllers for situations in which writable domain controllers are not appropriate, typically branch offices. In a Windows Server 2008 Active Directory domain, all domain controllers are equal. They all share the same Active Directory information through AD replication. The domain controllers in a Windows 2003 domain are also equals and share their data through AD replication. Windows NT had a single-master structure. There was one Primary Domain Controller (PDC) that held the writable copy of the SAM (Security Account Manager) database. All other domain controllers were Backup Domain Controllers (BDC) and had a read-only copy of the SAM. Any time data was written to the SAM, it was written to the PDC database.


Single Master Operations
There are some operations in the Windows Server 2008 network that are held by only one Domain Controller. The function of the role determines the placement of the domain controller. There are five roles: two pertain to the forest, the other three deal with the domain. The two roles that work with the forest are the Schema Master role and the Domain Naming Master role. There is only one of each of these per forest. The three domain roles are PDC Emulator, Infrastructure Master and RID Master. There is one of each per domain.
• Domain Naming Master
o One per forest
o Maintains the domain list and ensures unique domain names
• RID Master
o One per domain
o Generates SIDs and distributes them to domain controllers
• Infrastructure Master
o One per domain
o Tracks moved objects
o Should not be collocated with a GC unless the forest has only a single domain, or is multi-domain where all DCs are also GCs
• PDC Emulator
o One per domain
o Synchronizes domains in mixed mode, responsible for password changes, synchronizes time
o Place in a location with the greatest number of down-level clients
• Schema Master
o One per forest
o Controls the Schema

The FSMO roles must be operational in the forest/domain in order for the network to function properly. Some of the roles can be down for a brief period of time without impacting the network. A way to memorize the roles is DRIPS.


Domain Naming Master - There is only one per forest and it is in charge of the domain names. It is in the forest root, on the first domain controller in the forest. It maintains the list of domain names, makes sure all new domains have a unique name, and must be available when domains are removed from the forest. In the process of installing Active Directory to become a new domain, the Domain Naming Master is checked to verify the domain name.

RID Master - A SID is a combination of the domain number and a RID (relative identifier) that is assigned to all security objects in a domain. RID Master is a domain role and there is one per domain. The RID Master is in charge of distributing the RIDs to the other domain controllers in the domain. Since each DC can create objects, they all must have RIDs available. If there is no RID, there is no object. RIDs are distributed in groups of 500. When a DC gets down to 200 in cache, it will query the RID Master for more. If the RID Master is going to be down, the role must be transferred to another DC or object creation will eventually fail.

Infrastructure Master - The Infrastructure Master is in charge of tracking objects and their movement between domains. It keeps track as objects are moved and is responsible for updating any associations. When an object moves, it maintains its GUID but the SID will change to reflect the new domain. The Infrastructure Master must not be on the same DC as a Global Catalog if there is more than one domain in the forest. Since the Global Catalog records object movement, the Infrastructure Master does not know how to function with a GC, so it will do nothing. In that case, the associations will not be updated properly and objects can't be located properly by the DCs in the misconfigured domain.

PDC Emulator - The PDC Emulator is a domain role and there is only one per domain. It is responsible for several different things. If in Domain Functional Level 2000 and there are BDCs in the domain, it will be the 'go between' for Active Directory and the NT BDC. It will coordinate replication of system policies, scripts and other information to the NT BDC. Place the PDC Emulator in the site where the largest number of NT clients are located. In both NT and 2008, it is responsible for password changes. If a password is changed, it knows it second. The DC first contacted during a password change records the change locally, then replicates it to the PDC Emulator. When a user logs on right after a password has been changed, there may be a delay if replication has not yet informed all the other DCs of the password change. All DCs will check with the PDC Emulator before generating a negative password message for a logon request.


It is also the time keeper. Many of the features of Active Directory are dependent on time. Time synchronization problems are most significant for Kerberos, which requires timestamps to be within five minutes of each other. All times in Windows 2X are maintained relative to GMT. This means a replica domain controller in the Pacific Time Zone will be fine replicating AD contents with a DC in the Eastern Time Zone as long as their clocks display a time difference of three hours. All Windows 2X systems in a domain synchronize their clock with the PDC Emulator. If a DC has the wrong time zone or time, it will have difficulties with replication and will not be able to uninstall Active Directory: a time synchronization error will be generated and the process will fail.

Schema Master - This is a forest-wide role and there is only one in the forest. It is held by the first domain controller in the forest and can be relocated to any DC in the forest root only. It is responsible for all changes to the Schema. The Schema Master holds the only writable copy of the schema partition.


Moving FSMO roles
• Transfer Role
o Planned maintenance
o Known that the server is going to be shut down
o AD Users & Computers for domain roles
o AD Domains & Trusts - Domain Naming Master
o AD Schema snap-in - Schema Master
• Seize Role
o Catastrophic shutdown
o Not planned / no warning
o Use NTDSUTIL
o Reformat server before bringing back: Domain Naming Master, Schema Master, RID Master

The FSMO roles must be available in the forest/domain as much as possible. When a role is not going to be available or becomes unavailable unexpectedly, the roles can be transferred or seized.

Transfer Role when maintenance is planned or it is known in advance that the server will be unavailable. Transferring the role ensures the role will be available without any interruption. To transfer the three domain roles, go to AD Users & Computers, either on the DC that the role is being transferred to or by connecting to the server remotely: right-click the domain name and select Connect to Domain Controller. The Domain Controllers in the domain will be displayed; select the one that will be receiving the role and connect to it. Once connected, right-click the domain again and select Operations Masters. The window will have 3 tabs, one for each domain role. It will display the current DC assigned the role, and the DC that you are connected to will be displayed in the bottom area. Select the Change button to transfer the role. The same process is used to transfer the Domain Naming Master in AD Domains & Trusts and the Schema Master in the Schema snap-in. Make sure that you are connected to the DC that will be obtaining the role. If the Schema snap-in is not available in the MMC console, from a cmd prompt run regsvr32 schmmgmt.dll to register the schema snap-in.


Seize the role when the server has catastrophically failed or has gone down without having any roles transferred. Some of the roles may not be missed right away, but if the server is down for a longer time, it can cause a major impact in the environment. Losing the Schema Master or Domain Naming Master would not be a major impact unless domains were planned to be added or removed or schema changes were planned. In order to seize a role, NTDSUTIL must be used from a command prompt. Seizing a role should not be done unless it is absolutely necessary. Normally, the only role whose loss causes a major impact is the PDC Emulator. It is normally best to allow time to recover the server, but if you must bring the roles back up as quickly as possible, then you will have to seize them. The steps to seize a role are:
• From a command prompt, type: NTDSUtil
• At the NTDSUtil command prompt, type: roles
• At the fsmo maintenance command prompt, type: connections
• At the server connections command prompt, type: connect to server servername
• At the server connections command prompt, type: quit
• At the fsmo maintenance command prompt, type: seize name of fsmo role
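The transfer and seize procedures above use the MMC snap-ins and NTDSUTIL. As an added example that is not part of the course notes, the same two operations in PowerShell; it assumes the ActiveDirectory module (RSAT, shipped from Windows Server 2008 R2 onward, so newer than the 2008 release the notes cover), Domain or Enterprise Admin rights, and a placeholder DC name.

```powershell
# Added example (not from the course notes). Assumes the ActiveDirectory PowerShell module (RSAT)
# and Domain/Enterprise Admin rights. "DC02" is a placeholder for the DC receiving the role.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Forest-wide roles are properties of the forest object, domain roles of the domain object.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [Parameter(Mandatory)]
        [ValidateSet('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster')]
        [string[]]$Role,
        # Seize (-Force) only when the current holder is gone for good. As the notes say, a seized
        # Schema Master, Domain Naming Master or RID Master must never be allowed back on the network
        # without a rebuild.
        [switch]$Seize
    )
    # -Identity is the DC that will receive the role, matching "connect to the DC that will obtain the role".
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role `
        -Force:([bool]$Seize) -Confirm:$false
}

# Planned maintenance: transfer the three domain roles.
#   Move-FsmoRole -TargetDC 'DC02' -Role PDCEmulator,RIDMaster,InfrastructureMaster
# Catastrophic loss of the holder: seize the PDC Emulator (the role whose absence hurts first).
#   Move-FsmoRole -TargetDC 'DC02' -Role PDCEmulator -Seize

# Always confirm afterwards where each role now lives.
Get-FsmoHolders
```

The cmdlet first attempts a clean transfer and only falls back to a seizure when -Force is given, so the same function covers both columns of the slide; the recovery rules in the next section still apply to whichever server used to hold a seized role.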

Recover Roles
The best thing is to not seize the role and simply bring the server back up when it is repaired. If a role has been seized, care must be taken in handling the servers that held the original roles. For the Infrastructure Master and PDC Emulator roles, the servers can be brought back online and the role transferred back to the DC. Servers that held the Domain Naming Master, Schema Master and RID Master roles cannot be brought back online as they are. They should be taken off the network and reformatted, followed by a fresh install. If the AD database and log files are on other volumes, they will not impact the network, but the operating system must be totally blown away and reinstalled. If such a server were put back online in its previous state, it would forcibly take back the role and there would then be two holders of each role in the forest/domain. This could have catastrophic results in the network.


Directory Partitions
Active Directory contains a lot of different information regarding its own directory and the forest. This information is contained in, and replicated by, very specific partitions. Active Directory contains 4 partitions:
• Schema Partition – Schema information replicated to all DCs in the forest.
  o Contains a copy of the Active Directory Schema for a forest.
• Configuration Partition – Forest, tree, and site configurations replicated to all DCs in the forest.
  o Contains information about Active Directory sites and services.
• Domain Partition – Domain data replicated by FRS to all DCs of the same domain.
  o Contains all objects associated with a particular domain.
• Application Directory Partition – Data from applications, files/folders replicated to participating DCs.
  o Stores data related to Active Directory-integrated applications and services. Replicates to specified domain controllers in the domain/forest. Only Windows Server 2003/2008 Domain Controllers can have Application Directory partitions.

Application Directory Partitions
Application Directory Partitions are used to replicate information to specific Windows Server 2008 domain controllers. Without Application Directory Partitions, any information that is replicated through Active Directory is replicated to all domain controllers, whether they actually use it or not. Application Directory Partitions cut down network traffic by replicating only to the domain controllers specified, while still allowing applications that require LDAP to use the data. Any type of object, including files/folders, can be in an Application Directory Partition except Security Principals (users, groups, and computers). Application Directory Partitions are replicated through the domain partition to all domain controllers. To create Application Directory Partitions, use NTDSUTIL. Some applications create their own partition or have their own utilities to create them. Below are the steps to create an Application Directory Partition through NTDSUTIL.

Creating or Deleting an Application Directory Partition
1. From the Command Prompt, type NTDSUtil
2. At the NTDSUtil prompt, type domain management
3. At the domain management prompt, type the appropriate command based on the task you would like to complete:
   * To create a partition: create nc application-directory-partition DomainController, where application-directory-partition is the distinguished name of the partition and DomainController is the DNS name of the domain controller
   * To delete a partition: delete nc application-directory-partition, where application-directory-partition is the distinguished name of the partition
4. To create/remove a replica of an Application Directory Partition, use the same commands as above but use add instead of create, and remove instead of delete.

When removing AD from a DC or deleting a partition, all data in that replica will be lost. If it is the last DC holding the partition, move the partition first or everything in it will be lost.
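The last warning above, that a partition held by a single DC disappears with that DC, is worth checking for regularly. The following is an added example, not from the course notes: it lists each application directory partition and the DCs holding a replica, by reading the crossRef objects under CN=Partitions in the configuration partition. It assumes the ActiveDirectory module (RSAT) and a reachable DC.

```powershell
# Added example (not from the course notes). Assumes the ActiveDirectory module (RSAT) and a reachable DC.
# Lists application directory partitions and the DCs that replicate each one; ntdsutil shows the same
# information one partition at a time.
Import-Module ActiveDirectory

function Get-ApplicationPartitionReplicas {
    $rootDse = Get-ADRootDSE
    # Every naming context that is not the domain, configuration or schema partition is an application
    # directory partition (DomainDnsZones and ForestDnsZones are the usual built-in ones).
    $builtIn = @($rootDse.defaultNamingContext, $rootDse.configurationNamingContext, $rootDse.schemaNamingContext)
    $appNcs  = $rootDse.namingContexts | Where-Object { $builtIn -notcontains $_ }

    foreach ($nc in $appNcs) {
        # Each partition has a crossRef object under CN=Partitions; msDS-NC-Replica-Locations holds the
        # NTDS Settings DN of every DC that is a replica of the partition.
        $crossRef = Get-ADObject -SearchBase "CN=Partitions,$($rootDse.configurationNamingContext)" `
                                 -Filter "nCName -eq '$nc'" -Properties 'msDS-NC-Replica-Locations'
        $replicas = @($crossRef.'msDS-NC-Replica-Locations')
        [pscustomobject]@{
            Partition    = $nc
            # "CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,..." -> <server>
            ReplicaDCs   = @($replicas | ForEach-Object { (($_ -split ',')[1]) -replace '^CN=', '' })
            ReplicaCount = $replicas.Count
        }
    }
}

$report = Get-ApplicationPartitionReplicas
$report | Format-Table -AutoSize

# A single-replica partition is lost if that one DC is demoted or rebuilt: surface those separately.
$report | Where-Object { $_.ReplicaCount -lt 2 } |
    ForEach-Object { Write-Warning "Partition $($_.Partition) has only one replica ($($_.ReplicaDCs -join ','))" }
```

Run this before demoting a DC or seizing roles away from one; any partition it reports with one replica is the case where the notes say to move the partition first.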


The Global Catalog
Though not actually considered one of the Directory Partitions, the Global Catalog is a subset of all attributes of all objects in the Active Directory forest. It replicates to all domain controllers configured as Global Catalog servers in the same forest. Data stored in an Application Directory Partition is not replicated to the Global Catalog; however, a domain controller that is a Global Catalog server can also hold an Application Directory Partition. The Global Catalog is a configurable partial replica of every object in the forest, based upon the attributes most frequently used in Active Directory searches.
• One Global Catalog is created by default for the entire forest, on the first DC of the forest (all domain directory partitions are included).
• At least 2 GCs should be created to provide fault tolerance.
• Additional GCs can be configured for performance improvements.
• A GC is enabled through AD Sites & Services > Site Name > Server Name > NTDS Settings > Properties.
• Logons require the DC to query a GC to determine universal group memberships. If universal groups are not used, it is possible to edit the registry to disable the GC requirement for authentication: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\IgnoreGCFailures

By default, only one Global Catalog is created, and it is located on the first domain controller in the Forest Root. To provide fault tolerance and load balancing, it is recommended to always have at least two global catalogs. If more than one site is in the network, it is best practice to have a Global Catalog in each site. For domains at all domain functional levels, the GC is used for forest-wide LDAP queries: any object in the forest can be found. For domains at functional level Windows 2000 Native, Windows Server 2003, or Windows Server 2008, Universal Security Group SIDs must be retrieved during logon. These SIDs can be retrieved from a Global Catalog server or from a Windows Server 2008 DC that is caching Universal Group memberships.
The Global Catalog in Windows 2003/2008 does not replicate the entire catalog every time a schema change is made, unlike Windows 2000. Global Catalog DCs assist other domain controllers in authenticating logon requests that use the User Principal Name (UPN). If there are remote sites, having a Global Catalog in the site will expedite the authentication process.


There are several factors that should be considered when determining which sites should have a replica of the Global Catalog. If a site has more than 100 users, it would be best to have a Global Catalog in the site. If there are fewer than 100, Universal Group Membership Caching will cover the authentication needs. If directory-aware applications, such as Exchange 2000/2003/2007, are being used in a site, a Global Catalog in the site is required; the application queries the Global Catalog port, 3268. Another consideration is the roaming users in the network. The transitive nature of the trusts and the ability to log in from anywhere in the forest create a greater need for a Global Catalog in each site. When a roaming user logs on from another domain, the request queries the Global Catalog to locate the user account's domain and directs the authentication process to that domain. Having the Global Catalog in the site makes the authentication process happen a lot faster. WAN link availability is the last item to consider. If the WAN link is available 100% of the time for Active Directory traffic, one Global Catalog shared between two sites is possible. If there is a concern over WAN connectivity and it is not reliable, having a Global Catalog in each site ensures that authentication will happen even if the WAN link is down. The Global Catalog is configured in Active Directory Sites and Services, in the NTDS Settings of the server. Additional GCs should be enabled based upon:
• Number of users in the site (>100)
• Existence of an AD-aware application that reads the global catalog
• WAN link availability

Universal Group Membership Caching
Enabling UGMC for a site without a GC improves logon performance without adding the overhead of GC replication across the wide area network (WAN) links.
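To apply the placement rules from the two sections above to a real forest you need, per site, whether a GC is present and actually answering on port 3268, and, where none is, whether UGMC is switched on. The script below is an added example, not from the course notes; it assumes the ActiveDirectory module (RSAT) and reads the UGMC flag from the options attribute of each site's NTDS Site Settings object (bit 0x20).

```powershell
# Added example (not from the course notes). Assumes the ActiveDirectory module (RSAT).
# Per site: GC count, GCs answering on TCP 3268 (the port directory-aware applications query),
# and whether Universal Group Membership Caching is enabled when the site has no GC.
Import-Module ActiveDirectory

# Bit in the "options" attribute of an NTDS Site Settings object that enables UGMC.
$UgmcOptionBit = 0x20

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

function Get-SiteGlobalCatalogStatus {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    # Get-ADDomainController lists the current domain's DCs; repeat with -Server per domain for a multi-domain forest.
    $dcs   = Get-ADDomainController -Filter * | Select-Object Name, Site, IsGlobalCatalog, HostName
    $sites = Get-ADObject -LDAPFilter '(objectClass=site)' -SearchBase "CN=Sites,$configNc" -SearchScope OneLevel

    foreach ($site in $sites) {
        $gcs       = @($dcs | Where-Object { $_.Site -eq $site.Name -and $_.IsGlobalCatalog })
        $answering = @($gcs | Where-Object { Test-TcpPort -ComputerName $_.HostName -Port 3268 })
        $settings  = Get-ADObject -Identity "CN=NTDS Site Settings,$($site.DistinguishedName)" -Properties options
        $ugmc      = ((($settings.options -as [int]) -band $UgmcOptionBit) -ne 0)
        [pscustomobject]@{
            Site              = $site.Name
            GlobalCatalogs    = $gcs.Count
            GCsOnPort3268     = $answering.Count
            UgmcEnabled       = $ugmc
            # Logons needing universal-group SIDs cross the WAN when a site has neither a GC nor UGMC.
            LogonDependsOnWan = ($gcs.Count -eq 0 -and -not $ugmc)
        }
    }
}

Get-SiteGlobalCatalogStatus | Format-Table -AutoSize
```

A site that reports a GC but zero on port 3268 is the case the notes warn about for Exchange: the flag is set in NTDS Settings, but applications querying 3268 still fail, and logons fall back to the WAN.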


Managing UPN Suffixes
• Protects domain name
• Cross-forest authentication
• Align with existing email account for easier user access
• Create in AD Domains and Trusts
• Stored in GC
• Select for User in user's account
• Logon window: Use UPN & password only
The UPN suffixes are created in Active Directory Domains and Trusts.

User Principal Name (UPN) suffixes are used for several reasons. They provide a method of using alternative logon names in order to protect the domain name space: instead of using the domain name to log in, the user provides the UPN suffix that has been configured for their user account. Multiple UPN suffixes can be created and are available throughout the forest. When authenticating across a forest trust, the UPN suffix is used to identify the user. The Global Catalog is contacted to resolve the user logon; the UPN suffix, the username and the domain the user is a member of are identified and the authentication is sent to an appropriate domain controller. UPNs can also be used for cross-domain authentication in the same forest. UPN authentication passes across a transitive trust and uses Kerberos across the trust. When authenticating across an External Trust, only the pre-Windows 2000 logon name can be used; the trust is not transitive and so it uses NTLMv2 to pass the authentication. Using a UPN suffix also allows users to use their email address as their logon name, even if the suffix portion is different from the domain name. This is user friendly but also provides a way to protect the domain name, by using a different suffix than the domain name for the email accounts.

Creating and Managing UPNs
UPN suffixes are created in Active Directory Domains and Trusts. Select Active Directory Domains and Trusts at the top left, right-click and select Properties. Add the UPN suffixes desired. In the user account, select the Account tab and use the drop-down menu to select the UPN suffix to use with the user's logon name. When using the UPN to log in, the username is followed by the @ sign and then the UPN suffix. The user is only required to provide the UPN and password; the Log on to drop-down box is not available once the @ sign is keyed into the username textbox. A User Principal Name is used to simplify the login process and also provides a method of securing the domain name by creating a UPN suffix different from the domain name.


When authenticating across a Forest Trust, UPN conflicts can occur. In the process of creating the Forest Trust, the UPN suffixes available in each forest are checked, and if a conflict is detected the wizard will warn of the pending conflict.
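The wizard's conflict check can be reproduced ahead of time, which helps when two companies plan a forest trust and neither side can yet see the other's forest. The following is an added example, not from the course notes: an offline comparison of two forests' suffix lists (constructed here, with fabrikam.com from the notes and contoso.com as a placeholder) plus the split of a UPN into the user and the suffix the Global Catalog routes on. The live cmdlets named in the comments are part of the ActiveDirectory module (RSAT).

```powershell
# Added example (not from the course notes). Offline version of the UPN-suffix collision check that
# the New Trust Wizard performs, with constructed suffix lists for two forests.
function Test-UpnSuffixConflict {
    param(
        [Parameter(Mandatory)][string[]]$LocalForestSuffixes,
        [Parameter(Mandatory)][string[]]$PartnerForestSuffixes
    )
    # Suffixes are DNS names, so compare case-insensitively.
    $local   = $LocalForestSuffixes   | ForEach-Object { $_.ToLowerInvariant() }
    $partner = $PartnerForestSuffixes | ForEach-Object { $_.ToLowerInvariant() }
    # Each list must also contain the forest's domain DNS names: every domain name is an implicit UPN suffix.
    $conflicts = @($local | Where-Object { $partner -contains $_ })
    [pscustomobject]@{
        Conflicts = $conflicts
        # A user under a duplicated suffix cannot be routed to one forest, so their cross-forest logon fails.
        CrossForestLogonSafe = ($conflicts.Count -eq 0)
    }
}

function Split-Upn {
    param([Parameter(Mandatory)][string]$Upn)
    # Logon routing keys on the text after the last '@'; the GC maps that suffix to the user's domain.
    $at = $Upn.LastIndexOf('@')
    if ($at -lt 1 -or $at -eq $Upn.Length - 1) { throw "Not a UPN: $Upn" }
    [pscustomobject]@{
        User   = $Upn.Substring(0, $at)
        Suffix = $Upn.Substring($at + 1).ToLowerInvariant()
    }
}

# Constructed forests (placeholder names): forest A owns fabrikam.com; forest B has also registered
# fabrikam.com as an alternate suffix, which is exactly what the wizard flags.
$forestA = 'fabrikam.com', 'training.fabrikam.com', 'mail.fabrikam.com'
$forestB = 'contoso.com', 'fabrikam.com'
Test-UpnSuffixConflict -LocalForestSuffixes $forestA -PartnerForestSuffixes $forestB

Split-Upn 'tom@mail.fabrikam.com'

# Live data for a real forest (ActiveDirectory module, RSAT):
#   alternate suffixes:  (Get-ADForest).UPNSuffixes
#   domain names:        (Get-ADForest).Domains
#   add a suffix:        Set-ADForest -UPNSuffixes @{Add='mail.fabrikam.com'}
```

Resolve any suffix the check reports before building the trust: a duplicated suffix is not a warning you can accept, since, as the notes say, users under it simply cannot authenticate across the forest trust.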


Trust Types in Windows Server 2008
A trust is the administrative connection between domains that allows cross-domain authentication to pass across that connection. When Active Directory domains are created in a forest, several types of trusts are created automatically, and others can be created manually. In Windows NT, all trusts had to be created manually. Within Windows Server 2000/2003/2008 forests, the trusts are created automatically and are transitive. Transitive means that if Tom logs on with a domain controller in training.fabrikam.com, then he can potentially access file shares in research.fabrikam.com, elabs.corp, and dev.elabs.corp even though his domain does not have a direct trust relationship with those domains. The principle of the trust is that the Resource trusts the User. When depicting a trust, the arrow always points from the resource to the user. Remember that the ArrowHEAD points to trustED; "Ed" would be our user in this mnemonic. Another thing to remember is that the directions of the arrows reflect their description as Incoming and Outgoing: Ed sees an Incoming trust, the resource sees it as an Outgoing trust.

Tree-Root Trust
This trust is automatically created between the tree root domain and the forest root domain. These trusts are two-way and transitive.

Parent-Child Trust
This trust is automatically created between the child and parent domains. These trusts are two-way and transitive.

Shortcut Trust
A Shortcut Trust is a one-way, transitive trust between two domains of the same forest. It speeds authentication and resource access between different domains in the same forest. This trust is manually created between two domains in the same forest. These trusts are one-way and transitive.

External trust
Manually created between AD domains in different forests, or between Windows Server 2008 and a Windows NT 4.0 domain - one-way or two-way, non-transitive.


The external trust is one-way or two-way and is non-transitive. It is created between specific domains, and those domains are the only ones that have the trust relationship. External trusts are created between domains in different AD forests. If one forest is a Windows 2000 forest or an NT domain, it must connect via an external trust. An External Trust must also be used between two Windows Server 2008 forests unless they are both functioning at least at the Windows Server 2003 forest functional level. You must be a member of Enterprise Admins, or have the appropriate delegated authority, in order to create an External trust. A trust is essentially a managed breach of the forest's security boundary. External Trusts are created between domains and are non-transitive. An external trust permits access to resources only; permissions must be applied to the resource in order for access to occur. For a manual trust, the Resource trusts the User (the arrow points to the user). External trusts are created with the New Trust Wizard. The wizard detects whether the domains are at the proper functional level and will automatically default to an external trust. If both forests are at Forest Functional Level Windows Server 2003, the option will be given to create either an External trust or a Forest trust. An external trust is required for migrations with the Active Directory Migration Tool (ADMT).

Forest trust
Manually created between forest root domains in two separate forests – one-way or two-way, transitive. Forest trusts are created between the root domains of two separate forests. The forests must be set to at least the Forest Functional Level of Windows Server 2003. It can be a one-way or two-way trust. If it is a two-way trust, it allows both authentication and access to resources (as long as permissions allow) in either forest. Forest trusts are transitive between the two forests only: if forestA trusts forestB, and forestB trusts forestC, that does not mean that forestA trusts forestC. Some of the benefits of a Forest Trust are that fewer external trusts are needed to share resources across forests, UPN authentication can be used across the two forests, and administrators have more flexibility because administrative effort can be shared between the two trusting forests. To create a Forest trust, the user must be a member of Enterprise Admins, or have delegated authority, in both forests.


Unless two forests are at the Windows Server 2003 forest functional level, they can only be connected by External trusts. This means that if a two-domain forest were connected via trusts to a three-domain forest, and you wanted to add global groups from any domain to local groups in any other domain, a total of 12 external trusts would have to be established. Given the same scenario with the two forests at the Windows Server 2003 Forest Functional Level, a single two-way forest trust could be configured between the forest root domains. This is a huge advantage of Windows Server 2003 forests, especially if two companies using them were merging. Forest trusts are transitive and are created between forests that are at Forest Functional Level Windows Server 2003 or 2008. The trust is created between the Forest Roots and is valid for only those two forests. The forest trust can be used for cross-forest authentication using the UPN suffix and the Global Catalog in each forest. During the creation of the Forest trust, UPN suffixes are checked in both forests for duplication, and a warning is given if duplicates exist. If both forests use the same UPN suffix, a user trying to authenticate across the forest trust will not be successful. Access to resources is provided either as Forest-wide access or Selective access. With Selective trusts, users are granted access to specific servers only, through the ACL of the server's AD object. Create Forest trusts using the New Trust Wizard. Both the Incoming and Outgoing trusts can be created at the same time: if the administrator has administrative rights in both forests, both ends of the trust can be created at once; if not, the trust must be configured in both forests. When planning user access to resources across a forest trust, the Global group that the user belongs to should be placed in a Universal group, which is then placed in the Domain Local group where the resource is located.
Since the Universal group is located in the Global Catalog of the forest, access across the forest is expedited. The Global Catalog in both forests is queried for access to resources and for authentication.

Realm trust
Manually created between a non-Windows Kerberos realm and a Windows Server 2003/2008 Active Directory domain - can be transitive or non-transitive, one-way or two-way. A reason to create a Realm trust would be to allow Active Directory users access to resources in a UNIX environment without requiring them to authenticate separately. It could also be used to give those in the UNIX Kerberos environment access to resources in a Windows Server 2003/2008 AD domain.


Members of the Enterprise Admins group in the Windows Server 2008 domain, or someone who has the appropriate delegated privileges, can create a Realm trust. The individual creating the trust must also have the appropriate administrative privileges in the target Kerberos realm. The trust can be transitive or non-transitive, one-way or two-way.
• External Trusts
  o Non-transitive
  o Access to resources only
  o Domain-to-Domain
  o Resource Trusts User
  o Create using Trust Wizard in AD Domains and Trusts
• Forest Trusts
  o Transitive within the two forests
  o Authentication and access to resources
  o Authentication uses UPN suffix
  o Use Global/Universal/Domain Local groups for access to resources
  o Must be Forest Functional Level Windows Server 2003 to support Forest Trusts
  o Create using Trust Wizard
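The transitivity rules summarised above (intra-forest trusts chain, a forest trust reaches every domain of the other forest but never a third forest, an external trust joins exactly two domains) decide which domain controllers will ever authenticate a given user. The following PowerShell is an added example, not part of the course notes: it models those rules over a constructed trust table, using the fabrikam/elabs domains from the Tom example plus placeholder third-party domains, and lists the domains where a user from a given domain can be authenticated.

```powershell
# Added example (not from the course notes). Offline model of trust transitivity. Trust rows are
# written from the resource (trusting) side to the user (trusted) side: the arrowhead points at "Ed".
# Domain and forest names are constructed; fabrikam/elabs follow the course's Tom example.

# Domain -> forest. Every domain in one forest is joined by two-way transitive trusts.
$ForestOf = @{
    'fabrikam.com'          = 'fabrikam.com'
    'training.fabrikam.com' = 'fabrikam.com'
    'research.fabrikam.com' = 'fabrikam.com'
    'elabs.corp'            = 'elabs.corp'
    'dev.elabs.corp'        = 'elabs.corp'
    'contoso.example'       = 'contoso.example'   # placeholder third forest
    'nt4legacy'             = 'nt4legacy'         # placeholder NT 4.0 domain (external trust only)
}

# Manually created trusts. A two-way trust is two rows. Forest trusts join the forest roots.
$Trusts = @(
    @{ Type = 'Forest';   Trusting = 'elabs.corp';      Trusted = 'fabrikam.com' }
    @{ Type = 'Forest';   Trusting = 'fabrikam.com';    Trusted = 'elabs.corp' }
    @{ Type = 'Forest';   Trusting = 'contoso.example'; Trusted = 'elabs.corp' }
    @{ Type = 'External'; Trusting = 'dev.elabs.corp';  Trusted = 'nt4legacy' }
)

function Get-AuthenticatingDomains {
    # Domains whose resources can authenticate a user whose account lives in $UserDomain.
    param([Parameter(Mandatory)][string]$UserDomain)
    $userForest = $ForestOf[$UserDomain]
    $result = New-Object 'System.Collections.Generic.HashSet[string]'

    # Rule 1: intra-forest trusts are two-way and transitive, so the whole home forest qualifies.
    foreach ($d in $ForestOf.Keys) {
        if ($ForestOf[$d] -eq $userForest) { [void]$result.Add($d) }
    }

    foreach ($t in $Trusts) {
        switch ($t.Type) {
            'Forest' {
                # Rule 2: one hop only. The trusting forest's domains qualify when the trusted forest
                # is the user's own; a forest that merely trusts elabs.corp gains nothing for fabrikam users.
                if ($ForestOf[$t.Trusted] -eq $userForest) {
                    foreach ($d in $ForestOf.Keys) {
                        if ($ForestOf[$d] -eq $ForestOf[$t.Trusting]) { [void]$result.Add($d) }
                    }
                }
            }
            'External' {
                # Rule 3: exactly the two named domains; neither side's forest is involved.
                if ($t.Trusted -eq $UserDomain) { [void]$result.Add($t.Trusting) }
            }
        }
    }
    $result | Sort-Object
}

Get-AuthenticatingDomains -UserDomain 'training.fabrikam.com'   # Tom's case from the notes
Get-AuthenticatingDomains -UserDomain 'nt4legacy'               # a user from the NT 4.0 domain
```

Running the two calls shows why the notes stress "transitive between two forests only": Tom reaches every elabs.corp domain through the forest trust but never contoso.example, and the NT 4.0 user is authenticated only by dev.elabs.corp, not by its parent or by the forest that trusts elabs.corp.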


Managing Trusts
Trusts are managed through Active Directory Domains and Trusts. To display the trusts that are in place, access the Properties of the root domain. On the Trusts tab, the trusts that are currently in effect are displayed, with the domain name, trust type and transitive state listed. The top pane shows domains that this domain trusts (outgoing), and the bottom pane shows domains that trust this domain (incoming). The Incoming trust is created by the administrator in the domain where the users are located; it is the trusted domain. The Outgoing trust is created in the domain where the resource is located, which is called the trusting domain. When a single administrator creates the complete trust, they create both the Incoming and Outgoing trusts. To create a manual trust, select the New Trust button at the bottom of the window; the New Trust Wizard will be launched. Windows Server 2003 added flexibility to trusts, offering "wide" and "selective" options. If two companies needed to work on a project together, their domains could be joined using a selective trust, limiting access between the companies to only the shared resources needed for the project. With a Forest trust, the choices are a little different. Since the trust is transitive for the entire forest, the selection is between forest-wide authentication and selective authentication. With forest-wide authentication, the user can access any resource in the forest for which they have appropriate permissions. With selective authentication, the server must grant the Allowed to Authenticate permission in order for the user/group to access the server, and then the level of access is determined by the share and NTFS permissions. Forest trusts between partner companies can be configured with different authentication methods for better control of resource access.

Access Resources using External/Forest Trusts
A user connecting to a remote server to gain access to a resource must present their credentials to the server in order to prove authentication. Once the credentials have been verified, access to the resource is granted. This verification of credentials generates an entry in the server's Security Log if someone has enabled "Audit logon events" for that server. This is no different when accessing resources across a forest trust. When the forest trust is configured, both incoming and outgoing trusts are configured (access authentication can be configured differently for each) and the access authentication is selected. The level of access to the resource is still dictated by the Share and NTFS permissions that have been placed on the resource. The choices depend on the type of trust being configured.


An External trust offers Domain-wide authentication and Selective authentication as choices. If Domain-wide is selected, users can access all resources in the domain that they have permission to access. With Selective, the particular server that is going to be accessed must have the Allowed to Authenticate permission set for the user/group in order for them to gain access to the server. Access to the resource itself is controlled with Share/NTFS permissions.

Selective-authentication
Servers must be manually configured with the Allowed to Authenticate permission for users in the trusted domain. The permission is configured on the ACL of the server's computer object in ADUC, and access is then set on the specific resource.


Read-Only Domain Controllers
For some environments, the most significant feature of AD DS in Windows Server 2008 is the Read-Only Domain Controller (RODC), which allows you to easily deploy a domain controller that hosts a read-only replica of the domain database. This is well suited for locations where physical security of the domain controller can't be guaranteed, or where other applications must run on the domain controller and be maintained by a server administrator (who, ideally, is not a member of the Domain Admins group). Both of these scenarios are common in branch office deployments. A read-only domain controller is installed by simply enabling one checkbox in the Installation Wizard.
Before the release of Windows Server 2008, if users had to authenticate with a domain controller in a different location, the traffic had to cross a wide-area network (WAN) link. WAN links are often slower and more expensive than local area network (LAN) connections, and sometimes are more susceptible to service disruption. One possible solution was to deploy a DC into the remote site or branch office. However, this introduced other problems, including replication traffic and the need to maintain physical security over the DC in the branch office, something that is all too often lacking in small and remote branch sites. In other cases, branch offices have poor network bandwidth to the hub site, increasing the amount of time required to log on. With the exception of account passwords (unless specifically configured otherwise), an RODC holds all Active Directory Domain Services objects and attributes that a writable domain controller holds. However, locally originating changes cannot be made to the replica stored on the RODC. Instead, changes are made on a writable domain controller and replicated back to the RODC. This prevents changes made at branch locations from potentially polluting or corrupting the forest via replication, thus eliminating one avenue of attack.
Local applications that request read access to the domain directory information can obtain it directly from the RODC, while Lightweight Directory Access Protocol (LDAP) applications that request write access receive an LDAP referral response. This referral directs them to a writable domain controller, normally in a hub site. Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly, writable domain controllers that are replication partners do not have to pull changes from the RODC. This reduces the workload of bridgehead servers in the hub and the effort required to monitor replication. RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication. The RODC performs normal inbound replication for AD DS and DFS Replication changes.


In the domain database, each security principal has a set of approximately 10 passwords or secrets, called credentials. An RODC does not store user or computer credentials, except for its own computer account and a special "krbtgt" account (the account that is used for Kerberos authentication) for each RODC. The RODC is advertised as the Key Distribution Center (KDC) for its site (usually the branch office). When the RODC signs or encrypts a ticket-granting ticket (TGT) request, it uses a different krbtgt account and password than the KDC on a writable domain controller. The first time an account attempts to authenticate to an RODC, the RODC sends the request to a writable domain controller at the hub site. If the authentication is successful, the RODC also requests a copy of the appropriate credentials. The writable domain controller recognizes that the request is coming from an RODC and consults the Password Replication Policy that is in effect for that RODC. The Password Replication Policy determines whether the credentials are allowed to be replicated to and stored on the RODC. If so, a writable domain controller sends the credentials to the RODC, and the RODC caches them. After the credentials are cached on the RODC, the next time that user attempts to log on the request can be serviced directly by the RODC, until the credentials change. When a ticket is signed with the RODC's own krbtgt account, the RODC recognizes that it has a cached copy of the credentials. If another DC has signed the TGT, the RODC forwards the request to a writable domain controller. By limiting credential caching to users who have actually authenticated to the RODC, the potential exposure of credentials through a compromise of the RODC is also limited. By default, no user passwords are cached on an RODC, but that is not necessarily the most efficient scenario.
Normally, only a few domain users need to have credentials cached on any given RODC, compared with the total number of users in a domain. You can use the Password Replication Policy to specify which groups of users can even be considered for caching. For example, by limiting RODC caching to users who are frequently at that branch office, or by preventing the caching of high-value credentials such as administrators, you can reduce the potential exposure. Thus, in the event that the RODC is stolen or otherwise compromised, only those credentials that have been cached need to be reset.

Password Replication on RODCs
When you initially deploy an RODC, you must configure the Password Replication Policy on the writable domain controller that will be its replication partner. The Password Replication Policy acts as an access control list (ACL): it determines whether an RODC should be permitted to cache a password. After the RODC receives an authenticated user or computer logon request, it refers to the Password Replication Policy to determine whether the password for the account should be cached. The same account can then perform subsequent logons more efficiently.


The Password Replication Policy lists the accounts that are permitted to be cached and the accounts that are explicitly denied from being cached. The list of user and computer accounts that are permitted to be cached does not imply that the RODC has necessarily cached the passwords for those accounts. An administrator can, for example, specify in advance accounts that an RODC will cache; this way, the RODC can authenticate those accounts even if the WAN link to the hub site is offline.
Prerequisites for setting up an RODC
• The PDC Emulator of the domain must be Windows Server 2008
• Domain Functional Level must be Windows Server 2003
• Adprep /rodcprep must be run
• The RODC must be able to replicate with a 2008 DC for the initial sync
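The allow/deny evaluation that the writable DC performs is the part of the Password Replication Policy most worth understanding before choosing group memberships, since one explicit Deny hit anywhere in the account's memberships overrides every Allow. The following is an added example, not from the course notes: an offline model of that decision over a constructed PRP and constructed group memberships, with the live cmdlets (ActiveDirectory module, RSAT; RODC name is a placeholder) named in the trailing comments.

```powershell
# Added example (not from the course notes). Offline model of how a writable DC evaluates an RODC's
# Password Replication Policy: an explicit Deny wins over Allow, and an account is cacheable only if it,
# or a group it belongs to, is on the Allowed list. All names and memberships below are constructed.

# Constructed PRP for one RODC. The Allowed/Denied group names and the four built-in operator groups
# reflect the default policy that an RODC starts with; "Branch-Springfield Users" is a placeholder.
$Prp = @{
    Allowed = @('Allowed RODC Password Replication Group', 'Branch-Springfield Users')
    Denied  = @('Denied RODC Password Replication Group', 'Administrators', 'Account Operators',
                'Backup Operators', 'Server Operators')
}

# Constructed effective memberships, with nested groups already expanded as the DC sees them in the token.
$Members = @{
    'alice'   = @('Domain Users', 'Branch-Springfield Users')
    'bob'     = @('Domain Users', 'Branch-Springfield Users', 'Administrators')   # branch user who is also an admin
    'carol'   = @('Domain Users')                                                  # HQ user, never at the branch
    'svc-sql' = @('Domain Users', 'Denied RODC Password Replication Group')        # high-value account
}

function Test-RodcCachePermitted {
    param([Parameter(Mandatory)][string]$Account)
    $principals = @($Account) + $Members[$Account]
    $denied  = @($principals | Where-Object { $Prp.Denied  -contains $_ })
    $allowed = @($principals | Where-Object { $Prp.Allowed -contains $_ })
    $reason  = if ($denied.Count -gt 0)      { 'Deny (explicit deny wins over any allow)' }
               elseif ($allowed.Count -gt 0) { 'Allow' }
               else                          { 'Deny (not on the allowed list)' }
    [pscustomobject]@{
        Account   = $Account
        Cacheable = ($reason -eq 'Allow')
        Reason    = $reason
        MatchedBy = ($denied + $allowed) -join ', '
    }
}

$Members.Keys | Sort-Object | ForEach-Object { Test-RodcCachePermitted -Account $_ } | Format-Table -AutoSize

# Live equivalents (ActiveDirectory module, RSAT; RODC01 is a placeholder):
#   Get-ADDomainControllerPasswordReplicationPolicy -Identity RODC01 -Allowed
#   Get-ADDomainControllerPasswordReplicationPolicy -Identity RODC01 -Denied
#   Add-ADDomainControllerPasswordReplicationPolicy -Identity RODC01 -AllowedList 'Branch-Springfield Users'
#   Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity RODC01 -RevealedAccounts   # the reset list if the RODC is stolen
```

The table makes the design rule visible: putting branch administrators in an Allowed group does nothing while they remain in Administrators, which is the intended outcome, and the -RevealedAccounts query is the list the notes refer to when they say only cached credentials need resetting after a theft.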

Significant Points for RODCs
An RODC still has a local Administrators group, independent of the one shared by the ordinary DCs in the domain. A member of this group can fully administer only that RODC, which is very useful for allowing installation of drivers, running Windows Update, etc. without impacting the entire domain. Moving from an RODC to a writable DC requires reinstallation of Active Directory on that server.


Managing and Maintaining an Active Directory Infrastructure
• Delegation Strategy
  o Plan OU structure to take advantage of Delegation
  o Allows delegation to groups or users
  o Use Delegation of Authority Wizard or set special permissions on OU
  o Create OUs instead of domains and delegate
• Tasks to Delegate
  o Select common tasks
  o Customize your own
  o Create, delete and manage user accounts
  o Reset user passwords and force password change at next logon
  o Read all user information
  o Create, delete and manage groups
  o Modify the membership of a group
  o Manage Group Policy links
  o Generate Resultant Set of Policy (Planning)

When designing the OU structure of an Active Directory domain, the opportunity to use Delegation must be considered. The ability to Delegate Authority provides a way to allow specific users or groups to manage objects within an OU without giving them more permissions than are required to complete the tasks. This is a good alternative to creating multiple domains, where the entire AD structure must be administered. By using Delegation, user account administration (password/lockout) is handled in one location, and the management tasks involved with the individual objects can be passed to someone else who may or may not be an administrator.

To implement Delegation, right-click the OU and select Delegate Control. A wizard starts, and the users/groups that should be delegated authority are selected. The next step is to select which tasks should be delegated. There are common tasks that can be delegated, such as resetting passwords and creating/modifying user accounts. The tasks can also be customized. To customize a delegation, select the AD objects the users/group will have authority over, then select the specific permissions for those objects.

The permissions created by using the Delegate Authority wizard can be viewed in the Security tab of the OU, in the Advanced area. The permissions are listed under Special Permissions. If the users/group that has been delegated authority needs to be removed from the delegation, select the users/group name in the ACL of the OU and remove them. It is also possible to delegate authority manually by adding the users/group to the ACL in the Security tab of the OU, then going to Special Permissions in the Advanced area and setting the permissions by hand. Using the wizard is a much better way to make sure the permissions required for the tasks being delegated are correctly configured.

If implementing Delegation in the network environment, the security groups that are created can be designed to accommodate the delegation plan. For example, create a group for IT staff that will be assigned delegation tasks and delegate to the group instead of to individual users. Another example is Help Desk staff that will be allowed to reset passwords: create a security group for HelpDesk, place the appropriate users in the group, and delegate authority on the specific OU where they can reset passwords. Disable inheritance of permissions for AD objects to prevent delegations from propagating.
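The wizard writes its delegations as explicit (non-inherited) ACEs on the OU, which is also where an auditor looks for delegations nobody remembers granting. The following script, added here as an illustration and not part of the course notes, lists those ACEs with the .NET DirectoryServices classes present on a Windows Server 2008 domain controller. The OU distinguished name is a placeholder, the GUID table covers only the Reset Password extended right and the user class (other rights are reported by their ActiveDirectoryRights name), and the function name is an assumption of this example.

```powershell
# Added example, not from the course notes: list the delegations set on an OU.
# Uses the .NET DirectoryServices classes available on a Windows Server 2008
# domain controller; no extra module is required. The OU DN is a placeholder.
function Get-OuDelegation {
    param(
        [Parameter(Mandatory = $true)]
        [string]$OuDistinguishedName
    )

    # Schema GUIDs the Delegation of Control wizard writes into ACEs.
    # The "Reset Password" extended right is what the wizard's
    # "Reset user passwords..." common task grants; 'user' is the class
    # the ACE is inherited by. Anything else is shown as a raw GUID.
    $knownGuids = @{
        '00299570-246d-11d0-a768-00aa006e0529' = 'Reset Password (extended right)'
        'bf967aba-0de6-11d0-a285-00aa003049e2' = 'user'
    }

    $ou = [ADSI]("LDAP://" + $OuDistinguishedName)
    $security = $ou.psbase.ObjectSecurity

    # Explicit ACEs only (includeExplicit = $true, includeInherited = $false):
    # these are the rights granted on this OU itself, i.e. the delegations.
    $rules = $security.GetAccessRules($true, $false, [System.Security.Principal.NTAccount])

    foreach ($rule in $rules) {
        $objectType = $rule.ObjectType.ToString()
        $appliesTo  = $rule.InheritedObjectType.ToString()
        $right      = $rule.ActiveDirectoryRights.ToString()

        if ($knownGuids.ContainsKey($objectType)) { $right = $knownGuids[$objectType] }
        if ($knownGuids.ContainsKey($appliesTo)) {
            $appliesTo = $knownGuids[$appliesTo]
        } elseif ($appliesTo -eq [Guid]::Empty.ToString()) {
            $appliesTo = 'all object classes'
        }

        New-Object PSObject -Property @{
            Trustee            = $rule.IdentityReference.Value
            Access             = $rule.AccessControlType.ToString()
            Right              = $right
            AppliesTo          = $appliesTo
            Inheritance        = $rule.InheritanceType.ToString()
            # $true means "Include inheritable permissions" was cleared on the OU
            InheritanceBlocked = $security.AreAccessRulesProtected
        }
    }
}

# Usage (placeholder DN): review the output for trustees or rights that were
# never part of the delegation plan.
# Get-OuDelegation -OuDistinguishedName 'OU=HelpDesk Managed,DC=contoso,DC=com' | Format-Table -AutoSize
```

Because only explicit ACEs are returned, a HelpDesk group that was delegated Reset Password on this OU appears as one row per ACE; a trustee that is not one of the planned delegation groups is the thing to follow up on. The InheritanceBlocked column shows whether the OU has been protected as the text recommends.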


Managing Schema Modifications
• Schema snap-in
  o To register snap-in: "regsvr32 schmmgmt.dll" at run command
• Any changes to Schema make a major impact on network
  o Update cache copy on DCs by selecting Reload the Schema
• Modifying the Schema
  o Schema Admin to make modifications
  o Server with Schema Master role
  o Cannot delete object classes or attributes
  o Deactivate if no longer required or configured incorrectly
  o Some applications change the Schema as part of installation: Exchange, ISA Server, SQL

The Schema snap-in must be registered in order to view it through the Microsoft Management Console. At the run command, type regsvr32 schmmgmt.dll, or install adminpak.msi, to make the Schema snap-in available. Care must be taken before making any type of change to the Schema because it will impact the entire network; until all of the Schema changes have been replicated, the network is basically shut down. To update the cached copies of the Schema on each domain controller as soon as the changes are made, right-click the AD Schema node in the snap-in and select Reload the Schema.

In order to make any modifications to the Schema, the user must be a member of the Schema Admins group. This group has no members by default. All changes must be made on the domain controller with the Schema Master role. Object classes and attributes cannot be deleted; they must be deactivated if they are no longer required or were created in error. If there are errors, recreate the object class or attribute as needed.

Some applications make changes to the Schema as part of their installation. If the first part of the application install fails, make sure the user doing the install is a member of the Schema Admins group. Examples of applications that make Schema changes are Exchange 2000/2003 and ISA Server. Plan carefully when deploying these applications. If possible, deploy the application at the beginning of the forest process so the changes are made early and are replicated correctly to domain controllers as they are added to the forest.


Replication
• Based on USN (update sequence number)
• Intra-Site
  o Between DCs in same site
  o Ring-based topology is maintained by KCC
  o Uses Replication Partners
  o Notify-Pull replication
• Inter-Site
  o Managed by Site Links
  o Use when replication needs to be scheduled
  o Request-Pull replication
  o Bridgehead servers receive replication at each site

Replication is used between domain controllers to update Active Directory information throughout the domain and forest. The Schema and Configuration partitions replicate to all DCs in the forest. The Domain partition replicates to all DCs in the domain. The Application Directory partition replicates to those DCs specified in the partition. The USN (update sequence number) on objects is used to designate which objects have changed. When an object changes, its USN increases. When replication occurs, the USN numbers are compared and the higher USN is replicated. Two types of replication are used: Intra-Site (within the site) and Inter-Site (between sites).

Intra-Site
Intra-Site replication occurs between domain controllers in the same site. The replication uses a ring-based topology, which provides two-way replication. If one domain controller is not available, the AD information is still replicated to all domain controllers. The replication topology is established and maintained by the KCC (Knowledge Consistency Checker). It is responsible for creating the replication topology as well as reconfiguring it when a domain controller is added or removed.

The KCC creates Replication Partners for each domain controller in the site. These replication partners are notified when changes have been made to an object in AD. It is called Notify-Pull replication because the replication partner is notified that there are changes and then pulls any changes from the domain controller that sent the notification. When a change occurs, the domain controller with the change waits 15 seconds before notifying the first replication partner. The DC then notifies any remaining replication partners every 3 seconds, in the order they are listed in AD Sites and Services. The replication topology is designed to be fully replicated within 3 hops.

To view the replication partners for the domain controllers, in AD Sites and Services expand the Site name, expand Servers, expand the Server name and select NTDS Settings. The replication partners are displayed in the detail pane on the right. If there is a need to force replication, right-click the replication partner and select Replicate Now. A command-line utility called repadmin can also be used to force directory replication.
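The USNs described above are visible per attribute in an object's replication metadata, which records both the USN the originating DC assigned to a write and the USN the local DC assigned when it applied the replicated change, together with the name of the originating DC. Reading that metadata is how an investigator answers "which DC did this change come from, and when". The script below is an added illustration, not a tool from the course; it uses the DomainController.GetReplicationMetadata method of the .NET Framework that ships with Windows Server 2008. The DC name, object DN and function name are placeholders chosen for this example.

```powershell
# Added example, not from the course notes: read the replication metadata of
# one object from a chosen DC, showing per-attribute version, originating USN,
# local USN and the DC where the change originated. Uses the .NET
# DirectoryServices classes present on Windows Server 2008; the DC name and
# object DN passed in are placeholders.
function Get-ObjectReplicationMetadata {
    param(
        [Parameter(Mandatory = $true)] [string]$DomainController,   # e.g. 'DC1.contoso.com' (placeholder)
        [Parameter(Mandatory = $true)] [string]$ObjectDn,           # object to inspect
        # Attributes worth watching: group membership, account flags, password timestamp
        [string[]]$Attributes = @('member', 'userAccountControl', 'pwdLastSet')
    )

    # Bind to one specific DC so the "local" USNs are that DC's numbers
    $context = New-Object System.DirectoryServices.ActiveDirectory.DirectoryContext `
        -ArgumentList 'DirectoryServer', $DomainController
    $dc = [System.DirectoryServices.ActiveDirectory.DomainController]::GetDomainController($context)
    $metadata = $dc.GetReplicationMetadata($ObjectDn)

    foreach ($name in $Attributes) {
        # An attribute that was never written on this object has no metadata entry
        try   { $entry = $metadata[$name] } catch { $entry = $null }
        if ($null -eq $entry) { continue }

        New-Object PSObject -Property @{
            Attribute         = $name
            Version           = $entry.Version                  # increments on every originating write
            OriginatingUsn    = $entry.OriginatingChangeUsn     # USN on the DC where the write happened
            LocalUsn          = $entry.LocalChangeUsn           # USN this DC assigned when applying it
            OriginatingServer = $entry.OriginatingServer        # the DC to look at for the audit trail
            LastChange        = $entry.LastOriginatingChangeTime
        }
    }
}

# Usage (placeholder names): compare the same object from two DCs; the
# OriginatingUsn and OriginatingServer match, the LocalUsn differs per DC.
# Get-ObjectReplicationMetadata -DomainController 'DC1.contoso.com' `
#     -ObjectDn 'CN=Domain Admins,CN=Users,DC=contoso,DC=com' | Format-Table -AutoSize
```

Running the function against two DCs for the same object shows the text's point in practice: the originating USN and server are the same everywhere, while each DC keeps its own local USN for the change. The OriginatingServer value tells you which DC's Security log holds the actual write event.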

Inter-Site
Inter-Site replication is replication that occurs between sites. The connections are normally not as fast and reliable as the connections within a site; this depends on your site strategy and the reasons you created the site. The replication is controlled by Site Links. There is a DefaultSiteLink to which all sites can be linked when the site is created. The replication between sites is based on a schedule. When it is time for replication, based on the schedule configured in the site link, the designated domain controller will Request-Pull changes from a specified domain controller in the other site. The schedule created includes the time window to use for replication, the replication interval (how often to replicate) and the cost (priority) of the link. The specified domain controller in the site is called the Bridgehead Server. It is automatically designated by the ISTG (Inter-Site Topology Generator). The Bridgehead server can be manually designated, but this can have a major impact on the network, which will be discussed in the next few pages.


Forest and Domain Replication
Intra-Site Replication
• Uses a Notify-Pull process via RPC over IP (high bandwidth is required)
• Source DC notifies first Replication Partner after 15 seconds
• Additional Replication Partners are notified every 3 seconds
• Complete replication within 3 hops
• Account lockout, domain password policy, or DC password do not wait for replication interval (15 seconds)
• Replication Partners
  o Replication connection objects are created automatically by the KCC
  o Replication connection objects can be created manually

Intra-Site Replication
Replication between domain controllers in the same site is automatically configured and managed by the KCC (Knowledge Consistency Checker). If only one site is created (Default First Site), replication will not need to be configured because it will happen automatically. The topology of replication uses Replication Partners. Each domain controller in the site will have replication partners automatically created by the KCC when it becomes part of the site. In most cases, there will be up to 3 replication partners (3-hop rule). In larger networks there may be more than three.

Replication Partners can be manually created by right-clicking the NTDS Settings for the domain controller where the new Replication Partner is desired. Select New Active Directory Connection. A window is displayed with a listing of all domain controllers in the site. Select the domain controller desired as a Replication Partner.

The Windows Server 2008 intra-site replication uses Notify-Pull to complete replication. When a change is made to an AD object (created, moved or modified), the domain controller will wait 15 seconds and then Notify the first Replication Partner. The Replication Partner will then Pull changes based on the USN (update sequence number) of the objects. The higher number will be replicated. After the first Replication Partner is notified, the second is notified 3 seconds later. Additional Replication Partners are notified in 3-second increments. Total replication will take no more than 3 hops. The data being replicated is sent uncompressed. The protocol used to transmit the data is RPC/IP, which is a reliable protocol standard used with site replication traffic.


Active Directory Sites
A collection of well-connected TCP/IP subnets. Sites are used to:
• Control protocol, cost, & schedule of AD replication
• Control authentication traffic
• Optimize Active Directory-aware applications
• Sites are managed by Enterprise Admins thru AD Sites & Services
• Default First Site contains all DCs by default and all DCs on unassociated subnets
• A Site can consist of multiple domains and a domain can span multiple sites

Sites are part of the physical structure of Active Directory in Windows Server 2008. They are used to control replication of Active Directory within the site and between sites. A site can also be used to keep logon traffic local to the site by having a Global Catalog in the site and by using Universal Group Membership Caching. If a directory-aware application is used, the site where the request for the application originates and the location of the application are considered when directing traffic to the application.

A site is defined as a collection of one or more subnets that have a 'fast and reliable' connection. It is best to have all domain controllers within a site with a good connection to support the replication of Active Directory. Subnets that do not have a 'fast and reliable' connection should be in separate sites, with replication configured between the two sites. Many times the physical location is used to differentiate the site structure even if the connection is good. It all comes down to how the replication of AD is going to be managed.

Active Directory Sites and Services is where Sites and replication are administered. Though AD Sites and Services can be viewed from anywhere in the forest, it is managed in the Forest Root. Any administration needs to be completed by a user in the Enterprise Admins group. There is a site created by default when Active Directory is installed. It is called "Default First Site". If no other site is created, all domain controllers will be listed under this site. When implementing a Windows Server 2008 forest, it is best to create the site structure immediately after installing Active Directory on the first domain controller. When the subsequent domain controllers join the forest, they will be listed under the appropriate site based on their IP address and the subnet it belongs to. If this is not possible, the servers can be moved to the appropriate site after the site is created.

It is possible to have more than one domain in a site, or to have part of a domain in one site and the rest in another site. If more than one domain is in a site, at least one domain controller must be listed in that site.

Site Creation
To create a new site, open AD Sites & Services located in Administrative Tools. Select Sites and from the shortcut menu select New Site. In the window that is displayed, name the site and associate it with a site link. This will be the DefaultSiteLink, if no other links have been created. Name your sites so they can be easily recognized. If your site implementation is by location, use the name of the location. Once the site is created, it is time to create the subnets.

Creating Subnets
In the left-hand pane select Subnets and from the shortcut menu select New Subnet. The IP address to enter in the window displayed is the network address with the appropriate subnet mask. Select the site that is going to be associated with the subnet. Once the subnet is created, the site association can be changed from the Properties of the subnet.

If the sites and subnets are created before any other domain controllers become part of the forest, the domain controllers will be automatically listed in the appropriate site during the installation of Active Directory. If not, expand the Servers folder under Default First Site to view the domain controllers that are listed. Select Move from the shortcut menu on the server and select the site that is associated with their subnet.

Once the Sites are created and domain controllers are in place, select the Site and view in the right pane a node for License Site Settings. The default Site License server is the first domain controller created in the site. The Site License server is where the database regarding licensing for Microsoft products is stored. The information is managed in the Licensing console, but stored on the Site License server.

The five basic steps for creating a site are as follows:
• Create the site, and associate it with a site link (typically the DefaultSiteLink on smaller networks).
• Create a subnet and associate it with a site. Sites must contain unique subnets to make them useful.
• Connect the site to other sites by using site links. A site that does not have a site link to other sites cannot replicate directory information outside of its own site.
• Move the domain controllers to the appropriate sites. Future DCs will be placed in the appropriate site based on subnet.
• Select a site license server. For compliance with Microsoft licensing rules, this is a necessary step. All sites are registered by the License Logging Service and stored in a central database.
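The first four of those steps can be scripted against the configuration partition, which is useful when many branch sites have to be created consistently. The script below is an added illustration, not a procedure from the course; it uses the ADSI classes on a Windows Server 2008 DC and must run as an Enterprise Admin, as the text requires. The site name, subnet and server name are placeholders, and note that the object the course calls DefaultSiteLink is named DEFAULTIPSITELINK in the directory.

```powershell
# Added example, not from the course notes: script site creation (site, subnet,
# site link membership, optional DC move) with the ADSI classes on a Windows
# Server 2008 DC. Site name, subnet and DC name are placeholders; the default
# site link object is named DEFAULTIPSITELINK in the configuration partition.
function New-AdSiteWithSubnet {
    param(
        [Parameter(Mandatory = $true)] [string]$SiteName,      # e.g. 'Houston'      (placeholder)
        [Parameter(Mandatory = $true)] [string]$Subnet,        # e.g. '10.20.0.0/16' (placeholder)
        [string]$SiteLinkName = 'DEFAULTIPSITELINK',           # site link to join the new site to
        [string]$MoveServer = $null                            # DC to move out of Default-First-Site-Name
    )

    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = "$($rootDse.configurationNamingContext)"
    $sitesDn  = "CN=Sites,$configNc"
    $siteDn   = "CN=$SiteName,$sitesDn"

    # Step 1: create the site plus the two containers every site carries
    $sites = [ADSI]"LDAP://$sitesDn"
    $site  = $sites.Create('site', "CN=$SiteName")
    $site.SetInfo()
    $ntds = $site.Create('nTDSSiteSettings', 'CN=NTDS Site Settings')
    $ntds.SetInfo()
    $servers = $site.Create('serversContainer', 'CN=Servers')
    $servers.SetInfo()

    # Step 2: create the subnet and associate it with the site (siteObject attribute).
    # This association is what places future DCs, and clients, into the site.
    $subnets   = [ADSI]"LDAP://CN=Subnets,$sitesDn"
    $subnetObj = $subnets.Create('subnet', "CN=$Subnet")
    $subnetObj.Put('siteObject', $siteDn)
    $subnetObj.SetInfo()

    # Step 3: connect the site to others by appending it to a site link's siteList
    $link = [ADSI]"LDAP://CN=$SiteLinkName,CN=IP,CN=Inter-Site Transports,$sitesDn"
    $link.PutEx(3, 'siteList', @($siteDn))   # 3 = ADS_PROPERTY_APPEND
    $link.SetInfo()

    # Step 4 (optional): move an existing DC's server object into the new site
    if ($MoveServer) {
        $server = [ADSI]"LDAP://CN=$MoveServer,CN=Servers,CN=Default-First-Site-Name,$sitesDn"
        $target = [ADSI]"LDAP://CN=Servers,$siteDn"
        $server.psbase.MoveTo($target)
    }

    return $siteDn
}

# Usage (placeholder values):
# New-AdSiteWithSubnet -SiteName 'Houston' -Subnet '10.20.0.0/16' -MoveServer 'DC2'
```

After the function runs, AD Sites and Services shows the new site with its NTDS Site Settings and Servers nodes, the subnet listed under Subnets with the site association set, and the site present in the chosen site link; the license site settings step remains a GUI action.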

Inter-Site Replication
Faster WAN connections should be assigned lower site link costs, while slower WAN connections should be assigned higher site link costs. Inter-Site replication occurs between sites that have been created in AD Sites and Services. To manage the replication, Site Links must be created.

Site Links
There is a DefaultSiteLink that is created when AD Sites & Services is created. When new sites are created, they can be associated with the DefaultSiteLink. If all site connections are equal and there is no preference in how the data replicates, the DefaultSiteLink is used and no other configuration is required. The default settings for the DefaultSiteLink are a Cost of 100, replication every 180 minutes (3 hours) and a schedule of 24/7 availability. If the type of connection between the sites differs and there is a need to control when the different sites replicate, a site link is created to configure the specific settings required.

To create a Site Link, select the Inter-Site Transport desired. There are two options: IP (RPC/IP) and SMTP. IP provides a reliable connection and all partitions can be replicated across this type of transport. SMTP is an e-mail based replication and is designed for unreliable connections. Only the Schema and Configuration partitions can be replicated using SMTP. In order to use SMTP, there must be an SMTP server in each site. The transport of choice is going to be IP. Select New Site Link from the shortcut menu of the IP node. Name the Site Link (a user-friendly name for easy identification) and indicate the Sites that are going to be linked with this Site Link. Once the Site Link is created, open the Properties area to configure settings.

The default cost assigned to a Site Link is 100. When deciding the Cost to assign to a link, determine the preferred link to replicate over first and then give that link a lower cost. For example, if the SiteA-SiteB link has a cost of 100 and the SiteB-SiteC link has a cost of 75, SiteB will replicate to SiteC first, because that link has the lower cost. The Replication interval default setting is 180 minutes (3 hours). This represents the interval between requests to pull changes from the Bridgehead server in the linked site. It is not recommended to make the time any shorter. It is recommended to make sure at least 2 replications occur during the time schedule allotted.

The Schedule is the days and times available for replication to occur. The default is 24 hours a day, seven days a week. The schedule can be set to allow replication only during a certain period of time. For example, if replication is desired during off-hours, it can be scheduled to occur only from 8 p.m. to 6 p.m. It is a 24-hour time schedule, midnight to midnight. Be careful when setting time frames to ensure they correspond with the desired results. If replication is scheduled for a 4-hour time frame and the replication interval is every 3 hours, the 2-replication rule will be satisfied: replication is initiated at the beginning of the time frame and then again 3 hours later. The time frame available and the replication interval are very important in getting the desired result. If replication is set to occur between multiple sites and one site does not get the changes until the next day, the schedule and intervals need to be examined to make sure all changes are replicated to all sites within a given time.

Bridgehead Servers
The Bridgehead server is the domain controller in each site that has been designated by the ISTG for that domain to Request and Pull the changes to the AD database. It will then turn around and start notifying its own Replication Partners that it has changes, to initiate the Intra-Site replication. The ISTG maintains the Bridgehead server topology by replacing the Bridgehead server automatically should it fail for any reason. If a different Bridgehead server is desired, right-click the server name under the site and select Properties. It will show whether the server has been assigned the role of Bridgehead server. If it is not already the Bridgehead server, select the Transport protocol it should be responsible for and move it to the right side.

Note: After manually designating a Bridgehead server, the ISTG will no longer maintain the environment. It will not designate any Bridgehead server at all, even if the one manually created fails. If manually creating a Bridgehead server, make sure to specify at least two so another one is available should one fail. If the Bridgehead server is manually created on one site, it must also be manually created on the site it is linked to. The Site replication will fail if only one Bridgehead server has been manually created and the other has been created by the ISTG.

Site Link Bridges
By default all site links are bridged (transitive). If the option to "Bridge all site links" is disabled, the DCs in the fabrikam.com domain would not successfully perform replication without the manual creation of a site link bridge.

By default, Windows Server 2008 will automatically bridge between non-adjacent sites, creating connection objects between the DCs in the non-adjacent sites. If SiteA is linked to SiteB, and SiteB is linked to SiteC, bridging is automatic between SiteA and SiteC. This allows SiteA and SiteC to exchange AD changes through site links A-B and B-C. To turn off this feature, clear the checkbox "Bridge all site links" in the Properties of the IP node under the Inter-Site Transports section. With this turned off, any bridges desired must be created manually. If "Bridge all site links" has been unchecked, the AD network can then be described as "not fully routed".

To create a Site Link Bridge, from the shortcut menu of the IP node select New Site Link Bridge. Name the bridge and specify the sites that are to be bridged. No other configuration is required. Costs are not assigned to site link bridges: the Cost of the Site Link Bridge is the sum of the costs of the site links involved in the creation of the bridge. For example, if SiteA and SiteB have a link Cost of 100 and SiteB and SiteC have a link Cost of 75, the Cost of the Site Link Bridge between SiteA and SiteC is 175. Therefore the JAX-HOU-SEA-SLB created to solve the problem in the diagram above would have a replication cost of 200 (100 + 100).

Manual bridging is used instead of creating a site link in environments that are not routed to one another and when there is an excessive number of sites in the routed environment. Another term for a bridged site is a Transitive site. If a bridge is not created it is Non-Transitive.
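The cost arithmetic in the Site Links section and the transitivity rules above combine into one question an administrator keeps asking: given these site links and this bridging setting, can two sites replicate, and at what cost? The script below is an added illustration, not a tool from the course: it models site links as the text describes them and runs a shortest-path search that is allowed to chain links only where they are transitive (everywhere when "Bridge all site links" is on; only inside a manual site link bridge when it is off). The function names are choices of this example; the site names and costs in the usage lines are the ones the text uses.

```powershell
# Added example, not from the course notes: compute the cost at which two sites
# can replicate from a list of site links, honouring the "Bridge all site links"
# setting and any manually created site link bridges. The usage lines reuse the
# text's own site names and costs; the functions are an illustration only.
function Find-CheapestSitePath {
    param([string]$From, [string]$To, [hashtable[]]$Links)
    # Dijkstra over sites. A site link joins every site it lists at the link's cost.
    $distance = @{ $From = 0 }
    $visited  = @{}
    while ($true) {
        $current = $distance.Keys |
            Where-Object { -not $visited.ContainsKey($_) } |
            Sort-Object { $distance[$_] } |
            Select-Object -First 1
        if ($null -eq $current) { return $null }        # nothing reachable is left to expand
        if ($current -eq $To)   { return $distance[$current] }
        $visited[$current] = $true
        foreach ($link in ($Links | Where-Object { $_.Sites -contains $current })) {
            foreach ($site in $link.Sites) {
                if ($site -eq $current) { continue }
                $candidate = $distance[$current] + $link.Cost
                if (-not $distance.ContainsKey($site) -or $candidate -lt $distance[$site]) {
                    $distance[$site] = $candidate
                }
            }
        }
    }
}

function Get-SiteReplicationCost {
    param(
        [Parameter(Mandatory = $true)] [string]$From,
        [Parameter(Mandatory = $true)] [string]$To,
        [Parameter(Mandatory = $true)] [hashtable[]]$SiteLinks,   # @{Name=..; Sites=@(..); Cost=..}
        [bool]$BridgeAllSiteLinks = $true,                         # the IP transport checkbox
        [hashtable[]]$SiteLinkBridges = @()                        # @{Name=..; Links=@(link names)}
    )
    # Which groups of links may be chained together (are transitive with each other)?
    $linkGroups = @()
    if ($BridgeAllSiteLinks) {
        $linkGroups += ,$SiteLinks                                 # every link is transitive
    } else {
        foreach ($l in $SiteLinks) { $linkGroups += ,@($l) }       # a link is usable only on its own...
        foreach ($b in $SiteLinkBridges) {                         # ...unless a manual bridge joins links
            $linkGroups += ,@($SiteLinks | Where-Object { $b.Links -contains $_.Name })
        }
    }
    $best = $null
    foreach ($group in $linkGroups) {
        $cost = Find-CheapestSitePath -From $From -To $To -Links $group
        if ($null -ne $cost -and ($null -eq $best -or $cost -lt $best)) { $best = $cost }
    }
    return $best    # $null means the sites cannot replicate ("not fully routed")
}

# Usage with the text's numbers: A-B costs 100, B-C costs 75.
$links = @(
    @{ Name = 'A-B'; Sites = @('SiteA', 'SiteB'); Cost = 100 },
    @{ Name = 'B-C'; Sites = @('SiteB', 'SiteC'); Cost = 75 }
)
Get-SiteReplicationCost -From SiteA -To SiteC -SiteLinks $links                              # bridged
Get-SiteReplicationCost -From SiteA -To SiteC -SiteLinks $links -BridgeAllSiteLinks $false   # unbridged
Get-SiteReplicationCost -From SiteA -To SiteC -SiteLinks $links -BridgeAllSiteLinks $false `
    -SiteLinkBridges @(@{ Name = 'A-C-SLB'; Links = @('A-B', 'B-C') })                       # manual bridge
```

With bridging on, the A-B-C path is found and its cost is the 175 the text computes. With bridging off and no bridge defined, SiteA and SiteC share no link and the function returns nothing, which is the "not fully routed" state; adding a manual bridge that contains both links restores the path at the same summed cost. Feeding the function real site link data (for example exported from AD Sites and Services) is a quick way to check that every site has a route before clearing the checkbox.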

Inter-Site Transports
• RPC over IP
  o Fast, reliable WAN links
  o Only domain controllers of the same domain
  o Built-in security
• SMTP
  o Slow, unreliable WAN links
  o DCs of different domains, same forest
  o Certificates and SMTP on replication partners

Inter-Site replication occurs between sites that have been created in AD Sites and Services. To manage the replication, Site Links must be created. Rules to follow:
• Domain controllers of the same domain must use RPC over IP regardless of WAN connectivity speeds.
• When WAN connections are fast and reliable, use RPC over IP even when replicating between DCs of different domains.
• When replicating between DCs of different domains across a slow, unreliable link, use the SMTP inter-site transport.
• When using SMTP, certificates need to be used to enhance security, and the SMTP protocol will need to be installed on the DCs participating in the inter-site replication.


Managing AD Sites
Inter-site Replication Strategy
• Schedule: Site schedules should be configured with overlapping times to provide at least two replication cycles.
• Link Costs: Site link costs should be configured proportionately to the speed of the physical link connecting the sites (faster speeds, lower costs).
• Create Boundaries with Subnets: subnets assigned to only one site
  o Subnet association dictates what DCs clients will use for authentication.

The replication strategy for both Intra-site and Inter-site replication can be managed through AD Sites and Services. For Intra-site replication, place all of the domain controllers belonging to the same subnet in the appropriate site. Make sure the connectivity between the domain controllers in a given subnet is fast and reliable to support Intra-site replication. There is more to managing Inter-Site replication: the Site Links that are created between the sites must be configured properly in order to obtain the desired result. If only the default settings are required, the DefaultSiteLink can be used to connect all sites. Otherwise a site link must be created and customized. Items to be carefully configured include the cost, schedule and replication interval. These will be discussed in detail in the pages to follow.

Creating Boundaries with Subnets
Sites are important for AD replication but also play a key role in authentication. When authenticating, a domain controller located in the same site as the user is selected to complete the authentication. If a specific domain controller is desired to authenticate, make sure the client's subnet is part of that site. The subnet is the identifying factor for both the user and the domain controller. Sites are not domain specific, so if there are a lot of users who travel to other sites and require cross-domain authentication, place a domain controller in the site where they are physically located. The domain controller will require an IP address from one of the subnets associated with the site, and a site link created to a site with other domain controllers from the same domain.


Bridgehead Selection Process
The inter-site topology generator automatically selects a bridgehead server to be responsible for inter-site replication. Bridgehead servers can be manually selected in the properties of the server object; however, when manually selecting a bridgehead, at least two should be selected to prevent a single point of failure. The ISTG will forgo an election if a bridgehead is manually assigned. A bridgehead server is required for each directory partition that must be replicated to other sites.

When the Knowledge Consistency Checker builds the inter-site replication topology, it selects one or more servers in each site to act as a bridgehead server. The bridgehead server is responsible for the inter-site replication. This auto-selection process ensures that once a site link opens for replication, the domain controllers within each site do not all attempt to establish connection objects outside the boundaries of the site. Microsoft recommends allowing the bridgehead servers to be chosen automatically instead of manually. Once a bridgehead server is chosen manually, the KCC will not select one. Thus if your pre-selected bridgehead becomes unavailable, inter-site replication could be interrupted.

Manually Selecting Bridgeheads
The minimum number of DCs to select as bridgehead servers to prevent an election is one DC for each directory partition requiring replication; however, best practice suggests configuring two bridgeheads for each directory partition. If a preferred bridgehead server has been selected, then updates to the domain directory partition hosted by that server can be replicated only from a preferred bridgehead server. If at the time of replication a preferred bridgehead server is not available for that directory partition, replication fails. If bridgehead servers have been selected but no domain controller is designated as a preferred bridgehead server for a specific directory partition that has replicas in another site or sites, the KCC selects a domain controller to act as the bridgehead server, if one is available that can replicate the directory partition to the other site or sites. Therefore, to select preferred bridgehead servers effectively, be sure to assign at least two bridgehead servers for each of the following:
• Any domain directory partition that has a replica in another site.
• Any application directory partition that has a replica in another site.
• The schema and configuration directory partitions, if no domains in the site have replicas in other sites.

If the site has a global catalog server, select the global catalog server as one of the preferred bridgehead servers.


Monitoring Replication
• Command-line Utilities
  o Repadmin
  o Dcdiag
• Event Viewer
• Directory Services log
• Active Directory Replication Monitor (replmon)

Event Viewer
There are two Event Logs that pertain to Replication and Active Directory. These logs are automatically added when Active Directory is installed. The Directory Services log records events having to do with the Directory Services service. These events include connections between the domain controller and the Global catalog. The File Replication Service log records events regarding the File Replication service. Failures during replication of Active Directory can be found in this log.

File Replication Service Log
Several tools are available to monitor both Active Directory replication and File Replication. None of the tools, except Event Viewer, are installed by default. Install the suptools.msi package from the \Support\Tools folder on the Windows Server 2008 CD. Two of the tools, repadmin and dcdiag, are command-line utilities. Replmon (Active Directory Replication Monitor) has a GUI interface and can be accessed from the Run command by typing replmon.

Command-Line Utilities
The repadmin (Replication Diagnostic Tool) utility is used to diagnose Active Directory replication problems between domain controllers. It can be used to force replication or to manually create a replication topology. Dcdiag (Domain Controller Diagnostic tool) is used to analyze the domain controllers either in the domain or forest. Domain controllers can be specified to run diagnostic tests.
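Beyond forcing replication, repadmin is the tool a monitoring job calls: its /showrepl /csv output lists every inbound replication link on every DC with its failure count, last success time and last status. The script below is an added illustration, not part of the course notes; it parses that CSV layout and returns only the links that need attention. The column names are the ones repadmin writes in its CSV header, the sample rows are constructed for an offline run (not output from any real forest), and the function name and the DC and domain names in the sample are placeholders.

```powershell
# Added example, not from the course notes: turn "repadmin /showrepl * /csv"
# output into the list of replication links that are failing (or stale), so a
# scheduled job can alert on them. Omit -CsvLines to query the live forest;
# repadmin ships with Windows Server 2008.
function Get-ReplicationFailure {
    param(
        [string[]]$CsvLines,     # captured repadmin CSV output, or omit to run repadmin
        [int]$StaleHours = 0     # >0 also flags links with no success inside this many hours
    )
    if (-not $CsvLines) { $CsvLines = & repadmin.exe /showrepl * /csv }

    $rows = $CsvLines | ConvertFrom-Csv
    foreach ($row in $rows) {
        $failures = 0
        [void][int]::TryParse($row.'Number of Failures', [ref]$failures)

        $lastSuccess = [DateTime]::MinValue
        [void][DateTime]::TryParse($row.'Last Success Time', [ref]$lastSuccess)
        $stale = ($StaleHours -gt 0) -and (((Get-Date) - $lastSuccess).TotalHours -gt $StaleHours)

        if ($failures -gt 0 -or $stale) {
            New-Object PSObject -Property @{
                Destination   = $row.'Destination DSA'     # the DC that cannot pull
                Source        = $row.'Source DSA'          # the partner it pulls from
                NamingContext = $row.'Naming Context'
                Failures      = $failures
                LastSuccess   = $row.'Last Success Time'
                LastStatus    = $row.'Last Failure Status' # Win32 error code as repadmin reports it
            }
        }
    }
}

# Constructed sample in the repadmin CSV layout (placeholder DC and domain names,
# not real output): DC1 pulls cleanly from DC2 but has failed 4 times from DC3.
$sampleText = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Default-First-Site-Name,DC1,"DC=contoso,DC=com",Default-First-Site-Name,DC2,RPC,0,0,2010-08-19 00:10:03,0
showrepl_INFO,Default-First-Site-Name,DC1,"DC=contoso,DC=com",Branch,DC3,RPC,4,2010-08-19 00:12:41,2010-08-18 09:10:03,1722
'@
$sample = $sampleText -split "`r?`n"

Get-ReplicationFailure -CsvLines $sample |
    Format-Table Destination, Source, NamingContext, Failures, LastSuccess, LastStatus -AutoSize
```

On the constructed sample only the DC1 from DC3 link is returned. Against a live forest, running it with -StaleHours 24 from a scheduled task also surfaces links that report no failures but have simply not succeeded for a day, which is the quiet failure mode a mis-set site link schedule produces; dcdiag /test:replications gives the same information in report form for a single DC.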


Active Directory Replication Monitor
Access Active Directory Replication Monitor by typing replmon in the Run command. The GUI interface will be displayed. To connect to a domain controller, right-click Monitored Servers and select Add Monitored Server. The domain controller can be selected by name, or browse to select the domain controller desired. This tool will allow the administrator to see what is being replicated. Replication can be forced, a map of the replication topology viewed, and other reports generated to analyze the performance of Active Directory replication. See the listing of the reports in the picture above.


Backing-Up Active Directory
• System State – A set of components that are backed up and restored as a single unit and cannot be managed individually
  o Includes AD, Sysvol (scripts, My Documents, GPOs), registry, boot files, & My Network Places
  o Possibly more depending on system configuration
• Server Backup Utility
  o Backs up immediately or use Task Scheduler to schedule
  o Always full backup
• NTBackup in Directory Services Restore Mode for restore of SSD
• Must be Domain Admin or Backup Operators group
• Only interactive backups to Local Disk (C) and restores are allowed

System State
System State is the collection of all system components and distributed services that Active Directory requires to function. It is a logical group that cannot be separated and backed up individually. Included in the System State are the registry, system boot files, files protected by Windows File Protection, and the Certificate Services database. It can include Active Directory components and the Sysvol folder if the server is a domain controller.

Server Backup Utility
The backup utility provided with Windows Server 2008 can be used to back up the System State. It can either be selected to back up separately or it can be selected along with other data to back up. No matter what type of backup is being performed, the System State will always be backed up as a full backup. Use the same utility to restore System State while in Directory Services Restore Mode. The user performing the System State backup must be a member of either the Domain Admins group or the Backup Operators group. The backup job can be run immediately or can be scheduled to run after hours by creating a Scheduled Task through the Backup wizard. The System State backup can only be configured on the local machine, but the System State backup can be stored in a network share.


WBAdmin
• Not installed by default
• Must be installed as a Feature with Server Manager
• "wbadmin start systemstatebackup" backs up the system state, including AD on a domain controller.

Windows Server 2008 includes a new backup application named Windows Server Backup. Windows Server Backup is not installed by default. You must install it by using the Add Features option in Server Manager before you can use the Wbadmin.exe command-line tool or Windows Server Backup on the Administrative Tools menu.

To back up a domain controller, you should use the wbadmin start systemstatebackup command to back up system state data. If you use the wbadmin start systemstatebackup command, the backup contains only system state data, which minimizes the size of the backup. This method provides system state data backups that are similar to the system state backups provided by the Ntbackup tool in previous versions of Windows Server. As another option, you can use the wbadmin start backup command with the -allcritical parameter, or use Windows Server Backup, to perform a backup of all critical volumes rather than only backing up system state data. However, this method backs up all the critical volumes entirely. A volume is considered critical if any system state file is reported on that particular volume.

In Windows Server 2008, the system components that make up system state data depend on the server roles that are installed on the computer. The system state data includes at least the following data, plus additional data, depending on the server roles that are installed:
• Registry
• COM+ Class Registration database
• Boot files
• Active Directory Certificate Services (AD CS) database
• The Active Directory database (Ntds.dit)
• SYSVOL directory
• Cluster service information
• Microsoft Internet Information Services (IIS) metadirectory
• System files that are under Windows Resource Protection

When you use Windows Server Backup to back up the critical volumes on a domain controller, the backup includes all data that resides on the volumes that include the following:
• The volume that hosts the boot files, which consist of the Bootmgr file and the Boot Configuration Data (BCD) store
• The volume that hosts the Windows operating system and the registry
• The volume that hosts the SYSVOL tree
• The volume that hosts the Active Directory database (Ntds.dit)
• The volume that hosts the Active Directory database log files

Windows Server 2008 supports the following types of backup:
• Manual backup: A member of the Administrators group or the Backup Operators group can initiate a manual backup by using Windows Server Backup or the Wbadmin.exe command-line tool each time that a backup is needed. If the target volume is not included in the backup set, you can make manual backups on a remote network share or on a volume on a local hard drive.
• Scheduled backup: A member of the Administrators group can use Windows Server Backup or the Wbadmin.exe command-line tool to schedule backups. Scheduled backups must be made on a local, physical drive that does not host any critical volumes. Because scheduled backups reformat the target drive that hosts the backup files, we recommend that you use a dedicated backup volume.

Windows Server Backup supports DVDs or CDs as backup media. You cannot use magnetic tape cartridges. You cannot use a dynamic volume as a backup target. Windows Server Backup does not support backing up individual files or directories; you must back up the entire volume that hosts the files that you want to back up.

For Install from Media (IFM) installations, use the enhanced version of Ntdsutil.exe that is included in Windows Server 2008 to create the installation media, rather than Windows Server Backup. Ntdsutil.exe in Windows Server 2008 includes a new ifm command that creates installation media for additional domain controllers. For read-only domain controller (RODC) installations, the Ntdsutil ifm command can create secure installation media, in which the command strips secrets from the Active Directory data. You can also include SYSVOL data in the installation media.

When you need to restore a domain controller, you can use Bcdedit.exe to toggle the default startup mode between normal and Directory Services Restore Mode (DSRM). To start the server in DSRM by using Bcdedit.exe, at a command prompt, type the following command: bcdedit /set safeboot dsrepair. To restart the server normally, at a command prompt, type the following command: bcdedit /deletevalue safeboot.

Windows Server Backup in Windows Server 2008 has three recovery modes:
• Full server recovery
• System state recovery
• File/folder recovery
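The following PowerShell script is an added example, not part of the original notes, showing the two ways of running the System State backup described above: an immediate wbadmin run and an after-hours Scheduled Task. It assumes the Windows Server Backup feature is installed, that the placeholder volume E: is a local volume that holds no critical volume, and that it runs elevated as a member of Administrators or Backup Operators.

```powershell
# Added example (not from the original notes): run a System State backup of a
# domain controller with wbadmin now, and register the same command as a
# nightly Scheduled Task. Placeholder: E: as the backup target volume.

$BackupTarget = "E:"    # placeholder: local volume with no critical data on it

# Windows Server Backup is not installed by default; fail early if it is missing.
if (-not (Get-Command wbadmin.exe -ErrorAction SilentlyContinue)) {
    throw "wbadmin.exe not found: add the Windows Server Backup feature in Server Manager first."
}

# A System State backup must not target a volume that is itself part of the
# System State (the OS volume always is). This is only the most obvious check;
# wbadmin rejects any other critical volume as well.
if ($BackupTarget.TrimEnd('\') -eq $env:SystemDrive) {
    throw "Target $BackupTarget is the system volume; choose a volume that hosts no critical data."
}

# Immediate System State backup (Registry, SYSVOL, Ntds.dit, boot files, ...).
# -quiet suppresses the interactive confirmation prompt.
& wbadmin.exe start systemstatebackup -backupTarget:$BackupTarget -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin returned exit code $LASTEXITCODE" }

# List the backups now held on the target. The version identifier printed
# here is the value a later 'wbadmin start systemstaterecovery -version:' needs.
& wbadmin.exe get versions -backupTarget:$BackupTarget

# Same command every night at 23:00 under the SYSTEM account, which is the
# after-hours Scheduled Task approach the notes describe.
& schtasks.exe /Create /F /SC DAILY /ST 23:00 `
    /TN "AD System State Backup" `
    /TR "wbadmin.exe start systemstatebackup -backupTarget:$BackupTarget -quiet" `
    /RU SYSTEM
```

Keeping the backup on a volume that is not part of the System State matters for recovery as much as for the backup itself: if Ntds.dit and its only backup share a volume, a single volume failure loses both.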

As with previous versions of Active Directory, you can perform a system state recovery only by starting the domain controller in DSRM, which you access by pressing F8 during the initial boot phase of Windows Server 2008. If you cannot start the server, you must perform a full server recovery. For more information, see Performing a Full Server Recovery of a Domain Controller.


Restoring Active Directory
• Must be in Directory Services Restore Mode (though Directory Services can be stopped and started, to restore AD you must enter DSRM)
• Use Backup Utility and select Restore
• Cannot restore individual components of System State
• Must be local restore
• Three types of Restore available:
o Normal Restore (non-authoritative) – allows replication to update
o Authoritative Restore – marks objects to be restored and replicated
o Primary Restore – marks entire restore as the one to replicate

To restore Active Directory, enter Directory Services Restore Mode from the Advanced Options menu during startup. You will be required to use the password created for Directory Services Restore Mode during AD installation. In Directory Services Restore Mode, directory services are not running, so the Active Directory portion of the System State can be restored. Use the same Backup Utility and select the Restore Wizard. As with the backup, the System State must be restored in its entirety because it is not possible to select individual components.

Restore Options
Three options are available when restoring Active Directory: Normal Restore, Authoritative Restore and Primary Restore. The situation and the objects that need to be restored determine which type of restore is appropriate. All restores are executed in Directory Services Restore Mode, which can be accessed from the Advanced Options menu. Directory Services Restore Mode turns Active Directory off, which allows the System State to be restored. Ntdsutil.exe is a command-line utility used in Directory Services Restore Mode to complete other Directory Services functions, such as moving the database, using metadata cleanup to remove old objects and performing an offline defrag, among others.

Normal Restore
Normal Restore is also called nonauthoritative. Run the Backup Utility to restore the System State backup. It restores the entire System State to its original location. Once complete, the domain controller is rebooted and synchronizes with the other domain controllers in the domain to receive the most up-to-date changes to Active Directory. Reasons for using a Normal Restore include:
• Restoring a single domain controller when there are other domain controllers
• Attempting to restore Sysvol or File Replication Service data on a domain controller other than the first replica

Authoritative Restore
An Authoritative Restore allows the administrator to specify objects in the Active Directory database that should be restored to the entire network upon reboot. It 'marks' the objects so they are not written over when the domain controller is synchronized at reboot. It will instead replicate those marked objects to the other domain controllers in the network. To accomplish an Authoritative Restore, a non-authoritative restore is completed, but the system is not rebooted. From a command prompt, complete the restore by using the Ntdsutil.exe utility. It is in this utility that the objects that should be replicated to the other domain controllers are indicated. The items are marked by increasing the USN by 100,000 per day of the backup's age. This makes them the highest USN, which causes them to be replicated. Reasons to use the Authoritative Restore include:
• Rolling back or undoing changes to Active Directory objects
• Resetting the data stored in the Sysvol folder

Primary Restore
The Primary Restore is similar to the Normal Restore. When executing the Backup Utility to restore the backup file, select the Advanced Options and, in the Advanced Restore Options dialog box, select "When restoring replicated data sets, mark the restored data as the primary data for all replicas". This marks it as the data that is to be replicated to the other domain controllers, whether the data is older or not. It effectively marks the entire restored System State as the authoritative objects for the domain. Reasons to use the Primary Restore include:
• Restoring the only domain controller in an Active Directory environment
• Restoring the first of several domain controllers
• Restoring the first domain controller in a replica set
The Restore function must be configured on the local machine.

Note: When doing an authoritative restore, the objects that are being restored are sometimes referred to as subtrees. This would be an OU that is being restored. The LDAP path might look like: OU=Sales,DC=contoso,DC=com.
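The script below is an added example, not from the original notes, that carries out the authoritative restore sequence described above for one subtree: a nonauthoritative System State recovery with wbadmin, marking the OU with ntdsutil before any reboot, then clearing the DSRM boot flag. It assumes it runs on the domain controller while booted in DSRM; the backup version identifier, the target volume and the OU distinguished name are placeholders.

```powershell
# Added example (not from the original notes): bring back one deleted OU with a
# nonauthoritative System State restore followed by an authoritative restore of
# that subtree. Placeholders: backup version, target volume, subtree DN.

$BackupTarget = "E:"                           # placeholder: where the backup lives
$Version      = "08/19/2010-00:23"             # placeholder: from 'wbadmin get versions'
$SubtreeDN    = "OU=Sales,DC=contoso,DC=com"   # placeholder: OU to restore

# The steps below only work in Directory Services Restore Mode, because the
# directory must be offline for the database files to be replaced.
$inDsrm = (& bcdedit.exe /enum '{current}') -match '^\s*safeboot\s+DsRepair'
if (-not $inDsrm) {
    throw "Not in DSRM. Run 'bcdedit /set safeboot dsrepair', reboot, and try again."
}

# 1. Nonauthoritative (normal) restore of the whole System State. Individual
#    components cannot be selected. Do NOT reboot after this step: replication
#    from the other DCs would overwrite the restored objects.
& wbadmin.exe start systemstaterecovery -version:$Version -backupTarget:$BackupTarget -quiet
if ($LASTEXITCODE -ne 0) { throw "System State recovery failed with exit code $LASTEXITCODE" }

# 2. Mark the subtree authoritative. ntdsutil raises the version/USN of every
#    object under the subtree so that the restored copy wins replication.
& ntdsutil.exe "authoritative restore" "restore subtree $SubtreeDN" quit quit
if ($LASTEXITCODE -ne 0) { throw "ntdsutil authoritative restore failed with exit code $LASTEXITCODE" }

# 3. Clear the DSRM boot flag and restart normally. The DC then replicates the
#    marked objects out and receives everything else from its partners.
& bcdedit.exe /deletevalue safeboot
Restart-Computer -Force
```

The order is the whole point: the ntdsutil step must run between the restore and the first reboot, because once the DC replicates normally the older USNs of the restored objects lose to the deletion already present on the other domain controllers.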


AD Replication Conflicts
Replication is at attribute level: same object, different attribute, no conflict.
Types of conflicts:
• Attribute conflict: uses latest date stamp
• Objects created in OU on one DC & OU deleted on another DC: OU deleted and objects placed in Lost and Found
• Same object created on 2 DCs: both objects created; second object includes GUID

Replication for objects in Active Directory is executed at the attribute level. If changes to the same object are being made on two separate domain controllers, as long as the changes are being made to different attributes of the object, the replication will occur without any conflicts. For example, the home phone number is changed on one DC and the fax number is changed on another DC. Since these are different attributes, they will both replicate with no conflicts.

Attribute conflicts occur when the same attribute is modified on two DCs and then replicated at the same time. When this occurs, the date stamp is checked and the most recent change is replicated.

Objects created in an OU on one DC while the OU is deleted on another DC present a challenge. The OU is deleted and the objects that were created in the OU are placed in the Lost and Found container in AD Users and Computers. This maintains the SIDs of the security principals. The OU can be recreated and the security principals moved from Lost and Found to the new OU.

The same object created on 2 DCs and replicated at the same time causes both objects to be created, but one of the objects will have the GUID appended to the end of its name. It will be necessary to check the Properties of each account to determine which account should be kept.


Active Directory Garbage Collection
On Windows Server 2008, the DC from which an object is deleted informs the other DCs in the environment about the deletion by replicating what is known as a tombstone. The tombstone must stay in Active Directory until the deletion state has been replicated to all domain controllers, so that the object is flagged as a tombstone everywhere for later removal. By default the tombstone lifetime is 180 days (the value is listed as <Not Set>). Backups older than the tombstone lifetime cannot be restored. When a new object is added to Active Directory, it is replicated to all other domain controllers so that they all have the same information. A garbage collection service runs every 12 hours to:
• Delete tombstones whose lifetime has expired
• Delete unnecessary log files
• Start online defragmentation

Garbage collection attributes
• tombstoneLifetime
• garbageCollPeriod
These attributes can be changed in Active Directory by using ADSIEdit as shown in the slide. The attributes are on the object: CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=<forest root>
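As an added example (not from the original notes), the PowerShell below reads the two attributes above from the Directory Service object through ADSI, applies the notes' stated defaults when a value shows as <Not Set>, and turns the "backups older than the tombstone lifetime cannot be restored" rule into a check against a backup date. It assumes it runs on a domain-joined machine as a user who can read the Configuration partition; the backup date in the usage line is a constructed value.

```powershell
# Added example (not from the original notes): read tombstoneLifetime and
# garbageCollPeriod via ADSI and test whether a backup is still young enough
# to be restored.

function Get-AdGarbageCollectionSettings {
    # RootDSE tells us where the Configuration partition of this forest is.
    $rootDse  = [ADSI]"LDAP://RootDSE"
    $configNc = $rootDse.configurationNamingContext.Value
    $ds = [ADSI]"LDAP://CN=Directory Service,CN=Windows NT,CN=Services,$configNc"

    # An attribute ADSIEdit shows as <Not Set> comes back empty here. The notes
    # give 180 days as the effective tombstone lifetime in that case and
    # 12 hours as the garbage-collection interval.
    $tsl = $ds.tombstoneLifetime.Value
    $gcp = $ds.garbageCollPeriod.Value
    $tslDays  = 180
    if ($tsl) { $tslDays = [int]$tsl }
    $gcpHours = 12
    if ($gcp) { $gcpHours = [int]$gcp }

    New-Object PSObject -Property @{
        TombstoneLifetimeDays  = $tslDays
        TombstoneLifetimeIsSet = [bool]$tsl
        GarbageCollPeriodHours = $gcpHours
    }
}

function Test-BackupRestorable {
    # A System State backup older than the tombstone lifetime must not be
    # restored: deletions that happened since the backup have already been
    # garbage-collected elsewhere, so the restored objects would come back as
    # lingering objects that the other DCs no longer know how to delete.
    param(
        [Parameter(Mandatory = $true)][datetime]$BackupDate,
        [int]$TombstoneLifetimeDays = (Get-AdGarbageCollectionSettings).TombstoneLifetimeDays
    )
    $ageDays = ((Get-Date) - $BackupDate).TotalDays
    New-Object PSObject -Property @{
        BackupDate = $BackupDate
        AgeDays    = [math]::Round($ageDays, 1)
        LimitDays  = $TombstoneLifetimeDays
        Restorable = ($ageDays -lt $TombstoneLifetimeDays)
    }
}

# Usage: live values from the forest, then a constructed 200-day-old backup
# evaluated against the notes' default so the check can be read offline.
Get-AdGarbageCollectionSettings | Format-List
Test-BackupRestorable -BackupDate (Get-Date).AddDays(-200) -TombstoneLifetimeDays 180 | Format-List
```

Reading the value rather than assuming 180 matters because the attribute is forest-wide and may have been set explicitly; the restorability check should always use the forest's actual setting.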


Troubleshooting Active Directory
• FSMO Roles Failure Troubleshooting:
o Objects can't be created - RID Master
o Domain can't be created - Domain Naming Master
o Infrastructure Master
o Password can't be changed - PDC Emulator
• Directory Services Restore Mode password
o Change in NTDSUTIL
• Resolving issues with Active Directory
o Use NTDSUTIL to move, compact, remove objects
• Removing Active Directory
o DCPromo /Forceremoval

Directory Services Restore Mode Password
Windows Server 2008 provides a way to change the Directory Services Restore Mode password that was originally created when AD was installed. To change it, go to a command prompt, enter NTDSUTIL and then use the set dsrm password command. Make sure you are logged on to the domain controller and Active Directory is running.

Resolving issues with AD
In order to manage the AD database and log files, the domain controller must be in Directory Services Restore Mode. From the command prompt, use NTDSUTIL to move, compact and remove objects from Active Directory. The part of the utility that allows objects to be removed is called Metadata Cleanup. An example of where this is used is when a domain controller fails and cannot be removed from the domain properly. To remove any remaining references to that domain controller from Active Directory, use Metadata Cleanup.


Removing Active Directory
The command to uninstall Active Directory is the same command as for installing it. Go to the Run command and type DCPROMO. The wizard will detect that the server has AD installed and will start the wizard to remove Active Directory. There is a checkbox to indicate whether this is the last domain controller in the domain. The process of removing Active Directory will synchronize with another DC in the same domain, replicate any changes that have been made in Active Directory, transfer any FSMO roles the DC holds and replicate any information it has in any of the partitions. If this is the last DC in the domain, make sure to check the box; the wizard will then contact the forest root server to replicate any pertinent information before removing AD. Once Active Directory is removed, all data in any of the partitions will be gone. If another DC in the same domain is not available, or the time is not synchronized with the other DCs, the process will fail. In that case there are two options. The first is to run DCPROMO again with the /forceremoval switch; this forces the uninstall and does not attempt to contact another DC. The second is to take the server offline, reinstall it, and remove any remaining occurrence of it from AD through NTDSUTIL Metadata Cleanup.
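The following is an added example, not from the original notes, of the Metadata Cleanup step for a domain controller that failed before it could be demoted: it builds the server object's DN under the Sites container, runs the Windows Server 2008 form of ntdsutil that accepts the DN directly, and then verifies the object is gone. It assumes it runs on a surviving domain controller as a Domain Admin; the failed DC's name and site name are placeholders.

```powershell
# Added example (not from the original notes): remove the metadata of a failed
# domain controller on a surviving DC and verify the server object is gone.
# Placeholders: failed DC name and its site.

$FailedDc = "DC2"                      # placeholder
$SiteName = "Default-First-Site-Name"  # placeholder

$configNc = ([ADSI]"LDAP://RootDSE").configurationNamingContext.Value
$serverDn = "CN=$FailedDc,CN=Servers,CN=$SiteName,CN=Sites,$configNc"

function Test-DcServerObjectExists([string]$ServerDn) {
    # Binding with [ADSI] is lazy; touching a property forces the bind, and a
    # missing object surfaces as an exception at that point.
    try {
        $null = ([ADSI]"LDAP://$ServerDn").distinguishedName.Value
        return $true
    } catch {
        return $false
    }
}

if (-not (Test-DcServerObjectExists $serverDn)) {
    throw "No server object at $serverDn; check the DC name and site before running cleanup."
}

# Windows Server 2008 ntdsutil takes the server DN directly, so the older
# 'connections' / 'select operation target' dialogue is not needed.
& ntdsutil.exe "metadata cleanup" "remove selected server $serverDn" quit quit
if ($LASTEXITCODE -ne 0) { throw "ntdsutil metadata cleanup failed with exit code $LASTEXITCODE" }

if (Test-DcServerObjectExists $serverDn) {
    Write-Warning "Server object $serverDn still exists; review the ntdsutil output."
} else {
    Write-Output "Metadata for $FailedDc removed. Remember to delete its stale DNS records by hand."
}
```

Verifying afterwards is not optional: a leftover server object keeps the failed DC in replication topology calculations, and the surviving DCs will keep logging replication failures against a partner that no longer exists.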

ADSIEdit and LDP
ADSIEdit and LDP are two GUI utilities used to view all objects in the directory (including schema and configuration information), modify objects and set access control lists on objects. ADSIEdit can also be used to create LDAP queries. ADSI scripting combined with VBScript can be used for bulk import, export, and modification of AD objects.


Planning and Implementing User, Computer and Group Strategies


File Permissions
On a Windows computer, you can share files among both local and remote users. Local users log on to your computer directly through their own accounts or through a Guest account. Remote users connect to your computer over the network and access the files that are shared on your computer. You can access the Simple File Sharing UI (the default in some XP & Vista versions) by viewing a folder's properties. Through the Simple File Sharing UI, you can configure both share and NTFS file system permissions at the folder level. These permissions apply to the folder, all the files in that folder, subfolders, and all the files in the subfolders. Files and folders that are created in or copied to a folder inherit the permissions that are defined for their parent folder. This article describes how to configure access to your files, depending on permission levels. Some information that this article contains about these permission levels is not documented in the operating system files or in the Help file.

Turning on and turning off Simple File Sharing
Simple File Sharing is always turned on in Windows XP Home Edition-based computers. By default, the Simple File Sharing UI is turned on in Windows XP Professional-based computers that are joined to a workgroup. Windows XP Professional-based computers that are joined to a domain use only the classic file sharing and security interface. When you use the Simple File Sharing UI (located in the folder's properties), both share and file permissions are configured. You can use Simple File Sharing to configure five levels of access to shares and files:
• Level 1: My Documents (Private)
• Level 2: My Documents (Default)
• Level 3: Files in shared documents available to local users
• Level 4: Shared Files on the Network (Readable by Everyone)
• Level 5: Shared Files on the Network (Readable and Writable by Everyone)
If you turn off Simple File Sharing, you have more control over the permissions granted to individual users. However, you must have advanced knowledge of NTFS and share permissions to help keep your folders and files more secure. If you turn off Simple File Sharing, the Shared Documents feature is not turned off. To turn Simple File Sharing on or off in Windows XP Professional, follow these steps:
1. Double-click My Computer on the desktop.
2. On the Tools menu, click Folder Options.
3. Click the View tab, and then select the Use Simple File Sharing (Recommended) check box to turn on Simple File Sharing. (Clear this check box to turn off this feature.)

Enabling the Security Tab in Windows XP
Like most other useful functions, the Security tab is not easy to find in the default Windows XP user interface. To enable the tab:
• Open any Windows Explorer window.
• From the Tools menu, select Folder Options.
• Select the View tab.
• Scroll down the list of Advanced Settings and unselect the option Use simple file sharing (Recommended).

To examine the ACLs on a file (or folder), right-click on its icon and select Properties from the pop-up menu. In the Properties window, click on the Security tab to display a window similar to the one opposite. If you are using Windows XP and the Security tab is not present, check the setting described in the previous section. Alternatively, you may be looking at a file on a FAT rather than an NTFS partition. Windows does not protect files using ACLs on FAT format partitions. You can check a partition's format by examining the Properties of the disk icon.

The top pane of the window lists all of the Users (or Groups of Users) that have permissions on the file; only listed Users and Groups can access the file. When a User is selected in the top pane, their permissions are shown in the lower pane. The Allow and Deny check boxes determine the permissions granted to a user:
• If neither box is checked, the user is not allowed that right.
• If only the Allow box is checked, the user is allowed that right.
• If the Deny box is checked, the user is always denied, even when the Allow box is also checked.
In the above case, all of the Allow boxes are checked to give the Local Administrator Full Control over the file. The six main permissions are described below. They can be used in different combinations to allow various levels of access to users.

NTFS Permissions
Folder permissions include Full Control, Modify, Read & Execute, List Folder Contents, Read, and Write. Each of these permissions consists of a logical group of special permissions that are listed and defined in the following sections.

Troubleshooting
If the Security tab is not available and you cannot configure special permissions for users and groups, you may be experiencing one of the following issues:
• The file or folder where you want to apply special permissions is not on an NTFS drive. You can set permissions only on drives that are formatted to use NTFS.
• Simple file sharing is turned on. By default, simplified sharing is turned on.

IMPORTANT: Groups or users who are granted Full Control on a folder can delete any files in that folder regardless of the permissions that protect the file.

Note: Although the List Folder Contents and the Read & Execute folder permissions appear to have the same special permissions, these permissions are inherited differently. List Folder Contents is inherited by folders but not files, and it only appears when you view folder permissions. Read & Execute is inherited by both files and folders and is always present when you view file or folder permissions. In Windows XP Professional, the Everyone group does not include the Anonymous Logon group.

Traverse Folder/Execute File – For folders: The Traverse Folder permission applies only to folders. This permission allows or denies the user moving through folders to reach other files or folders, even if the user has no permissions for the traversed folders. Traverse Folder takes effect only when the group or user is not granted the Bypass Traverse Checking user right. The Bypass Traverse Checking user right is set under User Rights in the Group Policy snap-in. By default, the Everyone group is given the Bypass Traverse Checking user right. For files: The Execute File permission allows or denies running program files. If you set the Traverse Folder permission on a folder, the Execute File permission is not automatically set on all files in that folder.

List Folder/Read Data – The List Folder permission allows or denies the user viewing file names and subfolder names in the folder. The List Folder permission applies only to folders and affects only the contents of that folder. This permission is not affected by whether the folder that you are setting the permission on is itself listed in the folder list. The Read Data permission applies only to files and allows or denies the user viewing data in files.

Read Attributes – The Read Attributes permission allows or denies the user viewing the attributes of a file or folder, such as the read-only and hidden attributes. Attributes are defined by NTFS.

Read Extended Attributes – The Read Extended Attributes permission allows or denies the user viewing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program.

Create Files/Write Data – The Create Files permission applies only to folders and allows or denies the user creating files in the folder. The Write Data permission applies only to files and allows or denies the user making changes to the file and overwriting existing content.

Create Folders/Append Data – The Create Folders permission applies only to folders and allows or denies the user creating folders in the folder. The Append Data permission applies only to files and allows or denies the user making changes to the end of the file, but not changing, deleting, or overwriting existing data.

Write Attributes – The Write Attributes permission allows or denies the user changing the attributes of a file or folder, such as read-only or hidden. Attributes are defined by NTFS. The Write Attributes permission does not imply that you can create or delete files or folders; it includes only the permission to make changes to the attributes of a file or folder. To allow or to deny create or delete operations, see Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete.

Write Extended Attributes – The Write Extended Attributes permission allows or denies the user changing the extended attributes of a file or folder. Extended attributes are defined by programs and may vary by program. The Write Extended Attributes permission does not imply that the user can create or delete files or folders; it includes only the permission to make changes to the extended attributes of a file or folder. To allow or to deny create or delete operations, see the Create Files/Write Data, Create Folders/Append Data, Delete Subfolders and Files, and Delete sections in this article.

Delete Subfolders and Files – The Delete Subfolders and Files permission applies only to folders and allows or denies the user deleting subfolders and files, even if the Delete permission is not granted on the subfolder or file.

Delete – The Delete permission allows or denies the user deleting the file or folder. If you do not have the Delete permission on a file or folder, you can still delete it if you are granted the Delete Subfolders and Files permission on the parent folder.

Read Permissions – The Read Permissions permission allows or denies the user reading the permissions on the file or folder, such as Full Control, Read, and Write.

Change Permissions – The Change Permissions permission allows or denies the user changing the permissions on the file or folder, such as Full Control, Read, and Write.

Take Ownership – The Take Ownership permission allows or denies the user taking ownership of the file or folder. The owner of a file or folder can change permissions on it, regardless of any existing permissions that protect the file or folder.

Synchronize – The Synchronize permission allows or denies different threads waiting on the handle for the file or folder and synchronizing with another thread that may signal it. This permission applies only to multi-threaded, multi-process programs.

Set, view, change, or remove special permissions for files and folders

1. Click Start, click My Computer, and then locate the file or folder where you want to set special permissions.
2. Right-click the file or folder, click Properties, and then click the Security tab.
3. Click Advanced, and then use one of the following steps:
• To set special permissions for an additional group or user, click Add, then in the Name box type the name of the user or group, and then click OK.
• To view or change special permissions for an existing group or user, click the name of the group or user, and then click Edit.
• To remove an existing group or user and its special permissions, click the name of the group or user, and then click Remove. If the Remove button is unavailable, click to clear the "Inherit from parent the permission entries that apply to child objects. Include these with entries explicitly defined here" check box, click Remove, and then skip steps 4 and 5.
4. In the Permissions box, click to select or click to clear the appropriate Allow or Deny check box.
5. In the Apply onto box, click the folders or subfolders where you want these permissions applied.
6. To configure security so that the subfolders and files do not inherit these permissions, click to clear the "Apply these permissions to objects and/or containers within this container only" check box.
7. Click OK two times, and then click OK in the Advanced Security Settings for FolderName box, where FolderName is the folder name.

CAUTION: You can click to select the "Replace permission entries on all child objects with entries shown here that apply to child objects. Include these with entries explicitly defined here" check box. If you do, all subfolders and files have all their permission entries reset to the same permissions as the parent object. After you click Apply or OK, you cannot undo this operation by clearing the check box.
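The PowerShell below is an added example, not part of the original notes, that does in script what the dialog steps above do by hand: it blocks inheritance from the parent while keeping a copy of the inherited entries, adds an Allow and a Deny entry with inheritance to subfolders and files, and reads the resulting entries back so the Deny-beats-Allow rule and inherited-versus-explicit distinction are visible. It uses a temporary folder and the built-in Users group so it runs on any NTFS volume; a real share would use a domain group instead.

```powershell
# Added example (not from the original notes): build and inspect a folder ACL
# with Get-Acl / Set-Acl. Uses $env:TEMP\acl-demo and BUILTIN\Users so it runs
# anywhere; replace with the real folder and domain group in practice.

$Root = Join-Path $env:TEMP "acl-demo"
New-Item -ItemType Directory -Path $Root -Force | Out-Null
New-Item -ItemType Directory -Path (Join-Path $Root "Reports") -Force | Out-Null

function Set-DemoAcl([string]$Path) {
    $acl = Get-Acl -Path $Path

    # Step 6 of the procedure: stop inheriting from the parent. The second
    # argument keeps copies of the inherited entries so nothing is silently lost.
    $acl.SetAccessRuleProtection($true, $true)

    $inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
    $none    = [System.Security.AccessControl.PropagationFlags]::None

    # Allow Modify rather than Full Control. Full Control carries "Delete
    # Subfolders and Files", which lets the holder delete any file in the
    # folder regardless of that file's own permissions; Modify does not.
    $allow = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList "BUILTIN\Users", "Modify", $inherit, $none, "Allow"
    $acl.AddAccessRule($allow)

    # Deny Delete on the folder and everything beneath it. Deny entries are
    # evaluated first, so this wins even though Modify's Allow includes Delete.
    $deny = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList "BUILTIN\Users", "Delete", $inherit, $none, "Deny"
    $acl.AddAccessRule($deny)

    Set-Acl -Path $Path -AclObject $acl
}

function Get-AclEntries([string]$Path) {
    # One row per ACE: who, Allow/Deny, the rights, and whether the entry was
    # inherited from the parent or defined explicitly on this object.
    (Get-Acl -Path $Path).Access |
        Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited, InheritanceFlags
}

Set-DemoAcl -Path $Root
"ACL on $Root (explicit entries):"
Get-AclEntries -Path $Root | Format-Table -AutoSize
"ACL on $Root\Reports (same entries, now inherited):"
Get-AclEntries -Path (Join-Path $Root "Reports") | Format-Table -AutoSize
```

When reviewing an ACL for least privilege, the two columns to look at first are AccessControlType (any Deny that contradicts an Allow) and IsInherited (an explicit entry on a deep subfolder is the usual place where a permission drifts from what the parent intends).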


Security Group Strategy
• Use Built-in Groups when possible
• Group scopes
o Domain local: assign permissions
o Global: organize users
o Universal: ease permissions management in multi-domain forests
• Accounts > Global > (Universal) > Domain local > Permissions: AG(U)DLP
• Changing Group Scope
• Changing Group Type
o Security: used for purposes of permission for resources.
o Distribution: used for e-mail only.
• Remove groups no longer being used -- does not impact user account

When deciding what security groups need to be used and created in the Windows Server 2008 network, keep in mind to create groups and add users based on common access and tasks. There are built-in groups that can be used to assign rights and permissions to users to perform certain tasks in the network. An example would be the Backup Operators group. Instead of creating a group for the users who will be performing the backup task, just place them in the built-in group. The concept of creating groups to minimize administration tasks should be kept in mind when adding users to groups. Since users can belong to more than one group, it is easy for them to become members of a lot of groups. This becomes an administrative burden when access to a resource is not what is expected and the user's group memberships must be tracked down to determine which group is not allowing the required access. Keep group membership to a minimum to make tracking permissions easier.

Group Scopes
Global
There are three different group scopes. The Global group is created in the domain where the users are located. The user accounts are placed in the Global groups. It is stored in the local domain but is referenced in the Global Catalog by its name with the domain where it is located. Only the name is recorded, not the group membership. Since it is in the Global Catalog, it can be viewed in other domains. It can 'travel' across the trusts to other domains.


Domain Local
The Domain Local groups are created in the domain where the resource is located and are used to assign permissions. Global groups should be added to the Domain Local groups. They are stored in the local domain only and cannot be viewed from any other domain.

Universal
When in Domain Functional Level Windows 2000 Native or higher, Universal groups are available. The Universal groups are stored in the Global Catalog and can have membership from any domain in the forest. Since it is stored in the GC, the membership should be fairly static so there are not many changes to the Global Catalog. By placing Global groups into Universal groups they are able to remain static, since it only has the Global group name, not the actual membership. When the Global group membership changes, it will not impact the Universal group.

Group Nesting
With Domain Functional Level Windows 2000 Native and higher, Group Nesting is available. This allows a Global group to be a member of another Global group in the same domain, or a Domain Local group to be a member of another Domain Local group in the same domain. Nesting should be limited to 2 levels to minimize the impact of combined permissions.

Changing Group Scope
When the domain is in Domain Functional Level Windows 2000 Native or higher, it is possible to change the scope of the group. The Global group goes to Universal, Universal to Domain Local, Domain Local to Universal, and Universal to Global group. The Global group cannot be changed to Domain Local group directly or vice versa.

Removing Groups
Remove groups when they are no longer needed. Whenever a group is deleted, the users that belong to that group are not impacted because they are only associated with the group. The user account is maintained separately from the groups.

Command line account management
You can also use the command-line tools Dsadd, Dsmod, and Dsrm to manage user, computer, and group accounts in Active Directory. You must specify the type of object that you want to create, modify, or delete. For example, use the dsadd user command to create a user account. Use the dsrm group command to delete a group account. Although you can use the Directory Service tools to create only one Active Directory object at a time, you can use the tools in batch files and scripts.
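The script below is an added example, not from the original notes, that walks the AG(U)DLP pattern from the group sections above with the Dsadd/Dsmod/Dsget/Dsrm tools just mentioned: a global security group holds the accounts, a domain local security group holds the global group and carries the NTFS permission, and the expanded membership is read back. The domain DN, OU, user DN, NetBIOS domain name and share path are placeholders; it assumes the caller may create groups in that OU and change the folder's ACL.

```powershell
# Added example (not from the original notes): AG(U)DLP with the ds* tools.
# Placeholders: DNs, NetBIOS domain name and share path.

$DomainDn      = "DC=contoso,DC=com"                            # placeholder
$NetbiosDomain = "CONTOSO"                                      # placeholder
$GroupsOu      = "OU=Groups,$DomainDn"                          # placeholder OU
$UserDn        = "CN=Suzan Fine,OU=HumanResources,$DomainDn"    # placeholder account
$SharePath     = "D:\Shares\Sales"                              # placeholder folder

$GlobalName = "Sales-Users-GG"          # A -> G : organises accounts
$LocalName  = "Sales-Share-Modify-DL"   # DL     : carries the permission
$GlobalDn   = "CN=$GlobalName,$GroupsOu"
$LocalDn    = "CN=$LocalName,$GroupsOu"

function Invoke-Ds([string]$Tool, [string[]]$ToolArgs) {
    # Run one of the directory service tools and stop on the first failure.
    & "$Tool.exe" @ToolArgs
    if ($LASTEXITCODE -ne 0) { throw "$Tool failed with exit code $LASTEXITCODE" }
}

# 1. Global security group in the users' domain; put the account in it.
Invoke-Ds dsadd @("group", $GlobalDn, "-secgrp", "yes", "-scope", "g", "-desc", "Sales staff")
Invoke-Ds dsmod @("group", $GlobalDn, "-addmbr", $UserDn)

# 2. Domain local security group in the resource's domain, with the global
#    group nested inside it (a single nesting level).
Invoke-Ds dsadd @("group", $LocalDn, "-secgrp", "yes", "-scope", "l",
                  "-members", $GlobalDn, "-desc", "Modify on $SharePath")

# 3. The permission is granted to the domain local group only, never to users.
#    (OI)(CI) inherits to files and subfolders; M is Modify.
& icacls.exe $SharePath /grant "${NetbiosDomain}\${LocalName}:(OI)(CI)M"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# 4. Show the expanded membership: the user appears through the nested group.
Invoke-Ds dsget @("group", $LocalDn, "-members", "-expand")

# Scope change: global -> universal is allowed directly; global <-> domain
# local is not, so that change needs the intermediate universal step.
# Invoke-Ds dsmod @("group", $GlobalDn, "-scope", "u")

# Removal when no longer needed; the user account itself is unaffected.
# Invoke-Ds dsrm @($LocalDn, "-noprompt")
# Invoke-Ds dsrm @($GlobalDn, "-noprompt")
```

Granting the NTFS entry to the domain local group rather than to the global group is what keeps the resource side stable: the global group's membership can change daily without any ACL on the file server being touched.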

The Csvde command-line tool uses a comma-delimited text file, also known as comma-separated value format (Csvde format), as input to create multiple accounts in Active Directory. You use the Csvde format to add user objects and other types of objects to Active Directory. You cannot use the Csvde format to delete or modify objects in Active Directory. Before importing a Csvde file, ensure that the file is properly formatted. The input file:
• Must include the path to the user account in Active Directory, the object type (which is the user account), and the user logon name (for Microsoft Windows NT® 4.0 and earlier).
• Should include the user principal name (UPN) and whether the user account is disabled or enabled. If you do not specify a value, the account is disabled.
• Can include personal information, for example telephone numbers or home addresses. Include as much user account information as possible so that users can search in Active Directory successfully.
• Cannot include passwords. Bulk import leaves the password blank for user accounts. Because a blank password allows an unauthorized person to access the network by knowing only the user logon name, disable the user accounts until users start logging on.

To edit and format the input text file, use an application that has good editing capabilities, such as Microsoft Excel or Microsoft Word. Next, save the file as a comma-delimited text file. You can export data from Active Directory to an Excel spreadsheet or import data from a spreadsheet into Active Directory.

The Ldifde command-line tool uses a line-separated value format to create, modify, and delete objects in Active Directory. An Ldifde input file consists of a series of records that are separated by a blank line. A record describes a single directory object or a set of modifications to the attributes of an existing object and consists of one or more lines in the file. Most database applications can create text files that you can import in one of these formats. The requirements for the input file are similar to those of the Csvde command-line tool.

How to Create Accounts Using the Csvde Tool
You can use the Csvde command-line tool to create multiple accounts in Active Directory. You can only use the Csvde tool to create accounts, not to change them. To create accounts by using the Csvde command-line tool, perform the following steps:
• Create the Csvde file for importing. Format the file so that it contains the following information:
• The attribute line. This is the first line of the file. It specifies the name of each attribute that you want to define for the new user accounts. You can put the attributes in any order, but you must separate the attributes with commas. The following sample code is an example of an attribute line:
DN,objectClass,sAMAccountName,userPrincipalName,displayName,userAccountControl
• The user account line. For each user account that you create, the import file contains a line that specifies the value for each attribute in the attribute line. The following rules apply to the values in a user account line:
• The attribute values must follow the sequence of the attribute line.
• If a value is missing for an attribute, leave it blank, but include all of the commas.
• If a value contains commas, include the value in quotation marks.
The following sample code is an example of a user account line:
"cn=Suzan Fine,ou=HumanResources,dc=asia,dc=contoso,dc=msft",user,suzanf,suzanf@contoso.msft,Suzan Fine,514
You cannot use Csvde to create enabled user accounts if the domain password policy requires a minimum password length or requires complex passwords. In this case, use a userAccountControl value of 514, which disables the user account, and then enable the account using Windows Script Host or Active Directory Users and Computers.
Run the csvde command by typing the following command at the command prompt:
csvde -i -f filename -b UserName Domain Password
Where:
• -i indicates that you are importing a file into Active Directory
• -f indicates that the next parameter is the name of the file that you are importing
• -b sets the command to run as username, domain, and password.
The csvde command provides status information about the success or the failure of the process. It also lists the name of the file to view for detailed error information. Even if the status information indicates that the process was successful, use Active Directory Users and Computers to verify some of the user accounts that you created to ensure that they contain all of the information that you provided.
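To make the file-format rules above concrete, here is an added Python example (written for these notes; it is not part of the course material and not a Microsoft tool). It writes a Csvde import file from a list of constructed user records, quoting the DN because it contains commas, and then checks the file against the rules listed above: consistent column count, the required attributes, no password column, and no account that would be created enabled with a blank password. The OU path, user names and the check_csvde_file helper are constructed for the example.

```python
import csv
import io

# Attribute line in the same order as the sample above; the order is arbitrary
# but every user account line must follow it.
ATTRIBUTES = ["DN", "objectClass", "sAMAccountName", "userPrincipalName",
              "displayName", "userAccountControl"]

UAC_NORMAL_ACCOUNT = 512
UAC_ACCOUNTDISABLE = 2
UAC_DISABLED_USER = UAC_NORMAL_ACCOUNT | UAC_ACCOUNTDISABLE   # 514, as in the sample line

# Constructed sample records (not real accounts). The second one has a comma in
# its common name and no optional values, so its fields stay blank but keep the commas.
SAMPLE_USERS = [
    {"cn": "Suzan Fine", "sam": "suzanf", "upn": "suzanf@contoso.msft", "display": "Suzan Fine"},
    {"cn": "Fine, Jay", "sam": "jayf"},
]


def build_csvde_file(users, base_ou):
    """Return the text of a Csvde import file for `users` placed under `base_ou`.

    Every account is written with userAccountControl 514 (disabled): a bulk import
    leaves the password blank, and an enabled account with a blank password could be
    used by anyone who knows the logon name.
    """
    buf = io.StringIO()
    # QUOTE_MINIMAL quotes any value that contains a comma, which every DN does.
    writer = csv.writer(buf, quoting=csv.QUOTE_MINIMAL, lineterminator="\n")
    writer.writerow(ATTRIBUTES)
    for u in users:
        dn = f"cn={u['cn']},{base_ou}"
        writer.writerow([dn, "user", u["sam"], u.get("upn", ""),
                         u.get("display", ""), UAC_DISABLED_USER])
    return buf.getvalue()


def check_csvde_file(text):
    """Return a list of problems found in a Csvde import file, or [] if it is clean."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return ["file is empty"]
    header = [h.strip().lower() for h in rows[0]]
    problems = []
    for required in ("dn", "objectclass", "samaccountname"):
        if required not in header:
            problems.append(f"attribute line lacks {required}")
    if "unicodepwd" in header or "userpassword" in header:
        problems.append("passwords cannot be imported with csvde; remove the column")
    uac = header.index("useraccountcontrol") if "useraccountcontrol" in header else None
    sam = header.index("samaccountname") if "samaccountname" in header else None
    for n, row in enumerate(rows[1:], start=2):
        if len(row) != len(header):
            problems.append(f"line {n}: {len(row)} values for {len(header)} attributes "
                            "(leave missing values blank but keep every comma)")
            continue
        # A blank userAccountControl is fine: csvde then creates the account disabled.
        if uac is not None and row[uac].strip():
            try:
                flags = int(row[uac])
            except ValueError:
                problems.append(f"line {n}: userAccountControl {row[uac]!r} is not a number")
                continue
            if not flags & UAC_ACCOUNTDISABLE:
                who = row[sam] if sam is not None else f"line {n}"
                problems.append(f"line {n}: {who} would be created enabled with a blank password")
    return problems


if __name__ == "__main__":
    text = build_csvde_file(SAMPLE_USERS, "ou=HumanResources,dc=contoso,dc=msft")
    print(text)
    print("problems:", check_csvde_file(text))
```

The generated file is then imported with csvde -i -f filename, as in the command above. The checker is a pre-import sanity check only; it does not replace verifying the created accounts in Active Directory Users and Computers afterwards.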

How to Create and Manage Accounts Using the Ldifde Tool
You can use the Ldifde command-line tool to create and make changes to multiple accounts. To create accounts by using the Ldifde command-line tool, perform the following steps:
• Prepare the Ldifde file for importing.
• Format the Ldifde file so that it contains a record that consists of a sequence of lines that describe either an entry for a user account or a set of changes to a user account in Active Directory. The user account entry specifies the name of each attribute that you want to define for the new user account. The Active Directory schema defines the attribute names. For each user account that you create, the file contains a line that specifies the value for each attribute in the attribute line. The following rules apply to the values for each attribute:
• Any line that begins with a pound sign (#) is a comment line and is ignored when you run the Ldifde file.
• If a value is missing for an attribute, it must be represented as AttributeDescription ":" FILL SEP.
• The following sample code is an example of an entry in an Ldifde import file:
# Create Suzan Fine
dn: cn=Suzan Fine,ou=Human Resources,dc=NG,dc=DS,dc=ARMY,dc=MIL
Changetype: Add
objectClass: user
sAMAccountName: suzanf
userPrincipalName: suzanf@NG.DS.ARMY.MIL
displayName: Suzan Fine
userAccountControl: 514
• Run the ldifde command to import the file and create multiple user accounts in Active Directory. Type the following command at the command prompt:
ldifde -i -k -f filename -b UserName Domain Password
Where:
• -i specifies the import mode. If not specified, the default mode is export.
• -k ignores errors during an import operation and continues processing.
• -f specifies the import or export filename.
• -b specifies the user name, the domain name, and the password for the user account that will be used to perform the import or export operation.
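As an added illustration of the record format (example code written for these notes, not from the course or from Microsoft), the following Python builds ldifde-style add and modify records and parses a file back into records, applying the rules above: records are separated by a blank line, # comment lines are ignored, an empty value is written as the attribute name followed only by the colon (AttributeDescription ":" FILL SEP), and a value that RFC 2849 does not allow as plain text (leading space, colon or <, trailing space, non-ASCII) is carried as base64 after a double colon. The domain, user values and the modify record that enables the account are constructed.

```python
import base64

# Constructed sample file (not a real directory). The second record is a modify
# record that enables the account once the user has a password; its dn is folded
# onto two lines, which LDIF allows by starting the continuation with one space.
SAMPLE_LDIF = """\
# Create Suzan Fine
dn: cn=Suzan Fine,ou=Human Resources,dc=contoso,dc=msft
changetype: add
objectClass: user
sAMAccountName: suzanf
userPrincipalName: suzanf@contoso.msft
displayName: Suzan Fine
description:
userAccountControl: 514

# Enable the account after the user has set a password
dn: cn=Suzan Fine,ou=Human Resources,
 dc=contoso,dc=msft
changetype: modify
replace: userAccountControl
userAccountControl: 512
-
"""


def needs_base64(value):
    """True when RFC 2849 does not allow the value as plain text after 'attr: '."""
    if value == "":
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(ch) > 127 or ch in "\r\n\0" for ch in value)


def ldif_attr(name, value):
    """One attribute line, base64-encoded with '::' when the value is not safe."""
    if needs_base64(value):
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"          # an empty value gives 'name: ' (FILL SEP)


def add_record(dn, attrs):
    """Record that creates one object; `attrs` maps attribute name to value."""
    lines = [ldif_attr("dn", dn), "changetype: add"]
    lines += [ldif_attr(n, v) for n, v in attrs.items()]
    return "\n".join(lines) + "\n"


def modify_record(dn, changes):
    """Record that changes an existing object; `changes` is a list of
    (operation, attribute, value) with operation add, replace or delete."""
    lines = [ldif_attr("dn", dn), "changetype: modify"]
    for op, attr, value in changes:
        lines.append(f"{op}: {attr}")
        if value is not None:
            lines.append(ldif_attr(attr, value))
        lines.append("-")
    return "\n".join(lines) + "\n"


def _unfold(text):
    """Join continuation lines (leading single space) onto the line before them."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def parse_ldif(text):
    """Parse LDIF text into a list of records; each record is a list of
    (attribute, value) pairs in file order, with a '-' separator kept as ('-', '')."""
    records, current = [], []
    for line in _unfold(text) + [""]:
        if line == "":                      # blank line ends a record
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):            # comment line, ignored
            continue
        if line == "-":                     # separates changes in a modify record
            current.append(("-", ""))
            continue
        name, sep, rest = line.partition(":")
        if not sep:
            raise ValueError(f"not an LDIF attribute line: {line!r}")
        if rest.startswith(":"):            # 'attr:: base64'
            value = base64.b64decode(rest[1:].strip()).decode("utf-8")
        elif rest.startswith("<"):          # 'attr:< file:///...' not handled here
            raise ValueError("URL-referenced values are not supported here")
        else:
            value = rest.lstrip(" ")        # FILL is zero or more spaces
        current.append((name, value))
    return records
```

Attribute names are kept as written, which matches ldifde's case-insensitive handling of lines such as Changetype: Add in the sample above. A parsed record can be inspected before the import (for example to confirm every add record carries userAccountControl: 514), which is the same disabled-until-password check that applies to Csvde imports.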


Domain User Account Policy
• Domain user account policy is configurable only at the domain object level up to 2003 Forest level & 2008 Domain level
• Account Password Policy includes:
• Enforce password history - how many passwords to remember.
• Maximum password age - how long before change is required.
• Minimum password age - how long before change is allowed.
• Minimum password length - how many characters are required.
• Password must meet complexity - upper case, lower case, alpha-numeric. Enabled by default.
• Store passwords using reversible encryption - not a good option to enable.
• Account Lockout Policy includes:
• Account lockout duration - how long you are locked out after invalid attempts. A value of 0 signifies indefinite lockout; an administrator must reset the account.
• Account lockout threshold - how many invalid attempts are allowed before lockout.
• Reset account lockout counter after - when the threshold count returns to 0.
• These are the domain-level settings. Fine-grained password policies will be covered later.
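The way the three lockout settings interact is easier to see in code. The following Python is an added example written for these notes (not a Microsoft implementation; the real logic runs on the domain controllers): it models a badPwdCount-style counter with the threshold, the reset window and the duration, including the case where a duration of 0 means the account stays locked until an administrator unlocks it and the case where a threshold of 0 means accounts never lock. Times are plain seconds and the user names are constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class AccountLockoutPolicy:
    threshold: int      # Account lockout threshold: bad attempts allowed; 0 = never lock out
    reset_after_s: int  # Reset account lockout counter after, in seconds
    duration_s: int     # Account lockout duration in seconds; 0 = until an administrator unlocks

    def __post_init__(self):
        # The policy editor only accepts a reset window no longer than the duration;
        # otherwise a counter could outlive the lockout it triggered.
        if self.duration_s and self.reset_after_s > self.duration_s:
            raise ValueError("reset window must not exceed the lockout duration")


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_at: Optional[float] = None
    locked_at: Optional[float] = None


class LockoutTracker:
    """Tracks invalid logon attempts per account under one lockout policy."""

    def __init__(self, policy: AccountLockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _expire(self, st: AccountState, now: float) -> None:
        p = self.policy
        # A timed lockout ends on its own; an indefinite one (duration 0) does not.
        if st.locked_at is not None and p.duration_s and now - st.locked_at >= p.duration_s:
            st.locked_at = None
            st.bad_count = 0
        # The bad-attempt counter returns to 0 once the reset window has passed.
        if (st.locked_at is None and st.last_bad_at is not None
                and now - st.last_bad_at >= p.reset_after_s):
            st.bad_count = 0

    def attempt_login(self, user: str, password_ok: bool, now: float) -> str:
        """Return 'ok', 'bad_password' or 'locked' for one logon attempt at time `now`."""
        st = self.accounts.setdefault(user, AccountState())
        self._expire(st, now)
        if st.locked_at is not None:
            return "locked"            # even a correct password is refused while locked
        if password_ok:
            st.bad_count = 0           # a successful logon clears the counter
            return "ok"
        st.bad_count += 1
        st.last_bad_at = now
        if self.policy.threshold and st.bad_count >= self.policy.threshold:
            st.locked_at = now
            return "locked"
        return "bad_password"

    def admin_unlock(self, user: str) -> None:
        """What 'Unlock account' in Active Directory Users and Computers does."""
        self.accounts[user] = AccountState()


def demo_timeline():
    """Constructed timeline: threshold 3, reset after 10 min, lockout for 15 min."""
    tracker = LockoutTracker(AccountLockoutPolicy(threshold=3, reset_after_s=600, duration_s=900))
    attempts = [(0, False), (10, False), (700, False), (710, False),
                (720, False), (800, True), (1620, True)]
    return [tracker.attempt_login("suzanf", ok, t) for t, ok in attempts]


if __name__ == "__main__":
    print(demo_timeline())
```

In the demo timeline the third bad attempt arrives 690 seconds after the second, so the counter has already been reset and the account is not locked until the fifth attempt; the correct password at 800 seconds is still refused, and the logon at 1620 seconds succeeds because the 900-second duration has elapsed.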

Password Challenges
When resetting user passwords the following information is no longer accessible:
• Files that the user encrypted
• E-mail that is encrypted with the user's public key
• Internet passwords that are saved on the computer

Domain Accounts
• Recover by archiving the Certificate private key of the users
• Recovery Key Agent can then add the certificate key
Local user accounts
• Use a Password Reset Disk to prevent losing access
• Allows user to connect and change password instead of resetting
Local users can create a Password Reset Disk ahead of time to avoid losing access to the information listed above. It allows the user to log on to the computer and then change the password, rather than reset it.
Creating a Password Reset Disk:
• Put a blank disk into the floppy drive.
• Press CTRL+ALT+DEL, and click Change Password. Enter the username for which you are creating the Reset Disk. In Log On To, select the local computer.
• Don't change the password.
• Click Backup to launch the Forgotten Password Wizard. Enter the current password for this user.
• When the Reset Disk is complete, click Next, then click Finish. Label the disk and store it in a secure place.
Forgotten Password Wizard: This wizard creates a security key pair; a private key is written to the password reset disk and a public key encrypts the local user's password on the computer. The private key on the disk is used to decrypt the password that the public key encrypted. The user will be prompted to create a new password. Since the user is only changing the password, no user access to data is lost.
Resetting a Password with the Reset Disk:
• Open the Log On to Windows dialog box.
• Enter the username and select the local computer.
• Click OK without entering a password (or enter a bad password).
• The Logon Failed dialog box appears, which includes an invitation to use a password reset disk, if one exists.
• Click Reset and insert your Password Reset Disk into the floppy drive.
• Follow the prompts in the Password Reset Wizard to create a new password. (An option to create a hint to remember the password is provided.)
• Log on to the computer with the new password.


Planning Organization Units (OUs)
• OU as a management tool
• Delegation
• Group Policies
• Organize objects
• OU as an organizational tool
• Location
• Department
• Project
• Command Structure
• Create in ADUC
• Can have parent/child relationships (nesting)
• Do not nest more than 3 deep

The Organizational Unit (OU) is a management tool that should be thought out carefully. It can play a major role in network administration since it can be used to delegate authority and apply group policies. There is only one OU created by default, which is the Domain Controllers OU. All others are containers. Along with delegation and group policies, it can be used to manage the AD objects.

When deciding how to build the OU structure, an analysis of the current and future network should be conducted. The OU structure should be designed for IT administration, not to follow the organizational chart of the company. Determine the current and potential needs for either delegation or group policies. Use the inheritance factor to your benefit by creating the OU structure to allow a higher level OU to apply the majority of the policies and then child OUs for specific role-based needs.

There are a lot of different designs that can be used when creating the OU structure. For a smaller network, creating OUs for the different departments might be the best plan. If designing for a larger company with several divisions, create a parent OU for each division and then child OUs for the different departments. Department OUs with Project child OUs is another option. It is up to the administrator to create a complete picture of what the network requires and then structure the OUs accordingly.

The OUs are created in Active Directory Users and Computers. An OU can be created from the shortcut menu of the domain, then New > Organizational Unit, or there is an icon on the toolbar to create an OU. To create a child OU, select the parent and then create the child OU.

Objects can be moved to the new OUs by right-clicking the object and selecting Move. A display of the Active Directory structure appears; select the OU to which the object is to be moved. Another new option with Windows Server 2008 is to use drag and drop. Care must be taken when using this method because it is easy to "drop" the object in a location that is not desired.

Planning and Implementing Group Policy
Group Policies
• Apply to Users and Computers - NOT GROUPS
• It is a group or collection of policy elements
• Default Policies
• Local Security Policy
• Default Domain Policy
• Default Domain Controller Policy

• Creating GPOs requires membership in Domain Admins or Group Policy Creator/Owner group.
• Applied only to Windows 2000 systems and up
• All pre-Windows 2000 systems use system policies
• L-S-D-OU
• Linking policies requires delegation of Manage GP Links
• Multiples linked to same site, domain or OU
• Bottom to the top (top being applied last)
• Last has the highest priority

Group Policy Processing
• Policies are cumulative, last one applied wins
• Policies inherit down to child objects in the domain
• Use No Override (Enforce) and Block Policy Inheritance sparingly

By default, Group Policy is inherited and cumulative. GPOs are processed according to the following order:
• Local GPO. Each computer has exactly one GPO that is stored locally, shared by all users of that computer.
• Site. Any GPOs that have been linked to the site that the computer belongs to are processed next. Processing is in the order that is specified by the administrator, on the Linked Group Policy Objects tab for the site in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
• Domain. Processing of multiple domain-linked GPOs is in the order specified by the administrator, on the Linked Group Policy Objects tab for the domain in GPMC. The GPO with the lowest link order is processed last, and therefore has the highest precedence.
• Organizational units. GPOs that are linked to the organizational unit that is highest in the Active Directory hierarchy are processed first, then GPOs that are linked to its child organizational unit, and so on. Finally, the GPOs that are linked to the organizational unit that contains the user or computer are processed. At the level of each organizational unit in the Active Directory hierarchy, one, many, or no GPOs can be linked. If several GPOs are linked to an organizational unit, their processing is in the order in which GPOs are linked to the organizational unit. Alternatively, you can specify the order on the Linked Group Policy Objects tab for the organizational unit in GPMC.

Plan Policy Application Sequence
Linking and Options
There are several Group Policy options that can alter this default inheritance behavior. These options include:
• Changing the link order. Within each domain, site, and organizational unit, the link order controls when links are applied. To change the precedence of a link, you can change the link order, moving each link up or down in the list to the appropriate location. The link with the higher order (with 1 being the highest order) has the higher precedence for a given site, domain, or organizational unit. For example, if you add six GPO links and later decide that you want the last one that you added to have highest precedence, you can move the GPO link to the top of the list. However, the link order of an inherited GPO cannot be altered.
• Blocking Group Policy inheritance. You can block policy inheritance for a domain or organizational unit. Using block inheritance prevents GPOs linked to higher sites, domains, or organizational units from being automatically inherited by the child level. By default, children inherit all GPOs from the parent, but it is sometimes useful to block inheritance. For example, if you want to apply a single set of policies to an entire domain except for one organizational unit, you can link the required GPOs at the domain level (from which all organizational units inherit policies by default), and then block inheritance only on the organizational unit to which the policies should not be applied. Blocking does not affect Local GPOs.
• Enforcing a GPO link. You can specify that the settings in a GPO link should take precedence over the settings of any child object by setting that link to Enforced (formerly known as “no override”). GPO links that are enforced cannot be blocked from the parent container. Without enforcement from above, the settings of the GPO links at the higher level (parent) are overwritten by settings in GPOs linked to child organizational units, if the GPOs contain conflicting settings. With enforcement, the parent GPO link always has precedence. Note that Enforce policy options always take precedence over Block Inheritance.
• Disabling a GPO link. By default, processing is enabled for all GPO links. You can completely block the application of a GPO for a given site, domain, or organizational unit by disabling the GPO link for that domain, site, or organizational unit. Note that this does not disable the GPO itself, and if the GPO is linked to other sites, domains or organizational units, they will continue to process the GPO, if their links are enabled.
• Disabling user and/or computer settings. A GPO may have its user settings disabled, its computer settings disabled, or all settings disabled. By default, neither user settings nor computer settings are disabled on a GPO.

Notes: Every computer has a single local GPO that is always processed regardless of whether the computer is part of a domain or is a stand-alone computer. The Local GPO can’t be blocked by domain-based GPOs. However, settings in domain GPOs always take precedence since they are processed after the Local GPO. A GPO link may be enforced, or disabled, or both. By default, a GPO link is neither enforced nor disabled. If the link is enforced and disabled, the disabled link has precedence.

Group Policy Filtering
Group Policy filtering can be configured to allow or deny a policy from applying to a specific group, user, or computer. There are 2 ways to configure a GPO filter.
• Leave the default permissions and set Deny-Read and Deny-Apply Group Policy permission to the group that should not get the policy.
• Remove the Authenticated Users from the DACL of the policy. Add the group that should be affected by the policy and configure the Allow-Read and Apply-Group Policy permission.
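To check one's understanding of the processing order (Local, Site, Domain, OU), the link options described above (link order, Block Inheritance, Enforced, disabled links) and security filtering, here is an added Python model written for these notes; it is example code, not Microsoft's Group Policy engine, which does far more (WMI filters, loopback, slow-link detection are all left out). It applies a constructed set of GPO links to a user and reports the effective settings together with the winning GPO for each setting. Container, GPO, setting and group names are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List

AUTHENTICATED_USERS = "Authenticated Users"


@dataclass
class GPO:
    name: str
    settings: Dict[str, object]
    # Security filtering: groups holding Allow Read + Apply Group Policy (the default
    # DACL grants this to Authenticated Users) and groups with Deny Apply Group Policy.
    allow: FrozenSet[str] = frozenset({AUTHENTICATED_USERS})
    deny: FrozenSet[str] = frozenset()

    def applies_to(self, groups) -> bool:
        # Every domain user is an authenticated user; a Deny beats any Allow.
        groups = set(groups) | {AUTHENTICATED_USERS}
        return bool(groups & self.allow) and not (groups & self.deny)


@dataclass
class Link:
    gpo: GPO
    enforced: bool = False
    disabled: bool = False


@dataclass
class Container:
    """A site, domain or OU; `links` is in link order (index 0 = link order 1)."""
    name: str
    links: List[Link] = field(default_factory=list)
    block_inheritance: bool = False


def processing_order(local_gpo, hierarchy, groups):
    """Return the GPOs in the order they are applied (the last one wins).

    `hierarchy` runs from the site, through the domain and parent OUs, down to the
    OU that holds the user or computer.
    """
    order = []
    if local_gpo is not None and local_gpo.applies_to(groups):
        order.append(local_gpo)                     # never blocked, lowest precedence
    # Block Inheritance on a container stops non-enforced links from every container
    # above it, so only the deepest block matters.
    start = max((i for i, c in enumerate(hierarchy) if c.block_inheritance), default=0)
    for container in hierarchy[start:]:
        for link in reversed(container.links):      # link order 1 is applied last
            if not link.disabled and not link.enforced and link.gpo.applies_to(groups):
                order.append(link.gpo)
    # Enforced links are never blocked and are applied after everything else; among
    # them the one highest in the hierarchy is applied last, so it wins. A link that is
    # both enforced and disabled counts as disabled.
    for container in reversed(hierarchy):
        for link in reversed(container.links):
            if link.enforced and not link.disabled and link.gpo.applies_to(groups):
                order.append(link.gpo)
    return order


def resultant_set(local_gpo, hierarchy, groups):
    """Return (effective settings, winning GPO per setting, applied GPO names)."""
    effective, winner = {}, {}
    order = processing_order(local_gpo, hierarchy, groups)
    for gpo in order:
        for setting, value in gpo.settings.items():
            effective[setting] = value
            winner[setting] = gpo.name
    return effective, winner, [g.name for g in order]


def sample_forest(block_sales=True, baseline_disabled=False):
    """Constructed scenario: domain -> Sales OU (Block Inheritance) -> Interns OU."""
    local = GPO("Local GPO", {"ScreenSaverTimeout": 900, "LocalOnlySetting": "x"})
    default_domain = GPO("Default Domain Policy", {"AuditLogon": "Success", "ScreenSaverTimeout": 600})
    baseline = GPO("Corp Security Baseline", {"ScreenSaverTimeout": 600, "SmartCardRequired": True})
    sales_desktop = GPO("Sales Desktop", {"ScreenSaverTimeout": 1200, "WallpaperLocked": True})
    intern_lockdown = GPO("Intern Lockdown", {"ScreenSaverTimeout": 300, "RemovableMediaBlocked": True},
                          deny=frozenset({"Sales Managers"}))   # filtered away from managers
    hierarchy = [
        Container("Site: HQ"),
        Container("Domain: contoso.msft",
                  [Link(default_domain), Link(baseline, enforced=True, disabled=baseline_disabled)]),
        Container("OU: Sales", [Link(sales_desktop)], block_inheritance=block_sales),
        Container("OU: Sales/Interns", [Link(intern_lockdown)]),
    ]
    return local, hierarchy


if __name__ == "__main__":
    local, hierarchy = sample_forest()
    effective, winner, applied = resultant_set(local, hierarchy, {"Interns"})
    print("applied:", applied)
    for setting, value in sorted(effective.items()):
        print(f"{setting} = {value!r}  (from {winner[setting]})")
```

Running the sample for a user in the Interns OU shows each rule at work: the Default Domain Policy never applies because the Sales OU blocks inheritance, the enforced Corp Security Baseline still wins the ScreenSaverTimeout conflict against the child OU, and a member of Sales Managers does not receive Intern Lockdown because of the Deny. Setting the enforced link to disabled makes Intern Lockdown win, which is the "disabled has precedence over enforced" note above.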

WMI Filters
WMI filters can be used to allow or deny GPOs to specific systems based upon hardware and software configuration specifications and are useful for:
• Deploying software upgrades to systems that already have a previous manually installed version
• Deploying software to systems that meet hardware/software specifications

Refreshing Group Policies
• Member servers, workstations, users every 90 - 120 minutes
• DCs every 5 minutes
• Refreshes only changes unless set to process regardless of change
• GPUPDATE

• This utility takes the place of secedit /refreshpolicy. It is executed from a command prompt and can be issued without any parameters, which refreshes both the user and computer policy settings. Certain switches can be used to specify certain results.
• /Target [computer/user] - specify to refresh only computer or user policy settings
• /Force - reapplies all policy settings even if there are no changes. By default, only policies that have been changed are refreshed.
• /Wait: [value] - set the number of seconds to wait for any policy setting to finish
• /Logoff - causes the session to log off after the Group Policy settings have been refreshed. This enables those policies that are invoked at logon to be processed by forcing the user to log on to the system.
• /Boot - causes the computer to restart after the Group Policy settings are updated. This enables those policies that specifically need to be invoked at startup to be processed.
• A Description of the Group Policy Update Utility (KB298444)

Group Policy Settings
Two Types
• Computer Configuration
• User Configuration
Categories
• Software Settings
  o Software Installation
• Windows Settings
  o Scripts
  o Security Settings
  o IE Maintenance
  o Remote Installation
  o Folder Redirection
• Administrative Templates -- Registry-based settings
  o Desktop
  o Control Panel
  o Network
  o Printers
  o Start Menu
  o System
  o Windows Components

Group Policies are a collection (group) of policy elements that affect both users and computers. It is a great way to administer and secure the network environment. The features provided allow for ease of management along with increased security features in order to lock down the environment. There are over 700 different policy elements that can be configured. There are two types of policies that can be applied: Computer Configuration and User Configuration. The Computer Configuration applies to computers and the User Configuration applies to Users. Group Policies DO NOT apply to groups. Any settings configured in the Computer Configuration area will be applied at Startup or Shutdown. Settings in User Configuration will be applied at logon or logoff. Policies are also refreshed regularly to make sure the environment has the new security settings when a policy is changed. It can also be forced to take effect by going to a command prompt at the client and typing GPUPDATE. This command alone will pull any changes to the policy from both the Computer and User Configurations.

Categories
There are 3 categories of settings that can be applied in both the Computer and User Configuration settings. There are not many duplicate settings between the two areas. When there are duplicates, the computer policies will take precedence over the user policies. The categories of settings are:
• Software Settings - provides software deployment using Microsoft Installer packages (.msi)
• Windows Settings - some of the items located in this section include applying scripts (logon, logoff, startup, and shutdown), security settings, IE maintenance, remote installation, and folder redirection.
• Administrative Templates - these settings are Registry-based settings. These include desktop configurations, control panel access, network access, printers, start menu configuration, system information and Windows components.
There is no way to know all the policy settings that are available. There will be definite items that you will want to know for the exam, and knowing the general area where an item might be found is also helpful.

Group Policies and Security Templates
• Import GPO
• Apply to computers in domain
• Security Configuration and Analysis Tool
  o Create, modify, merge templates
  o Monitor settings
• Secedit
  o Useful for batch file administration
  o /analyze to compare, /configure to deploy
  o Run under Task Scheduler for consistent configuration

The instructor will demonstrate the use of the STIG to analyze and deploy templates.

Group Policy Management Console
• Installing
• Takes the place of the Group Policy tab
• Resultant Set of Policies
• Planning Mode “what if”
• Simulate policy results if object moved to new location
• Generated on Windows Server 2008 domain controller
• Group Policy Modeling (GPMC)
• Group Policy Results (GPMC)
• Logging Mode "what's there"
• Result of what has already been applied
• Target computer must be on, firewall off, and user must have logged on

The Group Policy Management Console (GPMC) must be downloaded from Microsoft's download website. The file name is gpmc.msi. Once this console is installed, it takes the place of the Group Policy tab. The tab will remain but there will now be a message referring to the GPMC with a button to open it.

Resultant Set of Policies
The Resultant Set of Policies feature is available both in Active Directory Users and Computers and through the Group Policy Management Console. It is used to evaluate policy settings under two different circumstances: simulating an object being moved and the policies that will be applied, OR analyzing what is currently being applied to a computer or user. The report generated when using ADUC is similar to the Group Policy Editor and displays only those policy elements that are in effect or will be. When executing the report through the GPMC, it generates an HTML report which contains a lot more detailed information about the query and what is being applied. However, ADUC and GPMC call the queries something different. The report that simulates what policies will be applied if the OU, computer or user account is moved is called the Resultant Set of Policy (Planning) in ADUC. It is called Group Policy Modeling in the GPMC. The report generated to show what policies are currently being applied to a computer or user is called Resultant Set of Policy (Logging) in ADUC and Group Policy Results in GPMC.

In order to execute either query for an existing user or computer, the user must be a member of the local Administrators, Domain Admins or Enterprise Admins groups. Specific permissions can be applied on the container to allow other users to run the query remotely (logging). The permissions can be set in AD Users and Computers in the Security tab of the container. The permissions are Generate Resultant Set of Policy (Logging) or Generate Resultant Set of Policy (Planning). Permissions on the OU are Generate Resultant Set of Policy (Planning) only. If the RSoP query includes site GPOs that cross domain boundaries in the same forest, an Enterprise Admin must execute the query.
There are several places that the Resultant Set of Policy Wizard can be accessed. The Group Policy Management Console has a node for both Group Policy Modeling and Resultant Set of Policy. The Resultant Set of Policy snap-in can be added to an MMC console. Both Active Directory Users and Computers and Active Directory Sites and Services provide access to the wizard by right-clicking the object desired to view, selecting All Tasks, then either Resultant Set of Policy Planning or Logging.
• Planning Mode - enables you to plan by seeing what would happen if a policy was applied to a particular computer or user. Policy settings, software installations and security can all be viewed in various scenarios. Different scenarios can be simulated to view the impact on the computer and/or user accounts. This includes being able to determine the impact of an object/objects move from one place to another.
• Logging Mode - enables you to review existing GPO settings, software installation applications and security for a user account or computer account that has already been applied.
• Whether called Resultant Set of Policy (Planning) in Active Directory Users & Computers/Sites & Services or Group Policy Modeling in the Group Policy Management Console, the wizard steps and the end results are the same.
• Select the domain desired to conduct the analysis, then select any domain controller or a specific domain controller to conduct the analysis.
• In order to run Group Policy Modeling, at least one Domain Controller is required. You must also have the correct permissions set on the Active Directory container where you want to run the analysis. Set the permission on the Security tab of the container and select Resultant Set of Policy - Planning.
• Select either the container or specific user/computer desired for the analysis.
• Select advanced simulation options. Options include simulating a Slow Network Connection, analyzing using Loopback processing, and selecting the site desired.
• Select the user security groups desired to view how the policies affect them, should they be part of that container.

• Select the computer security groups desired to view how the policies affect them should they be moved to that container.
• Select specific WMI filters for users/computers to be associated with the analysis. Filters have to already be created in order to select them.
• Confirm selections and select Next to run the analysis.
• Once completed, if using Resultant Set of Policy (Planning), an MMC console will open and the results can be viewed. Save the MMC console to the Administrative Tools folder in order to use the analysis another time. If executing as part of the GPMC, the report will appear in the detail window. To permanently save the report, right-click the report and click Save Reports.

Group Policy Result Wizard
The Group Policy Result Wizard is queried either through the Group Policy Management Console or by using Active Directory Users & Computers or Active Directory Sites & Services (Resultant Set of Policy - Logging). The person executing the query must have the appropriate permissions by being part of the Local Admins, Domain Admins or Enterprise Admins group or have specific permissions applied through the Security tab of the container.
• Select the computer to be queried. Options include selecting the computer where the query is being configured or selecting another computer. A checkbox is provided to select not to show the computer results as part of the final report.
• Select the user to be queried. Options include the current logged on user where the query is being configured or selecting another user. A checkbox is provided to select not to show the user results as part of the final report.
• A summary of selections is provided and the query is started.
• If the query has been configured through Active Directory Users & Computers or Active Directory Sites & Services, the final report will appear in an MMC console. Save the console in order to run the report again. Please note that the RSoP console is saved, not the actual report.
• Using the Group Policy Management Console, the report is saved as part of the console but can be permanently saved by right-clicking the report and selecting Save Report.
• When using the Group Policy Management Console to generate the Resultant Set of Policy query, the report generates 3 different sections.
• Summary - Lists information regarding the container being analyzed, lists information for both user and computer configuration settings including the Group Policy Objects that have been Applied/Denied, Simulated Security Groups involved in the analysis, and WMI filters that were applied as part of the simulation.

• Settings - Lists information for both Computer and User Configurations. Provides a detailed listing of the Group Policy, the effective setting and the Winning Group Policy Object (the policy that caused the effective policy setting).
• Policy Events - Gives a listing of all event entries pertaining to the policies that apply to the queried computer/user.

Software Deployment
Software can be deployed using a native or custom .msi package to either
• Computers or Users
• Computer - Assign only
• Users - Assign or Publish
• Published Software is installed by selecting
  o Shortcut icon
  o Add/Remove Programs
  o file extension activation
• Application without a Windows Installer – assigned only
  o Package can use Application (.zap) files

• Users can manually install from a file share with limited permissions if the "Always install with elevated privileges" option is enabled in a policy.
• Publish optional applications to users. Assign mandatory applications to users or computers.
• Enable the Uninstall application when it falls out of the scope of management option to prevent continued use.

Windows 2000 introduced the feature of Software Deployment through a Group Policy Object. Now with Windows Server 2008, several features have been added. Software Deployment can be used as long as there is an Active Directory domain and the clients are Windows 2000 Professional or later. Software Deployment is available in both the User and Computer Configuration of the Group Policy. Decision points on where to execute the deployment depend on whether the software is to be available to anyone on the computer or only to certain users. Another deciding factor is how the software is deployed. Two choices are available: it can either be Assigned or Published. A deployment that has been Assigned indicates that the shortcut is available on the Start Menu and is installed if the user selects the shortcut. It can also be installed if a file with the software extension is selected. For example, if Adobe Acrobat has been Assigned, double-clicking an attached .pdf file would cause Acrobat to install. An application that is assigned can be deployed either to Computers or Users. When Published, the availability of the software is listed in Add/Remove Programs and it will be installed when requested by the user. It will also install if a file with the software extension is selected. Only Users can have a Published deployment.

Windows Installer Service
The Windows Installer Service works in the background, allowing the Windows Installer files to process the installation of the software according to the instructions in the installer file. It provides a way back to the original state should there be a problem during software installation. It provides a self-repairing feature that detects if files are missing or corrupted and will reinstall the files. The Windows Installer Service also provides a means of removing the software package completely when it is no longer needed. It will remove any shortcuts that the Windows Installer package created. Any shortcuts that are created by the user must be deleted separately.

Windows Installer Packages
Native Windows Installer Package (.msi) files - are available as part of the application and take advantage of all aspects of the Windows Installer service. The publisher of the software can usually provide a native .msi package upon request if it is not included with the original distribution. Multiple applications may be contained in a single .msi package. Features can be selected to vary the installation through a transform file.

Repackaged application (.msi) files - the repackaged .msi file is very similar to the native file except that it is one single product in one file. It must be installed in its entirety, with no choice of features to install. In order to allow users to install, a policy setting must also be configured to use elevated privileges for software deployment. Users, by default, do not have the rights to install software. By elevating privileges, the software is installed using administrator privileges and then lowered back to the user's privileges as soon as the install is complete.

Customizing Windows Installer Package - Two methods can be used to customize the Windows Installer Package: a Transform file (.mst) and a Patch file (.msp). The Transform file is used to customize the installation. The publisher of the application provides a configuration tool that allows the transform file to be created. For example, Microsoft Office 2007 has Microsoft Word, Excel, PowerPoint and Access as applications that can be installed. A Transform file can be created to specify that only Microsoft Excel is installed. The Microsoft Office 2007 .msi package is configured to be deployed through a Group Policy Object and the transform file (.mst) is added to the configuration so that only Microsoft Excel is installed. The Patch file (.msp) is used to add software patches, service packs and some update files to the existing Installer package (.msi) deployment.
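The elevated-privileges setting above is the Windows Installer policy "Always install with elevated privileges". It is stored as the REG_DWORD value AlwaysInstallElevated under SOFTWARE\Policies\Microsoft\Windows\Installer in both HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, and Windows honours it only when it is 1 in both hives. The following Python is an added example (not from these notes and not Microsoft code) that parses the text reg query prints for those two keys and reports whether the setting is actually in force, which is the check a reviewer runs on a workstation that is not meant to let standard users install .msi packages with administrator privileges. The key path and value name are real; the two blocks of reg query output are constructed for the example.

```python
# Added example: audit whether the Windows Installer "Always install with
# elevated privileges" policy is in force, from `reg query` output text.
# Key path and value name are the real ones; the sample output is constructed.
VALUE_NAME = "AlwaysInstallElevated"
KEY_SUFFIX = "\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer"
HIVES = ("HKEY_LOCAL_MACHINE", "HKEY_CURRENT_USER")

# Constructed sample: both hives set to 1, so the policy is in force.
SAMPLE_BOTH_ENABLED = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1
"""

# Constructed sample: only the machine half is set, so Windows does not honour it.
SAMPLE_MACHINE_ONLY = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x1

HKEY_CURRENT_USER\\SOFTWARE\\Policies\\Microsoft\\Windows\\Installer
    AlwaysInstallElevated    REG_DWORD    0x0
"""


def parse_reg_query(text):
    """Map each hive to the integer AlwaysInstallElevated data found under it.

    `reg query` prints an unindented key line followed by indented
    '<name>    <type>    <data>' lines; REG_DWORD data is printed in hex.
    A hive missing from the output, or a key without the value, is left out.
    """
    found = {}
    current_hive = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace():
            hive, _, subkey = line.partition("\\")
            current_hive = hive if ("\\" + subkey) == KEY_SUFFIX else None
            continue
        parts = line.split()
        if current_hive in HIVES and len(parts) == 3 and parts[0] == VALUE_NAME:
            found[current_hive] = int(parts[2], 16)
    return found


def elevated_install_effective(text):
    """True only when the value is 1 in BOTH hives; otherwise Windows ignores it."""
    values = parse_reg_query(text)
    return all(values.get(hive, 0) == 1 for hive in HIVES)


def audit_finding(text):
    """One-line finding for a configuration review."""
    values = parse_reg_query(text)
    state = ", ".join(f"{hive}={values.get(hive, 'not set')}" for hive in HIVES)
    if elevated_install_effective(text):
        return (f"FINDING: AlwaysInstallElevated is in force ({state}); "
                "any .msi a user can reach installs with administrator privileges")
    return f"OK: AlwaysInstallElevated is not in force ({state})"


if __name__ == "__main__":
    print(audit_finding(SAMPLE_BOTH_ENABLED))
    print(audit_finding(SAMPLE_MACHINE_ONLY))
```

The practical reading of the result: the setting should be on only for the duration of a controlled deployment and then turned back off, because while it is in force the installer runs any .msi package with administrator privileges, not just the ones published from the Software Distribution Point.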

Application (.zap) Files
For those applications that do not have a native or repackaged installer package available, an Application File (.zap) can be used to deploy software. These are text files that contain instructions about how to publish an application and point to an existing setup program (setup.exe, install.exe). An application being deployed by a .zap file can only be Published. It is only available in Add/Remove Programs and cannot be installed by selecting a software file extension. For a how-to: http://support.microsoft.com/kb/231747

Software Distribution Point (SDP)
• Access to all of the installation files can be controlled with NTFS permissions.
• Users - Read
• Administrators - Full Control

All files relating to the deployment of the software must be copied to a Software Distribution Point. This is the network location for the installer files for the Group Policy Object and will also be the location used when the application is installed. With Windows Server 2008, this SDP can be in another forest, as long as there is a two-way trust in place. Once the SDP is created, copy the software packages, modifications, all necessary files, and components to a folder. Some software provides commands to facilitate the copying of the files to the SDP. For example, if you use Setup with Office XP, it allows you to enter the software key once for all users and it copies the files to the folder on the Software Distribution Point.

Creating Package
To create the software package, Right-click the Software Installation node, select New/Package. Make sure to select a UNC path for the Software Distribution Point, not a local path. Once the path has been entered, select whether to Assign or Publish. If you are configuring a deployment under the Computer Configuration section of the GPO, publish will be grayed out because it is not a valid option. Once the package is created you can then modify the settings. To go directly to the properties of the package, select Advanced instead of Assign or Publish. This opens up the dialog box so additional settings can be selected. If adding a Transform or Patch file, make sure to select Advanced to add the appropriate files before the package is deployed. On the Deployment tab is the option to Publish or Assign, Uninstall application when it falls out of the scope of management, option to not show in Add/Remove Programs, and the newest option, Install the application at logon.

The Uninstall application when it falls out of the scope of management option will uninstall the application when the user account is moved from the OU where the policy is linked. For example, Sue's user account is in the Accounting OU and special accounting software has been deployed. When she changes to the marketing department, her user account is moved to the Marketing OU. Any accounting software that was deployed to Sue will be removed when she logs on after the user account is moved. The Install application at logon option completely installs the application at logon instead of waiting for the user to select a shortcut or file extension. This option is only available when the package is Assigned to Users.

Upgrading Software
In order to upgrade a software deployment, create a new package for the new version and select Advanced to open the Properties of the package. On the Deployment tab, select either Assign (users or computers) or Publish (users). On the Upgrade tab, select Add to choose the software package this one is going to upgrade. At the bottom of the window are options to install over the existing software or to uninstall the existing software and then install the upgrade. After making the desired selection, select OK to return to the Upgrade tab. The package that is being replaced will be shown in the top window. The last configuration for the upgrade is to determine whether the upgrade is required or not. If it is required, check the box in the center of the Upgrade window that states "Required upgrade for existing packages." Once the upgrade has been configured, the original package will display the upgrade package at the bottom of its Upgrade tab.

Redeployment - can be used when small changes are made to the original deployment package. Most of the time redeployment is used when new features are desired from the original deployment.

Removing Applications
To remove an application that has been installed by a software installation package, right-click the software package in the Group Policy Object and select All Tasks/Remove. There are two selections: Forced Removal, which causes "immediate uninstall", or Optional Removal, which allows users to continue using the application but provides no new installations. Note: An "immediate removal" does not trigger uninstallation until the user logs off and back on for an application deployed to Users. For an application Assigned to Computers, the machine must be rebooted to uninstall the application.

Another option is to set up the uninstall as part of the original installation package by selecting Uninstall the application if the user/computer falls out of the scope of management. If the user/computer is moved from the original location where the Group Policy Object with the installation package is deployed, the application will uninstall at the next logon/reboot. This provides a means of removing software specific to an OU when the user/computer no longer belongs to that OU. For instance, a user's account belongs to an Accounting OU and has special Accounting software deployed. When that user's account is moved to the Marketing OU, the Accounting software will be removed. This can prevent potential licensing problems.

Terminal Services and Software Installation
Terminal Services does not support software deployment for a user. Any software that needs to be available for a Terminal Services session must be installed on the computer and access controlled through permissions.

Software Restriction Policies
Available for Windows XP, Vista, Windows Server 2003, and Windows Server 2008 to regulate unknown, unwanted or untrusted code. The Software Restriction Policies are provided to protect the computer environment from unknown code by allowing identification of the approved applications that may run on the systems. The policies can apply to either computers or users. To create the Software Restriction Policies, a combination of Security Levels and Rules is used to determine what files and applications can be used. Software Restriction Policies provide the following:
• Control the ability of specific programs to be run on the system. Certain types of file extensions can be disallowed so they cannot be executed.
• Permit users to run only specific files on a computer that is shared with multiple users. This ensures the user is only able to use applications and files that are specific to their needs.
• Provide a method of specifying who can add trusted publishers to the computer.
• Control whether software restriction policies are applied to all users or just to certain users.
• Prevent specific files from being executed on a local computer, site, domain or OU.

Two security levels are provided, Unrestricted and Disallowed. The default setting is Unrestricted. The Unrestricted option allows all software to run using the user's full rights, whereas Disallowed does not allow software to run, no matter what the user's access rights are. If Unrestricted is used, rules can be created to prohibit the undesirable programs from being run. With Disallowed, rules must be created for all programs that are desired to run. The rules created provide exceptions to the default Security Level. Because of the nature of the Disallowed security level, four Registry rules are automatically created when Disallowed is selected. This allows certain operating system programs that are required to still function. Consider the impact of selecting Disallowed before implementing this level.
There are many items that are considered programs such as logon scripts that will have to have exception rules created to make them usable. The default setting has a check mark beside the item in the Group Policy. To change the default setting, right-click the other option and select Set as Default.

Software Rules
• Rules override the default security level
• Determine as part of the rule if it is allowed to run
• Rule: Select Unrestricted or Disallowed within the rule
• Rules include: Hash Rule, Certificate Rule, Path Rule and Internet Zone Rule

The Software Rules determine the programs and files that can be executed on a computer system and override the Security Levels. Each Software Rule specifies whether that program/file is allowed to run by selecting either Unrestricted (allowed to run) or Disallowed (not allowed to run). There are four rule types besides the Registry rules created when the Disallowed Security Level is selected. These four are: Hash Rule, Certificate Rule, Path Rule and Internet Zone Rule. The rules are applied in the order listed.

Hash Rule - A Hash Rule allows the file that is being either restricted or allowed to be identified by a hash, which is a series of bytes that uniquely identifies a program or file. The file is selected in the New Hash Rule dialog box and the hash is created automatically. Information about the file (filename, size and creation date) populates the rule automatically. Select whether to allow the hash (Unrestricted) or restrict it (Disallowed).

Certificate Rule - A Certificate Rule identifies the software by its signing certificate. This indicates the software is from a trusted source and will not prompt the user. Certificate Rules can be applied to scripts and Windows Installer packages. They do not apply to .exe or .dll file extensions. To create the rule, select the certificate and then whether to allow (Unrestricted) or restrict (Disallowed).

Path Rule - A Path Rule identifies the file by its file path. If the file is moved, the rule will no longer apply. Select whether to allow (Unrestricted) or restrict (Disallowed).

Internet Zone Rule - An Internet Zone Rule applies only to Windows Installer packages. It identifies software through the Internet zone specified in the rule. Select whether to allow (Unrestricted) or restrict (Disallowed).

Designated File Types
All of the rules use specific file types and those must be identified in the Designated File Types dialog box. It can be located by selecting the Software Restriction Policies node, then double-click the Designated File Types in the details pane. Basic file extensions are already listed. Check to make sure the file extension being designated in the rules is listed, then Add the extension if it is not listed.
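To see how the default security level, the four rule types and the Designated File Types list combine, here is an added Python model of the evaluation (my own illustration, not code from these notes or from Windows). It checks constructed files against a rule set in the order the notes give, hash, then certificate, then path, then Internet zone, and falls back to the default security level; a file whose extension is not a designated type is not subject to the policy at all. The simplifications are assumptions of this model: SHA-256 stands in for the hash the rule editor computes, the certificate rule is reduced to matching a signer name, path rules are glob patterns, the designated-type list is a short constructed subset, and the more-specific-path tie-break among several path rules is not implemented.

```python
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional

UNRESTRICTED = "Unrestricted"
DISALLOWED = "Disallowed"

# Evaluation order given in the notes: hash, certificate, path, Internet zone.
RULE_ORDER = ("hash", "certificate", "path", "zone")

# Constructed stand-in for the Designated File Types list (the real default
# list is longer); anything not listed here is not subject to the policy.
DESIGNATED_TYPES = {".exe", ".dll", ".com", ".scr", ".msi", ".bat", ".cmd", ".vbs", ".js"}
# Types a certificate rule can cover per the notes: scripts and installer packages.
CERT_RULE_TYPES = {".msi", ".bat", ".cmd", ".vbs", ".js"}


@dataclass
class FileInfo:
    """What the policy engine knows about a file (constructed for the example)."""
    path: str
    content: bytes
    signer: Optional[str] = None   # subject of the signing certificate, if signed
    zone: Optional[str] = None     # Internet zone the package came from, if known


@dataclass
class Rule:
    kind: str    # one of RULE_ORDER
    match: str   # hex digest / signer name / path glob / zone name
    level: str   # UNRESTRICTED or DISALLOWED


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extension(path: str) -> str:
    name = path.rsplit("\\", 1)[-1]
    return name[name.rfind("."):].lower() if "." in name else ""


def rule_matches(rule: Rule, f: FileInfo) -> bool:
    ext = extension(f.path)
    if rule.kind == "hash":           # identity of the bytes, independent of location
        return sha256_hex(f.content) == rule.match.lower()
    if rule.kind == "certificate":    # assumption: signer name stands in for the certificate
        return ext in CERT_RULE_TYPES and f.signer == rule.match
    if rule.kind == "path":           # location only; moving the file defeats it
        return fnmatch.fnmatchcase(f.path.lower(), rule.match.lower())
    if rule.kind == "zone":           # Windows Installer packages only
        return ext == ".msi" and f.zone == rule.match
    raise ValueError(f"unknown rule kind {rule.kind!r}")


def evaluate(f: FileInfo, rules, default_level: str):
    """Return (level, reason): the first matching rule kind in RULE_ORDER wins,
    otherwise the default security level applies."""
    if extension(f.path) not in DESIGNATED_TYPES:
        return UNRESTRICTED, "not a designated file type"
    for kind in RULE_ORDER:
        for rule in rules:
            if rule.kind == kind and rule_matches(rule, f):
                return rule.level, f"{kind} rule {rule.match!r}"
    return default_level, "default security level"


# Constructed rule set for a locked-down workstation (default level Disallowed).
PAYROLL_BYTES = b"constructed payroll client binary"
RULES = [
    Rule("hash", sha256_hex(PAYROLL_BYTES), UNRESTRICTED),
    Rule("certificate", "CN=Contoso Code Signing", UNRESTRICTED),
    Rule("path", "c:\\program files\\*", UNRESTRICTED),
    Rule("path", "c:\\users\\*\\downloads\\*", DISALLOWED),
    Rule("zone", "Internet", DISALLOWED),
]

if __name__ == "__main__":
    samples = [
        FileInfo("c:\\users\\sue\\downloads\\payroll.exe", PAYROLL_BYTES),
        FileInfo("c:\\users\\sue\\downloads\\setup.exe", b"something else"),
        FileInfo("c:\\users\\sue\\downloads\\tool.msi", b"pkg",
                 signer="CN=Contoso Code Signing", zone="Internet"),
        FileInfo("c:\\users\\sue\\downloads\\notes.txt", b"text"),
        FileInfo("d:\\scratch\\unknown.exe", b"???"),
    ]
    for s in samples:
        print(s.path, "->", evaluate(s, RULES, DISALLOWED))
```

The sample run shows why the order matters: the payroll binary is allowed by its hash even though it sits under a Disallowed download path, the signed .msi is allowed by the certificate rule before the path and zone rules are consulted, and a file type that is not designated is never evaluated, which is why the Designated File Types list has to be checked whenever a rule is written for an unusual extension.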

Enforcement
To prevent the Software Restriction Rules from being applied to the local administrator, double-click Enforcement, located in the details pane when the Software Restrictions node is selected. Under Apply software restrictions to the following users: select All users except local administrator.

Redirected Folders
• My Documents
• Desktop Settings
• Start Menu
• Application Settings
• Basic: Redirect for all users
• Advanced: redirect by security group
• Four possible options available for target location depending on what is being redirected
  o Redirect back to local
  o Redirect to following location -- %userprofile%\My Documents
  o Redirect to the local user profile
  o Settings tab, redirect back when policy deleted

There are four areas of the user's profile that can be redirected to another location. The four areas are My Documents, Start Menu, Desktop Settings and Application Settings. Using Redirected Folders can be a definite asset for Roaming Profiles: since the information is stored in a location other than the profile, it will not be downloaded to the client system every time the user logs in. For My Documents, this is a big advantage. Besides the profile loading faster and not using excessive bandwidth, there are no documents cached on the local system that might cause a security breach. The Start Menu and Desktop Settings can have Read-only permissions applied to them so the user cannot change any of the settings stored in either of these areas. There are two settings available for all redirected folders: Basic - redirect the folders for all users, or Advanced - select the security group and the target location for each security group separately. There are some significant changes in where the folders can be redirected and the choices provided to the administrator when configuring. The first key difference is that My Documents can be redirected to a user's home folder, as long as the home folder structure is already in place. This is not the preferred method but is provided for organizations that have already deployed the home folder environment. It is restricted to Windows XP Professional clients.

In order to redirect to the home folder, certain things must be taken into consideration by the administrator. By redirecting to the home folder, the security of the network environment is relaxed and the security of the contents of My Documents is not guaranteed because of the following items:
• Security - No security settings are checked or altered in the process of the redirection.
• Ownership - Redirection occurs without any type of ownership check to make sure the user redirecting is actually the owner of the folder.
• Home directory - The Home Folder location indicated in the Properties of the user's account in Active Directory is used to redirect. If this path fails or is incorrect in any way, the redirect fails.

Target Folder Options
Depending on the type of redirection, several options are now available to assist with the configuration of Redirected Folders. The options are listed in the drop-down box both for all users (Basic) and for a specific security group (Advanced).

Create a Folder for Each User Under the Root Path - creates a folder for the user in the root path (\\servername\SYSVOL\%username%) and automatically applies the username and folder name when the policy is applied. This option is not available for Start Menu redirection.

Redirect to the Following Location - specify the UNC path or valid local path to which to redirect the folders. If using a UNC path (\\servername\sharename), add the parameter %username% at the end of the path to automatically create the folder for the user and to change the permissions of the folder so the user is the only one with permissions to it.

Redirect to the Local Userprofile Location - redirects to the local default user profile folder.

Redirect to the User's Home Directory - redirects the My Documents folder to the user's home folder location. Only available for the My Documents folder. With this option, the domain administrators automatically have Full Control permission, even if Grant the User Exclusive Rights to My Documents has been selected.

Additional Policy Settings
• Automatically enroll computer/user certificates
• Allow cross-forest user policy and Roaming User profile
• IPSec settings for computer
• Message Text and Message Title for configuring log on warnings and messages.
• Slow link detection
  o Only security settings and Registry settings
  o Software deployment will not run

• Turn off background refresh to improve performance and delay refresh until logoff/logon or reboot

Group Policy Loopback
GP Loopback forces a specific User Configuration to a computer no matter who the user is that is attempting logon. Replace is absolute, merge combines the user configurations. Loopback was introduced with Windows 2000 Server Active Directory. The Loopback Replace option allows administrators to configure GPO for machines that must always have the same GPO settings regardless of who logs on.

Linking, Disabling, and Deleting GPOs
• Policies can be linked, disabled and deleted from within the Group Policy Management Console
• Policies can be created and linked at the same time, or existing policies can be linked
• Can use drag and drop to link policies from the Group Policy Container to a site, domain or OU
• To disable, right-click the Policy and deselect Link Enabled
  o Arrow on the icon will be grayed out to show it is disabled
• To delete, right-click the Policy and select Delete
  o If deleting the policy on a site, domain, or OU - it will delete from this object only
  o If deleting the policy from the Group Policy Container - it will delete from the domain but not from other domains

Disabling and Deleting GPOs
Right-click the Domain or OU to view the options that are available in the Group Policy Management Console. Among the options when the Domain has been selected are Create and Link a GPO, Link an Existing GPO, Block Inheritance (entire container), run the Group Policy Modeling Wizard, and create an OU. There is also an option to open Active Directory Users and Computers directly from the GPMC. When viewing the shortcut menu for a policy, Edit will open the Group Policy Editor to view and modify the policy settings. Enforce is the same as No Override; it will mark the policy icon to indicate the policy has Enforce applied. Disable the policy by selecting the Link Enabled listing to remove the check mark. To enable, select it again to add the check mark. The Save Report option gives the opportunity to permanently save the reports viewed in the details pane to the right regarding the current policy settings and how they are applied to the different areas. Notice you can view the policies under the item they are linked to as well as viewing all of the policies under the Group Policy Objects node. If you select the policy under the item where it is linked and select Delete, it will only delete the link, not the policy settings. To remove the policy from all linked areas and delete the policy from the domain, select the policy under the Group Policy Objects node and delete it. If the policy is linked in other domains, it will not remove those links.

GP processing
By default in Windows XP Professional, the Fast Logon Optimization feature is set for both domain and workgroup members. This results in the asynchronous application of policies when the computer starts and when the user logs on. This application of policies is similar to a background refresh process and can reduce the length of time it takes for the Logon dialog box to display and the length of time it takes for the shell to be available to the user. An administrator can change the default by using the Group Policy Object Editor. Fast Logon Optimization is always off during logon under the following conditions:
• When a user first logs on to a computer.
• When a user has a roaming user profile or a home directory for logon purposes.
• When a user has synchronous logon scripts.

Backing Up, Importing, and Restoring GPOs
• Use GPMC to back up, import and restore GPOs and to manage backups
• Select the Group Policy Container to view all GPOs

Backup - only backs up components of a GPO that are in the GPO in Active Directory and in the GPO file in SYSVOL. Does not capture items stored outside the GPO, such as WMI filters, links to sites, domains or OUs, and IP Security policies. It will maintain the link to a WMI filter, but not the filter itself. The backup contains an XML report of the GPO settings, a date and time stamp, and the user-supplied description, and can be viewed within the GPMC as HTML. Each backup has a unique ID, which allows one or multiple GPOs to be backed up to the same location. To back up all GPOs, right-click the Group Policy Objects node and select Back Up All. To specify the GPOs to back up, select them in the Contents tab of the Group Policy Objects details node, right-click and select Back Up.

Managing Backups - provides a way to view the GPOs that are backed up. In the Manage Backups dialog box, you can sort, delete, restore or view the backup settings.

Restore - allows the GPO to be restored to a previous state, whether it has been deleted or is currently available but needs to be rolled back to a previous state. To restore, right-click the Group Policy Objects node and select Restore from Backup, or select the desired GPO in the Manage Backups dialog box and select Restore. To restore to an existing GPO, the user must have Edit settings, delete, and modify security permissions on the GPO, and must also have Read permissions to the backup file location. Restoring a deleted GPO requires the user to have the right to create GPOs in the domain, as well as Read access to the backup file location. This is necessary because the GPO is being recreated as part of the restore and the person who performs the restore becomes the new creator owner.

Importing - used to transfer settings across GPOs within the same domain, to other domains in the same forest, and to domains in a separate forest. The target of an import is an existing GPO on a Windows Server 2008 domain controller. Requires Edit permission on the target GPO. To perform an import, in the GPMC of the target domain, select Import Settings. A wizard provides the prompts needed to complete the import operation. You may need to build a migration table to accomplish this.

Copy - uses an existing GPO in Active Directory as the source and creates a new GPO at its destination. Can be used to create a new GPO in the same domain, a domain in the same forest, or a domain in a separate forest. Trusts are required between the source and destination domains. Copying a GPO requires GPO creation rights on both the source and destination domains, since a new GPO is being created.

Replacing Security Templates
DCGPOFIX -- This utility will revert the default domain and default domain controller policies to their original state when first installed. This would be used if the security templates had been modified and there was a need to go back to the default settings.

Import GptTmpl.inf -- The Domain GPO uses a template, and, by default, it enables default security settings that are related to account policy only. None of the other settings are enabled initially. Sometimes, changing the default settings or enabling or disabling other settings may produce undesirable outcomes. This may result in a condition where unexpected restrictions exist on user accounts. If the changes are unexpected, or if the changes were not recorded so that you do not know what changes were made, it may be necessary to reset these security settings to their defaults. Open the GptTmpl.inf file with a text editor, such as Notepad. This file is located in your Sysvol folder. The default path for the Sysvol is %SystemRoot%\Sysvol. To completely reset the security settings to the default settings, replace the existing information in the GptTmpl.inf file with the default information that you can copy from a freshly installed machine.

Security Templates
Any customized security templates can be backed up from one domain and then imported into another domain.

Troubleshooting Group Policy
• Computer/User configurations conflict
  o Computer configuration will be applied
• Software not installed as expected:
  o Is it Assigned or Published?
  o Is the SDP available?
  o Check permissions
• Policy settings didn't take effect:
  o Is it linked properly?
  o And enabled?
• Troubleshooting Tools
  o Event Viewer
  o RSoP
  o Log files
  o Gpresult.exe
  o Gpupdate.exe

The Resultant Set of Policy Wizard provides a detailed report showing the policies that are being applied and the result of those policies. Gpresult is a command-line utility used to show the policies that are being applied to both the user and computer. The actual result of the application is not provided. It returns the same information as Resultant Set of Policy (logging mode). If GPRESULT returns an error message that the Sysvol folder could not be contacted, a file in the Sysvol may be corrupted; recover the Sysvol folder from the last backup. Gpupdate is used to force a refresh of the Group Policies for the user/computer. Using the /Force switch will force all policy settings to be reapplied, whereas using Gpupdate without a parameter will only update the policy settings that have been changed. Event Viewer and log files are always good resources to view whether policies have been executed successfully or whether there were errors in the process.

New user and computer accounts are created in the CN=Users and CN=Computers containers by default. It is not possible to apply Group Policy directly to these containers, although they inherit GPOs linked to the domain. Redirusr.exe (for user accounts) and Redircomp.exe (for computer accounts) are two new tools included with Windows Server 2003 that enable you to change the default location where new user and computer accounts are created so you can more easily scope GPOs directly to newly created user and computer objects. By running Redirusr.exe and Redircomp.exe once for each domain, the domain administrator can specify the organizational units into which all new user and computer accounts are placed at the time of creation. These tools are located in %windir%\system32.

IP Addressing
An IP address is a 32-bit binary number that identifies a node (computer, interface card). A binary number is a sequence of 0s and 1s. The 32 bits are interpreted as 4 groups of 8 bits. The IP address as we know it is called IPv4 (4 octets). Each of the 4 octets, when converted to decimal, can be any value between 0 and 255.

When converting from binary to decimal, draw lines representing the 8 bits. Starting from the right, write a 1 under the first line. Then, proceeding to the left, multiply by 2. The numbers under each line represent the value of that bit. Each bit can have either a 1 or 0 as its binary value. Compare any binary number to the value chart. Any bit that has a 1 is considered to be 'on', and all the values of the '1' bits are added together to get the decimal conversion. For instance, the binary number 10110011 is converted to decimal by determining the value of all the '1' bits and adding them together: 128+32+16+2+1=179.

To convert a decimal number to binary, use the value chart, working from left to right. Determine if 128 can be subtracted from the decimal number; if yes, place a 1 in the 128 spot. Determine the value left. Can 64 be subtracted? If yes, place a 1 in the 64 spot. Determine the value left and continue until the total decimal number has been converted. For example, consider the decimal number 203. We can subtract 128 from 203, so there is a 1 in the 128 place. The value left is 75. We can subtract 64 from 75, so a 1 goes in the 64 place. We have 11 remaining. We can't take 32 or 16 from 11, so 0s go in those places. We can take 8 from 11 with 3 left over. Place a 1 in the 8 spot. We can't subtract 4 from 3. Place a 0 in the 4 spot. The last two bits equal 3, which is what we have left, so place a 1 in the 2 and 1 spots. Our new binary number is 11001011. With some practice, converting from binary to decimal and back is not a difficult process. Learn the bit value table and it will get you a long way.
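The two conversions above, written out as Python so the value chart and the subtraction method can be checked against the worked numbers (10110011 is 179, 203 is 11001011). This is an added example, not part of the notes; conversion_trace returns each step of the subtraction method in the same order the paragraph walks through it, and the dotted-address helpers apply the octet conversion to a whole IPv4 address.

```python
# Added example: the value-chart conversions from the notes, as functions.
BIT_VALUES = (128, 64, 32, 16, 8, 4, 2, 1)   # the chart, written left to right


def binary_to_decimal(bits: str) -> int:
    """Add the chart value of every '1' bit (e.g. 10110011 -> 128+32+16+2+1 = 179)."""
    if len(bits) != 8 or set(bits) - {"0", "1"}:
        raise ValueError("an octet is exactly 8 characters of 0 and 1")
    return sum(value for value, bit in zip(BIT_VALUES, bits) if bit == "1")


def conversion_trace(n: int):
    """Subtraction method, step by step: (chart value, bit placed, value left)."""
    if not 0 <= n <= 255:
        raise ValueError("an octet must be between 0 and 255")
    steps, remaining = [], n
    for value in BIT_VALUES:
        if remaining >= value:         # the value can be subtracted: place a 1
            remaining -= value
            steps.append((value, "1", remaining))
        else:                          # it cannot: place a 0 and move on
            steps.append((value, "0", remaining))
    return steps


def decimal_to_binary(n: int) -> str:
    """Just the bits from the trace, e.g. 203 -> '11001011'."""
    return "".join(bit for _, bit, _ in conversion_trace(n))


def dotted_to_binary(address: str) -> str:
    """'192.168.1.10' -> '11000000.10101000.00000001.00001010'"""
    octets = address.split(".")
    if len(octets) != 4:
        raise ValueError("an IPv4 address has 4 octets")
    return ".".join(decimal_to_binary(int(o)) for o in octets)


def binary_to_dotted(binary: str) -> str:
    """Inverse of dotted_to_binary."""
    return ".".join(str(binary_to_decimal(o)) for o in binary.split("."))


if __name__ == "__main__":
    for value, bit, left in conversion_trace(203):
        print(f"{value:>3}: place {bit}, {left} left")
    print(decimal_to_binary(203), binary_to_decimal("10110011"))
    print(dotted_to_binary("192.168.1.10"))
```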

Address Classes
There are 5 classes of addresses, 3 of those classes can be assigned to individual systems. The first three classes, A, B, and C, are the classes that can be used to address clients. Class D is used for Multicasting, which provides a central pool of addresses for video conferencing and other types of multicasting traffic. There are a series of addresses that are Reserved for future growth.

The first octet of the IP address identifies the class of the address. The ranges listed in the chart above should be memorized. Each IP address has two parts: network and host. The network portion is used to determine whether the destination of a packet being sent from a source is local to the computer or remote. If the network portions do not match, the two cannot communicate without a router. The host portion must be unique to the segment. By identifying the class of the address, you determine the portion of that address that is being used for the network and the host. Class A addresses use the first octet, the first 8 bits, as the network portion. The network bits are often represented as a slash or CIDR notation at the end of the IP address. This indicates the number of bits that are being used to represent the network. The remaining bits are for the host.

Private Addressing and APIPA
Three ranges of addresses are considered Private addresses and will not be assigned on the Internet for public use. These addresses are often used to address private networks; since they will never match a public address, this is more secure. These ranges are:
• 10.0.0.0/8 (10.0.0.0 - 10.255.255.255)
• 172.16.0.0/12 (172.16.0.0 - 172.31.255.255)
• 192.168.0.0/16 (192.168.0.0 - 192.168.255.255)

Also the 127.0.0.0/8 (127.0.0.0 - 127.255.255.255) range is excluded from assignment. This range is reserved for the Loopback, which is 127.0.0.1. This is used to test connectivity of the network interface and installation of TCP/IP. It is used for troubleshooting only.

Automatic Private IP Addressing (APIPA)
Automatic Private IP Addressing is a way for hosts to obtain addresses and communicate locally on the network without a DHCP server or a static address. When a Windows 2000, Windows XP or Windows Server 2003 host is installed, the IP address is configured to be automatically assigned. If there is no server available to assign an address, it will take an APIPA address. It is also used as a troubleshooting tool. If a DHCP server is not running, has run out of addresses in its address scope, or the connection has been severed for some reason, the APIPA address will appear in the IPConfig output on the client. This is a sure sign that something is wrong. The APIPA address is 169.254.x.x. Make sure to memorize this. If this is seen as the IP configuration on a system, it is not getting an address from DHCP for one of the reasons listed above.

When the host cannot obtain an address, it will select an address from the 169.254.0.0 range and send out a broadcast to see if any other host has that address. If it does not receive a reply, it will assign that address to the host. The system will continue to try to obtain a valid address. The APIPA address will be maintained until the server or connection problem is corrected or a static address is assigned. APIPA can be disabled by making a registry change, but this is not recommended.

Subnetting
• The process of creating more networks with fewer hosts per network by "borrowing" bits in the subnet mask.
• Supernetting aggregates multiple routes to a single network via the opposite process.
• Why subnet?
  o Make communication more efficient.
  o Reduce network broadcasts by creating broadcast domains.
  o Divide large IP networks into smaller, more efficient ones.

Subnet Masks
Use decimal notation (255.0.0.0) or CIDR notation (/8) to identify the subnet mask value. Each IP address has an associated subnet mask which is used by the computer to identify the network portion of the address. When converted to binary, the 1s in the subnet mask represent the network portion and the 0s represent the host portion. The 3 classes have default subnet masks, which represent the full range of addresses in the available bits. With a class A network address, 16,777,216 (2^24) hosts can be configured. For a class B, 65,536 (2^16) hosts are available. In a class C, 256 (2^8) hosts are available. In order to calculate the number of valid addresses available, count how many bits are available for the hosts and use that number as the exponent (2 to the power of u). The 2 comes from the possibilities in 1 bit: 0 or 1. The u represents the number of unmasked bits in the IP address.

Network/Broadcast Address
Another item to consider in determining the valid number of hosts that can be configured is the rule that the host bits cannot be all 0s or all 1s in binary. When the host bits are all 0s it is called the Network Address. It is the first address in the range and is not available to address a host. Network addresses appear in routing tables on PCs and routers. When the host bits of an IP address are all 1s, that is the Broadcast Address used by all PCs in that network. It is the last address in the range and cannot be configured on a host. When a PC broadcasts an announcement, it will send that packet to the Broadcast Address. With this in mind, a Class A can have 16,777,214 (16,777,216 - 2) hosts, a Class B can have 65,534 (65,536 - 2) hosts and a Class C can have 254 (256 - 2) hosts.

All 0s in 8 bits has a decimal value of 0 and all 1s has a decimal value of 255. Don't be confused into thinking that any address ending in decimal 0 or 255 is invalid. It is the binary host bits that need to be considered. If a class B address is being used, it could have a 0 or 255 at the end of some addresses, but there would be a 1 or 0 somewhere else in the total number of host bits. In order to manage the range of addresses available, it is possible to break those addresses into portions or subnets. The network borrows bits from the host in order to create the subnets. If a class B address borrows bits from the host portion, it will still be a class B address (16 bits) plus have additional bits that identify the subnet. The subnet bits allow the hosts to be identified as local or remote by comparing the bits that have been borrowed for the network. The 1s in the subnet mask must be consecutive, so there are only 9 possibilities for a subnet mask octet: 0, 128, 192, 224, 240, 248, 252, 254, and 255. Notice in the chart that the 1s are consecutive. There are no other possibilities.

Determining Local and Remote Hosts
An address that is local is one that shares the same network. This may be using the default network bits only, or the total network bits if it is subnetted. A remote address is on a different network than the source. There are two methods available to determine if an address is local or remote. One is called ANDing, which requires converting the source, destination, and subnet mask to binary and then comparing bits. The other method is Ranging. With this method you determine the valid ranges from the subnet mask and then compare the addresses to see if they are in the same range. You can do a modified ANDing by only converting the subnetted octet values to binary and comparing the bits.
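The subnet arithmetic from the Subnetting, Network/Broadcast Address and local/remote sections, as an added Python example that is not part of the study guide: class from the first octet, network and broadcast addresses, usable host count, the consecutive-1s mask check, and both the ANDing and Ranging tests. All addresses in it are constructed sample values.

```python
# Added example (not from the study guide): classful/CIDR subnet math with
# explicit bit operations so the ANDing and Ranging methods can be compared.
# All addresses used here are constructed sample values.


def ip_to_int(ip: str) -> int:
    """Dotted-decimal IPv4 text -> 32-bit integer (validates each octet)."""
    octets = [int(o) for o in ip.split(".")]
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError(f"not a valid IPv4 address: {ip}")
    return (octets[0] << 24) | (octets[1] << 16) | (octets[2] << 8) | octets[3]


def int_to_ip(n: int) -> str:
    """32-bit integer -> dotted-decimal text."""
    return ".".join(str((n >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def address_class(ip: str) -> str:
    """The first octet alone identifies the classful address class."""
    first = int(ip.split(".")[0])
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"


DEFAULT_PREFIX = {"A": 8, "B": 16, "C": 24}  # default masks /8, /16, /24


def prefix_to_mask(prefix: int) -> int:
    """CIDR prefix length -> 32-bit mask with `prefix` consecutive leading 1s."""
    if not 0 <= prefix <= 32:
        raise ValueError(f"prefix out of range: /{prefix}")
    return (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF


def mask_to_prefix(mask: str) -> int:
    """Dotted mask -> prefix length; rejects masks whose 1s are not consecutive,
    so only 0, 128, 192, 224, 240, 248, 252, 254 and 255 are accepted per octet."""
    m = ip_to_int(mask)
    prefix = bin(m).count("1")
    if prefix_to_mask(prefix) != m:
        raise ValueError(f"subnet mask bits are not consecutive: {mask}")
    return prefix


def subnet_info(ip: str, prefix: int) -> dict:
    """Network address (host bits all 0), broadcast address (host bits all 1)
    and the usable host count 2^u - 2 for the subnet containing ip/prefix."""
    mask = prefix_to_mask(prefix)
    network = ip_to_int(ip) & mask
    broadcast = network | (~mask & 0xFFFFFFFF)
    host_bits = 32 - prefix
    usable = (2 ** host_bits) - 2 if host_bits >= 2 else 0
    return {
        "mask": int_to_ip(mask),
        "network": int_to_ip(network),
        "broadcast": int_to_ip(broadcast),
        "first_host": int_to_ip(network + 1) if usable else None,
        "last_host": int_to_ip(broadcast - 1) if usable else None,
        "usable_hosts": usable,
    }


def is_local_anding(src: str, dst: str, prefix: int) -> bool:
    """ANDing: AND both addresses with the mask and compare the network bits."""
    mask = prefix_to_mask(prefix)
    return (ip_to_int(src) & mask) == (ip_to_int(dst) & mask)


def is_local_ranging(src: str, dst: str, prefix: int) -> bool:
    """Ranging: work out the source's subnet range, then check whether the
    destination falls between its network and broadcast addresses."""
    info = subnet_info(src, prefix)
    low, high = ip_to_int(info["network"]), ip_to_int(info["broadcast"])
    return low <= ip_to_int(dst) <= high


if __name__ == "__main__":
    for ip in ("10.1.2.3", "172.16.5.130", "192.168.1.10"):
        cls = address_class(ip)
        print(ip, "class", cls, subnet_info(ip, DEFAULT_PREFIX[cls]))
    # Borrow 4 host bits from a class B (/16 -> /20): 4094 usable hosts per subnet.
    print(subnet_info("172.16.5.130", 20))
    # Same /24 but different /25 halves: local with the default mask, remote once subnetted.
    for prefix in (24, 25):
        print(prefix, is_local_anding("192.168.1.10", "192.168.1.200", prefix),
              is_local_ranging("192.168.1.10", "192.168.1.200", prefix))
```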

Common Ports to Know
In order to designate specific communications for applications and services, port numbers are used to designate the data being sent. This is the port on which the system service listens for incoming traffic. Port numbers from 1 to 1024 are the commonly used ports; ports above that are assigned to specific services or applications. These ports are ones you need to know for the exam.
• 20/21 FTP (File Transfer Protocol)
• 22 SSH (Secure Shell)
• 23 Telnet
• 25 SMTP (Simple Mail Transport Protocol)
• 53 DNS (Domain Naming Service) (udp < 512 bytes < tcp)
• 67 DHCP
• 80 HTTP (Hypertext Transfer Protocol)
• 88 Kerberos
• 110 POP3 (Post Office Protocol 3)
• 123 NTP
• 135 RPC
• 137-139 NetBIOS names (WINS)
• 220 IMAP
• 389 LDAP
• 443 HTTPS - SSL (Secure Socket Layer)
• 445 Microsoft DS, SMB
• 464 Kerberos v5
• 636 LDAP SSL
• 993 IMAP over SSL
• 996 POP over SSL
• 1701 L2TP
• 1723 PPTP
• 3269 Global Catalog
• 3389 Remote Desktop
• IPSec has no set port but is protocol 51 (AH) & 50 (ESP)

• See also: Port Requirements for the Microsoft Windows Server System (KB832017)

IPv6
• 128 bit address
  o Unicast IPv6 addresses are divided into 2 parts: a 64 bit network and 64 bit host.
  o Host component is typically based on MAC, or can be randomly generated
• Eight blocks of four hexadecimal digits
• Coloned hexadecimal
• Can be shortened by eliminating leading 0s:
  o 2001:0db8:0000:0000:0000:0000:1428:57ab
  o 2001:0db8:0000:0000:0000::1428:57ab
  o 2001:0db8:0:0:0:0:1428:57ab
  o 2001:0db8:0:0::1428:57ab
  o 2001:0db8::1428:57ab
  o 2001:db8::1428:57ab
• Special addresses
  o :: -- unspecified address
  o ::1 -- loopback
  o fe80::/10 -- link local (auto-configuration address, not routable)
  o 2001::/32 -- Teredo
  o 2002::/16 -- 6to4 addressing
  o fd00::/8 -- routable unicast (normal)

Since all Link-Local Addresses (LLAs) share the same network id (fe80::), you can't determine which interface an LLA is bound to just by looking at the address. If a PC has multiple network interface cards bound to different networks, each network is identified by a zone id. The zone id will follow a "%" sign.
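The address shortening, zone id and special-prefix rules above, as an added Python example that is not part of the study guide: it expands and compresses the coloned-hexadecimal form (every shortened form of the 2001:0db8 address above comes out the same), separates a %zone id, and names the special ranges listed. The classification labels and sample addresses are this example's own.

```python
# Added example (not from the study guide): IPv6 text handling as described
# above. Expands and compresses "coloned hexadecimal", splits a %zone id, and
# classifies the special prefixes the guide lists. Sample addresses are constructed.

HEX_DIGITS = set("0123456789abcdefABCDEF")


def split_zone(addr: str):
    """Separate a link-local zone id ("fe80::1%12" -> ("fe80::1", "12"))."""
    if "%" in addr:
        base, zone = addr.split("%", 1)
        return base, zone
    return addr, None


def expand_ipv6(addr: str) -> str:
    """Full eight-block, four-digit, lowercase form; the zone id is dropped."""
    addr, _ = split_zone(addr)
    if addr.count("::") > 1:
        raise ValueError(f"only one '::' is allowed: {addr}")
    if "::" in addr:
        head, tail = addr.split("::")
        head_blocks = head.split(":") if head else []
        tail_blocks = tail.split(":") if tail else []
        missing = 8 - len(head_blocks) - len(tail_blocks)
        if missing < 1:
            raise ValueError(f"'::' must stand for at least one zero block: {addr}")
        blocks = head_blocks + ["0"] * missing + tail_blocks
    else:
        blocks = addr.split(":")
    if len(blocks) != 8:
        raise ValueError(f"expected 8 blocks: {addr}")
    out = []
    for block in blocks:
        if not 1 <= len(block) <= 4 or any(c not in HEX_DIGITS for c in block):
            raise ValueError(f"bad block {block!r} in {addr}")
        out.append(f"{int(block, 16):04x}")
    return ":".join(out)


def compress_ipv6(addr: str) -> str:
    """Shortest form: drop leading zeros in each block and replace the longest
    run of two or more all-zero blocks (leftmost on a tie) with '::'."""
    blocks = [f"{int(b, 16):x}" for b in expand_ipv6(addr).split(":")]
    best_start, best_len = -1, 0
    i = 0
    while i < 8:
        if blocks[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and blocks[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(blocks)
    head = ":".join(blocks[:best_start])
    tail = ":".join(blocks[best_start + best_len:])
    return f"{head}::{tail}"


def classify_ipv6(addr: str) -> str:
    """Name the special ranges from the list above (labels are this example's own)."""
    words = [int(b, 16) for b in expand_ipv6(addr).split(":")]
    if words == [0] * 8:
        return "unspecified"
    if words == [0] * 7 + [1]:
        return "loopback"
    if words[0] & 0xFFC0 == 0xFE80:           # fe80::/10: top 10 bits 1111111010
        return "link-local"
    if words[0] == 0x2001 and words[1] == 0:  # 2001::/32
        return "teredo"
    if words[0] == 0x2002:                    # 2002::/16
        return "6to4"
    if words[0] >> 8 == 0xFD:                 # fd00::/8
        return "fd00::/8 unicast"
    return "other"


if __name__ == "__main__":
    forms = ["2001:0db8:0000:0000:0000:0000:1428:57ab",
             "2001:0db8:0000:0000:0000::1428:57ab",
             "2001:0db8:0:0:0:0:1428:57ab", "2001:0db8:0:0::1428:57ab",
             "2001:0db8::1428:57ab", "2001:db8::1428:57ab"]
    for f in forms:  # every shortened form expands and compresses identically
        print(f"{f:40} -> {expand_ipv6(f)} -> {compress_ipv6(f)}")
    base, zone = split_zone("fe80::2c4:a1ff:fe12:3456%12")  # constructed LLA
    print(base, "zone", zone, classify_ipv6(base))
```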

Teredo
Teredo client: a computer enabled with both IPv6 and IPv4 that is located behind a router performing IPv4 NAT. The Teredo client creates a Teredo tunneling interface and configures a routable IPv6 address with the help of a Teredo server. Through this interface, Teredo clients communicate with other Teredo clients or with other IPv6 hosts on the IPv6 Internet.

Teredo Server: a public server connected both to the IPv4 Internet and the IPv6 Internet. Its job is to perform configuration of addresses of the Teredo clients while also configuring the initial communication.
Teredo Relay: a Teredo Relay is a Teredo tunnel endpoint. It is an IPv6/IPv4 router that can forward packets between Teredo clients on the IPv4 Internet and IPv6-only hosts.

DHCP
When a DHCP client boots it broadcasts a DHCP Discover packet. All DHCP servers with a valid available address will respond to this packet with a DHCP Offer. The client selects one of these offers to accept and then sends a DHCP Request. The issuing server responds with a DHCP Acknowledgement. This process is commonly known as DORA.

If no offer is received, the client will rebroadcast its Discover at 2, 4, 8, and 16 seconds (+/- a randomized delay of up to 1 second). If after all this no Offer is received, the client will revert to APIPA and retry the process every five minutes. APIPA ensures that computers in a broadcast domain can communicate with each other even without a DHCP server.

At 50% of the lease duration, the client will begin renewal attempts. This consists of a renewal Request from the client, and an Ack by the originally issuing server. If the issuing server is not available at 87.5% of the lease duration, a general Discover packet is issued as in the initial boot process. If a client requests renewal of an invalid address, the server will issue a DHCP deny (NAK), which forces the client to release its current address and begin the DORA process again.

Information contained in a DHCP offer must include an IP address and subnet mask. It may include a number of optional parameters: gateway address, DNS server address, WINS server address, disable NetBIOS over TCP, and release DHCP Lease on Shutdown. Note that an APIPA configuration contains no information beyond IP address and subnet mask.

The DHCP process occurs on UDP ports 67 & 68, which may not be forwarded by some switches in default configuration. It may be necessary to configure broadcast forwarding on these ports before deploying DHCP.

Unless otherwise specified in the DHCP options, a client will not release its DHCP address on shutdown. It will automatically attempt renewal on restart. If the issuing server is not available, but the gateway is reachable, the client will continue using the lease until its expiration. If the default gateway is also unreachable, the client will release the IP and use APIPA until a DHCP server is available. DHCP clients can be manually manipulated using the ipconfig /release & /renew commands. These can be useful when moving computers, or renumbering a network.
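The two troubleshooting checks described in the APIPA section and here (an adapter showing 169.254.x.x, and where a lease sits on the 50% / 87.5% renewal timeline), as an added Python example that is not from the study guide. It parses a constructed listing shaped like Windows Server 2008 "ipconfig /all" output; the adapter names, addresses and times are sample values.

```python
# Added example (not from the study guide): read a captured "ipconfig /all"
# listing, flag adapters that fell back to an APIPA (169.254.x.x) address,
# and place a DHCP lease on the 50% / 87.5% renewal timeline described above.
import re
from datetime import datetime, timedelta

# Constructed sample shaped like Windows Server 2008 "ipconfig /all" output.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . : fabrikam.com
   DHCP Enabled. . . . . . . . . . . : Yes
   IPv4 Address. . . . . . . . . . . : 192.168.1.50(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Lease Obtained. . . . . . . . . . : Thursday, August 19, 2010 8:00:00 AM
   Lease Expires . . . . . . . . . . : Friday, August 20, 2010 8:00:00 AM
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.10

Ethernet adapter Local Area Connection 2:

   DHCP Enabled. . . . . . . . . . . : Yes
   Autoconfiguration IPv4 Address. . : 169.254.37.12(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
"""
SAMPLE_NOW = datetime(2010, 8, 19, 23, 0, 0)  # constructed "current time"

ADAPTER_RE = re.compile(r"^(\S.*adapter .*):\s*$")
FIELD_RE = re.compile(r"^\s+(.+?)[ .]*: ?(.*)$")
LEASE_FMT = "%A, %B %d, %Y %I:%M:%S %p"  # format of the Lease lines above


def parse_lease_time(text: str) -> datetime:
    return datetime.strptime(text, LEASE_FMT)


def parse_ipconfig(text: str) -> list:
    """Group 'label . . . : value' lines under their adapter heading."""
    adapters = []
    for line in text.splitlines():
        head = ADAPTER_RE.match(line)
        if head:
            adapters.append({"name": head.group(1), "fields": {}})
            continue
        field = FIELD_RE.match(line)
        if field and adapters:
            adapters[-1]["fields"][field.group(1)] = field.group(2).strip()
    return adapters


def is_apipa(address: str) -> bool:
    """169.254.x.x means no DHCP server answered (down, scope exhausted, or link cut)."""
    return address.startswith("169.254.")


def lease_phase(obtained: datetime, expires: datetime, now: datetime) -> str:
    """bound -> renewing (50%: unicast Request to the issuing server) ->
    rebinding (87.5%: broadcast as in the initial boot process) -> expired."""
    duration = expires - obtained
    if duration <= timedelta(0):
        raise ValueError("lease must expire after it was obtained")
    if now < obtained + duration * 0.5:
        return "bound"
    if now < obtained + duration * 0.875:
        return "renewing"
    if now < expires:
        return "rebinding"
    return "expired"


def check_adapters(text: str, now: datetime) -> list:
    """One finding per adapter: its address, whether it is APIPA, and lease phase."""
    report = []
    for adapter in parse_ipconfig(text):
        fields = adapter["fields"]
        address = next((v.split("(")[0] for k, v in fields.items()
                        if "IPv4 Address" in k or k == "IP Address"), "")
        entry = {"name": adapter["name"], "address": address,
                 "apipa": is_apipa(address), "phase": None}
        if entry["apipa"]:
            entry["note"] = "APIPA address: client is not getting a lease from DHCP"
        elif "Lease Obtained" in fields and "Lease Expires" in fields:
            entry["phase"] = lease_phase(parse_lease_time(fields["Lease Obtained"]),
                                         parse_lease_time(fields["Lease Expires"]), now)
        report.append(entry)
    return report


def demo_report() -> list:
    """Run the check over the constructed sample at the constructed time."""
    return check_adapters(SAMPLE_IPCONFIG, SAMPLE_NOW)


if __name__ == "__main__":
    for finding in demo_report():
        print(finding)
```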

Configuring TCP/IP
• Dynamically
  o Obtain an IP address automatically
  o Default setting
• Statically
  o Use the following IP address
  o Manually enter IP address
     Subnet Mask
     Default Gateway
     DNS Server
       Use alternate for Fault Tolerance; alternate will respond when preferred does not
       Optimize name resolution by directing clients to local DNS servers

IP addresses can be configured either dynamically or statically. To configure the settings, go to the Properties of the Network Interface Card located in the Network Connections dialog box. On the General tab, select Internet Protocol and Properties. The Properties for the IP settings will open. The General tab provides radio buttons to choose either to Obtain an IP address automatically or to assign a static address. When selecting to obtain an address dynamically, a DHCP server must be running in the network in order to obtain an address. If not, an APIPA address will be assigned. This is the default setting. To statically enter an IP address, select Use the following IP address. The IP address and subnet mask must be manually keyed. The Default Gateway, which is the near side of the router, is optional. It must be provided if Internet or remote communication is desired. When obtaining an IP address automatically, all other options can be configured dynamically as well, including the DNS server addresses. DNS provides name resolution for the network and is necessary for the Windows Server 2008 network along with communicating on the Internet. This address points to a DNS server that can provide name resolution. If statically entered, the Preferred DNS server is the first server that will be contacted. The Alternate DNS server is only used if the preferred server is unavailable.

Advanced TCP/IP Settings
• Multiple IP Addresses
  o More than one IP address per adapter
  o Select Advanced from General tab
• Alternate IP Address
  o Tab available with "Obtain an IP address automatically" enabled
  o Provides alternate address in case DHCP server is not available
  o APIPA is default (169.254.X.Y)
  o Static address can be configured

The advanced settings include the capability of statically assigning multiple addresses to one network interface and configuring an alternate static address for an automatically assigned IP address.

Multiple IP Addresses
There are many reasons multiple IP addresses may be required on a single interface. One reason would be a web server hosting multiple web sites. To configure multiple IP addresses, select the Advanced button at the bottom of the Properties window where the original IP address has been assigned. At the top of the IP Settings tab, there is an Add button. Select this and enter the additional IP address and subnet mask. Once the addresses are added here, they will then be available to select throughout the system.

Alternate (Static) IP Address
This feature provides an alternative to APIPA if a DHCP server is not available. When configuring the IP address, if automatically assigned is selected, a second tab is available for Alternate Configuration. Select the tab to see that APIPA is selected by default. When User Configured is selected, an alternative, static configuration can be entered. IP address, subnet mask, default gateway, 2 DNS servers and 2 WINS servers can be configured. These options will not be used unless DHCP is unavailable.

IP Troubleshooting Tools
• IPConfig
  o View IP settings
• Ping
  o Check name resolution
  o Test connectivity
  o IP address or FQDN
• Tracert
  o Trace the route (hops) for a specific IP address or FQDN
  o -d for 'no name resolution'
• PathPing
  o Combination of Tracert and Ping: traces route and provides statistics for lost packets
  o Slower than the others

IPConfig
This is probably the most used tool, next to Ping. This tool displays a view of the IP configuration along with executing other tasks. When entered by itself, IPConfig will show the network interfaces configured with the IP address, subnet mask and default gateway. To see all the configuration settings, type IPConfig /all. This will show all the network interface information including any additional options that have been configured (DNS, WINS), whether it is enabled for DHCP, the DHCP server address where it obtained its address, the lease for the address, the host name, the DNS suffix being used and the MAC address of the interface. Some of the other tasks that can be executed with IPConfig involve DNS and DHCP. Use /release and /renew to refresh a DHCP configured address and /registerdns, /flushdns and /displaydns for DNS. These force registration of the client in DNS, flush the DNS cache, and show the entries in the DNS cache respectively.

Ping
Ping is a command-line utility used to test connectivity. The IP address or fully qualified domain name (FQDN) can be used to execute a ping. A Ping sends out 4 packets to the specified address/FQDN and waits for a reply. The four responses are then displayed. This is the first thing to do when troubleshooting a connection. The rule for troubleshooting is to start with yourself and then work out. Ping the loopback address (127.0.0.1), then the local host address. Then try a host on the same subnet. Then try the default gateway address. If all those work, then ping a remote address. If all hosts return a ping, then start looking at other possibilities. Most of the time, if there are connectivity problems, one of the ping attempts will fail. It can be a bad cable, bad device or incorrect addressing that is causing the failure. This gives a better place to start looking for the problem.

Tracert
The Tracert command is used with either an IP address or a fully qualified domain name (FQDN) to trace the route of the packet. It will display each time the packet touches a router as a hop. If the packet is not reaching its destination, this can assist with tracking down where it is being dropped. Many times it may be a firewall or proxy server that has been put in place that does not allow packets from the source area to pass.

PathPing
Traces the route a packet takes to a destination and displays information on packet losses for each router in the path. This gives detailed statistics about the packet and its path.

Event Viewer
• View events from multiple event logs
• Save useful event filters as custom views that can be reused
• Schedule a task to run in response to an event
• Create and manage subscriptions

Event Viewer is a Microsoft Management Console that allows you to browse and manage event logs. It is a useful tool for monitoring the health of systems and troubleshooting issues when they arise. When looking for improper logon events, an administrator must examine the Security log of every DC that may have received the logon requests.

Viewing events from Multiple Logs: When you use Event Viewer to troubleshoot a problem, you need to locate events related to the problem, regardless of which event log they appear in. To specify a filter that spans multiple logs, you need to create a custom View.

Reusable Custom Views: When you work with Event Logs, your primary challenge is to narrow the set of events to just those that you are interested in. Sometimes this involves a good deal of effort. Now, Event Viewer allows you to save these custom views once they are created.

Integration with Task Scheduler: By right-clicking on a task, you are now able to schedule a task to run when that specific event is logged in the future.

Event Subscriptions: You can collect events from remote computers and store them locally by creating event subscriptions. This is definitely testable!!!

Event Subscriptions
• Configure Forwarding computer
  o Winrm quickconfig (Windows Remote Management)
  o Add the server to the Event Log Readers Group
• Configure Collecting computer
  o Wecutil qc (Windows Event Collector)
  o Configure the subscription - set up collection of Event Viewer data

You will have one machine that forwards Event Viewer data (Forwarding computer) and one computer that collects the data (Collector), and then you create a subscription on the Collecting computer for what should be collected (all entries are probably not that interesting).

Configure Forwarding computer
1. On the Forwarding computer run an elevated cmd (or PowerShell) and configure the Windows Remote Management service to be started and create a listener on the default port tcp/80 (it is encrypted by SSP even under HTTP; it is possible to set it up to run under HTTPS if needed, but that is not included in this KB). Run the following command: winrm quickconfig
2. If you have Windows Firewall enabled it will ask you if you want to create an exception for this port; type Y to do so.
3. To decide who can collect Event Viewer data from this Forwarding computer you must add the people or machine to the Event Log Readers group. This can be done with the graphical MMC, but since we already have an elevated cmd from running the winrm command we will use that to add our Collecting computer to the Event Log Readers group using the net localgroup command: net localgroup "Event Log Readers" Server3$@fabrikam.com /add
Notice: Don't forget the $ sign after the computer name.

Configure Collecting computer
On the collecting computer (must run Windows Vista or Windows Server 2008) run the following command in an elevated cmd to collect data from the Forwarding computer:
1. wecutil qc
Normally you are more interested in errors than in entries telling you that services started successfully, so we will create an Event Subscription that only forwards entries from Event Viewer on the Collecting computer that have the Event level Critical or Error.
2. In Event Viewer right-click the folder Subscriptions and choose Create Subscription.
3. Add the following data at minimum: Subscription Name
4. Press the Add button and add the Forwarding machine.
   a. NOTICE: Don't panic at the message "Error: Source status unavailable"; it is normal and will be gone when you save the subscription!
5. Press Select Events.

Check the forwarded Event Viewer entries
Event Viewer -> Windows Logs -> Forwarded Events **It may take up to 15 minutes before the error messages show up in the Forwarded Events Log.

DFS -- Distributed File System
• WAN-friendly replication
• Simplified, highly-available access to geographically dispersed files
• Two technologies in DFS:
  o DFS Namespaces
  o DFS Replication

DFS Namespaces. Enables you to group shared folders that are located on different servers into one or more logically structured namespaces. Each namespace appears to users as a single shared folder with a series of subfolders. This structure increases availability and automatically connects users to shared folders in the same Active Directory Domain Services site, when available, instead of routing them over WAN connections.

DFS Replication. DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders synchronized between servers across limited bandwidth network connections. It replaces the File Replication Service (FRS) as the replication engine for DFS Namespaces, as well as for replicating the AD DS SYSVOL folder in domains that use the Windows Server 2008 domain functional level.

DFS Namespaces
A namespace is a virtual view of shared folders in an organization. The path to a namespace is similar to a Universal Naming Convention (UNC) path to a shared folder, such as \\Server1\Public\Software\Tools. In this example, the shared folder Public and its subfolders Software and Tools are all hosted on Server1.

A namespace server hosts a namespace. The namespace server can be a member server or a domain controller.

The namespace root is the starting point of the namespace. In the previous figure, the name of the root is Public, and the namespace path is \\Contoso\Public. This type of namespace is a domain-based namespace because it begins with a domain name (for example, Contoso) and its metadata is stored in Active Directory Domain Services (AD DS). Although a single namespace server is shown in the previous figure, a domain-based namespace can be hosted on multiple namespace servers to increase the availability of the namespace.

Folders without folder targets add structure and hierarchy to the namespace, and folders with folder targets provide users with actual content. When users browse a folder that has folder targets in the namespace, the client computer receives a referral that transparently redirects the client computer to one of the folder targets.

A folder target is the UNC path of a shared folder or another namespace that is associated with a folder in a namespace. The folder target is where data and content is stored. In the previous figure, the folder named Tools has two folder targets, one in London and one in New York, and the folder named Training Guides has a single folder target in New York. A user who browses to \\Contoso\Public\Software\Tools is transparently redirected to the shared folder \\LDN-SVR-01\Tools or \\NYC-SVR-01\Tools, depending on which site the user is currently located in.

Create a namespace
1. Click Start, point to Administrative Tools, and then click DFS Management.
2. In the console tree, right-click the Namespaces node, and then click New Namespace.
3. Follow the instructions in the New Namespace Wizard.

To create a folder in a namespace
1. Click Start, point to Administrative Tools, and then click DFS Management.
2. In the console tree, under the Namespaces node, right-click a namespace or a folder within a namespace, and then click New Folder.
3. In the Name text box, type the name of the new folder.

4. To add one or more folder targets to the folder, click Add and specify the Universal Naming Convention (UNC) path of the folder target, and then click OK.

To add a folder target
1. Click Start, point to Administrative Tools, and then click DFS Management.
2. In the console tree, under the Namespaces node, right-click a folder, and then click Add Folder Target.
3. Type the path to the folder target, or click Browse to locate the folder target.
4. If the folder is replicated by using DFS Replication, you can specify whether to add the new folder target to the replication group.

Note - Folders can contain folder targets or other DFS folders, but not both, at the same level in the folder hierarchy.

DFS Replication
DFS Replication is an efficient, multiple-master replication engine that you can use to keep folders synchronized between servers across limited bandwidth network connections. It replaces the File Replication service (FRS) as the replication engine for DFS Namespaces, as well as for replicating the Active Directory Domain Services (AD DS) SYSVOL folder in domains that use the Windows Server 2008 domain functional level. For more information about replicating SYSVOL using DFS Replication, see the Microsoft Web site (http://go.microsoft.com/fwlink/?LinkId=93057).

DFS Replication uses a compression algorithm known as remote differential compression (RDC). RDC detects changes to the data in a file and enables DFS Replication to replicate only the changed file blocks instead of the entire file.

To use DFS Replication, you must create replication groups and add replicated folders to the groups. Replication groups, replicated folders, and members are illustrated in the above figure. This figure shows that a replication group is a set of servers, known as members, which participates in the replication of one or more replicated folders. A replicated folder is a folder that stays synchronized on each member. In the figure, there are two replicated folders: Projects and Proposals. As the data changes in each replicated folder, the changes are replicated across connections between the members of the replication group. The connections between all members form the replication topology.

Creating multiple replicated folders in a single replication group simplifies the process of deploying replicated folders because the topology, schedule, and bandwidth throttling for the replication group are applied to each replicated folder. To deploy additional replicated folders, you can use Dfsradmin.exe or follow the instructions in a wizard to define the local path and permissions for the new replicated folder.

Each replicated folder has unique settings, such as file and subfolder filters, so that you can filter out different files and subfolders for each replicated folder. The replicated folders stored on each member can be located on different volumes in the member, and the replicated folders do not need to be shared folders or part of a namespace. However, the DFS Management snap-in makes it easy to share replicated folders and optionally publish them in an existing namespace. You can administer DFS Replication by using DFS Management, the DfsrAdmin and Dfsrdiag commands, or scripts that call WMI.

Create a replication group
1. Click Start, point to Administrative Tools, and then click DFS Management.
2. In the console tree, right-click the Replication node, and then click New Replication Group.
3. Follow the instructions in the New Replication Group Wizard.

When you first set up replication, you must choose a primary member. Choose the member that has the most up-to-date files that you want to replicate to all other members of the replication group, because the primary member's content is considered "authoritative." This means that during initial replication, the primary member's files will always win the conflict resolution that occurs when the receiving members have files that are older or newer than the associated files on the primary member. The following concepts will help you better understand the initial replication process:

Initial replication does not begin immediately. The topology and DFS Replication settings must be replicated to all domain controllers, and each member in the replication group must poll its closest domain controller to obtain these settings. The amount of time this takes depends on AD DS replication latency and the long polling interval (60 minutes) on each member.

Initial replication always occurs between the primary member and the receiving replication partners of the primary member. After a member has received all files from the primary member, that member will replicate files to its receiving partners as well. In this way, replication for a new replicated folder starts from the primary member and then progresses to the other members of the replication group.

When receiving files from the primary member during initial replication, if a receiving member contains files that are not present on the primary member, those files are moved to their respective DfsrPrivate\PreExisting folder. If a file is identical to a file on the primary member, the file is not replicated. If the version of a file on the receiving member is different from the primary member's version, the receiving member's version is moved to the Conflict and Deleted folder and remote differential compression (RDC) can be used to download only the changed blocks. To determine whether files are identical on the primary member and receiving member, DFS Replication compares the files by using a hash algorithm. If the files are identical, only minimal metadata is transferred.

After the initialization of the replicated folder, when all existing files in the replicated folder are added to the DFS Replication database, the primary member designation is removed. That member is then treated like any other member and its files are no longer considered authoritative over other members that have completed initial replication. Any member that has completed initial replication is considered authoritative over members that have not completed initial replication.

Create a replicated folder
1. Click Start, point to Administrative Tools, and then click DFS Management.
2. In the console tree, under the Replication node, right-click a replication group, and then click New Replicated Folders.
3. Follow the instructions in the New Replicated Folders Wizard.

Note: Replication of the new replicated folder does not begin immediately. The new DFS Replication settings must be replicated to all domain controllers, and each member in the replication group must poll its closest domain controller to obtain these settings. The amount of time this takes depends on AD DS replication latency and the long polling interval (60 minutes) on each member.

DFS Requirements
• Members of the replication group must be running 2003 R2 or 2008
• Install File Services Role with DFS Replication Role Service
• Replicated folders must be stored on NTFS volumes
• Not available on Server Core
• Single Forest Only
• Third-party software must be compatible with DFS Replication:
  o Defragmentation/disk maintenance
  o Antivirus
  o Backup
• Not fully compatible with/aware of clustering; if deployed on a cluster node, locate replicated folders on the local storage of the node, not on shared storage.

DFS Commands
• DFSUtil
• DFSdiag
• DFSradmin

Windows Server 2008 includes an updated version of the DFSUtil command, the new DFSdiag command, and the new DFSradmin command, which you can use to diagnose namespace issues. The test is mainly concerned with DFSUtil.

DFSUtil Examples

Example 1: Control a DFS Client's Ability to Link to Sites
Enabling the insite setting of a DFS server is useful when:
• You don't want the DFS clients to connect outside the site.
• You don't want the DFS client to connect to a site other than the site it is in, and hence avoid using expensive WAN links.
Dfsutil /insite:\\example.com\dfsroot /enable
After using this command statement, clients will not get any referral for a replica outside the dfsroot site. This means that if the Replica sets in the client Site are down, the client will not do a failover to a Replica set in another site.
Disabling the insite setting of a DFS server is useful when you want to enable outside site referrals. If you want your DFS clients to be able to link to outside sites when no local server is available, and the DFS clients never seem to link outside the site, it may be because connectivity has been limited to an internal site using the /insite enable setting. Disabling this setting will restore the ability of clients to link outside the site. To reset your site preferences, type the following at the command prompt:
DFSUtil /insite:\\example.com\Sales /disable

Example 2: Configure a DFS Server to be Site Cost Aware
You want DFS clients to be able to connect outside the internal site, but you want clients to connect to the closest site first, saving the expensive network bandwidth. You want to maintain high availability as a priority, but obviously you want DFS clients to connect to closer sites rather than farther sites when the former are reachable and up. To configure the server to be site cost aware, type either of the following statements at the command line:
DFSUtil /sitecosting:\\example.com\sales /enable
DFSUtil /root:\\example.com\sales /sitecosting /enable


Now the server sends a referral list composed of the randomly ranked targets in the same site as the client, followed by the targets in the next closest site to the client's site, then the targets in the second closest site, the third, and so on.

Example 3: Back up the DFS Namespace
You want to back up the DFS namespace for a specified root so that you can restore it later in case of a system crash and loss of the namespace. Backing up namespace information is especially important when you have large namespaces. Using a single command per root, you can back up the namespace to a simple file. The file is in XML format. To back up a namespace, type the following at the command line:

DFSUtil /root:\\example.com\sales /export:c:\NameSpaceBackups\Dir\file.txt

Note: The export file is XML in Windows Server 2003 DFS. This means that if your current DFS is a prior version and the output file comes from that prior version, it must be converted to the XML format used by the /import parameter.

Example 4: Restore the DFS Namespace from a Backup
Your system has crashed and you have lost your namespace data. To restore the namespace, type the following at the command line:

DFSUtil /root:\\example.com\sales /import:c:\NameSpaceBackups\Dir\file.txt /set
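A scripted version of Example 3, added here as an example and not part of the study notes: it exports each root with dfsutil /export and then checks that the file is well-formed XML, which is what /import expects. The root paths, the backup folder, and the Root/Link element names of the Windows Server 2003 export format are assumptions.

```powershell
# Added example (not from the study notes): export one or more namespace roots
# with dfsutil /export and verify each export is well-formed XML before relying
# on it for /import. Root paths and the backup folder are assumptions;
# dfsutil.exe must be on the PATH.
function Backup-DfsNamespace {
    param(
        [Parameter(Mandatory)] [string[]] $RootPath,       # e.g. '\\example.com\sales'
        [string] $BackupDir = 'C:\NameSpaceBackups'
    )

    if (-not (Test-Path -Path $BackupDir)) {
        New-Item -ItemType Directory -Path $BackupDir | Out-Null
    }
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'

    foreach ($root in $RootPath) {
        # Build a file name from the root: \\example.com\sales -> example.com_sales
        $name = $root.TrimStart('\') -replace '[\\/:*?"<>|]', '_'
        $file = Join-Path -Path $BackupDir -ChildPath "$name-$stamp.xml"

        # dfsutil /root:<path> /export:<file>  (no space after either colon)
        & dfsutil.exe "/root:$root" "/export:$file" | Out-Null
        if ($LASTEXITCODE -ne 0) {
            Write-Warning "Export of $root failed (exit code $LASTEXITCODE)"
            continue
        }

        # An export written by a pre-Windows Server 2003 dfsutil is not XML and
        # must be converted before /import will accept it; detect that now
        # rather than during a restore.
        try {
            $xml = [xml](Get-Content -Path $file)
            New-Object PSObject -Property @{
                Root    = $root
                File    = $file
                Element = $xml.DocumentElement.Name   # assumed 'Root' for a 2003-format export
                # assumed: links are <Link> children of the root element
                Links   = @($xml.DocumentElement.SelectNodes('Link')).Count
            }
        } catch {
            Write-Warning "$file is not well-formed XML; convert it before using /import"
        }
    }
}

# Usage (assumed roots):
# Backup-DfsNamespace -RootPath '\\example.com\sales', '\\example.com\dfsroot'
```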


Shadow Copy
Shadow copying of files in shared folders is a feature administrators can use to create backup copies of files on designated volumes automatically. You can think of these backup copies as point-in-time snapshots that can be used to recover previous versions of files. Normally, when a user deletes a file from a shared folder, it is immediately deleted and doesn’t go to the local Recycle Bin. This means the only way to recover it is from backup. The reason for this is that when you delete files over the network, the files are permanently deleted on the remote server and never make it to the Recycle Bin. This problem changes with shadow copying. If a user deletes a file from a network share, she can go back to a previous version and recover it, and she can do this without needing assistance from an administrator.

Volume Shadow Copy service is a new feature of Microsoft Windows Server 2003. It offers two important features:

• Shadow copying of files in shared folders: Allows you to configure volumes so that shadow copies of files in shared folders are created automatically at specific intervals during the day. This allows you to go back and look at earlier versions of files stored in shared folders. You can use these earlier versions to recover deleted, incorrectly modified, or overwritten files. You can also compare versions of files to see what changes were made over time. Up to 64 versions of files are maintained.
• Shadow copying of open or locked files for backups: Allows you to use backup programs, such as Windows Backup, to back up files that are open or locked. This means you can back up when applications are using the files and no longer have to worry about backups failing because files were in use. Backup programs must implement the Volume Shadow Copy application programming interface (API).

Both features are independent of each other. You do not need to enable shadow copying of a volume to be able to back up open or locked files on a volume.

Using Shadow Copies of Shared Folders
Shadow copies of shared folders are designed to help recover files that were accidentally deleted, corrupted, or inappropriately edited. Once you configure shadow copies on a server, the server creates and maintains previous versions of all files and folders created on the volumes you’ve specified. It does this by creating snapshots of shared folders at predetermined intervals and storing these images in shadow copy storage in such a way that users and administrators can easily access the data to recover previous versions of files and folders. Shadow Copies for Shared Folders is made possible through the Shadow Copy API. The shadow copy driver (Volsnap.sys) and the Volume Shadow Copy service executable (Vssvc.exe) are key components used by this API.


Shadow copy client configuration
Before users can access previous versions, the client must be installed on their computer. Two clients are available:
• Previous Versions Client
• Shadow Copy Client

With either client, users can access the Previous Versions tab by right-clicking a shared file or folder, selecting Properties, and choosing Previous Versions. Users will then be able to view a version of a file, save a version of a file to a new location, or restore a previous version of a file. The clients can be distributed through Group Policy or Microsoft Systems Management Server (SMS). You can also simply copy the file to a user’s computer. Both clients are made available as MSI packages that require Microsoft Windows Installer 2 or later, which is available automatically on Microsoft Windows XP or later versions of the Windows operating system.

Installing the Previous Versions Client
The Previous Versions client is stored in the %SystemRoot%\System32\Clients\Twclient\X86 folder. Its installer is named Twcli32.msi. Computers running:
• Windows Server 2003
• Windows XP
• Microsoft Windows 2000 Service Pack 3+
• Microsoft Windows 98

can use this client. Once the client is on the user’s computer, you run it by double-clicking it. This starts the Previous Versions Client Setup Wizard. The wizard automatically installs the client, and you only need to click Next and then click Finish.

Installing the Shadow Copy Client
The Shadow Copy Client can be downloaded from the Microsoft Web site. Its installer is ShadowCopyClient.msi. Computers running:
• Windows Server 2003
• Windows XP
• Windows 2000 Service Pack 3+


can use this client. If you use this client with earlier versions of the Windows operating system, you must install the Shadow Copy Client on both the servers using shadow copies and the user computers that must access shadow copies.

Configuring Shadow Copies in Computer Management
You can use Computer Management to configure shadow copying by following these steps:
• Start Computer Management.
• Expand Storage.
• Select Disk Management.
• Right-click a volume in the Disk Management Volume or Graphical View.
• Select Properties.
• In the Properties dialog box, select the Shadow Copies tab.
• Select the volume for which you want to configure shadow copies, and then click Settings. This displays the Settings dialog box.
• Use the Located On This Volume selection list to specify where the shadow copies should be created. Shadow copies can be created on the volume you are configuring or any other volume available on the computer.
• Click Details to see the free space and total available disk space on the selected volume, and then click OK.


• Use the Maximum Size options to set the maximum size that shadow copies for this volume can use.
• Click Schedule to display the schedule dialog box. Two run schedules are set automatically. Use the selection list to view these schedules. If you don’t want to use a scheduled run time, select it, and then click Delete. To add a run schedule, configure the run times using the Schedule Task, Start Time, and Schedule Task Weekly options, then click New. When you are finished configuring run times, click OK twice to return to the volume’s Properties dialog box.
• Select the volume on which you want to enable shadow copies.
• Click Enable.
• When prompted, click Yes to confirm the action. Windows will then create a snapshot of the volume.
• Configure any additional volumes for shadow copying by repeating steps 3 through 8.
• Click OK when you are finished.

Enabling Shadow Copying from the Command Line
To enable shadow copying of a volume, you use the ADD SHADOWSTORAGE command. The syntax is as follows:

vssadmin add shadowstorage /for=ForVolumeSpec /on=OnVolumeSpec

with the following parameter definitions:
• /for=ForVolumeSpec specifies the local volume for which you are configuring or managing shadow copies.
• /on=OnVolumeSpec specifies the volume on which the shadow copy data will be stored.

Consider the following example:

vssadmin add shadowstorage /for=c: /on=d:

Here, you are configuring the C volume to use shadow copies, and the shadow copy data is stored on D. Both values can be set to the same volume as well, such as:

vssadmin add shadowstorage /for=e: /on=e:

Here, you are configuring the E volume to use shadow copies, and the shadow copy data is stored on that same volume.


With vssadmin, shadow copying is configured by default so that there is no maximum size limit for shadow storage. To set a specific limit, you can use the /MaxSize parameter. This parameter expects a numeric value with one of the following suffixes:
• KB = kilobytes
• MB = megabytes
• GB = gigabytes
• TB = terabytes
• PB = petabytes
• EB = exabytes

This parameter must be set to 100 MB or greater.
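The vssadmin steps above as a script, added here as an example and not part of the study notes: it refuses an unbounded diff area, uses add or resize as appropriate, takes the first snapshot as the Computer Management UI does on Enable, and reads the result back through WMI. The volume letters and the 2 GB limit are assumptions; run it as an administrator.

```powershell
# Added example (not from the study notes): configure shadow storage for a
# volume with vssadmin, enforce a bounded /maxsize, create the first snapshot,
# and report the configuration now in effect. Volumes and limit are assumptions.
function Set-ShadowStorage {
    param(
        [Parameter(Mandatory)] [string] $ForVolume,   # volume to snapshot, e.g. 'C:'
        [Parameter(Mandatory)] [string] $OnVolume,    # volume holding the diff area, e.g. 'D:'
        [string] $MaxSize = '2GB'                     # number + KB/MB/GB/TB/PB/EB suffix
    )

    # Without /maxsize vssadmin places no limit on the diff area, which can then
    # grow until it fills $OnVolume; insist on an explicit suffix-form size.
    if ($MaxSize -notmatch '^\d+(KB|MB|GB|TB|PB|EB)$') {
        throw 'MaxSize must be a number followed by KB, MB, GB, TB, PB or EB (100 MB minimum)'
    }

    # Helper: the Win32_ShadowStorage entry for this volume pair, if one exists.
    # Volume and DiffVolume are WMI references, so cast them to [wmi] to read
    # the drive letter of the Win32_Volume they point at.
    $find = {
        Get-WmiObject -Class Win32_ShadowStorage | Where-Object {
            ([wmi]$_.Volume).DriveLetter -eq $ForVolume -and
            ([wmi]$_.DiffVolume).DriveLetter -eq $OnVolume
        }
    }

    # 'add' fails when storage already exists for the pair, so use 'resize' then.
    $verb = if (& $find) { 'resize' } else { 'add' }
    & vssadmin.exe $verb shadowstorage "/for=$ForVolume" "/on=$OnVolume" "/maxsize=$MaxSize" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "vssadmin $verb shadowstorage failed with exit code $LASTEXITCODE"
    }

    # Take the initial snapshot. Context 'ClientAccessible' is the persistent
    # snapshot type used by Shadow Copies of Shared Folders (Previous Versions).
    $result = ([wmiclass]'Win32_ShadowCopy').Create("$ForVolume\", 'ClientAccessible')
    if ($result.ReturnValue -ne 0) {
        throw "Win32_ShadowCopy.Create returned $($result.ReturnValue)"
    }

    # Report what is now configured for the volume.
    $store = & $find
    $volumeId = ([wmi]$store.Volume).DeviceID      # \\?\Volume{...}\ form
    New-Object PSObject -Property @{
        ForVolume   = $ForVolume
        OnVolume    = $OnVolume
        MaxSizeMB   = [math]::Round($store.MaxSpace / 1MB)
        UsedMB      = [math]::Round($store.UsedSpace / 1MB)
        ShadowCount = @(Get-WmiObject -Class Win32_ShadowCopy |
                        Where-Object { $_.VolumeName -eq $volumeId }).Count
        ShadowID    = $result.ShadowID
    }
}

# Usage (assumed volumes): Set-ShadowStorage -ForVolume 'C:' -OnVolume 'D:' -MaxSize '2GB'
```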

Consider the following example:

vssadmin add shadowstorage /for=c: /on=d: /maxsize=2GB

Here, you are configuring the C volume to use shadow copies, and the shadow copy data is stored on D. The maximum size allowed for the shadow storage is 2 GB.

The following table describes some common command-line tools to use when you manage Active Directory.

Tool - Description
Dsadd - Adds objects, such as computers, users, groups, organizational units, and contacts, to Active Directory.
Dsmod - Modifies objects, such as computers, servers, users, groups, organizational units, and contacts, in Active Directory.
Dsquery - Runs queries in Active Directory according to specified criteria. You can run queries against servers, computers, groups, users, sites, organizational units, and partitions.
Dsmove - Moves a single object, within a domain, to a new location in Active Directory, or renames a single object without moving it.
Dsrm - Deletes an object from Active Directory.
Dsget - Displays selected attributes of a computer, contact, group, organizational unit, server, or user in Active Directory.
Csvde - Imports and exports Active Directory data by using comma-separated format.
Ldifde - Creates, modifies, and deletes Active Directory objects. Can also extend the Active Directory schema, export user and group information to other applications or services, and populate Active Directory with data from other directory services.


Server Manager
Provides a console with which to manage the basic functions of the server. This utility has replaced Computer Management and has enhanced the functionality while still retaining some of the original features.

Server Manager Interface
• Roles
• Features
• Diagnostics
• Configuration
• Storage

Server Manager replaces "Configure Your Server" and Add/Remove Programs > Windows Components.

Roles
No roles are installed by default. For instance, DNS is now configured as a role of the server. To install DNS, you would need to add that role. Many roles have Role Services that can be installed. For instance, File Services is an available role on the server. The role services associated with the File Services role are things like DFS (Distributed File System), Windows Search Service, etc. Role Services add functionality to the Role. Another example of a role and role service is the Active Directory Domain Services role; the role service that gives it its functionality is the Active Directory Domain Controller role service. Roles and Role Services can be added, removed, and their status monitored from within the Roles page.

Features are software programs that enhance the functionality of the server. Features do not necessarily correspond with roles, though they sometimes do. For instance, the Failover Clustering feature can be used to augment the File Services or DHCP roles by enabling them to join server clusters. However, BitLocker Drive Encryption is a feature that is available regardless of the roles installed.

Diagnostics
• Event Viewer: An advanced tool that displays detailed information about significant events on your computer. Event viewer's main logs are the Application Log, the System Log, and the Security Log. Other logs are available, depending upon what roles and services are installed on the system


• Reliability and Performance Monitor: MMC snap-in utility that provides tools for analyzing a system's performance. Reliability and Performance Monitor allows an administrator to monitor hardware and software performance in real time, customize what data is collected, configure alerts, and generate reports.
• Device Manager: Allows a user to view the installed devices on a system, verify hardware functionality, and upgrade or roll back drivers.

Configuration
• Task Scheduler: Allows scheduling of automated tasks to perform actions at a specific time.
• Windows Firewall with Advanced Security: Combines a host firewall and IPsec. This is an extension of the basic Windows Firewall that includes stateful packet inspection and filtering.
• Services: Provides access to configure how services run. Services are programs or processes that run in the background and provide support to other programs.
• WMI Control: Windows Management Instrumentation (WMI) is the primary management technology for Windows operating systems. It enables consistent and uniform management, control, and monitoring of systems throughout your enterprise. Based on industry standards, WMI allows system administrators to query, change, and monitor configuration settings on desktop and server systems, applications, networks, and other enterprise components. System administrators can write scripts that use the WMI Scripting Library to work with WMI and create a wide range of systems management and monitoring scripts.

Storage
• Windows Server Backup: MMC snap-in and command-line utility that provides a complete solution for day-to-day backup and recovery needs. The GUI is wizard-driven for ease of use. This utility allows for the backup and recovery of the entire server, selected volumes only, or the system state data. The command-line tool is wbadmin.exe.
• Disk Management: System utility for managing the hard disks and the volumes or partitions they contain. As always, this utility is used to initialize disks, create volumes or partitions, format those volumes or partitions, and perform most other disk-related tasks. New functionality includes the ability to extend or shrink volumes, regardless of whether the disk is basic or dynamic.


Active Directory Lightweight Directory Services
By using the Windows Server 2008 Active Directory Lightweight Directory Services (AD LDS) role, formerly known as Active Directory Application Mode (ADAM), you can provide directory services for directory-enabled applications without incurring the overhead of domains and forests and the requirement of a single schema throughout a forest. AD LDS is a Lightweight Directory Access Protocol (LDAP) directory service that provides flexible support for directory-enabled applications, without the dependencies that are required for Active Directory Domain Services (AD DS). AD LDS provides much of the same functionality as AD DS, but it does not require the deployment of domains or domain controllers. You can run multiple instances of AD LDS concurrently on a single computer, with an independently managed schema for each AD LDS instance.

AD DS provides directory services for both the Windows Server operating system and for directory-enabled applications. For the server operating system, AD DS stores critical information about the network infrastructure, users and groups, network services, and so on. In this role, AD DS must adhere to a single schema throughout an entire forest. The AD LDS server role, on the other hand, provides directory services specifically for directory-enabled applications. AD LDS does not require or rely on Active Directory domains or forests. However, in environments where AD DS exists, AD LDS can use AD DS for the authentication of Windows security principals. You can use the AD LDS server role to create multiple AD LDS instances on a single computer. Each instance runs as a separate service in its own execution context.

The AD LDS server role includes the following features to make it easy to create, configure, and manage AD LDS instances:
• A wizard that guides you through the process of creating an AD LDS instance
• Command-line tools for performing unattended installation and removal of AD LDS instances
• Microsoft Management Console (MMC) snap-ins for configuring and managing AD LDS instances, including the schema for each instance
• AD LDS-specific command-line tools for managing, populating, and synchronizing AD LDS instances
In addition to these tools, you can also use many Active Directory tools to administer AD LDS instances.

The Windows Server 2008 operating system includes the following additional AD LDS features:


• Install from Media - with this feature, you can use a one-step Ntdsutil.exe or Dsdbutil.exe process (IFM generation) to create installation media for subsequent AD LDS installations.
• Audit AD LDS changes - with this feature, you can set up AD LDS auditing with a new audit subcategory to log old and new values when changes are made to objects and their attributes.
• Data Mining Tool (aka Database Mounting Tool) - with this feature, you can view directory data that is stored online in snapshots taken at different points in time, to better decide which data to restore without having to restart the server. Although the Active Directory database mounting tool does not recover deleted objects by itself, it helps streamline the process for recovering objects that have been accidentally deleted. Before the Windows Server 2008 operating system, when objects or organizational units (OUs) were accidentally deleted, the only way to determine exactly which objects were deleted was to restore data from backups. This approach had two drawbacks: Active Directory had to be restarted in Directory Services Restore Mode to perform an authoritative restore, and an administrator could not compare data in backups that were taken at different points in time (unless the backups were restored to various domain controllers, a process which is not feasible). The purpose of the Active Directory database mounting tool is to expose AD DS data that is stored in snapshots or backups online. Administrators can then compare data in snapshots or backups that are taken at different points in time, which in turn helps them to make better decisions about which data to restore, without incurring service downtime.
• Support for Active Directory Sites and Services - with this feature, you can use the Active Directory Sites and Services snap-in to manage replication among AD LDS instances. To use this tool, you must import the classes in MS-ADLDS-DisplaySpecifiers.LDF to extend the schema of the configuration set that you want to manage. To connect to an AD LDS instance that hosts your configuration set, specify the computer name and the port number of a server that hosts this AD LDS instance.
• Dynamic list of LDAP Data Interchange Format (LDIF) files - with this feature, you can make custom LDIF files available during AD LDS instance setup, in addition to the default LDIF files that are provided with AD LDS, by adding the files to the %systemroot%\ADAM directory before instance setup.

To learn more about AD LDS, click the AD LDS Help link in Server Manager.


ADRMS - Active Directory Rights Management Services
The Active Directory Rights Management Services (AD RMS) role service is a required role service that installs the AD RMS components used to publish and consume rights-protected content. The goal of an AD RMS deployment is to be able to protect information, no matter where it is moved. Once AD RMS protection is added to a digital file, the protection stays with the file. By default, only the content owner is able to remove the protection from the file. The owner can grant rights to other users to perform actions on the content, such as the ability to view, copy, or print the file.

By using AD RMS and the AD RMS client, you can augment an organization's security strategy by protecting information through persistent usage policies, which remain with the information no matter where it is moved. You can use AD RMS to help prevent sensitive information, such as financial reports, product specifications, customer data, and confidential e-mail messages, from intentionally or accidentally getting into the wrong hands.

An AD RMS system includes a Windows Server 2008-based server running the AD RMS server role that handles certificates and licensing, a database server, and the AD RMS client. The latest version of the AD RMS client is included as part of the Windows Vista operating system. AD RMS runs on a computer running the Windows Server 2008 operating system. When the AD RMS server role is installed, the required services are installed, one of which is Internet Information Services (IIS). AD RMS also requires a database such as Microsoft SQL Server, which can run either on the same server as AD RMS or on a remote server, and an Active Directory Domain Services forest. The AD RMS-enabled client must have an AD RMS-enabled browser or application, such as Microsoft Word, Outlook, or PowerPoint in Microsoft Office 2007. In order to create rights-protected content, Microsoft Office 2007 Enterprise, Professional Plus, or Ultimate is required. For additional security, AD RMS can be integrated with other technologies such as smart cards. Windows Vista includes the AD RMS client by default, but other client operating systems must have the RMS client installed. The RMS client with Service Pack 2 (SP2) can be downloaded from the Microsoft Download Center and works on versions of the client operating system earlier than Windows Vista and Windows Server 2008.


AD RMS Benefits
Safeguard sensitive information. Applications such as word processors, e-mail clients, and line-of-business applications can be AD RMS-enabled to help safeguard sensitive information. Users can define who can open, modify, print, forward, or take other actions with the information. Organizations can create custom usage policy templates such as "confidential - read only" that can be applied directly to the information.

Persistent protection. AD RMS augments existing perimeter-based security solutions, such as firewalls and access control lists (ACLs), for better information protection by locking the usage rights within the document itself, controlling how information is used even after it has been opened by intended recipients.

Flexible and customizable technology. Independent software vendors (ISVs) and developers can AD RMS-enable any application or enable other servers, such as content management systems or portal servers running on Windows or other operating systems, to work with AD RMS to help safeguard sensitive information. ISVs are enabled to integrate information protection into server-based solutions such as document and records management, e-mail gateways and archival systems, automated workflows, and content inspection.

Identity Federation Support. The identity federation support role service is an optional role service that allows federated identities to consume rights-protected content by using Active Directory Federation Services.

AD RMS combines the features of Rights Management Services (RMS) in Windows Server 2003, developer tools, and industry security technologies, including encryption, certificates, and authentication, to help organizations create reliable information protection solutions.

For more detailed information about hardware and software considerations with AD RMS, see the Pre-installation Information for Active Directory Rights Management Services topic in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=84733). For detailed instructions about installing and configuring AD RMS in a test environment, see the AD RMS Installation Step-by-Step Guide (http://go.microsoft.com/fwlink/?LinkId=72134). To learn more about AD RMS, you can view the Help on your server. To do this, open the Active Directory Rights Management Services console and then press F1, or visit the Active Directory Rights Management Services TechCenter (http://go.microsoft.com/fwlink/?LinkId=80907).


AD FS - Active Directory Federation Services
• Active Directory Federation Services
• Provides Web single sign-on to authenticate a user to multiple Web applications, even across forest boundaries with partner organizations
• Bypasses the need for secondary accounts

Active Directory Federation Services (AD FS) is a feature in the Windows Server 2003 R2 and Windows Server 2008 operating systems that provides Web single-sign-on (SSO) technologies to authenticate a user to multiple, related Web applications over the life of a single online session. AD FS accomplishes this by securely sharing digital identity and entitlement rights, or "claims," across security and enterprise boundaries.

Federation and Web SSO
When an organization uses Active Directory Domain Services (AD DS), it experiences the benefit of SSO functionality through Windows Integrated Authentication within the organization's security or enterprise boundaries. AD FS extends this functionality to Internet-facing applications. This makes it possible for customers, partners, and suppliers to have a similarly streamlined Web SSO user experience when they access the organization's Web-based applications. Furthermore, federation servers can be deployed in multiple organizations to facilitate business-to-business (B2B) federated transactions between partner organizations.

Web Services (WS)-* interoperability
AD FS provides a federated identity management solution that interoperates with other security products that support the WS-* Web Services Architecture. AD FS does this by employing the federation specification of WS-*, called WS-Federation. The WS-Federation specification makes it possible for environments that do not use the Windows identity model to federate with Windows environments. For more information about WS-* specifications, see Resources for AD FS.

Extensible architecture
AD FS provides an extensible architecture that supports the Security Assertion Markup Language (SAML) 1.1 token type and Kerberos authentication (in the Federated Web SSO with Forest Trust design). AD FS can also perform claim mapping, for example, modifying claims using custom business logic as a variable in an access request. Organizations can use this extensibility to modify AD FS to coexist with their current security infrastructure and business policies. For more information about modifying claims, see Understanding Claims.


Extending AD DS to the Internet
AD DS serves as a primary identity and authentication service in many organizations. With Windows Server 2003 Active Directory and Windows Server 2008 AD DS, forest trusts can be created between two or more Windows Server 2003 forests or Windows Server 2008 forests to provide access to resources that are located in different business units or organizations. For more information about forest trusts, see How Domain and Forest Trusts Work (http://go.microsoft.com/fwlink/?LinkId=35356). However, there are designs in which forest trusts are not a viable option. For example, access across organizations may have to be limited to only a small subset of individuals, not every member of a forest. By employing AD FS, organizations can extend their existing Active Directory infrastructures to provide access to resources that are offered by trusted partners across the Internet. These trusted partners can include external third parties or other departments or subsidiaries in the same organization. AD FS supports distributed authentication and authorization over the Internet. AD FS can be integrated into an organization's or department's existing access management solution to translate the claims that are used in the organization into claims that are agreed on as part of a federation. AD FS can create, secure, and verify the claims that move between organizations. It can also audit and monitor the communication activity between organizations and departments to help ensure secure transactions. A typical setup of two partner organizations establishing an AD FS relationship entails the installation of at least one server with AD FS in each organization.


WDS
Windows Deployment Services is included in the Windows Automated Installation Kit (Windows AIK) and in Windows Server 2003 SP2. For more information about the Windows Deployment Services role, see http://go.microsoft.com/fwlink/?LinkId=81873.

What is Windows Deployment Services?
Windows Deployment Services is the updated and redesigned version of Remote Installation Services (RIS). Windows Deployment Services enables you to deploy Windows operating systems, particularly Windows Vista. You can use it to set up new computers by using a network-based installation. This means that you do not have to install each operating system directly from a CD or DVD. Windows Deployment Services includes changes to the RIS feature set, including the following:
• Ability to deploy Windows Vista and Windows Server 2008.
• Windows PE is the boot operating system.
• Image-based installation, using Windows image (.wim) files.
• An extensible and higher-performing PXE server component.
• A new boot menu format for selecting boot operating systems.
• A new graphical user interface on the client computer that you use to select images.
• The Windows Deployment Services Microsoft Management Console (MMC) snap-in and the WDSUTIL command-line tool, which enable you to configure and manage Windows Deployment Services.
• Deploys Windows images to computers without operating systems.
• Supports mixed environments that include Windows Vista, Microsoft Windows XP, and Microsoft Windows Server 2003.
• Built on standard Windows Vista setup technologies including Windows PE, .wim files, and image-based setup.

Server functionality modes
There are three server modes with Windows Deployment Services in Windows Server 2003. To check the operating mode that the server is in, you can either right-click the server in the MMC snap-in, click Properties, and view the General tab, or you can run WDSUTIL /get-server /show:config.


Legacy mode is equivalent to RIS; it is the Windows Deployment Services binaries with RIS functionality. To run in this mode, install and configure RIS and then install (but do not configure) Windows Deployment Services. In general, if you do not have Windows Vista in your environment, you should use Legacy mode. Windows Deployment Services was designed to deploy these new operating systems and, while it is compatible with older operating systems, you need the Windows Vista installation media in order to deploy images.
Boot environment: OSChooser
Image types: RISETUP and RIPREP
Administration experience: RIS toolset

In Mixed mode, you can deploy RISETUP and RIPREP image types using OSChooser, and you can deploy Windows image (.wim) files using the Windows Deployment Services management tools. From the client computer, you can choose to boot into RIS or into one of the boot images that contain Windows PE. To run in Mixed mode, configure Windows Deployment Services on a RIS server that has existing RIS images. For instructions, see Steps for configuring Windows Deployment Services.
Boot environment: OSChooser and Windows PE
Image types: .wim, RISETUP, and RIPREP
Administration experience: RIS toolset to manage RISETUP and RIPREP images, and Windows Deployment Services management tools to manage .wim images

In Native mode, you use Windows Deployment Services to deploy only .wim images. To configure your server in Native mode, install and configure Windows Deployment Services on a server that has RIS installed but not configured (that is, there are no RIS images on the server). For instructions, see Steps for configuring Windows Deployment Services. If you already configured RIS, then you will need to uninstall RIS and reinstall it before installing Windows Deployment Services.
Boot environment: Windows PE
Image types: .wim
Administration experience: Windows Deployment Services management tools

Known issues with configuring Windows Deployment Services
If you are running Windows Deployment Services and a non-Microsoft DHCP server on the same computer, in addition to configuring the server to not listen on port 67, you will need to use your DHCP tools to add Option 60 to their DHCP scopes. If DHCP is installed on a server that is located in a different subnet, then you will need to do one of the following:

• (recommended) Configure your IP Helper tables. All DHCP broadcasts on UDP port 67 by client computers should be forwarded directly to both the DHCP server and the Windows Deployment Services PXE server. Also, all traffic to UDP port 4011 from the client computers to the Windows Deployment Services PXE server should be routed appropriately (these requests are directed to the server; they are not broadcasts).
• Add DHCP options 66 and 67. Option 66 should be set to the Windows Deployment Services server, and option 67 should be set to boot\x86\wdsnbp.com.
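As an added example that is not part of these notes, the following Python encodes the DHCP options named above (60, 66 and 67) in RFC 2132 wire format and checks the option bytes of a DHCP offer for each placement of the DHCP server; the host name wds01.example.local and the sample offers are constructed.

```python
"""
Build and check the DHCP options a PXE client needs in order to find a
Windows Deployment Services server.  Added example, not from the notes.

DHCP option layout (RFC 2132): one byte code, one byte length, value bytes,
terminated by code 255 (END).  Options used here:
  60  vendor class identifier: "PXEClient" tells the PXE ROM that the DHCP
      server also answers PXE requests, so it continues on UDP port 4011
  66  TFTP server name: the WDS server the client should contact
  67  bootfile name: the network boot program, boot\x86\wdsnbp.com
"""

OPT_VENDOR_CLASS = 60
OPT_TFTP_SERVER = 66
OPT_BOOTFILE = 67
OPT_END = 255


def encode_options(options):
    """Serialise {code: value} into RFC 2132 option bytes, appending END."""
    out = bytearray()
    for code, value in options.items():
        data = value.encode("ascii") if isinstance(value, str) else bytes(value)
        if not 0 < len(data) < 256:
            raise ValueError(f"option {code}: length {len(data)} not encodable")
        out += bytes([code, len(data)]) + data
    out.append(OPT_END)
    return bytes(out)


def decode_options(blob):
    """Parse option bytes into {code: bytes}; stops at END, skips PAD (0)."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == OPT_END:
            break
        if code == 0:            # PAD is a single byte with no length field
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError("truncated option header")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"truncated option {code}")
        opts[code] = value
        i += 2 + length
    return opts


def wds_pxe_check(blob, wds_and_dhcp_same_host):
    """
    Report what a PXE client will (not) find in an offer, for the two cases
    in the notes:
      * WDS and DHCP on one server: option 60 must be "PXEClient" (and WDS
        must not listen on port 67, which an offer cannot show).
      * DHCP on another subnet without IP helper forwarding: options 66 and
        67 must point the client at the WDS server and wdsnbp.com.
    Returns a list of problems; an empty list means the offer is usable.
    """
    opts = decode_options(blob)
    problems = []
    if wds_and_dhcp_same_host:
        if opts.get(OPT_VENDOR_CLASS) != b"PXEClient":
            problems.append("option 60 missing or not 'PXEClient'")
    else:
        if OPT_TFTP_SERVER not in opts:
            problems.append("option 66 (WDS server) missing")
        bootfile = opts.get(OPT_BOOTFILE, b"")
        if not bootfile.lower().endswith(b"wdsnbp.com"):
            problems.append("option 67 does not name wdsnbp.com")
    return problems


# Constructed sample offers; the server name is a placeholder, the boot
# file path is the one the notes give.
SAME_HOST_OFFER = encode_options({OPT_VENDOR_CLASS: "PXEClient"})
REMOTE_OFFER = encode_options({
    OPT_TFTP_SERVER: "wds01.example.local",
    OPT_BOOTFILE: r"boot\x86\wdsnbp.com",
})
BROKEN_OFFER = encode_options({OPT_TFTP_SERVER: "wds01.example.local"})  # no 67

if __name__ == "__main__":
    for name, blob, same in (("same host", SAME_HOST_OFFER, True),
                             ("remote subnet", REMOTE_OFFER, False),
                             ("remote, missing 67", BROKEN_OFFER, False)):
        print(name, "->", wds_pxe_check(blob, same) or "ok")
```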

Prerequisites:
• Active Directory. A Windows Deployment Services server must be either a member of an Active Directory domain or a domain controller for an Active Directory domain. The Active Directory domain and forest versions are irrelevant; all domain and forest configurations support Windows Deployment Services.
• DHCP. You must have a working Dynamic Host Configuration Protocol (DHCP) server with an active scope on the network, because Windows Deployment Services uses PXE, which relies on DHCP for IP addressing.
• DNS. You must have a working Domain Name System (DNS) server on the network to run Windows Deployment Services.

Install & Configure:
• If you already had RIS installed and configured. When you install SP2, your computer will automatically be upgraded to Windows Deployment Services.
• If you had RIS installed but not configured. Install the Windows Deployment Services component from Add/Remove Windows Components. When the installation is complete, restart the server. On the PXE Server Initial Settings page, select how you want the server to respond to clients. Known client computers are computers that have been created (prestaged) in Active Directory before the operating system is installed. For more information, see the PXE Boot chapter at http://go.microsoft.com/fwlink/?LinkId=81031.

Add Images:
After you configure Windows Deployment Services, you must add at least one boot image and one install image before you will be able to PXE boot a computer to install an operating system (unless you use RIS). Once you have added the default images using the instructions in this section, you will be ready to deploy operating systems. Alternatively, you can use the instructions in the rest of this guide to perform more advanced tasks such as creating your own install images, creating discover images, or configuring an unattended installation.

• Boot images. Boot images are images that you boot a client computer into to perform an operating system installation. In most scenarios, you can use the Boot.wim from the installation DVD (in the \Sources directory). The Boot.wim contains Windows PE and the Windows Deployment Services client (which is basically Windows Vista Setup.exe and supporting files).
• Install images. Install images are the operating system images that you deploy to the client computer. You can also use the install.wim from the installation DVD, or you can create your own install image using the steps in creating custom install images.

To add the default boot image included on the product installation DVD:
1. In the left-hand pane of the Windows Deployment Services MMC snap-in, right-click the Boot Images node, and then click Add Boot Image.
2. Browse to choose the default boot image (Boot.wim) located on the Windows Vista DVD, in the \Sources directory.
3. Click Open, and then click Next.
4. Follow the instructions in the wizard to add the image.

To add the default install image included on the product installation DVD:
1. In the Windows Deployment Services MMC snap-in, right-click the Install Images node, and then click Add Install Image.
2. Specify a name for the image group, and then click Next.
3. Browse to select the default install image (install.wim) located on the Windows Vista DVD, in the \Sources directory, and then click Open.
4. To add a subset of the images included in the install.wim, clear the check boxes for the images that you do not want to add to the server. You should only add the images for which you have licenses.
5. Follow the instructions in the wizard to add the images.
6. Now that you have a boot image and an install image on the server, you can PXE boot a client computer to install an operating system using the instructions in the following section.

To install an operating system
1. Configure the BIOS of the computer to enable PXE boot, and set the boot order so that booting from the network comes first.
2. Restart the computer and, when prompted, press F12 to start the network boot.
3. Select the appropriate boot image from the boot menu. (This boot image selection menu will only be available if you have two or more boot images on the server. For more information, see Configuring the boot menu.)
4. Follow the instructions in the Windows Deployment Services user interface screens.
5. When installation is complete, the computer will restart and Setup will continue. For more information, see Windows PE Customization How-To Topics (http://go.microsoft.com/fwlink/?LinkId=122641).

Unattended Installation
Optionally, you can automate the entire installation. To do this, you use two different unattend files: one for the Windows Deployment Services UI screens, and one for the later phases of Setup.
• Windows Deployment Services client unattend file. This file uses the Unattend.xml format, and it is stored on the Windows Deployment Services server in the \WDSClientUnattend folder. It is used to automate the Windows Deployment Services client user-interface screens (such as entering credentials, choosing an install image, and configuring the disk).
• Image unattend file. This file uses either the Unattend.xml or Sysprep.inf format, depending on the operating system version of the image. It is used to configure unattended installation options during Windows Setup and to automate the remaining phases of Setup (for example, offline servicing, Sysprep specialize, and mini-setup). It is stored in a subfolder (either the $OEM$ structure or \Unattend) of the per-image folder.
Two unattend files are necessary because Windows Deployment Services can deploy two image types: Windows Vista and Windows Server 2008 images, which support the Unattend.xml format, and Windows XP and Windows Server 2003 images, which do not support the Unattend.xml format. To automate the installation, create the appropriate unattend file depending on whether you are configuring the Windows Deployment Services screens or Windows Setup. We recommend that you use Windows System Image Manager (included as part of the Windows AIK) to author the unattend files. Then copy the unattend file to the appropriate location, and assign it for use. You can assign it at the server level or the client level. The server-level assignment can further be broken down by architecture, allowing you to have different settings for x86-based and x64-based clients. Assignment at the client level overrides the server-level settings. For more information, see Performing Unattended Installations (http://go.microsoft.com/fwlink/?LinkId=89226) and Sample Unattend Files (http://go.microsoft.com/fwlink/?LinkId=122642).

Additional references
• For more detailed information, see Deploying and Managing the Windows Deployment Services Update on Windows Server 2003 (http://go.microsoft.com/fwlink/?LinkId=81031)
• For more information about the Windows Deployment Services role that is included in Windows Server 2008, see http://go.microsoft.com/fwlink/?LinkId=81873
• For a newsgroup about Windows Deployment Services, see Setup and Deployment (http://go.microsoft.com/fwlink/?LinkId=87628)
• Windows AIK (http://go.microsoft.com/fwlink/?LinkId=81030)
• Windows AIK User's Guide for Windows Vista (http://go.microsoft.com/fwlink/?LinkID=53552)


Hyper-V
Server Consolidation
Businesses are under pressure to ease management and reduce costs while retaining and enhancing competitive advantages, such as flexibility, reliability, scalability, and security. The fundamental use of virtualization to help consolidate many servers on a single system while maintaining isolation helps address these demands. One of the main benefits of server consolidation is a lower total cost of ownership (TCO), not just from lowering hardware requirements but also from lower power, cooling, and management costs.

Business Continuity and Disaster Recovery
Business continuity is the ability to minimize both scheduled and unscheduled downtime. That includes time lost to routine functions, such as maintenance and backup, as well as unanticipated outages. Hyper-V includes powerful business continuity features, such as live backup and quick migration, enabling businesses to meet stringent uptime and response metrics.

Testing and Development
Using virtual machines, development staff can create and test a wide variety of scenarios in a safe, self-contained environment that accurately approximates the operation of physical servers and clients. Hyper-V maximizes utilization of test hardware, which can help reduce costs, improve life cycle management, and improve test coverage.

Dynamic Data Center
Hyper-V, together with your existing system management solutions, such as Microsoft System Center, can help you realize the dynamic data center vision of providing self-managing dynamic systems and operational agility. With features like automated virtual machine reconfiguration, flexible resource control, and quick migration, you can create a dynamic IT environment that uses virtualization to not only respond to problems, but also to anticipate increased demands.

Key Features of Hyper-V
Windows Server 2008 R2 Hyper-V adds new features to the first version of Hyper-V. For example, by using live migration in Windows Server 2008 R2 Hyper-V, you can migrate running VMs from one physical computer to another, and you can add or remove storage from a VM while it is running. In addition, Windows Server 2008 R2 Hyper-V takes better advantage of the physical computer, with greater processor support and deeper support for physical hardware features.


Live Migration
Hyper-V in Windows Server 2008 R2 includes the much-anticipated live migration feature, which allows you to move a virtual machine between two virtualization host servers without any interruption of service. Hyper-V live migration is integrated with Windows Server 2008 R2 Hyper-V and Microsoft Hyper-V Server 2008 R2. With it you can move running VMs from one Hyper-V physical host to another without any disruption of service or perceived downtime.

Increased Hardware Support for Hyper-V Virtual Machines
Hyper-V in Windows Server 2008 R2 now supports up to 64 logical processors in the host processor pool. This is a significant upgrade from previous versions and allows not only greater VM density per host, but also gives IT administrators more flexibility in assigning CPU resources to VMs. Also new, Hyper-V processor compatibility mode for live migration allows migration across different CPU versions within the same processor family (for example, "Intel Core 2 to Intel Pentium 4" or "AMD Opteron to AMD Athlon"), enabling migration across a broader range of server host hardware.

Cluster Shared Volumes
With Windows Server 2008 R2, Hyper-V uses Cluster Shared Volumes (CSV) storage to simplify and enhance shared storage usage. CSV enables multiple Windows Servers to access SAN storage using a single consistent namespace for all volumes on all hosts. Multiple hosts can access the same Logical Unit Number (LUN) on SAN storage. CSV enables faster live migration and easier storage management for Hyper-V when used in a cluster configuration. Cluster Shared Volumes are available as part of the Windows Failover Clustering feature of Windows Server 2008 R2.

Cluster Validation Tool
Windows Server 2008 R2 includes a Best Practices Analyzer (BPA) for all major server roles, including Failover Clustering. This analyzer examines the best practices configuration settings for a cluster and cluster nodes.

Management of Virtual Data Centers
Even with all the efficiency gained from virtualization, VMs still need to be managed. The number of VMs tends to proliferate much faster than physical computers because virtual machines typically do not require a hardware acquisition. Therefore, management of virtual data centers is more imperative than ever before.


Enhanced Networking Support
In Windows Server 2008 R2 there are three new networking features that improve the performance of virtual networks.

Support for Jumbo frames, previously available in non-virtual environments, has been extended to work with VMs. This feature enables VMs to use Jumbo Frames up to 9014 bytes if the underlying physical network supports it. Supporting Jumbo frames reduces the network stack overhead incurred per byte and increases throughput. In addition, there is a significant reduction of CPU utilization due to the smaller number of calls from the network stack to the network driver.

TCP Chimney (TCP Offload Engine or TOE), which allows the offloading of TCP/IP processing to the network hardware, has been extended to the virtual environment. It improves VM performance by allowing the VM to offload network processing to hardware, especially on networks with bandwidth over 1 GB. This feature is especially beneficial for roles involving large amounts of data transfer, such as the file server role.

The Virtual Machine Queue (VMQ) feature allows physical computer network interface cards (NICs) to use direct memory access (DMA) to place the contents of packets directly into VM memory, increasing I/O performance.

Dynamic VM storage
Windows Server 2008 R2 Hyper-V supports hot plug-in and hot removal of storage. By supporting the addition or removal of Virtual Hard Drive (VHD) files and pass-through disks while a VM is running, Windows Server 2008 R2 Hyper-V makes it possible to reconfigure VMs quickly to meet changing workload requirements. This feature allows the addition and removal of both VHD files and pass-through disks on existing SCSI controllers for VMs.

Broad OS Support
Hyper-V provides broad support for simultaneously running different types of operating systems, including 32-bit and 64-bit systems across different server platforms, such as Windows, Linux, and others.

Network Load Balancing
Hyper-V includes new virtual switch capabilities. This means virtual machines can be easily configured to run with Windows Network Load Balancing (NLB) Service to balance load across virtual machines on different servers.

Virtual Machine Snapshot
Hyper-V provides the ability to take snapshots of a running virtual machine so you can easily revert to a previous state, and improve the overall backup and recoverability solution.

High Availability
Providing High Availability solutions to mission-critical applications, services, and data is a primary objective of successful IT departments. When services are down or fail, business continuity is interrupted, which can result in significant losses. Windows Server 2008 R2 supports High Availability features to help organizations meet their uptime requirements for their critical systems.

Failover Clustering
Failover clustering can help you build redundancy into your network and eliminate single points of failure. The improvements to failover clusters (formerly known as server clusters) in Windows Server 2008 R2 are aimed at simplifying clusters, making them more secure, and enhancing cluster stability.

Cluster Migration
When migrating a clustered service from one cluster to another, cluster settings can be captured and copied to another cluster. This reduces the time it takes to build the new cluster and configure the services. The migration process supports every workload currently supported on Windows Server 2003 and Windows Server 2008, including DFS-N, DHCP, DTC, File Server, Generic Application, Generic Script, Generic Service, iSNS, MSMS, NFS, Other Server, TSSB, and WINS, and supports most common network configurations.

Cluster Infrastructure
The cluster quorum contains the configuration settings for the entire cluster. With Windows Server 2008 R2, you can configure a cluster so that the quorum resource is not a single point of failure by using the majority node set or a hybrid of the majority node set and the quorum resource model. The cluster service can also isolate DLLs that perform actions incorrectly to minimize impact to the cluster, as well as verify consistency among copies of the quorum resource.

Cluster Storage
Failover clusters now support GUID partition table (GPT) disks that can have capacities of larger than 2 terabytes, for increased disk size and robustness. Administrators can now modify resource dependencies while resources are online, which means they can make an additional disk available without interrupting access to the application that will use it.


Cluster Network
Networking has been enhanced to support Internet Protocol version 6 (IPv6) as well as Domain Name System (DNS) for name resolution, removing the requirement to have WINS and NetBIOS name broadcasts. Other network improvements include managing dependencies between network names and IP addresses: If either of the IP addresses associated with a network name is available, the network name will remain available. Because of the architecture of Cluster Shared Volumes (CSV), there is improved cluster node connectivity fault tolerance that directly affects Virtual Machines running on the cluster. The CSV architecture implements a mechanism, known as dynamic I/O redirection, in which I/O can be rerouted within the failover cluster based on connection availability.

Cluster Security
Internet Protocol security (IPsec) can be used between clients and the cluster nodes, as well as between nodes so that you can authenticate and encrypt the data. Access to the cluster can also be audited to determine who connected to the cluster and when.

Network Load Balancing
Network Load Balancing, a clustering technology included in the Microsoft Windows 2000 Advanced Server and Datacenter Server operating systems, enhances the scalability and availability of mission-critical, TCP/IP-based services, such as Web, Terminal Services, virtual private networking, and streaming media servers. This component runs within cluster hosts as part of the Windows 2000 operating system and requires no dedicated hardware support. To scale performance, Network Load Balancing distributes IP traffic across multiple cluster hosts. It also ensures high availability by detecting host failures and automatically redistributing traffic to the surviving hosts. Network Load Balancing provides remote controllability and supports rolling upgrades from the Windows NT 4.0 operating system. The Microsoft Windows 2000 Advanced Server and Datacenter Server operating systems include two clustering technologies designed for this purpose: Cluster service, which is intended primarily to provide failover support for critical line-of-business applications such as databases, messaging systems, and file/print services; and Network Load Balancing, which serves to balance incoming IP traffic among multi-node clusters. We will treat this latter technology in detail here. Network Load Balancing provides scalability and high availability to enterprise-wide TCP/IP services, such as Web, Terminal Services, proxy, Virtual Private Networking (VPN), and streaming media services. Network Load Balancing brings special value to enterprises deploying TCP/IP services, such as e-commerce applications, that link clients with transaction applications and back-end databases.

Network Load Balancing distributes IP traffic to multiple copies (or instances) of a TCP/IP service, such as a Web server, each running on a host within the cluster. Network Load Balancing transparently partitions the client requests among the hosts and lets the clients access the cluster using one or more "virtual" IP addresses. From the client's point of view, the cluster appears to be a single server that answers these client requests. As enterprise traffic increases, network administrators can simply plug another server into the cluster.

Advantages of Network Load Balancing
Network Load Balancing is superior to other software solutions such as round robin DNS (RRDNS), which distributes workload among multiple servers but does not provide a mechanism for server availability. If a server within the cluster fails, RRDNS, unlike Network Load Balancing, will continue to send it work until a network administrator detects the failure and removes the server from the DNS address list. This results in service disruption for clients. Network Load Balancing also has advantages over other load balancing solutions—both hardware- and software-based—that introduce single points of failure or performance bottlenecks by using a centralized dispatcher. Because Network Load Balancing has no proprietary hardware requirements, any industry-standard compatible computer can be used. This provides significant cost savings when compared to proprietary hardware load balancing solutions.

Host Priorities
Each cluster host is assigned a unique host priority in the range of 1 to 32, where lower numbers denote higher priorities. The host with the highest host priority (lowest numeric value) is called the default host. It handles all client traffic for the virtual IP addresses that is not specifically intended to be load-balanced. This ensures that server applications not configured for load balancing only receive client traffic on a single host. If the default host fails, the host with the next highest priority takes over as default host.

Port Rules
Network Load Balancing uses port rules to customize load balancing for a consecutive numeric range of server ports. Port rules can select either multiple-host or single-host load-balancing policies. With multiple-host load balancing, incoming client requests are distributed among all cluster hosts, and a load percentage can be specified for each host. Load percentages allow hosts with higher capacity to receive a larger fraction of the total client load. Single-host load balancing directs all client requests to the host with highest handling priority. The handling priority essentially overrides the host priority for the port range and allows different hosts to individually handle all client traffic for specific server applications. Port rules also can be used to block undesired network access to certain IP ports.

When a port rule uses multiple-host load balancing, one of three client affinity modes is selected. When no client affinity mode is selected, Network Load Balancing load-balances client traffic from one IP address and different source ports across multiple cluster hosts. This maximizes the granularity of load balancing and minimizes response time to clients. To assist in managing client sessions, the default single-client affinity mode load-balances all network traffic from a given client's IP address on a single cluster host. The class C affinity mode further constrains this to load-balance all client traffic from a single class C address space on a single cluster host. By default, Network Load Balancing is configured with a single port rule that covers all ports (0-65,535) with multiple-host load balancing and single-client affinity. This rule can be used for most applications. It is important that this rule not be modified for VPN applications and whenever IP fragmentation is expected. This ensures that fragments are efficiently handled by the cluster hosts.

Remote Control
Network Load Balancing provides a remote control program (Wlbs.exe) that allows system administrators to remotely query the status of clusters and control operations from a cluster host or from any networked computer running Windows 2000. This program can be incorporated into scripts and monitoring programs to automate cluster control. Monitoring services are widely available for most client/server applications. Remote control operations include starting and stopping either single hosts or the entire cluster. In addition, load balancing for individual port rules can be enabled or disabled on one or more hosts. New traffic can be blocked on a host while allowing ongoing TCP connections to complete prior to removing the host from the cluster. Although remote control commands are password-protected, individual cluster hosts can disable remote control operations to enhance security.

How Network Load Balancing Works
Network Load Balancing scales the performance of a server-based program, such as a Web server, by distributing its client requests among multiple servers within the cluster. With Network Load Balancing, each incoming IP packet is received by each host, but only accepted by the intended recipient. The cluster hosts concurrently respond to different client requests, even multiple requests from the same client. For example, a Web browser may obtain the various images within a single Web page from different hosts in a load-balanced cluster. This speeds up processing and shortens the response time to clients.

Each Network Load Balancing host can specify the load percentage that it will handle, or the load can be equally distributed among all of the hosts. Using these load percentages, each Network Load Balancing server selects and handles a portion of the workload. Clients are statistically distributed among cluster hosts so that each server receives its percentage of incoming requests. This load balance dynamically changes when hosts enter or leave the cluster. In this version, the load balance does not change in response to varying server loads (such as CPU or memory usage). For applications, such as Web servers, which have numerous clients and relatively short-lived client requests, the ability of Network Load Balancing to distribute workload through statistical mapping efficiently balances loads and provides fast response to cluster changes. Network Load Balancing cluster servers emit a heartbeat message to other hosts in the cluster, and listen for the heartbeat of other hosts. If a server in a cluster fails, the remaining hosts adjust and redistribute the workload while maintaining continuous service to their clients. Although existing connections to an offline host are lost, the Internet services nevertheless remain continuously available. In most cases (for example, with Web servers), client software automatically retries the failed connections, and the clients experience only a few seconds' delay in receiving a response.

Managing Application State
Application state refers to data maintained by a server application on behalf of its clients. If a server application (such as a Web server) maintains state information about a client session—that is, when it maintains a client's session state—that spans multiple TCP connections, it is usually important that all TCP connections for this client be directed to the same cluster host. Shopping cart contents at an e-commerce site and Secure Sockets Layer (SSL) authentication data are examples of a client's session state. Network Load Balancing can be used to scale applications that manage session state spanning multiple connections. When its client affinity parameter setting is enabled, Network Load Balancing directs all TCP connections from one client IP address to the same cluster host. This allows session state to be maintained in host memory. However, should a server or network failure occur during a client session, a new logon may be required to re-authenticate the client and re-establish session state. Also, adding a new cluster host redirects some client traffic to the new host, which can affect sessions, although ongoing TCP connections are not disturbed. Client/server applications that manage client state so that it can be retrieved from any cluster host (for example, by embedding state within cookies or pushing it to a back-end database) do not need to use client affinity.

To further assist in managing session state, Network Load Balancing provides an optional client affinity setting that directs all client requests from a TCP/IP class C address range to a single cluster host. With this feature, clients that use multiple proxy servers can have their TCP connections directed to the same cluster host. The use of multiple proxy servers at the client's site causes requests from a single client to appear to originate from different systems. Assuming that all of the client's proxy servers are located within the same 254-host class C address range, Network Load Balancing ensures that the same host handles client sessions with minimum impact on load distribution among the cluster hosts. Some very large client sites may use multiple proxy servers that span class C address spaces.

In addition to session state, server applications often maintain persistent, server-based state information that is updated by client transactions, such as merchandise inventory at an e-commerce site. Network Load Balancing should not be used to directly scale applications, such as Microsoft SQL Server (other than for read-only database access), that independently update inter-client state, because updates made on one cluster host will not be visible to other cluster hosts. To benefit from Network Load Balancing, applications must be designed to permit multiple instances to simultaneously access a shared database server that synchronizes updates. For example, Web servers with Active Server Pages should have their client updates pushed to a shared back-end database server.
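The filtering decision described in the Host Priorities, Port Rules, client affinity and How Network Load Balancing Works sections, as an added Python simulation that is not from these notes or from the NLB driver: every host runs the same owner() function on the same packet, so all hosts agree on who accepts it without a dispatcher. The SHA-256 bucket mapping stands in for the driver's undocumented statistical mapping, and the host names, priorities, load percentages and client addresses are constructed.

```python
"""
How an NLB cluster decides which host accepts a packet: host priority and
the default host, port rules (multiple-host with load percentages, or
single-host with handling priority) and the affinity modes none / single /
class C.  Added example; the hash-based mapping is an assumption standing
in for the real driver's statistical mapping.
"""
import hashlib
import ipaddress
from dataclasses import dataclass, field


@dataclass
class PortRule:
    start: int
    end: int
    mode: str                       # "multiple" or "single"
    affinity: str = "single"        # "none", "single" or "classc"
    load: dict = field(default_factory=dict)      # host -> load percentage
    handling: dict = field(default_factory=dict)  # host -> handling priority


class Cluster:
    def __init__(self, priorities, rules):
        # priorities: host -> unique host priority 1..32 (lower number = higher)
        if len(set(priorities.values())) != len(priorities):
            raise ValueError("host priorities must be unique")
        if any(not 1 <= p <= 32 for p in priorities.values()):
            raise ValueError("host priority must be in 1..32")
        self.priorities = dict(priorities)
        self.rules = list(rules)
        self.alive = set(priorities)     # hosts whose heartbeat is still seen

    def fail(self, host):   # heartbeat lost: the remaining hosts converge without it
        self.alive.discard(host)

    def join(self, host):   # host (re)enters the cluster
        self.alive.add(host)

    def default_host(self):
        """Live host with the highest host priority (lowest number)."""
        return min(self.alive, key=self.priorities.__getitem__)

    @staticmethod
    def affinity_key(src_ip, src_port, affinity):
        if affinity == "none":       # each (client IP, source port) balanced separately
            return f"{src_ip}:{src_port}"
        if affinity == "single":     # all traffic from one client IP sticks together
            return str(src_ip)
        if affinity == "classc":     # the whole /24 (e.g. a site's proxy farm) sticks
            return str(ipaddress.ip_network(f"{src_ip}/24", strict=False))
        raise ValueError(f"unknown affinity mode {affinity!r}")

    def owner(self, src_ip, src_port, dst_port):
        """Return the live host that accepts this packet.

        Every host sees every packet and evaluates this same function on the
        same inputs, so the hosts agree without a central dispatcher."""
        rule = next((r for r in self.rules if r.start <= dst_port <= r.end), None)
        if rule is None:                 # port not load-balanced: default host only
            return self.default_host()
        if rule.mode == "single":        # best handling priority takes the whole rule;
            # hosts without an explicit handling priority rank below all that have one
            return min(self.alive, key=lambda h: rule.handling.get(h, 32 + self.priorities[h]))
        # multiple-host: map the affinity key onto the live hosts, weighted by load %
        hosts = sorted(self.alive)
        weights = [rule.load.get(h, 1) for h in hosts]
        key = self.affinity_key(src_ip, src_port, rule.affinity)
        digest = hashlib.sha256(key.encode()).digest()
        bucket = int.from_bytes(digest[:4], "big") % sum(weights)
        for host, weight in zip(hosts, weights):
            if bucket < weight:
                return host
            bucket -= weight


def distribution(cluster, dst_port, clients=2000):
    """Count which host wins for `clients` constructed client addresses."""
    counts = {h: 0 for h in cluster.alive}
    for i in range(clients):
        src_ip = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"
        counts[cluster.owner(src_ip, 40000 + (i % 1000), dst_port)] += 1
    return counts


# The default port rule from the notes: all ports, multiple-host, single affinity
DEFAULT_RULE = PortRule(0, 65535, "multiple", "single")

if __name__ == "__main__":
    cluster = Cluster({"A": 1, "B": 2, "C": 3}, [DEFAULT_RULE])
    print("owner for 203.0.113.9:", cluster.owner("203.0.113.9", 51000, 80))
    print("spread over hosts:", distribution(cluster, 80))
    cluster.fail("A")                    # A's heartbeat stops; B and C redistribute
    print("after A fails:", distribution(cluster, 80))
```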


Windows System Resource Manager (WSRM)
Windows System Resource Manager (WSRM) on Windows Server 2008 allows you to control how CPU and memory resources are allocated to applications, services, and processes on the computer. Managing resources in this way improves system performance and reduces the chance that applications, services, or processes will take CPU or memory resources away from one another and slow down the performance of the computer. Managing resources also creates a more consistent and predictable experience for users of applications and services running on the computer. You can use WSRM to manage multiple applications on a single computer or users on a computer on which Terminal Services is installed. For more information about WSRM, see the WSRM Help in the Windows Server 2008 Technical Library (http://go.microsoft.com/fwlink/?LinkId=106538).

Resource-Allocation Policies
WSRM uses resource-allocation policies to determine how computer resources, such as CPU and memory, are allocated to processes running on the computer. There are two resource-allocation policies that are specifically designed for computers running Terminal Services. The two Terminal Services-specific resource-allocation policies are:
• Equal_Per_User
• Equal_Per_Session


Windows Server Update Services 3.0
The WSUS server allows administrators to manage and distribute updates through the WSUS 3.0 Administration console, which can be installed on any Windows computer in the domain. In addition, a WSUS server can be the update source for other WSUS servers within the organization. At least one WSUS server in the network must connect to Microsoft Update to get available update information. The administrator can determine, based on network security and configuration, whether or not other servers should connect directly to Microsoft Update. Automatic Updates is built into the Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP, and Windows 2000 SP4 operating systems. Automatic Updates enables both server and client computers to receive updates from Microsoft Update or from a WSUS server.

Prerequisites for WSUS servers
• Windows Server 2003 SP1 or later, or Windows Server 2008
• Microsoft Internet Information Services (IIS) 6.0 or later
• Windows Installer 3.1 or later
• Microsoft .NET Framework 2.0

Prerequisites for using the WSUS 3.0 Administration Console
• Windows XP SP2, Windows Vista, Windows Server 2003, or Windows Server 2008
• Microsoft Management Console 3.0
• Microsoft Report Viewer Redistributable 2005

Prerequisites for WSUS client computers
Windows Vista, Windows Server 2003 (any edition), Windows Server 2008, Windows XP, or Windows 2000 SP4.

How it works
At least one upstream WSUS server connects to Microsoft Update to get available updates and update information, while other downstream servers get their updates from the upstream server. Administrators can choose which updates are downloaded to a WSUS server during synchronization, based on the following criteria:
• Product or product family (for example, Microsoft Windows Server 2003 or Microsoft Office)
• Update classification (for example, critical updates and drivers)
• Language (for example, English and Japanese only)

In addition, administrators can specify a schedule for synchronization to initiate automatically. Nothing reaches client computers until an administrator has approved it: an administrator must approve every action that WSUS carries out for an update. Approval actions include the following:
• Approve
• Remove (this action is possible only if the update supports uninstall)
• Decline

In addition, the administrator can enforce a deadline: a specific date and time to install or remove (uninstall) updates. The administrator can force an immediate download by setting a deadline for a time in the past. WSUS 3.0 can be configured to send e-mail notification of new updates and status reports: specified recipients can receive update notifications as updates arrive on the WSUS server, and status reports can be sent at specified times and intervals.

WSUS 3.0 automatically scans updates to determine the computers on which they should be installed. Before planning and deploying an update for installation, the administrator can analyze its impact by means of a status report generated directly from the update view for a single update, a subset of updates, or all updates.

Targeting enables administrators to deploy updates to specific computers and groups of computers. Targeting can be configured on the WSUS server directly (server-side targeting), or on the client computers, either through Group Policy in an Active Directory environment or by editing registry settings (client-side targeting).

The WSUS database stores update information, event information about update actions on client computers, and WSUS server settings. Administrators have the following options for the WSUS 3.0 database:
• The Windows Internal Database that WSUS can install during setup on Windows Server 2003.
• An existing Microsoft SQL Server 2005 Service Pack 1 database.

WSUS enables administrators to create an update management infrastructure consisting of a hierarchy of WSUS servers. WSUS servers can be scaled out to handle large numbers of clients.
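The approval, deadline and targeting steps above can be scripted against the WSUS 3.0 administration API (the Microsoft.UpdateServices.Administration assembly that ships with the administration console). The following PowerShell script is an added example, not code from the original document or from Microsoft: it approves, with a seven-day install deadline, every unapproved Security or Critical update that at least one computer in a target group still needs, and accepts license terms on the server on behalf of the clients as the text describes. The server name, port, target group name and deadline are assumptions.

```powershell
# Added example, not from the original document. Requires the WSUS 3.0 administration
# console (which installs the Microsoft.UpdateServices.Administration assembly).
# Server name, port, target group and deadline are assumptions.

[void][System.Reflection.Assembly]::LoadWithPartialName('Microsoft.UpdateServices.Administration')

$serverName = 'wsus01.corp.example'    # assumed
$useSsl     = $true                    # plain HTTP on port 80 is the default; SSL lets the console authenticate the server
$port       = 80
if ($useSsl) { $port = 443 }
$groupName  = 'Pilot Servers'          # assumed target group
$deadline   = (Get-Date).AddDays(7)    # a deadline in the past forces immediate installation

$wsus  = [Microsoft.UpdateServices.Administration.AdminProxy]::GetUpdateServer($serverName, $useSsl, $port)
$group = $wsus.GetComputerTargetGroups() | Where-Object { $_.Name -eq $groupName }
if (-not $group) { throw "Target group '$groupName' not found on $serverName" }

# Scope: not yet approved, Security Updates and Critical Updates only
$scope = New-Object Microsoft.UpdateServices.Administration.UpdateScope
$scope.ApprovedStates = [Microsoft.UpdateServices.Administration.ApprovedStates]::NotApproved
$wsus.GetUpdateClassifications() |
    Where-Object { @('Security Updates', 'Critical Updates') -contains $_.Title } |
    ForEach-Object { [void]$scope.Classifications.Add($_) }

$install = [Microsoft.UpdateServices.Administration.UpdateApprovalAction]::Install
foreach ($u in $wsus.GetUpdates($scope)) {
    if ($u.IsDeclined -or $u.IsSuperseded) { continue }
    # The same numbers the per-update status report shows: how many computers in the group need it
    $summary = $u.GetSummaryForComputerTargetGroup($group)
    if ($summary.NotInstalledCount -eq 0) { continue }
    # License terms are accepted on the server by the administrator, on behalf of the clients
    if ($u.RequiresLicenseAgreementAcceptance) { $u.AcceptLicenseAgreement() }
    [void]$u.Approve($install, $group, $deadline)
    '{0} -> Install for {1}, needed by {2} computer(s), deadline {3:yyyy-MM-dd HH:mm}' -f `
        $u.Title, $group.Name, $summary.NotInstalledCount, $deadline
}
```

Run it under an account that is a member of the WSUS Administrators group. Approving only what the group's computers report as needed keeps the approval list, and therefore the download volume on downstream and replica servers, to what will actually be installed; superseded updates are skipped because the superseding update covers them.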


With replica synchronization, the administrator of the central WSUS server can create updates, target groups, and approvals that are automatically propagated to WSUS servers designated as replica servers. This means that branch office clients can get centrally approved updates from a local server without the need for a local WSUS administrator. Offices with a low-bandwidth link to the central server also pose less of a problem, because the branch WSUS server is the only system that connects to the central WSUS server. Update status reports can be generated for all the clients of a replica server.

WSUS 3.0 allows administrators to manage a WSUS server hierarchy from a single WSUS console. The WSUS administration snap-in for the Microsoft Management Console can be installed on any computer in the network. Using WSUS reports, administrators can monitor the following activity (all reports are in a printable format and can be exported to Excel spreadsheets or Adobe .pdf files):
• Update status: Administrators can monitor the level of update compliance for their client computers on an ongoing basis using Update Status reports, which can provide status for update approval and deployment per update, per computer, and per computer group, based on all events that are sent from the client computer.
• Computer status: Administrators can assess the status of updates on client computers. For example, they can request a summary of updates that have been installed or are needed for a particular computer.
• Computer compliance status: Administrators can view or print a summary of compliance information for a specific computer, including basic software and hardware information, WSUS activity, and update status.
• Update compliance status: Administrators can view or print a summary of compliance information for a specific update, including the update properties and cumulative status for each computer group.
• Synchronization (or download) status: Administrators can monitor synchronization activity and status for a given time period, and view the latest updates that have been downloaded.
• WSUS configuration settings: Administrators can see a summary of the options they have specified for their WSUS implementation.

Administrators have the flexibility of configuring computers to get updates directly from Microsoft Update, from an intranet WSUS server that distributes updates internally, or from a combination of both, depending on the network configuration. Administrators can configure a WSUS server to use a custom port for connecting to the intranet or Internet, if appropriate. The default port used by a WSUS server is port 80. It is also possible to connect via SSL, in which case the default port is 443; because plain HTTP gives clients no way to verify that they are talking to the genuine WSUS server, SSL is the safer choice wherever the path between client and server is not fully trusted.


Client-side features
In an Active Directory environment, administrators can configure the behavior of Automatic Updates by using Group Policy. In other cases, administrators can remotely configure Automatic Updates through registry keys, for example by using a logon script or a similar mechanism.

Administrator capabilities for configuring client computers include the following:
• Configuring notification and scheduling options for users through Group Policy.
• Configuring how often the client computer checks the update source (either Microsoft Update or a WSUS server) for new updates.
• Configuring Automatic Updates to install updates that do not require restarts or service interruptions as soon as it finds them, rather than waiting for the scheduled automatic installation time.
• Managing client computers through the Component Object Model (COM)-based API. An SDK is available.

Self-updating for client computers
• WSUS client computers can detect from the WSUS server whether a newer version of Automatic Updates is available, and then upgrade their Automatic Updates service automatically.

Automatic detection of applicable updates
• Automatic Updates downloads and installs only the updates that actually apply to the computer. Automatic Updates works with the WSUS server to evaluate which updates should be applied to a specific client computer.

Under-the-hood efficiency
• The Automatic Updates service works in the background, so the perceptible impact on user productivity and network functionality is minimal.
• Automatic Updates consolidates updates that require computer restarts into a single restart.
• Automatic Updates eliminates the need for users in a managed environment to interact with Microsoft Software License Terms. License terms are accepted on the WSUS server by administrators on behalf of client computers.
• BITS 2.0 employs delta compression to facilitate downloads that are invisible to the user. For example, after Automatic Updates downloads an update to a client computer, it continues to monitor either the upstream WSUS server or Microsoft Update and then downloads only the changes in an update file to the client computer. This technology also enables efficient distribution of service packs through Automatic Updates.
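The registry path for configuring Automatic Updates outside Group Policy is concrete enough to show. The following PowerShell script is an added example, not code from the original document or from Microsoft: it writes the same values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate that the Windows Update Group Policy settings write, points the client at a WSUS server over SSL, enables client-side targeting, sets the detection frequency and the install-without-restart option described above, and then forces a detection cycle with wuauclt.exe. The server URL and the target group name are assumptions; run it elevated, for example from a startup script.

```powershell
# Added example, not from the original document. Writes the registry values that the
# Windows Update Group Policy settings set, for clients configured without Group Policy.
# Server URL and target group name are assumptions. Run elevated.

$serverUrl = 'https://wsus01.corp.example'     # assumed; append the port if WSUS uses a custom one (for example :8531)
$group     = 'Pilot Servers'                   # assumed client-side target group

$wuKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auKey = "$wuKey\AU"
foreach ($key in @($wuKey, $auKey)) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
}

# Update source and the server that receives client status reports (both the WSUS server)
Set-ItemProperty -Path $wuKey -Name WUServer       -Value $serverUrl -Type String
Set-ItemProperty -Path $wuKey -Name WUStatusServer -Value $serverUrl -Type String
# Client-side targeting: the client tells the server which computer group it belongs to
Set-ItemProperty -Path $wuKey -Name TargetGroupEnabled -Value 1      -Type DWord
Set-ItemProperty -Path $wuKey -Name TargetGroup        -Value $group -Type String

Set-ItemProperty -Path $auKey -Name UseWUServer               -Value 1 -Type DWord  # use the intranet server, not Microsoft Update
Set-ItemProperty -Path $auKey -Name NoAutoUpdate              -Value 0 -Type DWord  # Automatic Updates enabled
Set-ItemProperty -Path $auKey -Name AUOptions                 -Value 4 -Type DWord  # 4 = auto download and schedule the install
Set-ItemProperty -Path $auKey -Name ScheduledInstallDay       -Value 0 -Type DWord  # 0 = every day
Set-ItemProperty -Path $auKey -Name ScheduledInstallTime      -Value 3 -Type DWord  # 03:00
Set-ItemProperty -Path $auKey -Name DetectionFrequencyEnabled -Value 1 -Type DWord
Set-ItemProperty -Path $auKey -Name DetectionFrequency        -Value 4 -Type DWord  # check the update source every 4 hours
Set-ItemProperty -Path $auKey -Name AutoInstallMinorUpdates   -Value 1 -Type DWord  # install no-restart updates as soon as found
Set-ItemProperty -Path $auKey -Name NoAutoRebootWithLoggedOnUsers -Value 1 -Type DWord

# Drop the client's cached server authorization and run a detection cycle now
& "$env:windir\system32\wuauclt.exe" /resetauthorization /detectnow

# Show what the client will use from now on
Get-ItemProperty -Path $wuKey | Select-Object WUServer, WUStatusServer, TargetGroup
```

Client-side targeting only takes effect if the WSUS server's Options are set to use client-side targeting and a group with that name exists. The URL deliberately uses https: the client never authenticates an http WSUS server, so an attacker on the network path could otherwise substitute update metadata. If a Group Policy object later applies to the computer, its settings overwrite these values.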


WSUS 3.0 Deployment Scenarios
WSUS is flexible enough to meet the update management needs of a wide range of organizations, from small businesses with dial-up connectivity to the largest businesses with thousands of users distributed across multiple sites. Depending on the size of the organization, its locations, and its connectivity infrastructure, administrators can determine the most efficient way to scale out their WSUS servers, a decision that might involve one or many WSUS servers. This section describes the common scenarios for deploying WSUS components in small, medium, and restricted networks.

Single WSUS server (small-sized or simple network)
In a single WSUS server scenario, administrators can set up a server running WSUS inside their corporate firewall, which synchronizes content directly with Microsoft Update and distributes updates to client computers, as shown in the following figure.

Multiple WSUS servers (medium-sized or more complex network)
The following are common scenarios for deploying WSUS components in a medium-sized or more complex network.


Multiple independent WSUS servers

Administrators can deploy multiple servers that are configured so that each server is managed independently and each server synchronizes its content from Microsoft Update, as shown in the following figure. The deployment method in this scenario would be appropriate for situations in which different local area network (LAN) or wide area network (WAN) segments are managed as separate entities (for example, a branch office). It would also be appropriate when one server running WSUS is configured to deploy updates only to client computers running a certain operating system (such as Windows 2000), while another server is configured to deploy updates only to client computers running another operating system (such as Windows XP).


Multiple internally synchronized WSUS servers

Administrators can deploy multiple servers running WSUS that synchronize all content within their organization's intranet. In the following figure, only one server is exposed to the Internet, and it is the only server that downloads updates from Microsoft Update. This server is set up as the upstream server, the source to which the downstream servers synchronize. When applicable, servers can be located throughout a geographically dispersed network to provide the best connectivity to all client computers.


Disconnected WSUS servers (limited or restricted Internet connectivity)

If corporate policy or other conditions limit computer access to the Internet, administrators can set up an internal server running WSUS, as illustrated in the following figure. In this example, a server is created that is connected to the Internet but is isolated from the intranet. After downloading, testing, and approving the updates on this server, an administrator would then export the update metadata and content to the appropriate media; then, from the media, the administrator would import the update metadata and content to servers running WSUS within the intranet. Although the following figure illustrates this model in its simplest form, it could be scaled to a deployment of any size.
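The export and import steps of the disconnected scenario are done with WSUSutil.exe from the WSUS tools directory, plus a copy of the content directory. The following PowerShell script is an added example, not code from the original document or from Microsoft: one function runs on the Internet-connected server to copy the content, export the metadata package and record SHA-256 hashes of everything written to the media; the other runs on the disconnected server to verify those hashes before importing. The tools path, content directory, drive letters and file names are assumptions, and the script assumes both servers are configured with the same products, classifications and languages, with update files stored locally, as the export/import procedure requires.

```powershell
# Added example, not from the original document. Paths, drive letters and file
# names are assumptions. Both servers must use the same products, classifications
# and languages, and the export server must store update files locally.

$tools    = "$env:ProgramFiles\Update Services\Tools"
$content  = 'D:\WSUS\WsusContent'          # assumed content directory (same on both servers)
$media    = 'E:\wsus-transfer'             # assumed removable media
$hashFile = 'E:\wsus-transfer.sha256'      # hash list; carry it separately from the media if you can

function Get-Sha256Hex([string]$Path) {
    $sha = [System.Security.Cryptography.SHA256]::Create()
    $fs  = [System.IO.File]::OpenRead($Path)
    try { return ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

function Export-WsusOffline {
    # Run on the Internet-connected server after updates have been tested and approved.
    New-Item -ItemType Directory -Path $media -Force | Out-Null
    # 1. Copy the update binaries (content)
    robocopy $content "$media\WsusContent" /E /R:2 /W:5 | Out-Null
    # 2. Export the metadata: update information, approvals and target groups
    & "$tools\wsusutil.exe" export "$media\export.cab" "$media\export.log"
    if ($LASTEXITCODE -ne 0) { throw "wsusutil export failed, see $media\export.log" }
    # 3. Record a hash of every file on the media so the import side can detect tampering or corruption
    Get-ChildItem -Path $media -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        '{0}  {1}' -f (Get-Sha256Hex $_.FullName), $_.FullName.Substring($media.Length + 1)
    } | Set-Content -Path $hashFile
}

function Import-WsusOffline {
    # Run on the disconnected server with the media attached.
    # 1. Verify every file against the hash list before touching the WSUS server
    $bad = foreach ($line in Get-Content $hashFile) {
        $expected, $rel = $line -split '  ', 2
        if ((Get-Sha256Hex (Join-Path $media $rel)) -ne $expected) { $rel }
    }
    if ($bad) { throw "Hash mismatch on: $($bad -join ', ')" }
    # 2. Content first, so the imported metadata never references files that are not there yet
    robocopy "$media\WsusContent" $content /E /R:2 /W:5 | Out-Null
    # 3. Import the metadata
    & "$tools\wsusutil.exe" import "$media\export.cab" "$media\import.log"
    if ($LASTEXITCODE -ne 0) { throw "wsusutil import failed, see $media\import.log" }
}

# Export-WsusOffline   # on the connected server
# Import-WsusOffline   # on the disconnected server
```

WSUS itself checks downloaded content files against the hashes carried in the update metadata, but nothing in the procedure protects the exported metadata package or the media as a whole on its way across the air gap; the hash list, ideally transported by a different route than the media, closes that gap. Run both functions as a local administrator who is also a member of the WSUS Administrators group.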

More Information
Windows Server Update Services site: (http://go.microsoft.com/fwlink/?LinkId=71198)
Step-by-Step Guide to Getting Started: (http://go.microsoft.com/fwlink/?LinkID=71190)
Readme for Windows Server Update Services: (http://go.microsoft.com/fwlink/?LinkId=71220)
