Microsoft Windows Server 2008 Implementation and Migration
At BHARAT HEAVY ELECTRICALS LIMITED

Wipro is submitting this document to BHEL on the understanding that the contents would not be divulged to any third party without prior written consent from Wipro Infotech. The contents of this document shall be used for the sole purpose of review & decision making. No part of this publication may be reproduced, stored in a retrieval system or transmitted in any form or by any means, whether electronic, mechanical, photocopying, recording or otherwise, without the written permission of Wipro. All product names referenced herein are trademarks of their respective companies.

Kamal Singh & Gurpreet Singh 12/22/2008

Wipro Infotech - MSBU Division
BHEL /Kolkata/ Windows Server 2008 Active Directory Implementation and Migration

Document Management Information

Document Title: Microsoft Windows Server 2008 Active Directory Implementation and Migration Document.

Document Status: Approved Wipro

Document Publication History
(All revisions made to this document must be listed in chronological order, with the most recent revision at the top.)

Version Number | Date       | Author(s)                    | Reviewed        | Remark
Draft          | 22-12-2008 | Kamal Singh & Gurpreet Singh |                 |
1.0            | 22-12-2008 |                              | Monojit Bhowmik | Microsoft Windows Server 2008 Active Directory Implementation and Migration.

Document Distribution List

Ver. No. | Name and Company                | Purpose
1.0      | Bharat Heavy Electrical Limited | Microsoft Windows Server 2008 Active Directory Implementation and Migration.

WIPRO - BHEL Confidential


Contents

About this Document
About the Project
Overview of Project
1 Company Profile
1.1.1 Introduction to Active Directory
1.1.2 Why Have a Directory Service?
1.1.3 The Windows Server 2003/2008 Directory Service
1.1.4 Active Directory Services Features
1.1.5 Active Directory Components
1.1.6 Logical Structures
1.1.7 Physical Structures
1.1.8 Catalog Services: The Global Catalog
1.1.9 Global Catalog Functions
1.1.10 Replication
1.1.11 What Information Is Replicated
1.1.12 Trust Relationships
1.1.13 Group Policies
1.1.14 DNS
1.1.15 Operations Master Roles
1.1.16 Forest-Wide Operations Master Roles
1.1.17 Schema Master Role
1.1.18 Domain Naming Master Role
1.1.19 Domain-Wide Operations Master Roles
1.1.20 RID Master Role
1.1.21 PDC Emulator Role
1.1.22 Infrastructure Master Role
1.1.23 What Problems Arise when an Operations Master Fails
1.2 What does an RODC do?
1.3 Who will be interested in this feature?
1.4 Are there any special considerations?
1.5 What new functionality does this feature provide?
1.5.2 TOOLS
    Replmon Support Tool Utility
    NTDSUTIL Overview
    DCDIAG Overview
    NETDIAG Overview
    Reset password for DSRM (Directory Services Restore Mode) with NTDSUTIL
    REPLMON Overview
    ADSIEDIT Overview
    Windows Server 2003/2008

About this Document
This document is intended as a reference guide for the Administrators of BHEL who were involved during the implementation of Active Directory Rights Management Service and DHCP NAP Enforcement, and for the Specialists from Wipro's and the Customer's end who were involved in the Project.

About the Project
The Customer's objective for initiating this project is to have an in-house comprehensive solution for addressing and resolving change and configuration needs in the IT Infrastructure. The activities involved in this project are as below:
- Installation of Windows Server 2008 with the latest Service Packs and Hot fixes in BHEL Kolkata HQ.
- Creation of a Microsoft Windows Server 2008 Additional Domain Controller.
- Transfer of FSMO Roles to the new Server 2008 Domain Controller.
- Configuring Sites and Settings across the PSER Region.
- Raising the Domain Functional Level.
- Installing the new Additional Domain Controller.
- Installing Read Only Domain Controllers for the Budge-Budge & Bakreswar Remote Locations.

The Project flow is as follows:
- Configuration Gathering
- Implementation phase
- Documentation and Training
- Sign off for the Project

Overview of Project
Project Management and Installation of the Complete Project were carried out by the Wipro MSBU Infrastructure Availability Services team. This Document will serve as a guideline for the Project Approach and the Implementation & Migration of Active Directory 2008.

Team involved in executing the Project:
Principal(s): Kamal Singh & Gurpreet Singh
Mr. Sudipta Biswas, DGM IT

1 Company Profile:
BHEL is, today, the largest engineering and manufacturing enterprise in India in the energy-related/infrastructure sector. BHEL was established more than 40 years ago, ushering in the indigenous Heavy Electrical Equipment industry in India, a dream that has been more than realized with a well-recognized track record of performance. The company has been earning profits continuously since 1971-72 and paying dividends since 1976-77. BHEL manufactures over 180 products under 30 major product groups and caters to core sectors of the Indian Economy viz. Power Generation & Transmission, Industry, Transportation, Telecommunication, Renewable Energy, etc. The wide network of BHEL's 14 manufacturing divisions, four Power Sector regional centers, over 100 project sites, eight service centers and 18 regional offices enables the Company to promptly serve its customers and provide them with suitable products, systems and services, efficiently and at competitive prices. The high level of quality & reliability of its products is due to the emphasis on design, engineering and manufacturing to international standards by acquiring and adapting some of the best technologies from leading companies in the world, together with technologies developed in its own R&D Center.

1.1.1 Introduction to Active Directory
The Active Directory directory service provides a single point of network resource management, allowing you to add, remove, and relocate users and resources easily. This chapter introduces you to Active Directory concepts and administration tasks and walks you through the steps involved in planning an Active Directory infrastructure.

1.1.2 Why Have a Directory Service?
A directory service provides the means to organize and simplify access to the resources of a networked computer system. Users and administrators might not know the exact name of the objects they need. However, they might know one or more characteristics of the objects in question. As illustrated in Figure 1-1, they can use a directory service to query the directory for a list of objects that match known characteristics. For example, "Find all color printers on the third floor" queries the directory for all color printer objects that are associated with the third floor characteristic (or maybe a location characteristic that has been set to "third floor"). A directory service makes it possible to find an object based on one or more of its characteristics.

1.1.3 The Windows Server 2003/2008 Directory Service
Active Directory is the directory service included in the Windows Server 2003/2008 family. Active Directory includes the directory, which stores information about network resources, as well as all the services that make the information available and useful.

1.1.4 Active Directory Services Features
Active Directory in the Windows Server 2003/2008 family is a significant enhancement over the flat domain model provided in Windows NT. Active Directory is also the directory service included in Windows 2000. Active Directory is integrated within the Windows Server 2003/2008 family and offers the following features:

Centralized data store: All data in Active Directory resides in a single, distributed data repository, allowing users easy access to the information from any location. A single distributed data store requires less administration and duplication and improves the availability and organization of data.

Scalability: Active Directory enables you to scale the directory to meet business and network requirements through the configuration of domains and trees and the placement of domain controllers. Active Directory allows millions of objects per domain and uses indexing technology and advanced replication techniques to speed performance.

Extensibility: The structure of the Active Directory database (the schema) can be expanded to allow customized types of information.

Manageability: In contrast to the flat domain model used in Windows NT, Active Directory is based on hierarchical organizational structures. These organizational structures make it easier for you to control administrative privileges and other security settings, and make it easier for your users to locate network resources such as files and printers.

Integration with the Domain Name System (DNS): Active Directory uses DNS, an Internet standard service that translates easily readable host names to numeric Internet Protocol (IP) addresses. Although separate and implemented differently for different purposes, Active Directory and DNS have the same hierarchical structure. Active Directory clients use DNS to locate domain controllers. When using the Windows Server 2003/2008 DNS service, primary DNS zones can be stored in Active Directory, enabling replication to other Active Directory domain controllers.

Client configuration management: Active Directory provides new technologies for managing client configuration issues, such as user mobility and hard disk failures, with a minimum of administration and user downtime.

Policy-based administration: In Active Directory, policies are used to define the permitted actions and settings for users and computers across a given site, domain, or organizational unit. Policy-based management simplifies tasks such as operating system updates, application installation, user profiles, and desktop-system lock down.

Replication of information: Active Directory provides multimaster replication technology to ensure information availability, fault tolerance, load balancing, and other performance benefits. Multimaster replication enables you to update the directory at any domain controller and replicates directory changes to any other domain controller. Because multiple domain controllers are employed, replication continues even if any single domain controller stops working.

Flexible, secure authentication and authorization: Active Directory authentication and authorization services provide protection for data while minimizing barriers to doing business over the Internet. Active Directory supports multiple authentication protocols, such as the Kerberos version 5 protocol, Secure Sockets Layer (SSL) version 3, and Transport Layer Security (TLS) using X.509 version 3 certificates. In addition, Active Directory provides security groups that span domains.

Security integration: Active Directory is integrated with Windows Server 2003/2008 security. Access control can be defined for each object in the directory and on each property of each object. Security policies can be applied locally, or to a specified site, domain, or organizational unit.

Directory-enabled applications and infrastructure: Features within Active Directory make it easier for you to configure and manage applications and other directory-enabled network components. In addition, Active Directory provides a powerful development environment through Active Directory Service Interfaces (ADSI).

Interoperability with other directory services: Active Directory is based on standard directory access protocols, including Lightweight Directory Access Protocol (LDAP) version 3 and the Name Service Provider Interface (NSPI), and can interoperate with other directory services employing these protocols. Because the LDAP directory access protocol is an industry-standard directory service protocol, programs can be developed using LDAP to share Active Directory information with other directory services that also support LDAP. The NSPI protocol, which is used by Microsoft Exchange Server 4.x and 5.x clients, is supported by Active Directory to provide compatibility with the Exchange directory.

Signed and encrypted LDAP traffic by default: The Active Directory tools in Windows Server 2003/2008 sign and encrypt all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with. Note that this covers the administrative tools' own sessions: whether the domain controller rejects unsigned LDAP binds from other clients is governed separately by the LDAP server signing requirement setting, which does not require signing by default.

1.1.5 Active Directory Components
Various Active Directory components are used to build a directory structure that meets the needs of your organization. The following Active Directory components represent logical structures in an organization: domains, organizational units (OUs), trees, and forests. The following Active Directory components represent physical structures in an organization: sites (physical subnets) and domain controllers. Active Directory completely separates the logical structure from the physical structure.

1.1.6 Logical Structures
In Active Directory, you organize resources in a logical structure, a structure that mirrors organizational models, using domains, OUs, trees, and forests. Grouping resources logically allows you to easily find a resource by its name rather than by remembering its physical location. Because you group resources logically, Active Directory makes the network's physical structure transparent to users.
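The feature list above says the administrative tools sign and seal their LDAP sessions; the practical question for an implementation is whether the domain controller also refuses unsigned binds from everything else. The following PowerShell script is an added example and is not part of the Wipro/BHEL document. It reads the LDAPServerIntegrity value on a domain controller (1 = signing optional, the default; 2 = signing required) and then performs a signed and sealed bind from the client side. It assumes PowerShell 2.0 on a domain-joined host, a domain controller name supplied in $DomainController (defaulting to the logon server), and remote-registry rights on that DC for the first check.

```powershell
# Added example, not part of the Wipro/BHEL document.
# Reports whether a DC merely *supports* signed LDAP (the default described
# above) or actually *requires* it, then demonstrates a signed + sealed bind.
param(
    # Assumption: the logon server is a reachable DC; override with -DomainController
    [string]$DomainController = ($env:LOGONSERVER -replace '^\\\\', '')
)

# harmless if the assembly is already loaded
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

function Get-LdapServerIntegrity([string]$Dc) {
    # HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity
    # (the registry side of the "Domain controller: LDAP server signing
    # requirements" policy). 1 = none (default), 2 = require signing.
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Dc)
    $key  = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
    $value = $key.GetValue('LDAPServerIntegrity', 1)   # absent value = default (1)
    $key.Close(); $hive.Close()
    return [int]$value
}

function Test-SignedSealedBind([string]$Dc) {
    # Secure   = Negotiate (Kerberos/NTLM) rather than a cleartext simple bind
    # Signing  = integrity protection on every LDAP message
    # Sealing  = encryption of the session
    $flags = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
             [System.DirectoryServices.AuthenticationTypes]::Signing -bor
             [System.DirectoryServices.AuthenticationTypes]::Sealing
    $root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$Dc/RootDSE", $null, $null, $flags)
    # touching a property performs the bind; a failure throws here
    return [string]$root.Properties['defaultNamingContext'].Value
}

$integrity = Get-LdapServerIntegrity $DomainController
$state = 'accepts unsigned LDAP from clients (signing optional)'
if ($integrity -eq 2) { $state = 'REQUIRES signed LDAP from clients' }
Write-Output ("{0}: LDAPServerIntegrity={1} -> {2}" -f $DomainController, $integrity, $state)

$nc = Test-SignedSealedBind $DomainController
Write-Output ("Signed/sealed bind to {0} succeeded; defaultNamingContext = {1}" -f $DomainController, $nc)
```

A result of 1 on a production DC means the default protection described in the text only applies to clients that ask for it; raising the policy to "Require signing" is a separate decision that has to be checked against every LDAP client in the estate, since simple binds over a non-TLS connection are then rejected.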

Domains: The core unit of logical structure in Active Directory is the domain, which can store millions of objects. Objects stored in a domain are those considered vital to the network. These vital objects are items the members of the networked community need in order to do their jobs: printers, documents, e-mail addresses, databases, users, distributed components, and other resources. All network objects exist within a domain, and each domain stores information only about the objects it contains. Active Directory is made up of one or more domains. A domain can span more than one physical location.

OU: An OU is a container used to organize objects within a domain into a logical administrative group. An OU can contain objects such as user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain. The OU hierarchy within a domain is independent of the OU hierarchy of other domains; each domain can implement its own OU hierarchy. OUs provide a means for handling administrative tasks, such as the administration of users and resources, as they are the smallest scope to which you can delegate administrative authority. By adding OUs to other OUs, or nesting, you can provide administrative control in a hierarchical fashion.

Trees: A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003/2008 domains that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a contiguous namespace and a hierarchical naming structure. Namespaces are covered in detail in the next lesson.

Forests: A forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees. As such, forests have the following characteristics:
- All domains in a forest share a common schema.
- All domains in a forest share a common global catalog.
- All domains in a forest are linked by implicit two-way transitive trusts.
- Trees in a forest have different naming structures, according to their domains.
- Domains in a forest operate independently, but the forest enables communication across the entire organization.

1.1.7 Physical Structures
The physical components of Active Directory are sites and domain controllers. As an administrator, you use these components to develop a directory structure that mirrors the physical structure of your organization.

Sites
A site is a combination of one or more IP subnets connected by a highly reliable and fast link, used to localize as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN). When you group subnets on your network, you should combine only subnets that have fast, cheap and reliable network connections with one another. Fast network connections are at least 512 kilobits per second (Kbps). An available bandwidth (the average amount of bandwidth that is available for use after normal network traffic is handled) of 128 Kbps and higher is sufficient for a site.

Domain Controllers
A domain controller is a computer running Windows Server 2003/2008 that stores a replica of the domain directory (the local domain database). Because a domain can contain one or more domain controllers, each domain controller in a domain has a complete replica of the domain's portion of the directory. A domain controller also authenticates user logon attempts and maintains the security policy for a domain. A domain controller can service only one domain.

1.1.8 Catalog Services: The Global Catalog
The global catalog is the central repository of information about objects in a tree or forest. By default, a global catalog is created automatically on the initial domain controller in the first domain in the forest. A domain controller that holds a copy of the global catalog is called a global catalog server. You can designate any domain controller in the forest as a global catalog server. It stores a full replica of all object attributes in the directory for its host domain and a partial replica of all object attributes contained in the directory for every domain in the forest. The partial replica stores the attributes most frequently used in search operations (such as a user's first and last names, logon name, and so on). Attributes are marked or unmarked for replication in the global catalog when they are defined in the Active Directory schema. Object attributes replicated to the global catalog inherit the same permissions as in the source domains, ensuring that data in the global catalog is secure. Active Directory uses multimaster replication to replicate the global catalog information between global catalog servers in other domains.

1.1.9 Global Catalog Functions
The global catalog performs the following two key functions:
- It enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
- It enables finding directory information regardless of which domain in the forest actually contains the data.
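The Sites paragraph above gives the bandwidth thresholds for deciding which subnets belong together; the project scope (sites and settings across the PSER Region) then requires actually creating the site objects and mapping subnets to them. The following PowerShell script is an added example, not code from the Wipro/BHEL document, showing how that is done through ADSI in the same way the Sites and Services snap-in does it. The site name "Kolkata-HQ" and the subnet 10.10.0.0/16 are assumed placeholders, not BHEL values; the script assumes PowerShell 2.0 on a domain-joined host, runs as a member of Enterprise Admins, and writes nothing unless -Commit is given.

```powershell
# Added example, not part of the Wipro/BHEL document: create an AD site and map
# a subnet to it via ADSI. Site name and subnet below are assumed placeholders.
param(
    [string]$SiteName = 'Kolkata-HQ',     # assumption: not a BHEL site name
    [string]$Subnet   = '10.10.0.0/16',   # assumption: not a BHEL subnet
    [switch]$Commit                        # without this the script only reports
)

$configNC = [string]([ADSI]'LDAP://RootDSE').configurationNamingContext
$sitesDN  = "CN=Sites,$configNC"
$siteDN   = "CN=$SiteName,$sitesDN"
$subnetDN = "CN=$Subnet,CN=Subnets,$sitesDN"

function Test-AdObject([string]$Dn) {
    # In an ADsPath the "/" of a subnet CN would be read as the server/DN
    # separator, so it must be escaped before the DN is placed after LDAP://
    $path = 'LDAP://' + ($Dn -replace '/', '\/')
    return [System.DirectoryServices.DirectoryEntry]::Exists($path)
}

function New-AdSite {
    $sites = [ADSI]"LDAP://$sitesDN"
    $site  = $sites.Create('site', "CN=$SiteName")
    $site.SetInfo()
    # the two child containers every site has and the snap-in expects
    $servers  = $site.Create('serversContainer', 'CN=Servers');            $servers.SetInfo()
    $settings = $site.Create('nTDSSiteSettings', 'CN=NTDS Site Settings'); $settings.SetInfo()
}

function New-AdSubnet([string]$SiteDistinguishedName) {
    $subnets = [ADSI]"LDAP://CN=Subnets,$sitesDN"
    $sub = $subnets.Create('subnet', "CN=$Subnet")   # RDN is not path-parsed, no escaping needed
    $sub.Put('siteObject', $SiteDistinguishedName)    # this link is what assigns the subnet to the site
    $sub.SetInfo()
}

foreach ($dn in @($siteDN, $subnetDN)) {
    if (Test-AdObject $dn) { Write-Output "exists:  $dn" } else { Write-Output "missing: $dn" }
}

if (-not $Commit) {
    Write-Output 'Dry run only; re-run with -Commit to create the missing objects.'
    return
}
if (-not (Test-AdObject $siteDN))   { New-AdSite;            Write-Output "created $siteDN" }
if (-not (Test-AdObject $subnetDN)) { New-AdSubnet $siteDN;  Write-Output "created $subnetDN" }
```

A subnet that is not mapped to any site leaves clients in it free to pick any domain controller in the forest, which defeats the traffic-localization purpose described above; running the report half of this script (without -Commit) for every location in the region is a cheap check that each branch subnet has a siteObject link.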

1.1.10 Replication
Users and services should be able to access directory information at any time from any computer in the domain tree or forest. Replication ensures that changes to a domain controller are reflected in all domain controllers within a domain. Directory information is replicated to domain controllers both within and among sites.

1.1.11 What Information Is Replicated
The information stored in the directory (in the Ntds.dit file) is logically partitioned into four categories, as shown in Figure 1-13. Each of these information categories is referred to as a directory partition. A directory partition is also referred to as a naming context. These directory partitions are the units of replication. The directory contains the following partitions:
- Schema partition: This partition defines the objects that can be created in the directory and the attributes those objects can have. This data is common to all domains in a forest and is replicated to all domain controllers in a forest.
- Configuration partition: This partition describes the logical structure of the deployment, including data such as domain structure or replication topology. This data is common to all domains in a forest and is replicated to all domain controllers in a forest.
- Domain partition: This partition describes all of the objects in a domain. This data is domain-specific and is not replicated to any other domain (apart from the partial attribute set that global catalog servers carry, described above). However, the data is replicated to every domain controller in that domain.
- Application directory partition: This partition stores dynamic application-specific data in Active Directory without significantly affecting network performance, by enabling you to control the scope of replication and the placement of replicas. The application directory partition can contain any type of object except security principals (users, groups, and computers). Data can be explicitly routed to administrator-specified domain controllers within a forest in order to prevent unnecessary replication traffic, or it can be set to replicate everything to all domain controllers in the same fashion as the schema, configuration, and domain partitions.

1.1.12 Trust Relationships
A trust relationship is a link between two domains in which the trusting domain honors the logon authentication of the trusted domain. There are two domains in a trust relationship: the trusting and the trusted domain. Users and applications are authenticated in the Windows Server 2003/2008 family using one of two trust protocols: Kerberos version 5 or NT LAN Manager (NTLM). The Kerberos version 5 protocol is the default protocol for computers running Windows Server 2003/2008. If any computer involved in a transaction does not support Kerberos version 5, the NTLM protocol is used. A trust relationship is also permitted with any MIT Kerberos version 5 realm.

1.1.13 Group Policies
Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops. For example, using group policies, you can set the programs that are available to users, the programs that appear on the user's desktop, and Start menu options.

1.1.14 DNS
DNS is a service used in Transmission Control Protocol/Internet Protocol (TCP/IP) networks, such as the Internet, to locate computers and services through user-friendly names. DNS provides a method of naming computers and network services using a hierarchy of domains. Computers communicate over a network by using numeric addresses. However, it is easier for most users who want to locate a computer on a network to remember and learn a friendly name such as example.microsoft.com. DNS provides a way to map the user-friendly name for a computer or service to its numeric address, such as an IP address. If you have used a Web browser, you have used DNS. When a user enters a user-friendly DNS name in an application, DNS services can resolve the name to other information associated with the name.

1.1.15 Operations Master Roles
Active Directory supports multimaster replication of the Active Directory database between all domain controllers in the domain. However, some changes are impractical to perform in multimaster fashion, so one or more domain controllers can be assigned to perform operations that are single-master (not permitted to occur at different places in a network at the same time). Operations master roles are assigned to domain controllers to perform these single-master operations. In any Active Directory forest, five operations master roles must be assigned to one or more domain controllers. Some roles must appear in every forest. Other roles must appear in every domain in the forest. You must be aware of the operations master roles assigned to a domain controller if problems develop on the domain controller or if you plan to take it out of service.

1.1.16 Forest-Wide Operations Master Roles
Every Active Directory forest must have the following roles:
- Schema master
- Domain naming master
These roles must be unique in the forest. This means that throughout the entire forest there can be only one schema master and one domain naming master.
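Sections 1.1.10 and 1.1.11 above describe replication in terms of directory partitions; when checking a migration you want to see replication state per partition rather than per server. The following PowerShell script is an added example and not part of the Wipro/BHEL document. It takes the CSV output of repadmin /showrepl (in-box on a Windows Server 2008 domain controller), groups the inbound links by naming context, classifies each context as schema, configuration, domain or application partition, and reports failing links. It assumes PowerShell 2.0 (for ConvertFrom-Csv) and the column names repadmin emits with /csv; the -Sample switch uses a constructed set of rows (hypothetical server and site names, not BHEL data) so the parsing can be run offline.

```powershell
# Added example, not part of the Wipro/BHEL document: per-partition replication
# summary built from "repadmin /showrepl * /csv". Assumes PowerShell 2.0.
param([switch]$Sample)   # -Sample: use the constructed rows below instead of repadmin

# Constructed sample in repadmin's CSV layout; DC01/DC02/RODC01 and the sites
# are hypothetical. 1722 is the Win32 code for "The RPC server is unavailable".
$sampleCsv = @'
showrepl_COLUMNS,Destination DSA Site,Destination DSA,Naming Context,Source DSA Site,Source DSA,Transport Type,Number of Failures,Last Failure Time,Last Success Time,Last Failure Status
showrepl_INFO,Kolkata-HQ,DC01,"CN=Schema,CN=Configuration,DC=bhel,DC=example",Kolkata-HQ,DC02,RPC,0,0,2008-12-22 09:58:11,0
showrepl_INFO,Kolkata-HQ,DC01,"CN=Configuration,DC=bhel,DC=example",Kolkata-HQ,DC02,RPC,0,0,2008-12-22 09:58:11,0
showrepl_INFO,Kolkata-HQ,DC01,"DC=bhel,DC=example",Kolkata-HQ,DC02,RPC,0,0,2008-12-22 09:58:12,0
showrepl_INFO,Kolkata-HQ,DC01,"DC=DomainDnsZones,DC=bhel,DC=example",Kolkata-HQ,DC02,RPC,0,0,2008-12-22 09:58:12,0
showrepl_INFO,Bakreswar,RODC01,"DC=bhel,DC=example",Kolkata-HQ,DC01,RPC,3,2008-12-22 09:40:02,2008-12-21 23:10:44,1722
'@

function Get-PartitionKind([string]$Nc) {
    # Maps a naming context onto the four partition types described above.
    # Only the two DNS application partitions are recognised; add any custom
    # application partitions of your own forest here.
    if ($Nc -like 'CN=Schema,CN=Configuration,*') { return 'schema' }
    if ($Nc -like 'CN=Configuration,*')           { return 'configuration' }
    if ($Nc -like 'DC=DomainDnsZones,*' -or $Nc -like 'DC=ForestDnsZones,*') { return 'application' }
    return 'domain'
}

function Get-ReplicationSummary($Rows) {
    $Rows | Group-Object 'Naming Context' | ForEach-Object {
        $failed = @($_.Group | Where-Object { [int]$_.'Number of Failures' -gt 0 })
        $worst  = $null
        if ($failed.Count -gt 0) { $worst = $failed[0].'Last Failure Status' }
        New-Object PSObject -Property @{
            Kind          = Get-PartitionKind $_.Name
            NamingContext = $_.Name
            Links         = $_.Count          # inbound replication links for this partition
            FailingLinks  = $failed.Count
            FailingFrom   = ($failed | ForEach-Object { $_.'Source DSA' }) -join ','
            LastStatus    = $worst
        }
    }
}

if ($Sample) {
    $rows = $sampleCsv -split "`r?`n" | ConvertFrom-Csv
} else {
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv   # every DC in the forest
}

Get-ReplicationSummary $rows |
    Sort-Object Kind, NamingContext |
    Format-Table Kind, NamingContext, Links, FailingLinks, FailingFrom, LastStatus -AutoSize
```

On the constructed rows the domain partition shows one failing inbound link (the RODC pulling from DC01) while schema and configuration are clean; in a real run, failures confined to the domain or DomainDnsZones partitions of one site usually point at WAN connectivity to that site rather than at the directory itself, which is exactly the branch-office situation the RODC section later addresses.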

1.1.17 Schema Master Role
The domain controller assigned the schema master role controls all updates and modifications to the schema. To update the schema of a forest, you must have access to the schema master. At any time, there can be only one schema master in the entire forest.

1.1.18 Domain Naming Master Role
The domain controller holding the domain naming master role controls the addition or removal of domains in the forest. There can be only one domain naming master in the entire forest at any time.

1.1.19 Domain-Wide Operations Master Roles
Every domain in the forest must have the following roles:
- Relative identifier (RID) master
- Primary domain controller (PDC) emulator
- Infrastructure master
These roles must be unique in each domain. This means that each domain in the forest can have only one RID master, one PDC emulator master, and one infrastructure master.

1.1.20 RID Master Role
The domain controller assigned the RID master role allocates sequences of relative IDs to each of the various domain controllers in its domain. Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique security ID. The security ID consists of a domain security ID (that is the same for all security IDs created in the domain) and a relative ID that is unique for each security ID created in the domain. To move an object between domains (using Movetree.exe: Active Directory Object Manager), you must initiate the move on the domain controller acting as the RID master of the domain that currently contains the object. At any time, there can be only one domain controller acting as the RID master in each domain in the forest.
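Two checks follow directly from the RID master description above: decomposing a security ID into the domain SID and the RID, and seeing how much of the domain's RID space the RID master still has to hand out (the situation behind the "domain runs out of relative identifiers" failure described later). The following PowerShell script is an added example and not part of the Wipro/BHEL document. It assumes PowerShell 2.0 on a domain-joined host, running as an ordinary domain user; the sample SID it parses is a constructed value, not a BHEL identifier. The object CN=RID Manager$,CN=System,<domain> and its rIDAvailablePool and fSMORoleOwner attributes are the real places Active Directory keeps this information.

```powershell
# Added example, not part of the Wipro/BHEL document. Assumes PowerShell 2.0.
[void][System.Reflection.Assembly]::LoadWithPartialName('System.DirectoryServices')

function Split-Sid([string]$SidString) {
    # Splits S-1-5-21-<domain>-<rid> into the domain SID shared by every
    # principal in the domain and the RID issued from a RID-master pool.
    $sid = New-Object System.Security.Principal.SecurityIdentifier($SidString)
    $rid = [int64]($SidString.Split('-')[-1])
    $domainSid = $null
    if ($sid.AccountDomainSid -ne $null) { $domainSid = $sid.AccountDomainSid.Value }   # null for e.g. S-1-5-32-544
    New-Object PSObject -Property @{
        Sid       = $sid.Value
        DomainSid = $domainSid
        Rid       = $rid
        WellKnown = ($rid -lt 1000)   # RIDs below 1000 are reserved: 500 = Administrator, 512 = Domain Admins
    }
}

function Get-RidPoolStatus {
    $domainDN   = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
    $ridManager = New-Object System.DirectoryServices.DirectoryEntry('LDAP://CN=RID Manager$,CN=System,' + $domainDN)
    $searcher   = New-Object System.DirectoryServices.DirectorySearcher($ridManager, '(objectClass=rIDManager)', [string[]]@('ridavailablepool', 'fsmoroleowner'))
    $searcher.SearchScope = 'Base'
    $result = $searcher.FindOne()   # DirectorySearcher returns the LargeInteger as Int64

    # rIDAvailablePool packs two 32-bit values into one 64-bit integer:
    # low dword = next RID to allocate, high dword = highest RID the domain may ever issue.
    $pool    = [int64]$result.Properties['ridavailablepool'][0]
    $nextRid = $pool % 4294967296
    $maxRid  = [int64](($pool - $nextRid) / 4294967296)

    # fSMORoleOwner holds the NTDS Settings DN of the RID master; its second RDN is the server name.
    $owner     = [string]$result.Properties['fsmoroleowner'][0]
    $ridMaster = (($owner -split ',')[1] -replace '^CN=', '')

    New-Object PSObject -Property @{
        RidMaster     = $ridMaster
        NextRid       = $nextRid
        MaxRid        = $maxRid
        RidsRemaining = $maxRid - $nextRid
        PercentUsed   = [math]::Round(100.0 * $nextRid / $maxRid, 2)
    }
}

# Constructed sample SID (RID 512 = Domain Admins); the domain part is not a BHEL value.
Split-Sid 'S-1-5-21-1004336348-1177238915-682003330-512' | Format-List Sid, DomainSid, Rid, WellKnown
Get-RidPoolStatus | Format-List RidMaster, NextRid, MaxRid, RidsRemaining, PercentUsed
```

A freshly installed domain reports a NextRid just above 1000 and a MaxRid of 1073741823 (2^30 - 1), so PercentUsed stays near zero for years; a value that climbs unexpectedly after a migration usually means repeated seizures of the RID master or scripted bulk object creation, and is worth investigating before the pool is exhausted.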

1.1.21 PDC Emulator Role
If the domain contains computers operating without Windows Server 2003/2008 client software or if it contains Windows NT backup domain controllers (BDCs), the domain controller assigned the PDC emulator role acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the BDCs. Even after all systems are upgraded to Windows Server 2003/2008, and the Windows Server 2003/2008 domain is operating at the Windows Server 2003/2008 functional level, the PDC emulator receives preferential replication of password changes performed by other domain controllers in the domain. If a password was recently changed, that change takes time to replicate to every domain controller in the domain. If a logon authentication fails at another domain controller due to a bad password, that domain controller forwards the authentication request to the PDC emulator before rejecting the logon attempt. At any time, there can be only one domain controller acting as the PDC emulator in each domain in the forest.

1.1.22 Infrastructure Master Role
The domain controller assigned the infrastructure master role is responsible for updating the group-to-user references whenever the members of groups are renamed or changed. When you rename or move a member of a group (and the member resides in a different domain from the group), the group might temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. The infrastructure master distributes the update via multimaster replication. There is no compromise to security during the time between the member rename and the group update. Only an administrator looking at that particular group membership would notice the temporary inconsistency. At any time, there can be only one domain controller acting as the infrastructure master in each domain.

1.1.23 What Problems Arise when an Operations Master Fails

Schema Master Failure
Temporary loss of the schema operations master is not visible to network users. It is not visible to network administrators either, unless they are trying to modify the schema or install an application that modifies the schema during installation. If the schema master will be unavailable for an unacceptable length of time, you can seize the role to the domain controller you have chosen to act as the standby schema master. However, seizing this role is a step that you should take only when the failure of the schema master is permanent: once the role has been seized, the original holder must not be brought back onto the network, but must be rebuilt and re-promoted. The same rule applies to a seized domain naming master or RID master.

Domain Naming Master Failure
Temporary loss of the domain naming master is not visible to network users. It is not visible to network administrators either, unless they are trying to add a domain to the forest or remove a domain from the forest. If the domain naming master will be unavailable for an unacceptable length of time, you can seize the role to the domain controller you have chosen to act as the standby domain naming master. However, seizing this role is a step that you should take only when the failure of the domain naming master is permanent.

RID Master Failure
Temporary loss of the RID operations master is not visible to network users. It is not visible to network administrators either, unless they are creating objects and the domain in which they are creating the objects runs out of relative identifiers. If the RID master will be unavailable for an unacceptable length of time, you can seize the role to the domain controller you have chosen to act as the standby RID master. However, seizing this role is a step that you should take only when the failure of the RID master is permanent.

PDC Emulator Failure
The loss of the PDC emulator affects network users. Therefore, when the PDC emulator is not available, you might need to seize the role immediately. If the current PDC emulator will be unavailable for an unacceptable length of time and its domain has clients without Windows Server 2003/2008 client software, or if it contains Windows NT backup domain controllers, seize the PDC emulator role to the domain controller you have chosen to act as the standby PDC emulator. When the original PDC emulator is returned to service, you can return the role to the original domain controller.

Infrastructure Master Failure
Temporary loss of the infrastructure master is not visible to network users. It is not visible to network administrators either, unless they have recently moved or renamed a large number of accounts. If the infrastructure master will be unavailable for an unacceptable length of time, you can seize the role to a domain controller that is not a global catalog but is well connected to a global catalog (from any domain), ideally in the same site as a global catalog server. When the original infrastructure master is returned to service, you can transfer the role back to the original domain controller.
Read-Only Domain Controllers A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008 operating system. if users had to authenticate with a domain controller over a wide area network (WAN).MSBU Division BHEL /Kolkata/ Windows Server 2008 Active Directory Implementation and Migration length of time. Branch offices often cannot provide the adequate physical security that is required for a writable domain controller. Therefore. you can seize the role to the domain controller you ve chosen to act as the standby RID master. Before the release of Windows Server 2008. or if it contains Windows NT backup domain controllers. there was no real alternative. Furthermore. If the current PDC emulator will be unavailable for an unacceptable length of time and its domain has clients without Windows Server 2003/2008 client software. you can return the role to the original domain controller. When the original PDC emulator is returned to service. If the RID master will be unavailable for an unacceptable length of time. unless they have recently moved or renamed a large number of accounts. This can increase the amount of time that is required to log on.

Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a result, users in this situation can receive the following benefits:

- Improved security
- Faster logon times
- More efficient access to resources on the network

1.2 What does an RODC do?

Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a way to deploy a domain controller more securely in locations that require fast and reliable authentication services but cannot ensure physical security for a writable domain controller. However, your organization may also choose to deploy an RODC for special administrative requirements. For example, a line-of-business (LOB) application may run successfully only if it is installed on a domain controller. Or, the domain controller might be the only server in the branch office, and it may have to host server applications. In such cases, the LOB application owner must often log on to the domain controller interactively or use Terminal Services to configure and manage the application. This situation creates a security risk that may be unacceptable on a writable domain controller.

An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant a non-administrative domain user the right to log on to an RODC while minimizing the security risk to the Active Directory forest. You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a primary threat, for example, in an extranet or application-facing role.

1.3 Who will be interested in this feature?

RODC is designed primarily to be deployed in remote or branch office environments. Branch offices typically have the following characteristics:

- Relatively few users
- Poor physical security
- Relatively poor network bandwidth to a hub site
- Little knowledge of information technology (IT)

You should review this section, and the additional supporting documentation about RODC, if you are in any of the following groups:

- IT planners and analysts who are technically evaluating the product
- Enterprise IT planners and designers for organizations
- Those responsible for IT security
- AD DS administrators who deal with small branch offices

1.4 Are there any special considerations?

To deploy an RODC, at least one writable domain controller in the domain must be running Windows Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or higher.

1.5 What new functionality does this feature provide?

RODC addresses some of the problems that are commonly found in branch offices. These locations might not have a domain controller. Or, they might have a writable domain controller but not the physical security, network bandwidth, or local expertise to support it. The following RODC functionality mitigates these problems:

- Read-only AD DS database
- Unidirectional replication
- Credential caching
- Administrator role separation
- Read-only Domain Name System (DNS)

1.5.1 Read-only AD DS database

Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable domain controller holds. However, changes cannot be made to the database that is stored on the RODC. Changes must be made on a writable domain controller and then replicated back to the RODC. Local applications that request Read access to the directory can obtain access. Lightweight Directory Access Protocol (LDAP) applications that request Write access receive an LDAP referral response. This response directs them to a writable domain controller, normally in a hub site.

1.5.2 RODC filtered attribute set

Some applications that use AD DS as a data store might have credential-like data (such as passwords, credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is compromised. For these types of applications, you can dynamically configure a set of attributes in the schema for domain objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set. Attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the forest.

By default. The RODC performs normal inbound replication for AD DS and SYSVOL changes. Accordingly. it is recommended that the schema master be a Windows Server 2008 domain controller when you add attributes to RODC filtered attribute set. Security Accounts Manager (SAM. such as Kerberos. no changes originate at the RODC. This also reduces the workload of bridgehead servers in the hub and the effort required to monitor replication. However. If the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2008. If you try to add a systemcritical attribute to the RODC filtered attribute set on a Windows Server 2003 schema master. Credentials consist of a small set of approximately 10 passwords that are associated with security principals. ensure that forest functional level is Windows Server 2008 if you plan to configure the RODC filtered attribute set. A system-critical attribute has a schemaFlagsEx attribute value equal to 1 (schemaFlagsEx attribute value & 0x1 = TRUE). the replication request is denied. writable domain controllers that are replication partners do not have to pull changes from the RODC. RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication of SYSVOL. If you try to add a system-critical attribute to the RODC filtered set while the schema master is running Windows Server 2008. You must explicitly allow any other credential caching on an RODC. An attribute is system-critical if it is required for AD DS.1. the operation appears to succeed but the attribute is not actually added.3 Unidirectional replication Because no changes are written directly to the RODC. The RODC filtered attribute set is configured on the server that holds the schema operations master role. The exceptions are the computer account of the RODC and a special krbtgt account that each RODC has. an RODC does not store user or computer credentials. WIPRO ² BHEL Confidential Page 18 . 
This ensures that system-critical attributes are not included in the RODC filtered attribute set. if the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003. When the forest functional level is Windows Server 2008.MSBU Division BHEL /Kolkata/ Windows Server 2008 Active Directory Implementation and Migration A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate attributes that are defined in the RODC filtered attribute set.5. to function properly.Wipro Infotech . This means that any changes or corruption that a malicious user might make at branch locations cannot replicate from the RODC to the rest of the forest. 1. the replication request can succeed. as a security precaution. Therefore.4 Credential caching Credential caching is the storage of user or computer credentials.1. 1. You cannot add system-critical attributes to the RODC filtered attribute set.5. and Microsoft-specific Security Service Provider Interfaces (SSPIs). Therefore. The RODC uses a different krbtgt account and password than the KDC on a writable domain controller uses when it signs or encrypts ticket-granting ticket (TGT) requests. the server returns an "unwillingToPerform" LDAP error. The RODC is advertised as the Key Distribution Center (KDC) for the branch office. an RODC that is compromised cannot be exploited in this manner because domain controllers that are running Windows Server 2003 are not allowed in the forest. Local Security Authority (LSA).
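The checks described in section 1.5.2, worked through as an added PowerShell example (not part of the Wipro/BHEL document): it verifies the forest functional level, refuses system-critical attributes (schemaFlagsEx & 0x1) before trying, and marks an attribute as RODC-filtered on the schema master by setting searchFlags bit 0x200 (fRODCFilteredAttribute, as Microsoft documents it), plus the confidential bit 0x80. It assumes the ActiveDirectory PowerShell module (Windows Server 2008 R2 or RSAT) and Schema Admins membership; the attribute name appSecret is a placeholder.

```powershell
# Added example, not from the Wipro/BHEL document. Requires the ActiveDirectory
# module (Windows Server 2008 R2 / RSAT) and Schema Admins membership.
Import-Module ActiveDirectory

$FLAG_ATTR_IS_CRITICAL = 0x1    # schemaFlagsEx bit: attribute is system-critical
$SF_CONFIDENTIAL       = 0x80   # searchFlags bit: confidential (read needs CONTROL_ACCESS)
$SF_RODC_FILTERED      = 0x200  # searchFlags bit: member of the RODC filtered attribute set

$forest   = Get-ADForest
$schemaDC = $forest.SchemaMaster          # the set is configured on the schema master only
$schemaNC = (Get-ADRootDSE -Server $schemaDC).schemaNamingContext

function Test-RodcFilterPrerequisite {
    # Section 1.5.2 precaution: at forest functional level Windows Server 2008 no
    # Windows Server 2003 DC can exist to honour a compromised RODC's request for
    # filtered attributes.
    $required = [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest
    if ([int]$forest.ForestMode -lt [int]$required) {
        Write-Warning "Forest functional level is $($forest.ForestMode); raise it to Windows Server 2008 first."
        return $false
    }
    return $true
}

function Get-RodcFilteredAttribute {
    # Every attributeSchema object whose searchFlags has bit 0x200 set
    # (1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule).
    Get-ADObject -Server $schemaDC -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(searchFlags:1.2.840.113556.1.4.803:=$SF_RODC_FILTERED))" `
        -Properties lDAPDisplayName, searchFlags, schemaFlagsEx |
        Select-Object lDAPDisplayName, searchFlags, schemaFlagsEx
}

function Add-RodcFilteredAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    $attr = Get-ADObject -Server $schemaDC -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags, schemaFlagsEx
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema." }

    # Refuse system-critical attributes up front: a 2008 schema master would answer
    # unwillingToPerform, a 2003 one would appear to succeed and silently do nothing.
    if (([int]$attr.schemaFlagsEx) -band $FLAG_ATTR_IS_CRITICAL) {
        throw "'$LdapDisplayName' is system-critical (schemaFlagsEx & 0x1) and cannot be filtered."
    }

    $current = [int]$attr.searchFlags
    if ($current -band $SF_RODC_FILTERED) {
        Write-Host "'$LdapDisplayName' is already in the RODC filtered attribute set."
        return
    }
    $new = $current -bor $SF_RODC_FILTERED -bor $SF_CONFIDENTIAL
    Set-ADObject -Server $schemaDC -Identity $attr.DistinguishedName -Replace @{ searchFlags = $new }
    Write-Host ("'{0}': searchFlags 0x{1:X} -> 0x{2:X}" -f $LdapDisplayName, $current, $new)
}

if (Test-RodcFilterPrerequisite) {
    # 'appSecret' is a placeholder for the application attribute that holds credential-like data.
    Add-RodcFilteredAttribute -LdapDisplayName 'appSecret'
    Get-RodcFilteredAttribute | Format-Table -AutoSize
}
```

Existing RODCs drop a newly filtered attribute only after the schema change has replicated to them, so re-run Get-RodcFilteredAttribute against the branch RODC before treating the data as protected.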

After an account is successfully authenticated, the RODC attempts to contact a writable domain controller at the hub site and requests a copy of the appropriate credentials. The writable domain controller recognizes that the request is coming from an RODC and consults the Password Replication Policy in effect for that RODC. The Password Replication Policy determines if a user's credentials or a computer's credentials can be replicated from the writable domain controller to the RODC. If the Password Replication Policy allows it, the writable domain controller replicates the credentials to the RODC, and the RODC caches them.

After the credentials are cached on the RODC, the RODC can directly service that user's logon requests until the credentials change. (When a TGT is signed with the krbtgt account of the RODC, the RODC recognizes that it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards requests to a writable domain controller.)

By limiting credential caching only to users who have authenticated to the RODC, the potential exposure of credentials by a compromise of the RODC is also limited. Typically, only a small subset of domain users has credentials cached on any given RODC. Therefore, in the event that the RODC is stolen, only those credentials that are cached can potentially be cracked. Leaving credential caching disabled might further limit exposure, but it results in all authentication requests being forwarded to a writable domain controller. An administrator can modify the default Password Replication Policy to allow users' credentials to be cached at the RODC.

1.5.5 Administrator role separation

You can delegate local administrative permissions for an RODC to any domain user without granting that user any user rights for the domain or other domain controllers. This permits a local branch user to log on to an RODC and perform maintenance work on the server, such as upgrading a driver. However, the branch user cannot log on to any other domain controller or perform any other administrative task in the domain. In this way, the branch user can be delegated the ability to effectively manage the RODC in the branch office without compromising the security of the rest of the domain.

1.5.6 Read-only DNS

You can install the DNS Server service on an RODC. An RODC is able to replicate all application directory partitions that DNS uses, including ForestDNSZones and DomainDNSZones. If the DNS server is installed on an RODC, clients can query it for name resolution as they query any other DNS server. However, the DNS server on an RODC is read-only and therefore does not support client updates directly.

Creation of Root Domain Controller on Windows Server 2008.

TCP/IP configuration of Root Domain Controller in Salt Lake.

General configuration of the Salt Lake RDC.

Hard disk partition information of the RDC.

A new simple volume is created for the AD database.

Welcome wizard, click Next.

Specify the size of the volume.

Choose a drive letter and then click Next.


Format the volume with the NTFS file system with the appropriate details.



Format completed successfully.



Installation of the DNS Server role on BHELPSERRDC01.

Welcome wizard, click Next.


Check DNS Server and then click Next.

Click Next.

Process of adding the DNS Server role started.

RDC creation in Salt Lake:

To configure this server as an additional Root Domain Server, we first configure it as an Additional Domain Controller for the domain bhelpser.co.in.

Welcome wizard. Click Next.

Check the advanced mode installation check box, then click Next.

Select Existing forest and Add a domain controller to an existing domain.

Provide the name of the existing domain.

Supply the credentials of a domain admin for creating the ADC.

Select the domain bhelpser.co.in and then click Next.

Select the default first site and then click Next.

Check the Global catalog option and then click Next.

Select the first option for replicating the database over the network.

Select the appropriate domain controller.

Specify the path for the Active Directory database.

Supply the credentials. These credentials will be used to restore Active Directory in case of any failure.

Summary of the whole wizard.

Click Next.

Process of installation of Active Directory Domain Services started.

After the restart we have given the server more than 24 hrs to complete the replication of all Active Directory components. Once the replication is complete, the size of the AD database file ntds.dit indicates the completion of replication from the Root Domain Controller.

After the replication, all the DNS records are also available on BHELPSERRDC01, including name servers and forwarders.

DNS records.


Name Servers.

Forwarders.

Raising the Domain Functional Level.

Before transferring the roles, the functional levels of the existing RDC must be raised. Open Active Directory Users and Computers. Right-click on bhelpser.co.in and then select Raise Domain Functional Level.

Select Windows Server 2008 and then click Raise.

Click OK to proceed.

Domain Functional Level successfully raised.

Open Active Directory Domains and Trusts. Right-click on bhelpser.co.in and then select Raise Forest Functional Level.

Select Windows Server 2008, then click Raise.

Click OK to proceed.

Forest Functional Level successfully raised.

Upgrading the schema.

Upgrading the schema for Windows Server 2008 requires its installation files.


After upgrading, our 2003 server is able to recognize the Windows Server 2008 server.

Transferring the five Operations Master Roles to BHELPSERRDC01.

Querying the operations master roles on our existing Windows Server 2003 RDC:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\>netdom query fsmo
Schema owner            cal002.bhelpser.co.in
Domain role owner       cal002.bhelpser.co.in
PDC role                cal002.bhelpser.co.in
RID pool manager        cal002.bhelpser.co.in
Infrastructure owner    cal002.bhelpser.co.in
The command completed successfully.

To transfer the roles through the command line, the ntdsutil command is used.

Type "roles" then press Enter.

Type "connections" then press Enter.

To connect to the server, type "connect to server bhelpserrdc01"; it will connect to our Windows Server 2008 server.

To transfer the Domain Naming Master, type "transfer domain naming master". Click Yes in the confirmation dialog box.

Domain Naming Master transferred to bhelpserrdc01.

To transfer the Infrastructure Master, type "transfer infrastructure master".

Click Yes in the confirmation dialog box.

Infrastructure Master transferred to bhelpserrdc01.

To transfer the PDC, type "transfer pdc". Click Yes in the confirmation dialog box.

PDC transferred to bhelpserrdc01.

To transfer the RID master, type "transfer rid master". Click Yes in the confirmation dialog box.

RID master transferred to bhelpserrdc01.

To transfer the Schema master, type "transfer schema master". Click Yes in the confirmation dialog box.

Schema master transferred to bhelpserrdc01.

Querying the operations master roles again.
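The role query and transfer walked through above with netdom and ntdsutil, as an added PowerShell example (not part of the Wipro/BHEL document): it records the five role holders before and after, warns about the infrastructure master placement rule from section 1.1.23, and transfers gracefully by default, seizing only when the -Seize switch is given for a permanently failed holder. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and Enterprise Admins rights for the forest-wide roles; BHELPSERRDC01 is the document's target DC.

```powershell
# Added example, not from the Wipro/BHEL document. Requires the ActiveDirectory
# module (Windows Server 2008 R2 / RSAT); Enterprise Admins for the forest roles,
# Domain Admins for the domain roles.
Import-Module ActiveDirectory

$ForestRoles = 'SchemaMaster', 'DomainNamingMaster'
$DomainRoles = 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'

function Get-FsmoHolder {
    # PowerShell equivalent of the "netdom query fsmo" output shown earlier.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [ordered]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Test-InfrastructureMasterPlacement {
    param([Parameter(Mandatory)][string]$TargetDC)
    # Section 1.1.23: the infrastructure master should sit on a DC that is not a
    # global catalog, unless every DC in the domain is a GC (then the role is idle).
    $dcs    = Get-ADDomainController -Filter *
    $target = $dcs | Where-Object { $_.Name -eq $TargetDC -or $_.HostName -like "$TargetDC.*" }
    $allGC  = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
    if ($target.IsGlobalCatalog -and -not $allGC) {
        Write-Warning "$TargetDC is a global catalog while other DCs are not; cross-domain group references would stop being updated."
    }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [string[]]$Roles = ($ForestRoles + $DomainRoles),
        [switch]$Seize   # only when the current holder's failure is permanent (section 1.1.23)
    )
    $before = Get-FsmoHolder
    # Without -Force this is a transfer: the current holder must be online and hand
    # the role over. With -Force it is a seizure, like the ntdsutil "seize" commands,
    # and the old holder must never be brought back online with its stale role.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Roles `
        -Force:$Seize -Confirm:$false
    $after = Get-FsmoHolder
    foreach ($r in $Roles) {
        [pscustomobject]@{ Role = $r; Before = $before[$r]; After = $after[$r] }
    }
}

# Graceful transfer of all five roles to the new Windows Server 2008 DC, as in the
# ntdsutil walkthrough above. Add -Seize only if cal002 is permanently lost.
Test-InfrastructureMasterPlacement -TargetDC 'BHELPSERRDC01'
Move-FsmoRole -TargetDC 'BHELPSERRDC01' | Format-Table -AutoSize
```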

Creation of separate OUs for the Kolkata-Salt Lake, Budge-budge and Bakreswar sites.

Provide a name for the OU.

Hierarchical structure for the Kolkata site.

Hierarchical structure for the Bakreswar site.

Hierarchical structure for the Kolkata site OUs.

Hierarchical OU structure has been created.

Group Policy Settings

Account lockout duration set to 15 minutes.

Account will lock out after 3 invalid logon attempts.

Check both Success and Failure events.

Enable the policy "Shutdown system immediately if unable to log security audits".

Set the maximum system log size to 10 MB.

Set the maximum security log size to 10 MB.

Set the maximum application log size to 10 MB.

Enables auditing of all user rights, in conjunction with Audit Privilege Use auditing being enabled.
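A verification script for the Group Policy settings listed above, as an added PowerShell example (not part of the Wipro/BHEL document): run on a domain controller, it compares the effective lockout policy, event log sizes, the CrashOnAuditFail value behind "Shutdown system immediately if unable to log security audits", and the Privilege Use audit subcategories against the values the document specifies. It assumes the ActiveDirectory module (Windows Server 2008 R2 or RSAT) and local administrator rights.

```powershell
# Added example, not from the Wipro/BHEL document. Run on a DC after gpupdate.
# Requires the ActiveDirectory module (Windows Server 2008 R2 / RSAT).
Import-Module ActiveDirectory

function New-Check {
    param([string]$Setting, $Expected, $Actual, [bool]$Pass)
    [pscustomobject]@{ Setting = $Setting; Expected = $Expected; Actual = $Actual; Pass = $Pass }
}

function Test-AccountLockoutBaseline {
    # Document values: lock out after 3 invalid attempts, for 15 minutes.
    $p = Get-ADDefaultDomainPasswordPolicy
    New-Check 'Lockout threshold (attempts)' 3  $p.LockoutThreshold             ($p.LockoutThreshold -eq 3)
    New-Check 'Lockout duration (minutes)'   15 $p.LockoutDuration.TotalMinutes ($p.LockoutDuration.TotalMinutes -eq 15)
}

function Test-EventLogBaseline {
    # System, Security and Application logs: maximum size 10 MB each.
    foreach ($name in 'System', 'Security', 'Application') {
        $log = Get-WinEvent -ListLog $name
        New-Check "$name log max size (MB)" 10 ([math]::Round($log.MaximumSizeInBytes / 1MB, 1)) `
                  ($log.MaximumSizeInBytes -ge 10MB)
    }
}

function Test-CrashOnAuditFail {
    # "Shutdown system immediately if unable to log security audits" sets
    # HKLM\SYSTEM\CurrentControlSet\Control\Lsa\CrashOnAuditFail to 1.
    $lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    New-Check 'CrashOnAuditFail' 1 $lsa.CrashOnAuditFail ($lsa.CrashOnAuditFail -eq 1)
}

function Test-PrivilegeUseAuditing {
    # auditpol /r emits CSV with an "Inclusion Setting" column; the document asks for
    # both Success and Failure on Privilege Use.
    auditpol /get /category:'Privilege Use' /r |
        Where-Object { $_ -match ',' } |
        ConvertFrom-Csv |
        ForEach-Object {
            New-Check "Audit: $($_.Subcategory)" 'Success and Failure' $_.'Inclusion Setting' `
                      ($_.'Inclusion Setting' -eq 'Success and Failure')
        }
}

$results = @(Test-AccountLockoutBaseline) + @(Test-EventLogBaseline) +
           @(Test-CrashOnAuditFail) + @(Test-PrivilegeUseAuditing)
$results | Format-Table -AutoSize

$failed = @($results | Where-Object { -not $_.Pass })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) setting(s) deviate from the baseline; check GPO scope and link order, then gpupdate /force."
}
```

CrashOnAuditFail changes to 2 once the policy has actually halted the system on a full security log, so a value of 2 on a DC means the log filled up and must be cleared before the DC will allow non-administrator logons again.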

This feature is provided for system availability reasons, such as the user's machine being disconnected from the network or domain controllers not being available.

Creation of separate DNS zones for different subnets.

Welcome wizard. Click Next.

Select Primary zone.

Select the method for the replication.

Select the IPv4 addresses.

Provide the network ID for the creation of the zone.

Zone created successfully.

Welcome wizard. Click Next.

Select the primary zone.

Select the method for the replication.

Select the IPv4 addresses.

Provide the unique network ID for this zone.

Select both non-secure and secure updates.

Zone created successfully.

Welcome wizard.

Select Primary zone.

Select the method for the replication of the zone.

Select the IPv4 addresses.

Provide the unique network ID for this zone.

Select both non-secure and secure updates.

Zone created successfully.
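An audit of the dynamic-update setting chosen for the zones created above ("both non-secure and secure updates"), as an added PowerShell example (not part of the Wipro/BHEL document): it lists every primary zone on the DNS server through the root\MicrosoftDNS WMI provider, which exists on Windows Server 2008 (the DnsServer PowerShell module does not), flags zones that accept unauthenticated updates, and shows how an AD-integrated zone is switched to secure-only updates. It assumes DNS Admins rights; BHELPSERRDC01 is the document's DNS server.

```powershell
# Added example, not from the Wipro/BHEL document. Uses the MicrosoftDNS WMI provider
# present on Windows Server 2008 DNS servers; run with DNS Admins rights.
$DnsServer = 'BHELPSERRDC01'

# MicrosoftDNS_Zone.AllowUpdate values
$UpdateMode = @{ 0 = 'None'; 1 = 'Nonsecure and secure'; 2 = 'Secure only' }

function Get-DnsZoneUpdatePolicy {
    param([Parameter(Mandatory)][string]$Server)
    Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' -Class MicrosoftDNS_Zone |
        Where-Object { $_.ZoneType -eq 1 } |          # 1 = primary zone (forward or reverse)
        ForEach-Object {
            [pscustomobject]@{
                Zone         = $_.Name
                ADIntegrated = [bool]$_.DsIntegrated
                AllowUpdate  = $UpdateMode[[int]$_.AllowUpdate]
                # With "nonsecure and secure", any host that can reach UDP/TCP 53 may register
                # or overwrite records without authenticating; secure-only ties each record to
                # the computer account that created it.
                Weak         = ([int]$_.AllowUpdate -eq 1)
            }
        }
}

function Set-DnsZoneSecureOnly {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$ZoneName)
    $zone = Get-WmiObject -ComputerName $Server -Namespace 'root\MicrosoftDNS' `
                -Class MicrosoftDNS_Zone -Filter "Name='$ZoneName'"
    if (-not $zone) { throw "Zone '$ZoneName' not found on $Server." }
    # Secure dynamic update requires an Active Directory-integrated zone.
    if (-not $zone.DsIntegrated) { throw "'$ZoneName' is file-backed; convert it to AD-integrated before enabling secure-only updates." }
    $zone.AllowUpdate = 2
    [void]$zone.Put()
    Write-Host "'$ZoneName' now accepts secure updates only."
}

$report = Get-DnsZoneUpdatePolicy -Server $DnsServer
$report | Format-Table -AutoSize

# Tighten only after confirming no non-domain-joined hosts (printers, appliances) rely on
# unauthenticated registration in these zones; set $ApplyChanges = $true to enforce.
$ApplyChanges = $false
if ($ApplyChanges) {
    $report | Where-Object { $_.Weak -and $_.ADIntegrated } |
        ForEach-Object { Set-DnsZoneSecureOnly -Server $DnsServer -ZoneName $_.Zone }
}
```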

Sites and settings for different sites.

Different sites and settings will be created for the replication between domain controllers.

Creation of different subnets.

Right-click on Subnets and select New Subnet to create a subnet.

Provide the IP subnet and its subnet mask.

Right-click on Subnets and select New Subnet to create a subnet.

Provide the IP subnet and its subnet mask.

Creation of different sites.

Right-click on Sites and select New Site to create a site.

Provide the name for the Bakreswar site and select the default site link.

Site for Bakreswar successfully created.

Go to the properties of the subnet.

Set the description so that it is easy to recognize.

Creation of different site links.

Select New Site Link.

Set the name for the new site link.

Choose the settings for replication between domain controllers.

Decrease the replication frequency.

Create a site for Budge-budge. Select New Site.

Set the name for the new site.

Go to the properties page of the subnet.

Add the Budge-budge site to the site link.

Verify that replication is available all week.

Different sites and settings are created for the replication between domain controllers.

Creation of Additional Domain Controller on Windows Server 2008.

Basic details of the ADC.

TCP/IP configuration of the Additional Domain Controller in Salt Lake.

Server name changes to BHELPSERADC01.

Hard disk partition information of BHELPSERRDC01.

A new simple volume is created for the AD database.

Welcome wizard, click Next.

Specify the size of the volume.

Choose a drive letter and then click Next.

Format the volume with the NTFS file system with the appropriate details.

Format completed successfully.

Installation of DNS on BHELPSERADC01.

Click Add Roles.

Welcome wizard, click Next.

Check DNS Server and then click Next.

Click Next.

Process of adding the DNS Server role started.

DNS Server role service successfully installed.

ADC creation in Salt Lake.

Open cmd and type dcpromo.

Configure this server as an additional Active Directory domain controller for the domain bhelpser.co.in.

Welcome wizard.

Check the advanced mode installation check box, then click Next.

Click Next.

Select Existing forest and Add a domain controller to an existing domain.

Provide the name of the existing domain.

Supply the credentials of a domain admin for creating the ADC.

Select the domain bhelpser.co.in and then click Next.

Select the default first site and then click Next.

Check the Global catalog option and then click Next.

Select the first option for replicating the database over the network.

Select the root domain controller.

Specify the path for Active Directory Database.

Supply the Directory Services Restore Mode (DSRM) credentials. These credentials will be used to restore Active Directory in case of any failure.

Summary of the whole wizard. Click next.

Process of installation of Active Directory Services started.

Click on the Finish button.

Click finish and restart before the changes take effect.

After the restart, the server will require more than 24 hours to complete the replication of all Active Directory components.

Creation of Read Only Domain Controller on Windows Server 2008 at Budge-Budge. TCP/IP configuration of the Read-only Domain Controller at Budge-Budge. Server name changes to BHELBUDGRODC01.

Installation of DNS on BHELBUDGRODC01.

Click Add Roles. Welcome wizard; click next. Check the DNS server and then click next.

Click next. Process of adding the DNS server role started.

DNS server role service successfully installed. RODC creation in Budge-Budge. Configure this server as a read-only Active Directory domain controller for the domain bhelpser.co.in. Open cmd and type dcpromo.

Welcome wizard. Check the advanced mode installation check box, then click next.

Click next. Select Existing forest and Add a domain controller to an existing domain.

Provide the name of the existing domain. Supply the credentials of a domain admin for creating the domain controller.

Select the domain bhelpser.co.in and then click next.

Select the Budge-Budge site and then click next. Select Global catalog and RODC, then click next.

Select Allowed RODC Password Replication and click next. Select Allow passwords for the account to replicate to this RODC. Add Domain Users. With Domain Users in the Allowed list, the RODC will cache the credentials of every domain user who logs on through it.

Set the domain administrator user account for delegation of RODC Installation and Administration. Select the first option for replicating the database over the network.

Select the root domain controller. Specify the path for the Active Directory Database.

Supply the credentials. These credentials will be used to restore Active Directory in case of any failure. Summary of the whole wizard. Click next.

Exported settings of DCPROMO wizard.
; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
;   dcpromo.exe /unattend:C:\Bhel Implementation\rodc-settings.txt
;
; You may need to fill in password fields prior to using the unattend file.
; If you leave the values for "Password" and/or "DNSDelegationPassword"
; as "*", then you will be asked for credentials at runtime.
;
[DCInstall]
; Read-Only Replica DC promotion
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=bhelpser.co.in
; RODC Password Replication Policy
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="BHELPSER\Denied RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\Allowed RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\Domain Users"
DelegatedAdmin="BHELPSER\emperor"
SiteName=Budge-Budge
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=bhelpser.co.in
UserName=bhelpser.co.in\emperor
Password=*
ReplicationSourceDC=BHELPSERRDC01.bhelpser.co.in
DatabasePath="D:\Windows\NTDS"
LogPath="D:\Windows\NTDS"
SYSVOLPath="D:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=
; Run-time flags (optional)
CriticalReplicationOnly=Yes
RebootOnCompletion=Yes

Process of installation of Active Directory Services started.

Click on the Finish button. Click Finish and restart before the changes take effect. After the restart, the server will require enough time to replicate.

On the RODC, the option for creating any users and groups is grayed out.

Creation of Read Only Domain Controller on Windows Server 2008 at Bakreswar. TCP/IP configuration of the Read-only Domain Controller at Bakreswar.

Server name changes to BHELBAKRRODC01. Installation of DNS on BHELBAKRRODC01.

Click Add Roles. Welcome wizard; click next.

Check the DNS server and then click next. Click next.

Process of adding the DNS server role started. DNS server role service successfully installed.

RODC creation in Bakreswar. Configure this server as a read-only Active Directory domain controller for the domain bhelpser.co.in. Open cmd and type dcpromo. Welcome wizard. Click on the Next button.

Check the advanced mode installation check box, then click next. Click on Next.

Select Existing forest and Add a domain controller to an existing domain. Provide the name of the existing domain.

Select the domain bhelpser.co.in and then click next. Supply the credentials of a domain admin for creating the domain controller.

Select the Bakreswar site and then click next. Select Global catalog and RODC, then click next.

Select Allowed RODC Password Replication and click next. Select Allow passwords for the account to replicate to this RODC. Add Domain Users.

Set the domain administrator user account for delegation of RODC Installation and Administration. Select the first option for replicating the database over the network.

Select the root domain controller.

Specify the path for Active Directory Database.

Supply the credentials. These credentials will be used to restore Active Directory in case of any failure. DSRM password: bhel@123#

Summary of the whole wizard. Click next.

Exported settings of DCPROMO wizard.
; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
;   dcpromo.exe /unattend:C:\rodc setting.txt
;
; You may need to fill in password fields prior to using the unattend file.
; If you leave the values for "Password" and/or "DNSDelegationPassword"
; as "*", then you will be asked for credentials at runtime.
;
[DCInstall]
; Read-Only Replica DC promotion
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=bhelpser.co.in
; RODC Password Replication Policy
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="BHELPSER\Denied RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\Allowed RODC Password Replication Group"
DelegatedAdmin="BHELPSER\emperor"
SiteName=Bakreswar
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=bhelpser.co.in
UserName=bhelpser\emperor
Password=*
ReplicationSourceDC=BHELPSERRDC01.bhelpser.co.in
DatabasePath="d:\Windows\NTDS"
LogPath="d:\Windows\NTDS"
SYSVOLPath="d:\Windows\SYSVOL"
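The exported unattend files for the Budge-Budge and Bakreswar RODCs use the same [DCInstall] format, and the settings that matter most for security (the Password Replication Policy, the delegated admin, and any passwords written into the file) are easy to overlook in a wall of key=value lines. The following Python script is an added example, not part of the Wipro/BHEL document: it parses that format (keeping repeated keys such as PasswordReplicationDenied as lists) and flags the points a reviewer would check before such a file is reused or archived. The sample input is constructed from the Budge-Budge settings above; the severity labels and the checks themselves are this example's own choices, not dcpromo's.

```python
"""Audit a dcpromo unattend file's [DCInstall] section for RODC risk points.
Added example, not part of the Wipro/BHEL document; the sample is constructed
from the Budge-Budge settings above and the checks are this example's own."""
from collections import defaultdict

# Built-in groups whose members' secrets should never be cached on an RODC.
SENSITIVE_BUILTINS = {
    "BUILTIN\\Administrators", "BUILTIN\\Server Operators",
    "BUILTIN\\Backup Operators", "BUILTIN\\Account Operators",
}
# Broad groups: allowing them lets the branch RODC cache nearly every user.
BROAD_GROUPS = {"Domain Users", "Authenticated Users", "Everyone"}

SAMPLE = r"""
; DCPROMO unattend file (constructed from the Budge-Budge settings on this page)
; If you leave "Password" as "*", you will be asked for credentials at runtime.
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=bhelpser.co.in
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="BHELPSER\Denied RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\Allowed RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\Domain Users"
DelegatedAdmin="BHELPSER\emperor"
SiteName=Budge-Budge
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=bhelpser.co.in
UserName=bhelpser.co.in\emperor
Password=*
ReplicationSourceDC=BHELPSERRDC01.bhelpser.co.in
DatabasePath="D:\Windows\NTDS"
LogPath="D:\Windows\NTDS"
SYSVOLPath="D:\Windows\SYSVOL"
SafeModeAdminPassword=
CriticalReplicationOnly=Yes
RebootOnCompletion=Yes
"""


def parse_unattend(text):
    """Return {key: [values]} for [DCInstall]. dcpromo repeats keys such as
    PasswordReplicationDenied, so every key maps to a list (configparser would
    keep only the last value); ';' starts a comment, quotes are stripped."""
    settings = defaultdict(list)
    in_section = False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line.lower() == "[dcinstall]"
            continue
        if in_section and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            settings[key].append(value.strip('"'))
    return dict(settings)


def account_name(principal):
    """'BHELPSER\\emperor' -> 'emperor', case-folded for comparison."""
    return principal.split("\\")[-1].lower()


def audit(settings):
    """Return a list of (severity, message) findings for an RODC promotion."""
    get = lambda key: settings.get(key, [])
    if get("ReplicaOrNewDomain") != ["ReadOnlyReplica"]:
        return [("INFO", "not an RODC promotion; PRP checks skipped")]
    findings = []
    # 1. Secrets written into the file: '*' means prompt at run time, anything
    #    else is a clear-text credential in a file that tends to get archived.
    for key in ("SafeModeAdminPassword", "Password", "DNSDelegationPassword"):
        if any(value not in ("", "*") for value in get(key)):
            findings.append(("HIGH", f"{key} is stored in clear text"))
    # 2. Password Replication Policy: whose secrets the branch RODC may cache.
    for principal in get("PasswordReplicationAllowed"):
        if principal.split("\\")[-1] in BROAD_GROUPS:
            findings.append(("HIGH", f"{principal} allowed: RODC caches every member's credentials"))
    denied = set(get("PasswordReplicationDenied"))
    for group in sorted(SENSITIVE_BUILTINS - denied):
        findings.append(("MEDIUM", f"{group} missing from PasswordReplicationDenied"))
    # 3. The delegated RODC admin is a local administrator of the RODC; reusing
    #    the account that runs the promotion widens the blast radius of a
    #    compromised branch server.
    if {account_name(d) for d in get("DelegatedAdmin")} & {account_name(u) for u in get("UserName")}:
        findings.append(("MEDIUM", "DelegatedAdmin is the same account used to run dcpromo"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(parse_unattend(SAMPLE)):
        print(f"{severity:6} {message}")
```

Run against the Bakreswar file, which lacks the Domain Users entry, the script reports only the shared DelegatedAdmin finding.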

Process of installation of Active Directory Services started.

Click finish and restart before the changes take effect.

After the restart, the server will require enough time to replicate.

The user creation and deletion options are grayed out on the RODC.

5.2 TOOLS
There are various tools available for monitoring and troubleshooting Active Directory:
1. NTDSUTIL
2. DCDIAG
3. NLTEST
4. NETDIAG
5. DNSLINT
6. ADSIEDIT
7. ADPREP
8. REPADMIN
9. REPLMON
10. RSOP

1.5.3 NTDSUTIL Overview
NTDSUTIL.EXE is a command-line tool that is used to manage Active Directory. This utility is used to perform the following tasks:
1. Performing database maintenance of Active Directory.
2. Managing and controlling operations master roles.
3. Removing metadata left behind by domain controllers.
For how to transfer and seize operations master roles with this tool, please see the following URL: http://support.microsoft.com/kb/255504

Security Account Management (Maintenance) with NTDSUTIL
Let us start gently and check for duplicate SIDs. This experiment is more for gaining experience of the NTDSUTIL interface than the probability of finding any duplicate SIDs. This is what I typed at the command prompt; my commands are in bold:
E:\ntdsutil>ntdsutil
ntdsutil: security account management
Security Account Maintenance: connect to server BigServer
Security Account Maintenance: check duplicate sid

Duplicate SID check completed successfully. Check dupsid.log for any duplicates
Security Account Maintenance:

1.5.4 Reset password for DSRM (Directory Services Restore Mode) with NTDSUTIL
Here is where I challenge you to perform a real task. Once upon a time, when your Windows Server 2003/2008 was first installed, setup asked the installer for a separate directory service restore mode password. 90% of administrators ignored the box or forgot the password. 50% of administrators don't realize that this Directory Services Restore Mode password is different from the normal Administrator password. The two can get out of synch because they are stored in separate databases. Now is your chance to reset the password that will be required if ever you need to restart the server in Active Directory Restore Mode. In many ways this is such an insignificant job; in other ways it saves the frustration of being thwarted by not having the administrative password for this context.
E:\ntdsutil>ntdsutil
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server BigServer
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.
Reset DSRM Administrator Password: quit
ntdsutil: quit
E:\ntdsutil>

1.5.5 ADSIEDIT OVERVIEW
ADSI Edit (Active Directory Services Interface) is the best Windows 2003/2008 Server tool for combining learning with troubleshooting. Nobody wins their Active Directory spurs without knowing where to find ADSI Edit. No-one gets to be a top Windows Server 2003/2008 techie before they have explored the Domain and Configuration partitions with ADSI Edit. In your Windows Active Directory career you will find dozens of occasions where the only cure to your problem is editing the Domain or Configuration partition with ADSI Edit. The number of configuration tasks that require ADSI Edit is on the increase; therefore take the time to install ADSI Edit and explore Active Directory's properties and values. While ADSI Edit is not Microsoft's most difficult tool, you have to be careful as there is no error checking. Without ADSI Edit experience, many TechNet articles will be beyond your skill level. On this page, it is not my intention to cure a specific Windows Server 2003/2008 problem; I merely chose the examples to give you a good grounding in the utility. Incidentally, some call this Microsoft utility adsiedit.

Here you can download this tool: http://www.computerperformance.co.uk/ScriptsGuy/adsi.zip

Example of how to use ADSIEDIT
This example has all the ingredients for learning about ADSI Edit, namely planning, attention to detail and a real-life scenario where there is no other way of configuring the settings. Our mission is to change the first field in Active Directory Users and Computers, the column called 'Name' and not the 'Display Name' or 'Description' column. (Although you could change those too, that would be a separate project.) Our objective is to change the display from: First Name, Last Name to: Last Name, First Name. The above diagram shows the final result. From the outset, let us be clear which field we are changing. Now let us see how we achieve this goal.
1. Launch ADSI Edit and make sure you start at the Configuration container.
2. Next it's CN=Configuration, Display Specifiers. CN=409 means English sort order (not Spanish or Arabic).
3. What we want is the user-Display Properties; the crucial attribute is createDialog (not description).
4. Now it took me four tries before I perfected the string value: %<sn>, %<givenName>

1.5.6 DCDIAG OVERVIEW
DCDiag is one of those command line utilities that you should turn to when you have a Windows Server 2003/2008 problem. You may have guessed that the DC in DCDiag means domain controller. As a source of Active Directory clues, DCDiag comes second only to the Event Logs.
Tasks that can be done with this tool:
1. Resetting the Directory Service Administrator's password.
2. Running down Kerberos authentication problems.
3. Troubleshooting Group Policy.
4. Fixing servers' Service Principal Name (SPN) errors.
5. Investigating Active Directory not replicating, frssysvol error.
6. Preparing to install or migrate to Exchange 2003/2008.
7. Checking FSMO roles.

DCDiag switches
1. /v I have to admit that at first I had no idea that DCDiag had switches. Whilst I should have known that Microsoft would provide switches, I had no idea that there were so many. I will let you into another secret: I have never before known the /v (verbose) to be of any use. My point is that many utilities have this switch and normally I avoid it, but in the case of DCDiag the /v is a little gem, which I use at every opportunity.
2. /s As always, /s specifies the server, or in this case, the Domain Controller.
3. /q From the sublime /v you could go to the ridiculous /q which only reports errors.
4. /fix Fixes Service Principal Name (SPN) problems.

5. /f:logfile.txt Slightly confusing given that there is also a /fix switch. It works like the redirect pipe (> filename.txt). Personally, I copy and paste from the command prompt, but if you are more organized, then use /f:filename to output to a file.
6. /test: Confession time. I just could not get it to filter the dns tests as advertised. I got the /test switch working perfectly with NetDiag. However, I gave up with the /test. I consoled myself that you can always get the information by running the full test and just reading the parts that are of interest.

DCDiag Example using my favorite /v

1.5.7 NETDIAG OVERVIEW
NetDiag provides a master class in testing network availability. When you run NetDiag from the command line it carries out a battery of tests which test your servers' ability to operate successfully. As usual, my goal in this NetDiag tutorial is to show you how to get testing your LAN or WAN network.
Examples of NetDiag
1. Installing Exchange and you wish to check that you can connect to other servers.
2. Computers cannot 'see' their domain controller on the LAN.
3. NetDiag checks that Domain Controllers are all able to 'speak' LDAP.
4. DNS problems.
5. Checking VPN network tunnels on the WAN.
6. You are having problems with IPSEC.
7. Winsock corruption.
8. A quick check on hotfixes, wrong version incompatibilities.

NetDiag switches
1. /v If you need the full report on your network availability, then append this verbose switch to the command. Unlike the /v of other utilities, NetDiag /v really does produce chapter and verse on your network cards and their binding. Check the Network Card Bindings from the command prompt.

2. /Debug This debug switch was disappointing in that it did not produce any more details than those supplied by the /v. Perhaps I would have received extra information if my Windows Server 2003/2008 really had a network connectivity problem.
3. /q When you just need to know if there are any errors, this is the switch for troubleshooting. The /q is the antithesis of the /v and /debug.
4. /test: Unlike DCDiag, NetDiag's test switch worked perfectly.

Example - NetDiag using my favourite /v

1.5.8 REPLMON OVERVIEW

Windows Server 2003/2008 - Replmon Support Tool Utility

Replmon is one of the most exciting tools in the Windows Server 2003/2008 toolkit. What I like about Replmon is the way that it combines business with pleasure and practical with theory. Before I explored Replmon I could not picture how Directory Replication works. The theory of Domain, Forest and Schema partitions comes to life when you can actually see the topology and the links; with Replmon I can see precisely what data is replicated to which partition. I have a tutorial to get you started with Replmon.

Introduction to Directory Replication

Replmon displays information about Active Directory replication. Both Windows 2000 and Windows Server 2003/2008 use the same components, namely the multi-master model, change notification and pull replication. In Windows Server 2003/2008, Microsoft has improved upon Windows 2000 in two ways: reduced latency, and replicating only the attributes which have changed rather than the whole object. Note in passing that as beginners we just focus on one site; however, in a big organization there are likely to be several sites, each with its own ring of linked servers.

Reasons for Using Replmon

1. If you do get replication errors, say when you run DCDiag, Replmon will give you clues why replication is not happening. Sift through Active Directory replication messages and find the last successful synchronization.
2. See what happens when you try and force replication. Does Replmon magically synchronize, or do you get a new, meaningful error message?
3. Should you have the luxury of a large forest, then force the KCC (Knowledge Consistency Checker) to recreate the topology. Replmon will give you an understanding of how the domain controllers are joined by three separate rings.
4. Investigate if there are any complications with Trusts. Examine the trust relationships, within or between forests. In multiple domain configurations you could experiment creating shortcut links.
5. Discover more about the metadata, in particular the attributes of objects. Replmon displays the objects and their correct LDAP syntax. Again I confess a bias, as I need LDAP attributes for my VBScripts.
6. Group Policies can be troublesome because there are two separate replication paths, Active Directory and FRS.
7. Replmon also matches those strange hex-number files which you find under sysvol with the corresponding names of the policies as seen in the GPMC (or Active Directory Users and Computers).

Getting Started with Replmon

Installing Replmon is straightforward. Load the Windows 2003/2008 CD into the caddy, navigate to \support\tools and double click suptools.msi. However, a word of warning: because there are so many .dlls and associated Replmon files, it is best to keep the files in their original locations. Of all of the support tools, Replmon is the fussiest about being run from its default location. A bonus of keeping all the support files in their default folder is that you can type the name of the executable in the Run dialog box and it will execute, because the operating system has learnt the 'Path'. Thus, in this instance, type replmon in the Run dialog box.

First look at the Replication Monitor

Once Replication Monitor executes, click on the Edit menu, choose Add Monitored Server, and connect to the desired Domain Controller. If you have already used Active Directory Sites and Services to manually replicate Active Directory or to check on which servers hold Global Catalogs, then you cannot help noticing the similarities between the interfaces. Now follow your nose: keep looking for more detail by right clicking on any object that you see. Here in Replication Monitor, explore the 4 or 5 Configuration containers. Below is an example of right clicking the Domain Controller object.

Here in Replication Monitor, the word 'Site' reminds us that to begin with we are investigating just the Default-First-Site. Incidentally, in a production network there may be multiple sites.

Let us try another right click. My advice is to begin by right clicking the ServerName object and, from the resulting drop-down menu, selecting 'Show Replication Topologies'. At first it seems as though there is nothing to see (Connection Objects only, still no sign of the replication links), but if you click on the View menu and select 'Show Intra-Site Connections', then all Domain Controllers appear. At this point I pay attention to detail: I remember that Intra means within, whereas Inter is like Inter-City and means between. What you should now see is topology links between all the Domain Controllers. Best of all, this example shows the value of right-clicking on any object that you meet.

Appreciating the Scope of Replmon

Unlike other Windows Server 2003/2008 tools, where you can practice on just one Domain Controller, with Replmon you need two Domain Controllers to see any action. In fact, the more Domain Controllers you add, the more you appreciate the clever ways in which replication functions. As well as viewing how all the domain controllers are linked, if you have a multi-domain forest then you can trace the differences between domain and forest topologies. Theory says that all domain controllers in the forest share the same schema; with Replmon you can actually see the one Schema ring containing every domain controller. Contrast the Schema ring with the domain ring, which has a separate ring topology for each domain.
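Reasons 6 and 7 above point at the two Group Policy replication paths: the groupPolicyContainer object in Active Directory and the {GUID} folder under SYSVOL, each carrying its own version number. The script below is an added example, not code from this document or from Replmon; it relies on the standard GPT.INI layout and the packed user/computer version encoding, and the non-default GUIDs, policy names and GPT.INI contents are constructed sample data standing in for what a script would read from AD and SYSVOL.

```python
"""Added example (not the Wipro/BHEL document's or Replmon's own code).
A GPO is stored twice: as a groupPolicyContainer in AD (replicated by AD) and
as a {GUID} folder under SYSVOL (replicated by FRS). Each copy carries a version
number: low 16 bits count computer-side edits, high 16 bits user-side edits.
If the copies disagree, one replication path is behind or the folder is missing.
"""
import configparser

# Constructed sample: displayName and versionNumber as they would be read from
# each groupPolicyContainer in AD. The first two GUIDs are the well-known
# default policies; the other two are made up for this example.
AD_GPOS = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": ("Default Domain Policy", 65539),
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": ("Default Domain Controllers Policy", 3),
    "{A1B2C3D4-0000-0000-0000-000000000001}": ("Workstation Lockdown (sample)", 196611),
    "{A1B2C3D4-0000-0000-0000-000000000002}": ("Orphaned test GPO (sample)", 1),
}

# Constructed sample: contents of \\<domain>\SYSVOL\<domain>\Policies\{GUID}\GPT.INI.
# The third folder lags AD by one user-side edit; the fourth folder does not exist.
SYSVOL_GPT_INI = {
    "{31B2F340-016D-11D2-945F-00C04FB984F9}": "[General]\nVersion=65539\n",
    "{6AC1786C-016F-11D2-945F-00C04FB984F9}": "[General]\nVersion=3\n",
    "{A1B2C3D4-0000-0000-0000-000000000001}": "[General]\nVersion=131075\n",
}


def split_version(version):
    """Unpack a GPO version number into (user_version, computer_version)."""
    return (version >> 16) & 0xFFFF, version & 0xFFFF


def sysvol_version(gpt_ini_text):
    """Read Version from GPT.INI text; an absent file or key counts as version 0."""
    parser = configparser.ConfigParser()
    parser.read_string(gpt_ini_text)
    return parser.getint("General", "Version", fallback=0)


def find_mismatches(ad_gpos, gpt_inis):
    """Return (name, guid, ad (user, computer), sysvol (user, computer)) for every
    GPO whose AD and SYSVOL versions differ, so each GUID is shown with its name."""
    problems = []
    for guid, (name, ad_version) in ad_gpos.items():
        fs_version = sysvol_version(gpt_inis.get(guid, ""))
        if ad_version != fs_version:
            problems.append((name, guid, split_version(ad_version), split_version(fs_version)))
    return problems


if __name__ == "__main__":
    for name, guid, ad_ver, fs_ver in find_mismatches(AD_GPOS, SYSVOL_GPT_INI):
        print(f"{name} {guid}: AD user/computer={ad_ver} SYSVOL user/computer={fs_ver}")
```

On a live domain the same comparison is done by reading versionNumber from each groupPolicyContainer and the Version key from the matching GPT.INI; a persistent mismatch after both replication paths have converged is what to investigate.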

If you have 5 or more servers in the ring, you may consider right clicking and adding extra links to speed up replication; this is particularly true for Windows 2000 networks, where latency is much longer than in Windows Server 2003/2008.

Active Directory and System State Backup Procedure

Install Windows Command Line Tools in Server 2008 Manager

1. Select Command Line Tools.
2. Click the Install button.
3. Installation begins; wait until Installation Succeeded is shown.
4. Open the Windows Server Backup console.
5. Click the Backup Once option in the right pane.
6. Click Next and select Full Server.
7. Specify the destination.
8. Specify the path on the network.
9. Click Backup; the progress display begins.
10. Backup completed.

Please find below links for the restoration purposes for AD and Full Computer Restore:
http://technet.microsoft.com/en-us/library/cc730683.aspx
http://technet.microsoft.com/en-us/library/cc771045.aspx
http://technet.microsoft.com/en-us/library/cc731835.aspx

End of the Document
==============================================================================