ads dns dhcp raid


Upload: kirubakaran

Post on 08-Apr-2018


Page 1: Ads DNS Dhcp Raid

8/6/2019 Ads DNS Dhcp Raid

http://slidepdf.com/reader/full/ads-dns-dhcp-raid 1/44

Windows Server 2003

Features of Windows 2003

• Multiple selection of directory objects

• Drag and drop functionality

• Efficient search capabilities

• Saved queries

• Install an ADC in an existing domain using backup media

• Universal group membership caching

• Domain and forest functional levels

• Secure LDAP traffic

• Active Directory quotas

• RSOP

• Cross-forest support

• Domain and domain controller renaming

Features of Windows 2008

• The main difference is virtualization (Hyper-V for 64-bit) and the management features in 2008.

• 2008 has more inbuilt components and updated third-party drivers.

• Windows Server 2008 is 45 times faster than Server 2003.

• New power-saving features in 2008.

• Support for IPv6

• IIS 7.0

Difference between PDC & BDC

The PDC holds a writable copy of the SAM database, whereas the BDC holds a read-only copy of the SAM database. It is not possible to reset a password without the PDC in Windows NT, but both can participate in user authentication. If the PDC fails, we have to manually promote the BDC to PDC from Server Manager.

Difference between DC & ADC

There is no difference between a DC and an ADC: both hold a writable copy of AD, and both can hold FSMO roles (if transferred from the DC to the ADC). Functionally there is no difference; an ADC is only required for load balancing and redundancy. If two physical sites separated by a WAN link belong to the same domain, it is better to keep one ADC in the other site to act as the main domain controller for that site. This reduces WAN traffic and improves user authentication performance.

Difference between NT, Windows 2000 and 2003 servers:

Feature                  | Windows NT 4           | Windows 2000                        | Windows 2003
-------------------------|------------------------|-------------------------------------|------------------------------------
Database                 | Flat                   | Hierarchical                        | Hierarchical
File system support      | Does not support FAT32 | Supports FAT32                      | Supports FAT32
Plug and Play            | No                     | Yes                                 | Yes
Multi-master replication | No                     | Yes                                 | Yes
Rename domain or DC name | No                     | No                                  | Yes
Authentication protocols | NTLM                   | NTLM, Kerberos                      | NTLM, Kerberos
Number of objects        | 40,000                 | 1,000,000                           | 1,000,000
DNS                      | Manual update          | Dynamic update (AD-integrated zone) | Dynamic update (AD-integrated zone)

Many more features were introduced in Windows 2000 that are not in Windows NT:

• NTFS v5 supports disk quotas.

• Remote Installation Service

• Built-in VPN & NAT support

• USB support

• Distributed File System | Clustering support | ICS (Internet Connection Sharing)

Active Directory: The Windows-based directory service. It stores information about objects on a network and makes this information available to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides a single point of administration for all network objects.

Active Directory's default authentication protocol is Kerberos version 5, and the default directory access protocol is Lightweight Directory Access Protocol (LDAP) version 3. When you install AD, the NTDS and SYSVOL folders are created.

The NTDS folder contains the AD database in a file named Ntds.dit and the database log files. The default location is %Systemroot%\Ntds.

The SYSVOL folder contains Group Policies and scripts. The default location is %Systemroot%\Sysvol.

Verify an Active Directory Installation:

• Open Active Directory Users and Computers and verify that the Computers, Users and Foreign Security Principals containers and the Domain Controllers OU appear.

• Open Active Directory Sites and Services and verify that Default-First-Site-Name appears.

• Verify that NTDS.dit, the Active Directory database, is present in the %Systemroot%\NTDS folder.

• Verify that the Global Catalog is enabled.

• Check that the computer role is 'Primary' or 'Backup' by using the command Net Accounts.

• Check that the SYSVOL folder is shared by using the command Net Share.

• Check the SRV records in the DNS console.
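The same checks, scripted. This is an added example (not from these notes) that automates the verification list above from PowerShell; it assumes it runs on the domain controller being verified, on Windows Server 2012 or later so that the ActiveDirectory, SmbShare and DnsClient cmdlets are available. The function name is the example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original notes: automates the "Verify an Active
# Directory Installation" list. Run it on the DC being verified.
function Test-AdInstallation {
    $domain = Get-ADDomain
    $checks = [ordered]@{}

    # NTDS.dit in its default folder, and the SYSVOL/NETLOGON shares ("net share")
    $checks['NTDS.dit present'] = Test-Path (Join-Path $env:SystemRoot 'NTDS\ntds.dit')
    $checks['SYSVOL shared']    = [bool](Get-SmbShare -Name 'SYSVOL'   -ErrorAction SilentlyContinue)
    $checks['NETLOGON shared']  = [bool](Get-SmbShare -Name 'NETLOGON' -ErrorAction SilentlyContinue)

    # "net accounts" prints the computer role: PRIMARY or BACKUP on a domain controller
    $roleLine = net accounts | Where-Object { $_ -match '^Computer role' } | Select-Object -First 1
    $checks['Computer role'] = if ($roleLine) { ($roleLine -split ':', 2)[1].Trim() } else { 'unknown' }

    # Default containers and the Domain Controllers OU shown in AD Users and Computers
    $containers = @($domain.UsersContainer, $domain.ComputersContainer,
                    $domain.ForeignSecurityPrincipalsContainer, $domain.DomainControllersContainer)
    $missing = @($containers | Where-Object { -not (Get-ADObject -Identity $_ -ErrorAction SilentlyContinue) })
    $checks['Default containers present'] = $missing.Count -eq 0

    # At least one site in AD Sites and Services (Default-First-Site-Name unless renamed)
    $checks['Site present'] = [bool](Get-ADReplicationSite -Filter * | Select-Object -First 1)

    # Global Catalog enabled on this DC
    $checks['Global Catalog'] = (Get-ADDomainController -Identity $env:COMPUTERNAME).IsGlobalCatalog

    # SRV records that clients use to locate a DC and a KDC (what the DNS console shows)
    foreach ($name in "_ldap._tcp.dc._msdcs.$($domain.DNSRoot)", "_kerberos._tcp.$($domain.DNSRoot)") {
        $srv = Resolve-DnsName -Name $name -Type SRV -ErrorAction SilentlyContinue |
               Where-Object { $_.QueryType -eq 'SRV' }
        $checks["SRV $name"] = [bool]$srv
    }
    [pscustomobject]$checks
}

Test-AdInstallation | Format-List
```

A false in any row points at the corresponding manual check above; a missing SRV record in particular means clients cannot locate this DC even though AD itself is installed.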

The physical components of Active Directory are sites and domain controllers.

The logical components of Active Directory are domains, OUs, trees, and forests.

A Domain is a collection of computer, user, and group objects defined by the administrator. These objects share a common directory database, security policies, and security relationships with other domains.

A Domain Controller is a computer running Windows Server 2003 that stores a replica of the domain directory (local domain database). A domain controller can service only one domain. A domain controller also authenticates user logon attempts and maintains the security policy for a domain.

An OU is a container used to organize objects within a domain into a logical administrative group. The primary reason for defining an OU is to delegate administration.

A Tree is a grouping or hierarchical arrangement of one or more domains that you create by adding one or more child domains to an existing parent domain.

A Forest is a grouping or hierarchical arrangement of one or more separate, completely independent domain trees.

Recommended: 1 gigabyte (GB) of space to install Active Directory; a minimum of 200 megabytes (MB) of disk space for the Active Directory database and 50 MB for the log files.

NSLOOKUP – the command-line utility for verifying DNS.

Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to specify the behavior of users' desktops.

The Network Connectivity Tester (Netdiag) is a command-line diagnostic tool that helps isolate networking and connectivity problems by performing a series of tests to determine the state of a network client.

The Domain Controller Diagnostic tool (Dcdiag) is a command-line diagnostic tool that analyzes the state of domain controllers in a forest or enterprise and reports any problems.

The Active Directory diagnostic tool (Ntdsutil) is a command-line tool that provides management facilities for Active Directory.

The Resultant Set of Policy (RSoP) is provided to make policy implementation and troubleshooting easier.

The distinguished name (DN) uniquely identifies the object and contains the name of the domain that holds the object, as well as the complete path through the container hierarchy to the object.

The relative distinguished name (RDN) is the part of an object's DN that is an attribute of the object itself.

The globally unique identifier (GUID) is a 128-bit hexadecimal number that is guaranteed to be unique within the enterprise.

The user principal name (UPN) consists of a user account name and a domain name identifying the domain in which the user account is located.

File Transfer Protocol (FTP) is a standard way to transfer files between computers. The method has built-in error checking.

TELNET is a terminal emulation that enables a user to connect to a remote host or device using a telnet client. Telnet is considered insecure because it transfers all data in clear text.

The port numbers are divided into three ranges:

The Well Known Ports are those from 0 through 1023.

The Registered Ports are those from 1024 through 49151.

The Dynamic and/or Private Ports are those from 49152 through 65535.

The De-Militarized Zone (DMZ) prevents users outside a local or wide area network from obtaining access to company data that is only for internal use and prevents access to all other internal services.

Master Boot Record (MBR) is the first sector of the computer hard disk drive, used to determine from which partition a computer will boot. The MBR tells the computer where to find and how to load the operating system.

Lmhosts: A local hosts file used by Microsoft WINS clients such as Microsoft Windows 98 or Windows NT to provide mappings of IP addresses to NT computer names (NetBIOS names). The lmhosts file is located in the Windows\System32\drivers\etc directory (WinXP, Win98), or Winnt\System32\drivers\etc (W2k, W2k3).

A global catalog server is a domain controller; it is a master searchable database that contains information about every object in every domain in a forest. The global catalog contains a complete replica of all objects in Active Directory for its host domain, and a partial replica of all objects in Active Directory for every other domain in the forest.

It has two important functions:

o Provides group membership information during logon and authentication.

o Helps users to locate resources in Active Directory.

By default, the first DC in the first domain in the first tree in the AD forest (the root domain) will be configured as the GC.

o Every forest requires at least one Global Catalog server. If a Global Catalog server is not available, then nobody will be able to log into the domain except for the Administrator.

Port No.    | Protocol
------------|-----------------------------------------------------
88          | Kerberos
389         | Lightweight Directory Access Protocol [LDAP]
443         | SSL (Secure Socket Layer)
143         | IMAP4
53          | Domain Name System [DNS]
546         | Dynamic Host Configuration Protocol [DHCPv6 client]
547         | Dynamic Host Configuration Protocol [DHCPv6 server]
20, 21      | File Transfer Protocol [FTP]
80          | Hypertext Transfer Protocol [HTTP]
110         | Post Office Protocol [POP]
25          | Simple Mail Transfer Protocol [SMTP]
23          | Telnet
3389        | RDP
3268 & 3269 | Global Catalog lookup


o A GC server improves directory queries, supports logon, and provides data for applications such as Exchange Server.

o Microsoft documentation suggests placing a Global Catalog server in each site. Port 3268 (Global Catalog lookup port).

o If a site does not contain a GC server, configure Universal Group membership caching to reduce user logons being denied.

o If the GC is not available, UGMC is not available. If the user has logged on previously on his computer, he logs on using cached credentials but cannot access network resources.

To configure a Windows 2003 Domain Controller as a GC server, perform the following steps:

1. From the Start menu, select Programs, Administrative Tools, Active Directory Sites and Services Manager.

2. Select the Sites branch.

3. Select the site that owns the server, and expand the Servers branch.

4. Select the server you want to configure.

5. Right-click NTDS Settings and select Properties.

6. Select or clear the Global Catalog Server checkbox.

7. Click Apply, OK.

You must allow for the GC to replicate itself throughout the forest. This process might take anywhere from 10-15 minutes to several days, depending on the AD infrastructure.

Domain Functional Level: It provides a way to enable domain-wide Active Directory features within your network environment.

Four domain functional levels are available: Windows 2000 mixed (default), Windows 2000 native, Windows Server 2003 interim, and Windows Server 2003.

• The Windows 2000 mixed functional level allows a Windows 2K3 DC to interact with domain controllers in the same domain running Windows NT 4, Windows 2000, or the Windows Server 2003 family.


• The Windows 2000 native functional level allows a W2K3 DC to interact with domain controllers in the domain running Windows 2000 or Windows Server 2003.

• The Windows Server 2003 interim functional level allows a W2K3 DC to interact with domain controllers in the domain running Windows NT 4 or Windows Server 2003.

• The Windows Server 2003 functional level allows a W2K3 DC to interact only with domain controllers in the domain running Windows Server 2003.

The change in domain functional level is one-way only; you cannot change from the Windows 2000 native or W2K3 functional level back to the Windows 2000 mixed or W2K3 interim functional level.

To change the domain functional level to Windows 2000 native or Windows Server 2003, complete the following steps:

1. Click Start, select Administrative Tools, and then click Active Directory Domains and Trusts.

2. Right-click the domain and then click Raise Domain Functional Level.

3. On the Raise Domain Functional Level dialog box, in the Select an Available Domain Functional Level list, select the domain functionality you want. Click Raise.

4. In the Raise Domain Functional Level message box, click OK.

Forest Functional Level: It provides a way to enable forest-wide Active Directory features within your network environment.

Three forest functional levels are available: Windows 2000 (default), Windows Server 2003 interim, and Windows Server 2003.

• The Windows 2000 functional level allows a W2K3 DC to interact with domain controllers in the domain running Windows NT 4, Windows 2000, or Windows Server 2003.

• The Windows Server 2003 interim functional level allows a W2K3 DC to interact with domain controllers in the domain running Windows NT 4 or Windows Server 2003.

• The Windows Server 2003 functional level allows a W2K3 DC to interact only with domain controllers in the domain running Windows Server 2003.

To change the forest functional level to Windows Server 2003, complete the following steps:

1. Click Start, select Administrative Tools, and then click Active Directory Domains and Trusts.

2. Right-click the Active Directory Domains and Trusts node and then click Raise Forest Functional Level.

3. On the Raise Forest Functional Level dialog box, click Raise, and then click OK.

Forest characteristics:

• All domains in a forest share a common schema and a common global catalog.

• All domains in a forest are linked by implicit two-way transitive trusts.


• Trees in a forest have different naming structures, according to their domains.

• Domains in a forest operate independently, but the forest enables communication across the entire organization.

Backup: A duplicate copy of a program, a disk, or data.

Backup types: A type that determines which data is backed up and how it is backed up.

There are five backup types: Copy, Daily, Differential, Incremental and Normal.

Copy backup: A backup that copies all selected files but does not mark each file as having been backed up (in other words, the archive attribute is not cleared). Copying is useful if you want to back up files between normal and incremental backups because copying does not affect these other backup operations.

Daily backup: A backup that copies all selected files that have been modified the day the daily backup is performed. The backed-up files are not marked as having been backed up (in other words, the archive attribute is not cleared).

Differential backup: A backup that copies files created or changed since the last normal or incremental backup. It does not mark files as having been backed up (in other words, the archive attribute is not cleared). If you are performing a combination of normal and differential backups, restoring files and folders requires that you have the last normal as well as the last differential backup.

Incremental backup: A backup that copies only those files created or changed since the last normal or incremental backup. It marks files as having been backed up (in other words, the archive attribute is cleared). If you use a combination of normal and incremental backups to restore your data, you will need to have the last normal backup and all incremental backup sets.

Normal backup: A backup that copies all selected files and marks each file as having been backed up (in other words, the archive attribute is cleared). With normal backups, you need only the most recent copy of the backup file or tape to restore all of the files. You usually perform a normal backup the first time you create a backup set.
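The archive-attribute behaviour of the five backup types, demonstrated on real files. This is an added example (not from these notes): it creates three constructed files in a temporary folder on an NTFS volume, runs the backup types above in sequence and reports which files each one would select, using the actual NTFS archive attribute to decide. The function names and the sequence of edits are the example's own.

```powershell
# Added example, not from the original notes. Exercises the five backup types
# from these notes on constructed files, using the real NTFS archive attribute.
$root = Join-Path $env:TEMP ('backupdemo_' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $root | Out-Null

function Test-Archive([IO.FileInfo]$File) {
    # True when the archive attribute is set: the file is new or changed
    # since a normal or incremental backup last cleared it
    ([int]$File.Attributes -band [int][IO.FileAttributes]::Archive) -ne 0
}

function Invoke-Backup {
    param(
        [string]$Path,
        [ValidateSet('Normal', 'Copy', 'Daily', 'Differential', 'Incremental')]
        [string]$Type
    )
    $all = @(Get-ChildItem -Path $Path -File)
    $selected = @(switch ($Type) {
        'Normal'       { $all }                                         # all selected files
        'Copy'         { $all }                                         # all selected files
        'Daily'        { $all | Where-Object { $_.LastWriteTime.Date -eq (Get-Date).Date } }
        'Differential' { $all | Where-Object { Test-Archive $_ } }      # changed since last normal/incremental
        'Incremental'  { $all | Where-Object { Test-Archive $_ } }      # same selection, different marking
    })
    # Only Normal and Incremental mark files as backed up (clear the archive attribute)
    if ($Type -in 'Normal', 'Incremental') {
        foreach ($f in $selected) {
            $f.Attributes = [IO.FileAttributes]([int]$f.Attributes -band (-bnot [int][IO.FileAttributes]::Archive))
        }
    }
    [pscustomobject]@{ Type = $Type; Files = (@($selected.Name) | Sort-Object) -join ' ' }
}

# Constructed scenario: three files, a normal backup, then edits and partial backups
'a', 'b', 'c' | ForEach-Object { Set-Content -Path (Join-Path $root "$_.txt") -Value 'v1' }
$log = @()
$log += Invoke-Backup -Path $root -Type Normal            # a b c; clears the attribute
Set-Content -Path (Join-Path $root 'a.txt') -Value 'v2'   # a modified; attribute set again
$log += Invoke-Backup -Path $root -Type Differential      # a; attribute kept
Set-Content -Path (Join-Path $root 'b.txt') -Value 'v2'
$log += Invoke-Backup -Path $root -Type Differential      # a b; cumulative since the normal backup
$log += Invoke-Backup -Path $root -Type Incremental       # a b; clears the attribute
Set-Content -Path (Join-Path $root 'c.txt') -Value 'v2'
$log += Invoke-Backup -Path $root -Type Copy              # a b c; attribute untouched
$log += Invoke-Backup -Path $root -Type Incremental       # c only: the Copy backup changed nothing
$log | Format-Table -AutoSize

Remove-Item -Path $root -Recurse -Force
```

The printed sequence shows why a restore from this run needs the Normal set plus both Incremental sets, while the Differential and Copy sets could be discarded without loss.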

For Windows Server 2003, the system state data comprises the:

• Registry

• COM+ Class Registration database

• System boot files

• Files under Windows File Protection

• Certificate Services database (if the server is a certificate server)

• Active Directory and the Sysvol directory (if the server is a domain controller)

To restore the system state data on a domain controller, you must first start your computer in a special safe mode called directory services restore mode. This allows you to restore the Sysvol directory and the Active Directory directory services database.

The default method of restoring the system state data to a domain controller is nonauthoritative.

Non-authoritative Restore: A restore operation performed on an Active Directory domain controller in which the objects in the restored directory are not treated as authoritative. The restored objects are updated with changes held on other domain controllers in the domain.

Authoritative Restore: A type of restore operation performed on an Active Directory domain controller in which the objects in the restored directory are treated as authoritative, replacing (through replication) all existing copies of those objects.

To non-authoritatively restore Active Directory, complete the following steps:

1. Restart the computer.

2. During the phase of startup where the operating system is normally selected, press F8.

3. On the Windows Advanced Options Menu, select Directory Services Restore Mode and press Enter. This ensures that the domain controller is offline and is not connected to the network.

5. Log on to your domain as Administrator.

o Note: When you restart the computer in directory services restore mode, you must log on as an Administrator by using a valid Security Accounts Manager (SAM) account name and password, not the Active Directory Administrator's name and password. This is because Active Directory is offline, and account verification cannot occur. Rather, the SAM accounts database is used to control access to Active Directory while it is offline. You specified this password when you set up Active Directory.

6. In the Desktop message box that warns you that Windows is running in safe mode, click OK.

7. Point to Start, All Programs, Accessories, System Tools, and then select Backup.

8. On the Welcome to the Backup or Restore Wizard page, click Next.

9. On the Backup or Restore page, select Restore Files and Settings. Click Next.

10. On the What to Restore page, expand the media type that contains the data that you want to restore in the Items to Restore box, or click Browse. The media can be either tape or file. Expand the appropriate media set until the data that you want to restore is visible. Select the data you want to restore, such as system state, and then click Next.

11. Ensure that the media containing the backup file is in the correct location.

12. On the Completing The Backup Or Restore Wizard page, do one of the following:

o Click Finish to start the restore process. The Backup Or Restore Wizard requests verification for the source of the restore data and then performs the restore. During the restore, the Backup Or Restore Wizard displays status information about the restore.

o Click Advanced to specify advanced restore options. Refer to the next section, "Specifying Advanced Restore Settings for a Nonauthoritative Restore", for details.

13. In the Warning message box that warns you that restoring system state will always overwrite current system state, click OK.


14. The Restore Progress dialog box displays status information about the restore process. As with the backup process, when the restore is complete, you can choose to view the report of the restore. The report contains information about the restore, such as the number of files that have been restored and the duration of the restore process.

15. Close the report when you have finished viewing it and then click Close to close the restore operation.

16. When prompted to restart the computer, click Yes.

Performing an Authoritative Restore

An authoritative restore occurs after a nonauthoritative restore and designates the entire directory, a subtree, or individual objects to be recognized as authoritative with respect to replica domain controllers in the forest. The Ntdsutil utility allows you to mark objects as authoritative so that they are propagated through replication, thereby updating existing copies of those objects throughout the forest.

To authoritatively restore Active Directory, complete the following steps:

1. Perform a nonauthoritative restore as described previously.

2. Restart the computer.

3. During the phase of startup where the operating system is normally selected, press F8.

4. On the Windows Advanced Startup Options Menu, select Directory Services Restore Mode and press Enter. This ensures that the domain controller is offline and is not connected to the network.

6. Log on as Administrator.

7. In the Desktop message box that warns you that Windows is running in safe mode, click OK.

8. Point to Start, and then select Command Prompt.

9. At the command prompt, type ntdsutil and press Enter.

10. At the Ntdsutil prompt, type authoritative restore and press Enter.

11. At the authoritative restore prompt, do the following:

o To authoritatively restore the entire directory, type restore database and press Enter.

o To authoritatively restore a portion or subtree of the directory, such as an OU, use the OU's distinguished name: type restore subtree subtree_distinguished_name and press Enter.

For example, to restore the Security1 OU in the microsoft.com domain, the commands would be:

    ntdsutil
    authoritative restore
    restore subtree OU=Security1,DC=microsoft,DC=com

12. Type quit and press Enter to exit the Ntdsutil utility and close the Command Prompt window. Replication also propagates the authoritatively restored object(s) to other domain controllers in the forest. The deleted objects that were marked as authoritative are replicated from the restored domain controller to the additional domain controllers. Because the objects that are restored have the same object globally unique identifier (GUID) and object SID, security remains intact, and object dependencies are maintained.

13. Restart the domain controller in normal mode and connect the restored domain controller to the network. When the restored domain controller is online and connected to the network, normal replication brings the restored domain controller

-------------------------------------------------------------------------------------------------------------------------------------

A security principal is a user, group, computer, or service that is assigned a unique security identifier (SID).

To rename a domain controller:

1. Click Start, and then click Command Prompt.

2. At the command prompt, type: netdom computername CurrentComputerName /add:NewComputerName

3. Wait for the replication latency time interval to ensure replication of the registered DNS host (A) resource record(s) to all authoritative DNS servers.

4. At the command prompt, type: netdom computername CurrentComputerName /makeprimary:NewComputerName

5. Restart the computer.

6. Wait for the replication of the domain controller locator resource records to occur on all authoritative DNS servers. These records are registered by the domain controller after the renamed domain controller has been restarted and contain the new computer name. The records that are registered are available on the domain controller in the %Systemroot%\System32\Config\Netlogon.dns file.

7. To ensure that the domain controller has been successfully renamed, make the following checks:

o Click Start, point to Control Panel, and then click System. On the Computer Name tab, verify that the correct name appears after Full Computer Name. Click Cancel.

o Click Start, and then click Command Prompt. At the command prompt, validate the names that the computer is currently configured with by typing: netdom computername NewComputerName /enumerate. Note that the domain controller has two names.

8. At the command prompt, type: netdom computername NewComputerName /remove:OldComputerName. This action removes the old domain controller name.
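The check behind step 3, scripted. This is an added example (not from these notes) that asks every authoritative DNS server for the domain (its NS records) directly whether the new name's host (A) record has arrived, so the /makeprimary step in step 4 is only run once replication has completed. The function name and the placeholder computer and domain names are the example's own; it assumes the DnsClient module (Windows 8 / Server 2012 or later).

```powershell
# Added example, not from the original notes. Confirms that the A record
# registered in step 2 has replicated to every authoritative DNS server.
function Test-DcRenameDnsReplication {
    param(
        [Parameter(Mandatory)][string]$NewComputerName,
        [Parameter(Mandatory)][string]$DnsDomain
    )
    $fqdn = "$NewComputerName.$DnsDomain"

    # Authoritative servers for the zone; NameHost carries the server name of each NS record
    $nameServers = Resolve-DnsName -Name $DnsDomain -Type NS -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'NS' } |
        ForEach-Object { $_.NameHost }

    # Ask each server directly; -DnsOnly bypasses the local cache, LLMNR and NetBIOS
    $report = foreach ($ns in $nameServers) {
        $answer = Resolve-DnsName -Name $fqdn -Type A -Server $ns -DnsOnly -ErrorAction SilentlyContinue
        [pscustomobject]@{
            NameServer = $ns
            HasRecord  = [bool]$answer
            Addresses  = (@($answer | Where-Object { $_.QueryType -eq 'A' } | ForEach-Object { $_.IPAddress })) -join ', '
        }
    }
    $report | Format-Table -AutoSize | Out-String | Write-Host

    # Step 4 (/makeprimary) is safe only when every authoritative server answers
    $notYet = @($report | Where-Object { -not $_.HasRecord })
    if ($notYet.Count -eq 0) {
        "A record for $fqdn is present on all $(@($report).Count) authoritative servers"
    } else {
        "Not replicated to $($notYet.NameServer -join ', ') yet; wait before running netdom /makeprimary"
    }
}

# Placeholder names: replace with the new DC name and your AD DNS domain
Test-DcRenameDnsReplication -NewComputerName 'NEWDC01' -DnsDomain 'corp.example.test'
```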


Flexible Single Master Operation (FSMO) Roles:

In a forest, there are at least five FSMO roles that are assigned to one or more domain controllers. The five FSMO roles are:

Forest-specific roles

Schema Master [Schema snap-in]
Controls all updates and modifications to the schema.
Role failed: can't modify the schema and can't raise the forest functional level.
Availability: it can remain offline indefinitely until schema changes are necessary.
** It can't be transferred back to the original master after having been seized; the original master must be decommissioned.
Placement: for simpler management, the Schema and Domain Naming masters can be on the same machine, which should also be a GC.

Domain Naming Master [AD Domains and Trusts snap-in]
Controls the addition or removal of domains, and promoting or demoting DCs.
Role failed: can't add or remove a domain and can't promote or demote a DC.
Availability: it can remain offline indefinitely until the above is needed.
** It can't be transferred back to the original master after having been seized; the original master must be decommissioned.

Domain-specific roles

RID Master [AD Users & Computers snap-in]
Responsible for processing RID pool requests from all DCs in a particular domain.
Role failed: can't create new users or groups.
Availability: without this role, users and groups can still be created as long as each DC still has the sizable pool of RIDs it received from the RID Master.
** It can't be transferred back to the original master after having been seized; the original master must be decommissioned.
Placement: the PDC and RID masters should be on the same machine, because the PDC is a large consumer of RIDs.

PDC Emulator [AD Users & Computers snap-in]
It emulates the functions of a Windows NT 4.0 PDC. It is the root time server for synchronizing the clocks of all Windows computers in the forest. It is also the Domain Master Browser, and it handles password discrepancies.
Role failed: users can't log on, can't change passwords, account lockout does not work, and the domain functional level can't be raised.
Availability: the most immediate impact on normal operation and on users if it becomes unavailable.
** It can be transferred back to the original master after having been seized.
** Any time a user enters an incorrect password, the authentication is forwarded to the PDC Emulator for a second opinion.

Infrastructure Master [AD Users & Computers snap-in]
Responsible for updating references from objects in its domain to objects in other domains.
Role failed: problems with universal group membership.
Availability: failure is noticeable to administrators, not to users.
** It can be transferred back to the original master after having been seized.
** Responsible for updating the names of group members from other domains.
Placement: this role should not be placed on a GC. It is OK to put it on a GC if the forest has only one domain or if every DC in the forest is a GC.

Schema - The set of definitions for the universe of objects that can be stored in a directory.

Netdom Query FSMO - Command-line utility that verifies the FSMO roles.

Purpose of distributing FSMO roles: To reduce single points of failure and improve performance.

Recognizing Operations Master failures:

1. Examining the directory service event log.

2. Performing a function managed by the master, and the function fails.
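A PowerShell equivalent of Netdom Query FSMO that also checks that each role holder answers on the network and compares the placement against the guidance in the FSMO table above. This is an added example (not from these notes); it assumes the ActiveDirectory module (RSAT) and read access to the forest, and the function name is the example's own.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the original notes. Lists the five FSMO role holders,
# checks they are reachable, and applies the placement guidance from the table.
function Get-FsmoPlacementReport {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    $roles = [ordered]@{
        'Schema master'         = $forest.SchemaMaster
        'Domain naming master'  = $forest.DomainNamingMaster
        'PDC emulator'          = $domain.PDCEmulator
        'RID master'            = $domain.RIDMaster
        'Infrastructure master' = $domain.InfrastructureMaster
    }

    # Role holders and whether each answers (an unreachable holder is the first sign of a failed role)
    foreach ($r in $roles.GetEnumerator()) {
        $ok = Test-Connection -ComputerName $r.Value -Count 1 -Quiet
        '{0,-22} {1,-40} reachable: {2}' -f $r.Key, $r.Value, $ok
    }

    # Every DC in the forest, with its GC flag, for the placement rules
    $dcs     = @(foreach ($d in $forest.Domains) { Get-ADDomainController -Filter * -Server $d })
    $gcNames = @($dcs | Where-Object { $_.IsGlobalCatalog } | ForEach-Object { $_.HostName })

    $findings = @()
    if ($roles['Schema master'] -ne $roles['Domain naming master']) {
        $findings += 'Schema master and Domain naming master are on different machines.'
    }
    if ($gcNames -notcontains $roles['Domain naming master']) {
        $findings += 'Domain naming master is not a Global Catalog.'
    }
    if ($roles['PDC emulator'] -ne $roles['RID master']) {
        $findings += 'PDC emulator and RID master are on different machines (PDC is a large RID consumer).'
    }
    # Infrastructure master on a GC is acceptable only in a single-domain forest
    # or when every DC in the forest is a GC
    $everyDcIsGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $singleDomain = @($forest.Domains).Count -eq 1
    if (($gcNames -contains $roles['Infrastructure master']) -and -not ($everyDcIsGc -or $singleDomain)) {
        $findings += 'Infrastructure master is on a GC in a multi-domain forest where not every DC is a GC.'
    }

    if ($findings.Count -eq 0) { 'FSMO placement matches the guidance in the notes.' } else { $findings }
}

Get-FsmoPlacementReport
```

The placement checks report only the current domain's three domain-specific roles; run it once per domain in a multi-domain forest.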

Transfer the Schema Master Role

Use the Active Directory Schema snap-in to transfer the schema master role. Before you can use this snap-in, you must register the Schmmgmt.dll file.

Register Schmmgmt.dll

1. Click Start, and then click Run.

2. Type regsvr32 schmmgmt.dll in the Open box, and then click OK.

3. Click OK when you receive the message that the operation succeeded.

Transfer the Schema Master Role

1. Click Start, click Run, type mmc in the Open box, and then click OK.

2. On the File menu, click Add/Remove Snap-in.

3. Click Add.

4. Click Active Directory Schema, click Add, click Close, and then click OK.

5. In the console tree, right-click Active Directory Schema, and then click Change Domain Controller.

6. Click Specify Name, type the name of the domain controller that will be the new role holder, and then click OK.

7. In the console tree, right-click Active Directory Schema, and then click Operations Master.

8. Click Change.

9. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the Domain Naming Master Role

1. Click Start, point to Administrative Tools, and then click Active Directory Domains and Trusts.

2. Right-click Active Directory Domains and Trusts, and then click Connect to Domain Controller.

3. Do one of the following:

• In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

-or-

• In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.

4. In the console tree, right-click Active Directory Domains and Trusts, and then click Operations Master.

5. Click Change.

6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer the RID Master, PDC Emulator, and Infrastructure Master Roles

1. Click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

2. Right-click Active Directory Users and Computers, and then click Connect to Domain Controller.

3. Do one of the following:

• In the Enter the name of another domain controller box, type the name of the domain controller that will be the new role holder, and then click OK.

-or-

• In the Or, select an available domain controller list, click the domain controller that will be the new role holder, and then click OK.

4. In the console tree, right-click Active Directory Users and Computers, point to All Tasks, and then click Operations Master.

5. Click the appropriate tab for the role that you want to transfer (RID, PDC, or Infrastructure), and then click Change.

6. Click OK to confirm that you want to transfer the role, and then click Close.

Transfer or Seize the FSMO roles:

To transfer or seize the FSMO roles by using the Ntdsutil utility, follow these steps:

1. Log on to the domain controller that you are assigning FSMO roles to. The logged-on user should be a member of the Enterprise Administrators group to transfer the Schema master or Domain naming master roles, or a member of the Domain Administrators group of the domain where the PDC emulator, RID master and Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
   Note: To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role (or seize role), where role is the role that you want to transfer. For a list of roles that you can transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start of this article. For example, to transfer the RID master role, type transfer rid master. The one exception is the PDC emulator role, whose syntax is transfer pdc, not transfer pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to return to the ntdsutil prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

-------------------------------------------------------------------------------------------------------------------

A trust is a logical relationship established between domains to allow pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain.

Trust Types

o Tree-root trust: Implicitly (automatically) established when you add a new tree root domain to a forest. The trust is transitive and two-way.

o Parent-child trust: Implicitly (automatically) established when you add a new child domain to a tree. The trust is transitive and two-way.

o Shortcut trust: Explicitly (manually) created by a systems administrator between two domains in a forest to improve user logon times. The trust is transitive and can be one- or two-way. A shortcut trust may also be referred to as a cross-link trust.

o Realm trust: Explicitly (manually) created by a systems administrator between a non-Windows Kerberos realm and a Windows Server 2003 domain. This trust provides interoperability between Windows Server 2003 and any realm used in Kerberos version 5 implementations. It can be transitive or nontransitive and one- or two-way.

o External trust: Explicitly (manually) created by a systems administrator between Windows Server 2003 domains that are in different forests or between a Windows Server 2003 domain and a domain whose domain controller is running Windows NT 4 or earlier. This trust provides backward compatibility with Windows NT environments. The trust is nontransitive and can be one- or two-way.

o Forest trust: Explicitly (manually) created by a systems administrator between two forest root domains. If a forest trust is two-way, it effectively allows all authentication requests made from one forest to reach another. The trust is transitive between two forests only and can be one- or two-way.
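The trust types above differ in direction and transitivity, and those two properties decide whether a logon from one domain is honored by another. The following is an added example, not part of the original notes, that models trusts as directed edges from the trusting domain to the trusted domain and searches for a usable pass-through authentication path using the rules stated above: a direct trust of any type works, a multi-hop path needs every hop to be transitive, and a forest trust is transitive between two forests only, so a path crosses at most one forest trust. The domain names and forest layout are constructed sample data.

```python
"""Pass-through authentication across Active Directory trusts (added model).

Added illustration, not from the original notes. A Trust edge goes from the
trusting domain (resource side) to the trusted domain (account side).
Domain names and the forest layout are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Trust:
    trusting: str      # domain that honours the logon
    trusted: str       # domain whose accounts are accepted
    kind: str          # tree-root, parent-child, shortcut, realm, external, forest
    transitive: bool


def add_trust(trusts, a, b, kind, transitive, two_way=True):
    trusts.append(Trust(a, b, kind, transitive))
    if two_way:
        trusts.append(Trust(b, a, kind, transitive))


def build_sample_trusts():
    """Constructed layout: contoso forest (root + child), fabrikam forest
    (root + child), a third forest, and a one-way external trust to an
    NT4-style domain."""
    t = []
    add_trust(t, "contoso.com", "corp.contoso.com", "parent-child", True)
    add_trust(t, "contoso.com", "fabrikam.com", "forest", True)
    add_trust(t, "fabrikam.com", "sales.fabrikam.com", "parent-child", True)
    add_trust(t, "fabrikam.com", "northwind.com", "forest", True)
    # External trust: nontransitive, one-way (contoso trusts LEGACYNT only).
    add_trust(t, "contoso.com", "LEGACYNT", "external", False, two_way=False)
    return t


def trust_path(trusts, resource_domain, account_domain):
    """Return the trusts that let resource_domain honour a logon from
    account_domain, or None when no valid path exists."""
    if resource_domain == account_domain:
        return []
    by_trusting = {}
    for tr in trusts:
        by_trusting.setdefault(tr.trusting, []).append(tr)
    # A direct trust of any type (transitive or not) is always usable.
    for tr in by_trusting.get(resource_domain, []):
        if tr.trusted == account_domain:
            return [tr]
    # Multi-hop: breadth-first search over transitive edges only, tracking
    # how many forest trusts the path has crossed (at most one allowed).
    queue = deque([(resource_domain, 0, [])])
    seen = {(resource_domain, 0)}
    while queue:
        dom, forest_hops, path = queue.popleft()
        for tr in by_trusting.get(dom, []):
            if not tr.transitive:
                continue          # nontransitive trusts never chain
            hops = forest_hops + (1 if tr.kind == "forest" else 0)
            if hops > 1:
                continue          # forest trusts do not extend to a third forest
            new_path = path + [tr]
            if tr.trusted == account_domain:
                return new_path
            if (tr.trusted, hops) not in seen:
                seen.add((tr.trusted, hops))
                queue.append((tr.trusted, hops, new_path))
    return None


def can_authenticate(trusts, resource_domain, account_domain):
    """True when resource_domain honours logons from account_domain."""
    return trust_path(trusts, resource_domain, account_domain) is not None
```

With the sample layout, an account from sales.fabrikam.com reaches a resource in corp.contoso.com through three transitive hops (child to root, forest trust, root to child), while the nontransitive external trust lets only contoso.com itself, not its child domain, accept LEGACYNT accounts.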


A site is a set of IP subnets connected by a highly reliable and fast link, usually a LAN.

The main purpose of a site is to physically group computers to optimize network traffic.

For optimum network response time and application availability, place at least one domain controller in each site or two domain controllers in each domain.

Use the Active Directory Sites and Services console to configure sites.

The two main roles of Sites:

o To facilitate authentication, by determining the nearest domain controller when a user logs on from a workstation

o To facilitate the replication of data between sites

Replication ensures that changes to a domain controller are reflected in all domain controllers within a domain. Directory information is replicated to domain controllers both within and among sites.

Multimaster replication is a replication model in which any domain controller accepts and replicates directory changes to any other domain controller. Because multiple domain controllers are employed, replication continues, even if any single domain controller stops working.

Active Directory replicates information in two ways: Intrasite (within a site) and Intersite (between sites).

Intrasite Replication versus Intersite Replication

Compression
  Intrasite: To save CPU time, replication data is not compressed.
  Intersite: To save WAN bandwidth, replication data greater than 50 kilobytes (KB) is compressed.

Replication model
  Intrasite: To reduce replication latency, replication partners notify each other when changes need to be replicated.
  Intersite: To save WAN bandwidth, replication partners do not notify each other when changes need to be replicated.

Replication frequency
  Intrasite: Replication partners poll each other periodically.
  Intersite: Replication partners poll each other at specified intervals, only during scheduled periods.

Transport protocols
  Intrasite: Remote procedure call (RPC).
  Intersite: IP or Simple Mail Transport Protocol (SMTP).

What Information Is Replicated?

The information stored in the directory (in the Ntds.dit file) is logically partitioned into four categories. A directory partition is also referred to as a naming context. The directory contains the following partitions:

■ Schema partition: This partition defines the objects that can be created in the directory and the attributes those objects can have. This data is common to all domains in a forest and is replicated to all domain controllers in a forest.

■ Configuration partition: This partition describes the logical structure of the deployment, including data such as domain structure or replication topology. This data is common to all domains in a forest and is replicated to all domain controllers in a forest.

■ Domain partition: This partition describes all of the objects in a domain. This data is domain-specific and is not replicated to any other domains. However, the data is replicated to every domain controller in that domain.

■ Application Directory partition: This partition stores dynamic application-specific data in Active Directory without significantly affecting network performance by enabling you to control the scope of replication and the placement of replicas. The application directory partition can contain any type of object except security principals (users, groups, and computers).

Replication Triggers:

The following actions trigger replication between domain controllers:

• Creating | Modifying | Moving | Deleting an object

A domain controller stores and replicates:

• The schema partition data for a forest.
• The configuration partition data for all domains in a forest.
• The domain partition data (all directory objects and properties) for its domain.

A global catalog stores and replicates:

• The schema partition data for a forest
• The configuration partition data for all domains in a forest
• A partial replica containing commonly used attributes for all directory objects in the forest
• A full replica containing all attributes for all directory objects in the domain in which the GC is located.
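The partition descriptions and the two lists above together define which domain controllers end up holding a given change, and whether they hold it in full or as a partial replica. The following is an added example, not part of the original notes, that encodes those scoping rules so they can be queried for a constructed forest: schema and configuration data reach every DC in the forest, a domain partition reaches that domain's DCs in full and global catalogs elsewhere as a partial replica, and an application directory partition reaches only the DCs designated as its replicas. The forest layout, DC names, the application partition name and its replica placement are constructed assumptions.

```python
"""Replication scope by directory partition (added model, not from the notes).

Forest layout, DC names and the application partition are constructed
sample data; application partition replica placement is modelled as an
explicit name -> set-of-DCs map (an assumption for the illustration).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class DomainController:
    name: str
    domain: str
    is_gc: bool = False


FOREST = (
    DomainController("DC1", "contoso.com", is_gc=True),
    DomainController("DC2", "contoso.com"),
    DomainController("DC3", "corp.contoso.com", is_gc=True),
    DomainController("DC4", "corp.contoso.com"),
)

# Application directory partitions replicate only to their designated replicas.
APP_PARTITIONS = {"AppData.corp.contoso.com": {"DC3", "DC4"}}

# Object classes an application directory partition may not contain.
SECURITY_PRINCIPAL_CLASSES = {"user", "group", "computer"}


def replica_holders(partition, domain=None, forest=FOREST):
    """Return {dc_name: 'full' | 'partial'} for a change in `partition`.

    partition is 'schema', 'configuration', 'domain' (with `domain` set)
    or the name of an application directory partition."""
    if partition in ("schema", "configuration"):
        # Forest-wide data: every domain controller holds a full copy.
        return {dc.name: "full" for dc in forest}
    if partition == "domain":
        if domain is None:
            raise ValueError("the domain partition requires a domain name")
        holders = {}
        for dc in forest:
            if dc.domain == domain:
                holders[dc.name] = "full"        # every DC in that domain
            elif dc.is_gc:
                holders[dc.name] = "partial"     # GCs elsewhere: common attributes
        return holders
    if partition in APP_PARTITIONS:
        return {name: "full" for name in APP_PARTITIONS[partition]}
    raise ValueError(f"unknown partition: {partition}")


def allowed_in_app_partition(object_class):
    """Application partitions may hold any object except security principals."""
    return object_class.lower() not in SECURITY_PRINCIPAL_CLASSES


def stored_on(dc, forest=FOREST):
    """Partitions a single DC stores: full schema, configuration and its own
    domain partition; a GC adds partial replicas of every other domain."""
    parts = {"schema": "full", "configuration": "full",
             f"domain:{dc.domain}": "full"}
    if dc.is_gc:
        for other in sorted({d.domain for d in forest} - {dc.domain}):
            parts[f"domain:{other}"] = "partial"
    return parts
```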

Initiating Replication: there are several different methods to force replication.

1. Using the Active Directory Sites and Services MMC snap-in (Dssite.msc)
2. Using Repadmin
3. Using Replmon
4. Using a script

A site link is a logical, transitive connection between two or more sites that mirrors the network links and allows replication to occur. By default, all site links are transitive.

A site link bridge connects two or more site links in a transport where transitivity has been disabled in order to create a transitive and logical link between two sites that do not have an explicit site link.

Site Link Transitivity: By default, all site links are transitive, which simply means that if sites A and B are linked and sites B and C are linked, then site A and site C are transitively linked. Site link transitivity is enabled or disabled by selecting the Bridge All Site Links check box in the Properties dialog box for either the IP or the SMTP intersite transport. By default, site link transitivity is enabled for each transport.

The following are some reasons why you might want to disable site link transitivity:

o To have total control over replication traffic patterns
o To avoid a particular replication path, such as a path that involves a firewall
o If your IP network is not fully routed

A bridgehead server is a single domain controller in a site, the contact point used for replication between sites, and is designated automatically by the KCC.

Pull replication is more efficient for intersite replication because the destination domain controller knows which replication data to request. In contrast, notification and push replication are more efficient for intrasite replication, when domain controllers are well connected and not restrained by site link schedules.

To configure a site:

1. Create a site
2. Create a subnet and associate it with the site
3. Create or move a domain controller object into the site
4. Designate a site license server for the site

To create a site:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.
2. Right-click the Sites container, and then click New Site.
3. In the New Object–Site dialog box, type the name of the new site in the Name box. Assign a site link to the site by selecting a site link in the Link Name column, and then click OK.
4. In the Active Directory message box, note that to finish the configuration of a site, you must
   o Ensure that the site is linked to other sites with site links as appropriate.
   o Add subnets for the site to the Subnets container.
   o Install one or more domain controllers in the site or move existing domain controllers into the site.
   o Select the licensing computer for the site.
5. Click OK.

Creating Subnets: Computers on TCP/IP networks are assigned to sites based on their location in a subnet or a set of subnets. Subnet information is used to find a domain controller in the same site as the computer that is authenticated during the logon process, and is used during Active Directory replication to determine the best routes between domain controllers. Each site must have at least one subnet, but a subnet can be assigned to only one site.

To create a subnet:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.
2. Double-click the Sites folder.
3. Right-click the Subnets folder, and then click New Subnet.
4. In the New Object–Subnet dialog box, type the subnet address in the Address box. In the Mask box, type the subnet mask that describes the range of addresses included in this site's subnet. Choose a site to associate this subnet with.
5. Click OK.
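The subnet-to-site mapping described above is what lets a client find a domain controller in its own site. The following is an added example, not part of the original notes, that reproduces the lookup: subnets are registered against sites, a subnet may belong to only one site (a duplicate assignment is rejected), and a client address is matched to the most specific subnet that contains it, so a /24 carved out of a larger /16 wins for addresses inside it. A check for sites that have no subnet at all is included, since the text requires at least one per site. Site names and address ranges are constructed sample data.

```python
"""Client IP address to Active Directory site lookup (added illustration).

Not from the original notes. Site names and subnet ranges are constructed
sample data; matching uses the most specific (longest prefix) subnet.
"""
import ipaddress


class SiteTopology:
    def __init__(self):
        self._subnets = {}   # ip_network -> site name

    def add_subnet(self, cidr, site):
        """Register a subnet object for a site; each subnet belongs to one site."""
        net = ipaddress.ip_network(cidr, strict=True)
        if net in self._subnets:
            raise ValueError(f"{net} is already assigned to site {self._subnets[net]}")
        self._subnets[net] = site

    def sites_without_subnets(self, sites):
        """Sites that no subnet points at: clients can never be placed in them."""
        covered = set(self._subnets.values())
        return sorted(s for s in sites if s not in covered)

    def site_for(self, address):
        """Return the site whose most specific subnet contains `address`,
        or None when no subnet matches (the client is in no site)."""
        addr = ipaddress.ip_address(address)
        best = None
        for net, site in self._subnets.items():
            if addr.version == net.version and addr in net:
                if best is None or net.prefixlen > best[0].prefixlen:
                    best = (net, site)
        return best[1] if best else None


def build_sample_topology():
    """Constructed example: a /24 lab range carved out of the HQ /16."""
    topo = SiteTopology()
    topo.add_subnet("10.1.0.0/16", "HQ")
    topo.add_subnet("10.1.50.0/24", "HQ-Lab")
    topo.add_subnet("10.2.0.0/16", "Branch-A")
    topo.add_subnet("192.168.100.0/24", "Branch-B")
    return topo
```

A client that matches no subnet is the case to watch for operationally: it will still log on, but against whichever domain controller it happens to find rather than a local one.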

For optimum network response time and application availability, place at least

o One domain controller in each site. A domain controller in each site provides users with a local computer that can service query requests for their domain over LAN connections.

o Two domain controllers in each domain. By placing at least two domain controllers in each domain, you provide redundancy and reduce the load on the existing domain controller in the domain.

Reasons for placing additional domain controllers in a site are the following:

o There are a large number of users in the site, and the link to the site is slow or near capacity. If a site has slow logon times and slow authentication when attempting to access user resources, capacity might be insufficient. By monitoring domain controller usage, you can determine whether there is enough processing power and bandwidth to service requests. If performance is lagging, you should consider adding another domain controller to the site.

o The link to the site is historically unreliable or only intermittently available. If a single domain controller in a site fails, clients can connect to other domain controllers in other sites in the domain by crossing site links. However, if site links are unreliable, users on that site may not be able to log on to their computers. In this case, you should consider adding another domain controller to the site.

In some situations, it might not be efficient to place a domain controller in a site. These situations include:

o Sites with small numbers of users: For sites with a small number of users, using available bandwidth to log on and query the directory might be more economical than adding a domain controller.

o Small sites that have client computers but no servers: For sites with no servers, a domain controller is not necessary. Users can still log on using cached credentials if the site link fails. Because there are no server-based resources at the site, there is no need for further authentication.

To create a domain controller object in a site:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the Active Directory Sites and Services console tree, double-click the site that you want to contain the new domain controller object.
3. Right-click the Servers folder, point to New, and then click Server.
4. In the New Object–Server dialog box, type the name for the new domain controller object in the Name box.
5. Click OK.

To move a domain controller object into a site:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. In the Active Directory Sites and Services console tree, right-click the domain controller object that you want to move to a different site, and then click Move.
3. In the Move Server dialog box, click the site to which you want to move the domain controller object, and then click OK.


The License Logging service on each server in a site collects and replicates this licensing information to a centralized database on a server for the site called the site license server.

To view the site license server for a site:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.
2. In the console tree, click the site.
3. In the details pane, click Licensing Site Settings.
4. On the Action menu, click Properties.
5. In the Licensing Site Settings Properties dialog box, the current site license server is listed in the Computer and Domain boxes.

To change a license server for a site:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites and Services.
2. Click the site for which you want to assign a licensing computer.
3. In the details pane, right-click Licensing Site Settings, and then click Properties.
4. In the Licensing Site Settings Properties dialog box, click Change in the Licensing Computer box.
5. In the Select Computer dialog box, select the computer you want to designate as the licensing computer for this site, and then click OK.
6. In the Licensing Site Settings Properties dialog box, click OK.

Creating Site Links

When you install Active Directory on the first domain controller in a site, the Active Directory Installation Wizard automatically creates an object named DEFAULTIPSITELINK in the IP container for the first default site. You can rename the DEFAULTIPSITELINK to the name you want to use for the site link.

To create a site link:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.
2. Open the Inter-Site Transports folder and right-click either the IP or SMTP folder, depending on which protocol you want the site to use. Select New Site Link.
3. In the New Object–Site Link dialog box, type the name to be given to the site link in the Name field. Use a name that includes the sites that you are linking.
4. In the Sites Not In This Site Link box, click two or more sites to connect, and then click Add. Click OK.

Designating a Preferred Bridgehead Server

Bridgehead servers are the contact point for exchange of directory information between sites. Replication occurs between bridgehead servers in different sites. When two sites are connected by a site link, the KCC automatically selects bridgehead servers, one in each site, for each domain that has domain controllers in the site. The KCC then creates inbound-only connection objects between bridgehead servers. You can designate bridgehead servers manually if you want the same servers to be always used as bridgehead servers.

The Implications of Using a Preferred Bridgehead Server

If the active preferred bridgehead server fails, Active Directory selects another preferred bridgehead server to be the active preferred bridgehead server from the set you designate. If no other preferred bridgehead servers are specified or no other preferred bridgehead servers are available, replication does not occur to that site even if there are servers that can act as bridgehead servers. In addition, if you specify preferred bridgehead servers, you must assign one bridgehead server for each domain and writable directory partition combination in your forest, which might result in high costs in a large organization.

Replacement of a Failed Preferred Bridgehead Server

If a preferred bridgehead server fails and you want the KCC to be able to fail over to other domain controllers but there are no other preferred bridgehead servers available, you must perform one of the following tasks at a domain controller in each site:

o Add new domain controllers and designate them as preferred bridgehead servers for the corresponding directory partitions, site, and transport. If there is more than one domain represented in the site, you must add a preferred bridgehead server for each domain.

o Remove all preferred bridgehead designations that you have made for the corresponding directory partition, site, and transport, and allow the KCC to select new bridgehead servers automatically.

Because the KCC creates only inbound connections, a bridgehead server cannot create an outbound connection to another bridgehead server. This is the reason why changes to preferred bridgehead server status must be made on a domain controller in each affected site so that inbound connections are created in each site.

To designate a preferred bridgehead server:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.
2. In the Active Directory Sites And Services console tree, click the site that contains the domain controller that you want to make a preferred bridgehead server.
3. In the Active Directory Sites And Services console tree, right-click the domain controller that you want to make a bridgehead server, and then click Properties.
4. In the Properties dialog box for the domain controller, in the Transports Available For Inter-Site Data Transfer box, select the intersite transport or transports for which this computer will be a preferred bridgehead server. Click Add, and then click OK.

Creating Site Link Bridges

When more than two sites are linked for replication and use the same transport, by default, all of the site links are "bridged" in terms of cost, assuming the site links have common sites. If site link transitivity is enabled, which it is by default, creating a site link bridge has no effect. It is seldom necessary to create site link bridges. However, if site link transitivity has been disabled, you need to create a site link bridge manually if a transitive link is required to handle your organization's replication strategy.

To create a site link bridge:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.
2. Open the Inter-Site Transports folder and right-click either the IP or SMTP folder, and then click New Site Link Bridge.
3. In the New Object–Site Link Bridge dialog box, type a name for the site link bridge in the Name box.
4. In the Site Links Not In This Site Link Bridge box, click two or more site links to connect, and then click Add. Click OK.

To disable site link transitivity:

1. Click Start, point to Administrative Tools, and then click Active Directory Sites And Services.
2. Open the Inter-Site Transports folder and right-click either the IP or SMTP folder, then click Properties.
3. On the General tab in the IP Properties or SMTP Properties dialog box, clear the Bridge All Site Links check box. Click OK.
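The interplay between the Bridge All Site Links setting and explicit site link bridges (described in the Site Link Transitivity paragraph earlier and in the site link bridge section just above) is easiest to see on a small topology. The following is an added example, not part of the original notes, that models an intersite transport with its site links and bridges and answers whether two sites have a replication path: with transitivity enabled every link chains with every other, with it disabled only a shared site link or the links inside one explicit site link bridge connect sites. Site and link names are constructed sample data; the "DMZ" link stands in for the firewall path the text suggests you might want to keep out of the bridged set.

```python
"""Site link transitivity and site link bridges (added model, not from the notes).

Site names, link names and bridge names are constructed sample data.
"""
from collections import deque


class IntersiteTransport:
    def __init__(self, bridge_all_site_links=True):
        self.bridge_all_site_links = bridge_all_site_links   # the check box
        self.site_links = {}          # link name -> frozenset of site names
        self.site_link_bridges = {}   # bridge name -> frozenset of link names

    def add_site_link(self, name, *sites):
        if len(sites) < 2:
            raise ValueError("a site link connects two or more sites")
        self.site_links[name] = frozenset(sites)

    def add_site_link_bridge(self, name, *link_names):
        unknown = set(link_names) - set(self.site_links)
        if unknown:
            raise ValueError(f"unknown site links: {sorted(unknown)}")
        self.site_link_bridges[name] = frozenset(link_names)

    @staticmethod
    def _reachable(start, links):
        """Sites reachable from `start` when the given links chain transitively."""
        seen = {start}
        queue = deque([start])
        while queue:
            site = queue.popleft()
            for members in links:
                if site in members:
                    for other in members - seen:
                        seen.add(other)
                        queue.append(other)
        return seen

    def has_replication_path(self, a, b):
        """Can the KCC build a replication path between sites a and b?"""
        if a == b:
            return True
        all_links = list(self.site_links.values())
        if any(a in m and b in m for m in all_links):
            return True                                   # shared site link
        if self.bridge_all_site_links:
            return b in self._reachable(a, all_links)     # everything is transitive
        # Transitivity disabled: only the links inside one explicit bridge chain.
        for link_names in self.site_link_bridges.values():
            bridged = [self.site_links[n] for n in link_names]
            if b in self._reachable(a, bridged):
                return True
        return False


def build_sample_transport(bridge_all):
    """Constructed IP transport: HQ-BranchA, BranchA-BranchB, and a
    separate HQ-DMZ link that represents a path through a firewall."""
    ip = IntersiteTransport(bridge_all_site_links=bridge_all)
    ip.add_site_link("HQ-BranchA", "HQ", "Branch-A")
    ip.add_site_link("BranchA-BranchB", "Branch-A", "Branch-B")
    ip.add_site_link("HQ-DMZ", "HQ", "DMZ")
    return ip
```

With Bridge All Site Links cleared, HQ and Branch-B lose their path until a bridge joining HQ-BranchA and BranchA-BranchB is created, and the DMZ link stays out of the bridged set, which is exactly the "avoid a particular replication path" case from the list of reasons to disable transitivity.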

Windows Support Tools provide the following tools for monitoring and troubleshooting replication:

o Replmon.exe: Active Directory Replication Monitor
o Repadmin.exe: Replication Diagnostics Tool
o Dsastat.exe

Replmon.exe: Active Directory Replication Monitor

The Active Directory Replication Monitor (Replmon) enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication.

To start Replmon:

1. Click Start, point to Command Prompt, type replmon, and then press Enter.
2. In the console tree, right-click Monitored Servers, and select Add Monitored Server.
3. On the Add Monitored Server Wizard page, select Add the Server Explicitly by Name, and then click Next.
4. On the Add Server To Monitor page, type the name of the server you want to monitor in the Enter The Name Of The Server To Monitor Explicitly box, and then click Finish.
5. In the Active Directory Replication Monitor window, the server you chose for monitoring appears in the console tree. You can now monitor replication processes for this server.

Repadmin.exe: Replication Diagnostics Tool

The Replication Diagnostics Tool (Repadmin), a command-line tool, allows you to view the replication topology as seen from the perspective of each domain controller.


Dsastat.exe

Dsastat.exe compares and detects differences between directory partitions on domain controllers and can be used to ensure that domain controllers are up-to-date with one another. The tool retrieves capacity statistics such as megabytes per server, objects per server, and megabytes per object class, and compares the attributes of replicated objects.

Some of the common problems you might encounter with Active Directory replication include the following:

o New users are not recognized.
o Directory information is out-of-date.
o Service requests are not handled in a timely fashion.
o Domain controllers are unavailable.

-------------------------------------------------------------------------------------------------------------------------------------


The components that are monitored in Windows are:

CPU Utilization: Monitor CPU usage; check whether CPUs are running at full capacity or are being underutilized.

Memory Utilization: Avoid the problem of your Windows system running out of memory. Get notified when the memory usage is high (or memory is dangerously low).

Disk Utilization: Maintain a margin of available disk space. Get notified when the disk space falls below the margin.

Process Monitoring: Monitor critical processes running in your system. Get notified when a particular process fails.

Windows Service Monitoring: Monitor the critical Windows services running in your Windows system. Monitoring is possible only in WMI mode of monitoring.

Windows Event Log Monitoring: Monitor the Windows events generated, if the mode of monitoring is WMI.

Windows Performance Counters: Monitors the Windows performance counter values through WMI.

To monitor performance, use the directory service log, the file replication service log, and System Monitor.

The directory service log contains errors, warnings, and information generated by Active Directory.

The File Replication service (FRS) is a service that provides multimaster file replication for designated directory trees between designated servers running Windows Server 2003. The designated directory trees must reside on disk partitions formatted with the version of the NTFS file system used in the Windows Server 2003 family. FRS is used by Active Directory to automatically synchronize the content of the system volume across domain controllers. The file replication service log contains errors, warnings, and information generated by FRS.

System Monitor is a tool that supports detailed monitoring of the use of operating system resources.

System Monitor enables you to:

o Collect real-time performance data from a local computer or from a specific computer on the network where you have permission
o View current or previously recorded performance data
o Present data in a printable graph, histogram, or report view
o Create reusable monitoring configurations that can be installed on other computers using Microsoft Management Console (MMC)
o Incorporate System Monitor functionality into applications that support ActiveX controls: for example, Web pages, Microsoft Word, or other applications in the Microsoft Office suite
o Create HTML pages from performance views

Performance Objects and Performance Counters

To monitor performance, you select performance objects and their associated performance counters. A performance object is a logical collection of performance counters that is associated with a resource or service that can be monitored. A performance counter is a data item associated with a performance object. For each performance counter selected, System Monitor presents a value corresponding to a particular aspect of the performance that is defined for the performance object.

To monitor Active Directory, you monitor the activity of the NT Directory Services (NTDS) performance object. The counters in the NTDS performance object reflect the functions of Active Directory, including the:

o Address book (AB)
o Asynchronous thread queue (ATQ)
o Directory Replication Agent (DRA)
o Directory service (DS)
o Key distribution center (KDC)
o Kerberos authentications | LDAP | NTLM authentications | Security Accounts Manager (SAM)

There are over 120 performance counters provided for the NTDS performance object.

Monitoring Active Directory Performance

To monitor Active Directory performance, you must first select the performance counters to monitor. Then you can set sampling parameters and display options.

To select performance counters:

1. Click Start, point to Administrative Tools, and then click Performance.
2. Right-click the System Monitor details pane and click Add Counters. Alternatively, click the plus sign (+) icon on the System Monitor menu bar.
3. In the Add Counters dialog box, select one of the following:
   o To monitor the computer on which System Monitor is running, click Use Local Computer Counters.
   o To monitor a specific computer, regardless of where System Monitor is running, click Select Counters From Computer and select the Uniform Naming Convention (UNC) name (the name of the local computer is selected by default) of the computer you want to monitor in the text box. Or, you can type the Internet Protocol (IP) address of the computer you want to monitor.
4. In the Performance Object list, select NTDS.
5. To select the counters to monitor, choose one of the following:
   o To monitor all counters for the NTDS performance object, click All Counters.
   o To monitor only selected counters, click Select Counters From List, and select the counters you want to monitor from the list. You can select multiple counters by clicking on a counter and holding the Ctrl key.
6. Click Add.
7. When you are finished adding counters, click Close. The counters that you selected appear in the lower part of the System Monitor screen; each counter is represented by its own color. Choose either the graph, histogram, or report display view by clicking the appropriate toolbar button.

Counter Logs: Counter logs record sampled data about hardware resources andsystem services based on performance objects and counters in the same manneras System Monitor.

Trace Logs:  Trace logs collect event traces that measure performance statisticsassociated with events such as disk and file I/O, page faults, and thread activity.

Managing Active Directory Performance from the Command Line: In addition to using the Performance console, you can use the following command-line utilities to monitor and manage Active Directory performance:


o Logman: The Logman command manages and schedules performancecounter and event trace log collections on local and remote systems.

o Perfmon: The Perfmon command allows you to open a Performance consoleconfigured with the System Monitor ActiveX control and Performance LogsAnd Alerts service.

o Relog: The Relog command extracts performance counters fromperformance counter logs into other formats, such as text-TSV (tab-delimitedtext), text-CSV (comma-delimited text), binary-BIN, or SQL.

o Tracerpt: The Tracerpt command processes event trace logs or real-timedata from instrumented event trace providers and allows you to generatetrace analysis reports and CSV files for the events generated.

o Typeperf: The Typeperf command writes performance counter data to thecommand window or to a supported log file format.

o Lodctr: The Lodctr command registers new performance counter namesand Explain text for a service or device driver and saves and restorescounter settings and Explain text.

o Unlodctr: The Unlodctr command removes performance counter names andExplain text for a service or device driver from the system registry.
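Typeperf and Relog, listed above, can write counter samples as comma-delimited text (the PDH-CSV format: the first column carries the timestamp header, the remaining headers are counter paths). The following is an added example, not part of the original notes, that parses such a log for the NTDS counters discussed earlier, summarizes each counter, and flags sustained breaches, which is the sort of check a practitioner runs over a counter log collected with Logman or Typeperf rather than watching the graph. The log lines and the thresholds are constructed sample values; the counter paths are written as typeperf would render them for a server named DC1, which is an assumption of the example.

```python
"""Parse a PDH-CSV counter log and flag sustained threshold breaches.

Added illustration, not from the original notes. SAMPLE_PDH_CSV is a
constructed log in the comma-delimited text format that Typeperf/Relog
write; the machine name DC1 and all values are made up for the example.
"""
import csv
import io
import statistics

SAMPLE_PDH_CSV = r'''"(PDH-CSV 4.0) (Coordinated Universal Time)(0)","\\DC1\NTDS\DRA Pending Replication Synchronizations","\\DC1\NTDS\NTLM Authentications","\\DC1\NTDS\Kerberos Authentications"
"03/15/2019 10:00:00.000","0","3","120"
"03/15/2019 10:00:15.000","2","4","131"
"03/15/2019 10:00:30.000","25","40","118"
"03/15/2019 10:00:45.000","31","55","125"
"03/15/2019 10:01:00.000"," ","62","122"
'''


def parse_pdh_csv(text):
    """Return (counter_paths, rows); each row is (timestamp, {path: float|None}).
    A blank field means the sample was not collected and is kept as None."""
    reader = csv.reader(io.StringIO(text))
    header = next(reader)
    if not header or not header[0].startswith("(PDH-CSV"):
        raise ValueError("not a PDH-CSV counter log")
    paths = header[1:]
    rows = []
    for rec in reader:
        if not rec:
            continue
        values = {}
        for path, raw in zip(paths, rec[1:]):
            raw = raw.strip()
            values[path] = float(raw) if raw else None
        rows.append((rec[0], values))
    return paths, rows


def counter_name(path):
    """Strip the machine and object prefix: '\\\\DC1\\NTDS\\X' -> 'X'."""
    return path.rsplit("\\", 1)[-1]


def summarize(rows, path):
    """Sample count, mean and maximum for one counter, ignoring gaps."""
    vals = [v[path] for _, v in rows if v[path] is not None]
    return {"samples": len(vals), "mean": statistics.fmean(vals), "max": max(vals)}


def sustained_breaches(rows, path, threshold, consecutive=2):
    """Timestamps at which the counter has been at or above `threshold` for
    `consecutive` samples in a row. A missing sample resets the run, so a
    single spike or a collection gap does not raise an alert."""
    hits, run = [], 0
    for ts, values in rows:
        v = values[path]
        run = run + 1 if (v is not None and v >= threshold) else 0
        if run >= consecutive:
            hits.append(ts)
    return hits


def report(text, thresholds):
    """Human-readable summary plus breach list for each thresholded counter."""
    paths, rows = parse_pdh_csv(text)
    lines = []
    for path in paths:
        name = counter_name(path)
        s = summarize(rows, path)
        lines.append(f"{name}: n={s['samples']} mean={s['mean']:.1f} max={s['max']:.0f}")
        if name in thresholds:
            for ts in sustained_breaches(rows, path, thresholds[name]):
                lines.append(f"  breach >= {thresholds[name]} at {ts}")
    return lines
```

The thresholds here are arbitrary; in practice they come from a baseline taken when the domain controller is healthy, and a rising pending-synchronization count or an unexpected jump in NTLM relative to Kerberos authentications is what you would want to investigate.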


Dynamic Host Configuration Protocol 

Dynamic Host Configuration Protocol is used to assign an IP address to a computer or device connected to a network automatically.

Netsh: command-line administration tool for DHCP servers.

BOOTstrap Protocol (BOOTP) is a protocol that allows a diskless workstation to discover certain network information; for example, its own IP address.

DHCP terminology

Term - Description

Scope - A scope is the full consecutive range of possible IP addresses for a network.

Superscope - A superscope is an administrative grouping of scopes that can be used to support multiple logical IP subnets on the same physical subnet.

Multicast scope - Multicast scopes are supported through the use of Multicast Address Dynamic Client Allocation Protocol (MADCAP). The multicast address range uses an additional address class, Class D, that includes IP addresses ranging from 224.0.0.0 to 239.255.255.255 for use in IP multicasting.

Exclusion range - An exclusion range is a limited sequence of IP addresses within a scope, excluded from DHCP service offerings.

Address pool - After you define a DHCP scope and apply exclusion ranges, the remaining addresses form the available address pool within the scope. Pooled addresses are eligible for dynamic assignment by the server to DHCP clients on your network.

Lease - A lease is a length of time that a DHCP server specifies, during which a client computer can use an assigned IP address.

Reservation - A reservation creates a permanent address lease assignment by the DHCP server. Reservations assure that a specified hardware device on the subnet can always use the same IP address.

Option types - Option types are other client configuration parameters a DHCP server can assign when serving leases to DHCP clients.

Options class - An options class is a way for the server to further manage option types provided to clients. When an options class is added to the server, clients of that class can be provided class-specific option types for their configuration. For Microsoft Windows 2000 and Windows XP, client computers can also specify a class ID when communicating with the server. Options classes can be of two types: vendor classes and user classes.

User class - User-defined classes are used for managing DHCP options assigned to clients identified by a common need for a similar DHCP options configuration.

Vendor class - Vendor-defined classes are used for managing DHCP options assigned to clients identified by vendor type.

Backup and Restore

Maintaining a backup of the DHCP database protects you from data loss if the DHCP database is lost.

• Synchronous backups that occur automatically. The default backup interval is 60 minutes.


• Asynchronous (manual) backups, performed by using the Backup command on the DHCP console.

DHCP Lease Stages

1. Lease Request - The client sends a broadcast requesting an IP address.
2. Lease Offer - The server sends the information and marks the offered address as unavailable. The message sent is a DHCPOFFER broadcast message.
3. Lease Acceptance - The first offer received by the client is accepted. The acceptance is sent from the client as a broadcast (DHCPREQUEST message) including the IP address of the DHCP server that sent the accepted offer. Other DHCP servers retract their offers and mark the offered address as available and the accepted address as unavailable.
4. Server lease acknowledgement - The server sends a DHCPACK, or a DHCPNACK if an unavailable address was requested.

DHCP discover message - The initial broadcast sent by the client to obtain a DHCP lease. It contains the client MAC address and computer name. This is a broadcast using 255.255.255.255 as the destination address and 0.0.0.0 as the source address. The request is sent and then the client waits one second for an offer. The request is repeated at 9, 13, and 16 second intervals with an additional 0 to 1000 milliseconds of randomness. The attempt is repeated every 5 minutes thereafter.

The client uses its own port 68 as the source port with port 67 as the destination port on the server to send the request to the server. The server uses its own port 67 as the source port with port 68 as the destination port on the client to reply to the client. Therefore the server is listening and sending on its own port 67 and the client is listening and sending on its own port 68.

DHCP Lease Renewal - After 50% of the lease time has passed, the client will attempt to renew the lease with the original DHCP server that it obtained the lease from, using a DHCPREQUEST message. At 87.5% of the lease completion, the client will attempt to contact any DHCP server for a new lease. If the lease expires, the client will send a request as in the initial boot when the client had no IP address. If this fails, the client TCP/IP stack will cease functioning.
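The discover/offer exchange and the option fields it carries, as an added example that is not part of these notes: a small parser for the RFC 2131 message layout (fixed header, magic cookie, TLV options) run over constructed sample packets, plus a check that flags a DHCPOFFER whose Server Identifier is not an authorized server, which is how an unexpected DHCP server shows up on the wire. The addresses, MAC address and transaction id are constructed values.

```python
"""Parse DHCP messages (RFC 2131 fixed header + options) and flag DHCPOFFERs
that do not come from an authorized server. Sample packets are constructed
inline below; they are not captures."""
import struct
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE"}

def parse_options(blob):
    """Return {code: bytes} for the TLV option area; stops at END (255)."""
    opts, i = {}, 0
    while i < len(blob):
        code = blob[i]
        if code == 255:          # END option
            break
        if code == 0:            # PAD option has no length byte
            i += 1
            continue
        length = blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def parse_dhcp(packet):
    """Decode the 236-byte fixed header, the magic cookie and the options."""
    if len(packet) < 240 or packet[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    op, htype, hlen, hops, xid, secs, flags = struct.unpack("!BBBBIHH", packet[:12])
    ciaddr, yiaddr, siaddr, giaddr = struct.unpack("!4s4s4s4s", packet[12:28])
    chaddr = packet[28:28 + hlen]
    opts = parse_options(packet[240:])
    msg = {
        "op": "BOOTREQUEST" if op == 1 else "BOOTREPLY",
        "xid": xid,
        "broadcast": bool(flags & 0x8000),
        "client_mac": chaddr.hex(":"),
        "yiaddr": str(ipaddress.IPv4Address(yiaddr)),   # address being offered
        "type": MESSAGE_TYPES.get(opts.get(53, b"\x00")[0], "UNKNOWN"),
    }
    if 54 in opts:   # Server Identifier: the DHCP server that made the offer
        msg["server_id"] = str(ipaddress.IPv4Address(opts[54]))
    if 12 in opts:   # Host Name option carried in the DHCPDISCOVER
        msg["hostname"] = opts[12].decode("ascii", "replace")
    if 51 in opts:   # IP Address Lease Time in seconds
        msg["lease_seconds"] = struct.unpack("!I", opts[51])[0]
    return msg

def build_dhcp(op, xid, mac, msg_type, yiaddr="0.0.0.0", options=()):
    """Build a minimal DHCP message; used here only to construct sample traffic."""
    header = struct.pack("!BBBBIHH", op, 1, 6, 0, xid, 0, 0x8000)  # broadcast flag
    header += b"\x00" * 4 + ipaddress.IPv4Address(yiaddr).packed + b"\x00" * 8
    header += bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header += b"\x00" * 192            # sname + file fields, unused here
    body = bytes([53, 1, msg_type])    # DHCP Message Type option
    for code, value in options:
        body += bytes([code, len(value)]) + value
    return header + MAGIC_COOKIE + body + b"\xff"

def rogue_offers(packets, authorized_servers):
    """Return the Server Identifiers of DHCPOFFERs not issued by an authorized server."""
    flagged = []
    for pkt in packets:
        msg = parse_dhcp(pkt)
        if msg["type"] == "DHCPOFFER" and msg.get("server_id") not in authorized_servers:
            flagged.append(msg.get("server_id", "none"))
    return flagged

# Constructed sample exchange: a client DISCOVER, an offer from the legitimate
# server 10.0.0.2 and a second offer from an unexpected server 10.0.0.99.
CLIENT_MAC = "00:11:22:33:44:55"
SAMPLE = [
    build_dhcp(1, 0x3903F326, CLIENT_MAC, 1, options=[(12, b"oldhost")]),
    build_dhcp(2, 0x3903F326, CLIENT_MAC, 2, "10.0.0.50",
               options=[(54, ipaddress.IPv4Address("10.0.0.2").packed),
                        (51, struct.pack("!I", 8 * 3600))]),
    build_dhcp(2, 0x3903F326, CLIENT_MAC, 2, "10.0.0.200",
               options=[(54, ipaddress.IPv4Address("10.0.0.99").packed)]),
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(parse_dhcp(pkt))
    print("offers from unauthorized servers:", rogue_offers(SAMPLE, {"10.0.0.2"}))
```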

Using the 80/20 rule for scopes

For balancing DHCP server usage, a good practice is to use the "80/20" rule to divide the scope addresses between the two DHCP servers. If Server 1 is configured to make available most (approximately 80%) of the addresses, then Server 2 can be configured to make the other addresses (approximately 20%) available to clients. The following illustration is an example of the 80/20 rule:


Using more than one DHCP server on the same subnet provides increased fault tolerance for servicing DHCP clients located on it. With two DHCP servers, if one server is unavailable, the other server can take its place and continue to lease new addresses or renew existing clients.

To start or stop a DHCP server from the command line:

o net start dhcpserver
o net stop dhcpserver

DHCP Relay Agents

May be placed in two places:

• Routers
• Subnets that don't have a DHCP server, to forward DHCP requests.

The DHCP Relay Agent in the Windows Server 2003 family must be configured with the IP address of the DHCP server in order to relay DHCP requests between Subnet A and Subnet B. For more information about setting up the DHCP Relay Agent.

To configure the DHCP Relay Agent to work over remote access:

1. Click Start, point to Programs, point to Administrative Tools, and then click Routing and Remote Access.

2. In the object tree, expand Your_Server, expand IP Routing, right-click General, and then click New Routing Protocol.

3. In the Routing Protocols list, click DHCP Relay Agent, and then click OK.

4. Right-click DHCP Relay Agent, and then click Properties.

5. In the DHCP Relay Agent Properties dialog box, type the IP addresses of your DHCP servers in the Server Address box, click ADD, and then click OK.


6. Right-click DHCP Relay Agent, and then click New Interface.

7. Click Internal.

Internal represents the virtual interface that is connected to all remote access clients.


Domain Name System

DNS is a hierarchical, distributed database of names and IP addresses that is stored on servers all over the Internet. A DNS name consists of a single host name plus a domain name that consists of two or more words, separated by periods.

A zone is an administrative entity you create on a DNS server to represent a discrete portion of the namespace.

A DNS server that contains no zones and is hosting no domains is called a caching-only server.

A forwarder is a DNS server that receives queries from other DNS servers that are explicitly configured to send them.

Conditional forwarders: A conditional forwarder is a DNS server on a network that is used to forward DNS queries according to the DNS domain name in the query. For example, a DNS server can be configured to forward all the queries it receives for names ending with widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS servers.

Understanding Zone Types: Every zone consists of a zone database, which contains the resource records for the domains in that zone. The three zone types are as follows:

■ Primary zone: A primary zone contains the master copy of the zone database; it is in the primary zone that administrators make all changes to the zone's resource records.

■ Secondary zone: A duplicate of a primary zone on another server, the secondary zone contains a backup copy of the primary master zone database file, stored as an identical text file on the server's local drive. You cannot modify the resource records in a secondary zone manually; you can only update them by replicating the primary master zone database file, using a process called a zone transfer. You should always create at least one secondary zone for each primary zone in your namespace, both to provide fault tolerance and to balance the DNS traffic load.

■ Stub zone: A copy of a primary zone that contains Start Of Authority (SOA) and Name Server (NS) resource records, plus the Host (A) resource records that identify the authoritative servers for the zone.

• Keep delegated zone information current. By updating a stub zone for one of its child zones regularly, the DNS server hosting both the parent zone and the stub zone will maintain a current list of authoritative DNS servers for the child zone.

• Improve name resolution. Stub zones enable a DNS server to perform recursion using the stub zone's list of name servers without needing to query the Internet or an internal root server for the DNS namespace.

• Simplify DNS administration. By using stub zones throughout your DNS infrastructure, you can distribute a list of the authoritative DNS servers for a zone without using secondary zones. However, stub zones do not serve the same purpose as secondary zones and are not an alternative when considering redundancy and load sharing.


You can use each of these zone types to create forward lookup zones or reverse lookup zones. Forward lookup zones contain name-to-address mappings and reverse lookup zones contain address-to-name mappings. If you want a DNS server to perform name and address resolutions for a particular domain, you must create both forward and reverse lookup zones containing that domain.

Active Directory-Integrated Zones: When you are running the DNS server service on a computer that is an Active Directory domain controller and you select the Store the Zone in Active Directory (Available Only If DNS Server is a Domain Controller) check box while creating a zone in the New Zone Wizard, the server does not create a zone database file.

In Active Directory-integrated zones, the zone database is replicated automatically, along with all other Active Directory data. Active Directory uses a multiple master replication system so that copies of the database are updated on all domain controllers in the domain. You don't have to create secondary zones or manually configure zone transfers, because Active Directory performs the database replication automatically. Active Directory conserves network bandwidth by replicating only the DNS data that has changed since the last replication, and by compressing the data before transmitting it over the network. The zone replications also use the full security capabilities of Active Directory, which are considerably more robust than those of file-based zone transfers.

DNS record types.

Type - Name - Function

Zone records:
SOA - Start of Authority - Defines a DNS zone of authority
NS - Name Server - Identifies servers for a zone

Basic records:
A - Address - Name to address translation
PTR - Pointer - Address to name translation
MX - Mail Exchanger - Controls EMail routing

Optional records:
CNAME - Canonical Name - Nicknames for a host
HINFO - Host info - Identifies hardware and OS
RP - Responsible Person - Technical contact for a host
WKS - Well Known Services - Services provided by a host
TXT - Text - Comments

The SOA Record: The SOA record marks the start of a zone. A DNS domain maps into at least two zones: one for forward DNS - translating a hostname to an IP address, and the other for reverse DNS - translating an IP address to a hostname.

The NS Record: The NS (Name Server) record identifies the servers that are authoritative for a given zone.

The A Record: The A (Address) records provide the mapping from hostname to IP addresses.


The PTR Record: The PTR (Pointer) record provides the reverse mapping from IP address to hostname. As with the A record, a host must have one for each network interface.

The MX Record: The MX (Mail Exchange) records are used by the mail systems to route mail more efficiently. An MX record also provides a way to deliver mail to an alternate host when the destination host is not available.

The CNAME Record: The CNAME (Canonical name) records are used to assign nicknames (or aliases) to a host. Nicknames are commonly used either to shorten a name or to associate a function with a host. CNAMEs must refer to a real name, not another CNAME.

The HINFO Record: The HINFO (Host information) record specifies the manufacturer and the operating system type. Most sites do not use HINFO records for security reasons: if everyone knows what type of hardware you have and what type of OS is running, you are more vulnerable to break-ins.

The RP Record: The RP (Responsible Person) record is a new type of record that offers a way to assign an EMail address to a host, with the @ sign replaced by a period (ahj@aber.ac.uk would become ahj.aber.ac.uk).

The WKS Record: The WKS records are used to list well known services that a host supports. Again, for security reasons, most sites do not use it.

The TXT Record: The TXT record is used to add text to a host's DNS records.

Command-line utilities:

Command - Description

Nslookup - Used to perform query testing of the DNS domain namespace.

Dnscmd - A command-line interface for managing DNS servers. This utility is useful in scripting batch files to help automate routine DNS management tasks, or to perform simple unattended setup and configuration of new DNS servers on your network.

Ipconfig - This command is used to view and modify IP configuration details used by the computer. Additional command-line options are included with this utility to provide help in troubleshooting and supporting DNS clients.

DNS Query Types: DNS servers recognize two types of name resolution requests: recursive queries and iterative queries.

In a recursive query, the DNS server receiving the name resolution request takes full responsibility for resolving the name. If the server possesses information about the requested name, it replies immediately to the requestor. If the server has no information about the name, it sends referrals to other DNS servers until it obtains the information it needs. TCP/IP client computers send recursive queries to their designated DNS servers.

In an iterative query, the servers that receive the name resolution request immediately respond with the best information they possess at the time, whether that information is a fully resolved name or a reference to another DNS server. DNS servers use iterative queries when communicating with each other.

DNS query process:


When the DNS server receives a query, it first checks to see if it can answer the query authoritatively based on resource record information contained in a locally configured zone on the server. If the queried name matches a corresponding resource record in local zone information, the server answers authoritatively, using this information to resolve the queried name.

If no zone information exists for the queried name, the server then checks to see if it can resolve the name using locally cached information from previous queries. If a match is found here, the server answers with this information. Again, if the preferred server can answer with a positive matched response from its cache to the requesting client, the query is completed.

If the queried name does not find a matched answer at its preferred server — either from its cache or zone information — the query process can continue, using recursion to fully resolve the name. This involves assistance from other DNS servers to help resolve the name. By default, the DNS Client service asks the server to use a process of recursion to fully resolve names on behalf of the client before returning an answer. In most cases, the DNS server is configured, by default, to support the recursion process.

In order for the DNS server to do recursion properly, it first needs some helpful contact information about other DNS servers in the DNS domain namespace. This information is provided in the form of root hints, a list of preliminary resource records that can be used by the DNS service to locate other DNS servers that are authoritative for the root of the DNS domain namespace tree. Root servers are authoritative for the domain root and top-level domains in the DNS domain namespace tree.

Finally, the "example.microsoft.com." server is contacted. Because this server contains the queried name as part of its configured zones, it responds authoritatively back to the original server that initiated recursion. When the original server receives the response indicating that an authoritative answer was obtained to the requested query, it forwards this answer back to the requesting client and the recursive query process is completed.
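The lookup order just described (local zone, then cache, then recursion from the root hints through referrals down to the server for example.microsoft.com.), as an added toy model that is not part of these notes or of the Windows DNS service. Every server, zone and name in it is constructed sample data; the trace it keeps shows which step answered each query.

```python
"""Toy model of the DNS server lookup order: a locally configured zone first,
then the cache, then recursion from the root hints following referrals.
All servers, zones and names below are constructed sample data."""

# Constructed "servers": {server: {zone: {name: ("A", ip) or ("NS", [servers])}}}
SERVERS = {
    "root-hint-server": {".": {"com.": ("NS", ["com-tld-server"])}},
    "com-tld-server": {"com.": {"microsoft.com.": ("NS", ["ms-server"])}},
    "ms-server": {"microsoft.com.": {
        "example.microsoft.com.": ("NS", ["example-server"])}},
    "example-server": {"example.microsoft.com.": {
        "host1.example.microsoft.com.": ("A", "10.1.2.3")}},
}

def in_zone(qname, zone):
    """True when qname lies inside zone (the root zone contains everything)."""
    return zone == "." or qname == zone or qname.endswith("." + zone)

def iterative_query(server, qname):
    """Iterative query: the server answers with the best information it has,
    an authoritative A record or a referral (NS) to its closest child zone."""
    best = None
    for zone, records in SERVERS[server].items():
        if not in_zone(qname, zone):
            continue
        if qname in records and records[qname][0] == "A":
            return records[qname]
        for name, rec in records.items():
            if rec[0] == "NS" and in_zone(qname, name):
                if best is None or len(name) > len(best[1]):
                    best = (rec, name)          # keep the most specific delegation
    return best[0] if best else ("NXDOMAIN", None)

class Resolver:
    def __init__(self, local_zones, root_hints):
        self.local_zones = local_zones   # {zone: {name: ip}} hosted on this server
        self.root_hints = root_hints     # servers recursion starts from
        self.cache = {}                  # answers learned from previous queries
        self.trace = []                  # (source, kind) for each step taken

    def resolve(self, qname):
        """Recursive query as the client sees it: one call, full answer or None."""
        # 1. authoritative answer from a locally configured zone
        for zone, records in self.local_zones.items():
            if in_zone(qname, zone) and qname in records:
                self.trace.append(("local-zone", "A"))
                return records[qname]
        # 2. locally cached information from previous queries
        if qname in self.cache:
            self.trace.append(("cache", "A"))
            return self.cache[qname]
        # 3. recursion: start at the root hints and follow each referral
        pending = list(self.root_hints)
        while pending:
            server = pending.pop(0)
            kind, value = iterative_query(server, qname)
            self.trace.append((server, kind))
            if kind == "A":
                self.cache[qname] = value   # later lookups are served from cache
                return value
            if kind == "NS":
                pending = list(value) + pending
        return None

if __name__ == "__main__":
    r = Resolver({"corp.local.": {"dc1.corp.local.": "10.0.0.10"}}, ["root-hint-server"])
    print(r.resolve("host1.example.microsoft.com."), r.trace)
```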

Dynamic update enables DNS client computers to register and dynamically update their resource records with a DNS server whenever changes occur. This reduces the need for manual administration of zone records, especially for clients that frequently move or change locations and use DHCP to obtain an IP address.

Dynamic updates can be sent for any of the following reasons or events:


• An IP address is added, removed, or modified in the TCP/IP properties configuration for any one of the installed network connections.

• An IP address lease changes or renews with the DHCP server for any one of the installed network connections. For example, when the computer is started or if the ipconfig /renew command is used.

• The ipconfig /registerdns command is used to manually force a refresh of the client name registration in DNS.

• At startup time, when the computer is turned on.

• A member server is promoted to a domain controller.

When one of the previous events triggers a dynamic update, the DHCP Client service (not the DNS Client service) sends updates. This is designed so that if a change to the IP address information occurs because of DHCP, corresponding updates in DNS are performed to synchronize name-to-address mappings for the computer. The DHCP Client service performs this function for all network connections used on the system, including connections not configured to use DHCP.

How dynamic update works:

Dynamic updates are typically requested when either a DNS name or IP address changes on the computer. For example, suppose a client named "oldhost" is first configured in System properties with the following names:

Computer name - oldhost
DNS domain name of computer - example.microsoft.com
Full computer name - oldhost.example.microsoft.com

In this example, no connection-specific DNS domain names are configured for the computer. Later, the computer is renamed from "oldhost" to "newhost", resulting in the following name changes on the system:

Computer name - newhost
DNS domain name of computer - example.microsoft.com
Full computer name - newhost.example.microsoft.com

Once the name change is applied in System properties, you are prompted to restart the computer. When the computer restarts Windows, the DHCP Client service performs the following sequence to update DNS:

1. The DHCP Client service sends a start of authority (SOA) type query using the DNS domain name of the computer.

The client computer uses the currently configured FQDN of the computer (such as "newhost.example.microsoft.com") as the name specified in this query.

2. The authoritative DNS server for the zone containing the client FQDN responds to the SOA-type query.


For standard primary zones, the primary server (owner) returned in the SOA query response is fixed and static. It always matches the exact DNS name as it appears in the SOA RR stored with the zone. If, however, the zone being updated is directory-integrated, any DNS server loading the zone can respond and dynamically insert its own name as the primary server (owner) of the zone in the SOA query response.

3. The DHCP Client service then attempts to contact the primary DNS server.

The client processes the SOA query response for its name to determine the IP address of the DNS server authorized as the primary server for accepting its name. It then proceeds to perform the following sequence of steps as needed to contact and dynamically update its primary server:

a. It sends a dynamic update request to the primary server determined in the SOA query response.

If the update succeeds, no further action is taken.

b. If this update fails, the client next sends an NS-type query for the zone name specified in the SOA record.

c. When it receives a response to this query, it sends an SOA query to the first DNS server listed in the response.

d. After the SOA query is resolved, the client sends a dynamic update to the server specified in the returned SOA record.

If the update succeeds, no further action is taken.

e. If this update fails, then the client repeats the SOA query process by sending to the next DNS server listed in the response.

4. Once the primary server is contacted that can perform the update, the client sends the update request and the server processes it.

The contents of the update request include instructions to add A (and possibly PTR) RRs for "newhost.example.microsoft.com" and remove these same record types for "oldhost.example.microsoft.com", the name that was previously registered.

The server also checks to ensure that updates are permitted for the client request. For standard primary zones, dynamic updates are not secured, so any client attempt to update succeeds. For Active Directory–integrated zones, updates are secured and performed using directory-based security settings.
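The update request of step 4 on the wire, as an added worked example that is not the DHCP Client service's own code: it encodes an RFC 2136 dynamic UPDATE message that deletes the A records of the old name and adds one for the new name, then decodes the message again. The zone, host names, address and message id are constructed sample values; the 900-second TTL is an assumption matching the 15-minute default these notes mention later.

```python
"""Build and decode a DNS dynamic UPDATE message (RFC 2136) for the rename
above: delete all A RRs of oldhost and add an A RR for newhost.
Zone, names, address and message id are constructed sample values."""
import struct
import ipaddress

OPCODE_UPDATE = 5
TYPE_A, TYPE_SOA, TYPE_PTR = 1, 6, 12
CLASS_IN, CLASS_ANY = 1, 255

def encode_name(name):
    """Encode a dotted name as length-prefixed labels (no compression)."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def decode_name(buf, pos):
    labels = []
    while True:
        length = buf[pos]
        pos += 1
        if length == 0:
            return ".".join(labels) + ".", pos
        labels.append(buf[pos:pos + length].decode("ascii"))
        pos += length

def rr(name, rtype, rclass, ttl, rdata=b""):
    return encode_name(name) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata

def read_rr(buf, pos):
    name, pos = decode_name(buf, pos)
    rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", buf[pos:pos + 10])
    pos += 10
    return (name, rtype, rclass, ttl, buf[pos:pos + rdlen]), pos + rdlen

def build_rename_update(zone, old_fqdn, new_fqdn, new_ip, ttl=900, msg_id=0x1234):
    """Two update instructions: delete all A RRs of the old name (class ANY,
    TTL 0, empty RDATA) and add an A RR for the new name (class IN)."""
    updates = [
        rr(old_fqdn, TYPE_A, CLASS_ANY, 0),
        rr(new_fqdn, TYPE_A, CLASS_IN, ttl, ipaddress.IPv4Address(new_ip).packed),
    ]
    flags = OPCODE_UPDATE << 11            # QR=0 (request), opcode 5 = UPDATE
    # header counts for UPDATE: ZOCOUNT, PRCOUNT, UPCOUNT, ADCOUNT
    header = struct.pack("!HHHHHH", msg_id, flags, 1, 0, len(updates), 0)
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    return header + zone_section + b"".join(updates)

def decode_update(msg):
    """Decode the header, zone section and update section into plain values."""
    msg_id, flags, zocount, prcount, upcount, adcount = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")
    pos = 12
    zone, pos = decode_name(msg, pos)
    ztype, zclass = struct.unpack("!HH", msg[pos:pos + 4])
    pos += 4
    for _ in range(prcount):               # prerequisites: none in our message
        _, pos = read_rr(msg, pos)
    updates = []
    for _ in range(upcount):
        (name, rtype, rclass, ttl, rdata), pos = read_rr(msg, pos)
        if rclass == CLASS_ANY and not rdata:
            action = "delete all type %d RRs" % rtype
        elif rtype == TYPE_A:
            action = "add %s" % ipaddress.IPv4Address(rdata)
        else:
            action = "add " + rdata.hex()
        updates.append({"name": name, "type": rtype, "class": rclass,
                        "ttl": ttl, "action": action})
    return {"id": msg_id, "zone": zone, "zone_type": ztype, "updates": updates}

SAMPLE = build_rename_update("example.microsoft.com",
                             "oldhost.example.microsoft.com",
                             "newhost.example.microsoft.com", "10.0.0.50")

if __name__ == "__main__":
    for upd in decode_update(SAMPLE)["updates"]:
        print(upd)
```

The message is unsigned, which is exactly what a standard primary zone accepts from any client; an Active Directory-integrated zone requires a secure (signed) update, which this example does not add.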

Dynamic updates are sent or refreshed periodically. By default, computers send a refresh once every 7 days. If the update results in no changes to zone data, the zone remains at its current version and no changes are written. Updates result in actual zone changes or increased zone transfer only if names or addresses actually change.

Note that names are not removed from DNS zones if they become inactive or are not updated within the refresh interval (7 days). DNS does not use a mechanism to release or tombstone names, although DNS clients do attempt to delete or update old name records when a new name or address change is applied.


When the DHCP Client service registers A and PTR resource records for a computer, it uses a default caching Time to Live (TTL) of 15 minutes for host records. This determines how long other DNS servers and clients cache a computer's records when they are included in a query response.


RAID (Redundant Array of Independent Disks)

RAID is a method of combining multiple disk drives into a single entity in order to improve the overall performance and reliability of your system. The different options for combining the disks are referred to as RAID levels. There are several different levels of RAID available depending on the needs of your system. One of the options available to you is whether you should use a Hardware RAID solution or a Software RAID solution.

Hardware RAID is always a disk controller to which you can cable up the disk drives. Software RAID is a set of kernel modules coupled together.

RAID 0 – Striping (minimum 2 HDD required)
RAID 1 – Mirroring (minimum 2 HDD required)
RAID 5 – Striping with Parity (minimum 3 HDD required)

Of these, only RAID levels 1 and 5 give redundancy.

RAID Level 0 requires a minimum of 2 drives to implement.

For highest performance, the controller must be able to perform two concurrent separate Reads per mirrored pair or two duplicate Writes per mirrored pair.

RAID Level 1 requires a minimum of 2 drives to implement.


Each entire data block is written on a data disk; parity for blocks in the same rank is generated on Writes, recorded in a distributed location and checked on Reads.

RAID Level 5 requires a minimum of 3 drives to implement.
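The distributed-parity scheme just described, as an added simulation that is not part of these notes: data blocks are striped across N disks with the parity block rotating between disks, and one failed disk is rebuilt by XORing the survivors in each stripe. The array geometry and the sample data are constructed.

```python
"""Simulate RAID 5: stripe data blocks across N disks with the parity block
rotating between disks, then rebuild one failed disk from the survivors.
The disk count, block size and data are constructed sample values."""

def xor_blocks(blocks):
    """Bytewise XOR of equally sized blocks: the RAID 5 parity function."""
    out = bytearray(len(blocks[0]))
    for block in blocks:
        for i, byte in enumerate(block):
            out[i] ^= byte
    return bytes(out)

def parity_disk_for(stripe_index, ndisks):
    """Distributed parity: stripe 0 puts parity on the last disk, stripe 1 on
    the one before it, and so on, so no single disk takes every parity write."""
    return (ndisks - 1) - (stripe_index % ndisks)

def raid5_write(data, ndisks, block_size):
    """Return one list of blocks per disk; each stripe holds ndisks-1 data
    blocks plus one parity block generated on the write."""
    if ndisks < 3:
        raise ValueError("RAID 5 requires a minimum of 3 drives")
    chunks = [data[i:i + block_size].ljust(block_size, b"\x00")
              for i in range(0, len(data), block_size)]
    per_stripe = ndisks - 1
    disks = [[] for _ in range(ndisks)]
    for s in range(0, len(chunks), per_stripe):
        stripe = chunks[s:s + per_stripe]
        stripe += [b"\x00" * block_size] * (per_stripe - len(stripe))  # pad last stripe
        pdisk = parity_disk_for(s // per_stripe, ndisks)
        parity = xor_blocks(stripe)
        data_iter = iter(stripe)
        for d in range(ndisks):
            disks[d].append(parity if d == pdisk else next(data_iter))
    return disks

def raid5_read(disks, length):
    """Reassemble the original bytes, skipping the parity block of each stripe."""
    ndisks = len(disks)
    out = b""
    for s in range(len(disks[0])):
        pdisk = parity_disk_for(s, ndisks)
        for d in range(ndisks):
            if d != pdisk:
                out += disks[d][s]
    return out[:length]

def rebuild_disk(disks, failed):
    """Recover every block of one failed disk: each block, data or parity,
    is the XOR of the other disks' blocks in the same stripe."""
    survivors = [d for d in range(len(disks)) if d != failed]
    return [xor_blocks([disks[d][s] for d in survivors])
            for s in range(len(disks[0]))]

def usable_fraction(ndisks):
    """Capacity left for data: one disk's worth of the array holds parity."""
    return (ndisks - 1) / ndisks

if __name__ == "__main__":
    sample = b"constructed sample data for a four-disk RAID 5 array"
    array = raid5_write(sample, 4, 8)
    lost = 2                               # pretend the third drive failed
    array[lost] = rebuild_disk(array, lost)
    print(raid5_read(array, len(sample)) == sample)
```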

RAID Level 0+1 requires a minimum of 4 drives to implement.

RAID Levels 0+1 (01) and 1+0 (10) (required minimum 4 hard disks)

Common Name(s): RAID 0+1, 01, 0/1, "mirrored stripes"; RAID 1+0, 10, 1/0, "striped mirrors"

Technique(s) Used: Mirroring and striping without parity.

• Strengths: Highest performance, highest data protection (can tolerate multiple drive failures).

• Weaknesses: High redundancy cost overhead; because all data is duplicated, twice the storage capacity is required; requires a minimum of four drives.

DRIVE 1         DRIVE 2         DRIVE 3         DRIVE 4
Data A          Data A          mA              mA
Data B          Data B          mB              mB
Data C          Data C          mC              mC
Original Data   Original Data   Mirrored Data   Mirrored Data


INFORMATION TECHNOLOGY INFRASTRUCTURE LIBRARY

ITIL: Information Technology Infrastructure Library is a framework of best practices to manage IT operations and services.

Incident Management: It is a process to manage disruptions in critical IT services and restore them ASAP.

An Incident is a disruption of normal service that affects the user and the business. The goal of IM is to restore IT services to normal state ASAP with a workaround or solution, to make sure that it does not affect the business.

Problem Management: It is to find the root cause of incidents and reduce the impact on the business. Problem management is a proactive approach that prevents the recurrence of incidents.

Change Management: The Change management process helps you coordinate changes with minimal disruptions and accepted risk.

Release Management: The goal of Release management is to plan, educate users and implement changes smoothly.

CMDB (Configuration Management DataBase): The goal of CMDB is to build and maintain an asset database of hardware, software, associated documents and their relationships.

CLUSTER

Clustering is a technology which is used to provide high availability for mission critical applications. We can configure a cluster by installing the MCS (Microsoft Cluster Service) component from Add/Remove Programs, which is available in Enterprise Edition and Datacenter Edition.

NLB (Network Load Balancing) Cluster is for balancing load between servers. This cluster will not provide any high availability.

Server Cluster provides high availability by configuring an active-active or active-passive cluster.

Quorum: Shared storage that needs to be provided for all servers; it keeps information about the clustered application and session state, which is useful in a FAILOVER situation. This is very important: if the quorum disk fails, the entire cluster will fail.

Heartbeat is a private connection between the servers in the cluster, which is used to identify the status of the other servers in the cluster.

FIREWALL

A firewall is used to prevent unauthorized users from accessing private networks that are connected to other networks.

Typically, a firewall prevents external users from accessing the internal corporate network from the Internet.


INTERNETWORKING

Internetworking: Take two or more LANs or WANs and connect them via a Router, and configure a logical address networking scheme with a protocol like IP.

Network Segmentation: Breaking up a larger network into a number of smaller ones.

Possible causes of LAN traffic congestion:
• Too many hosts in a broadcast domain | Broadcast storms
• Multicasting | Low bandwidth

Routers: are used to connect networks together and route packets of data from one network to another.

By default routers break up a broadcast domain and collision domain. By default routers don't forward broadcasts.

Switches: The main purpose of a switch is to make a LAN work better, to optimize its performance and to provide more bandwidth for LAN users.

Switches don't forward packets to other networks. They "switch" frames from one port to another within the switched network. By default, switches break up broadcast domain and collision domain. Each and every port on a switch represents its own collision domain.

HUB: It has only one broadcast and collision domain.

Bridge: It has only two or four ports (up to 16 ports).

OSI (Open System Interconnection): In 1970, the OSI reference model was created by ISO (International Organization for Standardization).

OSI Model: It is the primary architectural model for networks. It describes how data and network information are communicated from an application on one computer through the network media to an application on another computer. The primary purpose of the OSI model is to allow different vendors' networks to interoperate.

OSI Layers: The OSI has seven different layers, divided into two groups. The top 3 layers define how the applications within the end stations will communicate with each other and with users. The bottom 4 layers define how data is transmitted end to end.

Application Layer – File, print, message, database and application services
Presentation Layer – Data encryption, compression and translation services
Session Layer – Dialog control
Transport Layer – End to end connection – Segments
Network Layer – Routing – Packets
Datalink Layer – Framing – Frames


Physical Layer – Physical topology – Bits

Three types of cables are:
1. Straight through – Host to Switch & Router to Switch
2. Cross Over – Host to Host, Switch to Switch & Router to Host
3. Rolled – Router console serial communication

1. Straight Through Cable: 2. Cross Over Cable: (pinout diagrams of pins 1, 2, 3 and 6; the figures are not reproduced here)

Private IP Address Range:
Class A – 10.0.0.0 through 10.255.255.255
Class B – 172.16.0.0 through 172.31.255.255
Class C – 192.168.0.0 through 192.168.255.255

Subnetting: Take one larger network and break it into a bunch of smaller networks.

Reasons for subnetting:
• Reduced network traffic
• Optimized network performance
• Simplified management

IP Routing: It is the process of moving packets from one network to another network using a Router.

Routing Protocol: It is used by routers to dynamically find all the networks in the internetwork and to ensure that all routers have the same routing table. Eg.: RIP, IGRP, EIGRP & OSPF

Routed Protocols: These can be used to send user data (packets) through the established enterprise. Eg.: IP & IPX

Types of Routing:
1. Static Routing
2. Default Routing
3. Dynamic Routing

Static Routing: Manually add routes in each router's routing table.



Default Routing: To send packets with a remote destination network host in therouting table to the next hop counter.

Dynamic Routing: Protocols are used to find networks and update routing tableson routers.

Administrative Distance: It is used to rate the trustworthiness of routinginformation received on a router from a neighbor router. AD - 0 to 255, 0 is themost trusted | 255 no traffic will be passed via this route.

Route Source Default AD:Connected Interface 0Static Route 1EIGRP 90IGRP 100OSPF 110RIP 120

External EIGRP 170Unknown 255Hop: Each time a packet goes through a router.

RIP & IGRP (Using) - Distance Vector ProtocolOSPF (Using) – Link State ProtocolEIGRP (Using) – Hybrid protocols

RIP (Routing Information Protocol): It sends the complete routing table out to all active interfaces every 30 seconds.

Hop count – 15 by default

IGRP (Interior Gateway Routing Protocol): Same as RIP but uses an Autonomous System Number. All routers must use the same number in order to share routing table information.

Hop count – 100 by default
Autonomous System Number – 1 to 65535
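The distance-vector behaviour that RIP's 15-hop limit comes from, as an added Python simulation (not from the original notes). Each round stands for one full-table exchange over every link; a receiving router adds one hop to every metric it hears and keeps the best path. With 16 meaning unreachable, a network 17 routers away never enters the table, which the constructed chain topology below shows. Router names R0..R17, network names "N" and "M", and the function names are this example's own.

```python
INFINITY = 16  # RIP: a route more than 15 hops away is unreachable


def receive_update(table, neighbor, advertised):
    """Process one full-table advertisement from a neighbor (distance vector).

    table: {network: (hop_count, next_hop)} for the receiving router.
    advertised: the neighbor's table.  Every learned metric is the neighbor's
    metric plus one hop, capped at INFINITY.  Returns True if anything changed.
    """
    changed = False
    for net, (metric, _) in advertised.items():
        new_metric = min(metric + 1, INFINITY)
        current = table.get(net)
        if current is None:
            if new_metric < INFINITY:          # ignore unreachable routes we never had
                table[net] = (new_metric, neighbor)
                changed = True
        elif new_metric < current[0]:          # strictly better path
            table[net] = (new_metric, neighbor)
            changed = True
        elif current[1] == neighbor and new_metric != current[0]:
            # the next hop we already use changed its metric: follow it, even
            # upwards, which is how a withdrawn network propagates
            table[net] = (new_metric, neighbor)
            changed = True
    return changed


def converge(links, connected, max_rounds=100):
    """Exchange full tables over every link until no table changes.

    links: list of (router_a, router_b) pairs; connected: {router: [networks]}.
    Returns ({router: table}, rounds used).  One round stands for one
    30-second RIP update on every interface.
    """
    tables = {r: {net: (0, None) for net in nets} for r, nets in connected.items()}
    for rounds in range(1, max_rounds + 1):
        changed = False
        for a, b in links:
            for sender, receiver in ((a, b), (b, a)):
                if receive_update(tables[receiver], sender, dict(tables[sender])):
                    changed = True
        if not changed:
            return tables, rounds
    return tables, max_rounds


def reachable(table, net):
    """True when the network is in the table with a metric below INFINITY."""
    entry = table.get(net)
    return entry is not None and entry[0] < INFINITY


def chain_topology(length):
    """Constructed sample: routers R0..R(length-1) in a line, M behind R0, N behind the last."""
    names = ["R%d" % i for i in range(length)]
    links = [(names[i], names[i + 1]) for i in range(length - 1)]
    connected = {name: [] for name in names}
    connected[names[0]] = ["M"]
    connected[names[-1]] = ["N"]
    return links, connected


if __name__ == "__main__":
    tables, rounds = converge(*chain_topology(18))
    print("converged after", rounds, "rounds")
    for r in ("R0", "R1", "R2", "R15"):
        print(r, "N:", tables[r].get("N"), "M:", tables[r].get("M"))
```

With 18 routers in a row, R2 is exactly 15 hops from N and still reaches it; R1 and R0 would need 16 and 17 hops and never learn the route, even though the path physically exists. That is the practical ceiling the "Hop count – 15" line above describes.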

Access List: It can be used to permit or deny packets moving through the router. An access list filters unwanted packets when implementing security policies.
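The access-list evaluation rule (top-down, first match wins, implicit deny at the end) as an added Python model, not code from the original notes. It also includes a small audit check for lines that can never match because an earlier line already covers them, which is the mistake most often found when reviewing a filtering policy. The `AclEntry` class, the constructed sample list and the packets are this example's own.

```python
import ipaddress

ANY = "0.0.0.0/0"   # the 'any' keyword of an access list


class AclEntry:
    """One line of an access list, e.g. 'permit tcp 10.1.1.0/24 host 10.2.2.10 eq 443'."""

    def __init__(self, action, proto, src, dst, dst_port=None):
        self.action = action                     # "permit" or "deny"
        self.proto = proto                       # "ip" matches any protocol
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.dst_port = dst_port                 # None stands for any port

    def matches(self, pkt):
        return ((self.proto == "ip" or self.proto == pkt["proto"])
                and ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and (self.dst_port is None or self.dst_port == pkt.get("dport")))

    def covers(self, other):
        """True if every packet matched by `other` is also matched by this entry."""
        return ((self.proto == "ip" or self.proto == other.proto)
                and other.src.subnet_of(self.src)
                and other.dst.subnet_of(self.dst)
                and (self.dst_port is None or self.dst_port == other.dst_port))


def evaluate(acl, pkt):
    """Top-down, first match wins; a packet matching no line hits the implicit deny.

    Returns (action, index of the matching line), with index None for the implicit deny.
    """
    for idx, entry in enumerate(acl):
        if entry.matches(pkt):
            return entry.action, idx
    return "deny", None


def shadowed(acl):
    """Indexes of lines that can never match because an earlier line covers them."""
    return [i for i, entry in enumerate(acl)
            if any(earlier.covers(entry) for earlier in acl[:i])]


# constructed sample policy: one subnet may reach a single HTTPS server and nothing else;
# everyone else is allowed through
ACL = [
    AclEntry("permit", "tcp", "10.1.1.0/24", "10.2.2.10/32", 443),
    AclEntry("deny",   "ip",  "10.1.1.0/24", ANY),
    AclEntry("permit", "ip",  ANY, ANY),
]

if __name__ == "__main__":
    packets = [
        {"proto": "tcp", "src": "10.1.1.5", "dst": "10.2.2.10", "dport": 443},
        {"proto": "tcp", "src": "10.1.1.5", "dst": "10.2.2.10", "dport": 80},
        {"proto": "udp", "src": "192.168.1.1", "dst": "10.2.2.10", "dport": 53},
    ]
    for pkt in packets:
        print(pkt, "->", evaluate(ACL, pkt))
    print("shadowed lines:", shadowed(ACL))
    # swapping the last line to the top makes every other line unreachable
    print("shadowed after reordering:", shadowed([ACL[2], ACL[0], ACL[1]]))
```

Two things worth checking on any real list follow directly from the model: a list with only permit lines still blocks everything it does not name (the implicit deny), and a broad line placed early silently disables everything after it.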

Three types of modes:
1. User mode
2. Privileged mode
3. Global Configuration Mode

Router AUX port – to connect the modem
Router AUI port – Attachment Unit Interface for a 10Mbps Ethernet network connection

Running Configuration stored in DRAM
Startup Configuration stored in NVRAM


EXCHANGE SERVER 2003

Pre-requisites:

• .NET Framework

• ASP.NET

• WWW Service

• SMTP

• NNTP

ForestPrep updates the schema and configuration partition in Active Directory.

\setup.exe /forestprep

Domainprep updates the domain partition in Active Directory.

\setup.exe /domainprep

Exchange Server 2003 is licensed in per seat mode only.

Unattended installation answer file type is .ini

Front End Server – Incoming client connections

Back End Servers – Mailboxes and Public folders

Front end and back end servers are used mainly for load balancing and redundancy.

Recipient Object Types:


• User

• Contact

• Group

• Public folder

User Recipient:

• Mailbox enabled user – mailbox in Exchange Server, user account in AD

• Mail enabled user – does not have a mailbox in Exchange Server. The official email ID is assigned to a personal email ID.

Contact Recipient: Similar to a mail enabled user; used to send mail to a particular address outside the organization.

Deleted mailbox retention period is 30 days by default.

Deleted items retention period is 7 days by default.

Backup data – transaction logs and database files.