Active Directory
Netmetric Solutions (Meer Shahanawaz) (Abdullah)

Topics for FSMO
• PDC Emulator
• Infrastructure Master
• RID Master
• Schema Master
• Domain Naming Master
• Troubleshooting FSMO
• Transfer FSMO Roles (another page)

Domain Wide Roles

PDC Emulator
Of the five roles, this is the one you will miss soonest. Not only will NT 4.0 BDCs complain, there will be no time synchronization (the PDC emulator is the authoritative time source for the domain), and you will probably be unable to change or troubleshoot Group Policy, because by default the Group Policy editor connects to the PDC emulator. Password changes and account lockouts are forwarded to it as well.

Implications for Duplicates
If the old PDC emulator returns after the role has been seized, it is not as serious as a duplicate of some of the other roles: replication tells the returning machine that it no longer holds the role. So if the PDC emulator is lost, quickly seize the role on another machine.

RID Master
One Domain Controller hands each of the other Domain Controllers a pool of unique Relative Identifiers (RIDs). The RID becomes the final component of the SID of every new security principal, so the pool is what guarantees that no two new users, groups or computers get the same SID.

If you lose the RID master, the chances are good that the existing Domain Controllers have enough unused RIDs to last a week or so (each DC holds a pool of 500 by default and requests a fresh pool when half of it is used), so do not be in a hurry to seize.

Implications for Duplicates
You must never allow two RID masters: two machines issuing overlapping pools could produce two objects with the same SID, which would be disastrous. So if the original is found after the role has been seized, it must be reformatted and reinstalled before it rejoins the forest.

Infrastructure Master
The consequence of a missing Infrastructure Master is that cross-domain group memberships may be displayed incompletely or out of date, because the Infrastructure Master is what updates the references your domain holds for users and groups that live in other domains of the forest. If you only have one domain there is no impact. One practical caveat: unless every Domain Controller is a Global Catalog, do not put this role on a Global Catalog, because a Global Catalog already holds copies of the referenced objects and the Infrastructure Master will then never notice that a reference is stale.

Implications for Duplicates
No damage occurs if the old Infrastructure Master returns; just check the Operations Masters and decide which machine should hold the role.

Forest Wide Roles

Schema Master
If you lose the Schema Master it is serious in the long term, because you cannot install Exchange 2003 or otherwise extend the schema. In the short term, however, no one will notice a missing Schema Master, so try to repair the old one rather than seize the role.

Implications for Duplicates
You must not allow two Schema Masters, so if the original is found or repaired after a seizure it must be completely rebuilt rather than allowed back into the forest.

Domain Naming Master
This forest-wide role is responsible for adding and removing domains, that is, child domains and new trees. Unless you are about to run DCPROMO to create or remove a domain you will not miss this FSMO role, so wait rather than seize it.

Implications for Duplicates
You must not allow the original Domain Naming Master to return after a seizure; rebuild it before you let the machine back into the forest.

Windows Server 2003 - Global Catalog Server

Mastering the Global Catalog will not only give your users a better network experience, but also teach you about Windows Server 2003's Active Directory. Global Catalogs are deceptive: the bigger your Active Directory forest, the more important it is to configure Global Catalogs. If you have Exchange 2003 there are extra reasons to position Global Catalogs close to the users, because Outlook's address-book lookups are answered by a Global Catalog.

Topics for Windows Server 2003 Global Catalog
• Global Catalog - From a User's Perspective
• Global Catalog - Key Concepts
• Configuring Global Catalog
• No worries if you only have one Domain
• Global Catalog Servers Summary

Global Catalog - From a User's Perspective
Your average user wants answers to questions such as "Where is my Domain Controller?" or "Find this email address in the GAL." Naturally people don't vocalise these requests; they log on to the domain and they send email with Outlook. The role of the Global Catalog Server is to answer such requests for network resources, for example LDAP queries to find a Domain Controller or an Exchange 2003 Server.

Global Catalog - Key Concepts
Now we come to the key Global Catalog concepts. Surprisingly, not every domain controller is a global catalog server. By default there is only one, the first domain controller promoted in the forest. Microsoft's thinking is that you may not want the extra overhead of a global catalog on every server, and the more global catalog servers you have, the more replication traffic on your network.

Every Domain Controller knows about its own domain; after all, managing directory services is what a Domain Controller does. Domain Controllers that are also Global Catalog Servers additionally hold a partial, read-only copy of every other domain in the forest (key point). Microsoft's concern is that a Universal Group in another domain may carry restrictions, so before a user logs on the Domain Controller must be able to enumerate the user's Universal Group membership, just in case a Universal Group, and hence the user, has been denied access. Incidentally, you may have seen Universal Group Membership Caching, one of the new features of Windows Server 2003, which neatly solves this latency for sites that have no Global Catalog of their own.

Configuring Global Catalog
Configuring a Domain Controller as a Global Catalog is a knack. Once you have drilled down and ticked the Global Catalog box, you always remember that tortuous path.

Let us begin at the Active Directory Sites and Services snap-in. Expand Sites, Default-First-Site-Name, Servers. Select your server, find NTDS Settings, right-click it and choose Properties. All that remains is to tick the Global Catalog box. (See diagrams opposite.)

With Windows 2000 Server you had to reboot, and eccentrically the interface did not tell you so. All this nonsense is cured in Windows Server 2003: you do not have to reboot when you enable or disable the Global Catalog. The only variation on these instructions is that your servers may be in different sites and not in the strangely named Default-First-Site-Name.

If you have firewall restrictions: LDAP uses TCP port 389 for read and write operations against a domain and TCP port 3268 for global catalog search operations; the TLS-protected equivalents are 636 and 3269.

No worries if you only have one Domain
To be honest, if you have only one domain then nothing bad will happen if you don't have a local Global Catalog server. However, if you have a forest of several domains then delays can be a problem unless you place Global Catalog servers judiciously. The root of the problem is enumerating Universal Group membership. In a single domain it's pointless using Universal Groups, and even if you did, their members would all be users of your own domain. There are no other domains to check.
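The FSMO and Global Catalog procedures above are described as click paths. The following PowerShell is an added example, not code from the original slides or from Netmetric Solutions: it reports the five role holders, lists which Domain Controllers are Global Catalogs, flags the Infrastructure Master trap, sets the same NTDS Settings bit that the Global Catalog checkbox writes, and probes the four LDAP ports. It assumes the RSAT ActiveDirectory module on a domain-joined host (which needs Active Directory Web Services on at least one DC, or the Management Gateway Service on a Windows Server 2003 DC); the function names and the target DC02 in the commented role moves are hypothetical.

```powershell
# Added example (not from the original slides): audit FSMO role holders and
# Global Catalog placement with the RSAT ActiveDirectory module, and enable a
# GC without the Sites and Services click path. Read operations need any
# domain user; role moves and the GC change need Domain/Enterprise Admins.
Import-Module ActiveDirectory

$forest = Get-ADForest
$domain = Get-ADDomain

# Forest-wide roles (one holder per forest) and domain-wide roles (one per domain)
[pscustomobject]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
} | Format-List

# Global Catalog placement: every DC in the domain, its site and its GC flag
$dcs = Get-ADDomainController -Filter *
$dcs | Select-Object HostName, Site, IsGlobalCatalog, OperationMasterRoles |
    Sort-Object Site | Format-Table -AutoSize

# Infrastructure Master trap: if it is a GC while some DCs are not, it never
# refreshes the cross-domain references described in the slides.
$im = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
$everyDcIsGc = -not ($dcs | Where-Object { -not $_.IsGlobalCatalog })
if ($im.IsGlobalCatalog -and -not $everyDcIsGc) {
    Write-Warning "Infrastructure Master $($im.HostName) is a GC; move the role to a non-GC DC or make every DC a GC."
}

# Enable or disable the GC on a DC by flipping bit 1 (NTDSDSA_OPT_IS_GC) of the
# 'options' attribute on its NTDS Settings object. This is exactly what the
# Global Catalog checkbox in Sites and Services writes; no reboot on 2003+.
function Set-GlobalCatalog {
    param(
        [Parameter(Mandatory)][string]$DcHostName,
        [bool]$Enabled = $true
    )
    $dc   = Get-ADDomainController -Identity $DcHostName
    $ntds = Get-ADObject -Identity $dc.NTDSSettingsObjectDN -Properties options
    $opts = [int]$ntds.options
    $opts = if ($Enabled) { $opts -bor 1 } else { $opts -band (-bnot 1) }
    Set-ADObject -Identity $ntds -Replace @{ options = $opts }
}

# Firewall check for the ports the slides list: 389/636 LDAP, 3268/3269 GC.
function Test-GcPorts {
    param([Parameter(Mandatory)][string]$Server)
    foreach ($port in 389, 636, 3268, 3269) {
        $r = Test-NetConnection -ComputerName $Server -Port $port -WarningAction SilentlyContinue
        [pscustomobject]@{ Server = $Server; Port = $port; Open = $r.TcpTestSucceeded }
    }
}
Test-GcPorts -Server $domain.PDCEmulator | Format-Table -AutoSize

# Transfer (old holder still online) versus seize (old holder gone for good).
# DC02 is a hypothetical target. After seizing the RID, Schema or Domain Naming
# master, the old holder must be rebuilt and never simply powered back on.
# Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole PDCEmulator
# Move-ADDirectoryServerOperationMasterRole -Identity DC02 -OperationMasterRole RIDMaster -Force
```

The -Force switch is what turns a transfer into a seizure; without it the cmdlet contacts the current holder and refuses if it is unreachable, which is the behaviour you want for the PDC emulator (seize quickly) but not for the RID master (wait, as the slides advise).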
Global Catalog Servers Summary
The key point with Active Directory is that Domain Controllers which are not also Global Catalog Servers cannot work out a user's Universal Group memberships in other domains. For security, until it has contacted a Global Catalog server the Domain Controller cannot proceed with the logon request. With this knowledge you can plan extra Global Catalog servers. However, if you only have one domain, there is no need for any more Global Catalog servers.

Windows Server 2003 - Schema

Introduction to Windows 2003's Schema
The Windows Server 2003 Schema snap-in is not available by default (you must register schmmgmt.dll with regsvr32 before it appears in the MMC). There lies a clue that ordinary administrators are not meant to change the Schema. However, to complete your understanding of Active Directory, take time to appreciate the object model that underpins Windows Server 2003.

Topics for Windows Server 2003 Schema
• What you need to know about the Schema
• Major changes compared with Windows 2000
• Getting Started
• Recommendations

What you need to know about the Schema

Object based Nature
It is useful to understand the nature of the Schema. Active Directory is an object-based system. The schema holds the definition of each kind of object, such as Computer or User. The definitions are divided into Classes and Attributes, and the Schema recycles attributes: an attribute like location is defined once and an instance of it is applied to the site, printer or computer object.

Flexible Master
The Schema Master is one of the five single-master operations. Every domain controller holds a copy of the schema, but only the Schema Master accepts writes to it. Take the time to find out which machine holds the Schema Master role: right-click the Schema snap-in and select Operations Master from the shortcut menu.

Modification by Exchange 2003 and Schema Admins
Exchange 2003 relies on Active Directory for the definitions of users' mailboxes. When you install Exchange 2003 you must first be a member of the Schema Admins group; Exchange then extends the schema with extra attributes such as the mailbox server. While it is possible to add attributes and classes yourself, resist. Modifying the schema affects the entire forest and in my opinion should only be done by a developer when there is a clear business need.

Role of the Global Catalog
The Global Catalog server keeps track of a subset of the most important attributes (the partial attribute set), and replicates this information to the other Global Catalog servers. Be aware that you can add extra attributes to the list; for example, department could be replicated. The benefit is that you could then search the whole forest on department or on any other attribute that you added.

Major changes compared with Windows 2000

Deactivating attributes
Active Directory will not allow you to delete classes or attributes, but you can deactivate (mark as defunct) those you are sure will not be needed.

Improved replication
In Windows Server 2003, linked-value replication sends only the changed values of a multi-valued attribute such as group membership, rather than the whole attribute as Windows 2000 did. The benefit is less replication traffic and less chance of a conflict.

WINS Servers in Windows 2003 - The Basics

WINS - The Basics of Name Resolution
It goes without saying that you have to implement DNS, but that's another story. In this section I want to concentrate on WINS, for those few occasions where NetBIOS name resolution is vital. While both WINS and DNS map computer names to IP addresses, there are two important differences: DNS is hierarchical and a fully qualified name can be up to 255 characters (63 per label), whereas WINS is a flat database of NetBIOS names limited to 15 characters plus a one-byte service suffix. One of the few advantages WINS formerly had over DNS was that WINS is dynamic. Well, starting with Windows 2000, DNS is dynamic too, so the only point of WINS in the 21st century is NetBIOS name resolution for applications that still need it.

Keep in mind, especially when troubleshooting, why we need databases such as WINS or DNS at all. The answer is name resolution.
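Returning to the Schema section above: finding the Schema Master, seeing which attributes the Global Catalog carries, adding one (the department example), and deactivating one are all done through the MMC snap-in in the slides. The following PowerShell is an added example, not code from the original slides or from Netmetric Solutions; it assumes the RSAT ActiveDirectory module, and the function names and the obsolete attribute name in the final commented line are hypothetical.

```powershell
# Added example (not from the original slides): inspect the schema and the
# Global Catalog's partial attribute set with the RSAT ActiveDirectory module.
# Reads work as any domain user; the two write functions need Schema Admins
# and are aimed at the Schema Master, the only DC that accepts schema writes.
Import-Module ActiveDirectory

# The MMC Schema snap-in only appears after:  regsvr32 schmmgmt.dll
$schemaNC     = (Get-ADRootDSE).schemaNamingContext
$schemaMaster = (Get-ADForest).SchemaMaster
"Schema master: $schemaMaster"

$attrProps = 'lDAPDisplayName', 'attributeSyntax', 'isSingleValued',
             'isMemberOfPartialAttributeSet', 'isDefunct', 'systemFlags'

function Get-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    Get-ADObject -Server $schemaMaster -SearchBase $schemaNC -Properties $attrProps `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
}

# The 'department' attribute the slides use as their example
Get-SchemaAttribute -LdapDisplayName department | Format-List $attrProps

# Everything currently replicated to every GC (the partial attribute set)
$pas = Get-ADObject -SearchBase $schemaNC -Properties lDAPDisplayName `
    -LDAPFilter '(&(objectClass=attributeSchema)(isMemberOfPartialAttributeSet=TRUE))'
"{0} attributes in the partial attribute set" -f @($pas).Count

# Add an attribute to the GC so forest-wide searches can filter on it. In a
# Windows Server 2003 forest this no longer forces a full resync of every GC.
function Add-AttributeToGlobalCatalog {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $attr = Get-SchemaAttribute -LdapDisplayName $LdapDisplayName
    if (-not $attr) { throw "No such attribute: $LdapDisplayName" }
    Set-ADObject -Server $schemaMaster -Identity $attr -Replace @{ isMemberOfPartialAttributeSet = $true }
}

# Deactivate (never delete) an attribute you are sure is unused. Base-schema
# attributes carry systemFlags bit 0x10 (FLAG_SCHEMA_BASE_OBJECT) and refuse it.
function Disable-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $attr = Get-SchemaAttribute -LdapDisplayName $LdapDisplayName
    if (-not $attr) { throw "No such attribute: $LdapDisplayName" }
    if (([int]$attr.systemFlags) -band 0x10) {
        throw "$LdapDisplayName is part of the base schema and cannot be deactivated"
    }
    Set-ADObject -Server $schemaMaster -Identity $attr -Replace @{ isDefunct = $true }
}

# Add-AttributeToGlobalCatalog -LdapDisplayName department
# Disable-SchemaAttribute -LdapDisplayName myCompanyObsoleteAttribute   # hypothetical name
```

A defunct attribute can be reactivated by setting isDefunct back to FALSE, which is the practical reason the slides prefer deactivation over the deletion Active Directory does not offer.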
We humans prefer to remember friendly names like BigServer, whereas computers prefer IP addresses in dotted-decimal notation. Name resolution started with two files, hosts and LMHosts. The hosts file evolved into DNS, and WINS took over the name resolution provided by LMHosts. Every Microsoft machine is born with these files in the folder %systemroot%\system32\drivers\etc. Here is a typical entry for LMHosts:

bigserver