Windows 2000 servers running Directory Services (DS) perform an online defragmentation of the directory every 12 hours by default as part of the garbage-collection process. This online defragmentation only moves data around inside the database file (ntds.dit) and doesn't reduce the file's size. To create a new, smaller ntds.dit file through an offline defragmentation, perform the following steps.

1. Back up Active Directory (AD) (see the FAQ "How do I back up Active Directory and the System State?").
2. Reboot the server, select the OS option, and press F8 for advanced options.
3. Select the Directory Services Restore Mode option, and press Enter. Press Enter again to start the OS.
4. Win2K will start in safe mode, with no DS running.
5. Log on with the local SAM's Administrator account (the Directory Services Restore Mode password you set when you promoted the server).
6. You'll see a dialog box that says you're in safe mode. Click OK.
7. From the Start menu, select Run and type cmd.exe.
8. In the command window, enter the following commands (the prompt changes as you move through ntdsutil's menus):

   C:\> ntdsutil
   ntdsutil: files
   file maintenance: info
   ....
   file maintenance: compact to c:\temp

9. You'll see the defragmentation process. If the process was successful, enter quit twice to return to the command prompt:

   file maintenance: quit
   ntdsutil: quit

10. Then, replace the old ntds.dit file with the new, compacted version:

   C:\> copy c:\temp\ntds.dit %systemroot%\ntds\ntds.dit

Keep a copy of the original ntds.dit (and the backup from step 1) until the DC has restarted normally and replication has been confirmed working; if the compacted file turns out to be unusable, you can put the original back without a restore.
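The same offline compaction, scripted with the guards a practitioner wants around it. This is an added example and not part of the original FAQ: it assumes PowerShell is available in Directory Services Restore Mode, that ntdsutil accepts its menu commands as command-line arguments (true on later Windows versions; treat it as an assumption for Windows 2000), and that ntdsutil's integrity report contains the words "Integrity check successful".

```powershell
# Added example (not from the original FAQ): offline compaction of ntds.dit with guards.
# Assumptions: PowerShell is available in DS Restore Mode; ntdsutil accepts menu
# commands as arguments; the integrity report contains "Integrity check successful".
param(
    [string]$TempDir = 'C:\temp',
    [string]$NtdsDir = (Join-Path $env:SystemRoot 'ntds')
)
$ErrorActionPreference = 'Stop'

# Guard 1: only run when the box was booted into Directory Services Restore Mode.
# The OS sets SAFEBOOT_OPTION=DSREPAIR in that mode; setting the variable by hand
# on a live DC does not stop the directory service and risks database damage.
if ($env:SAFEBOOT_OPTION -ne 'DSREPAIR') {
    throw "Not in Directory Services Restore Mode (SAFEBOOT_OPTION='$($env:SAFEBOOT_OPTION)'). Aborting."
}

# Guard 2: the directory service must not be running (it is not in DSRM, but check anyway).
$svc = Get-Service -Name NTDS -ErrorAction SilentlyContinue
if ($svc -and $svc.Status -eq 'Running') { throw 'The NTDS service is running; aborting.' }

$oldDit = Join-Path $NtdsDir 'ntds.dit'
$newDit = Join-Path $TempDir 'ntds.dit'
if (-not (Test-Path -LiteralPath $oldDit)) { throw "Database not found at $oldDit" }
New-Item -ItemType Directory -Path $TempDir -Force | Out-Null
if (Test-Path -LiteralPath $newDit) { Remove-Item -LiteralPath $newDit -Force }

$before = (Get-Item -LiteralPath $oldDit).Length

# Same commands as the interactive session in the FAQ, passed as arguments.
& ntdsutil.exe 'files' "compact to $TempDir" 'quit' 'quit' | Write-Host
if (-not (Test-Path -LiteralPath $newDit)) {
    throw 'Compaction produced no file; the original database is untouched.'
}
$after = (Get-Item -LiteralPath $newDit).Length
Write-Host ("ntds.dit: {0:N0} bytes before, {1:N0} bytes after compaction" -f $before, $after)

# Keep the original so the swap can be undone, then put the compacted file in place.
$backup = "$oldDit.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -LiteralPath $oldDit -Destination $backup
Copy-Item -LiteralPath $newDit -Destination $oldDit -Force

# Check the file that will be loaded at the next boot before leaving DSRM.
$report = & ntdsutil.exe 'files' 'integrity' 'quit' 'quit' | Out-String
Write-Host $report
if ($report -notmatch 'Integrity check successful') {
    Copy-Item -LiteralPath $backup -Destination $oldDit -Force
    throw 'Integrity check did not report success; original ntds.dit restored. Do not reboot normally until this is resolved.'
}
Write-Host "Compaction complete. Backup of the old database: $backup"
```

Run it from the DSRM command prompt after the backup in step 1; the SAFEBOOT_OPTION check is what stops the script from being run by mistake on a DC that is still serving the directory.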
The KCC runs every 15 minutes, adjusting the topology as necessary. As you create new DCs, the KCC automatically places them in the ring. To view the DC links, you can use the Microsoft Management Console (MMC) Active Directory Sites and Services snap-in: expand the site, the Servers container, and the server. Under the NTDS Settings branch are the connection objects the KCC created. Because the KCC runs on all DCs, the rings are ordered by the DCs' globally unique IDs (GUIDs) to ensure that every DC converges on the same topology.

An exception to the ring rule is that no more than three hops can exist between any two DCs within the ring. To protect the three-hop rule, the KCC adds extra links once a site has seven or more DCs, as the Figure shows.

These rings are for the same naming context (i.e., domain) in one site. If you have multiple domains in a site, a ring exists for each domain in the site. Another type of ring replicates schema and configuration information between DCs, as the Figure shows. Because all the domains share this information (i.e., it is forestwide), each site has only one such ring. Thus, if you have two domains in a site, you have three rings: one ring for each domain and one ring for the schema and configuration information. If you have only one domain in a site, one ring functions as both.

Manual configuration of intrasite replication is unnecessary, and Microsoft doesn't recommend it. The only task you might need to perform is adding extra connection objects to reduce the hop count between DCs.

When you make a change to the naming context (i.e., domain) data, the DC's local copy of Active Directory (AD) records the change, then the DC waits 5 minutes (by default) before notifying its replication partners of the change. You can continue to make changes during this period. The delay exists so that all the accumulated changes transmit at once.
If no changes occur during a particular period (which you can configure in the intrasite connection object's schedule), a replication sequence initiates anyway to ensure that no changes were missed. The SAM or the Local Security Authority (LSA) can trigger urgent replication for the following events: a newly locked-out account (e.g., if you fire someone), a change to an LSA secret (i.e., a trust account), and state changes to the Relative Identifier (RID) Manager. These events trigger immediate notification rather than waiting out the 5-minute delay. Because urgent replication relies on change notification, it normally occurs only within a site (i.e., intrasite). However, you can modify site links to enable notification across them.

An exception to ordinary multimaster replication is user passwords. As with other attribute changes, you can change a user's password at any DC. In addition, however, the DC pushes the change to the PDC Flexible Single-Master Operation (FSMO) role holder on a best-effort basis; other DCs receive the new password through normal replication. The reason for the extra password work is that if password validation fails at a DC, that DC forwards the request to the PDC FSMO in case the password has changed and the DC hasn't yet received the new password via standard replication.
In my example, the DCInstall section and its parameters are added directly to the unattended answer file. The Microsoft Windows 2000 Resource Kit details the DCInstall section's parameters in the file Unattend.doc. The main entries are listed below.

  AdministratorPassword   The new password for the domain Administrator account
  AutoConfigDNS           Specifies whether the wizard should configure DNS
  ChildName               Name of the child part of the domain
  CreateOrJoin            Specifies whether the domain will join an existing forest or create a new one
  DatabasePath            Location for the Active Directory database
  DNSOnNetwork            Used when a new forest of domains is installed and no DNS client is configured on the computer
  DomainNetBiosName       NetBIOS name for the domain
  IsLastDCInDomain        Only valid when demoting an existing domain controller to a member server
  LogPath                 Path for the Directory Service (DS) logs
  NewDomainDNSName        Name of the new tree, or of the root domain when a new forest is created
  ParentDomainDNSName     Specifies the name of the parent domain
  Password                Password for the username used to promote the server
  RebootOnSuccess         Specifies whether an automatic reboot should be performed
  ReplicaDomainDNSName    Name of the domain to be replicated from
  ReplicaOrMember         Specifies whether a Windows NT 4.0 or 3.51 BDC being upgraded should become a replica domain controller or be demoted to a regular member server
  ReplicaOrNewDomain      Specifies whether the machine is a new domain controller in a new domain or a replica of an existing domain
  SiteName                Name of the site (Default-First-Site-Name by default)
  TreeOrChild             Specifies whether the entry is a new tree or a child of an existing domain

Three further entries give the path of SYSVOL, the domain of the user account being used for the promotion, and the name of the user performing the upgrade.
Because the DCPROMO process occurs after Setup, Setup copies the answer file to the \system32 folder as $winnt$.inf. The DCInstall parameters are in this file, so you need to add the following text to the GUIRunOnce section of the unattended Setup answer file.

  [GUIRunOnce]
  "DCpromo /answer:%systemroot%\system32\$winnt$.inf"

After the DCPROMO process completes, DCPROMO removes the password information from the $winnt$.inf file. Because a RunOnce command doesn't execute until someone logs on to the computer, you can add the following text to the unattended answer file to make the process hands-off.

  [GUIUnattended]
  AutoLogon = yes        ; automatically logs on the administrator account
  AutoLogonCount = n     ; number of times to perform the automatic administrator logon

Don't use environment variables such as %systemroot% or %windir% in the DCInstall entries, because the unattended installation process doesn't expand them. To avoid having multiple unattended setup files, you can create the DCInstall section directly in your unattend.txt file. Enter text such as the following.

  [DCInstall]
  AdministratorPassword = cartman
  CreateOrJoin = Create
  DomainNetBiosName = savtech
  NewDomainDNSName = savtech.com
  RebootOnSuccess = Yes
  ReplicaOrNewDomain = Domain
  SiteName = "London"
  TreeOrChild = Tree

This example script would create a new forest with the domain savtech.com at its root and place the new domain controller in the site London. The SYSVOL, logs, and Active Directory (AD) files would be in the default locations. The new domain Administrator account's password would be cartman. Note that the answer file therefore carries the domain Administrator password in cleartext: DCPROMO scrubs it from $winnt$.inf on the promoted server, but not from the unattend.txt on your distribution media, so restrict access to that file and change the password once the promotion has finished. If you want to use DCPROMO outside an unattended installation, enter

  dcpromo /answer:<DCInstall answer filename>

You'll see a dialog box that says DCPROMO is running in unattended mode. Then, the machine will reboot.
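Because the answer file holds the domain Administrator password until DCPROMO scrubs it, it is worth being able to check any copy of it (the $winnt$.inf on the promoted server, or an unattend.txt left on a distribution share) and to blank the password yourself. The following is an added example, not code from the original FAQ; it assumes that the three key names in $CredentialKeys are the ones carrying passwords in your answer files.

```powershell
# Added example (not from the original FAQ): find and scrub cleartext credentials in
# an unattended answer file (unattend.txt or %systemroot%\system32\$winnt$.inf).
# Assumption: the key names below are the ones that carry passwords in your files.
$CredentialKeys = @('AdministratorPassword', 'Password', 'AdminPassword')

function Read-AnswerFile {
    # Parses the INI-style answer file into an ordered hashtable of sections.
    # A ';' starts a comment, as in the [GUIUnattended] example above, so a
    # password containing ';' would be truncated here (and by Setup).
    param([Parameter(Mandatory)][string]$Path)
    $sections = [ordered]@{}
    $current = $null
    foreach ($raw in (Get-Content -LiteralPath $Path)) {
        $line = ($raw -replace ';.*$', '').Trim()
        if ($line -eq '') { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $Matches[1]
            if (-not $sections.Contains($current)) { $sections[$current] = [ordered]@{} }
            continue
        }
        if ($null -ne $current -and $line -match '^([^=]+?)\s*=\s*(.*)$') {
            $sections[$current][$Matches[1]] = $Matches[2].Trim('"')
        }
    }
    return $sections
}

function Find-ClearTextCredentials {
    # Returns one object per credential key that still holds a non-empty value.
    param([Parameter(Mandatory)][string]$Path)
    $sections = Read-AnswerFile -Path $Path
    foreach ($section in $sections.Keys) {
        foreach ($key in $sections[$section].Keys) {
            if ($CredentialKeys -contains $key -and $sections[$section][$key] -ne '') {
                [pscustomobject]@{ File = $Path; Section = $section; Key = $key }
            }
        }
    }
}

function Clear-AnswerFileCredentials {
    # Blanks the value of every credential key in place, mirroring what DCPROMO
    # does to $winnt$.inf, so a leftover copy no longer carries the password.
    param([Parameter(Mandatory)][string]$Path)
    $pattern = '^(\s*(' + ($CredentialKeys -join '|') + ')\s*=).*$'
    $out = Get-Content -LiteralPath $Path | ForEach-Object {
        if ($_ -match $pattern) { $Matches[1] } else { $_ }
    }
    Set-Content -LiteralPath $Path -Value $out
}

# Usage: report, then scrub, an answer file left on the distribution share
# (share name and path are placeholders).
# Find-ClearTextCredentials -Path '\\server\dist\unattend.txt' | Format-Table
# Clear-AnswerFileCredentials -Path '\\server\dist\unattend.txt'
```

Run Find-ClearTextCredentials against %systemroot%\system32\$winnt$.inf after the promotion to confirm the scrub happened, and against every copy of unattend.txt that was used to build the server; any hit on AdministratorPassword is a password that still needs changing.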
13. To view the log files, at the file maintenance prompt, type info:

   file maintenance: info

14. Type quit (without the quotation marks) twice to return to a C prompt.
15. Restart the computer in Normal mode.
and press Enter. Double-click the new value, and enter the number of seconds between KCC runs (the default is 15 minutes, i.e., 900 seconds). Click OK, then close the Registry editor. Restart the machine for the change to take effect.
8. The right pane shows the audit policies. Double-click Audit Directory Service Access.
9. Select the relevant checkboxes (e.g., Audit successful attempts, Audit failed attempts), as the Screen shows. Click OK.
10. Close the Group Policy window.
11. In the main Domain Controllers Properties dialog box, click OK.
12. Close the Active Directory Users and Computers MMC snap-in.

You can use Event Viewer to view the resulting entries in the Security log. Note that enabling Audit Directory Service Access by itself produces no entries: events are generated only for objects whose system access control list (SACL) specifies which accesses to audit. Because domain controllers poll for policy changes every 5 minutes, the policy change might take as long as 5 minutes to take effect. Other domain controllers in the enterprise receive the change after the 5-minute interval plus replication time.
  /O=Internet        Organization=Internet
  /DC=COM            Domain Component=COM
  /DC=SavillTech     Domain Component=SavillTech (the full Domain Component is SavillTech.com)
  /CN=Users          Common Name=Users
  /CN=John Savill    Common Name=John Savill
A DN might also include an organizational unit (OU). For more information about DNs, see RFC 1779, "A String Representation of Distinguished Names" (since superseded by RFC 2253 and then RFC 4514, which define the LDAP string form that AD tools display). The RDN is also known as the friendly name. The RDN for the above example is CN=John Savill. The RDN for the Users container is CN=Users.
LDAP URL names begin with LDAP://, followed by an LDAP server and a DN (in the LDAP form, most specific component first) that identifies the object (e.g., LDAP://titanic.savilltech.com/cn=JSavill,ou=Sales,dc=SavillTech,dc=com). An LDAP canonical name is the same name with the attribute-type prefixes (i.e., ou=, cn=, dc=) removed and the order reversed so that the domain comes first; the canonical name for the example is savilltech.com/Sales/JSavill. Many administrative tools display these names. The user principal name (UPN) contains the username and a DNS domain name, joined with the @ symbol (e.g., jsavill@savilltech.com). The SAM account name (e.g., savillj) is in the Windows NT 4.0 format. Because this name has a flat, single-level namespace, each SAM account name must be unique within its domain. Objects are actually identified internally by globally unique IDs. A GUID is a 128-bit number that is generated at object creation and is stored in the object's objectGUID attribute. GUIDs don't change, even when the object is renamed or moved.
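The conversions between these name forms, as an added example that is not part of the original FAQ. It assumes DNs in the LDAP string form (RFC 2253/4514) with the most specific component first and commas inside a value escaped as "\,"; when converting a canonical name back into a DN it has to assume that the intermediate containers are OUs and the leaf is a cn, because the canonical form discards exactly that information.

```powershell
# Added example (not from the original FAQ): converting between DN, RDN and
# canonical name. Assumptions: LDAP string-form DNs with "\," escaping; when
# reversing a canonical name, containers are taken to be ou= and the leaf cn=.
function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)
    # Split on commas that are not preceded by a backslash, then unescape.
    foreach ($part in [regex]::Split($DN, '(?<!\\),')) {
        $kv = $part.Trim() -split '=', 2
        [pscustomobject]@{
            Type  = $kv[0].Trim().ToLowerInvariant()
            Value = ($kv[1] -replace '\\,', ',')
        }
    }
}

function Get-RDN {
    # The relative distinguished name is the first (most specific) component.
    param([Parameter(Mandatory)][string]$DN)
    $first = @(Split-DistinguishedName -DN $DN)[0]
    return ('{0}={1}' -f $first.Type, $first.Value)
}

function ConvertTo-CanonicalName {
    # dc components (in order) become the dotted domain; the remaining components
    # are reversed so the path reads from the domain down to the object.
    param([Parameter(Mandatory)][string]$DN)
    $rdns   = @(Split-DistinguishedName -DN $DN)
    $domain = @($rdns | Where-Object { $_.Type -eq 'dc' } | ForEach-Object { $_.Value }) -join '.'
    $path   = @($rdns | Where-Object { $_.Type -ne 'dc' } | ForEach-Object { $_.Value })
    [array]::Reverse($path)
    return (@($domain) + $path) -join '/'
}

function ConvertFrom-CanonicalName {
    # Reverse mapping. The leaf type defaults to cn and containers to ou; this is
    # an assumption, since the canonical name does not record the types.
    param(
        [Parameter(Mandatory)][string]$CanonicalName,
        [string]$LeafType = 'cn',
        [string]$ContainerType = 'ou'
    )
    $segments   = $CanonicalName -split '/'
    $dcs        = @(($segments[0] -split '\.') | ForEach-Object { "dc=$_" })
    $containers = @()
    if ($segments.Count -gt 2) {
        $containers = @($segments[1..($segments.Count - 2)] | ForEach-Object { "$ContainerType=$_" })
    }
    $leaf = @()
    if ($segments.Count -gt 1) {
        $leaf = @("$LeafType=" + ($segments[-1] -replace ',', '\,'))
    }
    [array]::Reverse($containers)
    return ($leaf + $containers + $dcs) -join ','
}

# Usage with the names from the text:
# ConvertTo-CanonicalName -DN 'cn=JSavill,ou=Sales,dc=SavillTech,dc=com'
# Get-RDN -DN 'cn=John Savill,cn=Users,dc=SavillTech,dc=com'
# ConvertFrom-CanonicalName -CanonicalName 'SavillTech.com/Sales/JSavill'
```

The round trip is lossy by design: feeding SavillTech.com/Users/John Savill to ConvertFrom-CanonicalName yields ou=Users, not the cn=Users container the DN example above shows, which is why scripts that build DNs from canonical names need to look the real container type up in the directory.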
typing the following statement at a command prompt:

  set SAFEBOOT_OPTION=DSREPAIR

Don't use this approach on a live or important machine: it only makes tools believe the system is in Directory Services Restore Mode, it doesn't stop the directory service, so attempting system modifications in that state could damage the database.
The default switch is -out. To see a list of other switches, use the /? switch.
Over time, the database can become fragmented. Although objects can be deleted while the database is online, you can't compact the database online (compaction requires a manual offline defragmentation). If a DC is a Global Catalog (GC), it holds a partial copy of the objects of the other domains in the forest, which makes its database larger than that of a non-GC server. The size displayed for the ntds.dit file is the size the file had when the DC started, because the file stays open while the DS is running; if many objects are added and you restart one DC, that DC's ntds.dit file will appear larger.
How can I set the RPC port that intrasite replication uses?

By default, Windows 2000 assigns the remote procedure call (RPC) replication port dynamically. However, you might want to set the port manually (e.g., to monitor the replication traffic or to write a narrow firewall rule).

1. Start regedit.
2. Go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters registry key.
3. From the Edit menu, select New, DWORD Value.
4. Enter

   TCP/IP Port

   and press Enter.
5. Double-click the new entry, and enter the port you want to use. (Make sure the port isn't already in use.) Click OK.
6. Close the registry editor.
7. Reboot the machine.

After monitoring finishes, remove the registry entry you created to return to dynamic port allocation. Bear in mind that the dynamic port offers little protection by itself: any client, including an attacker, can ask the RPC endpoint mapper on TCP port 135 which port the directory service is currently using. Whether the port is fixed or dynamic, the protection comes from restricting who can reach it with a firewall.
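The same registry change scripted with the "not already in use" check the procedure asks for, plus the matching removal. This is an added example, not part of the original FAQ; it assumes it is run as an administrator on the DC and that Get-NetTCPConnection (Windows 8 / Windows Server 2012 and later) is available for the listener check.

```powershell
# Added example (not from the original FAQ): set, inspect, and remove the fixed
# replication port. Assumptions: run as Administrator on the DC; Get-NetTCPConnection
# (Windows 8 / Server 2012 and later) is available for the in-use check.
$RegPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$ValueName = 'TCP/IP Port'

function Get-NtdsReplicationPort {
    # Returns the configured port, or 'dynamic' when the value is absent.
    $item = Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne $item) { return [int]$item.$ValueName }
    return 'dynamic'
}

function Set-NtdsReplicationPort {
    param([Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port)
    # "Make sure the port isn't already in use": refuse if something already listens on it.
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    if ($listener) {
        $owner = @($listener)[0].OwningProcess
        throw "TCP port $Port already has a listener (PID $owner); choose another port."
    }
    # REG_DWORD, decimal port number, read by the directory service at start-up.
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value $Port -Force | Out-Null
    Write-Host "Replication port set to $Port; the change takes effect after a reboot."
}

function Remove-NtdsReplicationPort {
    # Deleting the value returns the directory service to dynamic port allocation.
    if (Test-Path -Path $RegPath) {
        Remove-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue
    }
    Write-Host 'Replication port reset to dynamic; reboot to apply.'
}

# Usage (port number is an example):
# Set-NtdsReplicationPort -Port 50000
# Get-NtdsReplicationPort
# Remove-NtdsReplicationPort
```

Pick a port outside the range your other services use and add the matching firewall rule between DCs before rebooting, or intrasite replication will stall until the rule is in place.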