NET
John Craddock
Principal Consultant
v-jcradd@microsoft.com jcrad@kimberry.co.uk
Sally Storey
Consultant
sallysto@kimberry.co.uk
Kimberry Associates
Seminar Topics
Introduction
Anatomy of an Object
Data Storage
Securing Directory Objects
Advanced Delegation of Administration
Creating the Active Directory
Replication
Lots of Demos!
(diagram: netads01 in example.com and netads02 in child.example.com, both in the London site)
Demonstration Environment
A Windows XP host running four virtual machines (netads01, netads02, netads03, netads04) on the virtual network 10.20.0.0, each running Windows .NET Enterprise Server
Health Warning!!
In this seminar we will show the use of tools that allow direct access to AD objects and attributes. Always test any changes before implementing them in a production environment.
You could always make mistakes!
Seminar Slides
Not all slides in this published slide deck will be presented. Excess slides have been included as background material.
If you are interested in receiving further information on future seminars and/or books, please email
sales@kimberry.co.uk
Seminar Topics
Introduction
Anatomy of an Object
Data Storage
Object Security/Securing Directory Objects
Advanced Administration/Advanced Delegation
Creating the Active Directory
Replication
Grouping Objects
Management tasks include:
Controlling object visibility
Controlling access to objects
Maintaining attribute values
Identifying users and computers that will share a common group policy
Designed correctly, the AD will provide an ideal abstraction of resources for both users and management
An Ideal Model
(diagram: one structure serving delegated administration, group policy and resource access)
Seminar Topics
Introduction
Anatomy of an Object
Data Storage
Securing Directory Objects
Advanced Delegation of Administration
Creating the Active Directory
Replication
Importing and Exporting Directory Objects
Extending the User Interface
Replicating the Directory
Adding Naming Contexts
The Global Catalog
The Schema
Representing Entities
(diagram: an entity, the object that represents it, and the object's attributes)
Object attributes represent the entity's properties
Attribute values may be individually set or synchronized with the entity's properties
An object may simply publish the existence of the entity or control its behaviour
Object Access
(diagram: a directory object, its ACL, and the ACEs within the ACL)
Naming Objects
(diagram: forest root xyzgroup.com with child domain mining.xyzgroup.com; OUs UK, USA, ED, LN, sales and legal; user John under ou=legal)
cn=john,ou=legal,ou=ed,ou=uk,dc=mining,dc=xyzgroup,dc=com
Each component of the DN is referred to as a Relative Distinguished Name (RDN). In addition to a DN (which may change), the object is uniquely identified by a GUID
cn = common name, ou = organizational unit, dc = domain component
Naming Contexts
(diagram: forest root xyzgroup.com and child domain mining.xyzgroup.com)
Domain NC: dc=mining,dc=xyzgroup,dc=com
Domain NC objects are replicated from the other domains in the forest. The GC stores only a partial set of attributes for each object.
If an attribute's definition in the schema has its isMemberOfPartialAttributeSet property set TRUE, it is replicated to the GC
Programmatic Access
LDAP provides programmatic access to the directory
Search, compare, add, modify, delete, rename (ModifyDN), and more
RootDSE
All DCs maintain a node called RootDSE. RootDSE provides information on:
Supported naming contexts
The Root NC
LDAP versions
Supported controls (controls extend the capabilities of LDAP)
More complex search criteria can be established by using the custom search, for example:
(&(|(l=london)(l=birmingham))(co=united kingdom))
& = logical AND, | = logical OR; l (Locality-Name) identifies the city
If the input string consists of two words, an additional check is made as follows:
(First word = GivenName AND Second word = Surname) OR (First word = Surname AND Second word = GivenName)
ANR Searches
The Find utility always makes an ANR search when searching for users
It can also be specified in an advanced custom search
(&(ANR=john)(co=united kingdom))
An attribute is a member of the ANR set if its definition in the schema has the ANR bit set in its searchFlags property
The attribute must also be indexed
dsHeuristics
The dsHeuristics attribute affects the behaviour of the ANR search
It is an attribute of the Directory Services object:
cn=Directory Services,cn=Windows NT,cn=Services,cn=Configuration
Attribute Search-Flags
(table: searchFlags bit 16 = copy attribute when object is copied (user account copy); for each flag, enabled = 1, disabled = 0)
Values can be changed programmatically
Limited access via Schema Manager
(searchFlags:1.2.840.113556.1.4.803:=5)
This rule OID provides an AND test: it evaluates true if bits 0 AND 2 are set
(searchFlags:1.2.840.113556.1.4.804:=5)
This rule OID provides an OR test: it evaluates true if bit 0 OR bit 2 is set
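The bitwise rule filters above, and the custom search filter with & and | shown earlier, can be exercised offline with this added example (not part of the seminar deck): a small evaluator for parenthesised LDAP filters supporting &, |, equality and the two bitwise rule OIDs. The attributeSchema and user entries it searches are constructed samples; their searchFlags, l and co values are assumptions.

```python
"""Evaluate LDAP search filters like those on the slides. Added example, not the
seminar's code; entries below are constructed samples, not real schema data."""
import re

BIT_AND = "1.2.840.113556.1.4.803"  # true if ALL bits of the value are set
BIT_OR = "1.2.840.113556.1.4.804"   # true if ANY bit of the value is set

# Constructed attributeSchema entries. searchFlags bit 0 = indexed,
# bit 2 = ANR member, bit 4 (value 16) = copy on user duplication.
SCHEMA_ENTRIES = [
    {"cn": ["Surname"], "searchflags": [5]},
    {"cn": ["Given-Name"], "searchflags": [21]},
    {"cn": ["Display-Name"], "searchflags": [1]},
    {"cn": ["Description"], "searchflags": [16]},
]

# Constructed user entries: l = locality (city), co = country.
USER_ENTRIES = [
    {"cn": ["john"], "l": ["London"], "co": ["United Kingdom"]},
    {"cn": ["amy"], "l": ["Birmingham"], "co": ["United Kingdom"]},
    {"cn": ["sam"], "l": ["London"], "co": ["United States"]},
]

ITEM_RE = re.compile(r"^([A-Za-z][\w-]*)(?::([\d.]+):)?=(.*)$")


def parse_item(text):
    """Turn 'attr=value' or 'attr:ruleOID:=value' into a filter node."""
    match = ITEM_RE.match(text)
    if not match:
        raise ValueError(f"unsupported filter item: {text!r}")
    attr, rule, value = match.groups()
    if rule is None:
        return ("eq", attr.lower(), value)
    if rule not in (BIT_AND, BIT_OR):
        raise ValueError(f"unsupported matching rule: {rule}")
    return ("bit", attr.lower(), rule, int(value))


def parse(filter_text):
    """Recursive-descent parse of a parenthesised filter into a node tree."""
    pos = 0

    def parse_filter():
        nonlocal pos
        if filter_text[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        op = filter_text[pos]
        if op in "&|":
            pos += 1
            children = []
            while filter_text[pos] == "(":
                children.append(parse_filter())
            node = (op, children)
        else:
            end = filter_text.index(")", pos)
            node = parse_item(filter_text[pos:end])
            pos = end
        if filter_text[pos] != ")":
            raise ValueError(f"expected ')' at offset {pos}")
        pos += 1
        return node

    return parse_filter()


def matches(node, entry):
    """Evaluate a parsed filter against one entry (lowercase attr -> values)."""
    kind = node[0]
    if kind == "&":
        return all(matches(child, entry) for child in node[1])
    if kind == "|":
        return any(matches(child, entry) for child in node[1])
    values = entry.get(node[1], [])
    if kind == "eq":
        # AD compares most string syntaxes case-insensitively.
        return any(str(v).lower() == node[2].lower() for v in values)
    rule, mask = node[2], node[3]
    if rule == BIT_AND:
        return any(int(v) & mask == mask for v in values)
    return any(int(v) & mask != 0 for v in values)


def search(filter_text, entries):
    """Return the cn of every matching entry, in entry order."""
    tree = parse(filter_text)
    return [entry["cn"][0] for entry in entries if matches(tree, entry)]
```

The AND rule matches only entries whose searchFlags contain both bit 0 and bit 2, while the OR rule also returns attributes that are merely indexed.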
LDAP v3 Controls
Controls extend the functionality of LDAP
Server controls are sent to the server
Client controls affect the functionality of the LDAP API
Operational Attributes
Operational attributes provide a mechanism for triggering actions on the server via LDAP
They are not defined in the schema
Writing to the attributes causes the server to perform a predefined action
LDIF
LDAP Data Interchange Format (LDIF), defined in RFC 2849
Actions include add, modify, delete
LDIF examples
Data is exported and imported using the ldifde utility

dn: cn=belle blackpool,ou=england,dc=example,dc=com
changetype: modify
add: otherHomePhone
otherHomePhone: 362 456 789
-

dn: cn=angus aberdeen,ou=england,dc=example,dc=com
changetype: delete
CSV
Data can be exported from the directory in Comma Separated Value (CSV) format using the csvde utility
csvde takes the same command line switches as ldifde
Display Specifiers
(diagram: the specifier for the current locale is selected and used by both the user shell and the administration tools)
Extending the UI
The UI can be extended by adding property pages, wizards or context menu items to the appropriate Display Specifier
This must be done for each of the supported locales
GC
Partial replica of all domain objects
Hosted on one or more DCs
With the exception of security principals, any type of object/attribute can be supported
Deployment Issues
Adding attributes to the GC partial attribute set causes all GCs to fully synchronize
Equivalent to repromoting all GCs
No interruption in service
Bandwidth and CPU intensive
Deployment Issues
Logon fails if the GC is not available
Administrators can still logon
Deployment Issues
A GC at every site avoids logon failures when the network is down, at the price of increased hardware costs and replication overhead
Membership Changes
Changes to universal and global group membership will not be seen until after the cache has been refreshed
The user must also log off and on to rebuild the security token
The Schema
Object definitions: must-contain attributes, may-contain attributes, possible parents, more
Attribute definitions: unique identifier, syntax, range, indexed, replicated to GC, linked, property set, more
The Schema provides a formal definition of all the types of objects and attributes that can exist in a forest
An instance of the classSchema class defines a new object class. An instance of the attributeSchema class defines an attribute.
The instance's properties (attributes) define the characteristics of the attribute and apply whenever the attribute is added to an object
Class Definitions
Class definitions include:
Class identifiers: cn, ldapDisplayName, SchemaIDGUID, OID
Class Inheritance
(diagram: top (abstract) is the subClassOf parent of person (abstract), which is the parent of organizationalPerson (abstract), which is the parent of user (structural); user also carries a systemAuxiliaryClass)
Aggregated Attributes
(diagram: top, person, organizationalPerson, user, securityPrincipal, mailRecipient)
Resultant attributes are aggregated from all the associated classes
Auxiliary classes can be associated with an instantiated object
Support for dynamic objects: dynamic objects have a TTL after which they are removed from the directory
Attribute Properties
The properties of an attribute define settings which include:
Attribute identifiers: OID, ldapDisplayName, SchemaIDGUID
The syntax of the data stored in an instance of the attribute
Single-valued or multivalued data storage
The allowable data range
Attribute management: linked, indexed, member of ANR set, replicated to the GC and more
Linked Attributes
(diagram: the forward-link manager attribute on users Tom, Sally, Debbie, Peter, Paul and Amy, and the back-link Direct Reports on Simon)
The Direct Reports (reports) attribute is multivalued and contains the DNs of the objects that contain forward links that reference this object
Linked attributes are identified by their linkID properties being set to n and n+1. The forward-link is identified by an even value of n; n+1 identifies the back-link
Linked attributes are pairs of attributes where the value of the back-link is derived from the forward-link details
(diagram: database records for Object A and Object B; where an attribute of Object A references Object B, the record holds the database location of B rather than B's DN)
If attributes reference other objects, rather than storing the DN of the referenced object, the database location of the object is stored
This avoids the need to change multiple attributes if the DN of the object changes
Phantom Records
(diagram: the view presented by the DSA shows the DN of referenced object Z; the database holds a phantom record for Z with no DN, only the GUID and SID of the referenced object)
A phantom record is created if an attribute references an object in another domain; this maintains the database reference paradigm
The phantom is created locally on each DC that receives a replica of object A
Phantoms are not required on the GC, as a database record for the referenced object already exists
Maintaining Phantoms
The Infrastructure Master runs on one DC in the domain and maintains the phantoms that are held in the DC's database
It checks phantom record data against the corresponding GC entries
If changes to the referenced objects are detected, these are replicated to all other DCs in the domain
(diagram: an existing object class with its existing attributes gains a new attribute, which can be used with existing object instances)
The Schema can be extended by creating new object classes and attributes
OIDs
Object classes, attributes and syntaxes are defined using OIDs. The preferred method of obtaining an OID is to obtain your own root ID:
web.ansi.org/public/services/reg_org.html
www.iso.ch/addresse/membodies.html
Category 1 objects are identified by the 0x10 bit being set in systemFlags. This value cannot be changed.
The systemFlags also define whether the object can be moved, deleted or renamed
Schema Protection
Only members of the Schema Admins group can make changes to the schema
Make sure that the Schema administrators are aware of their responsibilities
schemaUpdateNow: 1
Windows .NET will allow schema objects set as defunct to have their identification properties reused, e.g. OID, ldapDisplayName, mapiId
Identification properties can only be redefined if the forest is at the .NET functional level or higher
AD Architecture
(diagram: interfaces LDAP/ADSI, replication transports (REPL), NT SAM calls (SAM) and Outlook clients (MAPI) above the LDAP layer, which sits above the DB layer)
ESE
Originally code named JET Blue
Completely different to the Access database (JET Red)
ESE97: Exchange 5.5
ESENT: Windows 2000 (esent.dll), uses the same format and engine (ulVersion 620,2) as ESE97
What's Required?
A fast and highly optimised way of storing and retrieving loosely-structured and semi-structured data
Integrity and crash survival (ACID)
Transactions are: atomic, consistent, isolated, durable
Transaction Logging
(diagram: a database write request enters the ESE transaction buffer; on commit the transaction is written to edb.log; the write to ntds.dit follows later, and the checkpoint in edb.chk is updated as the database catches up with the log)
The write is only confirmed once the transaction has been written to the log file
Log Files
There is always a delay between the transaction log being written and the transaction being committed
This delta is referred to as the checkpoint depth
Circular Logging
The Active Directory uses circular logging (no supported way of disabling)
When all the transactions in the log file have been committed, the file is deleted
Recovery
If the system crashes before all of the transactions are committed, the lost transactions are recovered from the log file. ESE determines which transactions have been committed by reading the dbTime value in the log file
edb.chk is only used to identify which log files should be checked; this speeds up the operation
File Summary
ntds.dit
edb.log
edb0000x.log
edb.chk
res1.log
res2.log
ntds.pat
(diagram: step 2, the checkpoint in edb.log is frozen against ntds.dit; transactions that cause fundamental changes to the structure, for instance B-tree page splits, are written to the patch file ntds.pat)
ntdsutil
ntdsutil is the primary tool for checking the database files
Invokes esentutl
Offline defragmentation
Online defragmentation automatically occurs every 12 hrs; it recovers storage but does not reduce the size of the database files
Move
Changes the location of the database and log files
Object Deletion
On deletion: isDeleted set TRUE, marked as tombstoned
Default tombstone life 60 days
Garbage collection
Deleted objects with an expired tombstone are removed by the garbage collection service
Default garbage collection every 12 hours
Be Careful
Always do a full system backup before making any changes to the database
Backup before and after moving the database
Backups are only valid for the tombstone period
UI Security Tab
%SystemRoot%\System32\dssec.dat
[serviceInstance]
@=7
adminDescription=7
adminDisplayName=7
(@=7: do NOT display the object)
(diagram: an ACE identifies the security principal to which it applies and specifies the type of access)
Access types: Delete; Read/Write object security; Generic Read/Write access to object and all attributes; Create/Delete child; Read/Write property; Extended write operation
Extended Rights
Only a limited number of operations can be defined through the access mask
Extended rights are used to define special operations and property sets
Special operations include resetting passwords, managing replication and changing FSMO roles
(diagram: an extended right's rightsGUID is added to attributeSecurityGUID for all members of the property set, and to the object's ACL)
The objects to which extended rights apply are defined in the appliesTo attribute
Access to an extended right is controlled by adding the rightsGUID attribute value to the object's ACL
The rightsGUID also identifies the attributes that are members of a property set
Property Sets
Property Sets (Attribute Sets) allow attributes to be grouped
Read/Write access to the set is controlled using a single ACE
Detective Work
We want to confirm that the user Notes property is a member of the Personal Information property set
ACEs
(diagram: DENY SID1 W, Allow SID3 RX, Allow SID1 RX, Allow SID3 W)
Each ACE grants or denies permissions for an individual security principal
The ACL is only checked until the requested access has been granted or denied
Canonical Ordering
(diagram: an ACL with ALLOW administrators Full, DENY NETWORK RD and ALLOW Users RD; in canonical order the DENY ACE is placed before the ALLOW ACEs)
Object ACLs
(diagram: an ACL applied to an OU, with its inheritable ACEs flowing to the directory objects beneath it and combining with each object's explicit ACL)
ACE Ordering
Explicit: DENY SID20 W, DENY SID15 RWX, Allow SID3 R
Inherited: DENY SID1 RWD, Allow SID1 R, Allow SID11 R, Allow SID3 W, Allow SID31 W
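The first-match check and the canonical ordering described on these slides, as an added illustration (not the deck's own code) over the placeholder SIDs and right letters the slides use; the Ace type, the SID labels and the letters R/W/X/D are assumptions, not real security identifiers.

```python
"""Canonical ACE ordering and the first-match access check shown on the slides.
Added example, not the seminar's code; the SIDs (SID20, SID3...) and the right
letters R/W/X/D are the deck's placeholders, not real identifiers."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Ace:
    kind: str        # "allow" or "deny"
    sid: str         # trustee this ACE applies to
    rights: str      # letters from R (read), W (write), X (execute), D (delete)
    inherited: bool  # True if inherited from a parent container


def canonical_order(aces):
    """Explicit ACEs before inherited ones, deny before allow within each group.
    sorted() is stable, so the relative order is otherwise preserved."""
    return sorted(aces, key=lambda a: (a.inherited, a.kind == "allow"))


def access_check(aces, token_sids, requested, canonicalize=True):
    """Walk the ACL until every requested right is granted (True) or a deny
    covers any still-outstanding right (False). Nothing granted = no access."""
    if canonicalize:
        aces = canonical_order(aces)
    remaining = set(requested)
    for ace in aces:
        if ace.sid not in token_sids:
            continue
        mask = set(ace.rights)
        if ace.kind == "deny" and mask & remaining:
            return False
        if ace.kind == "allow":
            remaining -= mask
            if not remaining:
                return True
    return False


# The ACL from the ACE Ordering slide: explicit ACEs first, then inherited ones.
DECK_ACL = [
    Ace("deny", "SID20", "W", False),
    Ace("deny", "SID15", "RWX", False),
    Ace("allow", "SID3", "R", False),
    Ace("deny", "SID1", "RWD", True),
    Ace("allow", "SID1", "R", True),
    Ace("allow", "SID11", "R", True),
    Ace("allow", "SID3", "W", True),
    Ace("allow", "SID31", "W", True),
]

# The Canonical Ordering slide's ACL as an administrator might have typed it,
# with the DENY after an ALLOW; canonical_order() moves the DENY first.
NETWORK_ACL = [
    Ace("allow", "administrators", "RWXD", False),
    Ace("deny", "NETWORK", "RD", False),
    Ace("allow", "Users", "RD", False),
]
```

A token holding SID3 and SID1 is granted R by the explicit Allow SID3 R before the inherited DENY SID1 RWD is ever reached, but is refused W by that same inherited deny; skipping canonical ordering on NETWORK_ACL would let an administrator connecting over the network read what the DENY was meant to stop.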
Inheritance Propagation
(diagram: ACLs propagating down a tree of OUs)
Controlling Inheritance
(diagram: an OU tree in which inheritance is controlled at intermediate OUs)
ACE Inheritance
ACE fields: ACE type, inheritance flags, audit, access mask, object type, inherited object type, trustee (SID)
Inheritance flags: inherit this ACE; only propagate one level; inherit only (the ACE does not apply to this object); this ACE was inherited
Object type: applies to an object, an attribute or an extended right
Inherited object type: the object type that will inherit this ACE, either all objects OR the object specified by GUID
The SE_DACL_PROTECTED flag in the object's security descriptor control field prevents the object from inheriting ACEs from its parents
dsacls
C:\>dsacls cn=jill,dc=child,dc=example,dc=com
Access list:
Effective Permissions on this object are:
Allow CHILD\Domain Admins              FULL CONTROL
Allow NT AUTHORITY\SYSTEM              FULL CONTROL
Allow BUILTIN\Account Operators        FULL CONTROL
Allow NT AUTHORITY\SELF                SPECIAL ACCESS for Personal Information
                                       WRITE PROPERTY
                                       READ PROPERTY
Allow NT AUTHORITY\SELF                SPECIAL ACCESS for Phone and Mail Options
                                       WRITE PROPERTY
                                       READ PROPERTY
Allow NT AUTHORITY\SELF                SPECIAL ACCESS for Web Information
                                       WRITE PROPERTY
                                       READ PROPERTY
Allow NT AUTHORITY\Authenticated Users SPECIAL ACCESS for Personal Information
                                       READ PROPERTY
Sources of an object's ACL: set programmatically during creation; the ACL inherited from the parent combined with the explicit ACL; the schema default ACL for the particular object type
(diagram: a Sales data OU with the Authenticated Users Read ACE removed)
For many of the objects, the default ACL from the schema provides Read for Authenticated Users
To control visibility, this ACE must be removed
The permissions from the schema can be reapplied using dsacls /S /T
Check whether schema defaults apply to an object with acldiag /schema
SDDL = Security Descriptor Definition Language
AdminSDHolder
(diagram: the template ACL on cn=AdminSDHolder,cn=system,dc=domain,dc is compared with the ACL on each protected account; if different, the account's ACL is replaced and inheritance is disabled)
The ACL on user accounts that are domain administrators is automatically set and refreshed to enhance security
The propagator thread runs every hour on the PDC FSMO
Default Template
The default ACL template on AdminSDHolder cannot be fully edited through the UI
For example, there is no Change Password ACE for a container
Problem
The European division is a child domain of corporate HQ in the US
The European Domain Administrators need to authorize their own DHCP servers
Authorization fails
HQ is not prepared to elevate the European domain admins to Enterprise Admins. How do you solve the dilemma?
Solution
Enable auditing on the directory
Smile
Solution
(diagram: on cn=NetServices,cn=Services,cn=Configuration,dc=example,dc=com the ACL is changed to enable creation of dHCPClass objects, and the ACL on cn=DhcpRoot is changed to enable updating of the DhcpRoot object)
delegwiz.inf
[Version]
signature="$CHICAGO$"
[DelegationTemplates]
Templates = template1, template3, template4, template5
;-----------------------------------------------------
[template1]
; classes the template applies to
AppliesToClasses=domainDns,organizationalUnit,container
Description = "Create, delete, and manage user accounts"
; SCOPE applies to this object and all objects; user applies to user objects
ObjectTypes = SCOPE, user
[template1.SCOPE]
; create & delete user objects
user=CC,DC
[template1.user]
; @ specifies the class defined on the ObjectTypes line; GA = Generic All (full control)
@=GA
Seminar Topics
Introduction
Anatomy of an Object
Data Storage
Object Security
Advanced Delegation of Administration
Creating the Active Directory
Replication
Creating Domains
dcpromo creates a new DC
Initial database from \system32\ntds.dit
Default objects in the DIT from \system32\schema.ini
Log Files
dcpromoui.log: logs user interaction with the wizard and the promotion process. Increase logging levels via the Registry value dcpromoui under HKLM\Software\Microsoft\Windows\CurrentVersion\AdminDebug
dcpromo.log: logs the promotion process
dcpromos.log: logs domain upgrades
Promotion Failure
If the promotion stops, don't automatically cancel the wizard. Troubleshoot and you may be able to complete the promotion
Check the logs if the message from the AD Installation Wizard is unclear
dchelp.exe uses csvde to import over 1000 display specifier settings into the AD. Data files: dcpromo.csv, 409.csv (409.csv .NET only)
Check for successful completion in dcpromohelp.log
Promotion
(diagram: original DC and target server)
Metadata Cleanup
ntdsutil can be used to clean the metadata from the forest
Before using it, check that all domain controllers are fully replicated
Retiring an Orphaned DC
Instead of reinstalling you can try the following:
Reboot into Directory Services Restore mode
Edit the registry key \HKLM\SYSTEM\CCS\Control\Product Options and change ProductType from LanmanNT to ServerNT
Delete the AD database and log files
Restart and the computer will be a member server
To complete the cleanup, promote the server into a new domain and then demote again
Functionality Levels
Initial compatibility with current systems is always important
Some new features may not be compatible with older systems
Windows 2000 Native mode only enabled after all the Windows NT 4 BDCs have been retired
Partitions Container
Shows the current forest functionality level
If the attribute is missing, the version is taken as 0 (Windows 2000)
Replication Model
Replication is at attribute level
The replication model is described as multimaster, loose consistency with convergence
Multimaster: changes can be made at any DC
Loose consistency: there is a latency between changes being made and their availability throughout the enterprise
Convergence: eventually the changes will propagate to all DCs; conflicts will have to be detected and resolved
Identifying Changes
(diagram: SRV2 asks SRV1 "Send me your changes, I have all changes up to USN 1324"; SRV1 holds USN 1321 to 1327 and sends 1325, 1326 and 1327; SRV2's high-watermark for SRV1 moves from 1324 before the exchange to 1327 after it)
Propagation Dampening
(diagram: each change in SRV1's log records its originating database & USN: USN 2231, 2232, 2233 originated on SRV1; USN 2234 originated on SRV3 as USN 5430 (ver 8); USN 2235 originated on SRV1; USN 2236 originated on SRV3 as USN 5432 (ver 9); USN 2237 originated on SRV1. SRV2 asks SRV1 "Send me your changes, I have all changes up to USN 2232, and I have all the changes from SRV3 up to USN 5430")
More details
The up-to-date vectors control propagation dampening
The originating database is identified by the DSA GUID
This is the invocationId property of the NTDS Settings object
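Added example, not the seminar's code: the high-watermark and up-to-date vector check that the two replication slides above describe, using the USNs from the propagation dampening diagram as read here (SRV2 already has SRV1's changes up to USN 2232 and SRV3's up to 5430). The Change and Partner types and the DSA names standing in for invocationId GUIDs are assumptions.

```python
"""Propagation dampening with a high-watermark and an up-to-date vector.
Added example, not the seminar's code; USNs follow the deck's diagram."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Change:
    local_usn: int        # USN assigned by the DC whose log this is (SRV1)
    originating_dsa: str  # DSA that made the change (invocationId in AD; a name here)
    originating_usn: int  # USN the change carried on the originating DSA


@dataclass
class Partner:
    """What the destination DC (SRV2) knows about replication so far."""
    high_watermark: dict = field(default_factory=dict)  # source -> last local USN received
    up_to_date: dict = field(default_factory=dict)      # originating DSA -> highest originating USN seen


def changes_to_send(source_name, log, partner):
    """Changes the source must send: above the partner's high-watermark for this
    source AND not already known to the partner through its up-to-date vector."""
    hwm = partner.high_watermark.get(source_name, 0)
    sent, dampened = [], []
    for change in sorted(log, key=lambda c: c.local_usn):
        if change.local_usn <= hwm:
            continue  # partner already received this from us
        known = partner.up_to_date.get(change.originating_dsa, 0)
        if change.originating_usn <= known:
            dampened.append(change)  # partner already has it from another path
        else:
            sent.append(change)
    return sent, dampened


def replicate(source_name, log, partner):
    """One replication cycle: send what is needed and advance both vectors."""
    sent, dampened = changes_to_send(source_name, log, partner)
    if log:
        partner.high_watermark[source_name] = max(c.local_usn for c in log)
    for change in sent:
        current = partner.up_to_date.get(change.originating_dsa, 0)
        partner.up_to_date[change.originating_dsa] = max(current, change.originating_usn)
    return [c.local_usn for c in sent], [c.local_usn for c in dampened]


# SRV1's log as drawn on the slide: each entry records the originating DSA & USN.
SRV1_LOG = [
    Change(2231, "SRV1", 2231),
    Change(2232, "SRV1", 2232),
    Change(2233, "SRV1", 2233),
    Change(2234, "SRV3", 5430),
    Change(2235, "SRV1", 2235),
    Change(2236, "SRV3", 5432),
    Change(2237, "SRV1", 2237),
]


def srv2_after_sync():
    """SRV2: 'I have all changes up to USN 2232 and all of SRV3's up to 5430'."""
    srv2 = Partner(high_watermark={"SRV1": 2232}, up_to_date={"SRV3": 5430})
    sent, dampened = replicate("SRV1", SRV1_LOG, srv2)
    return sent, dampened, srv2
```

SRV1's local USN 2234 is dampened because SRV2's up-to-date vector already covers SRV3's USN 5430, while 2236 (SRV3's USN 5432) still has to be sent.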
Observing Metadata
C:\>repadmin /showmeta cn=g1,dc=child,dc=example,dc=com
Loc.USN  originating DSA  Org.USN  Org.Time/Date        Ver  Attribute
=======  ===============  =======  ===================  ===  =========
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  objectClass
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  cn
   9847  London\Srv1         9847  2002-09-07 15:34.02    1  description
   9863  London\Srv1         9863  2002-09-07 15:41.53    2  member
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  instanceType
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  whenCreated
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  nTSecurityDescriptor
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  name
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  objectSid
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  sAMAccountName
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  sAMAccountType
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  groupType
   9845  London\Srv1         9845  2002-09-07 15:34.02    1  objectCategory
Authoritative Restores
The system is booted into AD Restore mode and the system state restored from backup
ntdsutil is used to mark a branch of domain or configuration NCs as authoritative
This bumps the version numbers of all the attributes by 100,000 for each day since the original backup
SYSVOL Replication
Multimaster replication of files and folders
Uses intersite schedules
Replicates file and folder attributes including ACLs
Resolving Conflicts
Each replicated attribute carries a unique stamp: version, originating time, originating DSA GUID
If the replica's version number is higher, accept the change; else if the originating time is later, accept the change; else tie-break on the originating DSA GUID
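Added example (not from the deck): the three-step comparison above applied to per-attribute stamps, together with the version bump that the Authoritative Restores slide describes, so a restored value can be seen outranking a change replicated since the backup. The Stamp type, the DSA GUIDs and the times are constructed, and the direction of the GUID tie-break is an assumption (the deck only says the GUID breaks the tie).

```python
"""Conflict resolution on a replicated attribute's stamp (version, originating
time, originating DSA GUID), plus the authoritative restore version bump.
Added example, not the seminar's code; GUIDs and times are constructed."""
from dataclasses import dataclass, replace
from datetime import datetime, timedelta
import uuid

VERSION_BUMP_PER_DAY = 100_000  # authoritative restore bump quoted in the deck

DSA_A = uuid.UUID("11111111-1111-1111-1111-111111111111")  # constructed invocationId
DSA_B = uuid.UUID("22222222-2222-2222-2222-222222222222")  # constructed invocationId
T0 = datetime(2002, 9, 7, 15, 34, 2)  # time taken from the repadmin slide
T_EARLIER = T0 - timedelta(hours=1)
T_LATER = T0 + timedelta(minutes=5)


@dataclass(frozen=True)
class Stamp:
    version: int
    originating_time: datetime
    originating_dsa: uuid.UUID  # invocationId of the DSA that made the change


def incoming_wins(local: Stamp, incoming: Stamp) -> bool:
    """Deck rule: higher version wins; else later originating time wins; else
    tie-break on the DSA GUID (the numerically higher GUID wins here, an
    assumption; the deck only says the GUID breaks the tie)."""
    if incoming.version != local.version:
        return incoming.version > local.version
    if incoming.originating_time != local.originating_time:
        return incoming.originating_time > local.originating_time
    return incoming.originating_dsa.int > local.originating_dsa.int


def apply_change(local: Stamp, incoming: Stamp) -> Stamp:
    """Stamp that survives once the incoming replicated change is processed."""
    return incoming if incoming_wins(local, incoming) else local


def authoritative_bump(stamp: Stamp, days_since_backup: int) -> Stamp:
    """Raise the version by 100,000 for each day since the backup so the
    restored value outranks updates replicated since; a same-day restore is
    counted as one day here (assumption)."""
    days = max(1, days_since_backup)
    return replace(stamp, version=stamp.version + VERSION_BUMP_PER_DAY * days)


def restore_outranks_later_update(backup_version, days_since_backup, later_version):
    """Does an authoritative restore of a backup beat a change made since it?"""
    restored = authoritative_bump(Stamp(backup_version, T0, DSA_A), days_since_backup)
    live = Stamp(later_version, T_LATER, DSA_B)  # the update made after the backup
    return incoming_wins(live, restored)
```

Note that a higher version beats a later originating time outright, which is exactly why the restore bump is expressed in version numbers rather than timestamps.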
Other Issues
An add or move operation to a container is performed on one DC as the container is deleted on another: the object is placed in the LostAndFound container
Adding or moving objects on different DCs results in the objects having the same DNs: the RDN of the newer object is retained; the RDN of the other object becomes RDN*CNF:<object GUID>
Multivalued Attributes
(diagram: group G1's Members attribute updated on two DCs at the same time, with Sally and John added on one DC and Chloe and Pete added on SRV1)
Multivalued attributes are replicated as a single entity. If the same group is simultaneously updated, after replication only one set of users will be retained
Storage and protocol incompatible with Windows 2000 - only works with Windows .NET
Requires Windows .NET Forest Mode
Microsoft IT Forum
19-23 November, Copenhagen, Denmark. Get CONNECTED at Europe's Premier Conference for technology professionals.
Save 300 if you take advantage of the early bird special by registering on or before 21 October 2002.
http://www.microsoft.com/europe/itforum/
Hear from Microsoft executives and technical experts
Choose from over 140 technical breakout sessions
Attend extensive hands-on training labs
Explore the hottest new tools and technologies
....connect
Take advantage of the company or individual TechEd Attendee Discount.
http://www.microsoft.com/europe/itforum/special.asp
Thank you for coming