You are on page 1of 75

Active Directory

Active Directory is a centralized and standardized system, stores information about objects in a network and makes this information available to users and network administrators. Domain Controller

In an Active Directory forest, the domain controller is a server that contains a writable copy of the Active Directory database, participates in Active Directory replication, and controls access to network resources. Global catalog server

A global catalog server is a domain controller that stores information about all objects in the forest. Like all domain controllers, a global catalog server stores full, writable replicas of the schema and configuration directory partitions and a full, writable replica of the domain directory partition for the domain that it is hosting. In addition, a global catalog server stores a partial, read only replica of every other domain in the forest. !artial replicas are stored on "lobal #atalog servers so that searches of the entire directory can be achieved without re$uiring referrals from one domain controller to another.

!artial information of other domains. !artial information nothing but classes and attributes %first name and last name and phones and addresses& attribute level security improvement in '(()*. OU:

+,rganizational -nits+, are administrative level containers on a computer, it allows administrators to organize groups of users together so that any changes, security privileges or any other administrative tasks could be accomplished more efficiently. Domain. /indows Domain is a logical grouping of computers that share common security and

user account information. Forest

A /indows forest is a group of 0 or more trusted /indows trees. 1he trees do not need to have contiguous D23 names. A forest shares a schema and global catalog servers. A single tree can also be called a forest. Tree: A /indows tree is a group of one or more trusted /indows domains with contiguous D23 domains. 41rusted5 means that an authenticated account from one domain isn6t rejected by another domain. 4#ontiguous D23 domains5 means that they all have the same root D23 name. Site: 3ites are manually defined groupings of subnets. ,bjects in a site share the same global catalog servers, and can have a common set of group policies applied to them. Schema: 1he schema defines what attributes, objects, classes, and rules are available in the Active Directory. 3ID %3ecurity Identifier&. 1he 3ID is a uni$ue name %alphanumeric character string& that is used to identify an object, such as a user or a group of users. "roup !olicy "roup policy Architecture. "roup !olicy objects %"!,&.

A "!, is a collection of "roup !olicy settings, stored at the domain level as a virtual object consisting of a "roup !olicy container %"!#& and a "roup !olicy template %"!1&. password history will store #omputer #onfiguration7/indows 3ettings73ecurity 3ettings7Account !olicies7!assword !olicy Group Policy Container (GPC

1he "roup !olicy container %"!#& is an Active Directory container that contains "!, properties, such as version information, "!, status, plus a list of other component settings. Group Polity Template (GPT

1he "roup !olicy template %"!1& is a file system folder that includes policy data specified by .adm files, security settings, script files, and information about applications that are available for installation. 1he "!1 is located in the system volume folder %3ys8ol& in the domain 7!olicies sub folder. Filtering the Scope o! a GPO

9y default, a "!, affects all users and computers that are contained in the linked site, domain, or organizational unit. 1he administrator can further specify the computers and users that are affected by a "!, by using membership in security groups.

3tarting with /indows '(((, the administrator can add both computers and users to security groups. 1hen the administrator can specify which security groups are affected by the "!, by using the Access #ontrol List editor. :nowledge #onsistency #hecker %:##&

1he :nowledge #onsistency #hecker %:##& is a /indows component that automatically generates and maintains the intra site and inter site replication topology. "ntrasite #eplication ;eplication that happens between controllers inside one site. All of the subnets inside the site should be connected by high speed network wires. "ntersite #eplication

Intersite replication is replication between sites and must be set up by an administrator. 3imple <ail 1ransfer !rotocol %3<1!& may be used for replication between sites. Active Directory #eplication$

;eplication must often occur both %intrasite& within sites and %Intersite& between sites to keep domain and forest data consistent among domain controllers that store the same directory partitions Adprep.e=e

Adprep.e=e is a command line tool used to prepare a <icrosoft /indows '((( forest or a /indows '((( domain for the installation of /indows 3erver '(() domain controllers. -3>.

/hen <icrosoft >=change 3erver is deployed in an organization, >=change 3erver uses Active Directory as a data store and it e=tends the /indows '((( Active Directory schema to enable it to store objects specific to >=change 3erver. 1he ldapDisplay2ame of the attribute schema ms >=ch Assistant 2ame, ms >=ch Labeled-;I, and ms >=ch ?ouse Identifier defined by >=change 3erver conflicts with the i2et,rg!erson schema that Active Directory uses in /indows 3erver '((). /hen /indows 3erver '(() 3ervice !ack 0 is installed, Adprep.e=e will be able to detect the presence of the schema conflict and block the upgrade of the schema until the issue has been resolved. "-ID.

/hen a new domain user or group account is created, Active Directory stores the account@s 3ID in the ,bject 3ID %object3ID& property of a -ser or "roup object. It also assigns the new object a globally uni$ue identifier %"-ID&, which is a 0'A bit value that is uni$ue not only in the enterprise but also across the world. "-IDs are assigned to every object created by Active Directory, not just -ser and "roup objects. >ach object@s "-ID is stored in its ,bject "-ID %object"-ID& property. Active Directory uses "-IDs internally to identify objects. 3ID.

A security identifier %3ID& is a data structure in binary format that contains a variable number of values. /hen a D# creates a security principal object such as a user or group, it attaches a uni$ue 3ecurity ID %3ID& to the object. 1his 3ID consists of a domain 3ID %the same for all 3IDs created in a domain&, and a relative ID %;ID& that is uni$ue for each security !rincipal 3ID created in a domain. Lingering objects

/hen a domain controller is disconnected for a period that is longer than the 13L, one or more objects that are deleted from Active Directory on all other domain controllers may remain on the disconnected domain controller. 3uch objects are called lingering objects. 9ecause the domain controller is offline during the time that the tombstone is alive, the domain controller never receives replication of the tombstone 3ysvol

3ysvol is a shared directory that stores the server copy of the domain6s public files, which are replicated among all domain controllers in the domain. 1he 3ysvol contains the data in a "!,. the "!1, which includes Administrative 1emplate based "roup !olicy settings, security settings, script files, and information regarding applications that are available for software installation. It is replicated using the Bile ;eplication 3ervice %B;3&. Bile ;eplication 3ervice %B;3&

In /indows '(((, the 3C38,L share is used to authenticate users. 1he 3C38,L share includes group policy information which is replicated to all local domain controllers. Bile replication service %B;3& is used to replicate the 3C38,L share. 1he +Active Directory -sers and #omputers+ tool is used to change the file replication service schedule. /in logon A component of the /indows operating system that provides interactive

logon support, /inlogon is the service in which the "roup !olicy engine runs. Lightweight Directory Access !rotocol %LDA!& It defines how clients and servers e=change information about a directory. LDA! version ' and version ) are used by /indows '((( 3erver@s Active Directory. An LDA! -;L names the server holding Active Directory services and the Attributed 2ame of the object. Bor e=ample. LDA!.DD3ome3erver.<yco.#omD#2Ejamessmith,#2E3ys,#2E!roduct,#2 EDivision,D#Emyco,D#Edomain controller -32

>ach object has an -pdate 3e$uence 2umber %-32&, and if the object is modified, the -32 is incremented. 1his number is different on each domain controller. -32 provides the key to multimaster replication. -niversal group membership caching

Due to available network bandwidth and server hardware limitations, it may not be practical to have a global catalog in smaller branch office locations. Bor these sites, you can deploy domain controllers running /indows 3erver '((), which can store universal group membership information locally.

9y default, the universal group membership information contained in the cache of each domain controller will be refreshed every A hours. -p to F(( universal group memberships can be updated at once. -niversal groups couldn@t be created in <i=ed mode. /hat is an A#L or access control listG A list of security protections that applies to an object. %An object can be a file, process, event, or anything else having a security descriptor.&

/hat is an A#> or access control entryG A#> contains a set of access rights and a security identifier %3ID& that identifies a trustee for whom the rights are allowed, denied, or audited. Ble=ible 3ingle <aster ,perations %B3<,& <ulti<aster ,peration.

In /indows '((( H '((), every domain controller can receive changes, and the changes are replicated to all other domain controllers. 1he day to day operations that are associated with managing users, groups, and computers are typically multimaster operations.

1here is a set of Ble=ible 3ingle <aster ,perations %B3<,& which can only be done on a single controller. An administrator determines which operations must be done on the master controller. 1hese operations are all set up on the master controller by default and can be transferred later. B3<, operations types include. 3chema <aster. 1he schema master domain controller controls all updates and modifications to the schema. 1here can be only one schema master in the whole forest. Domain naming master. 1he domain naming master domain controller controls

the addition or removal of domains in the forest and responsibility of ensuring that domain names are uni$ue in the forest. 1here can be only one domain naming master in the whole forest. Infrastructure <aster. 3ynchronizes cross domain group membership changes. 1he infrastructure master cannot run on a global catalog server %unless all D#s are also "#s.&

1he infrastructure is responsible for updating references from objects in its domain to objects in other domains. At any one time, there can be only one domain controller acting as the infrastructure master in each domain. 1his works when we are renaming any group member ship object this role takes care.

2ote. 1he Infrastructure <aster %I<& role should be held by a domain controller that is not a "lobal #atalog server %"#&. If the Infrastructure <aster runs on a "lobal #atalog server it will stop updating object information because it does not contain any references to objects that it does not hold. 1his is because a "lobal #atalog server holds a partial replica of every object in the forest. As a result, cross domain object references in that domain will not be updated and a warning to that effect will be logged on that D#@s event log. If all the domain controllers in a domain also host the global catalog, all the domain controllers have the current data, and it is not important which domain controller holds the infrastructure master role. #elative "D (#"D %aster:

It assigns ;ID and 3ID to the newly created object like -sers and computers. If ;ID master is down %u can create security objects up to ;ID pools are available in D#s& else u can6t create any object one it3Ds down

/hen a D# creates a security principal object such as a user or group, it attaches a uni$ue 3ecurity ID %3ID& to the object. 1his 3ID consists of a domain 3ID %the same for all 3IDs created in a domain&, and a relative ID %;ID& that is uni$ue for each security principal 3ID created in a domain. !D# >mulator /hen Active Directory is in mi=ed mode, the computer Active

Directory is on acts as a /indows 21 !D#. 1he first server that becomes a /indows

'((( domain controller takes the role of !D# emulator by default. Bunctions performed by the !D# emulator.

-ser account changes and password changes. 3A< directory replication re$uests. Domain master browser re$uests Authentication re$uests. "!, 1ime synchronization 2ew Active Directory features in /indows 3erver '(() I<ultiple selection of user objects. IDrag and drop functionality. I>fficient search capabilities. 3earch functionality is object oriented and provides an efficient search that minimizes I3aved $ueries. 3ave commonly used search parameters for reuse in Active Directory -sers and #omputers IActive Directory command line tools.

IInet,rg!erson class. 1he inet,rg!erson class has been added to the base schema as a security principal and can be used in the same manner as the user class. 1he user!assword attribute can also be used to set the account password.

IAbility to add additional domain controllers using backup media. ;educe the time it takes to add an additional domain controller in an e=isting domain by using backup media.

I-niversal group membership caching. !revent the need to locate a global catalog across a /A2 when logging on by storing universal group membership information on an authenticating domain controller.

I3ecure LDA! traffic. Active Directory administrative tools sign and encrypt all LDA! traffic by default. 3igning LDA! traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.

IActive Directory $uotas. Juotas can be specified in Active Directory to control the number of objects a user, group, or computer can own in a given directory partition. Domain Administrators and >nterprise &in'o(s Functional levels

In /indows '((( Active Directory domains is the concept of <i=ed and 2ative <odes. 1he default mi=ed mode allows both 21 and /indows '((( domain controllers to coe=ist. ,nce you convert to 2ative <ode, you are only allowed to have /indows '((( domain controllers in your domain. 1he conversion is a one way conversion introduced it cannot be reversed. In /indows 3erver '((), <icrosoft

forest and domain functional levels. 1he concept is rather similar to switching from <i=ed to 2ative <ode in /indows '(((. 1he new functional levels give you additional capabilities that the previous functional levels didn6t have. 1here are four domain functional levels.

0. /indows '((( <i=ed %supports 21KD'(((D'(() D#s& '. /indows '((( 2ative %supports '(((D'(() D#s& ). /indows 3erver '(() Interim %supports 21KD'(() D#s&

K. /indows 3erver '(() %supports only '(() D#s& And three forest functional levels.

0. /indows '((( %supports 21KD'(((D'(() D#s& '. /indows '((( Interim %supports 21KD'(() D#s& ). /indows 3erver '(() %supports only '(() D#s&

1o raise the domain functional level, you go to the properties of your domain in Active Directory Domains and 1rusts. 1o raise the forest functional level you go to the properties of Active Directory Domains and 1rusts at the root. ,f course, if your domains are not at the correct level, you won6t be able to raise the forest functional level. Directory partition

A directory partition, or naming conte=t, is a contiguous Active Directory subtree replicated on one, or more, /indows '((( domain controllers in a forest. 9y default, each domain controller has a replica of three partitions. the schema partition the #onfiguration partition and a Domain partition. 3chema partition It contains all class and attributes definitions for the forest. 1here is one schema directory partition per forest.

#onfiguration partition It contains replication configuration information %and other information& for the forest. 1here is one configuration directory partition per forest. Domain partition It contains all objects that are stored by one domain. 1here is one domain directory partition for each domain in the forest. Application Directory !artition

Application directory partitions are most often used to store dynamic data. An application partition can not contain security principles %users, groups, and computers&.1he :## generates and maintains the replication topology for an application directory partition Application. 1he application partition is a new feature introduced in /indows 3erver

'((). 1his partition contains application specific objects. 1he objects or data that applications and services store here can comprise of any object type e=cluding security principles. 3ecurity principles are -sers, "roups, and #omputers. 1he application partition typically contains D23 zone objects, and dynamic data from other network services such as ;emote Access 3ervice %;A3&, and Dynamic ?ost #onfiguration !rotocol %D?#!&. Dynamic Data. A dynamic entry is an object in the directory which has an associated time to

live %11L& value. 1he 11L for an entry is set when the entry is created. 3ecurity !rinciples ,bjects that can have permissions assigned to them and each contain security identifiers. 1he following objects are security principles.

o-ser o#omputer o"roup ;!#.

Active Directory uses ;!# over I! to transfer both intersite and intrasite replication between domain controllers. 1o keep data secure while in transit, ;!# over I! replication uses both the :erberos authentication protocol and data encryption. 3<1!.

If you have a site that has no physical connection to the rest of your network, but that can be reached using the 3imple <ail 1ransfer !rotocol %3<1!&, that site has mail based connectivity only. 3<1! replication is used only for replication between sites. Cou also cannot use 3<1! replication to replicate between domain controllers in the same domainLonly inter domain replication is supported over 3<1! %that is, 3<1! can be used only for inter site, inter domain replication&. 3<1! replication can be used only for schema, configuration, and global catalog partial replica replication.

3<1! replication observes the automatically generated replication schedule. #hanging of ntds.dit file from one Drive to another

0. 9oot the domain controller in Directory 3ervices ;estore mode and log on with the Directory 3ervices ;estore mode administrator account and password %this is the password you assigned during the Dcpromo process&. '. At a command prompt, typent dsut il.e=e. Cou receive the following prompt. ntdsutil. ). 1ypefiles to receive the following prompt.

file maintenance. K. 1ypeinfo. 2ote the path of the database and log files. F. 1o move the database, type move db to Ms %where Ms is the target folder&.

N. 1o move the log files, type move logs to Ms %where Ms is the target folder&. O. 1ype$uit twice to return to the command prompt. A. ;eboot the computer normally. D23 D23 %Domain 2ame system& Domain 2ame 3ystem %D23& is a database system that translates a computer@s fully $ualified domain name into an I! address. 1he local D23 resolver 1he following graphic shows an overview of the complete D23 $uery process. D23 Pones Borward lookup zone 2ame to I! address map. ;everse lookup zone I! address to name map.

!rimary Pones It ?olds ;ead and /rite copies of all resource records %A, 23, Q3;8&. 3econdary Pones which hold read only copies of the !rimary Pones. 3tub Pones #onceptually, stub zones are like secondary zones in that they have a read only copy of a primary zone. 3tub zones are more efficient and create less replication traffic.

3tub Pones only have ) records, the 3,A for the primary zone, 23 record and a ?ost %A& record. 1he idea is that if a client $ueries a record in the 3tub Pone, your D23 server can refer that $uery to the correct 2ame 3erver because it knows its ?ost %A& record. Jueries Juery types are. Inverse a "etting the name from the I! address. 1hese are used by servers as

security check. Iterative server 3erver gives its best answer. 1his type of in$uiry is sent from one

to another. ;ecursive #annot refer the $uery to another name server.

#onditional Borwarding

Another classic use of forwards is where companies have subsidiaries, partners or

people they know and contact regularly $uery. Instead of going the long way around using the root hints, the network administrators configure #onditional Borwarders !urpose of ;esource ;ecords

/ithout resource records D23 could not resolve $ueries. 1he mission of a D23 Juery is to locate a server that is Authoritative for a particular domain. 1he easy part is for the Authoritative server to check the name in the $uery against its resource records. 3,A %start of authority& recordeach zone has one 3,A record that identifies which D23 server is authoritative for domains and sub domains in the zone. 23 %name server& record An 23 record contains the BJD2 and I! address of a D23 server authoritative for the zone. >ach primary and secondary name server authoritative in the domain should have an 23 record. A %address& record 9y far the most common type of resource record, an A record is used to resolve the BJD2 of a particular host into its associated I! address. #2A<> %canonical name& record A #2A<> record contains an alias %alternate name& for a host. !1; %pointer& record the opposite of an A record, a !1; record is used to resolve the I! address of a host into its BJD2. 3;8 %service& record

An 3;8 record is used by D23 clients to locate a server that is running a particular serviceLfor e=ample, to find a domain controller so you can log on to the network. 3;8 records are key to the operation of Active Directory. <R %mail e=change& record An <R record points to one or more computers that process 3<1! mail for an organization or site. /here D23 resource records will be stored.

After running D#!;,<,, A te=t file containing the appropriate D23 resource records for the domain controller is created. 1he file called 2etlogon.dns is created in the MsystemrootM73ystem)'7config folder and contains all the records needed to register the resource records of the domain controller. 2etlogon.dns is used by the /indows '((( 2etLogon service and to support Active Directory for non /indows '((( D23 servers. !rocedures for changing a 3erver6s I! Address

,nce D23 and replication are setup, it is generally a bad idea to change a servers I! address %at least according to <icrosoft&. Sust be sure that is what you really want to do before starting the process. It is a bit kin to changing the Internal I!R number of A 2ovell server, but it can be done. 0. #hange the 3erver6s I! address '. 3top the 2>1L,",2 service. ). ;ename or delete 3C31><)'7#,2BI"72>1L,",2.D23 and 2>1L,",2.D29 K.

;estart the 2>1L,",2 service and run 4I!config DregisterD235 F.

"o to one of the other D#s and verify that its D23 is now pointing to the new I! address of the server. If not, change the records manually and give it 0F minutes to replicate the D23 changes out. N. ;un ;>!L<,2 and make sure that replication is working now. Cou may have to wait a little while for things to straighten out. "ive it an hour or two if necessary. If a server shows that it isn6t replicating with one of its partners, there are several issues to address. A. #heck to see that the servers can ping each other. 9. <ake sure that both servers6 D23 entries for each other point to the proper I! addresses

#. If server A says it replicated fine, but server 9 says it couldn6t contact 3erver A, check the D23 setup on 3erver 9. #hances are it has a record for 3erver A pointing to the wrong place. D. ;un 2etdiag and see if it reports any errors or problems. 1rust ;elationship I ,ne way trust /hen one domain allows access to users on another domain, but the other domain does not allow access to users on the first domain. I

1wo way trust domain. I

/hen two domains allow access to users on the other

1rusting domain domain. I 1rusted domain

1he domain that allows access to users on another

1he domain that is trusted, whose users have access to

the trusting domain. I 1ransitive trust A trust which can e=tend beyond two domains to other

trusted domains in the tree. I Intransitive trust domains. I >=plicit trust A trust that an administrator creates. It is not transitive and is one way only. I #ross link trust An e=plicit trust between domains in different trees or in the same tree when a descendentDancestor %childDparent& relationship does not e=ist between the two domains. I Borest trust /hen two forests have a functional level of /indows '((), A one way trust that does not e=tend beyond two

you can use a forest trust to join the forests at the root. I 3hortcut trust /hen domains that authenticate users are logically distant

from one another, the process of logging on to the network can take a long time. Cou can manually add a shortcut trust between two domains in the same forest to speed authentication. 3hortcut trusts are transitive and can either be one way or two way. /indows '((( only supports the following types of trusts. I 1wo way transitive trusts I ,ne way non transitive trusts. 9A#:-! Archive bit. 1he archive bit is used to determine what files have been backuped up previously on a /indows file system. 1he bit is set if a file is modified 1ypes of 9ackups. 2ormal the 3aves files and folders and shows they were backed up by clearing

archive bit. #opy 3aves files and folders without clearing the archive bit. Incremental Incremental backup stores all files that have changed since the last Bull, Differential or Incremental backup. 1he archive bit is cleared. Differential A differential backup contains all files that have changed since the last B-LL backup. 1he archive bit is not cleared. Daily 3aves files and folders that have been changed that day. 1he archive bit is

not cleared. <ultiple=ing.

<ultiple=ing sends data from multiple sources to a single tape or disk device. 1his is useful if you have a tape or disk device that writes faster than a single system can send data, which %at this point& is just about every tape device. <ultistreaming.

<ultistreaming establishes multiple connections, orthr e ads, from a single system to the backup server. 1his is useful if you have a large system with multiple ID, devices and large amounts of data that need backing up. 1o perform a backup, select +3tart+, +!rograms+, +Accessories+, +3ystem 1ools+, and +9ackup+. 1he /indows '((( +9ackup -tility+ will start. It has these tabs. 3ystem data.

0. 1he registry '. 3ystem startup files ). #omponent services data class registration database K. Active Directory %/indows '((( H '(() 3ervers only& F. #ertificate server database %/indows '((( H '(()3ervers only& N. 3C38,L folder %/indows '((( H '(() 3ervers only& 2on authoritative Active Directory restoresT #hanges are accepted from other domain controllers after the backup is done.

/hen you are restoring a domain controller by using backup and restore programs, the default mode for the restore is non authoritative. 1his means that the restored server is brought up to date with its replicas through the normal replication mechanism.

Authoritative Active Directory restores. #hanges are 2,1 accepted from other domain controllers after the backup is done.

Authoritative restore allows the administrator to recover a domain controller, restore it to a specific point in time, and mark objects in Active Directory as being authoritative with respect to their replication partners. Authoritative restore has the ability to increment the version number of the attributes of all objects in an entire directory. Cou can authoritatively restore only objects from the configuration and domain naming conte=ts. Authoritative restores of schema naming conte=ts are not supported. 1o perform an authoritative restore, you must start the domain controller in Directory 3ervices ;estore <ode. Authoritative ;estore >=ample

>.7ntdsutilUntdsutil ntdsutil. authoritative restore authoritative restore. restore sub tree ,-Ebosses,D#Eourdom,D#Ecom ,pening DI1 database... Done. 1he current time is (N 0O (F 0'.)K.0'. <ost recent database update occurred at (N 0N (F ((.K0.'F. Increasing attribute version numbers by 0(((((. #ounting records that need updating... ;ecords found.(( ( (( ( ((0' Directory 3tore Biles that are backed up Database file 3tored in 3ystem;oot721D37ntds.dit, it holds all AD objects and attributes. #ontains these tables. I 2tds.dit is the Active Directory database which stores the entire active

directory objects on the domain controller. 1he .dit e=tension refers to the directory information tree. 1he default location is the MsystemrootM72tds folder. Active Directory records each and every transaction log files that are associated with the 2tds.dit file. I >dbV.log is the transaction log file. >ach transaction file is 0( megabytes %<9&. /hen >db.log file is full, active directory renames it to >dbnnnnn.log, wherennnnn is an increasing number starts from 0. I >db.chk is a checkpoint file which is use by database engine to track the data

which is not yet written to the active directory database file. 1he checkpoint file act as a pointer that maintains the status between memory and database file on disk. It indicates the starting point in the log file from which the information must be recovered if a failure occurs. I ;es0.log and ;es'.log. 1hese are reserved transaction log files. 1he

amount of disk space that is reserved on a drive or folder for this log is '( <9. 1his reserved disk space provides a sufficient space to shut down if all the other disk space is being used. ;ecovery without ;estore uncommitted AD 1ransaction logs are used to recover

changes after a system crash. 1his is done by the system automatically without using a restore from a tape backup. ?ow to restore a domain controller system.

0. ;eboot the domain controller. '. !ress BA while booting. ). ,pen Advanced ,ptions <enu, select +Directory 3ervices ;estore <ode+. K. 3elect the correct /indows '((( 3erver operating system if more than one system is on the computer. F. During safe mode, press #1;L AL1 D>L. N. Log on as Administrator. O. 3elect +3tart+, +!rograms+, +Accessories+, +3ystem 1ools+, and +9ackup+.

A. -se the +;estore /izard+. W. After the restore, if an authoritative restore was done use the +ntdsutil+ command line utility. 1ype +authoritative restore+. 3ynta= for restoration of partial database format. restore subtree ,-E,-name, D#Edomainname, D#Erootdomain 1ype +restore database+ to make the entire database authoritative. 0(. ;eboot the Domain #ontroller. ?ow to 1ransfer the B3<, ;oles. 1o 1ransfer the 3chema <aster ;ole. 0. ;egister the3chmmg mt. dl l library by pressing 3tart U ;-2 and typing. regsvr)' schmmgmt.dll '. !ress ,:. Cou should receive a success confirmation. ). Brom the ;un command open an <<# #onsole by typing<<#.

K. ,n the #onsole menu, press AddD;emove 3nap in. F. !ress Add. 3elect Active Directory 3chema. N. !ress Add and press #lose. !ress ,:. O.

If you are 2,1 logged onto the target domain controller, in the snap in, right click the Active Directory 3chema icon in the #onsole ;oot and press #hange Domain #ontroller. A. !ress 3pecify... . and type the name of the new role holder. !ress ,:. W.

;ight click right click the Active Directory 3chema icon again and press ,peration <asters. 0(. !ress the #hange button. 00. !ress ,: all the way out. 1ransferring the B3<, ;oles via 2tdsutil 1o transfer the B3<, roles from the 2tdsutil command. #aution. -sing the 2tdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality. 0.

,n any domain controller, click 3tart, click ;un, type2 tdsut il in the ,pen bo=, and then click ,:. <icrosof t /indow s X8ersion F.'.)OW(Y %#& #opyright 0WAF '(() <icrosoft #orp. #.7/I2D,/3Untdsutil ntdsutil. '. 1yper o le s, and then press >21>;. ntdsutil. roles fsmo maintenance. 2ote. 1o see a list of available commands at any of the prompts in the 2tdsutil tool, typeG And then press >21>;. ). 1ypeco nne ctio ns, and then press >21>;. f smo maintenance. connections server connections. K. 1ype connect to server ms dc(K wherems dc(K is the name of the server you want to use, and then press >21>;. server connections. connect to server ms dc(K 9inding to ms dc(K ... #onnected ms dc(K using credentials of locally logg server connections. F. At the server connections. prompt, type$, and then press >21>; again. server connections. $

fsmo maintenance. N. 1ype transfer ZroleU. whereZr o le U is the role you want to transfer. Bor e=ample, to transfer the ;ID <aster role, you would type transfer rid master. ,ptions are. 1ransf er domain naming master 1ransfer infrastructure master 1ransfer !D# 1ransfer ;ID master 1ransfer schema master O. Cou will receive a warning window asking if you want to perform the transfer. #lick on Ces. A.

After you transfer the roles, type$ and press >21>; until you $uit 2tdsutil.e=e. W. ;estart the server and make sure you update your backup. 1o seize the B3<, roles by using 2tdsutil, follow these steps. #aution. -sing the 2tdsutil utility incorrectly may result in partial or complete loss of Active Directory functionality. 0. ,n any domain controller, click 3tart, click ;un, type2 tdsut il in the ,pen bo=, and then click ,:.

<icrosof t /indow s X8ersion F.'.)OW(Y %#& #opyright 0WAF '(() <icrosoft #orp. #.7/I2D,/3Untdsutil ntdsutil. '. 1yper o le s, and then press >21>;. ntdsutil. roles fsmo maintenance. 2ote. 1o see a list of available commands at any of the prompts in the 2tdsutil tool, type G, and then press >21>;. ). 1ypeco nne ctio ns, and then press >21>;. f smo maintenance. connections server connections. K. 1ype connect to server ms dc(K, where ms dc(K is the name of the server you want to use, and then press >21>;. server connections. connect to server ms dc(K 9inding to ms dc(K... #onnected to ms dc(K using credentials of locally lo server connections. F. At the server connections. prompt, type$, and then press >21>; again. server connections. $ fsmo maintenance. N.

1ype seize ZroleU, whereZro le U is the role you want to seize. Bor e=ample, to seize the ;ID <aster role, you would type seize rid master. ,ptions are. 3eize domain naming master 3eize infrastructure master 3eize !D# 3eize ;ID master 3eize schema master O. Cou will receive a warning window asking if you want to perform the seize. #lick on Ces. 2ote. All five roles need to be in the forest. If the first domain controller is out of the forest then seize all roles. Determine which roles are to be on which remaining domain controllers so that all five roles are not on only one server. A. ;epeat steps N and O until you@ve seized all the re$uired B3<, roles. W. After you seize or transfer the roles, type $, and then press >21>; until you $uit the 2tdsutil tool. 2ote. Do not put the Infrastructure <aster %I<& role on the same domain

controller as the "lobal #atalog server. If the Infrastructure <aster runs on a "# server it will stop updating object information because it does not contain any references to objects that it does not hold. 1his is because a "# server holds a partial replica of every object in the forest.


Dynamic host configuration protocol is used to automatically assign 1#!DI! addresses to clients along with the correct subnet mask, default gateway, and D23 server. 1wo ways for a computer to get its I! address. D)CP Scopes 3cope that A range of I! addresses that the D?#! server can assign to clients

are on one subnet. 3uper scope A range of I! addresses that span several subnets. 1he D?#!

server can assign these addresses to clients that are on several subnets. <ulticast scope A range of class D addresses from ''K.(.(.( to

')W.'FF.'FF.'FF that can be assigned to computers when they ask for them. A multicast group is assigned to one I! address. <ulticasting can be used to send messages to a group of computers at the same time with only one copy of the message. 1he <ulticast Address Dynamic #lient Allocation !rotocol %<AD#A!& is used to re$uest a multicast address from a D?#! server. DO#A D?#! Lease !rocess D?#! leases are used to reduce D?#! network traffic by giving clients specific addresses for set periods of time. D?#! Lease !rocess 0. 1he D?#! client re$uests an I! address by broadcasting a D?#!Discover message to the local subnet. '.

1he client is offered an address when a D?#! server responds with a D?#!,ffer message containing I! address and configuration information for lease to the client. If no D?#! server responds to the client re$uest, the client can proceed in two ways. IIf it is a /indows '(((Tbased client, and I! auto configuration has not been disabled, the client self configures an I! address for its interface. IIf the client is not a /indows '(((Tbased client, or I! auto configuration has been

disabled, the client network initialization fails. 1he client continues to resend D?#!Discover messages in the background %four times, every F minutes& until it receives a D?#!,ffer message from a D?#! server. ). 1he client indicates acceptance of the offer by selecting the offered address and replying to the server with a D?#!;e$uest message. K.

1he client is assigned the address and the D?#! server sends a D?#!Ack message, approving the lease. ,ther D?#! option information might be included in the message. F. ,nce the client receives acknowledgment, it configures its 1#!DI! properties using any D?#! option information in the reply, and joins the network.

In rare cases, a D?#! server might return a negative acknowledgment to the client. 1his can happen if a client re$uests an invalid or duplicate address. If a client receives a negative acknowledgment %D?#!2ak&, the client must begin the entire lease process again.

/hen the client sends the lease re$uest, it then waits one second for an offer. If a response is not received, the re$uest is repeated at W, 0), and 0N second intervals with additional ( to 0((( milliseconds of randomness. 1he attempt is repeated every F minutes thereafter. 1he client uses port NO and the server uses port NA. #lient ;eservation

#lient ;eservation is used to be sure a computer gets the same I! address all the time. 1herefore since D?#! I! address assignments use <A# addresses to control assignments, the following are re$uired for client reservation. 0& <A# %hardware& address '& I! address >=clusion ;ange

>=clusion range is used to reserve a bank of I! addresses so computers with static I! addresses, such as servers may use the assigned addresses in this range. 1hese addresses are not assigned by the D?#! server. Database files.


1he main database

D?#!.1<! 1emporary D?#! storage.

S>1V.L," 1ransaction logs used to recover data. 3C31><.<D9 -3ed to track the structure of the D?#! database. A!I!A If all else fails, then clients give themselves an Automatic I! address in the range 0NW.'FK.=.y where = and y are two random numbers between 0 and 'FK. 9,,1! 9,,1! or the bootstrap protocol can be used to boot diskless clients /I23 /I23 /I23 stands for /indows Internet 2ame 3ervice. /I23 is a 2et9I,3 2ame 3erver that registers your 2et9I,3 names and resolves into I! addresses. DB3

1he Distributed Bile 3ystem %DB3& allows files and directories in various places to be combined into one directory tree. ,nly /indows '((( H '(()3ervers can contain DB3 root directories and they can have only one. DB3 #omponents DB3 root DB3 A shared directory that can contain other shared directories, files,

links, and other DB3 roots. ,ne root is allowed per server. 1ypes of DB3 roots. 3tand alone DB3 root replicated, and 2ot published in Active Directory, cannot be

can be on any /indows '((( H '(() 3erver. 1his provides no fault tolerance with

the DB3 topology stored on one computer. A DB3 can be accessed using the 3ynta=. 773erver7DB3name Domain DB3 root can be It is published in Active Directory, can be replicated, and

on any /indows '((( H '(() 3erver. Biles and directories must be manually replicated to other servers or /indows '((( H '(() must be configured to replicate files and directories. #onfigure the domain DB3 root, then the replicas when configuring automatic replication. Links are automatically replicated. 1here may be up to )0 replicas. Domain DB3 root directories can be accessed using the 3ynta=. 77domain7DB3name DB3 link A pointer to another shared directory. 1here can be up to 0((( DB3 links for a DB3 root. II3 8irtual Directory. A virtual directory is a directory that is not contained in the home directory but appears to client browsers as though it were. /hat is I3A!IG Internet 3erver Application !rogramming Interface %I3A!I&, is an A!I developed to provide the application developers with a powerful way to e=tend the functionality of Internet Information 3erver %II3&. Although I3A!I e=tensions by no means are limited to II3, they are e=tensively used in conjunction with <3 II3. /hat is application poolG

Application !ools5 that can house a single or multiple web sites. It provides a convenient way to administer a set of /eb sites and applications and increase reliability, /hat is a #,< componentG Any 89N DLL is a #,< component, as is any /indows DLL or >R> that supports the #,< interfaces. ?ow many types of authentication securities are there in II3G In II3 there are K types of authentication security H Integrated windows Authentication. /hat is the 1ombstoneG /hat is the default tombstone life timeG ?ow to increase the tombstone life timeG 9asic, Anonymous, Digest

1he number of days before a deleted object is removed from the directory services. 1he default tombstone lifetime of N( days, /indows 3erver '(() sp0 the new default tombstone lifetime is 0A( days. Cou can check your tombstone lifetime using the following command which comes with /indows 3erver '(().

ds$uery V +#2EDirectory 3ervice,#2E/indows 21,#2E3ervices,#2E#onfiguration,D#Eyourdomain,D#Ecom+ scope base attr tombstonelifetime /hat is a session ,bjectG A 3ession ,bject holds information relevant to a particular user6s session. ?ow II3 can host multiple websites

1o distinguish between websites, II3 looks at three attributes. I 1he host header name I 1he I! number I 1he port number /hat is a host headerG

A host header is a string part of the re$uest sent to the web server %it is in the ?11! header&. 1his means that configuring II3 to use host headers is only one step in the approach to host multiple websites using host headers to distinguish between the websites. A configuration of the D23 server %usually means that you need to add an %A& record for the domain& is also re$uired, so the client can find the web server. >R#?A2"> 3>;8>; D3 !;,RC

D3!ro=y is the component in <icrosoft >=change 3erver '(() that provides an address book service to <icrosoft ,utlook clients. Although the name implies that this component provides only pro=y services, D3!ro=y provides both of the following services. 0. D3!ro=y emulates a <A!I address book service and sends pro=y re$uests to an Active Directory server. '. D3!ro=y refers ,utlook client $ueries to an Active Directory server. D3Access

1he >=change components that need to interact with Active Directory use D3Access to retrieve Active Directory information rather than communicating directly with domain controllers and global catalog servers

Borestprep /hen you use the DBorest!rep option, the >=change 3etup program e=tends the Active Directory schema to add >=change specific classes and attributes.

1o verify that the setup Dforestprep command completed successfully on a computer that is running <icrosoft /indows '((( 3erver in an >=change '((( environment, use either of the following methods. ILook for event ID 0FOF Domain!rep.

Domain!rep creates the groups and permissions necessary for >=change servers to read and modify user attributes in Active Directory. Cou must run Domain!rep before installing your first >=change server in a domain <A!I%<essaging Application !rogramming Interface& It is an e=tensive set of functions that developers can use to create mail enabled applications. >nables an application to send and receive mail over a <icrosoft <ail message system ;ecovery 3torage "roup.

;ecovery 3torage "roup is a new feature in >=change '((). 1he biggest advantage of this method is that it reduces the impact of restoring a single mailbo= from backup. >=merge tool. >=<erge is to recover the mailbo= data from the ;ecovery 3torage "roup. 3ince >=<erge creates a .pst file. List the services of >=change 3erver '(()G

<icrosoft >=change >vent <onitors folders and triggers events for server applications compatible with >=change 3erver F.F. <icrosoft >=change I<A!K It is a method of accessing electronic mail that are kept on a mail server. <icrosoft >=change Information 3tore

1he information store, which is the key component for database management in >=change 3erver, is actually two separate databases. 1he private information store database, !riv.edb, manages data in user mailbo=es. 1he public information store, !ub.edb, manages data in public folders. <icrosoft >=change <anagement

!rovides >=change management information using /indows <anagement Instrumentation %/<I&. If this service is stopped, /<I providers implemented to work in <icrosoft >=change <anagement, like message tracking and Directory Access, will not work. <icrosoft >=change <1A 3tacks Cou use >=change R.K(( services to connect to >=change F.F servers and other connectors %custom gateways&. <icrosoft >=change !,!) !,!) is a #lientD3ervice protocol in which e mail is received and held for you by your Internet server. <icrosoft >=change ;outing >ngine

1he >=change ;outing >ngine uses Link 3tate information for e mail routing. 1he ;outing >ngine will forward this information to the Advanced Jueuing >ngine. 1he default size of routing table log file is F( <9 and default age is seven days.

<icrosoft >=change 3ite ;eplication 3ervice

!rovides directory interoperability between >=change F.F and >=change '((( 3erver or >=change '((). 3ite ;eplication 3ervice %3;3& acts as a directory replication bridgehead server for an >=change site. 3;3 runs on >=change '((( and serves as a modified >=change F.F directory. 3;3 uses Lightweight Directory Access !rotocol %LDA!& to communicate to both the Active Directory[ directory service and the >=change F.F directory. 1o >=change F.F, 3;3 looks similar to another >=change F.F configurationDrecipients replication partner. <icrosoft >=change 3ystem Attendant

!rovides monitoring, maintenance, and Active Directory lookup services %for e=ample, monitoring of services and connectors, pro=y generation, Active Directory to metabase replication, publication of freeDbusy information, offline address book generation, mailbo= maintenance, and forwarding Active Directory lookups to a global catalog server&. If this service is stopped, monitoring, maintenance, and lookup services are unavailable. If this service is disabled, any services that e=plicitly depend on it cannot start. /hat are the >=change 3erver '(() 1roubleshooting >seutil commandsG >seutil Dmh

?ere is a simple switch to verify the state of an >=change database. All that eseutil Dmh does is to determine whether the last shutdown was clean or dirty. >seutil Dmh is ideal to practice getting to the right path and e=ecuting eseutil without doing any harm to the mailstore databases. >seutil Dml 3imilar to the Dmh, e=cept this switch performs an integrity check on log files, for e=ample, >((.log. >seutil Dmm

Dumps metadata from the database file %not the logs&. 3pecialist use only, I find the output fascinating but not very useful. >seutil Dmk

!rovides information about the checkpoint file. ?andy for troubleshooting backup D restore problems. /here Dmh used priv0.edb, remember to substitute the name of the checkpoint file >((.chk with Dmk.

>seutil Dk to check for damaged headers >seutil Dcc for troubleshooting >seutil Dd to defrag the .edb database >=ample. eseutil Dd e.7e=chsrvr7mdbdata7priv0.edb %,r other path to your store&

>seutil Dr to repair >=change '(() log files >seutil Dp will attempt to repair a corrupted store database >seutil Dy #opies a database, streaming file, or log file >seutil Dg 8erifies the integrity of a database >seutil Dm "enerates formatted output of various database file types. e.g. Dmh Isinteg -tility %Information 3tore Integrity #hecker& finds and eliminates errors from the public folder and mailbo= databases at the application level. it can recover data that >seutil cannot recover. ,ffline 3torage Biles %.,31& file

<icrosoft >=change 3erver locally stores its data in ,31 file on your storage Device. An ,31 file is a component ,f <icrosoft >=change 3erver and can6t

be used with <icrosoft ,utlook.

At the time of when e=change server crashes or when mailbo= is deleted from the e=change server, ,31 file gets inaccessible and remains on the users computer holding large part of emails, calendar, journals, notes, contacts, tasks etc. Advanced Jueuing >ngine %AJ>&

1he Advanced Jueuing >ngine %AJ>& is responsible for creating and managing message $ueues for e mail delivery. /hen AJ> receives a 3imple <ail 1ransfer !rotocol %3<1!& mailmsg object, this object will be forwarded to the <essage #ategorizer. 1he Advanced Jueuing >ngine then $ueues the <ailmsg object for message delivery based on the ;outing information provided by the ;outing >ngine process of >=change 3erver '((). ,utbound <ail Blow in >=change 3erver '(() ,utbound mail flows through an >=change 3erver deployment in the following manner.

0. <ail messages are sent from a client %<icrosoft ,utlook, ,utlook >=press, or ,utlook /eb Access, for e=ample& and are submitted to the local >=change store. '. 1he >=change store submits the message to the Advanced Jueuing >ngine. ). 1he Advanced Jueuing >ngine submits the message to the message categorizer. K.1he message categorizer validates the recipients of the message,

checks for proper recipient attributes, applies limits and restrictions, flags the message for local or remote delivery, and then returns the message to the Advanced Jueuing >ngine.

F. If for local delivery, the Advanced Jueuing >ngine submits the message to the Local Delivery $ueue, and the >=change store receives the message from the Local Delivery $ueue. Bor more information about the Advanced Jueuing >ngine,

N. If for remote delivery, the Advanced Jueuing >ngine submits the message to the ;outing >ngine. 1he ;outing >ngine determines the most efficient route for mail delivery, returns the message to the Advanced Jueuing >ngine, and, in turn, submits the messages for remote delivery. 1he messages are then sent via 3<1! to a remote 3<1! host or to the Internet. 1he following are the minimum re$uirements for outbound mail flow. I

>=change 3erver must have access to the Internet on port 'F. 1his access should not be blocked by firewalls or other network settings. Anonymous connections should be allowed. I 1he >=change 3erver 3<1! virtual server should be configured to use the default settings. I

1he public mail e=changer %<R& resource record configured on your public Domain 2ame 3ystem %D23& service should be accessible to all other Internet domains. 1he <R record should point to the >=change

server and must be identified before messages can be sent or received. I21>;8I>/ J->31I,23 /hat protocol and port does D?#! useG D?#!, like 9,,1! runs over -D!, utilizing ports NO and NA. /hat is the D?#! automatic backup timeG In fact, by default it@s N( minutes. Cou can change the fre$uency though ?ow many scopes you can create As a general recommendation, limit each D?#! server to having no more than 0,((( scopes defined for use.

/hen adding a large number of scopes to the server, be aware that each scope creates a corresponding need for additional incremental increases to the amount of disk space used for the D?#! server registry and for the server paging file Bor the best possible D?#! server design in most networks, it is recommended that you have, at most, 0(,((( clients per server. Advantage of LD! tool. ;eanimating Active Directory 1ombstone ,bjects we use LD! tool. ;epadmin to remove lingering objects repadmin Dremovelingeringobjects If there is set of )( hard disk configured for raid F if two hard disk failed what about data

9ecause of parity, information all data are available in case one of the disks fails. If

e=tra %spare& disks are available, then reconstruction will begin immediately after the device failure. ?owever if two hard disks fail at same time, all data are L,31. In short ;AID F can survive one disk failure, but not two or more. In ;aid F, suppose I have F ?DD of 0( 0( "9, after configuring the ;aid how much space does I have for utilized. 0 out of the total %eg if u r using F u will get only K because 0 goes for parity&.

?ere I am playing a key role Active Directory and 9ackup Administration. I need to check the backup logs, backing is completed successfully. /e have a <,< 1eam, it will generate the alerts in respective to <,<. I am taking care of AD Alert6s and backups. Like Disk space low issues, automated services, #!- -tilization, 3erver Availability, 3erver ?ealth check, ?ardware Bailures and D23 issues and moreover I can say user creations, DL #reations, <ail 9o= moments and I am in a part of taking care about the Anti virus bad clients. /e are using ?! ,83D tool to monitor the Jueue. All these issues. ;AID F and 0(G

#ommon 2ame%s&. ;AID F. 1echni$ue%s& -sed. 9lock level striping with distributed parity. Description. ,ne of the most popular ;AID levels, ;AID F stripes both data and parity

information across three or more drives. It is similar to ;AID K e=cept that it e=changes the dedicated parity drive for a distributed parity algorithm, writing data and parity blocks across all the drives in the array. 1his removes the +bottleneck+ that the dedicated parity drive represents, improving write performance slightly and allowing somewhat better parallelism in a multiple transaction environment, though the overhead necessary in dealing with the parity continues to bog down writes. Bault tolerance is maintained by ensuring that the parity information for any given block of data is placed on a drive separate from those used to store the data itself. 1he performance of a ;AID F array can be +adjusted+ by trying different stripe sizes until one is found that is well matched to the application being used.

;AIDF versus ;AID0( %or even ;AID) or ;AIDK& Birst let@s get on the same page so we@re all talking about apples. /hat is ;AIDFG

,: here is the deal, ;AIDF uses ,2LC ,2> parity drive per stripe and many ;AIDF arrays are F %if your counts are different adjust the calculations appropriately& drives %K data and 0 parity though it is not a single drive that is holding all of the parity as in ;AID ) H K but read on&. If you have 0( drives or say '("9 each for '(("9

;AIDF will use '(M for parity %assuming you set it up as two F drive arrays& so you will have 0N("9 of storage. 2ow since ;AID0(, like mirroring %;AID0&, uses 0 %or more& mirror drive for each primary drive you are using F(M for redundancy so to get the same 0N("9 of storage you will need A pairs or 0N '("9 drives, which is why ;AIDF is so popular. 1his intro is just to put things into perspective.

;AIDF is physically a stripe set like ;AID( but with data recovery included. ;AIDF reserves one disk block out of each stripe block for parity data. 1he parity block contains an error correction code which can correct any error in the ;AIDF block, in effect it is used in combination with the remaining data blocks to recreate any single missing block, gone missing because a drive has failed. 1he innovation of ;AIDF over ;AID) H ;AIDK is that the parity is distributed on a round robin basis so that 1here can be independent reading of different blocks from the several drives. 1his is why ;AIDF became more popular than ;AID) H ;AIDK which must synchronously read the same block from all drives together. 3o, if Drive' fails blocks 0,',K,F,N H O are data blocks on this drive and blocks ) and A are parity blocks on this drive. 3o that means that the parity on DriveF will be used to recreate the data block from

Disk' if block 0 is re$uested before a new drive replaces Drive' or during the rebuilding of the new Drive' replacement. Likewise the parity on Drive0 will be used to repair block ' and the parity on Drive) will repair blockK, etc. Bor block ' all the data is safely on the remaining drives but during the rebuilding of Drive'@s replacement a new parity block will be calculated from the block ' data and will be written to Drive '.

2ow when a disk block is read from the array the ;AID softwareDfirmware calculates which ;AID block contains the disk block, which drive the disk block is on and which drive contains the parity block for that ;AID block and reads ,2LC the one data drive. It returns the data block. If you later modify the data block it recalculates the parity by subtracting the old block and adding in the new version then in two separate operations it writes the data block followed by the new parity block. 1o do this it must first read the parity block from whichever drive contains the parity for that stripe block and reread the unmodified data for the updated block from the original drive. 1his read read write write is known as the ;AIDF write penalty since these two writes are se$uential and synchronous the write system call cannot return until the reread and both writes complete, for safety, so writing to ;AIDF is up to

F(M slower than ;AID( for an array of the same capacity. %3ome software ;AIDF@s avoid the re read by keeping an unmodified copy of the original block in memory.& 2ow what is ;AID0(G

;AID0( is one of the combinations of ;AID0 %mirroring& and ;AID( %striping& which are possible. 1here used to be confusion about what ;AID(0 or ;AID0( meant and different ;AID vendors defined them differently. About five years or so ago I proposed the following standard language which seems to have taken hold. /hen 2 mirrored pairs are striped together this is called ;AID0( because the mirroring %;AID0& is applied before striping %;AID(&. 1he other option is to create two stripe 3ets and mirror them one to the other, this is known as ;AID(0 %because the ;AID( is applied first&. In either a ;AID(0 or ;AID0( system each and every disk block is completely duplicated on its drive@s mirror. !erformance wise both ;AID(0 and ;AID0( are functionally e$uivalent. 1he difference comes in during recovery where ;AID(0 suffers from some of the same problems I will describe affecting ;AIDF while ;AID0( does not. 2ow if a drive in the ;AIDF array dies, is removed, or is shut off data is returned by reading the blocks from the remaining drives and calculating the missing data using

the parity, assuming the defunct drive is not the parity block drive for that ;AID block. 2ote that it takes K physical reads to replace the missing disk block %for a F drive array& for four out of every five disk blocks leading to a NKM performance degradation until the problem is discovered and a new drive can be mapped in to begin recovery. !erformance is degraded further during recovery because all Drives are being actively accessed in order to rebuild the replacement drive %see below&.

If a drive in the ;AID0( array dies data is returned from its mirror drive in a single read with only minor %N.'FM on average for a K pair array as a whole& performance reduction when two non contiguous blocks are needed from the damaged pair %since the two blocks cannot be read in parallel from both drives& and none otherwise. <irroringG

<irroring is one of the two data redundancy techni$ues used in ;AID %the other beingpar ity&. In a ;AIDsyste m using mirroring, all data in the system is written simultaneously to two hard disks instead of one\ thus the +mirror+ concept. 1he principle behind mirroring is that this 0((M data redundancy provides full protection against the failure of either of the disks containing the duplicated data. <irroring setups always re$uire an even number of drives for obvious reasons. 1he chief advantage of mirroring is that it provides not only complete

redundancy of data, but also reasonably fast recovery from a disk failure. 3ince all the data is on the second drive, it is ready to use if the first one fails. <irroring also improves some forms of readpe r for mance %though it actually hurts write performance.& 1he chief disadvantage of ;AID 0 is e=pense. that data duplication means half the space in the ;AID is +wasted+ so you must buy twice the capacity that you want to end up with in the array. !erformance is also not as good as some ;AID levels. !arity

<irroring is a data redundancy techni$ue used by some ;AID levels, in particular ;AID level 0, to provide data protection on a ;AID array. /hile mirroring has some advantages and is well suited for certain ;AID implementations, it also has some limitations. It has a high overhead cost, because fully F(M of the drives in the array are reserved for duplicate data\ and it doesn@t improve performance as much as data striping does for many applications. Bor this reason, a different way of protecting data is provided as an alternate to mirroring. It involves the use ofpar ity information, which is redundancy information calculated from the actual data values. #ross realm uses for ticket granting service for cross domain authentication. :erberos Authentication.After giving the password at client end checks the


stamp with domain controller of "lobal catalogue with the use of 21! protocol % port number 0') & If the time difference between the D# and client should not be e=ceed more than F mins.

After finishing the time stamp matching session ticket with encrypted password and it releases the two tickets with help of :D# % :ey distribution #entre &. ,ne is for sends the re$uest to logon and another one sends the permission whether accepting or not. After providing the authentication from :erberos LDA! finishes the logon process with port number )AW :erberos uses to protocols -D! and 1#! with same port number AA. After that it checks for password which is maintaining in D# if it matches it will start authenticating with domain. ;eplmon

;eplmon.e=e. Active Directory ;eplication <onitor 1his "-I tool enables administrators to view the low level status of Active Directory replication, force synchronization between domain controllers, view the topology in a

graphical format, and monitor the status and performance of domain controller replication. Cou can use ;epl<on to do the following. 0. 3ee when a replication partner fails. '. 8iew the history of successful and failed replication changes for troubleshooting purposes. ). #reate your own applications or scripts written in <icrosoft 8isual 9asic 3cripting >dition %893cript& to e=tract specific data from Active Directory. K. 8iew a snapshot of the performance counters on the computer, and the registry configuration of the server. F. "enerate status reports that include direct and transitive replication partners,

and detail a record of changes. N. Bind all direct and transitive replication partners on the network. O. Display replication topology. A. !oll replication partners and generate individual histories of successful and failed replication events. W. Borce replication. 0(. 1rigger the :nowledge #onsistency #hecker %:##& to recalculate the

replication topology. 00. Display changes that have not yet replicated from a given replication partner. 0'. Display a list of the trust relationships maintained by the domain controller being monitored.

0). Display the metadata of an Active Directory object@s attributes. 0K. <onitor replication status of domain controllers from multiple forests. ;epadmin.e=e. ;eplication Diagnostics 1ool

1his command line tool assists administrators in diagnosing replication problems between /indows domain controllers. Administrators can use ;epadmin to view the replication topology %sometimes referred to as ;epsBrom and ;eps1o& as seen from the perspective of each domain controller. In addition, ;epadmin can be used to manually create the replication topology %although in normal practice this should not be necessary&, to force replication events between domain controllers, and to view both the replication metadata and up to dateness vectors. ;epadmin.e=e can also be used for monitoring the relative health of an Active Directory forest. 1he operations replsummary, showrepl, showrepl Dcsv, and showvector Dlatency can be used to check for replication problems. -sually, the :nowledge #onsistency #hecker %:##& manages the replication topology for each naming conte=t held on domain controllers.

Important. During the normal course of operations, there is no need to create the replication topology manually. Incorrect use of this tool can adversely impact the replication

topology. 1he primary use of this tool is to monitor replication so that problems such as offline servers or unavailable LA2D/A2 connections can be identified. 0.?ow to conform if the software package deployed using group policy. ?as got installed in the user !#. '.in one D# one user has been deleted the ,- by admin0 **delete by one administrator, in other D# the same ,- is getting updated in admin ' %Lost and found object& ). what are the two attributes, which reflect while replication happening do u see the by using "!, *which software has been installed in the machines F.hw to install the software package for F(( machines**.can u just give the steps N. hw do deploy patch in enterprise environment O. hw to un install a package A.if :erberos fail, what will happen, is there any other authentication W. when you need to install D23 server in member servers, what is the use of it 0(. Active directory integrated D23 in member server installG 00. what the log files and what is the use of log files Answers. 0.3oftware deployment tools are there *3<3 *..!ackage**how to diploye*..3<s or some other tool**

<93A '.(.0 is compatible with <icrosoft -pdate and /indows 3erver -pdate 3ervices and the 3<3 Inventory 1ool for <icrosoft -pdate %I1<-&. <93A '.(.0 offers customers

improved /indows component support, e=panded platform support for R! >mbedded and NK bit /indows, as well as more consistent and less comple= security update management e=perience. -nless specifically noted, all references to <93A '.( in the <93A 1ech2et pages also apply to <93A '.(.0. Legacy !roduct 3upport. Bor customers using legacy products not supported by <93A '.(.0, <icrosoft -pdate, and /3-3, 3havlik 1echnologies provides a free <93A '.(.0 companion tool called 3havlik 2et#hk Limited. '.only one ,- you can create and delete *hw the same ,- name will come in

other machines ). "!<#***..gpo is one object in in group policy K. whats is the "!<#**..password policy***.hw u will apply**where u will apply

F.hirarchichy**site and domain and ,-*. N.F((**Distribution point%3<3&**. O.hw to deployed *..the enterprise environement*..

3-3. <icrosoft 3-3 is a free patch management tool provided by <icrosoft to help network administrators deploy security patches more easily. In simple terms, <icrosoft 3-3 is a version of /indows -pdate that you can run on your network.

3oftware -pdate 3ervices leverages the successful /indows Automatic -pdates service first available in /indows R!, and allows information technology professionals to configure a server that contains content from the live /indows -pdate site in their own /indows based intranets to service corporate servers and clients. 3oftware -pdate 3ervices 1he server features include. I

9uilt in security. 1he administrative pages are restricted to local administrators on the computer that hosts the updates. 1he synchronization validates the digital certificates on any downloads to the update server. If the certificates are not from <icrosoft, the packages are deleted. I

3elective content approval. -pdates synchronized to your server running 3oftware -pdate 3ervices are not made automatically available to the computers that have been configured to get updates from that server. 1he administrator approves the updates before they are made available for download. 1his allows the administrator to test the packages being deploying them. I

#ontent synchronization. 1he server is synchronized with the public /indows -pdate service either manually or automatically. 1he administrator can set a schedule or have the synchronization component of the server do it automatically at preset times. Alternatively, the administrator can use the 3ynchronize 2ow button to manually synchronize. I

3erver to server synchronization. 9ecause you may need multiple servers running <icrosoft 3-3 inside your corporation in order to bring the updates closer to your desktops and servers for downloading, <icrosoft 3-3 will allow you to point to another server running <icrosoft 3-3 instead of /indows -pdate, allowing these critical software updates to be distributed around your enterprise. I

-pdate package hosting fle=ibility. Administrators have the fle=ibility of downloading the actual updates to their intranet, or pointing computers to a worldwide network of download servers maintained by <icrosoft. Downloading updates might appeal to an administrator with a network closed to the Internet. Large networks spread over geographically disparate sites might find it more beneficial to use the <icrosoft maintained download servers. 1hese are the actual /indows -pdate download servers. In a scenario like this, an administrator would download and test updates at a central site, then point

computers re$uiring updates to one of the /indows -pdate download servers. <icrosoft maintains a worldwide network of these type servers. I

<ulti language support. Although the 3oftware -pdate 3ervices administrative interface is available only in >nglish or Sapanese, the server supports the publishing of updates to multiple operating system language versions. Administrators can configure the list of languages for which they want updates downloaded. I

;emote administration via ?11! or ?11!3. 1he administrative interface is /eb based and therefore allows for remote %internal& administration using Internet >=plorer F.F or higher. I

-pdate status logging. Cou can specify the address of a /eb server where the Automatic -pdates client should send statistics about updates that have been downloaded, and whether the updates have been installed. 1hese statistics are sent using the ?11! protocol and appear in the log file of the /eb server. Download 3oftware -pdate 3ervices 3erver 0.( with 3ervice !ack 0?>; > %))mb& <icrosoft 3-3 3erver limitations

1hough very good as what it does, <icrosoft6s patch management tool does have a few limitations. I It does not push out service packs\ you need a separate solution for that. I

It only handles patches at operating system level %including Internet >=plorer and II3&, but not application patches such as <icrosoft ,ffice, <icrosoft >=change 3erver, <icrosoft 3JL 3erver, etc. I It re$uires /indows '((( and up, so it cannot patch /indows 21 K systems. I It cannot deploy custom patches for third party software. I

It does not allow you to scan your network for missing patches, so you cannot check if everything has been installed correctly. 1here is no easy reporting system for this.

1his means that you still re$uire a patch management solution to perform the above tasks. <icrosoft does not plan to add the above features, since it promotes <icrosoft 3<3 server as a tool for that. 3o, <icrosoft 3-3 server is ideal for operating system patches if used in conjunction with a patch management tool. ;ead more on how to overcome 3-3@s limitations by using a )rd party tool

called "BI LA2guard 2etwork 3ecurity 3canner. /indows Automatic -pdate #lient

1o use 3-3 on your network you will need to use the /indows Automatic -pdate #lient. 1he client is based on the /indows Automatic -pdates technology that was significantly updated for /indows R!. Automatic -pdates is a proactive pull service that enables users with administrative privileges to automatically download and install /indows updates such as critical operating system fi=es and /indows security patches. 1he features include. I 9uilt in security. ,nly users with local administrative privileges can interact

with Automatic -pdates. 1his prevents unauthorized users from tampering with the installation of critical updates. 9efore installing a downloaded update, Automatic -pdates verifies that <icrosoft has digitally signed the files. I Sust in time validation. Automatic -pdates uses the /indows -pdate service technologies to scan the system and determine which updates are applicable to a particular computer. I 9ackground downloads. Automatic -pdates uses the 9ackground

Intelligent 1ransfer 3ervice %9I13&, an innovative bandwidth throttling technology built into /indows R! and newer operating systems, to download updates to the computer. 1his bandwidth throttling technology uses only idle bandwidth so that downloads do not interfere with or slow down other network activity, such as Internet browsing. I #hained installation. Automatic -pdates uses the /indows -pdate

technologies to install downloaded updates. If multiple updates are being installed and one of them re$uires a restart, Automatic -pdates installs them all together and then re$uests a single restart. I <ulti user awareness. Automatic -pdates is multi user aware, which means that it displays different -I depending on which administrative user is logged on. I <anageability. In an Active Directory environment, an administrator can

configure the behavior of Automatic -pdates using "roup !olicy. ,therwise, an administrator can remotely configure Automatic -pdates using registry keys through the use of a logon script or similar mechanism. I <ulti language support. 1he client is supported on localized versions of /indows. 1his update applies to the following operating systems. I

/indows '((( !rofessional with 3ervice !ack ' I /indows '((( 3erver with 3ervice !ack ' I /indows '((( Advanced 3erver with 3ervice !ack ' I /indows R! !rofessional I /indows R! ?ome >dition 2ote. /indows '((( 3ervice !ack ) %3!)& and /indows R! 3ervice !ack 0 %3!0& include the Automatic -pdates component,elimin a t in g the need to download the client component separately. Download /indows automatic updating %3-3 #lient&?>; > %0mb& Administrator #ontrol via !olicies

1he Automatic -pdates behavior can be driven by configuring "roup !olicy settings in an Active Directory environment. Administrators can use "roup !olicy in an Active Directory environment or can configure registry keys to specify a server running 3oftware -pdate 3ervices. #omputers running Automatic -pdates then use this specified server to get updates. 1he 3oftware -pdate 3ervices installation package includes a policy template file, /-A-.AD<, which contains the "roup !olicy settings described earlier in this paper. 1hese settings can be loaded into "roup !olicy >ditor for deployment. 1hese

policies are also included in the 3ystem.adm file in /indows '((( 3ervice !ack ), and will be included in the /indows 3erver '(() family, and in /indows R! 3ervice !ack 0. A. 21L< 3ystem Login !rocess. :erberos uses as its basis the2ee dham 3chr oe de r protocol. It makes use of a trusted third party, termed a key distribution center %:D#&, which consists of two

logically separate parts. an Authentication 3erver %A3& and a 1icket "ranting 3erver %1"3&. :erberos works on the basis of +tickets+ which serve to prove the identity of users.

1he :D# maintains a database of secret keys\ each entity on the network L whether a client or a server L shares a secret key known only to itself and to the :D#. :nowledge of this key serves to prove an entity@s identity. Bor communication between two entities, the :D# generates a session key which they can use to secure their interactions 1hese cur ity of the protocol relies heavily on participants maintaining loosely synchronized time and on short lived assertions of authenticity called:e r ber os tickets. /hat follows is a simplified description of the protocol. 1he following abbreviations will be used.

I A3 E Authentication 3erver I 1"3 E 1icket "ranting 3erver I 33 E 3ervice 3erver. I 1"1 E 1icket "ranting 1icket

9riefly, the client authenticates to A3 using a long term shared secret and receives a ticketfro m the A3. Later the client can use this ticket to get additional tickets for 33 without resorting to using the shared secret. 1hese tickets can be used to prove authentication to 33. In more detail. -ser #lient based Logon 3teps. 0. A user enters a username and password on theclie nt. '.

1he client performs a one way function on the entered password, and this becomes the secret key of the client. #lient Authentication 3teps.


1he client sends acle ar te =t message to the A3 re$uesting services on behalf of the user. 3ample message. +-ser RCP would like to re$uest services+. 2ote. 2either the secret key nor the password is sent to the A3. '.

1he A3 checks to see if the client is in its database. If it is, the A3 sends back the following two messages to the client. o <essage A. #lientD1"3 session key encrypted using the secret key of the user. o

<essage 9. 1icket "ranting 1icket %which includes the client ID, client network address, ticket validity period, and the clientD1"3 session key& encrypted using the secret key of the 1"3. ). ,nce the client receives messages A and

9, it decrypts message A to obtain the clientD1"3 session key. 1his session key is used

for further communications with 1"3. %2ote. 1he client cannot decrypt <essage 9, as it is encrypted using 1"3@s secret key.& At this point, the client has enough information to authenticate itself to the 1"3. #lient 3ervice Authorization 3teps. 0. /hen re$uesting services, the client sends the following two messages to the 1"3. o <essage #. #omposed of the 1icket "ranting 1icket from message 9 and the ID of the re$uested service. o <essage D. Authenticator %which is composed of the client ID and the timestamp&, encrypted using the clientD1"3 session key. '.

-pon receiving messages # and D, the 1"3 retrieves message 9 out of message #. It decrypts message 9 using the 1"3 secret key.

1his gives it the +clientD1"3 session key+. -sing this key, the 1"3 decrypts message D %Authenticator& and sends the following two messages to the client. o

<essage >. #lient to server ticket %which includes the client ID, client network address, validity period and #lientDserver session key& encrypted using the service@s secret key. o <essage B. #lientDserver session key encrypted with the clientD1"3 session key. #lient 3ervice ;e$uest 3teps. 0.

-pon receiving messages > and B from 1"3, the client has enough information to authenticate itself to the 33. 1he client connects to the 33 and sends the following two messages. o <essage > from the previous step %the client to server ticket, encrypted using service@s secret key&.

<essage ". a new Authenticator, which includes the client ID, timestamp and is encrypted usingclie ntDse r ve r session key. '.

1he 33 decrypts the ticket using its own secret key and sends the following message to the client to confirm its true identity and willingness to serve the client. o

<essage ?. the timestamp found in client@s recent Authenticator plus 0, encrypted using the clientDserver session key. ).

1he client decrypts the confirmation using the clientDserver session key and checks whether the timestamp is correctly updated. If so, then the client can trust the server and can start issuing service re$uests to the server. K. 1he server provides the re$uested services to the client.

Drawbacks I

3ingle point of failure. It re$uires continuous availability of a central server. /hen the :erberos server is down, no one can log in. 1his can be mitigated by using multiple :erberos servers. I

:erberos re$uires the clocks of the involved hosts to be synchronized. 1he tickets have time availability period and, if the host clock is not synchronized with the clock of :erberos server, the authentication will fail. 1he default configuration re$uires that clock times are no more than 0( minutes apart. In practice, 2etwork 1ime !rotocol daemons are usually used to keep the host clocks synchronized. I 1he administration protocol is not standardized, and differs between server implementations. !assword changes are described in ;B# )'KK. I 3ince the secret keys for all users are stored on the central server, a compromise of that server will compromise all users@ secret keys.

"roup policies successive event id 0O(K Bor "!-pdate events. 0F((,0F(0,0F(' and 0F() Bor 3<9 erros event id.0(FA and in '((( id 0((( solution. 0. ,n the domain controller, click 3tart, click ;un, type regedit, and then click ,:.

'. Locate and then click the following registry subkey. ?:>CQL,#ALQ<A#?I2>73C31><7#urrent#ontrol3et73ervices7lanmanserver7par am eters ). In the right pane, double click enablesecuritysignature, type 0 in the 8alue data bo=,

and then click ,:. K. Double click re$uiresecuritysignature, type 0 in the 8alue data bo=, and then click ,:. F. Locate and then click the following registry subkey. ?:>CQL,#ALQ<A#?I2>73C31><7#urrent#ontrol3et73ervices7lanmanworkstatio n7 parameters N. In the right pane, double click enablesecuritysignature, type 0 in the 8alue data bo=,

and then click ,:. O. Double click re$uiresecuritysignature, type ( in the 8alue data bo=, and then click ,:. A. After you change these registry values, restart the 3erver and /orkstation services. Do not restart the domain controller, because this action may cause "roup !olicy to change the registry values back to the earlier values.

W. ,pen the domain controller6s 3ysvol share. 1o do this, click 3tart, click ;un, type 773erverQ2ame73ysvol, and then press >21>;. If the 3ysvol share does not open, repeat

steps 0 through A. 0(. ;epeat steps 0 through W on each affected domain controller to make sure that each domain controller can access its own 3ysvol share.

00. After you connect to the 3ysvol share on each domain controller, open the Domain #ontroller 3ecurity !olicy snap in, and then configure the 3<9 signing policy settings. 1o do this, follow these steps.a. #lick 3tart, point to !rograms, point to Administrative 1ools, and then click Domain #ontroller 3ecurity !olicy. b. In the left pane, e=pand Local !olicies, and then click 3ecurity ,ptions. c. In the right pane, double click <icrosoft network server. Digitally sign communications %always&. 2ote In /indows '((( 3erver, the e$uivalent policy setting is Digitally sign server communication %always&.

Important If you have client computers on the network that do not support 3<9 signing, you must not enable the <icrosoft network server. Digitally sign communications %always& policy setting. If you enable this setting, you re$uire 3<9 signing for all client communication, and client computers that do not support 3<9 signing will not be able to connect to other computers. Bor e=ample, clients that are running Apple <acintosh ,3 R or <icrosoft /indows WF do not support 3<9 signing. If your network includes clients that do not support 3<9 signing, set this policy to disabled. d. #lick to select the Define this policy setting check bo=, click >nabled, and

then click ,:. e. Double click <icrosoft network server. Digitally sign communications %if client agrees&. 2ote Bor /indows '((( 3erver, the e$uivalent policy setting is Digitally sign server communication %when possible&. f. #lick to select the Define this policy setting check bo=, and then click >nabled. g. #lick ,:.

h. Double click <icrosoft network client. Digitally sign communications %always&. i. #lick to clear the Define this policy setting check bo=, and then click ,:. j. Double click <icrosoft network client. Digitally sign communications %if server agrees&. k. #lick to clear the Define this policy setting check bo=, and then click ,:. 0'. ;un the "roup !olicy -pdate utility %"pupdate.e=e& with the force switch. 1o do this,

follow these steps.a. #lick 3tart, click ;un, type cmd, and then click ,:. b. At the command prompt, type gpupdate Dforce, and then press >21>;. Bor more information about the "roup !olicy -pdate utility, click the following article number to view the article in the <icrosoft :nowledge 9ase. 'WAKKK'WAKKKD& A description of the "roup !olicy

-pdate utility

2ote 1he "roup !olicy -pdate utility does not e=ist in /indows '((( 3erver. In /indows '(((, the e$uivalent command is secedit Drefreshpolicy machineQpolicy Denforce. Bor more information about using the 3ecedit command in /indows '(((, click the following article number to view the article in the <icrosoft :nowledge 9ase. ''O)('''O)('D& -sing 3>#>DI1 to force a "roup !olicy refresh immediately

0). After you run the "roup !olicy -pdate utility, check the application event log to make sure that the "roup !olicy settings were updated successfully. After a successful "roup !olicy update, the domain controller logs >vent ID 0O(K. 1his event appears in the Application Log in >vent 8iewer. 1he source of the event is 3ce#li. 0K. #heck the registry values that you changed in steps 0 through O to make sure that the registry values have not changed.

2ote 1his step makes sure that a conflicting policy setting is not applied at another group or organizational unit %,-& level. Bor e=ample, if the <icrosoft network client. Digitally sign communications %if server agrees& policy is configured as +2ot Defined+ in Domain #ontroller 3ecurity !olicy, but this same policy is configured as disabled in Domain

3ecurity !olicy, 3<9 signing will be disabled for the /orkstation service.

0F. If the registry values have changed after you run the "roup !olicy -pdate utility, open the ;esultant 3et of !olicy %;3o!& snap in in /indows 3erver '((). 1o start the ;3o! snap in, click 3tart, click ;un, type rsop.msc in the ,pen bo=, and then click ,:. In the ;3o! snap in, the 3<9 signing settings are located in the following path. #omputer #onfigurationD/indows 3ettingsD3ecurity 3ettingsDLocal !oliciesD3ecurity ,ptions

2ote If you are running /indows '((( 3erver, install the "roup !olicy -pdate utility from the /indows '((( ;esource :it, and then type the following at the commmand prompt. gpresult Dscope computer Dv

After you run this command, the Applied "roup !olicy ,bjects list appears. 1his list shows all "roup !olicy objects that are applied to the computer account. #heck the 3<9 signing policy settings for all these "roup !olicy objects.