Windows Server Management Series, Volume 1
Windows Server Administration
T.R. Young, M.Sc., MCSE

Team Approach Limited, 2003
Ottawa, Ontario, Canada
Phone 613.721.2100
ISBN 0-9733207-0-2
Printed in Canada

Table of Contents

1. Introduction
   Editions
2. Security
   SAM
   DACL
   Permissions
   Inheritance
   Auditing
   Active Directory
3. Active Directory
   AD Organization
   Trusts
   Users
   Groups
   Domain Controllers
   FSMO
   DNS
   Publishing
   Schema
4. Resources
   MMC
   Filesystem
     Compression
     EFS
     Quotas
   Shares
     Web Sharing
     Client-Side Caching
     Dfs
   Printers
   Profiles
   Policies
   Installation
5. AD Troubleshooting
   Global Catalog
   Logon
   FSMO
   NTDSUtil
   RepAdmin
   Garbage Collection
   RootDSE
   Distinguished Name
   Sites
   DNS
   Replication
   REPLMON
   Restore the AD
   Log Files
Conclusion
Index

Chapter 1. Introduction

Microsoft introduced the Active Directory with the release of Windows 2000. This major release of Windows delivered an administrative architecture that will be a strong foundation for many years to come. This document is a guide to the many administrative features in Windows Server.
Windows Server Architecture

Although Windows has many administration features, its architecture was designed for the following.

- 32 or 64-bit operating system
- Preemptive multitasking
- Scalable with multiple processors
- Supports mission-critical applications
  - Memory protection
  - Recoverable file system
- Support for native Win32 applications plus Win16 and DOS applications, OS/2 and POSIX applications
- Configuration databases
  - The Registry is machine specific
  - The Active Directory is enterprise-wide
- Enhanced security
  - Kerberos authentication improves server connection time
  - Certificates can be stored on smart cards for authentication
  - Certificate Server can issue certificates for authentication

Editions

The Windows Server 2003 family includes the following products:

Windows Server 2003, Standard Edition
- For small businesses and departmental use.
- Supports file and printer sharing.
- Offers secure Internet connectivity.
- Allows centralized desktop application deployment.
- For more information, see the Windows Server 2003, Standard Edition Overview at www.microsoft.com.

Windows Server 2003, Enterprise Edition
- Built to support applications, Web services, and infrastructure, delivering high reliability and performance.
- Supports up to eight processors.
- Provides eight-node clustering and support for up to 32 GB of memory.
- Is available for Intel Itanium-based computers.
- Supports 64-bit computing platforms capable of supporting 8 processors and 64 GB of RAM.
- For more information, see the Windows Server 2003, Enterprise Edition Overview at www.microsoft.com.

Windows Server 2003, Datacenter Edition
- Built for the highest levels of scalability and availability.
- The most advanced Microsoft server operating system.
- Supports up to 32-way SMP and 64 GB of RAM.
- Supports 64-bit computing platforms capable of supporting 64 processors and 512 GB of RAM.
- Provides both eight-node clustering and load balancing services as standard features.
- For more information, see the Windows Server 2003, Datacenter Edition Overview at www.microsoft.com.

Windows Server 2003, Web Edition
- A new product within the Windows operating systems, provided for both Web serving and hosting.
- Is provided for building and hosting Web applications, Web pages, and XML Web Services.
- Is designed to be used primarily as an IIS 6.0 Web server.
- Provides a platform for rapidly developing and deploying XML Web services and applications that use ASP.NET technology, a key part of the .NET Framework.
- For more information, see the Windows Server 2003, Web Edition Overview at www.microsoft.com.

Chapter 2. Security

Authentication

Authentication is the process of identifying a user. This is normally done with a user name and password combination, but it can also be done with a certificate on a smart card and a PIN. Windows security demands a mandatory logon. If the authentication is successful, a SAT (Security Access Token) is issued. The SAT contains SIDs (Security IDentifiers) for the user and for all groups where the user is a member. SIDs are unique numbers used to identify security principals (e.g. users and groups). A copy of the SAT is attached to every process launched by the user.

Diagram: a SAT (Security Access Token) containing the user and group SIDs, attached to each Process.

Authorization

Once a user is authenticated, the user may wish to access a resource. To obtain access to the resource the user must be authorized to use the resource. In Windows, each resource is protected by a DACL (Discretionary Access Control List) which defines who has what kind of access to the resource. Windows security is designed as a discretionary access control system.
All resources are owned, and it is at the discretion of the owner who else has access to the resource. Owners are accountable for the access to their resource. It is not possible to restrict the owner in this responsibility.

When a resource is accessed by a process, the Windows Security Reference Monitor allows access only if the security principals defined in the SAT are allowed access as defined in the DACL. The DACL for a folder is accessed by selecting the Security tab in the properties dialog, as shown below.

Ownership

Setting the access permissions in a DACL is at the discretion of the owner of the object. The owner can specify that others can change permissions or take ownership. Administrators can take ownership of a resource and then control the DACL. The right to take ownership can be assigned with the Computer Security Policy. Ownership can be changed with the Advanced Security Settings dialog shown below.

Auditing

All security-related events can be audited. Examples of events are reading or writing a file, or changing a user's password.

SAM (Security Accounts Manager)

For centralized administration, Windows servers are managed with the Active Directory. However, a small number of computers can be configured in a workgroup, where there is no centralized administration. Workgroup computers do not access or create the Active Directory.

Every Windows server and workstation has a local SAM (Security Accounts Manager) database with local user and group accounts. In a workgroup environment, users authenticate locally on each computer. There is no connection between user accounts in the SAM database on one computer and user accounts in another computer's SAM database. If a user wants access to multiple computers, then an account for that user should be created on each of those computers.

Guest Account

In a workgroup environment, if a user needs access to 5 computers, you may wish to create a user account on each of the 5 computers for that user. Five passwords are maintained and must be specified to complete the authentication for each computer accessed.

If security is not important, the Guest account can be enabled. If the Guest account is enabled, then no authentication dialog is presented when a server is accessed. The remote access is authenticated with the Guest account and has whatever rights and permissions are assigned to the Guest account.

Local Logon

It is possible to authenticate to accounts in the local SAM database, even for computers that are members of a domain. The logon dialog allows the domain to be specified in the field labeled "Log on to". Although the domain is normally specified, you can also specify "(this computer)" to authenticate to a local SAM account. Access to the Active Directory is not possible with a local logon. Local account users can access the resources of the local computer, but other servers are not accessible without further authentication. Local user accounts are managed with the Computer Management console.

Keyboard Exercise: Find the local user accounts in the Computer Management console.

DACL (Discretionary Access Control List)

The DACL is a list of ACEs (Access Control Entries). Each entry defines access permissions for an individual or group of users. If no entry corresponds to a user, then access is denied. New in Windows 2000 security is the ability of an ACE to deny specific permissions. Windows processes all of the AccessDenied entries before the AccessAllowed entries, thereby giving precedence to the AccessDenied entries, i.e. if there is a conflict then the AccessDenied entry applies. If you deny permissions, the following dialog appears.
The following example DACL shows how the AccessDenied entries appear before the AccessAllowed entries.

Type  | Name       | Permission | Inherited From  | Apply To
Deny  | JoeUser    | Delete     | <not inherited> | This folder, ...
Allow | SalesGroup | Read       | <not inherited> | This folder, ...

Windows checks each ACE in a DACL as follows.

- Access is denied if an ACE denies access to any of the requested permissions.
- Access is allowed if all of the requested permissions are allowed in the DACL.
- Access is denied if any of the requested permissions are not explicitly allowed.

Consider the example DACL above, where JoeUser is a member of SalesGroup. The following table shows examples of access requests and the resulting access that is granted.

Access Request | Access Granted
Read           | Read access allowed to group members
Write          | No access - Write not specified
Read, Write    | No access - Write not specified
Read, Delete   | No access - Delete denied

Creator Owner

Normally users and groups are specified in an ACE, but there is a special trustee known as Creator Owner. This allows a default ACE to be established in a parent object which will be automatically set when the child object is created.

ACE on the parent           | ACE set on the child
Creator Owner: Full control | JoeUser: Full control - automatically set if JoeUser creates the file

For printer queues, Creator Owner is set to have the Manage Documents permission so that users can delete their own print jobs if necessary.

Keyboard Exercise: Find the DACL for a folder and look at both the standard and advanced view.

Permissions

The discussion of Windows security tends to be generic because the security system applies to different object types. People relate to file security best because it is the most commonly used aspect of computer security. Windows security also applies to printers, the registry, the Active Directory, and other resources. In all cases we have DACLs and SACLs, but the permissions are different.

Printer: Print; Manage Printers; Manage Documents; Read Permissions; Change Permissions; Take Ownership

Files: Full Control; Traverse Folder/Execute File; List Folder/Read Data; Read Attributes; Read Extended Attributes; Create Files/Write Data; Create Folders/Append Data; Write Attributes; Write Extended Attributes; Delete Subfolders and Files; Delete; Read Permissions; Change Permissions; Take Ownership

Registry: Full Control; Query Value; Set Value; Create Subkeys; Enumerate Subkeys; Notify; Create Link; Delete; Write DAC; Write Owner; Read Control

Active Directory: Full Control; List Contents; Read All Properties; Write All Properties; Delete; Delete Subtree; Read Permissions; Modify Permissions; Modify Owner; All Validated Writes; All Extended Rights; Create All Child Objects; Delete All Child Objects; Other Object Specific

The lists above show the special permissions for each object type. To simplify the user interface, permissions are grouped into commonly used sets called standard permissions. The following table shows how the standard permissions are defined for the file system (x marks a special permission included in the standard permission).

Special Permission           | Full Control | Modify | Read & Execute | Read | Write
Full Control                 | x            |        |                |      |
Traverse Folder/Execute File | x            | x      | x              |      |
List Folder/Read Data        | x            | x      | x              | x    |
Read Attributes              | x            | x      | x              | x    |
Read Extended Attributes     | x            | x      | x              | x    |
Create Files/Write Data      | x            | x      |                |      | x
Create Folders/Append Data   | x            | x      |                |      | x
Write Attributes             | x            | x      |                |      | x
Write Extended Attributes    | x            | x      |                |      | x
Delete Subfolders and Files  | x            |        |                |      |
Delete                       | x            | x      |                |      |
Read Permissions             | x            | x      | x              | x    |
Change Permissions           | x            |        |                |      |
Take Ownership               | x            |        |                |      |

The standard permissions are presented in the normal object security dialog. Special permissions are only made visible in the Advanced Security Settings dialog.

Keyboard Exercise: Look at the permissions in a DACL for a file, a printer, a registry key, and an Active Directory object and note the differences.

Inheritance

By default, child objects such as files inherit security permissions from a parent object, such as a folder.
With inheritance, any changes to the parent's DACL are propagated to the child.

Diagram: the parent's explicit permissions become inherited permissions on the child; child objects can also have explicit permissions of their own.

Inheritance can be disabled on any object by clearing the check box labelled "Allow inheritable permissions from parent to propagate to this object". The dialog shown to the right appears when you disable inheritance. Copying the parent permissions will give the same effective permissions after disabling inheritance. Removing the parent permissions will leave only the child's explicit permissions. Without inheritance, permission changes to the parent do not affect the child.

ACE Precedence

Explicit ACEs have precedence over inherited ACEs. The ACEs are processed and ordered in the DACL as follows.

1. Explicit Deny
2. Explicit Allow
3. Inherited Deny
4. Inherited Allow

Examples

Assume for the following that JoeUser is a member of SalesGroup.

Case | ACEs                                                               | Effective permissions for JoeUser
1    | SalesGroup Full control (explicit)                                 | Full control
2    | SalesGroup Full control (inherited)                                | Full control
3    | SalesGroup Full control (inherited); JoeUser Deny read (explicit)  | Deny read

In both cases, the explicit rights take precedence over the inherited rights.

Case | ACEs                                                               | Effective permissions for JoeUser
1    | JoeUser Deny read (explicit)                                       | Deny read
2    | JoeUser Deny read (inherited)                                      | Deny read
3    | JoeUser Deny read (inherited); SalesGroup Full control (explicit)  | Full control

Resetting Permissions on Child Objects

The Advanced Security Settings dialog has a check box labeled "Replace permission entries on all child objects with entries shown here that apply to child objects". Checking this option will present the following dialog before removing explicit permissions on child objects.

Inheritance Propagation

The inheritance propagation of an ACE can be controlled within the Advanced Security Settings dialog.
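The access check rules from the DACL section and the ACE ordering just described, as an added example that is not code from the manual: a Python model that sorts a DACL into explicit Deny, explicit Allow, inherited Deny, inherited Allow order and evaluates a request against the SIDs in a token. The SIDs, the permission bits and the JoeUser/SalesGroup ACEs are constructed for illustration.

```python
"""Model of the Windows DACL access check described in this chapter.

Added example, not code from the manual. SIDs and permission bits are
constructed for illustration; the evaluation order and the three rules
(any requested permission denied -> deny; all requested permissions
allowed -> allow; anything left unallowed -> deny) follow the text.
"""
from dataclasses import dataclass

# Permission bits used by the worked examples (constructed, not real masks).
READ, WRITE, DELETE = 0x1, 0x2, 0x4
FULL_CONTROL = READ | WRITE | DELETE

# Constructed SIDs. DACLs reference SIDs, never names, so renaming an
# account changes nothing here, while deleting and recreating it would.
JOE_SID = "S-1-5-21-1000-2000-3000-1001"
SALES_SID = "S-1-5-21-1000-2000-3000-2001"
JOE_SAT = {JOE_SID, SALES_SID}      # JoeUser is a member of SalesGroup


@dataclass(frozen=True)
class Ace:
    sid: str          # trustee
    allow: bool       # True = AccessAllowed, False = AccessDenied
    mask: int         # permissions granted or denied
    inherited: bool   # True if propagated from the parent object


def order_aces(dacl):
    """Canonical order: explicit Deny, explicit Allow, inherited Deny, inherited Allow."""
    return sorted(dacl, key=lambda a: (a.inherited, a.allow))


def access_check(sat, dacl, requested):
    """Return (granted, reason) for a token holding the SIDs in `sat`."""
    remaining = requested
    for ace in order_aces(dacl):
        if ace.sid not in sat:
            continue                          # ACE is for some other trustee
        if not ace.allow:
            if ace.mask & remaining:
                return False, f"denied by Deny ACE for {ace.sid}"
        else:
            remaining &= ~ace.mask            # these permissions are now allowed
            if remaining == 0:
                return True, "all requested permissions allowed"
    return False, "some requested permissions are not explicitly allowed"


def effective_permissions(sat, dacl):
    """Which single permissions the token would be granted, as a set of names."""
    names = {READ: "Read", WRITE: "Write", DELETE: "Delete"}
    return {name for bit, name in names.items() if access_check(sat, dacl, bit)[0]}


# The example DACL from the text: Deny JoeUser Delete, Allow SalesGroup Read.
EXAMPLE_DACL = [
    Ace(JOE_SID, allow=False, mask=DELETE, inherited=False),
    Ace(SALES_SID, allow=True, mask=READ, inherited=False),
]

# The inheritance examples: an explicit ACE beats an inherited one either way.
EXPLICIT_DENY_WINS = [
    Ace(SALES_SID, allow=True, mask=FULL_CONTROL, inherited=True),
    Ace(JOE_SID, allow=False, mask=READ, inherited=False),
]
EXPLICIT_ALLOW_WINS = [
    Ace(JOE_SID, allow=False, mask=READ, inherited=True),
    Ace(SALES_SID, allow=True, mask=FULL_CONTROL, inherited=False),
]

if __name__ == "__main__":
    for label, req in (("Read", READ), ("Write", WRITE),
                       ("Read, Write", READ | WRITE), ("Read, Delete", READ | DELETE)):
        print(f"{label:12} -> {access_check(JOE_SAT, EXAMPLE_DACL, req)}")
    print("explicit deny wins: ", effective_permissions(JOE_SAT, EXPLICIT_DENY_WINS))
    print("explicit allow wins:", effective_permissions(JOE_SAT, EXPLICIT_ALLOW_WINS))
```

Running it reproduces the access request table (only Read is granted) and both inheritance cases: the explicit Deny read leaves JoeUser with Write and Delete, while the explicit Full control is granted before the inherited Deny is ever reached.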
The "Apply onto" field provides the inheritance propagation options.

Auditing

There are three major activities in auditing.

- Specifying the major categories to be audited in the security policy
- Viewing the audit log in the Event Viewer
- Specifying which types of access to audit for each object in its SACL

Auditing is enabled in the computer security policy as shown in the dialog to the right. Auditing can be enabled for successful operations, such as a successful logon, or for failures, as in the example of an attempted logon where the password was specified incorrectly. Failure events may indicate that someone is trying to hack into your system or access restricted files. Audit transactions are stored in the Security Log and are viewable with the Event Viewer as shown below.

Auditing object access requires setting the SACL (System Access Control List) for the objects of interest. The SACL has the same structure as a DACL in that it is a list of ACEs (Access Control Entries). The DACL controls access to an object whereas a SACL controls which accesses are audited. The SACL specifies which types of access should be audited for specified users or groups. Access to the SACL is through the Advanced option in the object security dialog as shown below.

Keyboard Exercise: Enable auditing for logon events and then log on and off a few times. Use the Event Viewer to view these events.

Active Directory

The following table shows which groups have control of which AD naming contexts.

Administrative Group                   | Naming Context
Domain Admins (for each domain)        | Their domain
Enterprise Admins (in the root domain) | Configuration
Schema Admins (in the root domain)     | Schema

Active Directory ACEs (Access Control Entries) can apply to all objects or to specific object types. Through inheritance, an object-specific ACE can be set on an OU and applies to all objects of that type within the OU.

Diagram: three ACEs set on an OU (ACE 1 for User objects, ACE 2 for Shared Folder objects, ACE 3 for OUs), each applying only to the child objects of its own type.

Administration can be delegated by defining an ACE for an OU. For example, John can manage groups in one OU and Jane can manage groups in another.

Diagram: an ACE "John can manage Group objects" on one OU and an ACE "Jane can manage Group objects" on another.

Configuring DACLs for administration can become complex. To simplify this, Windows has a Delegation of Control wizard that defines common tasks. Administrators can select the common task and let the wizard set the DACL details. The following example shows that a predefined task might involve 2 or more ACEs that can automatically be set by the wizard.

- ACE 1 for the OU - FinanceAdmin can create User objects
- ACE 2 for User objects - FinanceAdmin can modify User objects

Active Directory inheritance works the same as with the file system, except that OUs are the containers and take the place of folders. The following diagrams show how inheritance propagation options are applied.

Diagram: the propagation options "This object only", "This object and all child objects" and "Child objects only", shown against a tree of child objects; an ACE restricted to "User objects" applies only to objects of that type, and the "apply within this container only" option stops the ACE at the first level and does not allow further propagation.

The gray check box for the ACE below indicates that it is inherited. The Advanced Security Settings dialog shows where the ACE is inherited from, or indicates that it is explicit (<not inherited>), and which objects inherit the permissions. The ACE has permissions that apply to the object and to each property/attribute within the object.

Chapter 3. Active Directory

The AD (Active Directory) is a database that stores enterprise-wide configuration information for entities such as:

- User information, such as name, password, etc.
- Group information, such as name, membership, etc.
- Computer information, such as name, role, etc.
- Printer information, such as name, driver, queue, etc.

Information about individual users, groups, etc. is represented by objects in the database. An object is like a database record. Attributes are the characteristics of an entity, such as name, password, membership, driver, etc. The AD schema defines each object type and its attributes. The schema is stored in the AD database and can be extended and modified.

The directory acts as the yellow pages for network resources. Resources are advertised by publishing related objects in the directory. Windows clients can query the directory to locate network resources. A search can specify particular attributes of a resource, such as:

- Printers that print color
- Printers that support double-sided duplex printing

Active Directory has many improvements over NT domains, as shown in the following table.
Feature                      | Active Directory           | NT Domains
Maximum size                 | 17TB for 1 million objects | 40,000-60,000 users
Structure                    | Hierarchical with OUs      | Flat list
Extensible                   | Yes                        | No
Delegation of administration | Fine control               | General categories
Replication control          | Sites and domains          | Domains only
Trusts                       | Automatic and complete     | Manual

AD Organization

Namespace

A namespace is a collection of uniquely named objects. Examples of hierarchically structured namespaces are the file system and the Active Directory.

Organizational Units

Users organize numerous files by using folders. Administrators organize the numerous AD objects with OUs (Organizational Units). OUs should be used to group objects that have a common administration group. For example, if an administrator is responsible for a group of users, then those users should be in a common OU.

Domains

A domain is a collection of servers, computers, users and other objects. A domain is a partition of the AD where the domain objects are stored together on specific domain controllers. Domains are organized into a tree structure, or a group of tree structures called a forest.

Trusts

NT Trusts

NT trusts are established manually and allow the potential access of resources in one domain by users in another domain. The reverse access is not automatic but can be established if a second trust is defined.

Domain A is the trusting (resource) domain and domain B is the trusted (account) domain. "A trusts B" means that users from B can potentially access resources in A. In drawing diagrams of domains and their trusts, we draw the trust as an arrow showing the direction of the trust (A -> B) rather than the opposite direction of the access (B accesses A).

- If A trusts B, B does not automatically trust A.
- If A trusts B and B trusts C, A does not automatically trust C.
- 2-way trusts require 2 one-way trusts (A trusts B and B trusts A).
- NT trusts must be defined between every pair of domains and are not transitive.

AD Trusts

AD 2-way transitive trusts are automatically created and follow the tree structure of the domain names. This creates a complete trust environment between all domains. Complete trust does not mean a lack of security. Security restrictions are established with DACLs. For interoperability, NT trusts can be established with NT domains.

Users

To successfully log on, users must identify themselves and satisfy a number of security restrictions.

1. Pass the name and password security check?
2. Pass the account restrictions?
   - Account enabled?
   - Within time restrictions?
   - From an appropriate computer?
3. Build the SAT (Security Access Token) containing:
   + User SID
   + Group SIDs
   + Group SIDs from nested membership
   + Rights as an individual user
   + Rights from group membership
4. Does the user have the right to log on?
5. Success

Predefined Users

Windows installs with the built-in accounts Administrator and Guest. Administrator has full control of the system. The user account can be renamed but not deleted. The account should only be used in emergencies and the password should be guarded carefully. Regular administration should be done with other user accounts that can be members of the Domain Admins group.

The Guest user account is to allow infrequent users to access the system. If this account is enabled, users without a valid user account will automatically be logged on as the Guest account. The Guest account is a potential security hazard and is disabled by default. If you intend to enable this user account, ensure that resources are properly secured with DACLs. Note that Guest is a member of Everyone.
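The NT versus AD trust rules from the Trusts section above, as an added example that is not from the manual: Python that stores each trust as a trusting -> trusted edge, computes which account domains can reach a resource domain under NT rules (direct trusts only) and under AD rules (two-way and transitive), and counts the trusts each model needs for complete trust. The domain names are constructed.

```python
"""Trust reachability: NT one-way, non-transitive trusts versus AD two-way
transitive trusts. Added example, not from the manual; domain names are
constructed. A trust is stored as (trusting, trusted), i.e. the arrow
"A trusts B", which lets users from B reach resources in A.
"""
from collections import deque
from itertools import permutations


def nt_account_domains(trusts, resource_domain):
    """NT: only domains the resource domain trusts directly can reach it."""
    return {trusted for trusting, trusted in trusts if trusting == resource_domain}


def ad_account_domains(trusts, resource_domain):
    """AD: every domain connected through the two-way transitive trust graph."""
    adjacent = {}
    for trusting, trusted in trusts:
        adjacent.setdefault(trusting, set()).add(trusted)
        adjacent.setdefault(trusted, set()).add(trusting)   # two-way
    seen, queue = {resource_domain}, deque([resource_domain])
    while queue:
        domain = queue.popleft()
        for neighbour in adjacent.get(domain, ()):
            if neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen - {resource_domain}


def nt_trusts_for_complete_trust(domains):
    """NT needs a one-way trust for every ordered pair of domains."""
    return [(a, b) for a, b in permutations(domains, 2)]


def ad_tree_trusts(parent_of):
    """AD creates one two-way transitive trust between each child and its parent."""
    return [(child, parent) for child, parent in parent_of.items()]


# Constructed NT example: A trusts B and B trusts C (a chain, no reverse trusts).
NT_CHAIN = [("A", "B"), ("B", "C")]

# Constructed AD forest: corp.example with two child domains.
AD_TREE = {"sales.corp.example": "corp.example", "eng.corp.example": "corp.example"}

if __name__ == "__main__":
    print("NT, who can reach A:", nt_account_domains(NT_CHAIN, "A"))   # {'B'}, never C
    print("NT, who can reach B:", nt_account_domains(NT_CHAIN, "B"))   # {'C'}
    ad = ad_tree_trusts(AD_TREE)
    print("AD, who can reach sales:", ad_account_domains(ad, "sales.corp.example"))
    print("NT trusts for complete trust among 3 domains:", len(nt_trusts_for_complete_trust(["A", "B", "C"])))
    print("AD trusts for the 3-domain tree:", len(ad))
```

Three NT domains need six one-way trusts for complete trust, while the three-domain AD tree needs two; whether a user then gets at a resource is still decided by that resource's DACL.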
Additional user accounts are easily created with the Active Directory Users and Computers console.

Rights

Users can be granted administrative rights using policies as shown below. Users can also obtain these same rights by becoming a member of a group that has the right.

SID (Security ID)

A unique number, or SID, is generated for each account that is created. Internal user references, like those in a DACL, use the SID rather than the user name. Renaming a user does not cause any problem for other user references because the SID number does not change.

If a user object is deleted, the SID is deleted and cannot be recovered. All references to that user become invalid. Recreating a user with the same name will not recover lost references in a DACL, because the SID for the new user will be different from that of the old user with the same name. If a new user replaces someone who has left your organization, it is easier to rename the old user object than to create a new one and also create all the security references.

Warning! Never delete a user account unless you also want to delete all references to the user, such as all references in DACLs.

User Principal Names

A user can log on with a pre-Windows 2000 user name and a specified domain name. An alternative is to use the UPN (User Principal Name). The UPN has the same format as an email address, e.g. jsmith@newdomain.com. The UPN has two parts: the user's common name and the UPN suffix. The UPN suffix is normally the user's logon domain, but can also be set to match the user's e-mail address. A user's UPN must be unique in the forest. UPN suffixes can be created via the Active Directory Domains and Trusts console.

Searching

Many of the user properties are only descriptive or not needed for basic operation of Windows. In many cases, administrators do not use these properties. When descriptive properties like phone numbers are specified, directory searches can then use these properties as the search criteria.

Keyboard Exercise: Use the Active Directory Users and Computers console to create a user and examine the user properties.

Groups

Most computer administration systems have the concept of a group of users. Security is simplified if you can specify security for a group rather than repeatedly specifying security definitions for each member of the group. In most cases computer security groups correspond to departments and divisions within your organization.

Security permissions should always be assigned to groups rather than individuals. This provides flexibility when the individual changes responsibilities and the security must change. If only one user needs a certain kind of security setting, set up a one-user group for this job function. If the user changes job functions, you simply remove the user from the group and add some other user who will take over the responsibility.

Local Groups

Windows includes a number of built-in local groups which have assigned rights to perform administrative tasks. Users can obtain these rights by becoming members of the groups. On member servers and workstations, local groups are managed with the Computer Management console. These local groups only have rights on the one computer. Built-in domain local groups on domain controllers are replicated to all domain controllers in the domain and have rights on all domain controllers. Domain groups are managed with the Active Directory Users and Computers console.

Distribution Groups

Distribution groups are not used by the Windows security system. They are intended for applications such as e-mail programs to establish distribution lists.

Active Directory Groups

Active Directory allows group nesting, i.e. groups can be members of groups. Ideally Active Directory would have only one type of group. For efficiency reasons, there are 3 types of groups which differ in membership and where they can be used.

Group        | Scope       | Membership
Domain local | Own domain  | Users and groups with scope in the domain
Global       | All domains | Users and global groups from the domain
Universal    | All domains | Users, global and universal groups from any domain

Keyboard Exercise: Use Active Directory Users and Computers to create one of each of the three types of groups: domain local, global, and universal.

Domain Controllers

The initial Windows Server installation results in a member server. A member server does not store the Active Directory database. If you wish the server to store the Active Directory database, you must upgrade the server to a Domain Controller. This is accomplished with either the DCPROMO utility or the Manage Your Server wizard.

Each DC (domain controller) maintains a copy of the domain directory. Updates are accepted by any DC and replicated to the other DCs. Multimaster replication ensures the consistency of the directory.

Diagram: two domain controllers, each holding User1, User2, Group1, Object1, ..., kept consistent by replication.

In addition to domain data replication, schema and configuration data is also replicated. Schema and configuration data is the same for the entire directory forest. Domain data is unique to each domain and is only replicated within the domain.

Diagram: a Domain Controller with Global Catalog replicating the Domain, Schema and Configuration NCs with two other Domain Controllers.

FSMO (Flexible Single Master Operation)

Multimaster replication is used to replicate the main domain database. This means that there is no central point of failure. The Active Directory provides normal functionality even if a domain controller is offline. There are five critical operations that are each handled by a single master, which holds the FSMO (Flexible Single Master Operation) role for that operation.
Forest-wide (one for the entire forest)
o Schema master handles schema changes
o Domain naming master checks names when creating new domains

Domain-wide (one for each domain)
o RID master allocates pools of relative identifiers (RIDs) to the domain controllers; every new SID in the domain is the domain SID plus a RID from such a pool, which is what keeps SIDs unique
o PDC emulator emulates an NT 4 Primary Domain Controller
o Infrastructure master maintains cross-domain links (references to objects in other domains)

DNS Domain Name System

DNS servers have a table of domain names with their associated IP addresses. When a client sends a query with a domain name, the server returns the associated IP address.

[Diagram: the DNS client asks "What is the IP address for www.msn.com?"; the server's data holds www.msn.com = 209.47.184.43 and it answers "www.msn.com is 209.47.184.43".]

DNS allows the authority for name definitions to be distributed to multiple servers by dividing the namespace into zones based on the hierarchy. Each DNS server is responsible for resolving DNS queries within its zone.

[Diagram: the DNS tree from the root through edu, com and org; under com sits msn with www, ftp and test below it. The msn.com zone covers these names, while test.msn.com is delegated to a zone of its own.]

Name resolution may involve consulting multiple DNS servers, each responsible for a different zone, as in the following sequence.

[Diagram: 1st query from the DNS client to its preferred DNS server; the preferred server then queries the root (2nd), the com DNS server (3rd), the msn.com DNS server (4th) and finally the test.msn.com DNS server (5th) before answering the client.]

DNS clients and servers cache the results of name resolution for a time (the TTL) specified by the DNS server that is authoritative for the record.

[Diagram: a web browser resolving URL www.msn.com asks the client resolver, which checks the HOSTS file and its own cache before sending the client-to-server query; the recursive DNS server consults its cache and its zones before sending server-to-server queries.]

Computer properties allow you to change the DNS computer name. The concatenation of the computer name and the domain DNS name gives the FQDN (Fully Qualified Domain Name).

Keyboard Exercise
Investigate your DNS server with the MMC DNS console.
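To see the delegation chain from the diagram rather than only the final answer, the following PowerShell walks it by hand, sending a query to each authoritative server in turn the way the preferred server does. It is an added example, not part of the book, and uses Resolve-DnsName and Get-DnsClientCache, which exist from Windows 8 and Windows Server 2012 on (in the book's era NSLOOKUP with `set norecurse` did the same one step at a time). The name being resolved and a.root-servers.net as the starting root server are assumptions, and the machine needs DNS access to the internet.

```powershell
# Added example (not from the book). Walks root -> com -> msn.com -> www.msn.com the way
# the preferred server does, by asking each server in the chain for the next delegation.
# Assumptions: a.root-servers.net is a root server; $name is the name to resolve.
$name = 'www.msn.com'

function Get-FirstA([string]$HostName) {
    # Resolve a server's name to one IPv4 address through the normal (recursive) path
    (Resolve-DnsName -Name $HostName -Type A -DnsOnly | Where-Object Type -eq 'A' | Select-Object -First 1).IPAddress
}

$server = Get-FirstA 'a.root-servers.net'
"start at root server a.root-servers.net ($server)"

$labels = $name.TrimEnd('.').Split('.')
for ($i = $labels.Length - 1; $i -ge 0; $i--) {
    $zone = $labels[$i..($labels.Length - 1)] -join '.'
    # A server that is not authoritative for $zone answers with a referral: the NS records of
    # the child zone (Authority section), usually with glue A records for those servers.
    $ans = Resolve-DnsName -Name $zone -Type NS -Server $server -DnsOnly -ErrorAction SilentlyContinue
    $ns  = $ans | Where-Object Type -eq 'NS' | Select-Object -First 1
    if (-not $ns) { "no further delegation below $zone; $server is authoritative"; break }
    $glue = $ans | Where-Object { $_.Type -eq 'A' -and $_.Name -eq $ns.NameHost } | Select-Object -First 1
    $server = if ($glue) { $glue.IPAddress } else { Get-FirstA $ns.NameHost }
    '{0,-14} delegated to {1} ({2})' -f $zone, $ns.NameHost, $server
}

# Final query to the server the walk ended on, then the copy the client resolver has cached
Resolve-DnsName -Name $name -Type A -Server $server -DnsOnly | Format-Table Name, Type, IPAddress, NameHost, TTL -AutoSize
Get-DnsClientCache -Entry $name -ErrorAction SilentlyContinue | Format-Table Entry, RecordType, Data, TimeToLive -AutoSize
```

The walk makes the trust relationships visible: each answer is only as trustworthy as the server that gave it, and the referral from the parent zone is what tells the resolver which servers to believe for the child. The cache query at the end shows the TTL counting down, which is the window during which a changed or poisoned record keeps being served without any further query.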
Publishing

Shared resources like shared folders and shared printers can be published in the Active Directory. Objects are created in the Active Directory to represent these shared resources. Users can then search the Active Directory for resources with specific properties, e.g. find printers in our site that can print in colour. By default, any authenticated user can browse these resources under Directory in My Network Places.

The visibility of the resource is controlled by the object's DACL, so visibility can be restricted by changing the DACL. To view the DACL with the Active Directory Users and Computers console, you must enable Advanced Features in the View menu. Having permissions on the directory object does not provide access to the resource itself: each resource has its own DACL (the share and NTFS permissions for a folder, the printer permissions for a printer) that controls access. The reverse also holds: hiding the object in the directory does not protect the resource, since its UNC path still works for anyone who knows or guesses it.

Schema

Each object type in the Active Directory stores different information:
o User objects have a name, password, phone number, etc.
o Groups have a list of members
o Printers have a name, driver, port, etc.
o Shared folders have a path

The individual pieces of information are known as attributes. All object types and attributes in the Active Directory are defined in its schema. When an object is created in the directory, the directory's ESE (Extensible Storage Engine) allocates space only for the attributes that have data. The schema also holds a default DACL for each class that is copied to newly created objects.

[Diagram: an object class in the schema (attribute definitions with their syntaxes, plus the default DACL) is instantiated to create a directory object instance with its own DACL.]

The schema can be viewed and modified with the Active Directory Schema snap-in. This snap-in is not available until you register it with the command regsvr32 schmmgmt.dll.

Keyboard Exercise
Run regsvr32 schmmgmt.dll and then add the Active Directory Schema snap-in to an MMC console.
Chapter 4. Resources

Windows Server administration involves creating a security environment to control access to network resources. The main network resources are the file system and shared printers. The MMC (Microsoft Management Console) hosts the administrative utilities that are used for server administration. The user's environment can be controlled with policies and mandatory profiles.

MMC Microsoft Management Console

MMC is a console environment that hosts snap-in modules providing management functionality. Most management and administration functions in Windows are performed with an MMC snap-in. Important consoles that use MMC are:
o Computer Management console
o Active Directory Users and Computers
o Domain Security Policy console
o Performance console for System Monitor

A set of snap-ins forms an administrative console that is saved in a file with the extension .MSC (Microsoft Saved Console). For example, typing DSA.MSC at the command line starts the Active Directory Users and Computers console.

The following console shows how MMC can host documentation from Microsoft's Knowledge Base alongside System Monitor, which is actively reporting on operations on the server.

[Screen image: an MMC console with a Link to Web Address window and a System Monitor window side by side.]

Keyboard Exercise
Run MMC and add the Link to Web Address snap-in and the System Monitor ActiveX control. Use the New Window from Here action to create two child windows within MMC as in the screen image above.

Filesystem

NTFS v5 has more features than any other Microsoft filesystem. NTFS v4 volumes are converted to NTFS v5 during an upgrade.

  Feature             FAT    FAT32   NTFS v4   NTFS v5
  Max size            4 GB   2 TB    16 EB     16 EB
  Security                           ●         ●
  Recoverable                        ●         ●
  POSIX support                      ●         ●
  Macintosh support                  ●         ●
  Long names                         ●         ●
  Compression                        ●         ●
  Quotas                                       ●
  Encryption                                   ●
  Property sets                                ●
  Junction points                              ●
  Link tracking                                ●
  AD support                                   ●

NTFS is recoverable because file system transactions are logged. If the filesystem becomes corrupt because of a system failure, the system checks the transaction log and automatically fixes any errors. The recovery is restricted to the file system infrastructure or metadata (e.g. the MFT, Master File Table). Problems such as lost clusters, which are common with the FAT filesystem, do not occur with NTFS. Although the file system metadata is protected, user data in the file contents may be lost. File contents can be protected using RAID technology.

Junction Points

Junction points provide a mechanism to create logical folders that take the user to folders on other volumes or to other folders on the same volume. They provide a way to logically reorganize the tree-structured file system without physically moving the files. The following diagram shows three junction points, represented by the top-left folders. The first points to another volume and is created with the Disk Management console. The other junction points, created with the LINKD command from the Resource Kit, can link to folders on the same or another volume.

[Diagram: folders on C: pointing to the D: volume (mounted with Disk Management) and, via LINKD, to folders on E: and on C: itself.]

Junction points are created on empty folders. Any valid local pathname can be mounted at the junction point. With junction points, local volumes do not need drive letters because they can be accessed through a junction point folder. This removes the 26-letter limit on the number of volumes. Drive letters can be removed from a volume with the Disk Management console.

Reparse Points

Either folders or files can be tagged as reparse points. The reparse point tag redirects requests to the appropriate file system filter. The junction point filter redirects the request to the target path. The remote storage filter redirects the request to the remote storage manager.
[Diagram: a normal I/O request goes straight through NTFS to the data; a request that hits a junction point reparse tag is handed to the junction point filter, and one that hits a remote storage tag is handed to the remote storage filter.]

Distributed Link Tracking

Distributed link tracking automatically updates shortcuts and OLE links when the destination files and folders are moved or renamed. When a file that is referenced by a link is moved to another volume, the Distributed Link Tracking server creates an object in Active Directory so that the file can be tracked. Distributed Link Tracking is supported by the Distributed Link Tracking Client and Server services. Because of the potentially large overhead, the server service is disabled by default in Windows Server 2003. Distributed Link Tracking can, for example, automatically update OLE links in an MS Word document when the referenced files are moved or renamed.

Property Sets - Multiple Data Streams

Property sets provide additional properties to any file or directory, as shown for the MS Word document example in the screen image. They are stored in alternate data streams of the file, so they are invisible in a normal directory listing and are lost when the file is copied to a FAT volume.

[Screen image: the Summary tab of a Word document's properties.]

Defragmentation: http://teamapproach.ca/trouble/Defragment.htm
Dynamic Disk: http://teamapproach.ca/trouble/DynamicDisk.htm

Compression

NTFS files can be compressed by simply checking the option in the Advanced Attributes property dialog. If a folder is compressed then all new files in it inherit the compression attribute. If files already exist within a folder when it is compressed, a dialog asks whether to apply the change to the subfolders and files as well.

Moved files retain their compression attribute; the destination folder's compression attribute does not affect a moved file.

  Source        Move to folder    Result
  Compressed    Compressed        Compressed
  Compressed    Uncompressed      Compressed
  Uncompressed  Compressed        Uncompressed
  Uncompressed  Uncompressed      Uncompressed

This holds only for moves within the same NTFS volume, where a move merely relinks the file. A move to a different volume is a copy followed by a delete and behaves like a copy.

The compression attribute of a copied file is inherited from the destination folder. The source file's compression attribute does not affect the result.
  Source        Copy to folder    Result
  Compressed    Compressed        Compressed
  Compressed    Uncompressed      Uncompressed
  Uncompressed  Compressed        Compressed
  Uncompressed  Uncompressed      Uncompressed

Keyboard Exercise
Experiment by compressing a file and then checking its compression attribute after you copy and move it to compressed and uncompressed folders.

EFS Encrypting File System

Files can be encrypted simply by checking the option in the Advanced Attributes dialog. If a folder is encrypted then any new files created in that folder are encrypted automatically. Encrypted files look normal to the user who owns them; other users get Access Denied when they try to open them, even if the NTFS permissions would allow it. Compression and encryption are mutually exclusive: a file can have one attribute or the other, not both.

Recovery Agents

Security principals that are defined as Recovery Agents can decrypt a user's files. The users who can open a file and the recovery agents for it are listed in the dialog that appears when you press the Details button in the Advanced Attributes dialog shown above; the recovery agents themselves are defined by the Encrypting File System policy under Public Key Policies in Group Policy or the local security policy. In a Windows 2000 domain the domain Administrator account is the recovery agent by default. The recovery agent can recover a file if the user account is deleted or if the user's key is lost. Because the recovery agent's private key can open every file in its scope, it should be exported to removable media and deleted from the machine, and only imported again when a recovery is needed.

Encryption Techniques

There are two basic types of encryption technique: symmetric and asymmetric encryption.

Symmetric Secret Key Encryption

A simple example of symmetric encryption is to shift the letters of the alphabet by some key, such as one position. Decryption shifts the letters back by the same key, as in the following diagram.

  Plaintext   The quick brown fox
  Encryption  (shift by 1)
  Ciphertext  Uif rvjdl cspxo gpy
  Decryption  (shift back by 1, using the same key)
  Plaintext   The quick brown fox

Asymmetric Public Key Encryption

Public key encryption is much more complex and uses two keys: one key to encrypt (lock) the data and a different key to decrypt (unlock) it. The public key can be known by anyone because it cannot decrypt the data.

  Plaintext   The quick brown fox
  Encryption  (with the public key)
  Ciphertext  eiv&l$3f%l les@4l'xq!
  Decryption  (with the private key)
  Plaintext   The quick brown fox
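EFS combines the two techniques: a symmetric key encrypts the file, and public key encryption protects that key once for each party who may open the file. The following PowerShell is an added example, not from the book and not EFS's own code: it models that design with .NET primitives (a random AES key standing in for the FEK, RSA-OAEP wrapping standing in for the DDF and DRF fields described in the next section) and shows that the recovery agent can reach the file through its own field but not through the user's. The key sizes, the "user" and "agent" key pairs and the sample text are assumptions; it runs on Windows PowerShell 5.1 (.NET 4.6 or later) or PowerShell 7.

```powershell
# Added example, not from the book and not EFS's own code: a model of the FEK / DDF / DRF
# design using .NET primitives (AES for the file, RSA-OAEP to wrap the key).
# Assumptions: 2048-bit keys, one user and one recovery agent, the sample text below.
$userRsa  = [System.Security.Cryptography.RSA]::Create(2048)   # user's key pair
$agentRsa = [System.Security.Cryptography.RSA]::Create(2048)   # recovery agent's key pair
$oaep     = [System.Security.Cryptography.RSAEncryptionPadding]::OaepSHA256

function Protect-Data {
    param([byte[]]$Plaintext, [System.Security.Cryptography.RSA[]]$PublicKeys)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.KeySize = 256; $aes.GenerateKey(); $aes.GenerateIV()   # the random FEK (plus an IV)
    $iv  = $aes.IV
    $ciphertext = $aes.CreateEncryptor().TransformFinalBlock($Plaintext, 0, $Plaintext.Length)
    # One wrapped copy of the FEK per key holder: [0] is the DDF (user), [1..] are DRFs (agents)
    $fields = New-Object System.Collections.ArrayList
    foreach ($k in $PublicKeys) { [void]$fields.Add($k.Encrypt($aes.Key, $oaep)) }
    $aes.Dispose()                       # the plain FEK never leaves this function
    [pscustomobject]@{ Ciphertext = $ciphertext; IV = $iv; KeyFields = $fields }
}

function Unprotect-Data {
    param($Protected, [System.Security.Cryptography.RSA]$PrivateKey, [int]$Field)
    # Only the matching private key can unwrap its field; any other key fails right here
    $fek = $PrivateKey.Decrypt($Protected.KeyFields[$Field], $oaep)
    $aes = [System.Security.Cryptography.Aes]::Create()
    $aes.Key = $fek; $aes.IV = $Protected.IV
    $plain = $aes.CreateDecryptor().TransformFinalBlock($Protected.Ciphertext, 0, $Protected.Ciphertext.Length)
    $aes.Dispose()
    [System.Text.Encoding]::UTF8.GetString($plain)
}

$bytes = [System.Text.Encoding]::UTF8.GetBytes('The quick brown fox')
$file  = Protect-Data -Plaintext $bytes -PublicKeys @($userRsa, $agentRsa)
'ciphertext {0} bytes, DDF {1} bytes, DRF {2} bytes' -f $file.Ciphertext.Length, $file.KeyFields[0].Length, $file.KeyFields[1].Length

Unprotect-Data $file $userRsa 0     # owner: DDF -> FEK -> plaintext
Unprotect-Data $file $agentRsa 1    # recovery agent: DRF -> FEK -> plaintext (works when the user's key is gone)
try { Unprotect-Data $file $agentRsa 0 } catch { "agent key cannot open the DDF: $($_.Exception.Message)" }
```

Two things the model makes concrete. Adding a recovery agent never re-encrypts the file, only adds another wrapped copy of the same FEK, which is why a file encrypted before an agent was defined is not recoverable by that agent until it is touched again. And whoever holds any one of the private keys has the file, so the agent's key deserves the same care as the data it can recover. On a real system `cipher /c file` lists the DDF and DRF entries of an encrypted file.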
Encrypted File System

EFS files are encrypted with a randomly generated symmetric FEK (File Encryption Key). The FEK is encrypted with the user's public key and attached to the encrypted file as the DDF (Data Decryption Field). When the user accesses the file, the DDF is decrypted with the user's private key to recover the FEK, which is then used to decrypt the ciphertext. For emergencies the FEK is also encrypted with the public key of each recovery agent and stored with the file as the DRF (Data Recovery Field), so a recovery agent can also recover the FEK if necessary.

[Diagram: the plaintext "The quick brown fox" is encrypted with the random FEK into the ciphertext; the FEK is stored twice with the file, encrypted with the user's public key (DDF) and with the recovery agent's public key (DRF); decrypting the DDF with the user's private key yields the FEK, which decrypts the ciphertext back to the plaintext.]

EFS is therefore only as strong as the protection of the private keys: the user's key is protected by the user's logon credentials, and the recovery agent's key by wherever it is stored.

Quotas

Disk space usage by individual users can be monitored and limited. A maximum disk usage and a warning level can be set. Disk space usage is charged to the owner of the file. Quotas are set per volume on NTFS volumes. The quota amount is the logical number of bytes in the file: it does not include cluster waste, nor does it give credit if the file is compressed. Enable the quota system in the volume's property dialog, as shown below. Once enabled, all file space is charged to the file owners. Each user's usage can be reviewed in the Quota Entries dialog. The Administrators group always has no limit, and files created by an administrator are owned by that group.

[Screen images: the Quota tab of the volume properties dialog and the Quota Entries window.]

Keyboard Exercise
Enable the quota system and then check the Quota Entries.

Shares

Sharing folders with other network users is easy. Select the folder and open its property dialog. The Sharing tab has a Share this folder option, as shown in the following dialog.

[Screen image: the Sharing tab of a folder's properties.]

Shares have their own DACL that provides an additional security restriction for network access. For a network user both the share DACL and the NTFS DACL are evaluated and the more restrictive of the two wins; the share DACL plays no part for a user logged on at the server's console.
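The following PowerShell is an added example, not from the book, that sets both DACLs on a new share deliberately, shows them side by side, and then audits every share on the server for the classic mistake of granting Everyone Full Control at the share level. It uses the SmbShare cmdlets from Windows Server 2012 and later (the book's era used the Sharing tab and CACLS, given in a comment). The folder path, the share name and the group FABRIKAM\FS01-Sales-Modify are assumptions.

```powershell
# Added example, not from the book: a share with both DACLs set deliberately, then an
# audit of every share on the server. SmbShare cmdlets need Server 2012+; the CACLS
# equivalent of the book's era is in a comment.
# Assumptions: the folder path, the share name and the FABRIKAM\FS01-Sales-Modify group.
$path  = 'D:\Shares\Sales'
$group = 'FABRIKAM\FS01-Sales-Modify'
New-Item -ItemType Directory -Path $path -Force | Out-Null

function New-Ace([string]$Identity, [string]$Rights) {
    # Helper: an Allow ACE that applies to the folder, its subfolders and its files
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, 'Cont­ainerInherit,ObjectInherit', 'None', 'Allow'
}

# 1. NTFS DACL is the real control: stop inheriting (drops the BUILTIN\Users Read that
#    every new folder on the system drive inherits), then grant explicitly
$acl = Get-Acl -Path $path
$acl.SetAccessRuleProtection($true, $false)
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl'))
$acl.AddAccessRule((New-Ace $group                   'Modify'))
Set-Acl -Path $path -AclObject $acl
# (2003 era: CACLS D:\Shares\Sales /T /G Administrators:F SYSTEM:F "FABRIKAM\FS01-Sales-Modify":C)

# 2. Share DACL: the same group gets Change, administrators Full, and there is no Everyone entry
New-SmbShare -Name 'Sales' -Path $path -ChangeAccess $group -FullAccess 'BUILTIN\Administrators' | Out-Null
Revoke-SmbShareAccess -Name 'Sales' -AccountName 'Everyone' -Force -ErrorAction SilentlyContinue

# 3. Side by side. A network user's effective access is the intersection of the two lists;
#    a console user is only subject to the NTFS list.
Get-SmbShareAccess -Name 'Sales' | Format-Table AccountName, AccessControlType, AccessRight -AutoSize
(Get-Acl -Path $path).Access | Format-Table IdentityReference, AccessControlType, FileSystemRights -AutoSize

# 4. Audit: non-administrative shares whose share DACL hands Full Control to everybody
Get-SmbShare | Where-Object { -not $_.Special } | ForEach-Object {
    Get-SmbShareAccess -Name $_.Name | Where-Object {
        $_.AccountName -in @('Everyone', 'NT AUTHORITY\Authenticated Users') -and $_.AccessRight -eq 'Full'
    } | Select-Object Name, AccountName, AccessRight
}
```

The audit in step 4 is not an error in itself: a share with Everyone Full Control is acceptable when the NTFS DACL underneath is correct, and many administrators configure shares that way on purpose. What it lists are the shares where the NTFS DACL is the only thing standing between the network and the data, which are the ones to check first.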
The share DACL can be changed by pressing the Permissions button. Note that the permissions available here (Full Control, Change, Read) are much simpler than the file system permissions. The default share DACL grants Everyone Read on Windows Server 2003 (Everyone Full Control on Windows 2000), so a newly created share relies on the NTFS DACL for its security.

Connecting to Shared Resources

Network shares are easily accessed by users browsing My Network Places, as shown in the hierarchy to the right. Shares can also be mapped to local drive letters with the Map Network Drive dialog.

HINT! Another way to access shares is to specify a UNC (Uniform Naming Convention) path in the format \\server\share in the Start | Run | Open field. Normally Start | Run | Open is used to start an executable program, but if a path is specified, Explorer displays that folder.

Authentication

Users who log on with a domain account are authenticated to all servers within the domain. If you try to connect to a remote server where you are not authenticated, a dialog asks for a user name and password. If the Guest account is enabled on that server, you are connected as Guest without being asked. Guest is disabled by default on Windows Server and should stay that way on any server holding data that is not public.

Shared Folders console

The Shared Folders console can be used to:
o Create, delete, and view shares
o Monitor and disconnect sessions
o Monitor and close open files

Keyboard Exercise
Look at the Shares that appear in the Computer Management console, as shown in the dialog above.

Web Sharing

By default the Windows Server web site is located at C:\INETPUB\WWWROOT. Files stored at that location are accessible from the server's web site at its DNS address, e.g. http://server.newdomain.com. Subfolders such as C:\INETPUB\WWWROOT\FOLDER are accessed as http://server.newdomain.com/folder. Other folders which are not subfolders of C:\INETPUB\WWWROOT can also be added to the web site by activating web sharing in the folder's properties dialog, as shown below. The end result is that the folder can be accessed over HTTP with the web address shown in the diagram below. Web sharing creates an IIS virtual directory, so the Web Sharing tab only appears when IIS is installed. Anonymous web requests run as the IIS anonymous account (IUSR_computername), so the NTFS DACL on the folder decides what an unauthenticated browser can read, and the folder should contain nothing you would not publish.
[Diagram: C:\inetpub\wwwroot is the web root, reached as http://server.newdomain.com; the web-shared folder C:\myweb becomes a virtual directory reached as http://server.newdomain.com/myweb.]

Client-Side Caching

Client-side caching allows server files to be designated for offline work so that a copy of the files is cached on the client computer.

[Diagram: server files with a cached copy on the client side.]

When the client is offline, the files are available from the locally cached copy but are accessed in exactly the same way as if they were stored on the server, i.e. UNC paths and mapped drives still work. When the client comes back online, the files are synchronized.

Client-side caching is enabled on the Offline Files tab of the Folder Options dialog, from the Explorer Tools menu.

Individual files and folders can be designated for offline work, or pinned into the cache. Right-clicking a network folder gives the option Make Available Offline. A wizard starts and ends with a confirmation dialog. Automatic caching is an alternative to pinning. The quantity of space allocated to automatic caching is shown in the same dialog. Automatic caching does not guarantee that a particular file will be available. Caching can also be configured on the server side, per share, with the Caching button on the Sharing tab.

Synchronization is the process that ensures that the local files and the server files are identical. Use the Synchronization Settings dialog to configure synchronization to occur:
o At logon and logoff
o In the background
o As a scheduled event

Note that the offline cache puts a copy of the server's data on the client disk (under %SystemRoot%\CSC), so a laptop that caches a sensitive share carries that data with it. On Windows XP the Offline Files tab has an option to encrypt the cache with EFS; for a share that must not leave the building, disable caching on the server side instead.

Dfs Distributed File System

Network file shares can be reorganized into a logical namespace with Dfs. The Dfs root is shared and accessed as a normal network share. The server where the data is actually stored becomes transparent to the user.
Dfs links point to other network shares using UNC names. Alternative paths (replicas) provide fault tolerance and load balancing, as shown in the following diagram. Dfs can be nested, in that a link can point to another Dfs volume.

[Diagram: a Dfs volume whose links point to shares on several servers; one link points to another Dfs volume, and one has alternate paths to two servers.]

NT servers can host a Dfs volume, and Windows 95 can be a Dfs client. A Dfs volume can be hosted on a standalone server, which becomes a potential single point of failure, or in the Active Directory (domain-based Dfs), where the volume information is automatically replicated.

Clients cache the destination of Dfs links. In the case of alternative paths, all paths are cached and the client randomly picks one. If the connection fails, another path is chosen. Some applications may fail as a result of this failover. The alternate paths of a link are only interchangeable if their contents and permissions are kept identical, which Dfs does not do by itself unless FRS replication is configured for them.

Dfs servers should be within the same security boundary (i.e. the same Active Directory forest), because the same security credentials are used to connect to all servers.

Printers

Printers are created with the Add Printer icon in the Control Panel. The printer name, driver, and destination port must be specified. Each logical printer defined represents a print queue. More than one logical printer can connect to a physical printer. Print queues can define a priority and hours of active printing.

[Diagram: three logical printers (high priority 24 hours, low priority 24 hours, nighttime printing only) feeding one physical printer.]

Clients connect with the Control Panel and the drivers download automatically. When the printer is created the print driver is installed into the folder ...\system32\spool\drivers. This folder is automatically shared as print$ so that clients can have the driver downloaded automatically when they connect to the printer. Drivers for NT, Windows 9x, and Itanium can also be loaded, as shown in the following dialog.

When a shared printer is created, it is automatically published in the Active Directory. The printer object is only visible in Active Directory Users and Computers when Users, Groups, and Computers as containers is enabled in the View menu.
The printer appears within the computer container, as shown in the dialog below. To make the printer visible to regular users, it should be moved to a normal container such as an OU.

Security

Access to printers is controlled by a DACL. The standard permissions are Print, Manage Printers, and Manage Documents. Administrators, Power Users, Print Operators and Server Operators are given full control by default. Everyone has Print access, so anyone can send output to the printer, and the Manage Documents permission is granted to CREATOR OWNER so that users can manage their own documents but not those of others. Print access can be audited by setting the SACL.

Remote management includes:
o Viewing the print queue
o Pausing and resuming a document
o Deleting a document from the queue
o Changing the print order
o Changing the printer's properties

Keyboard Exercise
Use the Add Printer icon in the Control Panel to create a new printer. Use the Generic/Text Only driver to create a fake, experimental printer object. Once created, investigate the printer properties.

Profiles

A computer's working environment is presented to the user upon logon. The environment is the combination of user settings and machine settings.

User settings:
o Desktop
o Folders
o Software

Machine settings:
o Boot options
o Device drivers
o Services
o Network settings

The user's environment is known as the user profile. It consists of the user's registry settings and all of the files and shortcuts that make up the user interface, including the desktop, start menu, etc. By default the user profile is stored on the system drive at \Documents and Settings\UserName. The registry hive files for the machine settings are stored at ...\System32\config.
Common user environment configuration is stored at \Documents and Settings\All Users. NTUSER.DAT and the System32\config hive files combine to create the Registry, and the other files in Documents and Settings combine to create the desktop environment, as shown in the following diagram. All combined, this creates the working environment.

[Diagram: Registry = machine hives from System32\config + the user's NTUSER.DAT; Desktop = files from All Users + files from the user's own profile folder.]

Local User Profile

A user's local profile is stored on the local disk and is initialized, the first time the user logs on, from a default configuration stored at Documents and Settings\Default User.

[Diagram: at first logon the Default User profile is copied to create UserX; at every logon All Users and UserX are loaded; at logoff UserX is saved.]

Global Default Profile

If a profile called Default User is created in the NETLOGON share, it is automatically used as the default user profile for all computers in the domain.

[Diagram: Default User (Network) in the logon server's NETLOGON share is copied to the local computer at the first logon of UserX and UserY, instead of the local Default User.]

Roaming User Profiles

If a user profile is stored on a server, it becomes a roaming profile that can be accessed on all network computers. The roaming profile is copied to the local computer, but this locally cached profile is only used when the server profile is unavailable. If the network and local profiles have diverged, the changes are merged at logon.

[Diagram: at logon All Users and the server's UserX are loaded, merged with the local copy of UserX if they differ; at logoff UserX is saved back to the server.]

Mandatory Profiles

A mandatory profile is a profile that cannot be changed by the user. Mandatory profiles are used to provide a constant environment where users cannot accidentally modify or destroy parts of their environment. Mandatory profiles are the same as roaming profiles with the exception that the user hive file must be renamed from NTUSER.DAT to NTUSER.MAN. Normally each user has their own profile. Because mandatory profiles do not change, they can be shared by a group of users. A mandatory profile only prevents changes from being saved; it is not a security boundary, since the user still has whatever rights the account and group policy give it.
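The following PowerShell is an added example, not from the book, that prepares a roaming-profile share with the folder permissions that keep users out of each other's profiles (every user's hive contains their cached credentials and settings), points a user at it, and then turns a template profile into a mandatory profile shared by a group. It uses the ActiveDirectory and SmbShare modules (Windows Server 2012 and later); D:\Profiles, the server fs01, the users jdoe and template, the domain FABRIKAM and the group Kiosk-Users are assumptions.

```powershell
# Added example, not from the book: a roaming-profile share whose ACL keeps users out of
# each other's profiles, a user pointed at it, and a template turned into a mandatory
# profile shared by a group. ActiveDirectory and SmbShare modules (Server 2012+).
# Assumptions: D:\Profiles, server fs01, users jdoe and template, group FABRIKAM\Kiosk-Users.
Import-Module ActiveDirectory
$root = 'D:\Profiles'
New-Item -ItemType Directory -Path $root -Force | Out-Null

function New-Ace([string]$Identity, [string]$Rights, [string]$Inherit, [string]$Propagate) {
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $Inherit, $Propagate, 'Allow'
}

$acl = Get-Acl -Path $root
$acl.SetAccessRuleProtection($true, $false)          # no inherited ACEs from D:\
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' 'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    'FullControl' 'ContainerInherit,ObjectInherit' 'None'))
# Whoever creates a subfolder owns it and gets Full Control on it, and only on it
$acl.AddAccessRule((New-Ace 'CREATOR OWNER' 'FullControl' 'ContainerInherit,ObjectInherit' 'InheritOnly'))
# Everybody may list the root and create their own folder, nothing more; this ACE does not inherit
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\Authenticated Users' 'ListDirectory,CreateDirectories,ReadAttributes,ReadPermissions' 'None' 'None'))
Set-Acl -Path $root -AclObject $acl

# Hidden share; the NTFS DACL above does the real restriction
New-SmbShare -Name 'Profiles$' -Path $root -FullAccess 'NT AUTHORITY\Authenticated Users' | Out-Null

# Roaming profile: Windows creates \\fs01\Profiles$\jdoe at the first logon, owned by jdoe
# (Vista and later clients append a .V2 or later version suffix to the folder name)
Set-ADUser -Identity 'jdoe' -ProfilePath '\\fs01\Profiles$\jdoe' -ScriptPath 'logon.vbs'

# Mandatory profile: log on once as the template user, log off, then rename the hive.
# The users need Read on the folder to load it; having no write access is the point.
$tpl = Join-Path $root 'template'
Rename-Item -Path (Join-Path $tpl 'NTUSER.DAT') -NewName 'NTUSER.MAN' -Force
$t = Get-Acl -Path $tpl
$t.AddAccessRule((New-Ace 'FABRIKAM\Kiosk-Users' 'ReadAndExecute' 'ContainerInherit,ObjectInherit' 'None'))
Set-Acl -Path $tpl -AclObject $t
Get-ADGroupMember -Identity 'Kiosk-Users' | Where-Object objectClass -eq 'user' |
    ForEach-Object { Set-ADUser -Identity $_.SamAccountName -ProfilePath '\\fs01\Profiles$\template' }
```

The CREATOR OWNER entry is what makes the share safe: each profile folder is created by its own user and therefore readable by nobody else except administrators. If profile folders are pre-created by an administrator instead, they must be explicitly granted to the user and the Authenticated Users entry can be reduced to ListDirectory.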
The user profile path can be set in the user's property dialog, on the Profile tab.

[Screen image: the Profile tab of the user properties dialog, with Profile path, Logon script and Home folder fields.]

File names for logon scripts are also specified in this dialog. Logon scripts for local account logons are stored in %SystemRoot%\System32\Repl\Imports\Scripts. Domain controllers are automatically configured with a NETLOGON share. When users authenticate to a domain controller, they get their logon scripts from this share, which maps to %SystemRoot%\SYSVOL\sysvol\DNSDomainName\scripts. Because every domain user runs whatever is placed there, write access to NETLOGON must be limited to administrators.

Creating Profiles

New profiles can be created by copying existing profiles. Use the User Profiles dialog, available through My Computer Properties, to copy a profile.

[Screen image: the User Profiles dialog with its Copy To button.]

Keyboard Exercise
Find the user profile files under the Documents and Settings folder. Ensure that the Explorer Folder Options are set so that you can view hidden files and folders. Additionally, find the hive files in ...\System32\config.

Policies

Group Policies are a mechanism to enforce configuration options for computers and users. This enforcement is achieved by changing registry entries to reflect the policies. The policies are specified and stored in the Active Directory as GPOs (Group Policy Objects). A GPO is created and modified with the Group Policy Object Editor, shown in the following dialog.

[Screen image: the Group Policy Object Editor with its Computer Configuration and User Configuration trees.]

GPOs are linked to sites, domains, and OUs and apply to all objects within the site, domain or OU. If an object is affected by more than one GPO, the policy closest to the object has precedence. The order of application is the local GPO, then Sites, Domains, and finally OUs (LSDOU), so a setting in an OU GPO overrides the same setting in a domain or site GPO; a GPO link marked No Override is the exception and cannot be overridden by GPOs applied after it. Some policy values are cumulative. For example, if logon scripts are specified in multiple GPOs then all are run. The following diagram shows the precedence for GPOs in different OUs.
  GPO1 (parent OU):   Wallpaper = Autumn.jpg   Logon script = one.vbs
  GPO2 (child OU):    Wallpaper = Ascent.jpg   Logon script = two.vbs
  UserX (in child OU) gets: Wallpaper = Ascent.jpg (closest GPO wins), Logon scripts = one.vbs, two.vbs (cumulative, parent first)

User policies are applied when the user logs on. Computer policies are applied when the computer starts. Policies are also re-applied periodically in the background. On Windows 2000 policies can be applied immediately with the SECEDIT command, for example:

  SECEDIT /refreshpolicy user_policy
  SECEDIT /refreshpolicy machine_policy

On Windows XP and Windows Server 2003 the equivalent is GPUPDATE (GPUPDATE /force re-applies every setting, not only the changed ones).

Keyboard Exercise
In the Active Directory Users and Computers console, select your domain and open its properties dialog. Select the Group Policy tab and edit the Default Domain Policy. Investigate the many options that are available.

Installation

Installation Methods

There are a variety of ways to install Windows. Ultimately, access to the files on the installation CD-ROM is necessary. If the installation is not started from a bootable CD-ROM or boot diskettes, then access to the setup command I386\WINNT is necessary:
o Use WINNT from the MS-DOS command prompt
o Use WINNT32 to upgrade from a previous version of Windows

This is easy on a computer with a bootable CD-ROM. For computers that cannot boot from the CD-ROM, boot diskettes are necessary. If you are upgrading from a previous version of Windows, the old Windows drivers give you access to the CD-ROM. If the CD-ROM or its files are available on a network share, then you need a network boot diskette that connects you to the network share.

o Bootable CD-ROM
o Upgrade from a previous Windows version
o Boot diskettes and CD-ROM - use BOOTDISK\MAKEBOOT to create the boot diskettes
o Network boot diskette to connect to the shared installation files
o Cloned Sysprep image
o RIS with a boot floppy or a PXE-enabled client

The installation requires the following information:
o Regional settings
o Name and organization
o Per Server or Per Seat licensing
o Computer name
o Administrator password
o Optional components
o Time and time zone
o Typical or custom network settings
o Workgroup or domain to join

Licensing

Server licensing is determined at the time that you purchase Windows. During the installation you must correctly specify whether Per Server or Per User (Per Seat) licensing was purchased.

Per Server Licensing

Per Server licensing limits the number of concurrent connections to the server. Any number of computers can be connected to the network, but only the licensed number can be connected to the server at one time. In the following diagram, although four computers are connected to the network, only two licenses are in use to connect the two active users.

[Diagram: four computers on the network, two of them connected to the server and consuming its two Per Server licenses.]

Per User Licensing

In Per User licensing, an organization pays for a specified number of users, independent of how many servers they connect to. In the following diagram, with one user license, a user can connect to any number of servers.

[Diagram: one licensed user connected to several servers.]

Domain Controllers

All Windows Servers are initially installed as member servers. Member servers can be promoted to domain controllers by running DCPROMO. DCPROMO will automatically install the DNS server software if it is not already installed. DCPROMO can also be used to demote a domain controller to a regular member server.

Domain controllers can be installed into:
o a new forest
o an existing domain
o a new domain in an existing forest

Domain Functional Level

Domain controllers run in mixed mode immediately after installation. Mixed mode provides compatibility with NT domain controllers. Unfortunately, with compatibility we lose some capabilities, such as universal security groups and the ability to nest groups of the same type. The change to native mode is one-way: once raised, the domain cannot be returned to mixed mode.

NT domains require that one of the domain controllers be the PDC (Primary Domain Controller), which is the only domain controller allowed to accept updates.
Active Directory has multimaster replication and no longer needs a PDC, but to maintain compatibility with NT domain controllers, the first AD domain controller automatically fills the role of the PDC (the PDC emulator FSMO role). Once an AD domain controller is in a domain, no NT domain controller is allowed to be promoted to PDC. The AD PDC replicates any domain changes to the NT domain controllers, which keep the role of BDCs (Backup Domain Controllers).

[Diagram: in mixed mode the AD domain controllers replicate among themselves with multimaster replication; the one holding the PDC role also replicates master-slave to the NT BDCs.]

Upgrading

Upgrading a PDC to the Active Directory migrates the existing security principals into three containers:
o cn=Users for users and global groups
o cn=Computers for computer accounts
o cn=Builtin for local groups

An alternative to upgrading is to migrate security principals with ADMT (Active Directory Migration Tool), which copies users and groups from the NT server into the Active Directory.

Joining a Domain

To successfully join a domain, a computer object must exist or be created for the computer that is joining the domain. If the computer object already exists, only local administrative rights on the computer are necessary, together with the domain credentials of an account that was granted the right to join that computer account (for example the user chosen when the object was pre-created). If the computer object does not exist, the credentials used must be allowed to create it: by default any authenticated domain user can create up to 10 computer accounts (the domain's ms-DS-MachineAccountQuota attribute), and beyond that, or where the quota has been set to 0, AD administrative rights are required. To join a domain use the Computer Name tab of the System Properties dialog.

[Screen images: My Computer Properties and the Computer Name Changes dialog.]

Service Packs

QFE (Quick Fix Engineering) patches fix specific problems and are distributed between service pack releases. NT service packs had to be reapplied after new OS components were installed. Service packs for Windows 2000 and later are installed completely, so no reinstallation is required. Service packs can be slipstreamed with the original distribution files: Windows has the ability to integrate a service pack into the initial installation of the operating system.
You can use this method to replace the original Windows source files with the updated service pack files before Windows is installed. Then, when Windows is installed, the service pack is installed automatically.

Keyboard Exercise
If you have a test domain controller available, use DCPROMO to promote and/or demote the server. Additionally, use the System Properties dialog to join and leave a domain.

Chapter 5. AD Troubleshooting

The Active Directory is the database which stores administrative information for a Windows enterprise network. The most commonly accessed records in the AD database are the user objects, but other records include computer objects and shared resources such as printer objects. The AD database is critical for the operation of a Windows network because it is central to the security system and to the users' ability to locate resources in the network. It is intended that this database runs on a network without the need for a database administrator's expertise.

The AD database is complicated by two important characteristics:
o Distributed - to provide efficient access in a wide area network. Information need not be stored in one place. The database is partitioned into domains so that European user information can be stored only on European servers and American user information only on American servers.
o Replicated - to provide fault tolerance for the failure of a domain controller. Enterprise and domain information can be duplicated on as many servers as necessary to provide reliability.

Windows includes a number of utilities to assist in troubleshooting problems with the Active Directory.

AD Components

A domain is a collection of servers, computers, users and other objects. Each domain contains one or more DCs (Domain Controllers) that hold the AD database. All domain controllers in a domain get a copy of this database through a process known as replication.
Windows NT only allowed database updates on one domain controller, the PDC (Primary Domain Controller). The Active Directory accepts updates on any domain controller and copies the updates to all other domain controllers through a process known as multimaster replication.

The components of the AD database are visible in the ADSIEdit support tool. Each component is replicated separately and is known as a naming context. Each domain controller stores its own domain directory plus the schema and configuration naming contexts.

Each domain has a domain directory to store administrative information for users, computers, printers, etc. The schema defines each object type and its attributes; each object definition is an object class, and objects created in the directory are instances of an object class. The configuration data defines domains, domain controllers, trusts, sites, replication topology, etc.

The AD database is stored in the file %SystemRoot%\NTDS\NTDS.DIT. DIT stands for Directory Information Tree.

Global Catalog

The Active Directory is the collection of all of the domain directories (partitions) that are stored on different domain controllers. The GC (Global Catalog) combines the important attributes of all of the objects in all of the domain directories; that is, the Global Catalog contains a partial replica of every object in the Active Directory. The Global Catalog is used to resolve universal group membership and UPNs and is therefore required at user logon. The first DC created in the forest is automatically a GC. Use the Active Directory Sites and Services console (the NTDS Settings properties of the server) to make additional domain controllers Global Catalog servers. Each site should have a Global Catalog server.

Schema Management

The schema can be viewed and changed with the Active Directory Schema MMC snap-in.
By default, this snap-in is not available until its DLL is registered with the command

regsvr32 schmmgmt.dll

Under normal circumstances, there is no reason to change the schema with the MMC snap-in. The default schema installed with Windows is appropriate and sufficient for the vast majority of networks. The installation program for Exchange automatically updates the schema to support Exchange. The schema should only be changed to support software that is designed to store information in the AD, and that software's setup program should update the schema itself. Use the snap-in only to correct setup errors. Be cautious about any schema change: classes and attributes can be deactivated but never deleted, so a mistake cannot be undone, and every change must be replicated to every domain controller in the forest.

FSMO Flexible Single Master Operation

Multimaster replication is used to replicate the main domain database, so there is no central point of failure; the Active Directory provides normal functionality even if a domain controller is offline. Five operations, however, are unsafe to perform on more than one domain controller at a time. Each is handled by a single master that holds a FSMO (Flexible Single Master Operation) role. Two roles exist once for the entire forest; the other three exist in each domain.

Forest-wide (one holder in the entire enterprise):

o Schema master handles schema changes
o Domain naming master checks names when creating new domains, so that two domains cannot be created with the same name

Domain-wide (one holder in each domain):

o RID master allocates pools of RIDs (relative identifiers) to the domain controllers. A security principal's SID is the domain SID followed by a RID, so a single allocator is needed to keep SIDs unique.
o PDC emulator emulates an NT 4 Primary Domain Controller for NT BDCs and down-level clients, and is also the preferred target for password changes
o Infrastructure master maintains cross-domain references, such as group members from other domains

Creating a New AD Forest

A number of initialization operations are performed when creating a new Active Directory forest and domain.
The first domain in the forest is the root domain.

The first DC in a forest:

o creates the schema and configuration naming contexts
o is a Global Catalog server
o becomes the schema master and the domain naming master
o creates the Default-First-Site-Name site
o creates the DEFAULTIPSITELINK inter-site link

The first DC in a domain:

o creates the domain naming context
o becomes the PDC emulator, infrastructure master and RID master
o creates the trust relationship with the parent domain
o creates the domain group policy objects
o registers the domain in the configuration naming context

AD Architecture

The Active Directory is accessible through different interfaces and protocols:

o LDAP is a network protocol
o ADSI is an application programming interface
o Replication carries information between domain controllers
o SAM provides compatible access for NT domain controllers and NT-style clients
o MAPI (Messaging Application Programming Interface) provides e-mail client access, for example from Outlook

Diagram: the AD components. LDAP/ADSI, replication (REPL), NT SAM and Outlook (MAPI) clients all enter through the DSA (Directory System Agent), which presents the view of the tree hierarchy. Below it, the Database Abstraction Layer stores data in tables and the Extensible Storage Engine allocates storage to objects in the NTFS database file NTDS.DIT.

The Active Directory is stored in the file %SystemRoot%\NTDS\NTDS.DIT. Data integrity is maintained by recording updates in transaction and checkpoint logs. These files are in %SystemRoot%\NTDS and are called edb.log and edb.chk. In addition, there are two space reservation files, res1.log and res2.log, which guarantee that the engine can still write a transaction when the disk fills up.

AD Fragmentation

Database activity in the Active Directory causes fragmentation. An online defragmentation runs automatically as part of the scheduled garbage collection. Although the automatic defragmentation is usually sufficient, a defragmentation can also be performed manually with NTDSUTIL (offline, as described below). As the Active Directory grows, disk space is automatically added to NTDS.DIT. If you delete information from the Active Directory, NTDS.DIT stays the same size.
The system assumes that the space will be needed by the Active Directory again in the future. The automatic (online) defragmentation does not return unused space inside NTDS.DIT to the file system. If a large amount of information has been deleted from the Active Directory, you can recover the unused disk space by performing an offline defragmentation. This requires restarting the server in Directory Services Restore Mode and then using NTDSUTIL (the files menu, compact to) to write a compacted copy of the database; the compacted NTDS.DIT is smaller and replaces the original. Keep a backup of the original database and the system state until the compacted file has been verified.

Global Catalog

Diagram: the naming contexts of the Active Directory. Each domain has three naming contexts: Schema, Configuration and Domain. The Schema and Configuration naming contexts are the same for the entire forest. The Domain naming context holds the administration objects of each domain, such as user, group and computer objects. The Global Catalog is a partial replica of all domain objects in the forest. One server in each site should host the Global Catalog.

Logon

To troubleshoot logon problems, you need to understand all of the components involved in a logon. A successful domain logon requires access to all of the following:

o a DNS server, to locate the other services
o a domain controller for your domain
o a Kerberos KDC (Key Distribution Center), a service on every domain controller
o a Global Catalog server, to resolve UPNs and universal group membership

Users can log on with a UPN (User Principal Name). The domain of the UPN need not match the domain that holds the user's object. In some cases, users may use an e-mail address as the UPN, which does not match the user's object domain. The Global Catalog must be searched for a user object with the matching UPN to determine the logon domain before the logon can proceed.

Diagram: logon with UPN tyoung1234@hotmail.com; the UPN is looked up in the AD to determine the logon domain.

If the domain logon fails, Windows may still allow access to the local computer.
Windows caches the credentials of the last few domain logons (10 by default; the number is set by the CachedLogonsCount value under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon). If the domain logon fails, Windows checks the name/password combination against the cached credentials and allows local access if they match. In this situation network resources remain unavailable until the user authenticates to the domain. Note that the cached verifiers live in the registry (the SECURITY hive) and can be extracted and attacked offline by anyone with the disk or SYSTEM-level access, which is why the count is often reduced on servers.

For the logon to succeed, all group memberships must be determined. Universal group memberships are potentially the most difficult to resolve, since universal groups can be created in any domain and have members from any domain. To resolve this difficulty, universal group membership is published in the Global Catalog. If a Global Catalog server is not available at logon, universal group membership cannot be determined. In that case members of Domain Admins are still allowed to log on, but without the authority of their universal group memberships; other users fall back to cached credentials and have no network access.

Diagram: logon with UPN; the domain controller performs a Global Catalog lookup for universal group membership.

Kerberos Authentication

Kerberos is an authentication protocol developed at MIT in Project Athena. Kerberos (Cerberus) is known in mythology as the three-headed dog guarding Hades. Microsoft replaced the NTLM challenge-response protocol used in Windows NT with Kerberos as the default authentication protocol for the Active Directory; NTLM remains as a fallback, for example when a server is addressed by IP address or is not a domain member.

Kerberos authentication is managed by KDC (Key Distribution Center) servers. Windows domain controllers provide the KDC service. At logon the client obtains a TGT (ticket-granting ticket) from the KDC. Before connecting to a server, the client presents its TGT to a KDC domain controller and obtains a service ticket (also called a session ticket). The ticket is only valid for sessions between that particular client and that particular server; another ticket is required to connect to another server.

Diagram: the client obtains a ticket from the KDC for a session with the server.

Clients store Kerberos tickets in a memory area known as the ticket cache. The Resource Kit utility KERBTRAY displays and purges the ticket cache; the companion command line tool KLIST does the same from a prompt.
See the Microsoft technical paper on Kerberos at http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp

FSMO

FSMO Transfers

The first domain controller established in a new forest initially holds all of the FSMO roles. The first domain controller in each additional domain initially holds the three domain FSMO roles (RID, PDC, Infrastructure). Once additional domain controllers are promoted, FSMO roles can be transferred. Provided that both the current role holder and the target domain controller are online, FSMO roles can be transferred using the MMC consoles. Before demoting a domain controller, transfer its roles to other reliable domain controllers. If a domain controller still holds a FSMO role at the time of demotion, DCPROMO attempts to transfer the role to another domain controller automatically.

o Active Directory Users and Computers is used to transfer the three domain roles (RID, PDC, Infrastructure).
o Active Directory Domains and Trusts is used to transfer the Domain Naming Master.
o Active Directory Schema is used to transfer the Schema Master.

Seizing a FSMO Role when a role holder fails

If a domain controller holding a FSMO role fails, try to get the server online again. None of the FSMO roles is immediately critical, so it is usually no problem for them to be unavailable for hours or even days; the PDC emulator is the one missed soonest, since it handles urgent password-change replication, account lockout and time synchronisation. If a domain controller becomes unreliable, get it operational and transfer the FSMO roles to a reliable computer. If a domain controller with a FSMO role cannot be restarted, another domain controller can seize the FSMO role. If the RID, schema or domain naming FSMO is seized, the original domain controller must never be brought back into the forest, because two holders of one of these roles could hand out duplicate RIDs or conflicting schema and domain names. Windows must be reinstalled if that server is to be used again.
In the case of the PDC and infrastructure FSMO roles, it is possible to transfer the role back to the original domain controller. Only seize a FSMO role if absolutely necessary, when the original role holder is not connected to the network. All roles can be seized by running NTDSUTIL from the command line.

Before seizing a FSMO role, determine which server is most up to date with respect to the failed server. Each domain controller maintains a USN (Update Sequence Number), and its up-to-dateness vector records the highest USN it has received from every other domain controller. The vector can be displayed with REPADMIN /SHOWUTDVEC (REPADMIN /SHOWVECTOR in Windows 2000). A working server can seize a FSMO role from a dead server, but it is easier to transfer the role when both servers are operational.

The following table summarizes the utility used to seize a FSMO role.

FSMO Role        Utility            Later Actions
PDC              MMC or NTDSUTIL    Can transfer back to original
Infrastructure   MMC or NTDSUTIL    Can transfer back to original
RID              NTDSUTIL           Original must be reinstalled
Schema           NTDSUTIL           Original must be reinstalled
Domain Naming    NTDSUTIL           Original must be reinstalled

Security

FSMO management is restricted to the appropriate administrative group.

FSMO Role                    Administrative Group
Domain Naming                Enterprise Admins
Schema                       Schema Admins
RID, PDC, Infrastructure     Domain Admins

NTDSUtil

NTDSUTIL has many AD maintenance functions; this book covers the following.

NTDSUTIL is a command line utility with an interactive hierarchy of menus. Command line utilities can easily be run in Directory Services Restore Mode, as is required for offline defragmentation. Each menu is identified by a unique command prompt to help the user determine the current location in the hierarchy; in practice this does not help much and it is easy to get lost. Each menu has a different set of commands. To determine which commands are available, enter ? and an annotated list of commands and submenus is presented.
The quit command takes you up one level in the menu hierarchy.

Section            Topic
Active Directory   Defragmentation
FSMO               Seizing FSMO roles
Restore the AD     Authoritative restore

Complex commands can be shortened, provided the abbreviation remains unique. For example, select operation target can be shortened to s o t.

An administrator can interactively navigate the menu hierarchy, or all of the commands can be typed on one line. For example, consider the following command to list all domains known to srvr.newdomain.com:

ntdsutil "domain management" connections "connect to server srvr.newdomain.com" quit "select operation target" "list domains" quit quit quit

or, shortened:

ntdsutil "d m" c "co t s srvr.newdomain.com" q "s o t" "l d" q q q

Typing NTDSUTIL ? provides the basic help information shown below.

Microsoft(R) Windows(TM) Directory Service Utilities Version 2.0
Copyright (C) Microsoft Corporation 1991-2002. All Rights Reserved.

NtdsUtil performs database maintenance of the Active Directory store, management and control of the Flexible Single Master Operations (FSMO), and cleaning up of metadata left behind by abandoned domain controllers, those which are removed from the network without being uninstalled.

This is an interactive tool. Type "help" at the prompt for more information.

 ?                            - Show this help information
 Authoritative restore        - Authoritatively restore the DIT database
 Configurable Settings        - Manage configurable settings
 Domain management            - Prepare for new domain creation
 Files                        - Manage NTDS database files
 Help                         - Show this help information
 LDAP policies                - Manage LDAP protocol policies
 Metadata cleanup             - Clean up objects of decommissioned servers
 Popups %s                    - (en/dis)able popups with "on" or "off"
 Quit                         - Quit the utility
 Roles                        - Manage NTDS role owner tokens
 Security account management  - Manage Security Account Database - Duplicate SID Cleanup
 Semantic database analysis   - Semantic Checker
 Set DSRM Password            - Reset directory service restore mode administrator account password

domain management: help

 ?                        - Show this help information
 Add NC Replica %s %s     - Adds the DC with full DNS name %s2 to the replica set for the application directory partition with DN %s1. If %s2 is specified "NULL", then currently connected DC is used.
 Connections              - Connect to a specific domain controller
 Create NC %s %s          - Creates the application directory partition with DN %s1, on the DC with DNS name %s2. If %s2 is specified "NULL", then the currently connected DC is used.
 Delete NC %s             - Completely removes the application directory partition with DN %s from Active Directory.
 Help                     - Show this help information
 List                     - List known naming contexts
 List NC Information %s   - Show the reference domain, and replication delays for the application directory partition with DN %s.
 List NC Replicas %s      - Show the list of DCs in the replica set for the application directory partition with DN %s.
 Precreate %s %s          - Precreate cross reference object for domain or application directory partition with DN %s1 allowing server with DNS name %s2 to be promoted as a DC for the domain or create the application directory partition.
 Quit                     - Return to the prior menu
 Remove NC Replica %s %s  - Deletes the DC with DNS name %s2 from the replica set for the application directory partition with DN %s1.
                            If %s2 is specified "NULL", then currently connected DC is used.
 Select operation target  - Select sites, servers, domains, roles and naming contexts
 Set NC Reference Domain %s %s - Sets the reference domain of application directory partition with DN %s1 to domain with DN %s2.
 Set NC Replicate Notification Delay %s %d %d - Sets the notification delays of directory partition with DN %s to %d1 and %d2 seconds where %d1 is the delay between notifying the first DC of changes and %d2 is the delay of notifying subsequent DCs of changes. If you pass -1 in either %d1 or %d2 the command would not modify the corresponded delay (that's in case you are to modify only one delay.) If you pass any other negative number, the command would delete the delay. Delays are always set on Domain Naming Master.

Keyboard Exercise

Try NTDSUtil in interactive mode and try the following operations.

ntdsutil "domain management" connections "connect to server srvr.newdomain.com" quit "select operation target" "list domains" quit quit quit

RepAdmin

REPADMIN is a command line utility that provides replication status information. For example, use the showutdvec option to display the up-to-dateness vector, the highest USN received from each replication partner, for a naming context on a server.

C:\>repadmin /showutdvec . dc=newdomain,dc=com
repadmin running command /showutdvec against server localhost
Caching GUIDs.
Default-First-Site-Name\WIN2003 @ USN 16433 @ Time 2003-04-23 20:11:44

REPADMIN has many other functions. See the Replication section for an example of the showmeta parameter. Entering REPADMIN with no options provides the following help information.
Usage: repadmin <cmd> <args> [/u:{domain\\user}] [/pw:{password|*}] [/rpc] [/ldap] [/csv] - see /csvhelp

Supported <cmd>s & args:
    /bind [DC_LIST]
    /bridgeheads [DC_LIST] [/verbose]
    /checkprop [DC_LIST from which to enumerate host DCs] <Naming Context> <Originating DC Invocation ID> <Originating USN>
    /dsaguid [DC_LIST] [GUID]
    /failcache [DC_LIST]
    /istg [DC_LIST] [/verbose]
    /kcc [DC_LIST] [/async]
    /latency [DC_LIST] [/verbose]
    /notifyopt [DC_LIST] <Naming Context> [/first:<value>] [/subs:<value>]
    /queue [DC_LIST]
    /querysites <From-Site-RDN> <To-Site-RDN-1> [<To-Site-RDN-2> ...] (may not be called with alternate credentials)
    /replicate <Dest_DC_LIST> <Naming Context> /allsources [/force] [/async] [/full] [/addref] [/readonly]
    /replicate <Dest_DC_LIST> <Source DC_NAME> <Naming Context> [/force] [/async] [/full] [/addref] [/readonly]
    /replsingleobj <DC_LIST> <dsa-source-guid> <obj dn>
    /replsummary [DC_LIST] /bysrc /bydest /errorsonly [/sort:{ delta | partners | failures | error | percent | unresponsive }]
    /showattr <DC_LIST> <OBJ_LIST> [OBJ_LIST OPTIONS] [/atts:<att1>,<att2>...] [/allvalues] [/long] [/dumpallblob]
    /showcert [DC_LIST]
    /showchanges . <SourceDC> <NamingContext> [/cookie:<file>] [/atts:<att1>,<att2>,...] [/long]
    /showchanges <Dest_DC_LIST> <SourceDCObjectGUID> <NamingContext> [/verbose] [/statistics] [/noincremental] [/objectsecurity] [/ancestors] [/atts:<att1>,<att2>,...] [/filter:<ldap filter>]
    /showconn [DC_LIST] {serverRDN | Container DN | <DC GUID>} (default is local site) [/from:serverRDN] [/intersite]
    /showctx [DC_LIST] [/nocache]
    /showism [<Transport DN>] [/verbose] (must be executed locally)
    /showmsg {<Win32 error> | <DS event ID> /NTDSMSG}
    /showncsig [DC_LIST]
    /showobjmeta [DC_LIST] <Object DN> [/nocache] [/linked]
    /showoutcalls [DC_LIST]
    /showproxy [DC_LIST] [Naming Context] [matchstring] (search xdommove proxies)
    /showproxy [DC_LIST] [Object DN] [matchstring] /movedobject (dump xdommoved object)
    /showrepl [DC_LIST [Source DC object GUID]] [Naming Context] [/verbose] [/nocache] [/repsto] [/conn] [/all] [/errorsonly] [/intersite]
    /showsig [DC_LIST]
    /showtime <DS time value>
    /showtrust [DC_LIST]
    /showutdvec <DC_LIST> <Naming Context> [/nocache] [/latency]
    /showvalue [DC_LIST] <Object DN> [Attribute Name] [Value DN] [/nocache]
    /syncall <DC> [<Naming Context>] [<flags>]
    /viewlist <DC_LIST> [OBJ_LIST]

Note: Most commands take their parameters in the order of "Destination or Target DC_LIST", then a "Source DC_NAME" if required, and finally the NC or Object DN if required.
DC_LIST or DC_NAME is the proper DNS or NetBios name of a DC, for more options see repadmin /listhelp.
<Dest DC>, <Source DC>, <DC> : Names of the appropriate servers
<Naming Context> is the Distinguished Name of the root of the NC
    Example: DC=My-Domain,DC=Microsoft,DC=Com

Note: Text (Naming Context names, server names, etc) with International or Unicode characters will only display correctly if appropriate fonts and language support are loaded

Deprecated Commands: use repadmin /oldhelp to see these deprecated commands' syntaxes.
    /sync /propcheck /getchanges /getchanges /showreps /showvector /showmeta

Keyboard Exercise

Pick an object and try the RepAdmin /showmeta command, as in the following example.
repadmin /showmeta cn=administrator,cn=users,dc=newdomain,dc=com

As the help text above notes, /showmeta is deprecated in Windows Server 2003; the equivalent is repadmin /showobjmeta . cn=administrator,cn=users,dc=newdomain,dc=com.

Garbage Collection

When a new object is added to the Active Directory, it is replicated to all other domain controllers so that they all have the same information. If we delete an object on one domain controller, how are the other domain controllers informed of the deletion? When an object is deleted from the Active Directory, it is not immediately removed from the database; instead it changes state and becomes a tombstone. The tombstone must stay in the Active Directory until the deletion has replicated to all domain controllers, so that the object is flagged as a tombstone everywhere for later removal. The default tombstone lifetime is 60 days, and it can be changed with ADSIEdit as shown in the dialog below. A system state backup older than the tombstone lifetime must not be restored, because a domain controller restored from it would reintroduce objects that the other domain controllers have already purged.

A garbage collection process runs every 12 hours to:

o delete tombstones whose lifetime has expired
o delete unnecessary log files
o start an online defragmentation

The garbage collection attributes tombstoneLifetime and garbageCollPeriod can be changed in the Active Directory with ADSIEdit, as shown below. The attributes are on the object CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=forest root (replace DC=forest root with the DC components of the forest root domain).

RootDSE

RootDSE (DSA Specific Entry)

Each Windows domain controller provides directory services as a DSA (Directory System Agent). Each domain controller creates a unique object known as the RootDSE (DSA Specific Entry). This object has attributes that are specific to that domain controller, such as the server name, forest name, the naming contexts it holds and the LDAP features it supports. The RootDSE attributes can be seen with ADSIEdit as shown below. RootDSE is readable with an anonymous LDAP bind, so it is also the first thing a network scanner reads from a domain controller: it discloses the domain and forest names and the DC's own distinguished name without any credentials.

Distinguished Name

Objects in a tree structure are normally named with a naming scheme that can uniquely identify each object.
Most of these naming schemes specify the entire path to the object in the hierarchy. In file systems, we refer to a file by its familiar full path, as shown in the address bar of the Explorer dialog. When Active Directory objects are viewed with Explorer, the address bar can display the object's full path in the URL (Uniform Resource Locator) format. URLs are the same address format used for web servers, e.g. http://teamapproach.ca, or for FTP servers, e.g. ftp://ftp.microsoft.com. This address format is familiar to users of the internet and is displayed to normal users as they explore My Network Places.

Although the object path is displayed in URL format in Explorer, the full path of an Active Directory object is stored internally as an X.500-style Distinguished Name. You will see these distinguished names when you use ADSIEdit to examine the Active Directory.

A distinguished name consists of three parts, each built from one or more RDNs (Relative Distinguished Names):

o the CN (Common Name) of the object
o the path through the OUs (or other containers)
o the name of the domain, written as DC (domain component) parts

The three naming schemes differ in their order:

1. File system paths start with the root directory and proceed through the path to the file.
2. URLs start with the root of the web server and proceed to the web page file.
3. Distinguished Names use the opposite order, starting with the Common Name, then the path, and finally the root domain name.

The ADSIEdit utility shows the Distinguished Name of each object, as shown below.

Sites

A site represents a physical location in a wide-area network. Site definitions support the control of replication. Site knowledge is also used for logon location, printer location and other purposes. Sites group domain controllers that are located in well-connected areas. Intrasite replication is configured automatically: replication partners notify each other of changes within 5 minutes.
Because there are at most 3 hops between any two domain controllers in a site, replication is completed within 15 minutes. A service called the KCC (Knowledge Consistency Checker) automatically determines the replication topology. The topology specifies which DCs exchange information (replication partners), such that there are no more than 3 hops between any two servers. Intersite replication is configurable and schedulable.

Diagram: a Los Angeles site and a New York site, with intrasite replication within each site and intersite replication between them.

Site information is used for:

o controlling the replication topology
o scheduling replication
o locating services within a site

Sites and Services Manager

Sites are created with Active Directory Sites and Services. Rather than designing a new way of defining a site, the Active Directory uses the TCP/IP subnet structure that is already defined for routers to find the various sites. AD sites do not need to follow the subnet structure exactly: site subnet masks can be adjusted to combine or divide the TCP/IP subnets. For example, a site subnet defined with the address 209.47.184.0 and mask 255.255.255.0 places the host addresses 209.47.184.1 to 209.47.184.254 in the same site.

Each site is associated with one or more subnet objects, each defined by an IP network address and a subnet mask. All computers within a subnet's address range are considered to be at that site. Site subnets normally match the physical subnets, but they can be specified to combine or divide physical subnets. A client whose address matches no subnet object has no site and will use whatever domain controller it happens to find, possibly across a WAN link, so keep the subnet list complete.

Each site connects to other sites with a site link, which has configuration information that controls replication. The site link configuration shown in the following dialogs includes:

o link cost
o replication frequency
o replication schedule

The replication schedule is easily controlled by modifying the matrix shown in the following dialog.
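The Distinguished Name section above explained that a DN lists its RDNs leaf first, the reverse of a file path or URL. The following Python is an added example, not code from the book, that splits a DN into RDNs (honouring backslash escapes), converts it to the root-first form that Explorer shows, and builds a DN from a root-first path. Only cn=administrator,cn=users,dc=newdomain,dc=com comes from the book; the other sample names are constructed for the example.

```python
# Added example (not from the book): X.500 distinguished names versus
# root-first path names. Sample DNs other than the book's
# cn=administrator,cn=users,dc=newdomain,dc=com are constructed.

# Characters that must be escaped with a backslash inside an RDN value (RFC 2253).
SPECIAL = ',+"\\<>;'


def split_dn(dn):
    """Split a DN into (attribute, value) tuples, leaf first.

    Backslash escapes such as \\, are honoured so that a comma inside a
    value does not start a new RDN. Hex escapes (\\2C) are not handled.
    """
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # literal character after a backslash
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # an unescaped comma ends the current RDN
            rdns.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf))
    parts = []
    for rdn in rdns:
        attr, sep, value = rdn.strip().partition("=")
        if not sep or not attr.strip() or not value:
            raise ValueError("malformed RDN %r in %r" % (rdn, dn))
        parts.append((attr.strip().lower(), value))
    return parts


def escape_value(value):
    """Escape a value for use inside an RDN."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in value)


def domain_of(parts):
    """Join the DC components into a DNS name (a DN already lists them root-last)."""
    return ".".join(value for attr, value in parts if attr == "dc")


def to_canonical(dn):
    """DN (leaf first) -> canonical name (domain first), for example
    cn=administrator,cn=users,dc=newdomain,dc=com -> newdomain.com/users/administrator"""
    parts = split_dn(dn)
    containers = [value.replace("/", "\\/") for attr, value in parts if attr != "dc"]
    containers.reverse()            # DN order is leaf first; a path is root first
    return "/".join([domain_of(parts)] + containers)


def make_dn(domain, path):
    """Build a DN from a DNS domain and a root-first list of (attr, value)."""
    rdns = ["%s=%s" % (attr.upper(), escape_value(value)) for attr, value in reversed(path)]
    rdns += ["DC=%s" % label for label in domain.split(".")]
    return ",".join(rdns)


def describe(dn):
    """The three parts the book lists: common name, container path, domain."""
    parts = split_dn(dn)
    containers = [value for attr, value in parts[1:] if attr != "dc"]
    return {"cn": parts[0][1],
            "path": list(reversed(containers)),
            "domain": domain_of(parts)}


if __name__ == "__main__":
    book_dn = "cn=administrator,cn=users,dc=newdomain,dc=com"
    print(to_canonical(book_dn))
    print(describe(book_dn))
    print(make_dn("newdomain.com", [("ou", "Sales"), ("cn", "Young, Tom")]))
```

The escape handling is the part that matters in practice: a user whose common name is "Young, Tom" has the DN CN=Young\, Tom,OU=Sales,DC=newdomain,DC=com, and a tool that splits on every comma will address the wrong object or fail to find it.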
How does a client determine its site?

Administrators are not required to configure the site for each client. Portable computers often change location and need to determine their new site automatically, without manual administrative effort. This problem already has a solution in the area of TCP/IP configuration: when portable computers change locations, they need a new IP address, which can be assigned manually but is most often assigned automatically by a DHCP server.

When a client computer starts, it connects to any domain controller in its domain. The domain controller looks at the client's IP address and compares it with the site definitions stored in its AD configuration naming context. If the domain controller is in the same site, it continues to provide services to the client. If the domain controller is in a different site, it tells the client its site name and the client looks for a domain controller in that site.

Diagram: the client says "I need to connect to a DC, here is my IP address". The DC answers either "You are in my site so I will look after you" or "You are in a different site, connect to a server in your site".

The site location is remembered in the registry under the key HKLM\System\CurrentControlSet\Services\Netlogon\Parameters:

o the value DynamicSiteName records the last known site location
o the value SiteName specifies a site location that overrides dynamic discovery

DNS

DNS is normally used to provide a lookup table between domain names such as www.teamapproach.ca and the corresponding IP addresses. The Active Directory requires TCP/IP and DNS. DNS names are used to identify servers and AD domains. Although DNS allows the same host name in two different domains, for example server1.domain1.com and server1.domain2.com, the NetBIOS computer name must still be unique on the network, so the Active Directory effectively requires unique server names.
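Here is an added example in Python, not from the book, that models the site lookup just described together with the _msdcs SRV names the DNS section goes on to describe: a DC compares the client address with its subnet objects, most specific subnet first, and the client then queries the site-specific SRV names before the domain-wide ones. The site and subnet definitions are constructed for the example; only the 209.47.184.0/24 subnet, the london site and the teamapproach.ca domain come from the book, and the list of SRV names is a subset of what a DC registers.

```python
import ipaddress

# Added example (not from the book): how a DC maps a client address to a
# site, and the SRV locator names the client then queries. Site and subnet
# definitions are constructed for the example; only 209.47.184.0/24, the
# london site and the teamapproach.ca domain come from the book.
SITE_SUBNETS = {
    "209.47.184.0/24": "ottawa",
    "10.1.0.0/16": "london",
    "10.1.200.0/24": "london-lab",     # more specific than 10.1.0.0/16
    "10.2.0.0/16": "los-angeles",
}


def build_subnet_table(site_subnets):
    """Parse the subnet objects once and order them most specific first, so
    that a /24 carved out of a /16 wins for addresses inside it."""
    table = [(ipaddress.ip_network(net), site) for net, site in site_subnets.items()]
    table.sort(key=lambda entry: entry[0].prefixlen, reverse=True)
    return table


SUBNET_TABLE = build_subnet_table(SITE_SUBNETS)


def site_for_address(ip, table=SUBNET_TABLE):
    """Return the site whose subnet contains ip, or None if no subnet matches."""
    addr = ipaddress.ip_address(ip)
    for net, site in table:
        if addr in net:
            return site
    return None


def host_range(net):
    """First and last usable host address of a subnet object."""
    hosts = list(ipaddress.ip_network(net).hosts())
    return str(hosts[0]), str(hosts[-1])


def dc_response(client_ip, dc_ip, table=SUBNET_TABLE):
    """What the DC answers: serve the client, or name the client's site so
    that it looks for a closer DC. A client with no matching subnet has no
    site and is simply served by whichever DC it reached."""
    client_site = site_for_address(client_ip, table)
    dc_site = site_for_address(dc_ip, table)
    action = "serve" if client_site is None or client_site == dc_site else "redirect"
    return {"client_site": client_site, "dc_site": dc_site, "action": action}


def locator_names(domain, site=None, forest=None):
    """SRV names a client in the given site tries, site-specific first.
    This is a subset of the names a DC registers in netlogon.dns."""
    forest = forest or domain
    names = []
    if site:
        names += ["_ldap._tcp.%s._sites.dc._msdcs.%s" % (site, domain),
                  "_kerberos._tcp.%s._sites.dc._msdcs.%s" % (site, domain),
                  "_gc._tcp.%s._sites.%s" % (site, forest)]
    names += ["_ldap._tcp.dc._msdcs.%s" % domain,
              "_kerberos._tcp.dc._msdcs.%s" % domain,
              "_gc._tcp.%s" % forest,
              "_kpasswd._tcp.%s" % domain]
    return names


def parse_srv_name(name):
    """Split an AD locator name into service, protocol, site, role and domain."""
    labels = name.lower().split(".")
    if len(labels) < 3 or not (labels[0].startswith("_") and labels[1].startswith("_")):
        raise ValueError("not an AD SRV locator name: %r" % name)
    service, protocol, rest = labels[0][1:], labels[1][1:], labels[2:]
    site = role = None
    if len(rest) >= 2 and rest[1] == "_sites":      # <site>._sites
        site, rest = rest[0], rest[2:]
    if len(rest) >= 2 and rest[1] == "_msdcs":      # dc, gc or pdc ._msdcs
        role, rest = rest[0], rest[2:]
    return {"service": service, "protocol": protocol,
            "site": site, "role": role, "domain": ".".join(rest)}


def client_queries(client_ip, dc_ip, domain, table=SUBNET_TABLE):
    """End to end: ask any DC for the site, then build the SRV queries."""
    answer = dc_response(client_ip, dc_ip, table)
    return locator_names(domain, answer["client_site"])


if __name__ == "__main__":
    for ip in ("209.47.184.39", "10.1.200.5", "10.1.3.4", "192.168.1.1"):
        print(ip, "->", site_for_address(ip))
    print(host_range("209.47.184.0/24"))
    print(dc_response("10.1.3.4", "209.47.184.39"))
    for name in client_queries("10.1.3.4", "209.47.184.39", "teamapproach.ca"):
        print(name, parse_srv_name(name))
```

The longest-prefix ordering is the point to check in a real site design: when a lab /24 sits inside an office /16, the lab subnet object must exist or its clients will be placed in the office site. Note also that a client whose address matches no subnet object (192.168.1.1 above) gets no site at all and will accept any DC.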
Traditionally, Microsoft used globally unique NetBIOS computer names. To maintain compatibility, globally unique names are still required.

The Active Directory goes beyond using DNS for its normal address lookup capabilities. It uses advanced DNS features which are supported by the Windows DNS server. If a Unix DNS server is used, BIND 8.1.2 or later is required. The following table shows the required advanced features together with the RFC number of the Internet standard (Request For Comments) document.

RFC    Feature
2052   SRV service records (later superseded by RFC 2782)
2136   Dynamic updates
2181   Underscore characters in names

Dynamic update deserves a security note: allow only secure dynamic updates on AD-integrated zones. With unsecured dynamic update, any host on the network can overwrite records, including the SRV records that clients use to find domain controllers.

SRV service records allow the Active Directory to use DNS to find the servers that provide the following services:

o ldap - LDAP (Lightweight Directory Access Protocol) service (domain controller)
o gc - Global Catalog
o kerberos - KDC (Kerberos Key Distribution Center) (domain controller)
o kpasswd - Kerberos password change

The DNS records identify these servers by:

o protocol - TCP or UDP
o location - domain controller, domain, site, or the entire enterprise

The Active Directory automatically registers its services under a special subdomain named _msdcs. For example, to locate an LDAP service provider using TCP on a DC in the London site for the teamapproach.ca domain, it would query the following DNS service name:

_ldap._tcp.london._sites.dc._msdcs.teamapproach.ca

Resource Record Types

The following table summarizes the different types of DNS records.

Type    Contents                 Use
A       Host Address             Holds a specific host's IP address.
CNAME   Canonical Name (alias)   Makes an alias name for a host.
MX      Mail Exchanger           Provides message routing to a mail server, plus backup server(s) in case the target server is not active.
NS      Name Server              Lists the authoritative servers for a domain, or indicates the authoritative DNS servers for any delegated sub-domains.
PTR     Pointer                  Used for reverse lookup: resolving an IP address into a domain name using the IN-ADDR.ARPA domain.
SOA     Start of Authority       Identifies the primary server for a DNS zone and stores other zone properties.
SRV     Service Locator          Finds the server providing a specific service. Active Directory uses SRV records to locate domain controllers, Global Catalog servers, KDCs and LDAP servers.

NSLOOKUP

From the command line, NSLOOKUP is used to test and query DNS. In interactive mode, the available commands are listed by entering ?. Individual records can be looked up directly from the command line, as in the following example.

C:\>nslookup win2003.newdomain.com
Server:  localhost
Address:  127.0.0.1

Name:    win2003.newdomain.com
Address:  209.47.184.39

To check the SRV records a domain has registered, set the query type first, for example nslookup -type=SRV _ldap._tcp.dc._msdcs.newdomain.com; a missing or stale answer here is the usual cause of "domain controller could not be found" errors.

Keyboard Exercise

From the command line, try NSLOOKUP. If configured, it identifies your default DNS server. Type the HELP command to see which commands are available within NSLOOKUP. When you are finished, use the EXIT command to terminate NSLOOKUP.

Replication

Replicating directory information between Windows NT servers is simple because only the PDC (Primary Domain Controller) can accept updates, and these updates are sent directly from the primary to the BDCs (Backup Domain Controllers). The problem with this simple scheme is that no updates can be accepted if the Primary Domain Controller fails.

Diagram: an NT domain, where only the PDC accepts updates and sends them to the BDCs, versus AD multimaster replication, where any DC can accept updates.

To provide better fault tolerance, the Active Directory supports multimaster replication, in which any domain controller can accept updates. All updates must then be replicated to all other domain controllers so that the databases converge to a consistent state.
When network links and servers go down, the consistency of the distributed database cannot be guaranteed at any point in time. Because of this situation, the Active Directory is said to be loosely consistent. The Active Directory is designed to cope with loose consistency by continuously trying to get the databases to converge. Eventually updates will replicate to all Domain Controllers, and then the Active Directory has convergence.

If every server had to replicate changes to every other server, there would be an excessive number of server connections. To simplify the replication topology and to reduce the network traffic, the Active Directory uses a store-and-forward replication model as shown in the following diagram.

Diagram: Excessive connections (every server replicating to every other server) compared with store-and-forward replication.

The store-and-forward model has a reduced number of replication partners with whom domain controllers exchange information. Each domain controller stores three naming contexts (NCs): schema, configuration, and domain. Each NC is replicated separately.

Diagram: Domain1 NC, Domain2 NC and Domain3 NC are each replicated among their own domain's servers; all servers replicate the configuration and schema NCs.

A service called the KCC (Knowledge Consistency Checker) determines which servers are replication partners. It starts by forming a replication ring and then adds connections that divide the ring until there are no more than 3 hops between servers. In the following diagram, 3 connections must be added to divide the 10-server ring to ensure no more than 3 hops.

Diagram: Replication ring.

Update Sequence Numbers

Any change to any object attribute in the Active Directory must be replicated to all other domain controllers. To keep track of changes, every attribute update is assigned a 64-bit sequence number called the USN (update sequence number). The following diagram is a simplified view of how this works and shows how each attribute update is assigned a simple update sequence number.
USN    Attribute
1238   AttributeQ
1237   AttributeX
1236   AttributeB
1234   AttributeZ
1234   AttributeN
...    ...

In the following example, if Server2 is a new domain controller then all attributes from Server1 are replicated to Server2. Server2 maintains its own independent USN update sequence numbers. Server2 must record the highest USN from Server1. This highest USN is known as the high-watermark vector. The next time replication occurs, only attributes with a higher USN need be copied.

Existing directory on Server1          New directory on Server2
USN    Attribute                       USN    Attribute
1238   AttributeQ                      325    AttributeQ
1237   AttributeX                      324    AttributeX
1236   AttributeB     Replicated -->   323    AttributeB
1234   AttributeZ                      322    AttributeZ
1234   AttributeN                      321    AttributeN
...    ...                             ...    ...
                                       High-watermark for Server1 = 1238

Domain Controllers must also record, for every attribute update: Is this an originating update that was made on this server? Or is this a replicated update, and on which server did it originate?

USN    Attribute     Originated where?
9880   AttributeY    Replicated from Server2
9879   AttributeC    Replicated from Server3
9878   AttributeF    Originated here
9877   AttributeW    Replicated from Server2
9876   AttributeP    Originated here
...    ...           ...

To understand how the USN is used to notify domain controller replication partners, consider the following example. The diagram shows the state of the attribute updates before and after a replication cycle. The italic text represents the new information after the replication cycle. Initially, Server1 is updated to USN 1241. Its replication partners Server2 and Server3 have a high-watermark for Server1 of 1238 and 1240 respectively, set from the previous replication cycle. Only attribute updates with a USN higher than the high-watermark need to be replicated; they are represented by the text in italics with the gray background. After the replication cycle, both servers will update their high-watermark to Server1's USN of 1241.
When attribute changes occur, domain controllers delay the notification of replication partners for 5 minutes in an attempt to accumulate multiple changes. Sending multiple changes together will result in less network traffic than sending each update separately.

Existing directory on Server1          Directory on Server2
USN    Attribute                       USN    Attribute
1241   AttributeM                      325    AttributeM   (new after the cycle)
1240   AttributeG                      324    AttributeG   (new after the cycle)
1239   AttributeV     Replicated -->   323    AttributeV   (new after the cycle)
1238   AttributeQ                      325    AttributeQ
1237   AttributeX                      324    AttributeX
...    ...                             ...    ...
                                       High-watermark for Server1 = 1238 (before)
                                       High-watermark for Server1 = 1241 (after)

                                       Directory on Server3
                                       USN    Attribute
                     Replicated -->    9881   AttributeM   (new after the cycle)
                                       9880   AttributeY
                                       9879   AttributeC
                                       9878   AttributeF
                                       9877   AttributeW
                                       ...    ...
                                       High-watermark for Server1 = 1240 (before)
                                       High-watermark for Server1 = 1241 (after)

If a domain controller is offline for an extended period of time, its high-watermark vectors will not be updated. When it does come back online, it will then receive all updates without any loss of information.

Up-to-dateness Vector

Although we see that changes get replicated even when servers fail, we do not yet have the complete story of how replication works. Based on what has been described above, there is a problem if Server2 and Server3 replicate to each other. Because their USNs have now increased, they would replicate these changes to each other. But Server2 and Server3 already got these changes from Server1. They would also try to replicate these changes back to Server1. Server1's USN would increase again and it would replicate these same changes back to Server2 and Server3, thus creating a vicious replication loop. To prevent this, the domain controllers need another mechanism to represent how up-to-date they are with the source of the attribute updates. The Active Directory has an up-to-dateness vector to record, for each domain controller, the highest USN of the updates that originated there and have been received.
The following table provides a summary.

Vector           Description                    For which DCs
High-watermark   Highest USN received from      Replication partners
Up-to-dateness   Highest USN originating from   All DCs with the same naming context

The up-to-dateness vector prevents changes from replicating when they have already been received from a different source. The up-to-dateness vector ensures that a domain controller knows how up to date it is with changes that originated on a particular domain controller.

Diagram: Server1 with its replication partners Server2, Server3 and Server4.

Server1
USN    Attribute
1241   AttributeM
1240   AttributeG
1239   AttributeV
1238   AttributeQ
1237   AttributeX
...    ...

A partner's view: "My information with respect to Server1 is up-to-date to USN 1240, so only send me changes that originate at Server1 with a USN greater than 1240." Up-to-dateness of Server1 = 1240.

Resolving Conflicts

What happens if the same attribute is changed independently on two different domain controllers? The conflict needs to be resolved as the change replicates between the domain controllers. In the end the attribute change must converge to a consistent value. For each attribute, the Active Directory stores its value, but also:

an incrementing version number
the time that the change was originated
the server where the change originated

Attribute   Value   Version (incremented)   Originating time   Originating server

Conflicts are resolved by examining this additional information in the following sequence. Normally the last value that is written is used.

1. The highest version number is used.
2. The latest originating time is used.
3. The originating server is identified by a GUID number; if the version and time are the same, then the value of the GUID is arbitrarily used to break the tie.

There is a problem to resolve in the case of an object being added or moved to a container on one domain controller while that same container is deleted on another domain controller. In such cases, the objects are placed in the LostAndFound container.
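The USN, high-watermark, up-to-dateness vector and conflict-resolution rules described above, as an added Python model (illustration code, not part of the original text and not Microsoft's implementation; server names, GUID strings and USN start values are constructed to match the earlier diagrams):

```python
"""Toy model of AD multimaster replication: USNs, the high-watermark and
up-to-dateness vectors, and attribute conflict resolution (added
illustration, not Microsoft's implementation)."""
from dataclasses import dataclass

@dataclass(order=True)
class Stamp:
    """Per-attribute metadata, compared field by field in this order."""
    version: int
    orig_time: int   # originating time (constructed integer clock)
    orig_guid: str   # originating DC's GUID, arbitrary tie-breaker

@dataclass
class Attr:
    value: str
    stamp: Stamp
    orig_dc: str     # DC where the update originated
    orig_usn: int    # USN the update received on the originating DC
    local_usn: int   # USN assigned when this DC stored it

class DC:
    def __init__(self, name, guid, start_usn):
        self.name, self.guid, self.usn = name, guid, start_usn
        self.attrs = {}           # attribute name -> Attr
        self.high_watermark = {}  # partner -> highest partner USN pulled
        self.utd = {}             # originating DC -> highest orig USN held

    def write(self, attr, value, time):
        """Originating update made on this DC."""
        old = self.attrs.get(attr)
        self.usn += 1
        stamp = Stamp(old.stamp.version + 1 if old else 1, time, self.guid)
        self.attrs[attr] = Attr(value, stamp, self.name, self.usn, self.usn)
        self.utd[self.name] = self.usn

    def replicate_from(self, src):
        """Pull one cycle from a partner; returns the number of updates sent."""
        hw, sent = self.high_watermark.get(src.name, 0), 0
        for name, inc in src.attrs.items():
            if inc.local_usn <= hw:
                continue   # high-watermark: nothing new on the partner
            if inc.orig_usn <= self.utd.get(inc.orig_dc, 0):
                continue   # up-to-dateness: already received another way
            sent += 1
            old = self.attrs.get(name)
            if old is None or old.stamp < inc.stamp:   # conflict resolution
                self.usn += 1
                self.attrs[name] = Attr(inc.value, inc.stamp, inc.orig_dc,
                                        inc.orig_usn, self.usn)
        self.high_watermark[src.name] = src.usn
        for dc, usn in src.utd.items():   # now as current as the partner
            self.utd[dc] = max(self.utd.get(dc, 0), usn)
        return sent

def scenario():
    """Server1 originates four updates; partners pull them once, cross-replication
    then sends nothing (no loop), and lastly Server2/Server3 change AttributeQ."""
    s1 = DC("Server1", "g1", 1237)
    s2, s3 = DC("Server2", "g2", 322), DC("Server3", "g3", 9878)
    for i, name in enumerate(["AttributeQ", "AttributeV", "AttributeG", "AttributeM"]):
        s1.write(name, f"v{i}", time=100 + i)      # Server1 USNs 1238..1241
    first = (s2.replicate_from(s1), s3.replicate_from(s1))
    second = (s2.replicate_from(s3), s3.replicate_from(s2), s1.replicate_from(s2))
    s2.write("AttributeQ", "from2", time=200)    # both reach version 2;
    s3.write("AttributeQ", "from3", time=201)    # the later time wins
    s2.replicate_from(s3), s3.replicate_from(s2)
    return first, second, s1.usn, s2.attrs["AttributeQ"].value, s3.attrs["AttributeQ"].value
```

Calling scenario() returns (4, 4) for the first pulls, (0, 0, 0) for the cross-replication round with Server1 still at USN 1241, and "from3" on both partners for the conflicting attribute.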
Diagram: Server1 deletes a container while Server2 adds a user to the same container. To resolve the conflict, AD stores the user in the LostAndFound container.

Another problem occurs if objects are added to two different domain controllers with the same object name. In this case, the first added object keeps its name, but the second object gets a name in the format RDN*CNF:<GUID>, where <GUID> is the globally unique identifying number for the object, which is guaranteed to be unique. RDN stands for Relative Distinguished Name, CNF stands for Conflict, and * is a reserved character.

Diagram: Two objects, each saying "I want to be called Bob", added at 09:30 and 09:31. The 1st object will be named Bob; the 2nd object will be named RDN*CNF:1234567890.

REPADMIN /SHOWMETA

To see the USNs, originating time, and version numbers for each attribute, use the REPADMIN command as shown below.

C:\>repadmin /showmeta cn=administrator,cn=users,dc=newdomain,dc=com
33 entries.
Loc.USN  Originating DC                   Org.USN  Org.Time/Date        Ver  Attribute
=======  ===============                  =======  =============        ===  =========
   8194  Default-First-Site-Name\WIN2003     8194  2003-02-11 11:31:37    1  objectClass
   8194  Default-First-Site-Name\WIN2003     8194  2003-02-11 11:31:37    1  cn
  16429  Default-First-Site-Name\WIN2003    16429  2003-04-23 19:45:04    3  description
  16427  Default-First-Site-Name\WIN2003    16427  2003-04-23 19:44:14    1  physicalDeliveryOfficeName
   8194  Default-First-Site-Name\WIN2003     8194  2003-02-11 11:31:37    1  instanceType
   8194  Default-First-Site-Name\WIN2003     8194  2003-02-11 11:31:37    1  whenCreated
  16432  Default-First-Site-Name\WIN2003    16432  2003-04-23 19:45:53    4  displayName
  13893  Default-First-Site-Name\WIN2003    13893  2003-02-11 12:00:00    2  nTSecurityDescriptor

REPLMON Replication Monitor

Use REPLMON to query and control replication and to view the location of the FSMO roles as shown in the following dialogs.
Restore the AD

Backup and Restore of the Active Directory

If a Domain Controller fails and cannot be restarted, you need to recover somehow. Before proceeding, you will remove all references to the failed Domain Controller by using the Sites and Services Manager. One approach is simple:

Reinstall Windows
Promote the server to a Domain Controller
Let replication from the other Domain Controllers update the Active Directory

If replication is not practical because of the volume of data or the speed of the network connection, you may wish to restore the Active Directory from backup media. With NTBACKUP, you restore the System State, which includes the Active Directory.

Warning! Don't restore the Active Directory with backups older than the tombstone lifetime. Subsequently deleted objects will not be removed after the tombstones have expired.

The diagram shows the sequence of events to restore a crashed domain controller and bring it up to date to the time of the last replication cycle. Backups are taken at a point in time where the USN has some value. As more transactions occur, they are replicated to other domain controllers. If the domain controller fails and cannot be restarted, a new installation is required, which can be restored to the point of the last backup. Although the last backup is not completely up-to-date, the other servers will replicate the latest changes back to the recovered server. The only transactions that will be missing after the restore and replication are those applied after the last 5 minute replication cycle.

Diagram: Backup at USN=5678; replication continues to USN=9876; server crash; restore to USN=5678; replication brings the server back to USN=9876.

Normally AD transactions are not replicated back to the originating server. The Active Directory database is identified on each server by a GUID (Globally Unique Identifier).
After a restoration from a backup, the AD database GUID is changed to make the server appear as a different server, so that transactions that originated there get replicated back.

Authoritative Restore

Consider the case where the Active Directory has recently been backed up. Let's say you need to delete 1000 users because a company department is becoming a separate entity. Whoops! You deleted the wrong 1000 users!! How do you get them back? "Easy", you say, "They're backed up on the backup tape and can all be restored". Think about this some more. After a restore, replication continues. When you deleted the 1000 users, the tombstones were replicated to other servers. You can restore the users from the backup tape, but the tombstones will replicate back and delete them again!!

A special procedure called an Authoritative Restore is needed to handle cases like this. The idea of an Authoritative Restore is to specify that the data being restored should be considered authoritative, and other conflicting transactions on other domain controllers at the time of the restore should be ignored. This is accomplished by using NTDSUTIL in the Active Directory Restore Mode. An Administrator must use NTDSUTIL to identify the authoritative objects, which have their version number incremented by 100,000 for each day since the backup to guarantee authority over other existing transactions. The procedure to perform an Authoritative Restore is as follows.
Start the Domain Controller in Directory Services Restore Mode
Log on as the local Administrator
Restore the System State with NTBACKUP
Restart the server in Directory Services Restore Mode
Use NTDSUTIL to designate objects as authoritative
  o Objects are identified with their distinguished names
  o The version number is incremented by 100,000 for each day since the backup
Restart the server normally

Log Files

Windows maintains a number of log files that can be helpful with troubleshooting. These files are stored at %SystemRoot%\Debug.

Example content in NetSetup.log showing events related to joining a domain:

02/11 11:30:02 NetpValidateName: checking to see if 'newdomain.com' is valid as type 4 name
02/11 11:30:05 NetpCheckNetBiosNameNotInUse for 'NEWDOMAIN.COM' [MACHINE] returned 0x0
02/11 11:30:08 NetpCheckDomainNameIsValid [ NON-Existant ]for 'NEWDOMAIN.COM' returned 0x0
02/11 11:30:08 NetpValidateName: name 'NEWDOMAIN.COM' is valid for type 4

Example content in DCPROMO.log showing events of the promotion process:

02/11 11:31:10 [INFO] Promotion request for domain controller of new domain
02/11 11:31:10 [INFO] DnsDomainName newdomain.com
...
02/11 11:33:04 [INFO] The attempted domain controller operation has completed
02/11 11:33:04 [INFO] DsRolepSetOperationDone returned 0

Example content in DCPROMOUI.log showing events of the promotion process:

dcpromoui D38.A44 0000 opening log file C:\WINDOWS\debug\dcpromoui.log
dcpromoui D38.A44 0001 C:\WINDOWS\system32\dcpromo.exe
dcpromoui D38.A44 0002 file timestamp 11/18/2002 07:00:00.000
dcpromoui D38.A44 0003 local time 02/11/2003 18:51:45.406
dcpromoui D38.A44 0004 running Windows NT 5.2 build 3718 (BuildLab:3718.dnsrv.021114-1947) i386
...
dcpromoui D38.A44 00E3 Enter ControlSubclasser::UnhookWindowProc
dcpromoui D38.A44 00E4 exitCode = 0
dcpromoui D38.A44 00E5 closing log

Chapter 6. Conclusion

The Active Directory is the focal point for administration of Windows servers. The security system, with ownership, auditing, permissions, inheritance and DACLs, applies consistently to the file system, the registry, the Active Directory, and to printers. The security system uses the same rules with all of these objects, but the permissions are different for different object types. The file system has many features, including junction points, distributed link tracking, compression, encryption, client-side caching, Dfs, and quotas. User profiles and policies provide a mechanism to control user environments.

There are a number of troubleshooting tools to manage the Active Directory. The schema, FSMO roles, sites, DNS, replication, garbage collection and fragmentation must be managed. Troubleshooting utilities include MMC, NTDSutil, RepAdmin, ReplMon, NSlookup, and NTbackup.

Now that you understand the concepts of the Active Directory, you will be able to effectively perform administration tasks to manage resources and security.
Index

ACE, 16; ADMT, 66; ADSIEdit, 68; architecture, 4; auditing, 15; Auditing, 7; Authentication, 6, 48; Authorization, 6
Client-side Caching, 51; compression, 42; DACL, 7, 9; DC, 30; DCPROMO, 65; Dfs, 55; Distinguished names, 83; DNS, 32, 86; domain, 22
EFS, 43; encryption, 44; fragmentation, 71; FSMO, 31, 70, 74; Garbage collection, 80; Global Catalog, 69; GPO, 63; group, 29; Guest, 8, 25
inheritance, 12, 18; Installation, 63; Junction Points, 39; KCC, 89; Kerberos, 73; ldap, 86; licensing, 64; link tracking, 40; log files, 96; logon, 72
MMC, 37; namespace, 22; NSLOOKUP, 87; NTBACKUP, 95; NTDSUTIL, 76; Ownership, 7; permissions, 10; Policies, 62; Precedence, 12; Printers, 56; profile, 58; Publishing, 34
QFE, 67; Quotas, 46; REPADMIN, 78, 93; reparse points, 40; replication, 88; REPLMON, 94; rights, 25; roaming, 59; RootDSE, 81
SAM, 8; schema, 35, 69; security principals, 6; Seizing, 75; Sharing, 47; SID, 26; site, 83; Synchronization, 53; tombstone, 79; trusts, 23
UPN, 27; up-to-dateness, 91; users, 24; USN, 89