
2003 OS AD DNS DHCP


Page 1: 2003 OS AD DNS DHCP

Q. What is the boot sequence of Windows?
A successful boot process takes the following six steps to complete:
Step 1 - POST (Power On Self Test).
Step 2 - Choose the OS. At the beginning of this step, the screen displays the "OS Loader V5.0" message. When NTLDR runs, it switches the processor into 32-bit flat memory mode. It then reads the Boot.ini file and displays the boot menu. If an OS other than Windows is selected, NTLDR loads the bootsect.dos file and passes control to it, which then boots the other OS. If a Windows 2000 OS is selected, NTLDR runs Ntdetect.com to gather information about the computer's hardware. Once Ntdetect.com has collected the hardware information, NTLDR loads Ntoskrnl and passes that information to it.
Step 3 - Kernel Load. This phase begins with the loading of ntoskrnl.exe, along with the file hal.dll. NTLDR reads the SYSTEM registry key into memory and selects the hardware configuration and control set (from the Registry) that will be used for this boot. NTLDR loads any device drivers that have a start value (again from the Registry) of 0x0. At this point all of these files have been loaded into memory.
Step 4 - Kernel Initialization. Once Ntoskrnl.exe is initialized, it creates the Clone control set by copying the current control set. It also creates the HARDWARE key in the Registry using the information gathered earlier by Ntdetect.com. Ntoskrnl.exe then initializes the drivers loaded earlier and scans the Registry for device drivers that have a start value of 0x1.
Step 5 - Services Load. This step begins with the starting of the Session Manager (Smss.exe). It runs the programs listed in its BootExecute Registry entry and starts the required subsystems. The Win32 subsystem then starts Winlogon.exe, which starts the Local Security Authority (Lsass.exe), and the Ctrl + Alt + Delete window appears. The Service Controller (Screg.exe) checks the Registry for services with a start value of 0x2 and loads them. Services can be loaded simultaneously, subject to their dependencies. Services with start values of 0x3 are started manually, and services with start values of 0x4 are disabled.
Step 6 - Logon. The logon prompt appears during the previous step, but it begins the final step in the boot-up process.

Q. How do you troubleshoot a user account logon issue?
1. Verify the correct logon name is being used, with the correct UPN suffix.
2. Make sure the corresponding user account exists in Active Directory.
3. Make sure the user account is enabled.
4. If the user has tried many times unsuccessfully and receives a message stating the user account is locked, unlock the user account.
5. If necessary, change the password for users who might have forgotten the password.

Q. How do you troubleshoot a computer account logon issue?
1. If the computer account exists, reset the account in Active Directory.
2. If the account does not exist, create it.
3. If troubles persist, remove the computer from the domain and add it to a workgroup (use a workgroup name not currently in use). Rejoin the domain.

Q. What are the different types of profile?
a) Local profile: stored on the local machine where the user logs on. The user gets a different profile when logging on to a different machine.
b) Roaming profile: stored in a shared folder on a server. The user gets the same profile when logging on to a different machine. The user can modify the profile.
c) Mandatory profile: stored in a shared folder on a server. The user gets the same profile when logging on to a different machine. The user cannot modify the profile.

Q. Explain NTFS permissions
The following table summarizes the permissions for folders and files.
Permission: Allowed actions
Read: View folder details and attributes. View file attributes; open a file.
Write: Change folder or file data and attributes.
List Folder Contents: Includes all Read actions and adds the ability to view a folder's contents.
Read & Execute: Includes all Read actions and adds the ability to run programs.
Modify: Includes all Read & Execute and Write actions and adds the ability to add or delete files.
Full Control: Includes all other actions and adds the ability to take ownership of and change permissions on the folder.

Q. Explain shared folder permissions
Permission: Actions
Read: Browse the shared folder and its files. Open files in the shared folder and its subfolders. Copy files from the shared folder. Run programs.
Change: All Read actions (browse, open files, copy files from the folder, run programs). Write to files and change file attributes. Create new files and subfolders. Copy files to the shared folder. Delete files or subfolders.
Full Control: All Read and Change actions. Configure share permissions.


Q. What are basic and dynamic disks?
Basic disks: A basic disk has a limit of four partitions, only one of which can be an extended partition. One primary partition must be marked active. Most operating systems can recognize only one primary partition; all other primary partitions are invisible. (Windows NT/2000/XP/Server 2003 can recognize multiple primary partitions.) The active primary partition is represented with one drive letter (C:). The extended partition can be divided into multiple logical drives (up to 26).

Dynamic disks Windows 2000/XP/Server 2003 recognize dynamic disks. Volumes on dynamic disks are like partitions and logical drives on basic disks. A volume can be made of non-contiguous space on a single drive or space taken from more than one drive. You cannot install the operating system on a dynamic disk. You can, however, upgrade a basic disk containing the operating system to dynamic after installation.

Volume Characteristics
The following table summarizes volume types and their characteristics.
Volume type: Characteristics
Simple volume: Contains a single, contiguous block of space from a single hard disk.
Extended volume: Contains space from multiple areas on the disk. An extended volume that spans two disks is a spanned volume.
Spanned volume: Combines areas from two or more disks into one storage unit. Fills the first area, then the second, and so on. Does not provide fault tolerance: if one hard disk fails, you lose all data. Cannot contain system or boot files.

Redundancy and Fault Tolerance
You should know the following facts about RAID volumes:
Redundant Array of Independent Disks (RAID) combines the use of two or more disks for fault tolerance and performance.
Windows supports three RAID levels: 0 (striping), 1 (mirroring) and 5 (striping with parity). RAID 0 uses data striping but no redundancy, for improved performance. RAID 1 uses disk mirroring to provide fault tolerance. RAID 5 uses disk striping with parity for performance and fault tolerance. The Windows interface uses the term RAID to refer to RAID 5, or striping with parity.
Overhead refers to the amount of extra (or "wasted") disk space required to add fault tolerance.
o RAID 5 volumes use one disk in the set for fault tolerance (a three-disk set has 33% overhead, a four-disk set has 25% overhead).
o Mirrored volumes have 50% overhead (meaning one disk in two is used for fault tolerance).
The following table summarizes volumes that provide redundancy and fault tolerance.
Volume type: Characteristics
Mirrored volume: Stores data to two duplicate disks simultaneously. Fault tolerant because if one disk fails, data is preserved on the other. The system switches immediately from the failed disk to the functioning disk to maintain service.
Striped volume: Uses storage areas on several different disks. Improves performance by writing to multiple disks simultaneously. Uses disk areas similar in size; the amount of space used on each disk is equal to the smallest area. Saves data from a single file on multiple disks.

Q. What precautions will you take while replacing or recovering a disk?
When you move a disk that has been installed and used in another computer, you might need to import the disk. In Disk Management, right-click the disk and choose Import Foreign Disks.
Use Disk Management to reactivate volumes in a RAID-5 configuration. This improves performance after a disk in the configuration has been replaced.
Recovering failed disks:
To recover a failed disk in a mirror configuration:
1. Break the mirror.
2. Delete the failed disk.
3. Recreate the mirror to a new disk (make sure the disk is upgraded to a dynamic disk first).
To recover a failed disk in a RAID-5 configuration:
1. Repair the volume on a new dynamic disk.
2. Delete the old disk.
To recover a volume in a failed operating system:
1. Move the disk to a new machine.
2. Import the foreign disk on the new system.


Backup Most backup methods use the archive bit on a file to identify files that need to be backed up. When a file is modified, the system automatically flags the file as needing to be archived. When the file is backed up, the backup method may reset (clear) the archive bit to indicate it has been backed up. The following table shows the type of data backed up using each backup method.

Backup type: Backs up / Resets archive bit?
Full: Backs up all files regardless of the archive bit. Resets archive bit: Yes.
Incremental: Backs up files on which the archive bit is set. Resets archive bit: Yes.
Differential: Backs up files on which the archive bit is set. Resets archive bit: No.
Copy: Backs up all files regardless of the archive bit status. Resets archive bit: No.
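To see how the four backup types in the table interact with the archive bit over a rotation, here is an added Python model (example code, not from the document). The file names and the weekly schedules are constructed; the model also shows that a Copy backup taken mid-rotation leaves the next incremental unaffected, which follows from the table but is not spelled out there.

```python
from dataclasses import dataclass


@dataclass
class File:
    name: str
    archive: bool = True   # Windows sets the archive bit when a file is created or modified


# Per backup type, from the table: (selects only files with the archive bit set?,
# clears the archive bit on the files it backs up?)
BACKUP_TYPES = {
    "Full":         (False, True),
    "Incremental":  (True,  True),
    "Differential": (True,  False),
    "Copy":         (False, False),
}


def run_backup(files, kind):
    """Return the sorted names written to this backup set and update archive bits
    the way the chosen backup type does."""
    only_flagged, clears_bit = BACKUP_TYPES[kind]
    selected = [f for f in files if f.archive or not only_flagged]
    if clears_bit:
        for f in selected:
            f.archive = False
    return sorted(f.name for f in selected)


def modify(files, *names):
    """Simulate a user editing files: the system flags them as needing archiving."""
    for f in files:
        if f.name in names:
            f.archive = True


def simulate(schedule):
    """schedule: list of (backup kind, names modified since the previous backup).
    Returns a list of (kind, names backed up) for each run, on a constructed file set."""
    files = [File("payroll.xls"), File("report.doc"), File("notes.txt")]
    result = []
    for kind, changed in schedule:
        modify(files, *changed)
        result.append((kind, run_backup(files, kind)))
    return result


if __name__ == "__main__":
    # Incrementals each hold only that day's changes; differentials accumulate
    # everything since the full backup because they never clear the bit.
    for run in simulate([("Full", ()), ("Incremental", ("report.doc",)), ("Incremental", ("notes.txt",))]):
        print("incremental rotation:", run)
    for run in simulate([("Full", ()), ("Differential", ("report.doc",)), ("Differential", ("notes.txt",))]):
        print("differential rotation:", run)
```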

Volume Shadow Copy Services (VSS) VSS is a component of the backup system that takes a point-in-time snapshot of files on the disk. By enabling VSS, you can recover lost (deleted) files and back up open files. You enable VSS on a volume through Explorer. After VSS is enabled, all shared folders on the volume will be shadow copied. You can customize where files are copied to, the limit that copied files can take up, and the interval at which copies will be made.

Through shadow copies, you can recover lost, damaged, or overwritten files by accessing the previous versions of the files cached by the server. The Previous Copies tab in the Properties dialog box of a folder or file lists the previous copies you can access. The Previous Copies tab is available under the following circumstances:
Shadow Copies must be enabled on the server.
The client must have the Shadow Copy client software (installed to the %systemroot%\System32\Clients\Twclient\x86 folder on the Windows Server 2003 system).
You must access the file's properties through a shared folder (if you access the properties for a file on the local machine, the Previous Copies tab won't be available, even if the file is shared and VSS is running).

System Recovery Facts
Tool: Use
Driver Rollback: Use this tool to uninstall recent driver changes and revert to a previous version. In Device Manager, edit the properties of the device.
Last Known Good Configuration: This option reboots the system using the last successful hardware profile. However, it can only be used if you have not logged on after the last change.
Safe Mode: Boots Windows with a limited number of drivers and features enabled. Press F8 during boot to enter Safe Mode. After booting into Safe Mode, you can use Device Manager to roll back drivers, disable devices, uninstall devices, or reinstall or update drivers.
Recovery Console: This is a command-line interface. Before a problem exists, you must install Recovery Console. Install it by using the winnt32.exe /cmdcons command to install the recovery tools on the system. Use Recovery Console to fix the boot sector or master boot record (MBR). You can also remove or update system files and repartition hard disks.
Automated System Recovery: This restores original Windows 2003 Server drivers and files as well as files from the ASR backup set.

Q. What is mounting? Mounting is the process of assigning or mapping a folder to a drive.

Q. What is RAID? RAID is a technology for grouping disks in order to provide more space and redundancy. There are 54 RAID methods in total. Windows 2003 supports RAID 0, 1 and 5.

Q. What is the difference between mirroring and duplexing? Mirroring requires a single controller, and duplexing requires two controllers.

Q. What is a logon script? A logon script is a .bat file or script file which runs when a user logs on.

Q. Where are logon scripts stored? They are stored in the Sysvol folder of the DC.

Q. What are the supported extensions for logon scripts? The commonly supported formats for logon scripts are .exe, .bat, .com, .vbs, etc.

Q. Why are logon scripts used? Logon scripts are generally used to automate tasks like mapping of drives, home directories, printers, etc.

Q. Which protocol is used by ADS for time sync between PCs? SNTP (Simple Network Time Protocol).

Q. What is RPC protocol? RPC stands for Remote Procedure Call. It uses port number 135. RPC is an inter-process communication technique that allows client and server software to communicate.

Q. What is COM? Component Object Model (COM) is Microsoft's object-oriented programming model that defines how objects interact within a single application or between applications.


Q. What is SNMP? SNMP stands for Simple Network Management Protocol. This protocol is used to monitor and manage network devices like switches, routers, servers, etc. SNMP uses UDP port numbers 161 and 162.

Q. What is Network Monitor Agent? Network Monitor Agent is packet capturing software. It is also called a sniffer.

Q. What are the default shares in Windows 2003 Server?
a) Admin$
b) All drives, i.e. C$, D$, etc.
c) IPC$
d) Netlogon (only on a DC)
e) Sysvol (only on a DC)

Q. How do you create a hidden share in Windows? In the share name of the folder, specify $ after the share name, e.g. data$.

Q. What authentication options do Windows 2000 Servers have for remote clients? PAP, SPAP, CHAP, MS-CHAP and EAP.

Q. How do the permissions work in Windows 2000? What permissions does a folder inherit from the parent? When you combine NTFS permissions based on users and their group memberships, the least restrictive permissions take precedence. However, explicit Deny entries always override Allow entries.
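The NTFS permission table earlier in this document and the combination rule in the answer above fit together in one small model. This added Python example (not from the document) encodes the basic permissions as cumulative sets of actions and computes a user's effective access as the union of Allow entries for the user and their groups, minus anything covered by an explicit Deny; the ACL, user names and group names are constructed, and the model deliberately stays at the granularity of the table rather than the full NTFS access mask.

```python
from collections import namedtuple

# Basic NTFS permissions modelled as cumulative sets of allowed actions, following the
# summary table in this document (a simplified model, not the full NTFS access-mask semantics).
ACTIONS = {
    "Read": {"view folder details and attributes", "view file attributes", "open file"},
    "Write": {"change data", "change attributes"},
}
ACTIONS["List Folder Contents"] = ACTIONS["Read"] | {"view folder contents"}
ACTIONS["Read & Execute"] = ACTIONS["Read"] | {"run programs"}
ACTIONS["Modify"] = ACTIONS["Read & Execute"] | ACTIONS["Write"] | {"add or delete files"}
ACTIONS["Full Control"] = set().union(*ACTIONS.values()) | {"take ownership", "change permissions"}

# One access control entry: who it applies to, Allow or Deny, and which basic permission.
ACE = namedtuple("ACE", "principal kind permission")


def effective_actions(acl, user, groups):
    """Combine NTFS permissions for a user and the groups they belong to.

    Allow entries accumulate (the least restrictive result wins), then every action
    covered by an explicit Deny entry is removed, because Deny always overrides Allow.
    """
    principals = {user, *groups}
    allowed, denied = set(), set()
    for ace in acl:
        if ace.principal not in principals:
            continue                       # entry applies to somebody else
        bucket = allowed if ace.kind == "Allow" else denied
        bucket |= ACTIONS[ace.permission]  # in-place update of the chosen set
    return allowed - denied


def can(acl, user, groups, action):
    """True if the action survives the Allow/Deny combination for this user."""
    return action in effective_actions(acl, user, groups)


# Constructed sample ACL for a folder; the principals and group names are invented.
FOLDER_ACL = [
    ACE("Staff", "Allow", "Modify"),
    ACE("Auditors", "Allow", "Read"),
    ACE("alice", "Deny", "Write"),        # explicit Deny placed on the user herself
]

if __name__ == "__main__":
    # bob is only an Auditor: Read.  carol is in both groups: Modify (least restrictive wins).
    # alice is in both groups, but her Deny Write strips the write actions out of Modify.
    for user, groups in [("bob", {"Auditors"}), ("carol", {"Staff", "Auditors"}),
                         ("alice", {"Staff", "Auditors"})]:
        print(user, sorted(effective_actions(FOLDER_ACL, user, groups)))
```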

Q. What is the page file and virtual memory? The page file is storage space for virtual memory; it uses hard disk space as memory to provide memory allocation.

----------------------------------------------------------------------------------------------------------------------------------------------------------------------

Active Directory
A Windows-based directory service. Active Directory stores information about objects on a network and makes this information usable to users and network administrators. Active Directory gives network users access to permitted resources anywhere on the network using a single logon process. It provides network administrators with an intuitive, hierarchical view of the network and a single point of administration for all network objects.
Domain
A collection of computer, user, and group objects defined by the administrator. These objects share a common directory database, security policies, and security relationships with other domains.
Forest
One or more Active Directory domains that share the same class and attribute definitions (schema), site and replication information (configuration), and forest-wide search capabilities (global catalog). Domains in the same forest are linked with two-way, transitive trust relationships.
Site
One or more well-connected (highly reliable and fast) TCP/IP subnets. A site allows administrators to configure Active Directory access and replication topology to take advantage of the physical network.
Global catalog server
A domain controller running Windows Server 2003 that holds a copy of the global catalog for the forest.

Forest root domain
A forest root domain is the first domain you create in an Active Directory forest. The forest root domain must be centrally managed by an IT organization that is responsible for making domain hierarchy, naming, and policy decisions.

Operations master
A domain controller that has been assigned one or more special roles in an Active Directory domain. The domain controllers assigned these roles perform operations that are single-master (not permitted to occur at different places on the network at the same time).
Selective authentication
A method of setting the scope of authentication differently for outgoing and incoming external and forest trusts. Selective trusts allow you to make flexible access control decisions between external domains in a forest.
Trust relationship
A logical relationship established between domains to allow pass-through authentication, in which a trusting domain honors the logon authentications of a trusted domain. User accounts and global groups defined in a trusted domain can be given rights and permissions in a trusting domain, even though the user accounts or groups don't exist in the trusting domain's directory.
Tree root domain
A tree root domain is the highest-level domain in the tree; child and grandchild domains are arranged under it. Typically, the domain you select for a tree root should be the one that is most critical to the operation of the tree. A tree root domain can also be the forest root domain.
Application directory partition
A directory partition that is replicated only to specific domain controllers. Only domain controllers running Windows Server 2003 can host a replica of an application directory partition. Applications and services can use application directory partitions to store application-specific data.

Preferred bridgehead server
A domain controller in a site, designated manually by the administrator, that is part of a group of bridgehead servers. Once designated, preferred bridgehead servers are used exclusively to replicate changes collected from the site. An administrator may choose to designate preferred bridgehead servers when there is a lot of data to replicate between sites, or to create a fault-tolerant topology. If one preferred bridgehead server is not available, the KCC automatically uses one of the other preferred bridgehead servers. If no other preferred bridgehead servers are available, replication does not occur to that site.
Universal group membership caching
A feature in Windows Server 2003 that allows a site that does not contain a global catalog server to be configured to cache universal group memberships for users who log on to the domain controller in the site. This ability allows a domain controller to process user logon requests without contacting a global catalog server when a global catalog server is unavailable. The cache is refreshed periodically as determined in the replication schedule.

Access control list (ACL) The mechanism for limiting access to certain items of information or to certain controls based on users’ identity and their membership in various predefined groups. An ACL is typically used by system administrators for controlling user access to network resources such as servers, directories, and files and is typically implemented by granting permissions to users and groups for access to specific objects.

Multimaster replication Multimaster replication is a replication model in which any domain controller accepts and replicates directory changes to any other domain controller. Because multiple domain controllers are employed, replication continues, even if any single domain controller stops working.

Define each of the following names: DN, RDN, GUID, UPN.
The distinguished name (DN) uniquely identifies the object and contains the name of the domain that holds the object, as well as the complete path through the container hierarchy to the object. The relative distinguished name (RDN) is the part of an object's DN that is an attribute of the object itself. The globally unique identifier (GUID) is a 128-bit hexadecimal number that is guaranteed to be unique within the enterprise. The user principal name (UPN) consists of a user account name (sometimes referred to as the user logon name) and a domain name identifying the domain in which the user account is located.
Function of the global catalog
The global catalog has two main functions: (1) it enables a user to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated, and (2) it enables finding directory information regardless of which domain in the forest actually contains the data.
Function of the KCC
The KCC is a built-in process that runs on all domain controllers. The KCC configures connection objects between domain controllers. Within a site, each KCC generates its own connections. For replication between sites, a single KCC per site generates all connections between sites.
Function of group policies
Group policies are collections of user and computer configuration settings that can be linked to computers, sites, domains, and OUs to modify computer settings and specify the behavior of users' desktops.
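The four name types defined above can be pulled apart programmatically. This added Python example (not from the document, and not a Windows API) splits a DN into its RDNs, recovers the holding domain from the DC= components and the container path from the rest, builds a UPN from a logon name plus that domain, and checks the textual form of a 128-bit GUID; the sample DN, domain and names are constructed, and the splitter goes slightly beyond the text by honouring backslash-escaped commas inside an RDN.

```python
import re


def split_dn(dn):
    """Split a distinguished name into its RDN strings, honouring backslash-escaped
    commas so that "CN=Smith\\, John" stays a single RDN.  Constructed parser."""
    parts, buf, escaped = [], "", False
    for ch in dn:
        if escaped:                 # character after a backslash is literal
            buf += ch
            escaped = False
        elif ch == "\\":
            buf += ch
            escaped = True
        elif ch == ",":             # unescaped comma separates RDNs
            parts.append(buf.strip())
            buf = ""
        else:
            buf += ch
    parts.append(buf.strip())
    return parts


def rdn(dn):
    """The relative distinguished name: the leftmost component, an attribute of the object itself."""
    return split_dn(dn)[0]


def domain_from_dn(dn):
    """The DNS name of the domain holding the object, rebuilt from the DC= components."""
    return ".".join(p.split("=", 1)[1] for p in split_dn(dn) if p.upper().startswith("DC="))


def container_path(dn):
    """The container hierarchy from the domain root down to the object's parent."""
    containers = [p for p in split_dn(dn)[1:] if not p.upper().startswith("DC=")]
    return containers[::-1]


def upn(logon_name, dn):
    """User principal name: the user logon name joined to the domain identified by the DN."""
    return f"{logon_name}@{domain_from_dn(dn)}"


# Canonical textual GUID: 32 hex digits (128 bits) in 8-4-4-4-12 groups.
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def is_guid(text):
    """True if text is the canonical textual form of a 128-bit GUID."""
    return GUID_RE.fullmatch(text) is not None


# Constructed sample object; the domain, OUs and names are invented for the example.
SAMPLE_DN = "CN=Smith\\, John,OU=Finance,OU=Staff,DC=corp,DC=example,DC=com"

if __name__ == "__main__":
    print("RDN:       ", rdn(SAMPLE_DN))
    print("domain:    ", domain_from_dn(SAMPLE_DN))
    print("containers:", container_path(SAMPLE_DN))
    print("UPN:       ", upn("jsmith", SAMPLE_DN))
```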

For best performance and fault tolerance, where should you store the database and log files?
It's recommended that you place the database and the log file on separate hard disks that are NTFS drives, although NTFS is not required.
Function of the shared system volume folder, and the default storage location of the folder
The shared system volume folder stores public files that must be replicated to other domain controllers, such as logon scripts and some of the GPOs, for both the current domain and the enterprise. The default location for the shared system volume folder is %Systemroot%\Sysvol. The shared system folder must be placed on an NTFS drive.
Purpose of the Active Directory Domains And Trusts console
The Active Directory Domains And Trusts console provides the interface to manage domains and manage trust relationships between forests and domains.
Purpose of the Active Directory Sites And Services console
The Active Directory Sites And Services console contains information about the physical structure of your network.
Purpose of the Active Directory Users And Computers console
The Active Directory Users And Computers console allows you to add, modify, delete, and organize Windows Server 2003 user accounts, computer accounts, security and distribution groups, and published resources in your organization's directory. It also allows you to manage domain controllers and OUs.


Describe what happens in a nonauthoritative restore.
In a nonauthoritative restore, the distributed services on a domain controller are restored from backup media and the restored data is then updated through normal replication. Each restored directory partition is updated with that of its replication partners.
Describe what happens in an authoritative restore.
An authoritative restore brings a domain or a container back to the state it was in at the time of backup and overwrites all changes made since the backup.
Q. Which of the Operations master roles should not be assigned to the domain controller hosting the global catalog?
The infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.
Difference between a site link and a connection object
Site links are used by the KCC to determine replication paths between two sites and must be created manually. Connection objects actually connect domain controllers and are created by the KCC, though you can also create them manually if necessary.
Purpose of a site license server
The site license server stores and replicates licensing information collected by the License Logging service on each server in a site.
Function of the global catalog
The global catalog performs three key functions:
1. It enables users to log on to a network by providing universal group membership information to a domain controller when a logon process is initiated.
2. It enables finding directory information regardless of which domain in the forest actually contains the data.
3. It resolves UPNs when the authenticating domain controller does not have knowledge of the account.

Function of Replmon.exe
Replmon.exe, the Active Directory Replication Monitor, enables administrators to view the low-level status of Active Directory replication, force synchronization between domain controllers, view the topology in a graphical format, and monitor the status and performance of domain controller replication through a graphical interface.
Function of Repadmin.exe
Repadmin.exe, the Replication Diagnostics Tool, allows you to view the replication topology as seen from the perspective of each domain controller. Repadmin.exe can be used in troubleshooting to manually create the replication topology (although in normal practice this should not be necessary), to force replication events between domain controllers, and to view the replication metadata and see how up-to-date a domain controller is.
Function of Dsastat.exe
Dsastat.exe compares and detects differences between directory partitions on domain controllers and can be used to ensure that domain controllers are up-to-date with one another. The tool retrieves capacity statistics such as megabytes per server, objects per server, and megabytes per object class, and compares the attributes of replicated objects.

Active Directory
Domains in a tree:
o Are connected with a two-way transitive trust.
o Share a common schema.
o Have common global catalogs.
A site link cost is a value assigned to a link that is used to regulate the traffic according to the speed of the link. The higher the site link cost, the slower the link speed.
Domain controllers are servers that contain copies of the Active Directory database that can be written to. Domain controllers participate in replication.
The Active Directory database is partitioned and replicated. There are four types of Active Directory database partitions:
o Domain
o Configuration
o Schema
o Application
The first domain controller installed in the forest automatically becomes the global catalog server for that domain.

Tools to troubleshoot an Active Directory installation:
Tool: Description
Directory Services log: Use Event Viewer to examine the log. The log lists informational, warning, and error events.
Netdiag: Run from the command line. Tests for domain controller connectivity (in some cases, it can make repairs).
DCDiag: Analyzes domain controller states and tests different functional levels of Active Directory.
Dcpromo log files: Located in the %Systemroot%\Debug folder. Dcpromoui gives a detailed progress report of Active Directory installation and removal. Dcpromos is created when a Windows 3.x or NT 4 domain controller is promoted.
Ntdsutil: Can remove orphaned data or a domain controller object from Active Directory.

Backup and Restore Facts
When you reboot after restoring, Active Directory replication replicates changes. Items restored non-authoritatively will be overwritten during replication.
Use an authoritative restore to restore deleted objects. Objects will be replicated back to other domain controllers on the network.
Use a nonauthoritative restore to get the DC back online. Items will replicate from other DCs after the restored DC goes back online.
Active Directory data is restored by restoring the System State data. You cannot selectively restore Active Directory objects from the backup media.
To restore objects that were added to deleted OUs, move the objects from the LostAndFound container. No restore of objects is necessary.
Make sure you perform backups more often than the tombstone lifetime setting in Active Directory. For example, if the tombstone lifetime is set to 10 days, you should back up Active Directory at least every 9 days. If your backup interval is larger than the tombstone lifetime, your Active Directory backup can be viewed as expired by the system.

Microsoft gives the following as the best practice procedure for restoring Active Directory from backup media: 1. Reboot into Directory Services Restore Mode (press F8 during startup). Log on as the local Administrator with the Directory Services Restore Mode password that was set when the domain controller was promoted (not a domain account). 2. Restore the System State data from backup to its original location and to an alternate location. 3. Run Ntdsutil and, under authoritative restore, mark the entire Active Directory database (restore database, if you are restoring everything) or only the objects or subtrees you need (restore object or restore subtree) as authoritative. 4. Reboot normally. 5. Restore Sysvol contents by copying the Sysvol directory from the alternate location over the existing Sysvol directory (if you restored the entire database). Or, copy only the policy folders (identified by GUID) from the alternate location over the existing policy folders.

You should know the following facts about Sysvol restoration: Sysvol is the shared system volume present on every domain controller. It stores logon scripts and the file-system part of Group Policy objects (the Group Policy templates) for the domain. The default location for Sysvol is %Systemroot%\Sysvol.

To ensure that the proper settings are authoritatively restored, copy the Sysvol directory from the alternate location over the existing Sysvol directory, or copy just the Sysvol policy folders from the alternate location over the originals. (This keeps the Group Policy templates in Sysvol consistent with the restored Group Policy containers in the directory.)

Security Facts A security principal is an account (user, computer, or security group) that has a security identifier (SID). The Active Directory Migration Tool moves objects between domains. An object moved to a new domain gets a new SID issued by that domain; the migration tool can record the object's old SID in its sIDHistory attribute, so that access control entries in the old domain that name the old SID keep working. Because every SID in sIDHistory is added to the user's access token at logon, that attribute is as security-sensitive as group membership; SID filtering (quarantine) on external and forest trusts strips SIDs that do not belong to the trusted domain for exactly this reason.

You should know the following information pertaining to identifiers:

Identifier: Description

GUID: Globally Unique Identifier. A 128-bit number that is unique across the forest (and, in practice, globally). Assigned to an object when it is created. An object's GUID never changes, even if the object is renamed or moved.

SID: Security Identifier. A unique number assigned when a security principal is created. The system tracks the account by SID rather than by name, so renaming an account does not change its permissions, while a deleted and recreated account gets a different SID and loses them. A domain account's SID is the domain SID followed by a relative identifier (RID).

RID: Relative Identifier. The final component of a SID, unique within the domain. The RID master hands out pools of RIDs to each domain controller so that two domain controllers never issue the same RID.
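The identifier table above describes the SID as "domain SID plus RID". The following Python block is an added example, not part of the original notes, that makes the decomposition concrete: it parses the textual S-1-5-21-... form and the binary form stored in the objectSid attribute, splits off the domain SID and the RID, names the well-known RIDs, and applies the same domain-SID comparison that SID filtering uses to drop foreign SIDs (simplified: real SID filtering also passes a short list of well-known, non-domain SIDs). The sample SIDs are constructed and do not belong to any real domain.

```python
"""Decompose Windows SIDs: domain SID + RID, in string and binary (objectSid) form."""
import struct
from dataclasses import dataclass

# RIDs that every domain assigns to the same built-in principals.
WELL_KNOWN_RIDS = {
    500: "Administrator", 501: "Guest", 502: "krbtgt",
    512: "Domain Admins", 513: "Domain Users", 516: "Domain Controllers",
    518: "Schema Admins", 519: "Enterprise Admins",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    authority: int          # 48-bit identifier authority (5 = NT Authority)
    subauthorities: tuple   # up to 15 values of 32 bits each

    @classmethod
    def parse(cls, text):
        """Parse the textual form S-<rev>-<authority>-<sub>-...-<sub>."""
        parts = text.strip().split("-")
        if len(parts) < 3 or parts[0].upper() != "S":
            raise ValueError(f"not a SID string: {text!r}")
        subs = tuple(int(p) for p in parts[3:])
        if len(subs) > 15 or any(not 0 <= s < 2 ** 32 for s in subs):
            raise ValueError("invalid subauthority list")
        return cls(int(parts[1]), int(parts[2]), subs)

    @classmethod
    def from_bytes(cls, raw):
        """Parse the binary form stored in objectSid."""
        if len(raw) < 8:
            raise ValueError("binary SID too short")
        revision, count = raw[0], raw[1]
        if len(raw) != 8 + 4 * count:
            raise ValueError("length does not match subauthority count")
        authority = int.from_bytes(raw[2:8], "big")        # 6 bytes, big-endian
        subs = struct.unpack_from(f"<{count}I", raw, 8)     # 32-bit little-endian each
        return cls(revision, authority, tuple(subs))

    def to_bytes(self):
        n = len(self.subauthorities)
        return (bytes([self.revision, n]) + self.authority.to_bytes(6, "big")
                + struct.pack(f"<{n}I", *self.subauthorities))

    def __str__(self):
        return "-".join(["S", str(self.revision), str(self.authority),
                         *(str(s) for s in self.subauthorities)])

    @property
    def is_domain_principal(self):
        # A domain SID is S-1-5-21-<x>-<y>-<z>; a principal appends one RID.
        return (self.authority == 5 and len(self.subauthorities) == 5
                and self.subauthorities[0] == 21)

    @property
    def domain_sid(self):
        if not self.is_domain_principal:
            raise ValueError(f"{self} is not a domain principal SID")
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    @property
    def rid(self):
        if not self.is_domain_principal:
            raise ValueError(f"{self} has no RID")
        return self.subauthorities[-1]


def describe(text):
    """Split a domain principal SID into domain SID and RID; name well-known RIDs."""
    sid = Sid.parse(text)
    return {"domain": str(sid.domain_sid), "rid": sid.rid,
            "well_known": WELL_KNOWN_RIDS.get(sid.rid)}


def filter_foreign_sids(token_sids, trusted_domain):
    """SID filtering on a quarantined trust, simplified: keep only SIDs (including
    sIDHistory values) whose domain part is the trusted domain; drop everything else."""
    trusted = Sid.parse(trusted_domain)
    return [t for t in token_sids
            if Sid.parse(t).is_domain_principal and Sid.parse(t).domain_sid == trusted]


if __name__ == "__main__":
    # Constructed sample SID (hypothetical domain values).
    print(describe("S-1-5-21-3623811015-3361044348-30300820-1013"))
```

The binary layout matters when you read objectSid straight out of LDAP or a database dump: one revision byte, one subauthority-count byte, a six-byte big-endian authority, then little-endian 32-bit subauthorities, which is why the string form and the hex dump of the same SID look unrelated at first glance.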

Group Facts

Active Directory defines three group scopes. A group's scope determines which domains it can take members from, where its permissions are valid, and which groups can be nested in it.

Scope: Description

Global groups: Used to collect users from the local domain, typically users who perform similar job functions. A global group can contain user and computer accounts and other global groups from the domain in which it resides. Global groups can be granted permissions on resources in any domain in the forest.

Domain local groups: Used to grant access to resources in the local domain. They have open membership: they may contain user and computer accounts, universal groups, and global groups from any domain in the forest, plus other domain local groups from their own domain. Domain local groups can be granted permissions only on resources in the domain in which they reside.

Universal groups: Used to grant access to resources in any domain in the forest. They have open membership: they may contain user and computer accounts, universal groups, and global groups from any domain in the forest. Universal groups can be granted permissions on resources in any domain in the forest. Universal security groups are available only at the Windows 2000 native or Windows Server 2003 domain functional level.
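The scope rules above are easiest to get right when they are checked mechanically. This Python block is an added example, not part of the original notes: it encodes the nesting and ACL-placement rules for a Windows 2000 native or Windows Server 2003 domain, lints a whole nesting plan for violations, and then resolves whether a user actually reaches a resource through the usual chain of accounts in a global group, the global group in a domain local group, and the domain local group in the ACL. The domain names and principals used here are constructed for the example.

```python
"""Check group nesting and ACL placement against Active Directory group scope rules,
then resolve a user's access through the AGDLP chain."""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

ACCOUNT = ("user", "computer")


@dataclass(frozen=True)
class Principal:
    name: str
    domain: str   # DNS name of the domain that holds the object
    kind: str     # "user", "computer", "global", "domain_local" or "universal"


def membership_error(member: Principal, group: Principal) -> Optional[str]:
    """None if member may be added to group, otherwise the rule that forbids it."""
    same_domain = member.domain == group.domain
    if group.kind == "global":
        if member.kind in ACCOUNT + ("global",) and same_domain:
            return None
        return "a global group accepts only accounts and global groups from its own domain"
    if group.kind == "domain_local":
        if member.kind in ACCOUNT + ("global", "universal"):
            return None
        if member.kind == "domain_local" and same_domain:
            return None
        return "a domain local group cannot nest a domain local group from another domain"
    if group.kind == "universal":
        if member.kind in ACCOUNT + ("global", "universal"):
            return None
        return "a universal group cannot contain domain local groups"
    return f"{group.name} is not a group"


def can_hold_permission(group: Principal, resource_domain: str) -> bool:
    """May the group appear in an ACL on a resource in resource_domain?"""
    if group.kind == "domain_local":
        return group.domain == resource_domain
    return group.kind in ("global", "universal")


def validate_plan(memberships: List[Tuple[Principal, Principal]]) -> List[str]:
    """Lint a nesting plan of (member, group) pairs; one message per violation."""
    problems = []
    for member, group in memberships:
        err = membership_error(member, group)
        if err:
            problems.append(f"{member.name} -> {group.name}: {err}")
    return problems


def effective_groups(principal: Principal, memberships) -> Set[str]:
    """Transitive group membership, following only legal memberships."""
    parents = {}
    for member, group in memberships:
        if membership_error(member, group) is None:
            parents.setdefault(member.name, set()).add(group)
    seen, stack = set(), [principal]
    while stack:
        p = stack.pop()
        for g in parents.get(p.name, ()):
            if g.name not in seen:
                seen.add(g.name)
                stack.append(g)
    return seen


def has_access(user: Principal, acl: List[Principal], resource_domain: str, memberships) -> bool:
    """Access is granted if some ACL group is legal for the resource's domain
    and the user is (transitively) a member of it."""
    groups = effective_groups(user, memberships)
    return any(can_hold_permission(g, resource_domain) and g.name in groups for g in acl)
```

A plan that passes validate_plan but still yields has_access() == False usually means the domain local group sits in the wrong domain for the resource, which is the mistake the scope table is warning about.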

Trust Types

The following table shows the types of trusts you can create in Active Directory.

Trust Type: Characteristics and Uses

Tree root: Automatically established between the forest root domain and the root of each additional domain tree in the same forest. Transitive and two-way.

Parent/child: Automatically created between a child domain and its parent. Transitive and two-way.

Shortcut: Manually created between two domains in the same forest. Transitive, and either one-way or two-way. Create a shortcut trust so that Kerberos referrals between two distant domains do not have to walk up and down the tree, which reduces authentication traffic and delay.

External: Manually created between domains in different forests, or between an Active Directory domain and an NT 4.0 domain. Not transitive; either one-way or two-way.

Forest: Manually created between the root domains of two forests. Transitive within the two forests (every domain in one forest trusts every domain in the other) but does not extend to a third forest. Either one-way or two-way. Requires the Windows Server 2003 forest functional level in both forests.

Realm: Manually created between Active Directory and a non-Windows Kerberos realm. Can be transitive or non-transitive, and either one-way or two-way.

Trusts have a direction that indicates which way trust flows in the relationship. The direction of the arrow identifies the direction of trust. For example, if Domain A trusts Domain B, the arrow would point from Domain A to Domain B. Domain A is the trusting domain, and Domain B is the trusted domain. Resource access is granted opposite of the direction of trust. For example, if Domain A trusts Domain B, users in Domain B have access to resources in Domain A (remember that users in the trusted domain have access to resources in the trusting domain). A two-way trust is the same as two one-way trusts in opposite directions.

Functional Level Types

The table below shows the domain functional levels.

Domain Functional Level: Domain Controller Operating Systems: Features

Windows 2000 mixed: Windows NT 4.0, Windows 2000, Windows Server 2003. Features: universal groups are available for distribution groups only; group nesting is available for distribution groups only.

Windows 2000 native: Windows 2000, Windows Server 2003. Features: universal groups for both security and distribution groups; group nesting; group conversion (between security and distribution groups); SID history (allows security principals to be migrated between domains while maintaining permissions and group memberships).

Windows Server 2003: Windows Server 2003 only. Features: all features of Windows 2000 native, plus domain controller rename, the lastLogonTimestamp attribute (update logon time stamp), and the ability to set a user password on an InetOrgPerson object.

Forest functional levels depend on the domain functional levels. The table below shows the forest functional levels.

Forest Functional Level: Domain Functional Levels: Features

Windows 2000: domains at Windows 2000 mixed or Windows 2000 native. Features: global catalog replication improvements are available if both replication partners are running Windows Server 2003.

Windows Server 2003: all domains at Windows Server 2003. Features: global catalog replication improvements; defunct schema objects; forest trusts; linked value replication; domain rename; improved Active Directory replication algorithms; dynamic auxiliary classes; InetOrgPerson objectClass change.

Operation Master Types The following table lists the operation masters at the domain and forest levels. Only one domain controller in the domain (or, for the forest-wide roles, in the forest) performs each role.

Operation Master: Function and Characteristics

RID Master: Ensures domain-wide unique relative IDs (RIDs). The RID master allocates a pool of RIDs to each domain controller; when a DC has used up its pool, it requests a new one. One domain controller in each domain performs this role.

PDC Emulator: Emulates a Windows NT 4.0 primary domain controller (PDC) for down-level clients and backup domain controllers. Receives password changes from the other DCs in the domain immediately, so a logon that fails with a just-changed password is retried at the PDC emulator. Is the authoritative time source for the domain (the forest root's PDC emulator is the time source for the forest). One domain controller in each domain performs this role.

Infrastructure Master: Keeps cross-domain references up to date. When an object in another domain that is referenced by a group in this domain is moved or renamed, the infrastructure master updates the reference and the group membership listing. One domain controller in each domain performs this role.

Domain Naming Master: Ensures that domain names are unique. Must be accessible to add or remove a domain from the forest. One domain controller in the forest performs this role.

Schema Master: Holds the only writable copy of the Active Directory schema for the forest. One domain controller in the forest performs this role.

You should know the following facts about operation master roles:

Operation master role servers are also called flexible single master operation (FSMO) role holders. They are domain controllers that perform the few operations that must not happen on two domain controllers at once. By default, the first domain controller in the forest holds all five roles. When you create a new domain, its first domain controller holds the three domain-wide roles (RID master, PDC emulator, infrastructure master). Use Active Directory Users and Computers to transfer the RID master, PDC emulator, and infrastructure master. Use Active Directory Domains and Trusts to transfer the domain naming master. Use the Active Directory Schema snap-in to transfer the schema master. Run Regsvr32 schmmgmt.dll to register the Active Directory Schema snap-in so that it can be added to a custom console. Before transferring any role, connect to the domain controller that will receive the role.

To move an object between domains with Movetree.exe, you must run the move against the domain controller acting as the RID master of the domain that currently contains the object. With a few exceptions (a single-domain forest, or a domain in which every domain controller is a global catalog server), the infrastructure master should not be located on a global catalog server: a global catalog never holds stale cross-domain references, so an infrastructure master running there would never find anything to update.

Troubleshooting Operation Masters

The following table lists several problems that can be attributed to inaccessible or failed operation masters.

If you have this problem...: Check this operations master...

Unable to add Active Directory objects (from one or many domain controllers, typically once the local RID pool is exhausted): RID master

Unable to move or rename an object across domains: Infrastructure master

Group membership information is not updated between domains: Infrastructure master

Cannot add or remove a domain: Domain naming master

Down-level clients (Windows NT 4.0, Windows 9x) cannot authenticate, or NT 4.0 BDCs stop receiving updates: PDC emulator

Password changes are not picked up promptly: PDC emulator

Normally, you should transfer roles to other servers only if the server holding the original role is available. If the server holding the role has failed, you will need to seize the role (forcefully move it to another server). Before seizing, use Repadmin to make sure the domain controller that will take the role is as up to date as possible with the former role holder. Then use Ntdsutil to seize the role:
o Enter ntdsutil at the command line.
o Enter roles.
o Enter connections.
o Enter connect to server [fully qualified domain name of the server].
o Enter quit.
o At the fsmo maintenance prompt, enter seize [role], where the role is one of schema master, domain naming master, RID master, PDC, or infrastructure master. Ntdsutil first attempts a normal transfer and seizes only if the transfer fails.
o Enter quit to exit.
After seizing a role, never bring the old role holder back online as a domain controller. If you repair the server, run Dcpromo to remove Active Directory from it (or clean up its metadata with Ntdsutil) before reconnecting it; then install Active Directory again and transfer the role back if desired.

Managing the Schema You should know the following facts about schema management: The schema is the set of definitions of the object classes and attributes that can be stored in Active Directory. Each definition is itself stored as an object, so Active Directory manages these definitions just as it does other objects (the definitions are also called metadata). Extending the schema lets Active Directory recognize new attributes and classes; adding a component like Microsoft Exchange requires the schema to be extended. Only members of the Schema Admins group can modify or extend the schema, and changes are written on the schema master and then replicated to every domain controller in the forest. Schema extensions cannot be deleted, only deactivated (made defunct), so test them in a lab forest first. Use the Active Directory Schema snap-in to perform schema management tasks.

Default Active Directory Objects

When you install Active Directory, several objects and containers are automatically created. The following table lists the default containers and their contents.

Container: Contents

Builtin: Built-in domain local security groups. These groups are pre-assigned the permissions needed to perform domain management tasks.

Computers: Computers joined to the domain for which no computer account was created in advance.

Domain Controllers*: All domain controllers. This OU cannot be deleted.

ForeignSecurityPrincipals: Proxy objects for security principals from NT 4.0 domains or from domains outside the forest that have been added to groups in this domain.

LostAndFound**: Objects moved or created at the same time their parent Organizational Unit was deleted. Because of replication, the parent OU can be deleted on one domain controller while administrators on other domain controllers add or move objects into it before the deletion has replicated. During replication, such objects are placed in the LostAndFound container.

NTDS Quotas**: Objects that set limits on the number of directory objects users and groups can own.

Program Data**: Application-specific data created by other programs. This container is empty until a program designed to store information in Active Directory uses it.

System**: Configuration information about the domain, including security groups and permissions, the domain SYSVOL share, Dfs configuration information, and IP security policies.

Users: Built-in user and group accounts. These users and groups are pre-assigned membership and permissions for completing domain and forest management tasks.

*Be aware that the Domain Controllers OU is the only default organizational unit. All other default containers are plain containers, not OUs, so you cannot link a GPO to any default container except the Domain Controllers OU. **By default, these containers are hidden in Active Directory Users and Computers. To view them, click View, then Advanced Features.

Object Management Tasks and Tools The Active Directory Migration Tool (ADMT) is a GUI-based utility that lets you migrate users and other objects between domains. The tool requires that the source domain trust the target domain. You can use the ADMT to retain an object's SID (in sIDHistory). Moving an object within a domain retains its permissions; deleting the object deletes its permissions, because they are tied to its SID. Rename or move an object rather than deleting and recreating it. The Ldp utility lets you search for and view the properties of multiple Active Directory objects. If a computer that does not have an account is joined to the domain, a computer object is created by default in the Computers container, which, being a container and not an OU, cannot have a GPO linked to it (at the Windows Server 2003 domain functional level the Redircmp tool can redirect new computer objects to an OU of your choice). Use the Dsadd command (dsadd ou) to add an OU from the command line; the easiest way to create a single OU is the Active Directory Users and Computers snap-in in the MMC. To view the LostAndFound container, select Advanced Features from the View menu in the Active Directory Users and Computers snap-in. LostAndFound is used when, for example, a container is deleted on one replica while objects are added or moved beneath that same container on another replica; the objects added or moved under the deleted container end up in LostAndFound.

Group Policy Facts Group policy is a tool used to implement system configurations that can be deployed from a central location through GPOs (Group Policy Objects). You should know the following Group Policy facts: GPOs contain hundreds of configuration settings. GPOs can be linked to Active Directory sites, domains, or organizational units (OUs). GPOs include computer and user sections; computer settings are applied at startup and user settings at logon. A GPO affects only the users and computers beneath the object to which it is linked. Group policy settings take precedence over user profile settings. A local GPO is stored on the local machine and applies even when the computer is not connected to a network. GPOs are applied in the following order: 1. Local 2. Site 3. Domain 4. OU (parent OUs before child OUs). If GPOs conflict, the last GPO applied wins. The Computers container is not an OU, so a GPO cannot be linked to it. Group policy is not available for Windows 98/NT clients or Windows NT 4.0 domains. You can use a GPO for folder redirection, which customizes where user files are saved. (For example, you can redirect the My Documents folder to a network share that is backed up regularly. Folder redirection requires Active Directory-based group policy.)

Configuring a domain group policy to delete cached copies of roaming user profiles removes the locally cached copy of the profile when the user logs off.


Refreshing Group Policy By default, Computer Configuration group policy settings (except Software Installation and Folder Redirection) refresh every 5 minutes on domain controllers and every 90 minutes (plus a random offset between 0 and 30 minutes) for other computers. By default, User Configuration group policy settings (except Software Installation and Folder Redirection) refresh every 90 minutes (plus a random offset between 0 and 30 minutes). You can modify refresh rates by editing the properties of the following settings in Group Policy: o Group Policy refresh interval for computers. o Group Policy refresh interval for Domain Controllers. o Group Policy refresh intervals for users. Software Installation and Folder Redirection don't refresh because it is too risky to install/uninstall software or move files while users are using their computers.

To manually refresh group policy settings, use the Gpupdate command with the following switches:

Switch: Function

No switch: Refresh user and computer group policy (only settings that have changed since the last refresh are reapplied).

/target:user: Refresh user group policy only.

/target:computer: Refresh computer group policy only.

/force: Reapply all settings, not only those that have changed.

Editing GPO Facts Group Policy Object Editor has two nodes: o Computer Configuration to set Group Policies for computers. o User Configuration to set Group Policies for users. You can extend each node's capabilities by using snap-ins. Use an Administrative Template file (.adm) to extend registry settings available in the Group Policy Editor. Use the Software setting to automate installation, update, repair, and removal of software for users or computers. The Windows setting automates tasks that occur during startup, shutdown, logon, or logoff. Security settings allow administrators to set security levels assigned to a local or non-local GPO.

Controlling GPO Application You should know the following about controlling GPO application: All GPOs directly linked to or inherited by a site, domain, or OU apply to every user and computer within that container that has both the Apply Group Policy and Read permissions on the GPO. By default, each GPO you create grants the Authenticated Users group (in effect, all network users and computers) Apply Group Policy and Read permissions. To apply settings to computers, configure the Computer Configuration node of a GPO.

Edit Permissions You can control the application of GPOs by editing the permissions in the GPO access control list (ACL). (When you deny an object the required permissions to a GPO, the object will not receive the GPO.) To deny access to a GPO, add the user, group, or computer to the GPO permissions and deny the Apply Group Policy and Read permissions. To apply a GPO to specific users, groups, or computers, remove the Authenticated Users group from the GPO permissions. Add the specific user, group, or computer and grant the Apply Group Policy and Read permissions.

Block Inheritance You can prevent Active Directory child objects from inheriting GPOs that are linked to the parent objects. To block GPO inheritance, 1. Click the Group Policy tab for the domain or OU for which you want to block GPO inheritance. 2. Select the Block Policy inheritance check box.

You cannot block inheritance on a per-GPO basis. Blocking policy inheritance prevents the domain or OU (along with all the containers and objects beneath it) from inheriting GPOs linked higher up. No Override You should know the following facts about the No Override option (called Enforced in the Group Policy Management Console): No Override is set on a GPO link and prevents that GPO's settings from being overridden by GPOs linked lower in the hierarchy; it also carries the GPO through any Block Policy inheritance set below it. When No Override is set on more than one GPO, the GPO linked highest in the Active Directory hierarchy takes precedence.

No Override cannot be set on a local GPO.
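The processing rules spread over the Group Policy Facts, Edit Permissions, Block Inheritance and No Override passages above interact, and the interactions are where misconfigurations hide. The Python block below is an added example, not part of the original notes: a small resultant-set-of-policy calculator that applies the Local, Site, Domain, OU order, link order within a container, Block Policy inheritance, No Override and security filtering (Read plus Apply Group Policy, with explicit Deny winning) to a chain of containers you construct. Container and GPO names are hypothetical.

```python
"""Resultant Set of Policy for one user or computer: LSDOU order, link order,
Block Policy inheritance, No Override (Enforced) and security filtering."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Gpo:
    name: str
    settings: Dict[str, object]
    # Security filtering: groups holding Read + Apply Group Policy.
    # None stands for the default ACL (Authenticated Users, i.e. everyone).
    apply_to: Optional[Set[str]] = None
    deny: Set[str] = field(default_factory=set)   # explicit Deny on Apply Group Policy


@dataclass
class Container:
    name: str                                     # site, domain or OU
    # (gpo, no_override) in link order: index 0 has the highest precedence.
    links: List[Tuple[Gpo, bool]] = field(default_factory=list)
    block_inheritance: bool = False


def applies_to(gpo: Gpo, groups: Set[str]) -> bool:
    """Security filtering: an explicit Deny wins over any Allow."""
    if gpo.deny & groups:
        return False
    return gpo.apply_to is None or bool(gpo.apply_to & groups)


def resultant_policy(local: Optional[Gpo], chain: List[Container],
                     groups: Set[str]) -> Dict[str, Tuple[object, str]]:
    """chain is [site, domain, top OU, ..., the OU holding the object].
    Returns setting -> (winning value, name of the GPO that supplied it)."""
    # Block Policy inheritance discards non-enforced GPOs from every container above
    # the blocking one; only the lowest block in the chain matters for the object.
    blocked_above = max((i for i, c in enumerate(chain) if c.block_inheritance), default=-1)

    normal, enforced = [], []
    for level, container in enumerate(chain):
        for gpo, no_override in reversed(container.links):   # lowest link order first
            if not applies_to(gpo, groups):
                continue
            if no_override:
                enforced.append((level, gpo))
            elif level >= blocked_above:
                normal.append(gpo)

    result: Dict[str, Tuple[object, str]] = {}

    def apply(gpo: Gpo) -> None:
        for key, value in gpo.settings.items():
            result[key] = (value, gpo.name)

    if local is not None:          # the local GPO is always processed, and first
        apply(local)
    for gpo in normal:             # Site, Domain, OU...: the last one applied wins
        apply(gpo)
    # Enforced GPOs beat everything below them; between two enforced GPOs the one
    # highest in the hierarchy wins, so apply them from the deepest level upward.
    for _, gpo in sorted(enforced, key=lambda e: e[0], reverse=True):
        apply(gpo)
    return result
```

Reading the output pairs (value, GPO name) against what the administrator expected is essentially what the RSoP wizard's logging mode reports; the calculator ignores WMI filters and loopback processing, which the notes cover separately.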

WMI Filtering You should know the following facts about WMI filtering: You can use WMI queries to filter the scope of a GPO, for example to apply it only to computers with a particular operating system version or with enough free disk space. WMI filtering is similar to using security groups to filter the scope of GPOs, but the filter is evaluated against the target computer's properties each time policy is processed, which adds to startup and logon time. WMI queries are written in WMI Query Language (WQL). Windows 2000 clients ignore WMI filters and apply the GPO regardless.

Loopback Processing By default, Group Policy applies the Computer Configuration sections of the GPOs that cover the computer's location in Active Directory at startup, and the User Configuration sections of the GPOs that cover the user's location at logon. Where the same setting exists under both nodes, the Computer Configuration setting normally takes precedence. You can change which User Configuration settings a user receives by enabling loopback processing. Following are some circumstances when you might use loopback processing: If you want the User Configuration settings of the GPOs that apply to the computer to take precedence over the user's own GPOs. If you want to prevent the user's own User Configuration settings from being applied. If you want to apply User Configuration settings based on the computer, regardless of where the user account is located in Active Directory.

Loopback processing is typically used to apply User Configuration settings to special computers located in public locations, such as kiosks and public Internet stations. Keep in mind the following about how loopback processing works. Loopback runs in Merge or Replace mode. In Merge mode the user's normal GPO list is processed first and then the User Configuration settings of the GPOs that apply to the computer are appended, so the computer's GPOs win on conflict. In Replace mode the user's own GPO list is discarded and only the User Configuration settings of the computer's GPOs are applied.

To enable loopback processing: 1. Create or edit a GPO linked where the computers that need loopback are located. 2. In Computer Configuration, open Administrative Templates, System, Group Policy. 3. Right-click User Group Policy loopback processing mode and click Properties. 4. Click Enabled. 5. Choose Merge mode or Replace mode.

Group Policy Tools You should be familiar with the use of the following Group Policy tools: Gpresult Gpresult is a command line tool that allows you to examine the policy settings of specific users and computers. Start Gpresult by entering Gpresult at the command line (use the /? switch for syntax help). Gpresult can show the following: o Last application of Group Policy and the domain controller from which policy was applied. o Detailed list of the applied GPOs. o Detailed list of applied Registry settings. o Details of redirected folders.

o Software management information, like information about assigned and published software.

RSoP RSoP (Resultant Set of Policy) is the accumulated results of the group policies applied to a user or computer. You should know the following facts about RSoP: The RSoP wizard reports on how GPO settings affect users and computers. The wizard runs in two modes: logging and planning. The RSoP wizard logging mode reports on existing group policies applied against computers or users. The RSoP wizard planning mode simulates the effects policies would have if applied to computers or users.

RSoP Access You can access the Resultant Set of Policy (RSoP) wizard in various ways. Here are some common ways: Install the RSoP snap-in in an MMC console. Use Start, Run and run Rsop.msc. Or select an object in Active Directory Users and Computers and choose Resultant Set of Policy (in planning or logging mode) from the All Tasks menu.

Delegation Facts You should know the following facts about delegating control of group policies:

Decentralized administrative delegation means that administration is delegated to OU-level administrators. In decentralized delegation, assign full-control permission on the GPOs to the administrators of the OUs they affect. Centralized administrators delegate full-control permissions only to top-level OU administrators, who are then responsible for everything beneath them. In task-based delegation, administration of specific group policies is delegated to the administrators who handle those tasks. For example, security administrators would get full control of security GPOs, and application administrators would get full control of application GPOs.

Logon Facts You should know the following facts about managing logon: Password and account lockout policies for domain accounts are effective only in GPOs linked at the domain level (account policy settings in a GPO linked to an OU affect only the local accounts of the member computers in that OU). To have different password policies for different users, you must create additional domains. Each forest has a single alternate user principal name (UPN) suffix list that you can edit from the properties of the Active Directory Domains and Trusts node. After adding an alternate UPN suffix, you can configure all user accounts to use the same UPN suffix, thus simplifying logon for users in all domains in the forest.

You should be familiar with the following password and account lockout policy settings:

Setting: Description

Enforce password history: Keeps a history of user passwords (up to 24) so that users cannot reuse them.

Minimum password length: Configures how many characters a valid password must have.

Minimum password age: Forces the user to keep a new password for the length of time you determine before changing it again. Without a minimum age, a user could change the password repeatedly in one sitting until the history was exhausted and the old password became usable again.

Password must meet complexity requirements: Requires that the password not contain the user's account name or any part of the user's full name longer than two characters, be at least six characters long, and contain characters from at least three of four categories: uppercase letters, lowercase letters, digits, and non-alphanumeric characters.

Maximum password age: Forces the user to change passwords at whatever interval you determine.

Account lockout threshold: Configures how many incorrect passwords can be entered before the account is locked out. A value of 0 means the account is never locked out.

Account lockout duration: Identifies how long an account stays locked out once it has been locked. A value of 0 means an administrator must manually unlock the account. Any other value is the number of minutes before the account unlocks automatically.

Reset account lockout counter after: Specifies the length of time that must pass after a failed logon attempt before the bad-password counter resets to zero. It must be less than or equal to the account lockout duration.
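The complexity and lockout settings in the table above are simple to state but their interplay is easy to misjudge, and the lockout counter in particular is what a password-spraying attacker paces against. The following Python block is an added example, not part of the original notes: it implements the documented built-in complexity rules (omitting Windows's fifth category for Unicode letters that are neither upper nor lower case) and simulates the lockout counter, reset window and lockout duration over a constructed sequence of timestamped logon attempts. Policy values and account names are hypothetical.

```python
"""Windows password complexity filter and account lockout counter, as a simulation."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Delimiters that split the full name into tokens for the complexity check.
_NAME_DELIMITERS = " ,.-_#\t"


def meets_complexity(password: str, account_name: str, full_name: str = "") -> List[str]:
    """Return the rules the password violates (empty list means acceptable).
    Simplified: the fifth Windows character category (other Unicode letters) is omitted."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    low = password.lower()
    if account_name and account_name.lower() in low:
        problems.append("contains the account name")
    tokens = full_name
    for d in _NAME_DELIMITERS:
        tokens = tokens.replace(d, " ")
    for token in tokens.split():
        if len(token) > 2 and token.lower() in low:
            problems.append(f"contains part of the full name ({token})")
    categories = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])
    if categories < 3:
        problems.append("uses fewer than 3 of the 4 character categories")
    return problems


@dataclass
class LockoutPolicy:
    threshold: int            # Account lockout threshold; 0 = never lock
    reset_after: timedelta    # Reset account lockout counter after
    duration: timedelta       # Account lockout duration; zero = until an admin unlocks


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[datetime] = None
    locked_until: Optional[datetime] = None   # datetime.max when admin unlock is required


def record_logon(state: AccountState, policy: LockoutPolicy, when: datetime, success: bool) -> str:
    """Apply one logon attempt; returns 'ok', 'bad_password' or 'locked'."""
    if state.locked_until is not None:
        if when < state.locked_until:
            return "locked"                  # even a correct password is refused
        state.locked_until, state.bad_count = None, 0   # duration elapsed: auto-unlock
    if success:
        state.bad_count = 0
        return "ok"
    # The counter accumulates only within the reset window.
    if state.last_bad is not None and when - state.last_bad > policy.reset_after:
        state.bad_count = 0
    state.bad_count += 1
    state.last_bad = when
    if policy.threshold and state.bad_count >= policy.threshold:
        state.locked_until = when + policy.duration if policy.duration else datetime.max
        return "locked"
    return "bad_password"


def simulate(attempts, policy: LockoutPolicy):
    """attempts: iterable of (datetime, success). Returns (outcomes, final state)."""
    state = AccountState()
    outcomes = [record_logon(state, policy, when, ok) for when, ok in attempts]
    return outcomes, state
```

The first lockout scenario in the checks below spaces four bad attempts, waits past the reset window, and tries four more without ever locking the account, which is exactly why a short reset window combined with a high threshold gives little protection against slow guessing.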

Managing Sites and Subnets You should know the following facts about how a client finds a domain controller in its own site: 1. When a client needs a domain controller for authentication, it queries DNS for the domain's domain controller SRV records and receives a list of DC IP addresses. 2. The client sends an LDAP ping to the DCs in that list to find a suitable one. 3. The DC's LDAP service hands the query to Net Logon. 4. Net Logon looks up the client's IP address in the subnet-to-site mapping table and returns the client's site name along with the DC's own site. 5. If the client's IP address is not found in the subnet-to-site mapping table, the DC returns a NULL site value and the client simply authenticates with the DC that answered. Otherwise, if the answering DC is not in the client's site, the client queries DNS again for the DCs registered in its own site and prefers one of them.

Replication Facts You should know the following facts about replication: Active Directory automatically picks a bridgehead server in each site (generally the first domain controller in the site). To force a specific server to be the bridgehead, designate it as a preferred bridgehead server by editing the server object's properties in Active Directory Sites and Services. Replication between sites occurs only between the bridgehead servers. To have different replication settings for different WAN links, configure multiple site links; for complete flexibility, create a site link for each physical network connection between sites. The default link cost is 100. A higher cost makes a link less desirable. To steer traffic over one link, give it the lower cost: for example, give high-speed links a low cost and dial-up backup links a high cost.

Costs are additive when several links must be chained to reach a site, and the cheapest total path is used. Use SMTP replication for high-latency or unreliable links where RPC replication would probably fail, keeping in mind that SMTP can replicate only the schema, configuration, global catalog and application partitions (not the domain partition, so it is usable only between sites holding different domains) and that it requires certificates from an enterprise certification authority to sign and encrypt the replication mail.
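Two pieces of site logic from the passages above can be made concrete in code: the subnet-to-site lookup that Net Logon performs (longest matching prefix wins), and the cheapest path over additive site link costs. The Python block below is an added example, not part of the original notes and not the KCC's actual implementation; it uses a constructed subnet table and a constructed three-site topology with a cheap two-hop path and an expensive direct dial-up link. Site names, subnets and costs are hypothetical.

```python
"""Site logic: map a client IP to its site (longest-prefix match over the
subnet-to-site table) and find the cheapest replication path over site links."""
import heapq
import ipaddress
from typing import Dict, List, Optional, Tuple


def site_for_address(client_ip: str, subnet_to_site: Dict[str, str]) -> Optional[str]:
    """Return the site whose most specific subnet contains client_ip, or None (NULL site)."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for prefix, site in subnet_to_site.items():
        net = ipaddress.ip_network(prefix, strict=False)
        if addr.version == net.version and addr in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, site)
    return best[1] if best else None


def cheapest_path(site_links: List[Tuple[str, int, List[str]]],
                  src: str, dst: str) -> Tuple[Optional[int], List[str]]:
    """Dijkstra over site links. Each link is (name, cost, [sites]); moving between
    any two sites on the same link costs that link's cost, and costs add up along
    the path. Returns (total_cost, [site, ..., site]) or (None, []) if unreachable."""
    neighbours: Dict[str, List[Tuple[str, int]]] = {}
    for _, cost, sites in site_links:
        for a in sites:
            for b in sites:
                if a != b:
                    neighbours.setdefault(a, []).append((b, cost))

    dist = {src: 0}
    prev: Dict[str, str] = {}
    heap = [(0, src)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist.get(node, float("inf")):
            continue                      # stale heap entry
        if node == dst:
            break
        for nxt, cost in neighbours.get(node, ()):
            nd = d + cost
            if nd < dist.get(nxt, float("inf")):
                dist[nxt] = nd
                prev[nxt] = node
                heapq.heappush(heap, (nd, nxt))

    if dst not in dist:
        return None, []
    path, node = [dst], dst
    while node != src:
        node = prev[node]
        path.append(node)
    return dist[dst], path[::-1]
```

The unmatched address returning None is the NULL-site case from the site facts above: such a client authenticates with whatever DC answered, which is why a missing subnet object shows up as slow logons over the WAN rather than as an error.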


Managing Replication Facts You should know the following facts about managing replication: Use Replication Monitor (Replmon) or Active Directory Sites and Services to force replication. Replmon has an Update Automatically feature that lets you specify how often replication reports are refreshed. The Sysvol share replicates using the File Replication Service (this includes Group Policy templates and logon scripts). Replication uses RPC: the endpoint mapper on TCP port 135 plus a dynamically assigned high port (by default anywhere in the range 1024 to 65535; it can be fixed to a single port in the registry so that firewalls between domain controllers can be configured). DCs must be able to contact each other for replication, so they need a valid network connection, a valid IP address configuration, and working DNS so that they can locate each other. Use the Directory Service and File Replication Service logs in Event Viewer to monitor replication.

You should also know the following facts about Replmon: Replmon allows you to perform the following administrative tasks: o force synchronization between domain controllers. o monitor domain controller replication. o perform simultaneous monitoring of domain controllers in different forests. Replmon gives a graphical view of the topology. Replmon must run on a computer running Windows Server 2003. You can start Replmon by entering Replmon at the command line.

Tombstones and Garbage Collection You should know the following facts about tombstones and garbage collection: When an object is removed from the Active Directory database, it is stripped of most attributes and moved to the hidden Deleted Objects container. Objects in the Deleted Objects container are called tombstones. The default tombstone lifetime is 60 days (180 days for forests created with Windows Server 2003 SP1 or later). Every 12 hours (the default garbage collection interval) a domain controller examines its Deleted Objects container for tombstones that have exceeded the tombstone lifetime and removes them in a process called garbage collection. The tombstone lifetime is also the maximum useful age of a System State backup and the longest a domain controller may be disconnected before it must be rebuilt rather than reconnected.

Global Catalogs and Universal Group Membership Caching You should know the following facts about global catalogs and universal group membership caching: A global catalog server needs to be contacted during logon (to resolve UPN logons and, in a native-mode domain, to enumerate universal group memberships). Place a global catalog server in each site to speed up logon. A global catalog server also maintains universal group membership, which is consulted during resource access. Only one server per site needs to be a global catalog server. Enabling universal group membership caching for a site lets users who are members of universal groups log on even if the WAN link to the global catalog has failed, because the DCs in the site cache the memberships learned at earlier logons. If the only need is universal group membership information, enabling this feature for a site is a better solution than placing a global catalog server in the site. All domain controllers in the site must run Windows Server 2003 for universal group membership caching to work.

Site License Facts You should know the following facts about site licensing: Set up a site license server to monitor license
o Purchases.
o Deletions.
o Usage.

The License Logging service runs on each server within a site, collecting information to send to the site license server. The information in the site license server database can be viewed with the Licensing tool in Administrative Tools. By default, the site license server is the first domain controller created for a site, but the site license server does not have to be a domain controller.

Application Directory Partitions Application directory partitions are used to store dynamic objects. Most information stored in Active Directory is relatively static, meaning that it changes infrequently enough to allow it to be replicated across a domain with a high degree of regularity. Dynamic objects, however, changes more frequently than they can be efficiently and effectively replicated. (Dynamic objects are created with a time-to-live (TTL) value, which, when it expires, allows Active Directory to delete the object.) Application directory partitions allow you to configure replication and replicas to accommodate the unique requirements of dynamic objects. Where domain partitions must replicate to all domain controllers in a domain, application directory partitions do not have to meet this requirement.

Page 16: 2003 OS AD DNS DHCP

For example, if the DNS service is configured to use AD, the DNS zone data will be replicated across the domain (because zone data is stored in a domain partition) even to domain controllers that are not running the DNS server. However, if you put the DNS zone data in an application directory partition, you can limit the scope of replication. Application directory partitions are not limited, however, in the types of data they can hold. They can hold, for instance, user, computer, and group objects: every object type, in fact, except security principals. Objects in an application directory partition do operate under certain limitations, including the following:
- They cannot maintain DN-valued references to objects in other application directory or domain partitions. Neither can objects in other partitions maintain DN-valued references to objects in an application directory partition.
- They are not replicated to the global catalog. (However, a global catalog server can be configured to replicate an application directory partition.)
- They cannot be moved to other application directory partitions outside the partition in which they were created.

To create an application directory partition:
1. At the command prompt, enter Ntdsutil.
2. Enter Domain management.
3. Enter Create nc [distinguished name of the application directory partition] [domain controller name]

To delete an application directory partition:
1. At the command prompt, enter Ntdsutil.
2. Enter Domain management.
3. Enter Delete nc [distinguished name of the application directory partition]

To add an application directory partition replica:
1. At the command prompt, enter Ntdsutil.
2. Enter Domain management.
3. Enter Add nc [distinguished name of the application directory partition] [domain controller name]

To remove an application directory partition replica:
1. At the command prompt, enter Ntdsutil.
2. Enter Domain management.
3. Enter Remove nc [distinguished name of the application directory partition] [domain controller name]

Some additional points:
- Inter-site replication interval = 180 min (3 hr)
- DC to DC replication within a site = 15 min
- If no site is configured, DC to DC replication = 15 min on Windows 2000 and 5 min on Windows 2003
- Tombstone lifetime: Windows 2003 = 60 days; Windows 2003 with SP1 = 180 days

-------------------------------------------------------------------------------

IP Addressing Facts

Class   Address Range                   Default Mask
A       1.0.0.0 to 126.255.255.255      255.0.0.0
B       128.0.0.0 to 191.255.255.255    255.255.0.0
C       192.0.0.0 to 223.255.255.255    255.255.255.0
D       224.0.0.0 to 239.255.255.255    (multicast addresses)
E       240.0.0.0 to 255.255.255.255    (experimental addresses)

You should also know the following address ranges, which are reserved for private addresses. Use these addresses on a private network that is connected to the Internet through a network address translation (NAT) router.
- 10.0.0.0 to 10.255.255.255
- 172.16.0.0 to 172.31.255.255
- 192.168.0.0 to 192.168.255.255

Keep in mind the following facts about IP addresses:
- The first address in a range on the subnet is the subnet address. Typically, this address is not assigned to hosts.
- The last address in a range on the subnet is the broadcast address. Typically, this address is not assigned to hosts.
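As an added example (not from the study guide), the following Python applies the class table, the private ranges, the APIPA range and the subnet/broadcast rules above to arbitrary addresses; the sample addresses at the bottom are constructed.

```python
"""Apply the study guide's class table, private ranges and subnet/broadcast
rules to arbitrary IPv4 addresses. Added example, not from the guide; the
sample addresses at the bottom are constructed."""
import ipaddress

# Classful ranges exactly as the guide lists them, with default masks
# (classes D and E have no default mask).
CLASS_RANGES = (
    ("A", "1.0.0.0", "126.255.255.255", "255.0.0.0"),
    ("B", "128.0.0.0", "191.255.255.255", "255.255.0.0"),
    ("C", "192.0.0.0", "223.255.255.255", "255.255.255.0"),
    ("D", "224.0.0.0", "239.255.255.255", None),   # multicast
    ("E", "240.0.0.0", "255.255.255.255", None),   # experimental
)
# Private ranges from the guide (used behind a NAT router).
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
APIPA_NET = ipaddress.ip_network("169.254.0.0/16")   # self-assigned: no DHCP server reached
LOOPBACK_NET = ipaddress.ip_network("127.0.0.0/8")   # 127.x sits outside the class A range above


def classify(ip_str):
    """Return the class, default mask and scope (public/private/apipa/...) of an address."""
    ip = ipaddress.IPv4Address(ip_str)
    info = {"class": None, "default_mask": None, "scope": "public"}
    for name, low, high, mask in CLASS_RANGES:
        if ipaddress.IPv4Address(low) <= ip <= ipaddress.IPv4Address(high):
            info["class"], info["default_mask"] = name, mask
            break
    if ip in LOOPBACK_NET:
        info["scope"] = "loopback"
    elif ip in APIPA_NET:
        info["scope"] = "apipa"
    elif any(ip in net for net in PRIVATE_NETS):
        info["scope"] = "private"
    elif info["class"] == "D":
        info["scope"] = "multicast"
    elif info["class"] == "E":
        info["scope"] = "experimental"
    return info


def subnet_bounds(ip_str, mask_str):
    """Subnet address, broadcast address, usable host range, and whether
    ip_str itself may be assigned to a host (the first and last addresses may not)."""
    iface = ipaddress.IPv4Interface(f"{ip_str}/{mask_str}")
    net = iface.network
    first, last = net.network_address + 1, net.broadcast_address - 1
    if net.prefixlen >= 31:   # /31 and /32 have no separate subnet/broadcast addresses
        first, last = net.network_address, net.broadcast_address
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(first),
        "last_host": str(last),
        "assignable": first <= iface.ip <= last,
    }


def explain(ip_str, mask_str=None):
    """One-line summary; falls back to the class default mask when none is given."""
    info = classify(ip_str)
    mask = mask_str or info["default_mask"]
    text = f"{ip_str}: class {info['class']}, {info['scope']}"
    if mask:
        b = subnet_bounds(ip_str, mask)
        text += (f", subnet {b['network']}, broadcast {b['broadcast']}, "
                 f"hosts {b['first_host']} to {b['last_host']}, assignable={b['assignable']}")
    return text


if __name__ == "__main__":
    for sample in ("10.5.6.7", "172.20.1.1", "172.32.0.1", "169.254.10.10", "224.0.0.9"):
        print(explain(sample))
    print(explain("192.168.1.77", "255.255.255.192"))
```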

Troubleshooting TCP/IP

Use the following tips to troubleshoot TCP/IP:
- Use Ipconfig /all to verify your IP address, subnet mask, default gateway, and other IP configuration values.
- If the IP address is in the APIPA range (169.254.0.0 to 169.254.255.254), the computer could not contact a DHCP server. Use Ipconfig /renew to try contacting the DHCP server again.


- Use Ping (Packet Internet Groper) to send small packets to a computer to see if the computer responds. Microsoft recommends the following use of Ping:
  1. Ping the loopback address (127.0.0.1). This verifies that the TCP/IP protocol stack has been properly installed.
  2. Ping the local IP address assigned to the machine. This verifies communication to the NIC.
  3. Ping the default gateway. This verifies connectivity to the default gateway or to another machine on the local network, that is, that the local network is accessible.
  4. Ping a remote host. This checks the connectivity between the default gateway and the remote host.
- Use Tracert to see the route packets take through an internetwork between two devices.
- Use Pathping to view the route of the connection and the connectivity response time. This can help identify where communication latency occurs.
- Use the Arp -d * command to remove all dynamic ARP entries from the ARP list. (Arp -d clears the ARP cache.)
- Use the Windows system logs to track DHCP service startup and shutdown as well as critical errors.

Scope Facts

You should know the following facts about DHCP scopes:
- Use exclusions to prevent the DHCP server from assigning certain IP addresses. For example, exclude any IP addresses for devices that are not DHCP clients.
- Use reservations to make sure a client gets the same IP address each time from the DHCP server. The reservation associates the MAC address with the IP address the client should receive. For example, use a reservation for servers and printers to keep their IP addresses consistent while still assigning the addresses dynamically. When using reservations, do not exclude the addresses you want to assign.
- To change the subnet mask used by a scope, you must delete and recreate the scope. You cannot selectively change the subnet mask in an existing DHCP scope.
- The scope must be activated before the DHCP server will assign addresses to clients.

DHCP Option Facts

Through DHCP, you can deliver a wide range of TCP/IP configuration parameters (not just the IP address and mask). Additional parameters are delivered by configuring DHCP options. Options can be set at the following levels:
- Server. Options set on the server are delivered to all clients of that DHCP server.
- Scope. Options set on the scope are delivered to all computers that obtain an IP address from within the scope.
- Class. A class defines a group of computers that share common characteristics. For example, the vendor class can be used to deliver options to Microsoft Windows clients. Class options are delivered to all computers within the class.
- Reserved client. Options set on a reservation are delivered to the specific client.

Options are applied in the order listed above. If conflicting settings are delivered, the last parameters delivered take precedence over the previous settings. Common options include:
- 003 Router: the IP address of the default router (the default gateway)
- 006 DNS Servers: the IP address of the DNS server or servers
- 015 DNS Domain Name: the domain that the client belongs to; used to update the DNS server
- 044 WINS/NBNS Servers: the IP address of the WINS server or servers
- 046 WINS/NBT Node Type: controls the order in which a client uses NetBIOS name servers

DHCP Server Backup and Recovery

To move the DHCP service from one server to another, you must perform operations on the source and destination machines.

On the source machine:
1. In the DHCP console, back up DHCP. The backup includes:
   o Scopes, exclusions, and reservations.
   o DHCP configurations.
   o DHCP-related registry settings.
2. Stop and disable the DHCP service.
3. Copy the DHCP backup files to the destination machine.

On the destination machine:
1. Install DHCP.
2. Stop the DHCP service.
3. In the DHCP console, restore the DHCP backup files.
4. Verify the DHCP configuration and start DHCP.

DHCP Lease and Renewal Processes

A DHCP client uses the following process to obtain an IP address:
1. Lease Request. The client initializes a limited version of TCP/IP and broadcasts a DHCPDISCOVER packet requesting the location of a DHCP server.
2. Lease Offer. All DHCP servers with available IP addresses send DHCPOFFER packets to the client. These include the client's hardware address, the IP address the server is offering, the subnet mask, the duration of the IP lease, and the IP address of the DHCP server making the offer.


3. Lease Selection. The client selects the IP address from the first offer it receives and broadcasts a DHCPREQUEST packet requesting to lease the IP address in that offer.
4. IP Lease Acknowledgment. The DHCP server that made the offer responds, and all other DHCP servers withdraw their offers. The IP addressing information is assigned to the client, and the offering DHCP server sends a DHCPACK (acknowledgement) packet directly to the client. The client finishes initializing and binding the TCP/IP protocol.

Part of the IP address lease includes a lease duration (the amount of time the client can use the IP address it has been allocated). Periodically, DHCP clients try to renew their IP address with the DHCP server. Microsoft clients use the following rules when renewing leases:
- When the lease time reaches 50%, the client tries to renew its lease with the DHCP server. It sends a DHCPREQUEST unicast message to the DHCP server requesting a lease renewal. If the DHCP server does not respond, the client continues to use the IP address.
- When the lease time reaches 87.5%, the client sends a DHCPREQUEST unicast message to renew the lease. If the DHCP server does not respond, the client continues to use the IP address.
- When the lease time expires, the client broadcasts a DHCPREQUEST message to renew the lease.
- When the client boots, it broadcasts a DHCPREQUEST message to renew the lease.
- If the server sends a negative acknowledgement (a DHCPNAK packet) during any renewal attempt, the client must reinitialize TCP/IP and restart the DHCP lease process from the beginning.
- Enable BOOTP forwarding on routers to ensure that lease request broadcasts are forwarded through the routers.
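As an added example (not part of the guide), this Python models the renewal rules above as a small client-side state machine with constructed lease values; one comment marks where RFC 2131 differs from the guide on the 87.5% attempt.

```python
"""Timeline of a Microsoft DHCP client's lease renewal as the guide describes
it: renew at 50% and 87.5% of the lease, broadcast at expiry and at boot, and
start over from DHCPDISCOVER on a DHCPNAK. Added example, not from the guide;
the lease values used below are constructed."""
from dataclasses import dataclass

BROADCAST = "255.255.255.255"


@dataclass
class Lease:
    start: float      # time the DHCPACK arrived (seconds)
    duration: float   # lease duration in seconds (DHCP option 51)
    server: str       # server that granted the lease (DHCP option 54)

    @property
    def t1(self):
        return self.start + 0.5 * self.duration      # first renewal attempt (50%)

    @property
    def t2(self):
        return self.start + 0.875 * self.duration    # second renewal attempt (87.5%)

    @property
    def expiry(self):
        return self.start + self.duration


def renewal_action(lease, now):
    """What the client does at time `now`: (state, message to send, destination).

    The guide has the 87.5% attempt unicast to the leasing server as well;
    RFC 2131 has the client broadcast in that (REBINDING) state so that any
    server can answer. The code follows the guide."""
    if now < lease.t1:
        return ("BOUND", None, None)                       # nothing to do yet
    if now < lease.t2:
        return ("RENEWING", "DHCPREQUEST", lease.server)   # unicast to the server
    if now < lease.expiry:
        return ("REBINDING", "DHCPREQUEST", lease.server)  # unicast again per the guide
    return ("EXPIRED", "DHCPREQUEST", BROADCAST)           # broadcast once the lease is up


def on_boot(lease):
    """A rebooting client broadcasts a DHCPREQUEST for its previous address."""
    return ("INIT-REBOOT", "DHCPREQUEST", BROADCAST)


def on_reply(lease, now, message, new_duration=None):
    """Apply a server reply (or None for no reply) and return (state, next message)."""
    if message == "DHCPACK":
        # Renewed: the lease timer restarts with the acknowledged duration.
        lease.start = now
        if new_duration is not None:
            lease.duration = new_duration
        return ("BOUND", None)
    if message == "DHCPNAK":
        # Negative acknowledgement: reinitialize TCP/IP and start the lease over.
        return ("INIT", "DHCPDISCOVER")
    # No reply: keep using the address and stay in the current phase.
    return (renewal_action(lease, now)[0], None)


if __name__ == "__main__":
    lease = Lease(start=0.0, duration=8 * 3600, server="10.0.0.5")   # constructed 8-hour lease
    for t in (1000, lease.t1, lease.t2, lease.expiry):
        print(t, renewal_action(lease, t))
    print(on_reply(lease, lease.t1, "DHCPNAK"))      # ('INIT', 'DHCPDISCOVER')
```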

The following table summarizes the packets exchanged between DHCP clients and servers.

Message       Description
DHCPDISCOVER  Sent from the client to a server or servers to ask for an IP address. Used when the client starts or cannot renew its current lease.
DHCPOFFER     Offers to lease an IP address to a client when it starts on the network. A client can receive multiple offers from multiple DHCP servers but usually selects the first.
DHCPREQUEST   Requests a specific new IP address or renewal of the client's current IP address. Used to select one lease offer from among multiple offers or to confirm a previous address lease.
DHCPACK       Sent from the server to the client to acknowledge and complete a client's requested address lease. Contains the IP address, lease duration, and possibly other parameters.
DHCPNAK       Sent from the server to a client when the requested IP address is not available (negative acknowledgement).
DHCPDECLINE   Used by the client to decline the offer of an IP address because of a potential conflict.
DHCPRELEASE   Sent from the client to the server to release an IP address. Used to cancel a currently active lease. Cancellation can be done manually with the Ipconfig /release command.
DHCPINFORM    Used by a computer to obtain information from a DHCP server for use in its local configuration. Used when the sender already has an IP address, possibly not from DHCP.

Troubleshooting DHCP

For a Windows Server 2003 DHCP server to deliver IP addresses, the following conditions must be met:
- The server must be authorized.
- The DHCP service must be running (the DHCP server is started).
- The scope must be activated.
- There must be IP addresses in the scope that are free to be assigned, or a reservation for the client must be defined.
- The client must be configured to receive its IP address from the DHCP server.

One useful tool for troubleshooting and fixing DHCP lease problems is Ipconfig. The following table lists the command switches useful in troubleshooting DHCP.

Command            Use
Ipconfig /all      View the TCP/IP configuration including the IP address, mask, default gateway, and any other DHCP-delivered parameters. In addition, the command shows the IP address of the DHCP server from which the configuration information was received.
Ipconfig /renew    Renew the DHCP configuration for a specific adapter or for all adapters.
Ipconfig /release  Release the DHCP configuration and discard the IP address configuration for a specific adapter or for all adapters.

An IP address in the 169.254.0.0 range indicates that the client could not contact the DHCP server and has used APIPA to assign itself an address. You should recognize the following symptoms of a rogue DHCP server:
- Incorrect IP configuration information.


- Duplicate addresses assigned.
- Ipconfig /all shows an unexpected DHCP server address.
- DHCPNAK messages at the client during lease renewal.

If the client has an address from the wrong server, remove the rogue server, then do Ipconfig /release followed by Ipconfig /renew.
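The decoder below, added here and not taken from the guide, parses the server replies listed in the DHCP message table and turns the rogue-server symptoms above into checks a defender can run on captured packets; the packet bytes, the server addresses and the scope are all constructed for illustration.

```python
"""Decode DHCP server replies and flag the rogue-server symptoms the guide
lists (reply from an unexpected server, address outside the scope, DHCPNAK at
renewal). Added example, not from the guide; the sample packet, server
addresses and scope are constructed for illustration."""
import ipaddress
import struct

MAGIC_COOKIE = b"\x63\x82\x53\x63"            # marks the start of the DHCP options
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST",
                 4: "DHCPDECLINE", 5: "DHCPACK", 6: "DHCPNAK",
                 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def build_reply(msg_type, xid, yiaddr, client_mac, server_id, extra_options):
    """Construct a server-to-client packet (op=2) so the decoder has input."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         2, 1, 6, 0, xid, 0, 0,
                         b"\0" * 4,                             # ciaddr
                         ipaddress.IPv4Address(yiaddr).packed,   # yiaddr: offered address
                         b"\0" * 4, b"\0" * 4,                   # siaddr, giaddr
                         client_mac.ljust(16, b"\0"), b"\0" * 64, b"\0" * 128)
    options = [(53, bytes([msg_type])),                          # 53: message type
               (54, ipaddress.IPv4Address(server_id).packed)]    # 54: server identifier
    options += extra_options
    body = b"".join(bytes([code, len(value)]) + value for code, value in options)
    return header + MAGIC_COOKIE + body + b"\xff"                # 255 ends the options


def parse_dhcp(data):
    """Parse the fixed header and the options the guide discusses."""
    if len(data) < 240 or data[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP packet")
    op, _htype, hlen, _hops, xid, _secs, _flags = struct.unpack("!BBBBIHH", data[:12])
    raw, i = {}, 240
    while i < len(data):                     # options are code, length, value
        code = data[i]
        if code == 0:                        # pad
            i += 1
            continue
        if code == 255:                      # end
            break
        length = data[i + 1]
        raw[code] = data[i + 2:i + 2 + length]
        i += 2 + length

    def addr_list(value):
        return [str(ipaddress.IPv4Address(value[k:k + 4])) for k in range(0, len(value), 4)]

    pkt = {"op": "reply" if op == 2 else "request",
           "xid": xid,
           "client_mac": ":".join(f"{b:02x}" for b in data[28:28 + hlen]),
           "yiaddr": str(ipaddress.IPv4Address(data[16:20])),
           "type": MESSAGE_TYPES.get(raw.get(53, b"\0")[0], "UNKNOWN")}
    for code, key in ((54, "server_id"), (1, "subnet_mask")):
        if code in raw:
            pkt[key] = str(ipaddress.IPv4Address(raw[code]))
    for code, key in ((3, "routers"), (6, "dns_servers")):
        if code in raw:
            pkt[key] = addr_list(raw[code])
    if 51 in raw:
        pkt["lease_seconds"] = struct.unpack("!I", raw[51])[0]
    if 15 in raw:
        pkt["domain_name"] = raw[15].decode("ascii", "replace").rstrip("\0")
    return pkt


def check_reply(pkt, authorized_servers, expected_scope):
    """Flag the guide's rogue-server symptoms in a parsed server reply.

    authorized_servers: the server identifiers (option 54) expected on this segment.
    expected_scope: the network an offered address must fall in."""
    findings = []
    if pkt["op"] != "reply":
        return findings
    server = pkt.get("server_id")
    if server not in authorized_servers:
        findings.append(f"{pkt['type']} from unauthorized server {server}")
    if pkt["type"] in ("DHCPOFFER", "DHCPACK"):
        if ipaddress.IPv4Address(pkt["yiaddr"]) not in ipaddress.ip_network(expected_scope):
            findings.append(f"offered address {pkt['yiaddr']} is outside scope {expected_scope}")
    if pkt["type"] == "DHCPNAK":
        findings.append(f"DHCPNAK from {server}: check which server rejected the renewal")
    return findings


# Constructed sample: an OFFER of 10.0.0.50 from the server at 10.0.0.5 with an 8-day lease.
SAMPLE_OFFER = build_reply(
    2, 0x3903F326, "10.0.0.50", bytes.fromhex("001122334455"), "10.0.0.5",
    [(1, ipaddress.IPv4Address("255.255.255.0").packed),
     (3, ipaddress.IPv4Address("10.0.0.1").packed),
     (6, ipaddress.IPv4Address("10.0.0.5").packed),
     (15, b"corp.example"),
     (51, struct.pack("!I", 691200))])

if __name__ == "__main__":
    offer = parse_dhcp(SAMPLE_OFFER)
    print(offer)
    print(check_reply(offer, {"10.0.0.5"}, "10.0.0.0/24"))   # no findings
    print(check_reply(offer, {"10.0.0.2"}, "10.0.0.0/24"))   # flags 10.0.0.5 as unauthorized
```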

DNS Name Resolution Process

You should be familiar with the DNS name resolution process:
1. When a DNS name resolution request is forwarded to a DNS server, the DNS server examines its local DNS cache for the IP address.
2. If the IP address is not in the DNS server's cache, it checks its Hosts file. (Since the Hosts file is a static text file, it is not commonly used.)
3. If the DNS server is not authoritative and is configured for forwarding, the DNS server forwards the request to a higher-level DNS server.
4. If the DNS server cannot forward the request, or if forwarding fails, the DNS server uses its Root Hints file (also known as Cache.dns). The Root Hints file lists the 13 root DNS servers.
5. The root DNS server responds with the address of a com, edu, net, or other top-level DNS server (depending on the request).
6. The DNS server forwards the request to that high-level DNS server, which can respond with a variety of IP addresses.

You should know the following facts about DNS:
- DNS translates a hostname to an IP address.
- The DNS hierarchy is made up of the following components:
  o . (dot) domain (also called the root domain)
  o Top Level Domains (TLDs) (.com, .edu, .gov)
  o Domains
  o Hosts
- A fully qualified domain name (FQDN) must include the name of the host and the domain, not just the domain.
- A forward lookup uses the host name (or the FQDN) to find the IP address. A reverse lookup uses the IP address to find the host name (or FQDN).

- A DNS server can forward a DNS request to an upstream DNS server if it cannot resolve a host name to an IP address.
- An authoritative server is a DNS server that has a full, complete copy of all the records for a particular domain.
- A caching-only DNS server has no zone information; it is not authoritative for any domain.
- The Root Hints file (also called the Cache.dns file) lists the 13 root DNS servers. A DNS server uses the Root Hints file to forward a request to a root DNS server as a last resort to resolve a host name to an IP address. A root DNS server refers DNS servers to the .com, .edu, or .gov level DNS servers.
- Recursion is the process by which a DNS server or host uses root name servers and subsequent servers to perform name resolution. Most client computers do not perform recursion; rather, they submit a DNS request to the DNS server and wait for a complete response. Many DNS servers will perform recursion.

Zone Types

The table below lists the types of DNS zones:

Zone Type                    Description
Standard primary             Host name-to-IP address name resolution. Data is stored in a flat text file. Read-write copy of the data.
Standard secondary           Host name-to-IP address name resolution. Data is copied from another DNS server. Read-only copy of the data.
Reverse lookup               IP address-to-host name resolution. Can be either a primary or a secondary zone.
Active Directory-integrated  Data is stored in Active Directory and shared between domain controllers. Data is read-write on all servers holding it. Provides automatic replication, fault tolerance, and distributed administration of DNS data.

You should also know the following facts about zones:
- To configure reverse lookup for a subnetted IP network, enable the Advanced view in the DNS console.
- Reverse lookup zones for IPv6 addresses should be created in the ip6.arpa namespace.

Common Resource Records

The table below lists the most common resource records.

Record Type               Use
A (host address)          The A record maps a DNS host name to an IP address. This is the most common resource record type.
CNAME (canonical name)    The CNAME record provides alternate names (aliases) for hosts that already have an A record.
MX (mail exchanger)       The MX record identifies servers that can be used to deliver mail.


NS (name server)          The NS record identifies all name servers that can perform name resolution for the zone. Typically, there is an entry for the primary server and all secondary servers for the zone.
PTR (pointer)             In a reverse lookup zone, the PTR record maps an IP address to a host name (i.e. it "points" to an A record).
SOA (start of authority)  The first record in any DNS zone file is the SOA. It defines the general parameters for the DNS zone, such as the authoritative server and the zone file serial number.
SRV (service locator)     The SRV record is used by Windows 2003 to register network services. This allows clients to find services (such as domain controllers) through DNS. Windows 2003 automatically creates these records as needed.

Dynamic DNS Facts

For a Windows 2000/XP/2003 client, the following process is used to dynamically update the DNS database:
1. The client boots and receives an IP address from the DHCP server.
2. The client sends a DNS update request to update the forward lookup (A) record.
3. The DHCP server sends an update request to update the reverse lookup (PTR) record.

For clients that cannot perform dynamic updates, the DHCP server sends both the forward and reverse lookup updates. You can also configure the DHCP server to perform both tasks for Windows clients. To enable dynamic updates, use the following steps:
1. On the Windows DNS server, open the zone's Properties dialog box and enable dynamic updates.
2. In the TCP/IP properties of the client, make sure dynamic DNS registration is enabled (it is enabled by default).

Note: You may also need to enable dynamic updates on the DHCP server if you are doing dynamic updates by proxy.

You should know the following facts about secure dynamic DNS:
- Secure dynamic updates are only available for Active Directory-integrated zones.
- To use secure DDNS, a client must be a member of the same Active Directory domain as the DDNS server.
- Only the original client that registered a record can alter or remove it when using secure DDNS.

AD-Integrated Zone Facts

Using Active Directory to manage zone information has the following advantages:
- No single point of failure. Changes are made to multiple servers rather than to an individual server.
- Fault tolerance. Each host server maintains up-to-date zone information.
- Single replication topology. Zone transfers occur through Active Directory replication.
- Secure dynamic updates. Only authorized computers can update dynamically.
- Simplified management. Any authorized computer can initiate changes to the zone (not just the primary server).

In Windows 2000, all DNS data is replicated to all domain controllers. With Windows 2003, you have the following options:

Replication Option      Where data is replicated
2000 Default            All domain controllers in the domain receive the information, whether or not they have DNS installed.
DomainDNSZones          All domain controllers with DNS in the domain receive the information.
ForestDNSZones          All domain controllers with DNS in the forest receive the information. (Used most effectively when you have very important records that need to be available throughout the forest.)
Application Partitions  All domain controllers within the application partition. By using an application partition, you can customize which domain controllers will receive the DNS data.

Root Hint Facts

Keep in mind the following facts regarding root hints:
- The Cache.dns file holds the 13 root hint addresses for the Internet root servers.
- The Cache.dns file can be found in two locations:
  o %SystemRoot%\system32\dns\Cache.dns (the copy in use)
  o %SystemRoot%\system32\dns\backup\Cache.dns (the copy reserved in the backup location)
- If you have a root zone configured on a DNS server, the server acts as a root zone server. A DNS server configured as a root zone server never uses the root hints file (Cache.dns); it considers itself authoritative. Consequently, the server won't access the Internet to forward DNS queries. If you want the DNS server to access the Internet, delete the root zone in the DNS console.
- You can configure root hints through the properties of a DNS server or by editing the DNS server's Cache.dns file. If the server is configured to load data from Active Directory, you must configure root hints using the DNS snap-in because the local Cache.dns is not used (the root hints data is stored in AD).

Stub Zones and Forwarding Facts

You should know the following facts about DNS performance:
- A stub zone holds copies of the following DNS record types:


  o NS records for all DNS servers (primary and secondary).
  o SOA record for the primary server.
  o DNS A records (also called glue records) for the DNS servers.
- A stub zone is dynamic. It updates itself with changes.
- Use a stub zone to provide quick access to the name server list and to keep the name server list updated without replicating zone data.
- Conditional forwarding allows DNS queries to be forwarded to specific DNS servers that host specific zones. Conditional forwarding is static: you set up an IP address that handles a specific type of query. Conditional forwarding must be updated when changes to forwarders are made.
- If a DNS server is configured to use forwarders, you can disable recursion on the DNS server. This means the server submits requests to the forwarder and waits for a response.

Zone Transfer Facts

Replication through standard zones takes place through zone transfers. Secondary servers contact their master servers for new zone information. You should know the following facts about zone transfers:
- The zone serial number is modified when changes are made to the zone file. A zone transfer is initiated when a secondary server checks the master server and finds an incremented zone serial number.
- Zone transfer notification occurs when the master server contacts the secondary server after changes have been made.
- By default, a DNS server replicates the entire zone database (called a full zone transfer or AXFR). A partial zone transfer, in which only the changed information is replicated, is called an incremental zone transfer or IXFR.
- To initiate a manual transfer, increment the serial number first. Otherwise, no transfer will occur (a transfer only occurs when the serial number has changed).
- You can improve DNS performance by placing multiple DNS servers on your network. For example, you can place a secondary server on the other side of a WAN link to reduce WAN traffic caused by name resolution. However, zone replication traffic must still cross the WAN link.
- A caching-only server runs DNS but has no zones configured. Use a caching-only server to improve performance while eliminating zone transfers.
- An Active Directory-integrated zone stores DNS information in Active Directory rather than in a zone file. Zone information is copied automatically when AD replicates. If a zone is Active Directory-integrated and has no secondary servers, you can disable zone transfers. Zone data will continue to be replicated through Active Directory.

Normally, zone transfers happen automatically at periodic intervals. You can force an update of zone data through the DNS console or by using the Dnscmd command. The following table lists some actions you can take to refresh zone data manually.

DNS Console Action    Dnscmd Option        Result
Reload                Dnscmd /ZoneReload   The server reloads zone data from its local copy (it reads the data back in from the zone file on the hard disk).
Transfer from Master  Dnscmd /ZoneRefresh  Initiates a normal zone transfer. The DNS server compares its serial number with that of the zone on the master. If the serial numbers are the same, no zone transfer takes place.
Reload from Master    N/A                  The DNS server dumps its copy of the data and reloads the entire zone from the master server.

To force a zone transfer, you can either increment the serial number on the master server and then transfer the data from the master, or you can simply reload the data from the master.
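As an added example (not from the guide), this Python shows the serial comparison a secondary makes before transferring, the date-based serial increment used before a manual transfer, and when the result is an IXFR rather than an AXFR; the change journal is a constructed stand-in for the master's change history.

```python
"""Zone serial comparison with RFC 1982 wraparound arithmetic, the YYYYMMDDnn
increment convention, and the IXFR-versus-AXFR decision a secondary makes.
Added example, not from the guide; the journal below is a constructed
stand-in for a master's change history."""

SERIAL_MODULUS = 1 << 32      # SOA serials are unsigned 32-bit values
HALF_RANGE = 1 << 31


def serial_newer(a, b):
    """True if serial a is newer than b under RFC 1982 wraparound rules."""
    a, b = a % SERIAL_MODULUS, b % SERIAL_MODULUS
    if a == b:
        return False
    return (a > b and a - b < HALF_RANGE) or (a < b and b - a > HALF_RANGE)


def secondary_needs_transfer(local_serial, master_serial):
    """A secondary transfers only when the master's serial has moved ahead;
    an unchanged (or older) master serial triggers nothing."""
    return serial_newer(master_serial, local_serial)


def next_serial(current, today):
    """Increment under the YYYYMMDDnn convention, where `today` is 'YYYYMMDD'.
    The first change of a day becomes YYYYMMDD01; later changes add one, so
    the serial always rises even if nn runs past 99."""
    base = int(today) * 100
    if current < base:
        return base + 1
    return (current + 1) % SERIAL_MODULUS


def plan_transfer(local_serial, master_serial, journal):
    """Decide ('none' | 'IXFR' | 'AXFR', changes).

    journal maps an old serial to (new serial, list of changes), the history a
    master keeps; an incremental transfer is possible only if the chain from the
    secondary's serial to the master's current serial is still in the journal."""
    if not secondary_needs_transfer(local_serial, master_serial):
        return ("none", [])
    changes, serial = [], local_serial
    for _ in range(len(journal) + 1):
        if serial == master_serial:
            return ("IXFR", changes)
        if serial not in journal:
            break                      # history is gone: full zone transfer
        serial, delta = journal[serial]
        changes.extend(delta)
    return ("AXFR", [])


# Constructed journal for a master whose serial went 2004030101 -> 2004030103.
JOURNAL = {
    2004030101: (2004030102, ["add www.corp.example A 10.0.0.10"]),
    2004030102: (2004030103, ["del www.corp.example A 10.0.0.10",
                              "add www.corp.example A 10.0.0.11"]),
}

if __name__ == "__main__":
    print(plan_transfer(2004030101, 2004030103, JOURNAL))   # IXFR with three changes
    print(plan_transfer(2003120105, 2004030103, JOURNAL))   # AXFR: serial too old for the journal
    print(plan_transfer(2004030103, 2004030103, JOURNAL))   # none: serials match
    print(next_serial(2004030103, "20040302"))              # 2004030201
```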

DNS Design Guidelines

Keep in mind the following facts about DNS namespace design:
- Active Directory requires DNS.
- A split-brain DNS solution allows you to run internal DNS and external DNS that don't communicate with one another. This helps to maintain internal security. Following are three split-brain DNS configuration options:
  o Set up the same DNS name internally and externally.
  o Set up different DNS names internally and externally.
  o Set up the internal DNS as a subdomain of the external DNS.
- The purpose of a split-brain DNS solution is to:
  o Allow external clients to access only external resources.
  o Allow internal clients to access all resources.


The table below lists the split-brain DNS configurations.

Split-brain DNS Configuration                        Implementation
Same Internal and External DNS Names                 Set both DNS servers as primary to prevent zone transfer traffic. Allow internal client access to external resources by copying external resource records to the internal DNS server.
Different Internal and External DNS Names            To allow internal clients to access external resources, set up a forwarder, either a regular forwarder or a conditional forwarder.
Internal DNS Name as Subdomain of External DNS Name  One possible advantage is that you can run separate DNS infrastructures (e.g., an external Unix infrastructure and an internal Microsoft infrastructure). One danger is that outside queries could include the internal namespace; use the firewall to block these types of queries. Set up a forwarder to allow internal clients to access external resources.

DNS Solutions

You have a wide variety of tools to help you in designing a DNS solution. The following table lists various zone types and configuration options and when to use each.

Solution                          Use
Primary zone                      Select a primary zone to manage zone data on non-domain controllers or non-Windows DNS servers.
Secondary zone                    Select a secondary zone to copy read-only zone data from another server. For example, your Windows server can be a secondary server to a non-Windows server, or a non-Windows server can be a secondary server to an Active Directory-integrated zone. Secondary zone servers accomplish three tasks: (1) fault tolerance, (2) load balancing, and (3) reduced name resolution traffic over WAN links.
Reverse lookup zone               Use a reverse lookup zone to find the host name for a given IP address. For example, use a reverse lookup zone if you need to identify the host name of clients who connect to a server or service. Reasons to set up reverse lookup zones: to use Nslookup with an IP address; to use IP filtering in IIS; to accommodate applications that rely on reverse lookups.
Active Directory-integrated zone  Use when you have DNS servers that are also domain controllers. AD-integrated zones allow multi-master updates to the DNS database, automatically replicate data through Active Directory (rather than conventional DNS replication), secure zone updates, and allow secure dynamic client registration.
Caching-only server               Use to reduce DNS name resolution traffic over WAN links without the zone transfer traffic.
Zone delegation                   Use to subdivide a zone into multiple zones. This allows other administrators to manage parts of your namespace.
Forwarders                        Use to send DNS queries to other servers when the current server does not hold the data.
Conditional forwarding            Use to forward DNS queries based on the domain name. Without conditional forwarding, all requests are forwarded to the same servers. With conditional forwarding, requests are forwarded based on the domain name.
Stub zone                         Use when you need to automatically update the list of name servers for a domain but do not want to replicate zone data.
Root zone                         Use to make your DNS server authoritative for the entire namespace. For example, you can configure a root zone to prevent name queries from being forwarded to the Internet root zone servers.
Root hints                        Root hints point to the root zone servers. Normally root hints point to the Internet root zone servers. If you have a custom root zone, make sure root hints on internal servers point to your root zone servers.
Dynamic DNS                       Use to allow clients to update DNS records.
Secure updates                    Use to prevent unauthorized changes to dynamically created DNS records. When enabled, only domain members can register DNS records, and only the same computer can modify those records. Secure updates are available only on Active Directory-integrated zones.

DNS Troubleshooting Tools

You should know how to use the tools listed in this table:

Tool             Use


Nslookup         Use the Nslookup tool to perform DNS name resolution. Enter the name of the host, and Nslookup performs DNS queries to report the host's IP address.
Dnscmd           Dnscmd displays the properties of DNS servers, zones, and resource records. You can also use Dnscmd to modify these properties, create and delete zones and resource records, and force replication.
Ping             Use Ping to determine if an IP address is accessible. If you can ping an IP address, try to ping the logical name of the host. If the logical name test fails, troubleshoot the name resolution system.
Network Monitor  Use Network Monitor to analyze and monitor network traffic.
Ipconfig         You can use Ipconfig without switches to display the IP address, subnet mask, and default gateway for all adapters. The following switches are useful when troubleshooting DNS:
                 /Displaydns displays the contents of the local DNS cache.
                 /Flushdns flushes the local DNS cache.
                 /Registerdns forces a client to register its DNS information.
DNSLint          The DNSLint utility helps you to isolate and diagnose DNS problems. You must use one of the following three switches with DNSLint:
                 /d performs domain name tests.
                 /ad performs Active Directory tests.
                 /ql performs DNS query tests from a list.

To provide fault tolerance for DNS servers, use one of the following strategies:
- Use Active Directory-integrated zones. If one DNS server goes down, zone data is still stored in Active Directory. Be sure to analyze the replication scope to make sure you have at least two servers holding the DNS data for each zone.
- Create secondary zones. If the primary server goes down, you can change one of the secondary zones to the primary zone.
- Back up the DNS database. If you have only one DNS server, be sure to back up the DNS database. For non-Active Directory-integrated zones, you can back up the DNS files or copy them to another location. For Active Directory-integrated zones, you must back up the system state data (because DNS is stored in Active Directory).