Saturday, August 2, 2014

FSMO Roles


Each domain in an AD-based network has three FSMO roles that must be assigned to domain controllers within the domain:

PDC Emulator.

The DC holding this role plays PDC for any legacy Windows NT BDCs you may still have running. But even if you've migrated all your legacy DCs and your domains are running in Windows 2000 mixed functional level or higher, the PDC Emulator role is still important because the PDC Emulator enforces account lockout, handles password changes, and synchronizes time for all DCs in the domain.

RID Master.

When an administrator creates a new security principal in Active Directory (typically a new user or group), the SID for the new object is constructed from the domain SID and a relative ID (RID) selected from a pool of RIDs on the domain's DCs. If this pool starts running low (under 50% remaining), the RID Master replenishes it.

Infrastructure Master.

Ensures cross-domain object references are handled properly, such as when objects in one domain are referenced by objects in a different domain.

The forest root domain also has two additional FSMO roles that must be assigned to domain controllers in that domain:

Domain Naming Master.

Handles changes to the namespace, for example when a new child domain is added to a parent domain.

Schema Master.

Handles changes to the schema and replicates these changes to all other DCs throughout the forest.

There are a number of ways you can determine which DCs are FSMO role holders on your network, but the simplest is to install the Support Tools from the \Support\Tools folder on your product CD and type netdom query fsmo at a command prompt.

Symptoms of FSMO Problems


If one or more of your FSMO role holders has problems, bad things can happen. To help you troubleshoot such situations, the list below describes some of the symptoms that can occur when FSMO role holders go missing or don't work properly.

1. Schema Master fails: Can't modify the schema. Can't raise the functional level for the forest. This role holder must be available when raising the forest functional level.

2. Domain Naming Master fails: Can't add or remove a domain. Can't promote or demote a DC. Changes to the namespace need this role holder.

3. PDC Emulator fails:
A) Users can't log on: if system clocks become unsynchronized, Kerberos may fail.
B) Can't change passwords: password changes need this role holder.
C) Account lockout not working: account lockout enforcement needs this role holder.
D) Can't raise the functional level for a domain: this role holder must be available when raising the domain functional level.

4. RID Master fails: Can't create new users or groups once the RID pool has been depleted.

5. Infrastructure Master fails: Problems with universal group memberships, because cross-domain object references need this role holder.

Rules for FSMO Role Placement

Since FSMO roles are crucial for the proper functioning of an AD-based network, it's a good idea to get them right from the planning stage of your deployment. By default, when you install the first DC of your forest root domain, this first DC holds all five FSMO roles. When you install the first DC of any other domain in your forest, that DC will hold all three domain FSMO roles (PDC Emulator, RID Master, and Infrastructure Master). Depending on the complexity of your network, however, this default role assignment may not be appropriate, so you may need to transfer some of the roles to a different machine to achieve optimal FSMO role placement on your network.

Proper FSMO role placement basically boils down to a few simple rules, tips, and exceptions:

Rule 1: The PDC Emulator and RID Master roles should be on the same machine because the PDC Emulator is a large consumer of RIDs.
Tip: Since the PDC Emulator is by far the hardest-working of the FSMO roles, if the machine holding the PDC Emulator role is heavily utilized, move this role and the RID Master role together to a different DC, preferably not a global catalog server (GC), since those are often heavily used as well.

Rule 2: The Infrastructure Master should not be placed on a GC.
Tip: Make sure the Infrastructure Master has a GC in the same site as a direct replication partner.

Exception 1: It's OK to put the Infrastructure Master on a GC if your forest has only one domain.
Exception 2: It's OK to put the Infrastructure Master on a GC if every DC in your forest is a GC.

Rule 3: For simpler management, the Schema Master and Domain Naming Master can be on the same machine, which should also be a GC.

Exception: If you've raised your forest functional level to Windows Server 2003, the Domain Naming Master doesn't need to be on a GC, but it should at least be a direct replication partner with a GC in the same site.

Rule 4: Proactively check from time to time to confirm that all FSMO roles are available or write a script to do this automatically.
Tip: If any FSMO role holders at a remote site are unavailable, check first to see if your WAN link is down.
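The following script is an added example, not part of the original post: it lists the FSMO role holders for every domain in the forest (the PowerShell equivalent of netdom query fsmo), pings each holder as the automated check Rule 4 asks for, and warns when a placement breaks Rule 1 or Rule 2 (including the two exceptions). It assumes the RSAT ActiveDirectory module is installed, that the account running it can query every domain, and that ICMP is permitted to the DCs.

```powershell
# Added example (not from the original post): enumerate FSMO role holders,
# verify each is reachable (Rule 4), and flag placements that break
# Rule 1 (PDC Emulator + RID Master together) or Rule 2 (Infrastructure
# Master not on a GC, unless one of the two exceptions applies).
# Assumes the RSAT ActiveDirectory module and rights to query every domain.
# The one-line alternative mentioned in the text is:  netdom query fsmo
Import-Module ActiveDirectory

$forest  = Get-ADForest
$domains = @($forest.Domains)
$singleDomainForest = ($domains.Count -eq 1)          # Exception 1

$report = foreach ($domainName in $domains) {
    $domain = Get-ADDomain -Identity $domainName
    $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
    $everyDcIsGc = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0   # Exception 2

    # The three domain-wide roles; the forest root also carries the two forest-wide roles.
    $roles = [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
    if ($domainName -eq $forest.RootDomain) {
        $roles['SchemaMaster']       = $forest.SchemaMaster
        $roles['DomainNamingMaster'] = $forest.DomainNamingMaster
    }

    foreach ($role in $roles.Keys) {
        $holder = $roles[$role]
        $dc     = $dcs | Where-Object { $_.HostName -eq $holder } | Select-Object -First 1
        [pscustomobject]@{
            Domain    = $domainName
            Role      = $role
            Holder    = $holder
            Site      = $dc.Site
            IsGC      = [bool]$dc.IsGlobalCatalog
            Reachable = Test-Connection -ComputerName $holder -Count 1 -Quiet
        }
    }

    # Rule 1: the PDC Emulator and RID Master belong on the same DC.
    if ($domain.PDCEmulator -ne $domain.RIDMaster) {
        Write-Warning "$domainName : PDC Emulator ($($domain.PDCEmulator)) and RID Master ($($domain.RIDMaster)) are on different DCs (Rule 1)."
    }

    # Rule 2: the Infrastructure Master should not be a GC, unless the forest
    # has a single domain (Exception 1) or every DC is a GC (Exception 2).
    $im = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster } | Select-Object -First 1
    if ($im.IsGlobalCatalog -and -not ($singleDomainForest -or $everyDcIsGc)) {
        Write-Warning "$domainName : Infrastructure Master $($im.HostName) is a GC (Rule 2)."
    }
}

$report | Format-Table -AutoSize

# Rule 4: any holder that did not answer needs attention; for a remote site,
# check the WAN link first, as the tip above says.
$report | Where-Object { -not $_.Reachable } | ForEach-Object {
    Write-Warning "$($_.Role) holder $($_.Holder) in $($_.Domain) did not respond (Rule 4)."
}
```

Run it from a management workstation on a schedule and the warnings are the only part worth alerting on; the table is there so the role-to-DC mapping is written down somewhere other than in someone's head.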

What are the Application Directory Partitions?

Schema Partition: Every DC in an AD forest has a copy of the Schema partition, which defines the object types that can be created and their associated properties.

Configuration Partition: All DCs in the forest hold a copy of the Configuration partition, which holds information about sites and services.

Domain Partition: Within a domain, all DCs hold a copy of the Domain partition, which includes information about objects within that particular domain only.

What is backup?

Normal backup:

The normal backup is...normal (surprised?). So, what does this mean? It simply means that it copies all the files you have marked to be backed up, and marks the files as having been backed up. You also only need the most recent copy of the backup file to restore (other types of backups require several files, see below). This type is usually what you use the first time you back up files.

Incremental backup :

The incremental backup backs up only those files that have been created or changed since the last incremental or normal backup. It also marks the files as having been backed up. A combination of normal backups and incremental backups is common, and also a very good combination. It requires the least amount of storage space and is fast for backing up the data. The disadvantage is that it's time-consuming to recover files, simply because you need the last normal backup set and all incremental backup sets, which can be stored on several backup drives or tapes.

Differential backup : 

The differential backup is similar to the incremental backup and only copies files that have been created or changed since the last normal or incremental backup. No, it wasn't a typo: it doesn't check whether a differential backup has been run. This is because differential backups do not mark files as having been backed up. A combination of differential backups and normal backups is more time-consuming on the backup side than incremental + normal backups are. On the other hand, it is faster to restore data, because all you need is the last normal backup and the last differential backup.

Copy backup :

A copy backup copies all the files you have selected, but does not mark the files as having been backed up. This backup type is useful when you must back up single files between normal and incremental backups, because it does not affect those operations.

Daily backup :

The daily backup copies all the files you have selected that have been modified on that day, without marking the files as having been backed up.
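To make the "marks the files as having been backed up" behaviour concrete, here is an added example (not from the original post) that simulates the five backup types on a handful of constructed files. It relies on the fact that on NTFS the "backed up" mark is the Archive attribute: Windows sets it whenever a file is created or written, and a backup that marks files clears it. The folder under $env:TEMP, the file names, and the function names are all constructed for the demonstration; it assumes Windows.

```powershell
# Added example (not from the original post): how Normal, Incremental,
# Differential, Copy and Daily backups treat the Archive attribute.
# Uses a throw-away folder under $env:TEMP with three constructed files.

$root = Join-Path $env:TEMP ("backup-demo-" + [guid]::NewGuid())
New-Item -ItemType Directory -Path $root | Out-Null

function Get-AllFiles { Get-ChildItem -Path $root -File }

function Get-ChangedSinceLastMark {
    # Archive bit still set = created or changed since the last backup that cleared it,
    # i.e. since the last Normal or Incremental backup.
    Get-AllFiles | Where-Object { $_.Attributes.HasFlag([IO.FileAttributes]::Archive) }
}

function Clear-BackedUpMark($files) {
    foreach ($f in $files) {
        if ($f.Attributes.HasFlag([IO.FileAttributes]::Archive)) {
            $f.Attributes = $f.Attributes -bxor [IO.FileAttributes]::Archive   # clear only that bit
        }
    }
}

function Invoke-Backup([string]$Type) {
    $selected = @(switch ($Type) {
        'Normal'       { Get-AllFiles }                    # every selected file
        'Copy'         { Get-AllFiles }                    # every selected file, marks untouched
        'Incremental'  { Get-ChangedSinceLastMark }        # changed since last Normal/Incremental
        'Differential' { Get-ChangedSinceLastMark }        # same selection, but never marks
        'Daily'        { Get-AllFiles | Where-Object { $_.LastWriteTime.Date -eq (Get-Date).Date } }
    })
    # Only Normal and Incremental backups mark the files as having been backed up.
    if ($Type -in 'Normal', 'Incremental') { Clear-BackedUpMark $selected }
    '{0,-12} backed up: {1}' -f $Type, (($selected | ForEach-Object Name | Sort-Object) -join ', ')
}

# Constructed sample files; creating them sets their Archive bit.
'a.txt', 'b.txt', 'c.txt' | ForEach-Object {
    Set-Content -Path (Join-Path $root $_) -Value "data for $_"
}

Invoke-Backup Normal                                    # first full run; marks every file
Add-Content -Path (Join-Path $root 'a.txt') -Value 'change 1'
Invoke-Backup Differential                              # a.txt only; its mark stays set
Add-Content -Path (Join-Path $root 'b.txt') -Value 'change 2'
Invoke-Backup Differential                              # a.txt and b.txt: everything since the Normal
Invoke-Backup Incremental                               # the same two files, and clears their marks
Invoke-Backup Differential                              # nothing: the Incremental reset the marks
Invoke-Backup Copy                                      # every file, marks left alone

Remove-Item -Path $root -Recurse -Force
```

The sequence is chosen to show the point the text makes about differential backups: they look back to the last Normal or Incremental, so running an Incremental in between silently shrinks what the next Differential will contain. That is the reason not to mix the two chains in one rotation.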

What is Authoritative and Non-authoritative restore?

Non-Authoritative:

When doing a normal restore, Backup is working in nonauthoritative mode. That means that any data (including Active Directory objects) will keep its original sequence number. This is the number AD replication uses to detect whether there are any new objects to replicate to other servers. So when you use a normal restore, any restored data will appear as old and will therefore not replicate to other servers. If newer data is available elsewhere, it will of course replicate to the restored server. This method is used when restoring all but the first replica set and when restoring a single domain controller in a replicated environment.


Authoritative restore:

This is the third method. To perform an authoritative restore you have to run a utility called Ntdsutil. This must be run after you have restored the System State data, but before you restart the server. When you perform this kind of restore, the sequence number of the restored Active Directory objects is changed so that it is higher. This ensures that any data you restore will be replicated (because Active Directory replication thinks it's new). This is a little bit difficult to understand, but if you compare it to a normal restore: a normal restore will always mark objects as old, and an authoritative restore will always mark objects as new. So simply said, use an authoritative restore when you have changed something, the change has been replicated to all other servers, and you want to undo the change.
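The Ntdsutil step of that procedure, shown here as an added example rather than text from the original post: it marks a single restored object authoritative. It is typed at an elevated prompt while the DC is still in Directory Services Restore Mode, after the System State restore and before the reboot, exactly as the paragraph above describes. The DN is a placeholder; the "activate instance ntds" command is required on Windows Server 2008 and later and is omitted on Windows Server 2003.

```powershell
# Added example (not from the original post): mark one restored object as
# authoritative so it replicates out instead of being overwritten.
# Run in Directory Services Restore Mode, after restoring System State and
# before rebooting. The DN below is a placeholder.
ntdsutil
# At the ntdsutil prompts, one command per line:
#   activate instance ntds                       (Windows Server 2008 and later only)
#   authoritative restore
#   restore object "CN=Don Jones,OU=Marketing,DC=example,DC=com"
#   quit
#   quit
# Use "restore subtree <DN of the OU>" instead when a whole container was deleted.
```

Restoring only the object or subtree that was wrongly changed is the point: an authoritative restore of the whole database would also push every other object back to the state of the backup, undoing legitimate changes made since.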

What is LDAP?


Lightweight Directory Access Protocol (LDAP) provides a way to communicate with Active Directory by specifying a unique naming path for each object in the directory. LDAP naming paths cover distinguished names, domains, organizational units, trees and forests, and the global catalog.
LDAP specifies that every AD object be represented by a unique name. These names are formed by combining information about domain components, OUs, and the name of the target object, known as a common name. For example, the LDAP name for the user object for a person named Don Jones in the realtimepublishers.com domain's Marketing OU would be as follows: CN=Don Jones,OU=Marketing,DC=realtimepublishers,DC=com
This form of an object's name as it appears in the directory is referred to as the object's distinguished name (DN). Alternatively, an object can also be referred to using its relative distinguished name (RDN). The RDN is the portion of the DN that refers to the target object within its container. In the previous example, the RDN of the user object would simply be CN=Don Jones, whose value is Don Jones.
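As an added example (not from the original post), the following PowerShell takes a DN apart the way the paragraph describes, returning the RDN, its value, the parent container's DN, and the DNS name of the domain rebuilt from the DC= components. It also handles the one thing that trips up naive string splitting: a comma inside a value is escaped with a backslash (as in CN=Jones\, Don), so a split on every comma would break the name. The function names are my own.

```powershell
# Added example (not from the original post): split an LDAP distinguished
# name into its RDNs, honouring backslash-escaped separators such as "\,".

function Split-DistinguishedName {
    param([Parameter(Mandatory)][string]$DN)
    $parts   = New-Object System.Collections.Generic.List[string]
    $sb      = New-Object System.Text.StringBuilder
    $escaped = $false
    foreach ($ch in $DN.ToCharArray()) {
        if ($escaped)        { [void]$sb.Append($ch); $escaped = $false }   # char after a backslash is literal
        elseif ($ch -eq '\') { [void]$sb.Append($ch); $escaped = $true  }   # keep the escape in the RDN text
        elseif ($ch -eq ',') { $parts.Add($sb.ToString()); [void]$sb.Clear() }   # unescaped comma ends an RDN
        else                 { [void]$sb.Append($ch) }
    }
    $parts.Add($sb.ToString())
    return $parts
}

function Get-DnInfo {
    param([Parameter(Mandatory)][string]$DN)
    $rdns = @(Split-DistinguishedName $DN)
    $dcs  = $rdns | Where-Object { $_ -match '^DC=' } | ForEach-Object { $_.Substring(3) }
    [pscustomobject]@{
        RDN       = $rdns[0]                                   # e.g. CN=Don Jones
        RDNValue  = ($rdns[0] -split '=', 2)[1]                # e.g. Don Jones
        ParentDN  = ($rdns | Select-Object -Skip 1) -join ','   # the container the object lives in
        DomainDns = $dcs -join '.'                             # e.g. realtimepublishers.com
        Depth     = $rdns.Count
    }
}

# The example from the text, and a variant with an escaped comma in the CN.
Get-DnInfo 'CN=Don Jones,OU=Marketing,DC=realtimepublishers,DC=com'
Get-DnInfo 'CN=Jones\, Don,OU=Marketing,DC=realtimepublishers,DC=com'
```

For the second input the parser keeps the escape sequence inside the RDN text, so the RDN is still one component and the parent DN is still OU=Marketing,DC=realtimepublishers,DC=com; anything that builds LDAP filters or ACL checks from DNs needs that behaviour, or a name containing a comma will be attributed to the wrong container.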

What is a Domain?

A domain serves as the core unit in AD's logical structure and is defined as a collection of computers that share a common directory database.


What are forests and trees?


A tree is a hierarchical arrangement of AD domains that forms a contiguous namespace. For example, assume a domain named xcedia.com exists in your AD structure. The two subdivisions of xcedia.com are Europe and US, which are each represented by separate domains. Within AD, the names of these domains would be us.xcedia.com and europe.xcedia.com. These domains form a domain tree because they share a contiguous namespace. This arrangement demonstrates the hierarchical structure of AD and its namespace: all of these domains are part of one contiguous, related namespace in the directory; that is to say, they form a single domain tree. The name of the tree is the root level of the tree, in this case xcedia.com.
A forest is a collection of one or more trees. A forest can be as simple as a single AD domain, or more complex, such as a collection of multi-tiered domain trees.


What is AD?

AD is a distributed database which organizes, manages, and controls the network resources. It‘s provides single point of administration to administer the object in directory and their appropriate membership and permissions. Enables a single administrator to centrally manage resources such as AD users and computers, AD sites and services, AD Domain and Trusts and Group policy settings and OU.At the file level, AD stores its database in a single database file named Ntds.dit, a copy of which can be found on every domain controller.Viewing the AD Schema: To use this snap-in, you need to manually register it by selecting Start, Run (or entering a command-prompt session), and typing ‖regsvr32 schmmgmt.dll‖ you can open an MMC session and choose Add/Remove Snap-in from the Console menu, then select Active Directory Schema from the Add Standalone Snap-In dialog boxTo modify the AD schema, you need to use a different utility: the MMC ADSI Edit snap-in. ADSI Edit is essentially a low-level AD editor that lets you view, change, and delete AD objects and object attributes. In terms of usefulness and potential danger, ADSI Edit is to AD what the regedit or regedt32 registry editors are to the system registry. To use the ADSI Edit utility to make schema modifications, you first need to be a member of the Schema Admins group.Run – CMD type this ---regsvr32 adsiedit.dll