
Wipro Infotech - MSBU Division

BHEL /Kolkata/ Windows Server 2008 Active Directory Implementation and Migration

Document Management Information

Document Title: Microsoft Windows Server 2008 Active Directory Implementation and Migration
Document.

Document Status: Approved Wipro

Document Publication History

(All revisions made to this document must be listed in chronological order, with the most recent revision at the
top.)

Version Number | Date       | Author(s)                    | Remark
Draft          | 22-12-2008 | Kamal Singh & Gurpreet Singh | Microsoft Windows Server 2008 Active Directory Implementation and Migration.
1.0            | 22-12-2008 | Monojit Bhowmik              | Reviewed

Document Distribution List

Ver. No. | Name and Company                | Purpose
1.0      | Bharat Heavy Electrical Limited | Microsoft Windows Server 2008 Active Directory Implementation and Migration.

WIPRO – BHEL Confidential Page 2



Contents
About this Document...............................................................................................5
About the Project..................................................................................................5
Overview of Project................................................................................................ 5
1 Company Profile:....................................................................................6
1.1.1 Introduction to Active Directory...................................................................6
1.1.2 Why Have a Directory Service?.....................................................................6
1.1.3 The Windows Server 2003/2008 Directory Service..............................................6
1.1.4 Active Directory Services Features................................................................7
1.1.5 Active Directory Components......................................................................8
1.1.6 Logical Structures....................................................................................8
1.1.7 Physical Structures..................................................................................9
1.1.8 Catalog Services—The Global Catalog...........................................................10
1.1.9 Global Catalog Functions..........................................................................10
1.1.10 Replication.......................................................................................... 11
1.1.11 What Information Is Replicated..................................................................11
1.1.12 Trust Relationships.................................................................................11
1.1.13 Group Policies.......................................................................................12
1.1.14 DNS................................................................................................... 12
1.1.15 Operations Master Roles...........................................................................12
1.1.16 Forest-Wide Operations Master Roles...........................................................12
1.1.17 Schema Master Role................................................................................13
1.1.18 Domain Naming Master Role......................................................................13
1.1.19 Domain-Wide Operations Master Roles..........................................................13
1.1.20 RID Master Role.....................................................................................13
1.1.21 PDC Emulator Role.................................................................................14
1.1.22 Infrastructure Master Role........................................................................14
1.1.23 What Problems Arise When an Operations Master Fails.....................................14
1.2 What does an RODC do?....................................................................................16
1.3 Who will be interested in this feature?..................................................................16
1.4 Are there any special considerations?...................................................................17
1.5 What new functionality does this feature provide?....................................................17
1.5.2 TOOLS...............................................................................................123
1.5.3 NTDSUTIL Overview...............................................................................123




1.5.4 Reset password for DSRM (Directory Services Restore Mode) with NTDSUTIL............124
1.5.5 ADSIEDIT OVERVIEW..............................................................................124
1.5.6 DCDIAG OVERVIEW................................................................................126
1.5.7 NETDIAG OVERVIEW...............................................................................128
1.5.8 REPLMON OVERVIEW..............................................................................134
Windows Server 2003/2008 - Replmon Support Tool Utility...........................................135




About this Document


This document is intended as a reference guide for the Administrators of BHEL who were involved during the
implementation of Active Directory Rights Management Service and DHCP NAP Enforcement, and for the
Specialists from Wipro and the Customer's end who were involved in the Project.

This Document will serve as a guideline for the Project Approach and for the Implementation & Migration of
Active Directory 2008.

About the Project


The Customer's objective for initiating this project is to have an in-house comprehensive solution for
addressing and resolving change and configuration needs in the IT Infrastructure.

The activities involved in this project are as below:

 Installation of Windows Server 2008 with the latest Service Packs and Hotfixes in BHEL Kolkata HQ.
 Creation of a Microsoft Windows Server 2008 Additional Domain Controller.
 Raising the Domain Functional Level.
 Transferring the FSMO Roles to the new Server 2008 Domain Controller.
 Configuring Sites and Settings across the PSER Region.
 Installing the new Additional Domain Controller.
 Installing Read-Only Domain Controllers for the Budge-Budge & Bakreswar Remote Locations.

Overview of Project
Project Management and Installation for the Complete Project were carried out by the Wipro MSBU
Infrastructure Availability Services team.

The Project flow is as follows:

 Configuration Gathering
 Implementation phase
 Documentation and Training
 Sign off for the Project

Team involved in executing the Project: Kamal Singh & Gurpreet Singh

Principal(s): Mr. Sudipta Biswas, DGM IT

1 Company Profile:
BHEL is today the largest engineering and manufacturing enterprise in India in the energy-related/infrastructure
sector. BHEL was established more than 40 years ago, ushering in the indigenous Heavy Electrical
Equipment industry in India - a dream that has been more than realized with a well-recognized track record
of performance. The company has been earning profits continuously since 1971-72 and paying dividends
since 1976-77. 
BHEL manufactures over 180 products under 30 major product groups and caters to core sectors of the
Indian Economy viz., Power Generation & Transmission, Industry, Transportation, Telecommunication,
Renewable Energy, etc. The wide network of BHEL's 14 manufacturing divisions, four Power Sector regional
centers, over 100 project sites, eight service centers and 18 regional offices, enables the Company to
promptly serve its customers and provide them with suitable products, systems and services -- efficiently and
at competitive prices. The high level of quality & reliability of its products is due to the emphasis on design,
engineering and manufacturing to international standards by acquiring and adapting some of the best
technologies from leading companies in the world, together with technologies developed in its own R&D
Center.

1.1.1 Introduction to Active Directory

Active Directory directory service provides a single point of network resource management, allowing you to
add, remove, and relocate users and resources easily. This chapter introduces you to Active Directory
concepts and administration tasks and walks you through the steps involved in planning an Active Directory
infrastructure.
1.1.2 Why Have a Directory Service?

A directory service provides the means to organize and simplify access to resources of a networked computer
system. Users and administrators might not know the exact name of the objects they need. However, they
might know one or more characteristics of the objects in question. As illustrated in Figure 1-1, they can use a
directory service to query the directory for a list of objects that match known characteristics. For example,
“Find all color printers on the third floor” queries the directory for all color printer objects that are associated
with the third floor characteristic (or maybe a location characteristic that has been set to “third floor”). A
directory service makes it possible to find an object based on one or more of its characteristics.

1.1.3 The Windows Server 2003/2008 Directory Service

Active Directory is the directory service included in the Windows Server 2003/2008 family. Active Directory
includes the directory, which stores information about network resources, as well as all the services that
make the information available and useful. Active Directory is also the directory service included in Windows
2000.




1.1.4 Active Directory Services Features

Active Directory in the Windows Server 2003/2008 family is a significant enhancement over the flat domain
model provided in Windows NT. Active Directory is integrated within the Windows Server 2003/2008 family
and offers the following features:
■ Centralized data store: All data in Active Directory resides in a single, distributed data repository, allowing
users easy access to the information from any location. A single distributed data store requires less
administration and duplication and improves the availability and organization of data.

■ Scalability: Active Directory enables you to scale the directory to meet business and network requirements
through the configuration of domains and trees and the placement of domain controllers. Active Directory
allows millions of objects per domain and uses indexing technology and advanced replication techniques to
speed performance.

■ Extensibility: The structure of the Active Directory database (the schema) can be expanded to allow
customized types of information.

■ Manageability: In contrast to the flat domain model used in Windows NT, Active Directory is based on
hierarchical organizational structures. These organizational structures make it easier for you to control
administrative privileges and other security settings, and make it easier for your users to locate network
resources such as files and printers.

■ Integration with the Domain Name System (DNS): Active Directory uses DNS, an Internet standard
service that translates easily readable host names to numeric Internet Protocol (IP) addresses. Although
separate and implemented differently for different purposes, Active Directory and DNS have the same
hierarchical structure. Active Directory clients use DNS to locate domain controllers. When using the
Windows Server 2003/2008 DNS service, primary DNS zones can be stored in Active Directory, enabling
replication to other Active Directory domain controllers.

■ Client configuration management: Active Directory provides new technologies for managing client
configuration issues, such as user mobility and hard disk failures, with a minimum of administration and user
downtime.

■ Policy-based administration: In Active Directory, policies are used to define the permitted actions and
settings for users and computers across a given site, domain, or organizational unit. Policy-based
management simplifies tasks such as operating system updates, application installation, user profiles, and
desktop-system lockdown.

■ Replication of information: Active Directory provides multimaster replication technology to ensure
information availability, fault tolerance, load balancing, and other performance benefits. Multimaster
replication enables you to update the directory at any domain controller and replicates directory changes to
any other domain controller. Because multiple domain controllers are employed, replication continues even
if any single domain controller stops working.




■ Flexible, secure authentication and authorization: Active Directory authentication and authorization
services provide protection for data while minimizing barriers to doing business over the Internet. Active
Directory supports multiple authentication protocols, such as the Kerberos version 5 protocol, Secure Sockets
Layer (SSL) version 3, and Transport Layer Security (TLS) using X.509 version 3 certificates. In addition, Active
Directory provides security groups that span domains.

■ Security integration: Active Directory is integrated with Windows Server 2003/2008 security. Access
control can be defined for each object in the directory and on each property of each object. Security policies
can be applied locally, or to a specified site, domain, or organizational unit.

■ Directory-enabled applications and infrastructure: Features within Active Directory make it easier for
you to configure and manage applications and other directory-enabled network components. In addition,
Active Directory provides a powerful development environment through Active Directory Service Interfaces
(ADSI).

■ Interoperability with other directory services: Active Directory is based on standard directory access
protocols, including Lightweight Directory Access Protocol (LDAP) version 3 and the Name Service Provider
Interface (NSPI), and can interoperate with other directory services employing these protocols. Because the
LDAP directory access protocol is an industry-standard directory service protocol, programs can be developed
using LDAP to share Active Directory information with other directory services that also support LDAP. The
NSPI protocol, which is used by Microsoft Exchange Server 4 and 5.x clients, is supported by Active Directory
to provide compatibility with the Exchange directory.

■ Signed and encrypted LDAP traffic: Active Directory tools in Windows Server 2003/2008 sign and encrypt
all LDAP traffic by default. Signing LDAP traffic guarantees that the packaged data comes from a known
source and that it has not been tampered with.
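The signing described above is the default behaviour of the Microsoft tools; whether the domain controller itself refuses an unsigned bind from any client is a separate server-side setting. The following PowerShell script is an added example written for this edition, not part of the original Wipro/BHEL document. It assumes it is run on a domain controller with local administrator rights and PowerShell 2.0 or later; the registry value names are the documented NTDS and LDAP client settings, the function names are this example's own, and the probe account name and password are constructed placeholders that are expected to be rejected.

```powershell
# Added example (not from the original document). Reads the DC-side and
# client-side LDAP signing settings and probes whether the DC rejects an
# unsigned simple bind. Run on a domain controller as an administrator.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Server side: LDAPServerIntegrity under NTDS\Parameters.
#   1 (or absent) = signing not required, 2 = signing required.
#   Also returns 1 when run on a machine that is not a domain controller.
function Get-LdapServerIntegrity {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $item = Get-ItemProperty -Path $key -Name 'LDAPServerIntegrity' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }          # absent value means the default
    return [int]$item.LDAPServerIntegrity
}

# Client side: LDAPClientIntegrity under Services\LDAP.
#   0 = none, 1 (default) = negotiate signing, 2 = require signing.
function Get-LdapClientIntegrity {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
    $item = Get-ItemProperty -Path $key -Name 'LDAPClientIntegrity' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 1 }
    return [int]$item.LDAPClientIntegrity
}

# Behavioural probe: attempt a plain (non-TLS) simple bind with a constructed,
# non-existent account. A DC that requires signing answers with LDAP result
# code 8 (strongerAuthRequired) before it evaluates the credentials; a DC that
# does not require signing answers with code 49 (invalidCredentials).
function Test-UnsignedSimpleBind {
    param([string]$DomainController = $env:COMPUTERNAME)

    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($DomainController)
    $conn.SessionOptions.SecureSocketLayer = $false
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    # Constructed placeholder credential; it is expected to be rejected either way.
    $conn.Credential = New-Object System.Net.NetworkCredential('ldap-probe-placeholder', 'not-a-real-password')
    try {
        $conn.Bind()
        return 'Accepted (unexpected: the placeholder bind succeeded)'
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # PowerShell may wrap the .NET exception; unwrap to reach ErrorCode.
        $ex = $_.Exception
        if ($ex -isnot [System.DirectoryServices.Protocols.LdapException] -and $ex.InnerException) {
            $ex = $ex.InnerException
        }
        switch ($ex.ErrorCode) {
            8       { return 'Rejected: signing required (result code 8)' }
            49      { return 'Allowed: unsigned simple bind reached authentication (result code 49)' }
            default { return "Other LDAP error (result code $($ex.ErrorCode))" }
        }
    } finally {
        $conn.Dispose()
    }
}

$serverSetting = Get-LdapServerIntegrity
$clientSetting = Get-LdapClientIntegrity
"LDAPServerIntegrity = $serverSetting  (2 = unsigned binds refused)"
"LDAPClientIntegrity = $clientSetting  (1 = negotiate, 2 = require)"
"Unsigned simple bind probe: $(Test-UnsignedSimpleBind)"
if ($serverSetting -lt 2) {
    'WARNING: this domain controller still accepts unsigned LDAP binds; Directory Service event 2889 records the clients that use them.'
}
```

The registry values report what is configured; the bind probe shows what the DC actually enforces, which is the number that matters when a third-party tool or script, rather than a Microsoft tool, talks to the directory.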

1.1.5 Active Directory Components


Various Active Directory components are used to build a directory structure that meets the needs of your
organization. The following Active Directory components represent logical structures in an organization:
domains, organizational units (OUs), trees, and forests. The following Active Directory components represent
physical structures in an organization: sites (physical subnets) and domain controllers. Active Directory
completely separates the logical structure from the physical structure.

1.1.6 Logical Structures


In Active Directory, you organize resources in a logical structure—a structure that mirrors organizational
models—using domains, OUs, trees, and forests. Grouping resources logically allows you to easily find a
resource by its name rather than by remembering its physical location. Because you group resources logically,
Active Directory makes the network’s physical structure transparent to users.

Domains: The core unit of logical structure in Active Directory is the domain, which can store millions of
objects. Objects stored in a domain are those considered vital to the network. These vital objects are items




the members of the networked community need in order to do their jobs: printers, documents, e-mail
addresses, databases, users, distributed components, and other resources. All network objects exist within a
domain, and each domain stores information only about the objects it contains. Active Directory is made up
of one or more domains. A domain can span more than one physical location.

OU: An OU is a container used to organize objects within a domain into a logical administrative group. OUs
provide a means for handling administrative tasks, such as the administration of users and resources, as they
are the smallest scope to which you can delegate administrative authority. An OU can contain objects such as
user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain.
The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains—each
domain can implement its own OU hierarchy. By adding OUs to other OUs, or nesting, you can provide
administrative control in a hierarchical fashion.

Trees: A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003/2008 domains
that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a
contiguous namespace and a hierarchical naming structure. Namespaces are covered in detail in the next
lesson.

Forests: A forest is a grouping or hierarchical arrangement of one or more separate, completely independent
domain trees. As such, forests have the following characteristics:

 All domains in a forest share a common schema.
 All domains in a forest share a common global catalog.
 All domains in a forest are linked by implicit two-way transitive trusts.
 Trees in a forest have different naming structures, according to their domains.
 Domains in a forest operate independently, but the forest enables communication across the entire
organization.
1.1.7 Physical Structures
The physical components of Active Directory are sites and domain controllers. As an administrator, you use
these components to develop a directory structure that mirrors the physical structure of your organization.

Sites: A site is a combination of one or more IP subnets connected by a highly reliable and fast link to localize
as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN).
When you group subnets on your network, you should combine only subnets that have fast, cheap and
reliable network connections with one another. “Fast” network connections are at least 512 kilobits per
second (Kbps). An available bandwidth (the average amount of bandwidth that is available for use after
normal network traffic is handled) of 128 Kbps and higher is sufficient for a site.

Domain Controllers: A domain controller is a computer running Windows Server 2003/2008 that stores a
replica of the domain directory (local domain database). Because a domain can contain one or more domain
controllers, each domain controller in a domain has a complete replica of the domain’s portion of the
directory. A domain controller can service only one domain. A domain controller also authenticates user
logon attempts and maintains the security policy for a domain.
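To review how the sites and domain controllers just described are actually laid out in a forest, the following PowerShell script walks each site with its subnets, the domain controllers placed in it and the site links that connect it, and flags a site with no subnet (no client can ever be mapped to it) and a site with no domain controller (its clients authenticate across a slower link). It is an added example written for this edition, not part of the original Wipro/BHEL document; it assumes a domain-joined host with PowerShell 2.0 or later and uses the .NET System.DirectoryServices.ActiveDirectory API, and the function names are this example's own.

```powershell
# Added example (not from the original document). Reports the forest's
# physical topology (sites, subnets, servers, site links) and flags sites
# that are missing a subnet, a domain controller or a site link.
# Assumes a domain-joined host and PowerShell 2.0 or later.

function Get-SiteTopology {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($site in $forest.Sites) {
        $subnets = @($site.Subnets | ForEach-Object { $_.Name })      # CIDR strings, e.g. 10.0.0.0/24
        $servers = @($site.Servers | ForEach-Object { $_.Name })      # DCs whose NTDS Settings live in this site
        $links   = @($site.SiteLinks | ForEach-Object {
            # cost and replication interval drive the inter-site replication topology
            '{0} (cost {1}, every {2} min)' -f $_.Name, $_.Cost, $_.ReplicationInterval.TotalMinutes
        })
        New-Object PSObject -Property @{
            Site      = $site.Name
            Subnets   = if ($subnets.Count) { $subnets -join ', ' } else { '(none)' }
            Servers   = if ($servers.Count) { $servers -join ', ' } else { '(none)' }
            SiteLinks = if ($links.Count)   { $links -join '; ' }   else { '(none)' }
        }
    }
}

function Test-SiteTopology {
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $sites    = @($forest.Sites)
    $findings = @()
    foreach ($site in $sites) {
        if (@($site.Subnets).Count -eq 0) {
            $findings += "Site '$($site.Name)' has no subnet assigned; clients cannot be mapped to it."
        }
        if (@($site.Servers).Count -eq 0) {
            $findings += "Site '$($site.Name)' has no domain controller; its clients will authenticate across a site link."
        }
        if ($sites.Count -gt 1 -and @($site.SiteLinks).Count -eq 0) {
            $findings += "Site '$($site.Name)' is not a member of any site link; it cannot replicate with other sites."
        }
    }
    return $findings
}

Get-SiteTopology | Select-Object Site, Subnets, Servers, SiteLinks | Format-Table -AutoSize -Wrap
Test-SiteTopology | ForEach-Object { "WARNING: $_" }
```

Run it after the site and subnet configuration step of the project and again after adding a remote location: a new branch that appears in the report with "(none)" under Subnets is the usual reason its workstations log on to a DC at the head office instead of the local one.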
1.1.8 Catalog Services—The Global Catalog
The global catalog is the central repository of information about objects in a tree or forest. By default, a
global catalog is created automatically on the initial domain controller in the first domain in the forest. A
domain controller that holds a copy of the global catalog is called a global catalog server. You can designate
any domain controller in the forest as a global catalog server. Active Directory uses multimaster replication to
replicate the global catalog information between global catalog servers in other domains. It stores a full
replica of all object attributes in the directory for its host domain and a partial replica of all object attributes
contained in the directory for every domain in the forest. The partial replica stores attributes most frequently
used in search operations (such as a user’s first and last names, logon name, and so on). Attributes are
marked or unmarked for replication in the global catalog when they are defined in the Active Directory
schema. Object attributes replicated to the global catalog inherit the same permissions as in source domains,
ensuring that data in the global catalog is secure.

1.1.9 Global Catalog Functions


The global catalog performs the following two key functions:

■ It enables a user to log on to a network by providing universal group membership information to a domain
controller when a logon process is initiated.

■ It enables finding directory information regardless of which domain in the forest actually contains the data.




1.1.10 Replication
Users and services should be able to access directory information at any time from any computer in the
domain tree or forest. Replication ensures that changes to a domain controller are reflected in all domain
controllers within a domain. Directory information is replicated to domain controllers both within and among
sites.

1.1.11 What Information Is Replicated


The information stored in the directory (in the Ntds.dit file) is logically partitioned into four categories. Each
of these information categories is referred to as a directory partition. A directory partition is also referred to
as a naming context. These directory partitions are the units of replication. The directory contains the
following partitions:
 Schema partition: This partition defines the objects that can be created in the directory
and the attributes those objects can have. This data is common to all domains in a forest
and is replicated to all domain controllers in a forest.
 Configuration partition: This partition describes the logical structure of the deployment,
including data such as domain structure or replication topology. This data is common to all
domains in a forest and is replicated to all domain controllers in a forest.
 Domain partition: This partition describes all of the objects in a domain. This data is
domain-specific and is not replicated to any other domains. However, the data is
replicated to every domain controller in that domain.
 Application Directory partition: This partition stores dynamic application-specific data in
Active Directory without significantly affecting network performance by enabling you to
control the scope of replication and the placement of replicas. The application directory
partition can contain any type of object except security principals (users, groups, and
computers). Data can be explicitly rerouted to administrator-specified domain controllers
within a forest in order to prevent unnecessary replication traffic, or it can be set to
replicate everything to all domain controllers in the same fashion as the schema,
configuration, and domain partitions.
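To see the four partition types above on a live directory, the following PowerShell script reads RootDSE and the crossRef objects under CN=Partitions in the Configuration partition, classifies each naming context as schema, configuration, domain or application, and lists where each application partition is replicated. It is an added example written for this edition, not part of the original Wipro/BHEL document; it assumes a domain-joined host with PowerShell 2.0 or later and read access to the Configuration partition, the `$FLAG_CR_*` constants are the documented `systemFlags` bit values for crossRef objects, and the function name is this example's own.

```powershell
# Added example (not from the original document). Enumerates the directory
# partitions (naming contexts) of the forest from RootDSE and the crossRef
# objects in the Configuration partition, and classifies each one.
# Assumes a domain-joined host and read access to the Configuration partition.

# crossRef systemFlags bits (documented values)
$FLAG_CR_NTDS_NC                = 0x1   # a naming context hosted by this forest
$FLAG_CR_NTDS_DOMAIN            = 0x2   # the NC is a domain partition
$FLAG_CR_NTDS_NOT_GC_REPLICATED = 0x4   # not replicated to global catalogs (application NCs)

function Get-DirectoryPartitions {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$rootDse.schemaNamingContext.Value
    $configNc = [string]$rootDse.configurationNamingContext.Value

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://CN=Partitions,$configNc")
    $searcher.Filter   = '(objectClass=crossRef)'
    $searcher.PageSize = 200
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('nCName', 'dnsRoot', 'systemFlags', 'msDS-NC-Replica-Locations'))

    $partitions = @()
    foreach ($result in $searcher.FindAll()) {
        $props = $result.Properties
        if ($props['systemflags'].Count -eq 0) { continue }
        $flags = [int]$props['systemflags'][0]
        if (-not ($flags -band $FLAG_CR_NTDS_NC)) { continue }   # foreign crossRef, not an NC this forest hosts

        $ncName = [string]$props['ncname'][0]
        $kind = if ($ncName -eq $schemaNc)               { 'Schema' }
                elseif ($ncName -eq $configNc)           { 'Configuration' }
                elseif ($flags -band $FLAG_CR_NTDS_DOMAIN) { 'Domain' }
                else                                     { 'Application' }

        # Application partitions carry an explicit replica set: a list of NTDS
        # Settings DNs. Schema, configuration and domain partitions leave it
        # empty because their replication scope is fixed.
        $replicas = @()
        foreach ($dn in $props['msds-nc-replica-locations']) {
            # DN looks like CN=NTDS Settings,CN=<server>,CN=Servers,CN=<site>,...
            $replicas += ($dn -split ',')[1] -replace '^CN=', ''
        }

        $partitions += New-Object PSObject -Property @{
            Kind            = $kind
            NamingContext   = $ncName
            DnsRoot         = if ($props['dnsroot'].Count) { [string]$props['dnsroot'][0] } else { '' }
            InGlobalCatalog = -not ($flags -band $FLAG_CR_NTDS_NOT_GC_REPLICATED)
            ReplicaServers  = if ($replicas.Count) { $replicas -join ', ' } else { '(every DC in scope)' }
        }
    }
    return $partitions | Select-Object Kind, NamingContext, DnsRoot, InGlobalCatalog, ReplicaServers
}

Get-DirectoryPartitions | Sort-Object Kind, NamingContext | Format-Table -AutoSize -Wrap
```

On a forest that uses Active Directory-integrated DNS the report shows the DomainDnsZones and ForestDnsZones application partitions with their replica lists, which is the concrete form of the "control the scope of replication and the placement of replicas" statement above.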
1.1.12 Trust Relationships
A trust relationship is a link between two domains in which the trusting domain honors the logon
authentication of the trusted domain, as shown in Figure 1-13. Users and applications are authenticated in
the Windows Server 2003/2008 family using one of two trust protocols: Kerberos version 5 or NT LAN
Manager (NTLM). The Kerberos version 5 protocol is the default protocol for computers running Windows
Server 2003/2008. If any computer involved in a transaction does not support Kerberos version 5, the NTLM
protocol is used. A trust relationship is also permitted with any MIT Kerberos version 5 realms. There are two
domains in a trust relationship—the trusting and the trusted Domain.

1.1.13 Group Policies


Group policies are collections of user and computer configuration settings that can be linked to computers,
sites, domains, and OUs to specify the behavior of users’ desktops. For example, using group policies, you
can set the programs that are available to users, the programs that appear on the user’s desktop, and Start
menu options.

1.1.14 DNS
DNS is a service used in Transmission Control Protocol/Internet Protocol (TCP/IP) networks, such as the
Internet, to locate computers and services through user-friendly names. DNS provides a method of naming
computers and network services using a hierarchy of domains. When a user enters a user-friendly DNS name
in an application, DNS services can resolve the name to other information associated with the name, such as
an IP address. For example, it’s easy for most users who want to locate a computer on a network to
remember and learn a friendly name such as example.microsoft.com. However, computers communicate
over a network by using numeric addresses. DNS provides a way to map the user-friendly name for a
computer or service to its numeric address. If you have used a Web browser, you have used DNS.

1.1.15 Operations Master Roles


Active Directory supports multimaster replication of the Active Directory database between all domain
controllers in the domain. However, some changes are impractical to perform in multimaster fashion, so one
or more domain controllers can be assigned to perform operations that are single-master (not permitted to
occur at different places in a network at the same time). Operations master roles are assigned to domain
controllers to perform single-master operations.

In any Active Directory forest, five operations master roles must be assigned to one or more domain
controllers. Some roles must appear in every forest. Other roles must appear in every domain in the forest.
You must be aware of operations master roles assigned to a domain controller if problems develop on the
domain controller or if you plan to take it out of service.

1.1.16 Forest-Wide Operations Master Roles

Every Active Directory forest must have the following roles:

 Schema master
 Domain naming master
These roles must be unique in the forest. This means that throughout the entire forest there can be only one
schema master and one domain naming master.




1.1.17 Schema Master Role


The domain controller assigned the schema master role controls all updates and modifications to the
schema. To update the schema of a forest, you must have access to the schema master. At any time, there
can be only one schema master in the entire forest.

1.1.18 Domain Naming Master Role


The domain controller holding the domain naming master role controls the addition or removal of domains
in the forest. There can be only one domain naming master in the entire forest at any time.

1.1.19 Domain-Wide Operations Master Roles


Every domain in the forest must have the following roles:

 Relative identifier (RID), or relative ID, master
 Primary domain controller (PDC) emulator
 Infrastructure master

These roles must be unique in each domain. This means that each domain in the forest can have only one RID
master, PDC emulator master, and infrastructure master.

1.1.20 RID Master Role


The domain controller assigned the RID master role allocates sequences of relative IDs to each of the various
domain controllers in its domain. At any time, there can be only one domain controller acting as the RID
master in each domain in the forest.

Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique
security ID. The security ID consists of a domain security ID (that is the same for all security IDs created in the
domain) and a relative ID that is unique for each security ID created in the domain.

To move an object between domains (using Movetree.exe: Active Directory Object Manager), you must
initiate the move on the domain controller acting as the RID master of the domain that currently contains the
object.

1.1.21 PDC Emulator Role


If the domain contains computers operating without Windows Server 2003/2008 client software or if it
contains Windows NT backup domain controllers (BDCs), the domain controller assigned the PDC emulator
role acts as a Windows NT PDC. It processes password changes from clients and replicates updates to the
BDCs. At any time, there can be only one domain controller acting as the PDC emulator in each domain in the
forest.

Even after all systems are upgraded to Windows Server 2003/2008, and the Windows Server 2003/2008
domain is operating at the Windows Server 2003/2008 functional level, the PDC emulator receives
preferential replication of password changes performed by other domain controllers in the domain. If a
password was recently changed, that change takes time to replicate to every domain controller in the
domain. If a logon authentication fails at another domain controller due to a bad password, that domain
controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.

1.1.22 Infrastructure Master Role


The domain controller assigned the infrastructure master role is responsible for updating the group-to-user
references whenever the members of groups are renamed or changed. At any time, there can be only one
domain controller acting as the infrastructure master in each domain.
When you rename or move a member of a group (and the member resides in a different domain from the
group), the group might temporarily appear not to contain that member. The infrastructure master of the
group’s domain is responsible for updating the group so it knows the new name or location of the member.
The infrastructure master distributes the update via multimaster replication.

There is no compromise to security during the time between the member rename and the group update.
Only an administrator looking at that particular group membership would notice the temporary
inconsistency.
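Before an operations master is taken out of service (and before any role is transferred or seized), an administrator needs to know which domain controller holds each of the five roles described in 1.1.15 to 1.1.22 and which domain controllers are global catalog servers (1.1.8). The following PowerShell script inventories the role holders and the global catalogs, checks that each holder answers on the network, and applies the placement rule that the infrastructure master must not be a global catalog unless every domain controller in its domain is one. It is an added example written for this edition, not part of the original Wipro/BHEL document; it assumes a domain-joined host with PowerShell 2.0 or later and ICMP permitted to the domain controllers, uses the .NET System.DirectoryServices.ActiveDirectory API, and the function names are this example's own.

```powershell
# Added example (not from the original document). Lists the holder of each
# operations master role, lists the global catalog servers, checks that each
# role holder is reachable, and checks infrastructure master placement.
# Assumes a domain-joined host and PowerShell 2.0 or later.

function Get-OperationsMasterInventory {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $rows = @()

    # Forest-wide roles: exactly one holder each in the whole forest
    $rows += New-Object PSObject -Property @{ Scope = $forest.Name; Role = 'Schema master';        Holder = $forest.SchemaRoleOwner.Name }
    $rows += New-Object PSObject -Property @{ Scope = $forest.Name; Role = 'Domain naming master'; Holder = $forest.NamingRoleOwner.Name }

    # Domain-wide roles: one holder each per domain
    foreach ($domain in $forest.Domains) {
        $rows += New-Object PSObject -Property @{ Scope = $domain.Name; Role = 'RID master';            Holder = $domain.RidRoleOwner.Name }
        $rows += New-Object PSObject -Property @{ Scope = $domain.Name; Role = 'PDC emulator';          Holder = $domain.PdcRoleOwner.Name }
        $rows += New-Object PSObject -Property @{ Scope = $domain.Name; Role = 'Infrastructure master'; Holder = $domain.InfrastructureRoleOwner.Name }
    }
    return $rows | Select-Object Scope, Role, Holder
}

function Get-GlobalCatalogServers {
    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    foreach ($domain in $forest.Domains) {
        foreach ($dc in $domain.DomainControllers) {
            if ($dc.IsGlobalCatalog()) {
                New-Object PSObject -Property @{ Domain = $domain.Name; GlobalCatalog = $dc.Name; Site = $dc.SiteName }
            }
        }
    }
}

function Test-InfrastructureMasterPlacement {
    $forest   = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $findings = @()
    foreach ($domain in $forest.Domains) {
        $dcs       = @($domain.DomainControllers)
        $gcs       = @($dcs | Where-Object { $_.IsGlobalCatalog() })
        $infra     = $domain.InfrastructureRoleOwner
        $infraIsGc = [bool]($gcs | Where-Object { $_.Name -eq $infra.Name })
        # A GC already holds every cross-domain object, so an infrastructure master
        # that is a GC never notices stale references and never updates them,
        # unless every DC in the domain is a GC (then there is nothing to update).
        if ($infraIsGc -and $gcs.Count -lt $dcs.Count) {
            $findings += "$($domain.Name): infrastructure master $($infra.Name) is a global catalog while only $($gcs.Count) of $($dcs.Count) DCs are; cross-domain group references will not be updated."
        }
        if ($gcs.Count -eq 0) {
            $findings += "$($domain.Name): no global catalog server; logons that need universal group membership will fail."
        }
    }
    return $findings
}

function Test-RoleHolderReachability {
    $names = Get-OperationsMasterInventory | ForEach-Object { $_.Holder } | Sort-Object -Unique
    foreach ($name in $names) {
        # ICMP must be permitted; a 'False' here is the cue to investigate before planning a seizure
        $up = Test-Connection -ComputerName $name -Count 1 -Quiet -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{ Holder = $name; Reachable = [bool]$up }
    }
}

Get-OperationsMasterInventory | Format-Table -AutoSize
Get-GlobalCatalogServers | Select-Object Domain, GlobalCatalog, Site | Format-Table -AutoSize
Test-RoleHolderReachability | Select-Object Holder, Reachable | Format-Table -AutoSize
$issues = Test-InfrastructureMasterPlacement
if ($issues) { $issues | ForEach-Object { "WARNING: $_" } } else { 'Infrastructure master placement is correct in all domains.' }
```

Keep the inventory output with the project documentation: the holder list is the evidence needed to decide whether a role is only temporarily unavailable (transfer it back later) or permanently lost (seize it and never return the original server to the network without reinstalling it).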

1.1.23 What Problems Arise When an Operations Master Fails


Schema Master Failure: Temporary loss of the schema operations master is not visible to network users. It is
not visible to network administrators either, unless they are trying to modify the schema or install an
application that modifies the schema during installation. If the schema master will be unavailable for an
unacceptable length of time, you can seize the role to the domain controller you’ve chosen to act as the
standby schema master. However, seizing this role is a step that you should take only when the failure of the
schema master is permanent.

Domain Naming Master Failure: Temporary loss of the domain naming master is not visible to network
users. It is not visible to network administrators either, unless they are trying to add a domain to the forest or
remove a domain from the forest. If the domain naming master will be unavailable for an unacceptable
length of time, you can seize the role to the domain controller you’ve chosen to act as the standby domain
naming master. However, seizing this role is a step that you should take only when the failure of the domain
naming master is permanent.

WIPRO – BHEL Confidential Page 14


Wipro Infotech - MSBU Division
BHEL /Kolkata/ Windows Server 2008 Active Directory Implementation and Migration

RID master failure. Temporary loss of the RID operations master is not visible to network users. It is not
visible to network administrators either, unless they are creating objects and the domain in which they are
creating the objects runs out of relative identifiers. If the RID master will be unavailable for an unacceptable
length of time, you can seize the role to the domain controller you’ve chosen to act as the standby RID
master. However, seizing this role is a step that you should take only when the failure of the RID master is
permanent.
PDC emulator failure. The loss of the PDC emulator affects network users. Therefore, when the PDC
emulator is not available, you might need to immediately seize the role. If the current PDC emulator will be
unavailable for an unacceptable length of time and its domain has down-level clients that depend on the PDC
emulator (pre-Windows 2000 clients), or if it contains Windows NT backup domain controllers, seize the PDC
emulator role to the domain controller you’ve chosen to act as the standby PDC emulator. Even in a domain
with only current clients, password-change propagation, account lockout processing and time
synchronization depend on this role, so it is the one role that is routinely seized and later transferred back.
When the original PDC emulator is returned to service, you can return the role to the original domain
controller.
Infrastructure master failure. Temporary loss of the infrastructure master is not visible to network users. It
is not visible to network administrators either, unless they have recently moved or renamed a large number
of accounts. If the infrastructure master will be unavailable for an unacceptable length of time, you can seize
the role to a domain controller that is not a global catalog but is well connected to a global catalog (from any
domain), ideally in the same site as a global catalog server. When the original infrastructure master is
returned to service, you can transfer the role back to the original domain controller.

Read-Only Domain Controllers

A read-only domain controller (RODC) is a new type of domain controller in the Windows Server 2008
operating system. With an RODC, organizations can easily deploy a domain controller in locations where
physical security cannot be guaranteed. An RODC hosts read-only partitions of the Active Directory Domain
Services (AD DS) database.

Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide
area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch
offices often cannot provide the adequate physical security that is required for a writable domain controller.
Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This
can increase the amount of time that is required to log on. It can also hamper access to network resources.

Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a
result, users in this situation can receive the following benefits:

 Improved security
 Faster logon times
 More efficient access to resources on the network

1.2 What does an RODC do?

Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a
way to deploy a domain controller more securely in locations that require fast and reliable authentication
services but cannot ensure physical security for a writable domain controller.

However, your organization may also choose to deploy an RODC for special administrative requirements. For
example, a line-of-business (LOB) application may run successfully only if it is installed on a domain
controller. Or, the domain controller might be the only server in the branch office, and it may have to host
server applications.

In such cases, the LOB application owner must often log on to the domain controller interactively or use
Terminal Services to configure and manage the application. This situation creates a security risk that may be
unacceptable on a writable domain controller.

An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant
a non-administrative domain user the right to log on to an RODC while minimizing the security risk to the
Active Directory forest.

You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a
primary threat, for example, in an extranet or application-facing role.

1.3 Who will be interested in this feature?

RODC is designed primarily to be deployed in remote or branch office environments. Branch offices typically
have the following characteristics:

 Relatively few users
 Poor physical security
 Relatively poor network bandwidth to a hub site
 Little knowledge of information technology (IT)

You should review this section, and the additional supporting documentation about RODC, if you are in any of
the following groups:

 IT planners and analysts who are technically evaluating the product
 Enterprise IT planners and designers for organizations
 Those responsible for IT security
 AD DS administrators who deal with small branch offices


1.4 Are there any special considerations?

To deploy an RODC, at least one writable domain controller in the domain must be running Windows
Server 2008, and the functional level for the domain and forest must be Windows Server 2003 or higher. In
a forest that was upgraded from Windows Server 2003, the forest must also have been prepared once with
adprep /rodcprep (run by an Enterprise Admin) so that the RODC is permitted to replicate the DNS
application directory partitions.

1.5 What new functionality does this feature provide?

RODC addresses some of the problems that are commonly found in branch offices. These locations might not
have a domain controller. Or, they might have a writable domain controller but not the physical security,
network bandwidth, or local expertise to support it. The following RODC functionality mitigates these
problems:

 Read-only AD DS database
 Unidirectional replication
 Credential caching
 Administrator role separation
 Read-only Domain Name System (DNS)

1.5.1.1 Read-only AD DS database
Except for account passwords, an RODC holds all the Active Directory objects and attributes that a writable
domain controller holds. However, changes cannot be made to the database that is stored on the RODC.
Changes must be made on a writable domain controller and then replicated back to the RODC.

Local applications that request Read access to the directory can obtain access. Lightweight Directory
Access Protocol (LDAP) applications that request Write access receive an LDAP referral response. This
response directs them to a writable domain controller, normally in a hub site.

1.5.1.2 RODC filtered attribute set


Some applications that use AD DS as a data store might have credential-like data (such as passwords,
credentials, or encryption keys) that you do not want to be stored on an RODC in case the RODC is
compromised.

For these types of applications, you can dynamically configure a set of attributes in the schema for domain
objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set.
Attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the
forest.

A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate
attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes
from a domain controller that is running Windows Server 2008, the replication request is denied. However, if
the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003,
the replication request can succeed.


Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to
configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC
that is compromised cannot be exploited in this manner because domain controllers that are running
Windows Server 2003 are not allowed in the forest.

You cannot add system-critical attributes to the RODC filtered attribute set. An attribute is system-critical if it
is required for AD DS, the Local Security Authority (LSA), the Security Accounts Manager (SAM) or the
Microsoft-specific Security Service Provider Interfaces (SSPIs), such as Kerberos, to function properly. A
system-critical attribute has a schemaFlagsEx attribute value with bit 1 set (schemaFlagsEx & 0x1 = TRUE).

The RODC filtered attribute set is configured on the server that holds the schema operations master role. If
you try to add a system-critical attribute to the RODC filtered set while the schema master is running
Windows Server 2008, the server returns an "unwillingToPerform" LDAP error. If you try to add a system-
critical attribute to the RODC filtered attribute set on a Windows Server 2003 schema master, the operation
appears to succeed but the attribute is not actually added. Therefore, it is recommended that the schema
master be a Windows Server 2008 domain controller when you add attributes to the RODC filtered attribute
set. This ensures that system-critical attributes are not included in the RODC filtered attribute set.
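The filtered attribute set described above is not a separate list object: membership is a bit (0x200) in the searchFlags attribute of each attributeSchema object, and the system-critical test is bit 0x1 of schemaFlagsEx. The following PowerShell script is an added example, not code from the original Wipro/BHEL document; it performs both checks before setting the bit over ADSI. It assumes it runs as a Schema Admin with LDAP reachability to the schema master, and the attribute name it filters is a hypothetical line-of-business attribute, not one that exists on this page.

```powershell
# Added example; not part of the original Wipro/BHEL document.
# Adds an attribute to the RODC filtered attribute set by setting searchFlags
# bit 0x200 (fRODCFilteredAttribute) on its attributeSchema object, but only
# after checking that schemaFlagsEx bit 0x1 (system-critical) is clear and
# warning if the forest functional level is below Windows Server 2008, as the
# text advises. Assumptions: run as a Schema Admin; ADSI binds to whichever DC
# serves the schema partition, but only the schema master accepts the write.
$AttributeName = 'bhelpser-lobAppSecret'   # hypothetical LOB attribute, not from the page

$RODC_FILTERED   = 0x200  # searchFlags: fRODCFilteredAttribute
$CONFIDENTIAL    = 0x80   # searchFlags: fCONFIDENTIAL, normally set together with it
$SYSTEM_CRITICAL = 0x1    # schemaFlagsEx: fATTR_IS_CRITICAL
$FFL_WS2008      = 3      # rootDSE forestFunctionalLevel value for Windows Server 2008

function Get-IntAttribute($Entry, [string]$Name) {
    # Unset integer attributes come back as $null; treat them as 0.
    $v = $Entry.psbase.Properties[$Name].Value
    if ($v -eq $null) { return 0 }
    return [int]$v
}

function Get-SchemaAttributeEntry([string]$LdapDisplayName) {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $schemaNc = [string]$rootDse.psbase.Properties['schemaNamingContext'].Value
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://$schemaNc"
    $searcher.Filter = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $hit = $searcher.FindOne()
    if ($hit -eq $null) { throw "attribute '$LdapDisplayName' is not in the schema" }
    return $hit.GetDirectoryEntry()
}

function Test-SystemCritical($Entry) {
    return (((Get-IntAttribute $Entry 'schemaFlagsEx') -band $SYSTEM_CRITICAL) -ne 0)
}

function Add-ToRodcFilteredAttributeSet([string]$LdapDisplayName) {
    $ffl = Get-IntAttribute ([ADSI]'LDAP://RootDSE') 'forestFunctionalLevel'
    if ($ffl -lt $FFL_WS2008) {
        Write-Warning "forestFunctionalLevel is $ffl (below Windows Server 2008): a compromised RODC could still pull filtered attributes from a Windows Server 2003 DC"
    }
    $entry = Get-SchemaAttributeEntry $LdapDisplayName
    if (Test-SystemCritical $entry) {
        throw "refusing to filter '$LdapDisplayName': schemaFlagsEx has bit 0x1 (system-critical)"
    }
    $flags = Get-IntAttribute $entry 'searchFlags'
    if (($flags -band $RODC_FILTERED) -ne 0) {
        Write-Host "'$LdapDisplayName' is already in the RODC filtered attribute set (searchFlags 0x$($flags.ToString('x')))"
        return $flags
    }
    $newFlags = $flags -bor $RODC_FILTERED -bor $CONFIDENTIAL
    $entry.psbase.Properties['searchFlags'].Value = $newFlags
    # A Windows Server 2008 schema master answers unwillingToPerform if the
    # attribute is critical after all; CommitChanges surfaces that as an error.
    $entry.psbase.CommitChanges()
    Write-Host "'$LdapDisplayName': searchFlags 0x$($flags.ToString('x')) -> 0x$($newFlags.ToString('x'))"
    return $newFlags
}

Add-ToRodcFilteredAttributeSet $AttributeName
```

Windows Server 2008 already places its own secret-bearing attributes in the set (for example ms-FVE-RecoveryPassword and ms-TPM-OwnerInformation), so running the script against one of those prints "already in the RODC filtered attribute set". Marking the attribute confidential (0x80) at the same time is the usual pairing: it keeps the value from being read by ordinary authenticated users on writable DCs as well as from being replicated to RODCs.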

1.5.1.3 Unidirectional replication


Because no changes are written directly to the RODC, no changes originate at the RODC. Accordingly,
writable domain controllers that are replication partners do not have to pull changes from the RODC. This
means that any changes or corruption that a malicious user might make at branch locations cannot replicate
from the RODC to the rest of the forest. This also reduces the workload of bridgehead servers in the hub and
the effort required to monitor replication.

RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication of
SYSVOL. The RODC performs normal inbound replication for AD DS and SYSVOL changes.

1.5.1.4 Credential caching


Credential caching is the storage of user or computer credentials. Credentials here means the small set of
password-derived secrets (roughly ten attributes, such as the NT hash and Kerberos keys) that are associated
with a security principal. By default, an RODC does not store user or computer credentials. The exceptions
are the computer account of the RODC and a special krbtgt account that each RODC has. You must explicitly
allow any other credential caching on an RODC.

The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different
krbtgt account and password than the KDC on a writable domain controller uses when it signs or encrypts
ticket-granting ticket (TGT) requests.

After an account is successfully authenticated, the RODC attempts to contact a writable domain controller at
the hub site and requests a copy of the appropriate credentials. The writable domain controller recognizes
that the request is coming from an RODC and consults the Password Replication Policy in effect for that
RODC.


The Password Replication Policy determines if a user's credentials or a computer's credentials can be
replicated from the writable domain controller to the RODC. If the Password Replication Policy allows it, the
writable domain controller replicates the credentials to the RODC, and the RODC caches them.

After the credentials are cached on the RODC, the RODC can directly service that user's logon requests until
the credentials change. (When a TGT is signed with the krbtgt account of the RODC, the RODC recognizes that
it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards
requests to a writable domain controller.)

By limiting credential caching only to users who have authenticated to the RODC, the potential exposure of
credentials by a compromise of the RODC is also limited. Typically, only a small subset of domain users has
credentials cached on any given RODC. Therefore, in the event that the RODC is stolen, only those credentials
that are cached can potentially be cracked.

Leaving credential caching disabled might further limit exposure, but it results in all authentication requests
being forwarded to a writable domain controller. An administrator can modify the default Password
Replication Policy to allow users' credentials to be cached at the RODC.
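The Password Replication Policy above is the control that decides what a stolen RODC can leak, so it is worth auditing rather than trusting the defaults. The following PowerShell script is an added example, not code from the original Wipro/BHEL document. It drives the Windows Server 2008 repadmin /prp command to list the allow, deny, authenticated (auth2) and revealed lists for one RODC, flags any cached account that AdminSDHolder marks as protected (adminCount=1), and shows which branch users are still authenticating across the WAN because they are not allowed to cache. It assumes it runs as a Domain Admin with repadmin.exe present; the RODC name is the one this document builds at Budge-budge, and the branch group named at the end is hypothetical.

```powershell
# Added example; not part of the original Wipro/BHEL document.
# Audits the Password Replication Policy of one RODC with "repadmin /prp"
# (Windows Server 2008 repadmin). Assumptions: run as a Domain Admin with
# repadmin.exe on the PATH; $Rodc is the RODC this page builds; $BranchGroup
# is a hypothetical group that does not exist on the page.
$Rodc        = 'BHELBUDGRODC01'
$BranchGroup = 'Budge-budge Users'   # hypothetical; sAMAccountName or DN accepted by repadmin

function Get-PrpList([string]$RodcName, [string]$List) {
    # $List is one of: allow, deny, auth2 (accounts that authenticated through
    # the RODC), reveal (accounts whose secrets are cached). repadmin prints
    # one distinguished name per entry; everything else is header text.
    $dns = @()
    foreach ($line in (repadmin /prp view $RodcName $List)) {
        if ($line -match '^\s*(CN=.+?)\s*$') { $dns += $matches[1] }
    }
    return $dns
}

function Test-ProtectedAccount([string]$Dn) {
    # adminCount=1 is stamped by AdminSDHolder on current or former members of
    # Domain Admins, Enterprise Admins, Schema Admins, Account/Server/Backup
    # Operators and similar groups: their secrets have no business on an RODC.
    $entry = [ADSI]('LDAP://' + $Dn)
    $count = $entry.psbase.Properties['adminCount'].Value
    return ($count -ne $null -and [int]$count -eq 1)
}

function Get-PrpReport([string]$RodcName) {
    $report = @{
        Allowed       = @(Get-PrpList $RodcName 'allow')
        Denied        = @(Get-PrpList $RodcName 'deny')
        Authenticated = @(Get-PrpList $RodcName 'auth2')
        Revealed      = @(Get-PrpList $RodcName 'reveal')
    }
    # Protected accounts whose secrets are physically on the RODC.
    $report.RevealedProtected = @($report.Revealed | Where-Object { Test-ProtectedAccount $_ })
    # Accounts that logged on via the branch but are not cached: every one of
    # these logons crossed the WAN to a writable domain controller.
    $report.NotCached = @($report.Authenticated | Where-Object { $report.Revealed -notcontains $_ })
    return $report
}

$r = Get-PrpReport $Rodc
Write-Host ("{0}: {1} allowed, {2} denied, {3} authenticated, {4} revealed" -f $Rodc, $r.Allowed.Count, $r.Denied.Count, $r.Authenticated.Count, $r.Revealed.Count)
if ($r.RevealedProtected.Count -gt 0) {
    Write-Warning "protected accounts cached on ${Rodc}: reset these passwords and fix the deny list"
    $r.RevealedProtected | ForEach-Object { Write-Warning "  $_" }
}
if ($r.NotCached.Count -gt 0) {
    Write-Host 'branch accounts authenticating over the WAN (candidates for the allow list):'
    $r.NotCached | ForEach-Object { Write-Host "  $_" }
}
# To let the branch group cache (the "modify the default Password Replication
# Policy" step in the text), uncomment the next line:
# repadmin /prp add $Rodc allow $BranchGroup
```

If the RODC is reported stolen, the reveal list is the set of accounts whose passwords must be reset; deleting the RODC computer account in Active Directory Users and Computers offers to reset all cached user and computer passwords in one step, which is the intended incident response for this design.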

1.5.1.5 Administrator role separation


You can delegate local administrative permissions for an RODC to any domain user without granting that user
any user rights for the domain or other domain controllers. This permits a local branch user to log on to an
RODC and perform maintenance work on the server, such as upgrading a driver. However, the branch user
cannot log on to any other domain controller or perform any other administrative task in the domain. In this
way, the branch user can be delegated the ability to effectively manage the RODC in the branch office
without compromising the security of the rest of the domain.

1.5.1.6 Read-only DNS


You can install the DNS Server service on an RODC. An RODC is able to replicate all application directory
partitions that DNS uses, including ForestDNSZones and DomainDNSZones. If the DNS server is installed on an
RODC, clients can query it for name resolution as they query any other DNS server.

However, the DNS server on an RODC is read-only and therefore does not accept dynamic updates itself. A
client that tries to register a record receives a referral to a writable DNS server (a writable domain controller
that hosts the zone); after the client has updated that server, the RODC requests replication of that single
changed record so that its local copy is brought up to date without waiting for the next scheduled replication.

Creation of Root Domain Controller on Windows Server 2008.


TCP/IP configuration of Root Domain Controller in Salt-lake.


GENERAL CONFIGURATION ON SALT-LAKE RDC.

HARD DISK PARTITION INFORMATION OF RDC.


A new simple volume is created for the AD database.


Welcome wizard: click Next.

Specify the size of the volume.

Choose a drive letter and then click Next.


Format the volume with the NTFS file system, supplying the appropriate details.


Format completed successfully.


Installation of DNS server role on BHELPSERRDC01.

Welcome wizard: click Next.


Select the DNS Server role and then click Next.

Click Next.


Process of adding the DNS server role started.

RDC creation in Salt-lake:


To configure this server as the new root domain controller, it is first promoted as an additional domain
controller for the domain bhelpser.co.in; the operations master roles are transferred to it afterwards.

Welcome wizard.

Check the Use advanced mode installation check box, then click Next.

Click Next.


Select Existing forest and Add a DC to an existing domain.

Provide the name of the existing domain name.

Supply Domain Admins credentials for creating the additional domain controller.


Select the domain bhelpser.co.in and then click next.

Select the default first site and then click next.


Check the Global catalog option and then click next.

Select the first option for replicating the database over the network.

Select the appropriate domain controller.



Specify the path for Active Directory Database.

Set the Directory Services Restore Mode (DSRM) administrator password. This is a local account used only when the domain controller is started in DSRM, for example to restore Active Directory from backup; it is not a domain account, so record it securely for this server.

Summary of the whole wizard.


Click next.


The installation of Active Directory Domain Services starts.

After the restart the server was given more than 24 hours to complete replication of all Active Directory
components.

Once replication is complete, the size of the AD database file ntds.dit matches that of the root domain
controller. A more reliable check is repadmin /replsummary (or repadmin /showrepl BHELPSERRDC01), which
reports the time of the last successful replication and any failures for every partition.

After replication all the DNS records are also available on BHELPSERRDC01, including the name server (NS)
records. Note that the forwarder list is a per-server setting that is not replicated with the zone; it has to be
configured on each DNS server.


DNS records.


Name Servers.

Forwarder


Raising the Domain Functional Level.

Before transferring the roles, the functional levels of the existing domain and forest must be raised. Raising
the domain functional level to Windows Server 2008 requires every domain controller in the domain to run
Windows Server 2008, and the change cannot be undone, so confirm that no Windows Server 2003 domain
controller remains in service (the Windows Server 2008 forest functional level additionally requires every
domain in the forest to be at that level).
Open Active Directory Users and Computers. Right-click bhelpser.co.in and select Raise Domain Functional
Level.

Select Windows Server 2008 and then click Raise.


Click ok to proceed.

Domain Functional Level successfully raised.

Open Active Directory Domains and Trusts. Right-click bhelpser.co.in and select Raise Forest Functional Level.


Select Windows Server 2008 then click Raise.

Click OK to proceed.


Forest Functional Level successfully raised.

Upgrading the schema

Upgrading the schema requires the Windows Server 2008 installation media: adprep.exe is in the
\sources\adprep folder. Run adprep /forestprep on the schema master as a member of Schema Admins and
Enterprise Admins, wait for the change to replicate, then run adprep /domainprep /gpprep on the
infrastructure master of the domain; add adprep /rodcprep if read-only domain controllers will be deployed.
This preparation must be complete before the first Windows Server 2008 domain controller can be promoted,
and schema extensions cannot be rolled back, so take a system state backup of the schema master first.

After the upgrade, the existing Windows Server 2003 domain controller recognizes Windows Server 2008 domain controllers (the objectVersion attribute of the Schema container reads 44 for a Windows Server 2008 schema).


Transferring the five Operations Master Roles to BHELPSERRDC01.

Querying the operations master roles on the existing Windows Server 2003 RDC:

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\>netdom query fsmo
Schema owner            cal002.bhelpser.co.in
Domain role owner       cal002.bhelpser.co.in
PDC role                cal002.bhelpser.co.in
RID pool manager        cal002.bhelpser.co.in
Infrastructure owner    cal002.bhelpser.co.in
The command completed successfully.

To transfer the roles from the command line, ntdsutil is used. A transfer (as opposed to a seizure) requires
the current holder, cal002, to be online and reachable, and the account used must be a member of Domain
Admins, Schema Admins (for the schema master) and Enterprise Admins (for the domain naming master).


Type ntdsutil and press Enter, then type roles and press Enter.

Type connections and press Enter.

At the server connections prompt type ‘connect to server bhelpserrdc01’; this binds to the Windows Server 2008
domain controller that will receive the roles. Type q to return to the fsmo maintenance prompt.


To transfer Domain Naming Master type ‘transfer domain naming master’.


Click yes to confirmation dialog box.

Domain Naming Master transferred to ‘bhelpserrdc01’.

To transfer Infrastructure Master type ‘transfer infrastructure master’.

Click yes to confirmation dialog box.


Infrastructure Master transferred to ‘bhelpserrdc01’.

To transfer PDC type ‘transfer pdc’.

Click yes to confirmation dialog box.

PDC transferred to ‘bhelpserrdc01’.

To transfer RID master type ‘transfer rid master’.


Click yes to confirmation dialog box.

RID master transferred to ‘bhelpserrdc01’.

To transfer Schema master type ‘transfer schema master’.


Click yes to confirmation dialog box.

Schema master transferred to ‘bhelpserrdc01’.


Querying the operations master roles again with netdom query fsmo confirms that all five roles are now held by bhelpserrdc01.
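The ntdsutil procedure above, and the transfer-versus-seize guidance in section 1.1.23, can be driven from one script so that every role moves the same way and the result is verified from netdom rather than from five separate dialog boxes. The following PowerShell script is an added example, not code from the original Wipro/BHEL document. It assumes an elevated session on a domain controller or administrative workstation that has netdom.exe and ntdsutil.exe, run by an account in Domain Admins, Schema Admins and Enterprise Admins; the target name is the server used on this page, nothing else is taken from the document.

```powershell
# Added example; not part of the original Wipro/BHEL document.
# Moves the five operations master roles to one domain controller with the
# same ntdsutil commands this page types interactively, then verifies with
# "netdom query fsmo". Assumptions: elevated session; netdom.exe and
# ntdsutil.exe present (both ship with Windows Server 2003/2008); the account
# is in Domain Admins, Schema Admins and Enterprise Admins.
$Target = 'bhelpserrdc01'

function Get-FsmoOwners {
    # Parse "netdom query fsmo" into a hashtable of role label -> owner FQDN.
    # Labels differ between Windows Server 2003 ("Schema owner", "PDC role")
    # and 2008 ("Schema master", "PDC"), so match "label, 2+ spaces, FQDN".
    $owners = @{}
    foreach ($line in (netdom query fsmo)) {
        if ($line -match '^\s*(.+?)\s{2,}(\S+\.\S+)\s*$') {
            $owners[$matches[1]] = $matches[2]
        }
    }
    return $owners
}

function Move-FsmoRoles {
    param([string]$ToServer, [switch]$Seize)
    # "transfer" asks the current holder to hand the role over and fails if it
    # is unreachable. "seize" forces the move and is only for a holder that is
    # permanently lost: a seized schema, domain naming or RID master must never
    # come back online unless it is reinstalled first.
    $verb = 'transfer'
    if ($Seize) { $verb = 'seize' }
    # Windows Server 2003 ntdsutil spells the role "domain naming master";
    # Windows Server 2008 and later also accept "naming master".
    $roles = @('schema master', 'domain naming master', 'pdc', 'rid master', 'infrastructure master')
    foreach ($role in $roles) {
        Write-Host "$verb $role -> $ToServer"
        # ntdsutil takes its interactive commands as arguments; each "q" leaves
        # one menu level. A confirmation dialog still appears for each role.
        & ntdsutil.exe 'roles' 'connections' "connect to server $ToServer" 'q' "$verb $role" 'q' 'q'
    }
}

function Test-AllRolesOn {
    param([hashtable]$Owners, [string]$HostName)
    # True when netdom reports all five roles on $HostName (short name compare).
    if ($Owners.Count -lt 5) { return $false }
    foreach ($owner in $Owners.Values) {
        if ($owner.Split('.')[0] -ne $HostName) { return $false }
    }
    return $true
}

$before = Get-FsmoOwners
Write-Host 'Role holders before:'
$before.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize | Out-Host

Move-FsmoRoles -ToServer $Target          # add -Seize only for a permanently failed holder

$after = Get-FsmoOwners
if (Test-AllRolesOn -Owners $after -HostName $Target) {
    Write-Host "All five roles are now held by $Target."
} else {
    Write-Warning 'Not every role moved; check the Directory Service event log on both servers.'
    $after.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize | Out-Host
}
```

Running it without -Seize is safe to repeat: a transfer that finds the role already on the target simply reports success. Keep -Seize for the situation section 1.1.23 describes, and after a seizure make sure the old holder is rebuilt before it can see the network again.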


Creation of separate OUs for Kolkata-Salt lake, Budge-budge and Bakreswar sites.

Provide a name for the OU.


Hierarchical Structure for Kolkata site.

Hierarchical Structure for Bakreswar site.


Hierarchical Structure for Kolkata site OU’s.

Hierarchical OU structure has been created.


Group Policy Settings

Account lockout duration is set to 15 minutes; accounts lock out after 3 invalid logon attempts.

Audit both Success and Failure events. Enable the policy Audit: Shut down system immediately if unable to
log security audits. This sets CrashOnAuditFail: if the security log fills and cannot be overwritten, the domain
controller halts (Stop 0xC0000244) and only administrators can log on until the flag is cleared, so the
security log must be sized and archived accordingly or anyone able to flood it can take the domain controller
down.


Set the maximum system log size to 10 MB and the maximum application log size to 10 MB.

Set the maximum security log size to 10 MB. Enable Audit: Audit the use of Backup and Restore privilege,
which audits the use of all user rights, including backup and restore, when Audit Privilege Use is enabled.
This generates one event for every file backed up or restored, so a 10 MB security log fills quickly on a domain
controller with this setting.


Interactive logon: Number of previous logons to cache (in case domain controller is not available). This
feature is provided for system availability reasons, such as the user’s machine being disconnected from the
network or no domain controller being reachable. Each cached entry is a password-derived verifier stored on
the local machine and can be attacked offline if the machine is stolen, so the count should be kept small on
machines that leave the premises.
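The lockout and audit values above are what the Group Policy screenshots set; on the domain controllers they can be read back with secedit /export and compared against that baseline. The following PowerShell script is an added example, not code from the original Wipro/BHEL document. It parses a security template in secedit export format and reports every deviation from the values this page configures, including the CrashOnAuditFail trade-off. It runs offline on the constructed sample embedded below (not a real export from BHEL); on a domain controller, feed it the exported file instead.

```powershell
# Added example; not part of the original Wipro/BHEL document.
# Checks a security template exported with "secedit /export /cfg <file>"
# against the lockout and audit values this page sets. The sample template
# below is constructed for the example; real output has many more keys.
function Read-SecurityTemplate([string[]]$Lines) {
    # Minimal INI parser: section -> (key -> raw value). In [Registry Values]
    # the value is "<type>,<data>", e.g. "4,1" = REG_DWORD 1.
    $ini = @{}
    $section = ''
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; $ini[$section] = @{}; continue }
        $i = $line.IndexOf('=')
        if ($i -gt 0 -and $section -ne '') {
            $ini[$section][$line.Substring(0, $i).Trim()] = $line.Substring($i + 1).Trim()
        }
    }
    return $ini
}

function Test-SecurityBaseline($Ini) {
    # Returns one string per finding; no output means the template matches.
    $findings = @()
    $sa = $Ini['System Access']; $ea = $Ini['Event Audit']; $rv = $Ini['Registry Values']
    if ([int]$sa['LockoutBadCount'] -ne 3)  { $findings += "LockoutBadCount is $($sa['LockoutBadCount']), expected 3" }
    if ([int]$sa['LockoutDuration'] -ne 15) { $findings += "LockoutDuration is $($sa['LockoutDuration']), expected 15" }
    # Audit values: 0 none, 1 success, 2 failure, 3 success and failure.
    foreach ($cat in 'AuditLogonEvents', 'AuditAccountLogon', 'AuditPrivilegeUse') {
        if ([int]$ea[$cat] -ne 3) { $findings += "$cat is $($ea[$cat]), expected 3 (success and failure)" }
    }
    $crash = $rv['MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail']
    if ($crash -eq '4,1') {
        # Enabled: a full security log halts the machine (Stop 0xC0000244) and
        # only administrators can log on until the flag is cleared. With a
        # 10 MB security log that is a cheap denial of service against a DC.
        $findings += 'CrashOnAuditFail is enabled: confirm the security log is large enough and archived, or accept the halt risk'
    }
    return $findings
}

# Constructed sample in secedit export format (not an export from BHEL).
$Sample = @'
[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 3
ResetLockoutCount = 15
LockoutDuration = 15
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPrivilegeUse = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail=4,1
[Version]
signature="$CHICAGO$"
Revision=1
'@ -split "`r?`n"

$findings = @(Test-SecurityBaseline (Read-SecurityTemplate $Sample))
if ($findings.Count -eq 0) { Write-Host 'template matches the baseline' }
$findings | ForEach-Object { Write-Host "finding: $_" }
# On a domain controller:  secedit /export /cfg C:\sec.inf
# then:  Test-SecurityBaseline (Read-SecurityTemplate (Get-Content C:\sec.inf))
```

On the sample the only finding is the CrashOnAuditFail warning, which is the point: the lockout and audit values match, but the combination of that flag with the small log sizes configured above is a decision that should be made deliberately rather than inherited from a template.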

Creation of separate reverse lookup DNS zones for the different subnets.

Welcome wizard.


Click Next.

Select Primary zone (stored in Active Directory).

Select the replication scope for the zone.

Select IPv4 Reverse Lookup Zone.


Provide the network Id for the creation of zone.

Zone created successfully.

Welcome wizard.


Select the primary zone. Click next.

Select the method for the replication.


Select the IPv4 Addresses.

Provide the unique network Id for this zone.

Allow both nonsecure and secure dynamic updates. Nonsecure updates let any host, authenticated or not, add or overwrite records in the zone, including another machine’s PTR record; for an Active Directory-integrated zone, Secure only is the safer setting unless a specific non-domain device must register itself.


Zone created successfully.

Welcome wizard.


Select primary zone.

Select the method for the replication of zone.


Select IPv4 addresses.

Provide the unique network Id for this zone.

Allow both nonsecure and secure dynamic updates.


Zone created successfully.
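The zones created above accept nonsecure as well as secure dynamic updates. The following PowerShell script is an added example, not code from the original Wipro/BHEL document; it inventories every zone on a DNS server through the MicrosoftDNS WMI provider, shows the dynamic-update setting of each, and with -Fix switches Active Directory-integrated zones to secure-only updates through dnscmd. It assumes it runs on the DNS server itself as a DnsAdmins member with the Windows Server 2008 DNS Server role installed; zone names come from whatever that server hosts, none are taken from this document.

```powershell
# Added example; not part of the original Wipro/BHEL document.
# Lists every zone with its dynamic-update setting via the MicrosoftDNS WMI
# provider and, with -Fix, moves Active Directory-integrated zones from
# "nonsecure and secure" to "secure only" with dnscmd. Assumptions: run on
# the DNS server as a DnsAdmins member; Windows Server 2008 DNS Server role.
param([switch]$Fix)

# MicrosoftDNS_Zone.AllowUpdate: 0 = no dynamic updates,
# 1 = nonsecure and secure, 2 = secure only (same values as dnscmd /AllowUpdate)
$UPDATE_ANY    = 1
$UPDATE_SECURE = 2

function Get-ZoneUpdatePolicy {
    # One object per hosted zone. "Weak" marks an AD-integrated zone that any
    # host on the network can write to without authenticating.
    Get-WmiObject -Namespace 'root\MicrosoftDNS' -Class 'MicrosoftDNS_Zone' |
        ForEach-Object {
            $ds  = [bool]$_.DsIntegrated
            $upd = [int]$_.AllowUpdate
            New-Object PSObject -Property @{
                Zone         = $_.ContainerName
                Reverse      = [bool]$_.Reverse
                DsIntegrated = $ds
                AllowUpdate  = $upd
                Weak         = ($ds -and $upd -eq $UPDATE_ANY)
            }
        }
}

function Set-ZoneSecureOnly([string]$Zone) {
    # dnscmd /Config <zone> /AllowUpdate 2 is "Secure only" in the DNS console.
    & dnscmd.exe /Config $Zone /AllowUpdate $UPDATE_SECURE | Out-Null
    return ($LASTEXITCODE -eq 0)
}

$zones = @(Get-ZoneUpdatePolicy)
$zones | Sort-Object Zone | Format-Table Zone, Reverse, DsIntegrated, AllowUpdate, Weak -AutoSize | Out-Host

foreach ($z in ($zones | Where-Object { $_.Weak })) {
    if ($Fix) {
        if (Set-ZoneSecureOnly $z.Zone) { Write-Host "$($z.Zone): dynamic updates now secure only" }
        else { Write-Warning "$($z.Zone): dnscmd failed (exit code $LASTEXITCODE)" }
    } else {
        Write-Warning "$($z.Zone) accepts unauthenticated dynamic updates; any host can add or overwrite its records"
    }
}
```

Secure-only updates are accepted from computers that authenticate with their domain account and are then owner-restricted by the ACL on each record, which is what stops one machine from overwriting another machine’s A or PTR record; the price is that non-domain devices (printers, appliances) must either get static records or be registered on their behalf by the DHCP server.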


Sites and settings for different sites.

Different Sites and settings will be created for the replication between Domain Controllers.

Creation of different Subnets.


Right click on Subnet and select New Subnet to create a Subnet.


Provide the IP Subnet and its subnet mask.

Right click on Subnet and select New Subnet to create a Subnet.


Provide the IP Subnet and its Subnet Mask.

Creation of different Sites.


Right click on Sites and select New Site to create a Site.

Provide the name for Bakreswar Site and select the Default Site Link.


Site for Bakreswar successfully created.

Go to the properties of Subnet.

Set a description so that the subnet is easy to recognize.


Creation of different site link.


Select New Site Link

Set the name for New Site Link.


Choose the settings for replication between domain controllers: the site link cost and the replication interval.

Decrease the replication frequency (increase the interval in minutes) to suit the WAN bandwidth.

Create a Site for Budge-budge.


Select New Site.

Set the name for new site.

Go to the properties page of subnet.


Add the Budge-budge site in Site link.

Verify that the site link schedule allows replication throughout the week.


Different Sites and settings are created for the replication between Domain Controllers.

Creation of Additional Domain Controller on Windows Server 2008.

Basic details of ADC.

TCP/IP configuration of Additional Domain Controller in Salt-lake.


Server name changed to BHELPSERADC01.

Hard disk partition information of BHELPSERADC01.

A new simple volume is created for the AD database.


Welcome wizard: click Next.

Specify the size of the volume.


Choose a drive letter and then click Next.

Format the volume with the NTFS file system, supplying the appropriate details.


Format completed successfully.

Installation of the DNS Server role on BHELPSERADC01.


Click Add Roles.

Welcome wizard: click Next.

Select the DNS Server role and then click Next.


Click Next.

Process of adding the DNS server role started.


DNS server role service successfully installed.

ADC creation in Salt-lake.


Configure this server as an additional domain controller for the domain bhelpser.co.in.

Open a command prompt and type dcpromo.

Welcome wizard.

Check the Use advanced mode installation check box, then click Next.


Click Next.

Select Existing forest and Add a DC to an existing domain.


Provide the name of the existing domain name.

Supply Domain Admins credentials for creating the additional domain controller.


Select the domain bhelpser.co.in and then click next.

Select the default first site and then click next.

Check the Global catalog option and then click next.

Select the first option for replicating the database over the network.

Select the root domain controller.

Specify the path for Active Directory Database.

Supply the Directory Services Restore Mode (DSRM) administrator password. These credentials are needed to restore Active Directory in case of a failure.

Summary of the whole wizard.


Click next.

Process of installation of Active Directory Services started.

Click on Finish button.

Click Finish and restart the server for the changes to take effect.

After the restart, the server will require more than 24 hours to complete the replication of all Active Directory components.

Creation of Read-Only Domain Controller on Windows Server 2008 at Budge-Budge.

TCP/IP configuration of the read-only domain controller at Budge-Budge.

Server name changed to BHELBUDGRODC01.

Installation of DNS on BHELBUDGRODC01.

Click Add roles


Welcome wizard, click next

Check the DNS server and then click next.

Click next.

Process of adding the DNS server role started.

DNS server role service successfully installed.

RODC creation in Budge-Budge.

Configure this server as a read-only Active Directory domain controller for the domain bhelpser.co.in.

Open cmd and type dcpromo.

Welcome wizard.

Check the advanced mode installation check box then Click next.

Click next.

Select Existing forest and Add a DC to an existing domain.

Provide the name of the existing domain name.

Supply the credentials of a domain administrator for creating the RODC.

Select the domain bhelpser.co.in and then click next.

Select the Budge-Budge site and then click next.

Select Global catalog and RODC, then click next.

Select ‘Allowed RODC Password Replication’ and click next.

Select Allow password for the account to replicate to this RODC.

Add Domain Users.

Set the domain administrator user account for delegation of RODC Installation and Administration.

Select the first option for replicating the database over the network.

Select the root domain controller.

Specify the path for Active Directory Database.

Supply the Directory Services Restore Mode (DSRM) administrator password. These credentials are needed to restore Active Directory in case of a failure.

Summary of the whole wizard.


Click next.

Exported settings of DCPROMO wizard.

; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
; dcpromo.exe /unattend:C:\Bhel Implementation\rodc-settings.txt
;
; You may need to fill in password fields prior to using the unattend file.
; If you leave the values for "Password" and/or "DNSDelegationPassword"
; as "*", then you will be asked for credentials at runtime.
;
[DCInstall]
; Read-Only Replica DC promotion
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=bhelpser.co.in
; RODC Password Replication Policy
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="BHELPSER\Denied RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\Allowed RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\Domain Users"
DelegatedAdmin="BHELPSER\emperor"
SiteName=Budge-Budge
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=bhelpser.co.in
UserName=bhelpser.co.in\emperor
Password=*
ReplicationSourceDC=BHELPSERRDC01.bhelpser.co.in
DatabasePath="D:\Windows\NTDS"
LogPath="D:\Windows\NTDS"
SYSVOLPath="D:\Windows\SYSVOL"
; Set SafeModeAdminPassword to the correct value prior to using the unattend file
SafeModeAdminPassword=
; Run-time flags (optional)
; CriticalReplicationOnly=Yes
; RebootOnCompletion=Yes

Process of installation of Active Directory Services started.

Click on Finish Button.

Click Finish and restart the server for the changes to take effect.

After the restart, the server will need time to complete replication.

On the RODC, the option for creating users and groups is grayed out.

Creation of Read Only Domain Controller on Windows Server 2008 at Bakreswar.

TCP/IP configuration of Read-only Domain Controller at Bakreswar.

Server name changed to BHELBAKRRODC01.

Installation of DNS on BHELBAKRRODC01.

Click Add roles

Welcome wizard, click next

Check the DNS server and then click next.

Click next.

Process of adding the DNS server role started.

DNS server role service successfully installed.

RODC creation in Bakreswar.

Configure this server as a read-only Active Directory domain controller for the domain bhelpser.co.in.

Open cmd and type dcpromo.

Welcome wizard; click Next.

Check the advanced mode installation check box then Click next.

Click on Next.

Select Existing forest and Add a DC to an existing domain.

Provide the name of the existing domain name.

Supply the credentials of a domain administrator for creating the RODC.

Select the domain bhelpser.co.in and then click next.

Select the Bakreswar site and then click next.

Select Global catalog and RODC then click next.

Select ‘Allowed RODC Password Replication’ and click next.

Select Allow password for the account to replicate to this RODC.

Add Domain Users.

Set the domain administrator user account for delegation of RODC Installation and Administration.

Select the first option for replicating the database over the network.

Select the root domain controller.

Specify the path for Active Directory Database.

Supply the Directory Services Restore Mode (DSRM) administrator password. These credentials are needed to restore Active Directory in case of a failure.
DSRM Passwords bhel@123#

Summary of the whole wizard.


Click next.

Exported settings of DCPROMO wizard.


; DCPROMO unattend file (automatically generated by dcpromo)
; Usage:
; dcpromo.exe /unattend:C:\rodc setting.txt
;
; You may need to fill in password fields prior to using the unattend file.
; If you leave the values for "Password" and/or "DNSDelegationPassword"
; as "*", then you will be asked for credentials at runtime.
;
[DCInstall]
; Read-Only Replica DC promotion
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=bhelpser.co.in
; RODC Password Replication Policy
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="BHELPSER\Denied RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\Allowed RODC Password Replication Group"
DelegatedAdmin="BHELPSER\emperor"
SiteName=Bakreswar
InstallDNS=Yes
ConfirmGc=Yes
CreateDNSDelegation=No
UserDomain=bhelpser.co.in
UserName=bhelpser\emperor
Password=*
ReplicationSourceDC=BHELPSERRDC01.bhelpser.co.in
DatabasePath="d:\Windows\NTDS"
LogPath="d:\Windows\NTDS"
SYSVOLPath="d:\Windows\SYSVOL"
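The two exported DCPROMO unattend files (Budge-Budge above and Bakreswar here) carry the Password Replication Policy that decides which account secrets each RODC may cache at the branch site. As an added example, not part of this document or of dcpromo itself, the following Python script parses the [DCInstall] format shown in those exports and audits the PRP entries; the sample input is constructed to mirror the Budge-Budge file, and the function and constant names are this example's own.

```python
"""Audit the RODC Password Replication Policy in a dcpromo unattend file.

Added example, not part of the document or of dcpromo: the [DCInstall]
format and the PasswordReplicationAllowed/Denied keys are those shown in
the exported files; the sample input below is constructed to mirror the
Budge-Budge export, and the function names are this example's own.
"""
import re
from dataclasses import dataclass, field

# Groups that dcpromo places in the denied list by default. If one is
# missing, that group's secrets could be cached on the branch-office RODC.
DEFAULT_DENIED = {
    "BUILTIN\\Administrators",
    "BUILTIN\\Server Operators",
    "BUILTIN\\Backup Operators",
    "BUILTIN\\Account Operators",
}

# Allowing one of these means nearly every user's password hash may end up
# on the RODC, which is what the allow/deny split is meant to limit.
BROAD_PRINCIPALS = {"Domain Users", "Authenticated Users", "Everyone"}


@dataclass
class DCInstall:
    allowed: list = field(default_factory=list)
    denied: list = field(default_factory=list)
    settings: dict = field(default_factory=dict)


def parse_unattend(text):
    """Parse the [DCInstall] section of a dcpromo unattend file.

    The two PRP keys repeat once per principal, so they are collected into
    lists; every other key keeps its last value with surrounding double
    quotes stripped. Lines starting with ';' are comments.
    """
    cfg = DCInstall()
    in_section = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            in_section = header.group(1).lower() == "dcinstall"
            continue
        if not in_section or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        value = value.strip('"')
        if key == "PasswordReplicationAllowed":
            cfg.allowed.append(value)
        elif key == "PasswordReplicationDenied":
            cfg.denied.append(value)
        else:
            cfg.settings[key] = value
    return cfg


def audit_prp(cfg):
    """Return human-readable findings about the RODC promotion settings."""
    findings = []
    if cfg.settings.get("ReplicaOrNewDomain", "").lower() != "readonlyreplica":
        return ["ReplicaOrNewDomain is not ReadOnlyReplica; no RODC PRP applies"]
    for group in sorted(DEFAULT_DENIED - set(cfg.denied)):
        findings.append(f"privileged group not denied: {group}")
    for principal in cfg.allowed:
        if principal.split("\\")[-1] in BROAD_PRINCIPALS:
            findings.append(f"broad allow entry: {principal}")
    for principal in sorted(set(cfg.allowed) & set(cfg.denied)):
        # Deny takes precedence over allow on an RODC; such an entry is a
        # sign that the policy was not thought through.
        findings.append(f"listed as both allowed and denied: {principal}")
    if not cfg.settings.get("SafeModeAdminPassword"):
        findings.append("SafeModeAdminPassword is empty; set it before unattended use")
    return findings


# Constructed sample, modelled on the Budge-Budge export (not a real file).
SAMPLE = r"""
; DCPROMO unattend file (constructed sample)
[DCInstall]
ReplicaOrNewDomain=ReadOnlyReplica
ReplicaDomainDNSName=bhelpser.co.in
PasswordReplicationDenied="BUILTIN\Administrators"
PasswordReplicationDenied="BUILTIN\Server Operators"
PasswordReplicationDenied="BUILTIN\Backup Operators"
PasswordReplicationDenied="BUILTIN\Account Operators"
PasswordReplicationDenied="BHELPSER\Denied RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\Allowed RODC Password Replication Group"
PasswordReplicationAllowed="BHELPSER\Domain Users"
DelegatedAdmin="BHELPSER\emperor"
SiteName=Budge-Budge
InstallDNS=Yes
ConfirmGc=Yes
ReplicationSourceDC=BHELPSERRDC01.bhelpser.co.in
SafeModeAdminPassword=
"""

if __name__ == "__main__":
    config = parse_unattend(SAMPLE)
    print(f"site {config.settings['SiteName']}: "
          f"{len(config.allowed)} allowed, {len(config.denied)} denied")
    for finding in audit_prp(config):
        print("FINDING:", finding)
```

Run against the Budge-Budge-style sample it reports the "Domain Users" allow entry and the empty SafeModeAdminPassword; the Bakreswar export, which lacks the "Domain Users" line, would produce only the latter.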

Process of installation of Active Directory Services started.

Click Finish and restart the server for the changes to take effect.

After the restart, the server will need time to complete replication.

The user creation and deletion options are grayed out on the RODC.

1.5.2 TOOLS
Various tools are available for monitoring and troubleshooting Active Directory.

1. NTDSUTIL
2. DCDIAG
3. NLTEST
4. NETDIAG
5. DNSLINT
6. ADSIEDIT
7. ADPREP
8. REPADMIN
9. REPLMON
10. RSOP

1.5.3 NTDSUTIL Overview

NTDSUTIL.EXE is a command-line tool that is used to manage Active Directory. This utility is used to
perform the following tasks:

 Performing database maintenance of Active Directory.
 Managing and controlling operations master roles.
 Removing metadata left behind by domain controllers.

For how to transfer and seize operations master roles with this tool, see the URL below:

http://support.microsoft.com/kb/255504

Security Account Management (Maintenance) With NTDSUTIL

Let us start gently and check for duplicate SIDs. This experiment is more for gaining experience of the NTDSUTIL interface than for the probability of finding any duplicate SIDs. This is what I typed at the command prompt; my commands are in bold:

E:\ntdsutil>ntdsutil
ntdsutil: security account management
Security Account Maintenance: connect to server BigServer
Security Account Maintenance: check duplicate sid
...
Duplicate SID check completed successfully. Check dupsid.log for any duplicates
Security Account Maintenance:

1.5.4 Reset password for DSRM (Directory Services Restore Mode) with NTDSUTIL
Here is where I challenge you to perform a real task. Once upon a time, when your Windows Server 2003/2008 was first installed, setup asked the installer for a separate Directory Services Restore Mode password. 90% of administrators ignored the box or forgot the password. 50% of administrators don't realize that this Directory Services Restore Mode password is different from the normal Administrator password. The two can get out of sync because they are stored in separate databases.

Now is your chance to reset the password that will be required if ever you need to restart the server in Active Directory Restore Mode. In many ways this is an insignificant job; in other ways it saves the frustration of being thwarted by not having the administrative password for this context.

E:\ntdsutil>ntdsutil
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server BigServer
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.

Reset DSRM Administrator Password: quit
ntdsutil: quit
E:\ntdsutil>

1.5.5 ADSIEDIT OVERVIEW


ADSI Edit (Active Directory Services Interface) is the best Windows Server 2003/2008 tool for combining learning with troubleshooting. The number of configuration tasks that require ADSI Edit is on the increase; therefore take the time to install ADSI Edit and explore Active Directory's properties and values. Incidentally, some call this Microsoft utility adsiedit.

In your Windows Active Directory career you will find dozens of occasions where the only cure to your problem is editing the Domain or Configuration partition with ADSI Edit. On this page, it is not my intention to cure a specific Windows Server 2003/2008 problem; I merely chose the examples to give you a good grounding in the utility.

Nobody wins their Active Directory spurs without knowing where to find ADSI Edit. No-one gets to be a top Windows Server 2003/2008 techie before they have explored the Domain and Configuration partitions with ADSI Edit. Without ADSI Edit experience, many TechNet articles will be beyond your skill level. While ADSI Edit is not Microsoft's most difficult tool, you have to be careful as there is no error checking.

You can download this tool here:

http://www.computerperformance.co.uk/ScriptsGuy/adsi.zip

Example of how to use ADSI Edit

This example has all the ingredients for learning about ADSI Edit, namely planning, attention to detail and a real-life scenario where there is no other way of configuring the settings. Our objective is to change the display from "First Name, Last Name" to "Last Name, First Name". From the outset, let us be clear which field we are changing.

Our mission is to change the first field in Active Directory Users and Computers, the column called 'Name', and not the 'Display Name' or 'Description' column. (Although you could change those too, that would be a separate project.) The above diagram shows the final result; let us see how we achieve this goal.

1. Launch ADSI Edit and make sure you start at the Configuration container.
2. Next it's CN=Configuration, DisplaySpecifiers. CN=409 means English sort order (not Spanish or Arabic).
3. What we want is the user-Display properties; the crucial attribute is createDialog (not description).
4. Now it took me four tries before I perfected the string value:
%<sn>, %<givenName>

1.5.6 DCDIAG OVERVIEW


DCDiag is one of those command-line utilities that you should turn to when you have a Windows Server 2003/2008 problem. As a source of Active Directory clues, DCDiag comes second only to the Event Logs. You may have guessed that the DC in DCDiag means domain controller.

Tasks that can be done with this tool:

1. Preparing to install or migrate to Exchange 2003/2008.
2. Checking FSMO roles.
3. Troubleshooting Group Policy.
4. Investigating the "Active Directory not replicating" frssysvol error.
5. Running down Kerberos authentication problems.
6. Resetting the Directory Service Administrator's password.
7. Fixing a server's Service Principal Name (SPN) error.

DCDiag switches

1. /v  I have to admit that at first I had no idea that DCDiag had switches. Whilst I should have known that Microsoft would provide switches, I had no idea that there were so many. I will let you into another secret: I have never before known the /v (verbose) switch to be of any use. My point is that many utilities have this switch and normally I avoid it, but in the case of DCDiag the /v is a little gem, which I use at every opportunity.
2. /q  From the sublime /v you could go to the ridiculous /q, which only reports errors.
3. /s  As always, /s specifies the server, or in this case, the domain controller.
4. /fix  Fixes Service Principal Name (SPN) problems.

5. /f:logfile.txt  Slightly confusing given that there is also a /fix switch. It works like the redirect pipe (> filename.txt). Personally, I copy and paste from the command prompt, but if you are more organized, then use /f:filename to output to a file.
6. /test:  Confession time. I gave up with the /test; I just could not get it to filter the DNS tests as advertised. I consoled myself that you can always get the information by running the full test and just reading the parts that are of interest. However, I got the /test switch working perfectly with NetDiag.
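The /q and /f:logfile switches above pair naturally: save the full /v run to a file, then pull out only the failures. As an added example that is not part of this document, the following Python script parses the per-test result lines dcdiag writes ("......... SERVER passed test NAME" or "failed test") and gives a per-server summary; the log excerpt is constructed, reusing the server and site names from this document, and the function names are this example's own.

```python
"""Summarise a saved dcdiag log (dcdiag /v /f:logfile.txt) by server and test.

Added example, not part of the document: it relies only on the result line
dcdiag prints for every test, e.g.
    ......................... DC1 passed test Connectivity
The log excerpt below is constructed, using the server and site names from
the document; the function names are this example's own.
"""
import re
from collections import defaultdict

# Leading dots, then the server or partition name, the verdict and the test.
RESULT_RE = re.compile(r"\.{3,}\s+(\S+)\s+(passed|failed)\s+test\s+(\S+)")


def parse_dcdiag(text):
    """Map each server (or partition) name to {test_name: 'passed'|'failed'}."""
    results = defaultdict(dict)
    for line in text.splitlines():
        match = RESULT_RE.search(line)
        if match:
            name, verdict, test = match.groups()
            results[name][test] = verdict
    return dict(results)


def failed_tests(results):
    """Sorted (name, test) pairs that failed: the view dcdiag /q would give."""
    return sorted(
        (name, test)
        for name, tests in results.items()
        for test, verdict in tests.items()
        if verdict == "failed"
    )


def summary_lines(results):
    """One line per server or partition: passed/total, then any failed tests."""
    lines = []
    for name in sorted(results):
        verdicts = results[name]
        failed = sorted(t for t, v in verdicts.items() if v == "failed")
        line = f"{name}: {len(verdicts) - len(failed)}/{len(verdicts)} tests passed"
        if failed:
            line += "; failed: " + ", ".join(failed)
        lines.append(line)
    return lines


# Constructed excerpt in dcdiag's output layout (not a real capture).
SAMPLE_LOG = """\
Directory Server Diagnosis
Performing initial setup:
   Trying to find home server...
   Home Server = BHELPSERRDC01
Doing initial required tests
   Testing server: Default-First-Site-Name\\BHELPSERRDC01
      Starting test: Connectivity
         ......................... BHELPSERRDC01 passed test Connectivity
Doing primary tests
   Testing server: Default-First-Site-Name\\BHELPSERRDC01
      Starting test: Advertising
         ......................... BHELPSERRDC01 passed test Advertising
      Starting test: Replications
         [Replications Check,BHELPSERRDC01] A recent replication attempt failed:
            From BHELPSERADC01 to BHELPSERRDC01
         ......................... BHELPSERRDC01 failed test Replications
   Testing server: Budge-Budge\\BHELBUDGRODC01
      Starting test: Connectivity
         ......................... BHELBUDGRODC01 passed test Connectivity
      Starting test: SysVolCheck
         ......................... BHELBUDGRODC01 passed test SysVolCheck
   Running partition tests on : bhelpser
      Starting test: CheckSDRefDom
         ......................... bhelpser passed test CheckSDRefDom
"""

if __name__ == "__main__":
    parsed = parse_dcdiag(SAMPLE_LOG)
    for line in summary_lines(parsed):
        print(line)
    for name, test in failed_tests(parsed):
        print(f"FAILED: {name} {test}")
```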

DCDiag Example using my favorite /v

***Searching...
ldap_search_s(ld, "DC=cp,DC=com", 2, "(cn=a*)", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 24 entries:
>> Dn: CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com
2> objectClass: top; container;
1> cn: a86fe12a-0f62-4e2a-b271-d27f601f8182;
1> distinguishedName: CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com;
1> name: a86fe12a-0f62-4e2a-b271-d27f601f8182;
1> canonicalName: cp.com/System/DomainUpdates/Operations/a86fe12a-0f62-4e2a-b271-d27f601f8182;
>> Dn: CN=ab402345-d3c3-455d-9ff7-40268a1099b6,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com
2> objectClass: top; container;
1> cn: ab402345-d3c3-455d-9ff7-40268a1099b6;
1> distinguishedName: CN=ab402345-d3c3-455d-9ff7-40268a1099b6,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com;
1> name: ab402345-d3c3-455d-9ff7-40268a1099b6;
1> canonicalName: cp.com/System/DomainUpdates/Operations/ab402345-d3c3-455d-9ff7-40268a1099b6;
>> Dn: CN=ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9,CN=Packages,CN=Class Store,CN=Machine,CN={4627307D-103B-4A81-99D0-B5B06B8AD999},CN=Policies,CN=System,DC=cp,DC=com
2> objectClass: top; packageRegistration;
1> cn: ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9;
1> distinguishedName: CN=ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9,CN=Packages,CN=Class Store,CN=Machine,CN={4627307D-103B-4A81-99D0-B5B06B8AD999},CN=Policies,CN=System,DC=cp,DC=com;
1> name: ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9;
1> canonicalName: cp.com/System/Policies/{4627307D-103B-4A81-99D0-B5B06B8AD999}/Machine/Class Store/Packages/ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9;
>> Dn: CN=abab2104-5729-4bed-ac94-a65c89516e84,CN=AppCategories,CN=Default Domain Policy,CN=System,DC=cp,DC=com
3> objectClass: top; leaf; categoryRegistration;
1> cn: abab2104-5729-4bed-ac94-a65c89516e84;
1> distinguishedName: CN=abab2104-5729-4bed-ac94-a65c89516e84,CN=AppCategories,CN=Default Domain Policy,CN=System,DC=cp,DC=com;
1> name: abab2104-5729-4bed-ac94-a65c89516e84;
1> canonicalName: cp.com/System/Default Domain Policy/AppCategories/abab2104-5729-4bed-ac94-a65c89516e84;
>> Dn: CN=Account Operators,CN=Builtin,DC=cp,DC=com
2> objectClass: top; group;
1> cn: Account Operators;
1> description: Members can administer domain user and group accounts;
1> distinguishedName: CN=Account Operators,CN=Builtin,DC=cp,DC=com;
1> name: Account Operators;
1> canonicalName: cp.com/Builtin/Account Operators;

>> Dn: CN=Administrator,CN=Users,DC=cp,DC=com
4> objectClass: top; person; organizationalPerson; user;
1> cn: Administrator;
1> description: Built-in account for administering the computer/domain;
1> distinguishedName: CN=Administrator,CN=Users,DC=cp,DC=com;
1> name: Administrator;
1> canonicalName: cp.com/Users/Administrator;
>> Dn: CN=Administrators,CN=Builtin,DC=cp,DC=com
2> objectClass: top; group;
1> cn: Administrators;
1> description: Administrators have complete and unrestricted access to the computer/domain;
1> distinguishedName: CN=Administrators,CN=Builtin,DC=cp,DC=com;
1> name: Administrators;
1> canonicalName: cp.com/Builtin/Administrators;

1.5.7 NETDIAG OVERVIEW


NetDiag provides a master class in testing network availability. When you run NetDiag from the command line it carries out a battery of tests, which test your servers' ability to operate successfully. As usual, my goal in this NetDiag tutorial is to show you how to get testing your LAN or WAN network.

Examples of NetDiag

1. Installing Exchange and you wish to check that you can connect to other servers.
2. Checking VPN network tunnels on the WAN.
3. DNS problems.  Computers cannot 'see' their domain controller on the LAN.
4. A quick check on hotfixes.
5. Check the Network Card Bindings from the command prompt.
6. You are having problems with IPSEC.
7. Winsock corruption, wrong version incompatibilities.
8. NetDiag checks that Domain Controllers are all able to 'speak' LDAP.

NetDiag switches

1. /v  If you need the full report on your network availability, then append this verbose switch to the command. Unlike the /v of other utilities, NetDiag /v really does produce chapter and verse on your network cards and their bindings.
2. /Debug  This debug switch was disappointing in that it did not produce any more details than those supplied by the /v. Perhaps I would have received extra information if my Windows Server 2003/2008 really had a network connectivity problem.

3. /q  When you just need to know if there are any errors, this is the switch for troubleshooting. The /q is the antithesis of the /v and /debug.
4. /test:  Unlike DCDiag, NetDiag's /test switch worked perfectly.

Example - NetDiag using my favourite /v

NetDiag printout:

Owner of the binding path : Remote Access NDIS WAN Driver
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndiswanasync
Upper Component: Remote Access NDIS WAN Driver
Lower Component: RAS Async Adapter

Component Name : Message-oriented TCP/IP Protocol (SMB session)
Bind Name: NetbiosSmb
Binding Paths:

Component Name : WINS Client(TCP/IP) Protocol
Bind Name: NetBT
Binding Paths:
Owner of the binding path : WINS Client(TCP/IP) Protocol
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: VIA Rhine II Fast Ethernet Adapter

Owner of the binding path : WINS Client(TCP/IP) Protocol
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)

Component Name : Internet Protocol (TCP/IP)
Bind Name: Tcpip
Binding Paths:
Owner of the binding path : Internet Protocol (TCP/IP)
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: VIA Rhine II Fast Ethernet Adapter

Owner of the binding path : Internet Protocol (TCP/IP)
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)

Component Name : Client for Microsoft Networks
Bind Name: LanmanWorkstation
Binding Paths:
Owner of the binding path : Client for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios_smb
Upper Component: Client for Microsoft Networks
Lower Component: Message-oriented TCP/IP Protocol (SMB session)

Owner of the binding path : Client for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: Client for Microsoft Networks
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: VIA Rhine II Fast Ethernet Adapter

Owner of the binding path : Client for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: Client for Microsoft Networks
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)

Component Name : WebClient
Bind Name: WebClient
Binding Paths:

Component Name : Virtual Machine Network Services
Bind Name: VPCNetS2
Binding Paths:
Owner of the binding path : Virtual Machine Network Services
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: ndis5
Upper Component: Virtual Machine Network Services
Lower Component: VIA Rhine II Fast Ethernet Adapter

Owner of the binding path : Virtual Machine Network Services
Binding Enabled: No
Interfaces of the binding path:
-Interface Name: ndiswanasync
Upper Component: Virtual Machine Network Services
Lower Component: RAS Async Adapter

Owner of the binding path : Virtual Machine Network Services
Binding Enabled: No
Interfaces of the binding path:
-Interface Name: ndiscowan
Upper Component: Virtual Machine Network Services
Lower Component: WAN Miniport (L2TP)

Owner of the binding path : Virtual Machine Network Services
Binding Enabled: No
Interfaces of the binding path:
-Interface Name: ndiswan
Upper Component: Virtual Machine Network Services
Lower Component: WAN Miniport (PPTP)

Owner of the binding path : Virtual Machine Network Services
Binding Enabled: No
Interfaces of the binding path:
-Interface Name: ndiswan
Upper Component: Virtual Machine Network Services
Lower Component: WAN Miniport (PPPOE)

Owner of the binding path : Virtual Machine Network Services
Binding Enabled: No
Interfaces of the binding path:
-Interface Name: ndiscowan
Upper Component: Virtual Machine Network Services
Lower Component: Direct Parallel

Component Name : DHCP Server
Bind Name: DHCPServer
Binding Paths:

Component Name : Wireless Configuration
Bind Name: wzcsvc
Binding Paths:

Component Name : Network Load Balancing
Bind Name: Wlbs
Binding Paths:
Owner of the binding path : Network Load Balancing
Binding Enabled: No
Interfaces of the binding path:
-Interface Name: ndis5
Upper Component: Network Load Balancing
Lower Component: VIA Rhine II Fast Ethernet Adapter

Component Name : Steelhead
Bind Name: RemoteAccess
Binding Paths:

Component Name : Dial-Up Server
Bind Name: msrassrv
Binding Paths:

Component Name : Remote Access Connection Manager
Bind Name: RasMan
Binding Paths:

Component Name : Dial-Up Client
Bind Name: msrascli
Binding Paths:

Component Name : File and Printer Sharing for Microsoft Networks
Bind Name: LanmanServer
Binding Paths:
Owner of the binding path : File and Printer Sharing for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios_smb
Upper Component: File and Printer Sharing for Microsoft Networks
Lower Component: Message-oriented TCP/IP Protocol (SMB session)

Owner of the binding path : File and Printer Sharing for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: File and Printer Sharing for Microsoft Networks
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: VIA Rhine II Fast Ethernet Adapter

Owner of the binding path : File and Printer Sharing for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: File and Printer Sharing for Microsoft Networks
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)

Component Name : NetBIOS Interface


Bind Name: NetBIOS
Binding Paths:
Owner of the binding path : NetBIOS Interface
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: NetBIOS Interface
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: VIA Rhine II Fast Ethernet Adapter

Owner of the binding path : NetBIOS Interface
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: NetBIOS Interface
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)

Component Name : Generic Packet Classifier


Bind Name: Gpc
Binding Paths:

Component Name : Application Layer Gateway


Bind Name: ALG
Binding Paths:

Component Name : WAN Miniport (Network Monitor)


Bind Name: NdisWanBh
Binding Paths:

Component Name : WAN Miniport (IP)


Bind Name: NdisWanIp
Binding Paths:

Component Name : Direct Parallel


Bind Name: {008B21D9-D54E-4E48-89D4-6AFE56D46BD9}
Binding Paths:

Component Name : WAN Miniport (PPPOE)


Bind Name: {64B56A43-AB5C-4651-BA33-C2FD789C4FB9}
Binding Paths:

Component Name : WAN Miniport (PPTP)


Bind Name: {DC610D9D-0B7F-44A6-896A-385E053E25FD}
Binding Paths:

Component Name : WAN Miniport (L2TP)


Bind Name: {3169BFB1-4CA5-4B6E-B6C1-3F97DA23E954}
Binding Paths:

Component Name : RAS Async Adapter


Bind Name: {8F35788C-3CFD-41A6-B23B-720020295CF7}
Binding Paths:

Component Name : VIA Rhine II Fast Ethernet Adapter


Bind Name: {C5C19000-0322-4FC1-9566-A647EF0EB900}
Binding Paths:


WAN configuration test . . . . . . : Skipped


No active remote access connections.

Modem diagnostics test . . . . . . : Passed

IP Security test . . . . . . . . . : Skipped

Note: run "netsh ipsec dynamic show /?" for more detailed information

The command completed successfully

C:\Documents and Settings\guyt>

1.5.8 REPLMON OVERVIEW


Windows Server 2003/2008 - Replmon Support Tool Utility

Replmon is one of the most exciting tools in the Windows Server 2003/2008 toolkit.  I have a tutorial to get
you started with Replmon.  What I like about Replmon is the way that it combines business with pleasure and
practical with theory.  Before I explored Replmon I could not picture how Directory Replication works, with
Replmon I can see precisely what data is replicated to which partition.  The theory of Domain, Forest and
Schema partitions come to life when you can actually see the topology and the links.

Introduction to Directory Replication

Replmon displays information about Active Directory Replication.  In Windows Server 2003/2008, Microsoft
have improved upon Windows 2000 in two ways: reduced latency, and replicating only the attributes that
have changed rather than the whole object.  Both Windows 2000 and 2003/2008 use the same components,
namely a multi-master model, change notification and pull replication.

Reasons for Using Replmon

1. Replmon will give you clues why replication is not happening.  Sift through Active Directory
replication messages and find the last successful synchronization.

2. See what happens when you try and force replication.  Does Replmon magically synchronize, or
do you get a new meaningful error message?

3. If you do get replication errors, say when you run DCDiag, then force the KCC (Knowledge
Consistency Checker) to recreate the topology.

4. Should you have the luxury of a large forest, Replmon will give you an understanding of how the
domain controllers are joined by three separate rings.  In multiple domain configurations you
could experiment creating shortcut links.

5. Investigate if there are any complications with Trusts.  Examine the trust relationships, within or
between forests.

6. Discover more about the metadata, in particular the attributes of objects.  Again I confess a bias,
as I need LDAP attributes for my VBScripts; Replmon displays the objects and their correct LDAP
syntax.

7. Group Policies can be troublesome because there are two separate replication paths, Active
Directory and FRS.  Replmon also matches those strange hex-number files which you find under
sysvol with the corresponding names of the policies as seen in the GPMC (or Active Directory
Users and Computers).

Getting Started with Replmon

Installing Replmon is straightforward.  Load the Windows 2003/2008 CD into the caddy, navigate to
\support\tools and double click suptools.msi.  However, a word of warning: because there are so many .dlls
and associated Replmon files it is best to keep the files in their original locations.  Of all of the support tools,
Replmon is the fussiest about being run from its default location.  A bonus of keeping all the support files in
their default folder is that you can type the name of the executable in the Run dialog box and it will execute
because the operating system has learnt the 'Path'.  Thus, in this instance, type replmon in the Run dialog
box.

First look at the Replication Monitor

Once Replication Monitor executes, click on the Edit menu and Add Monitored Server.  Now follow your
nose, and connect to the desired Domain Controller.  If you have already used Active Directory Sites and
Services to manually replicate Active Directory or to check on which servers hold Global Catalogs, then
you cannot help noticing the similarities between the interfaces.  Note in passing that, as beginners, we
just focus on one site; however, in a big organization there are likely to be several sites, each with their
own ring of linked servers.

Here in Replication Monitor, explore the 4 or 5 Configuration containers; keep looking for more detail by
right clicking on any object that you see.  Below is an example of right clicking the Domain Controller object.

Appreciating the Scope of Replmon

Unlike other Windows Server 2003/2008 tools where you can practice on just one Domain Controller, with
Replmon you need two Domain Controllers to see any action.  In fact the more Domain Controllers you add,
the more you appreciate the clever ways in which replication functions.  Best of all, if you have a multi-domain
forest, then you can trace the differences between domain and forest topologies.  Theory says that all
domain controllers in the forest share the same schema; with Replmon you can actually see the one Schema
ring containing every domain controller.  Contrast the Schema ring with the domain ring, which has a
separate ring topology for each domain.

My advice is to begin by right clicking the ServerName object; from the resulting drop-down menu select
'Show Replication Topologies'.  As well as viewing how all the domain controllers are linked, this example
shows the value of right-clicking on any object that you meet.  At first it seems as though there is nothing
to see, but if you click on the View menu, Connection Objects Only, then all the Domain Controllers appear.

Still no sign of the replication links.  Let us try another right click, and select 'Show Intra-Site
Connections'.  At this point I pay attention to detail.  I remember that Intra means within, whereas Inter is
like Inter-City and means between.  What you should now see is topology links between all the Domain
Controllers.  Incidentally, the word 'Site' reminds us that to begin with, we are investigating just the
Default-First-Site; in a production network there may be multiple sites.

If you have 5 or more servers in the ring, you may consider right clicking and adding extra links to speed up
replication; this is particularly true for Windows 2000 networks, where latency is much longer than in
Windows Server 2003/2008.
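
Replmon itself belongs to the Windows Server 2003 Support Tools and is not part of Windows Server 2008,
where repadmin (installed with the AD DS role) exposes the same replication data.  The PowerShell script
below is an added example, not from the original document: it reports the last successful synchronization
and failure count for every partner of each listed DC and can force the KCC and a sync, which covers reasons
1 to 3 above.  The DC names are constructed placeholders, and ConvertFrom-Csv assumes PowerShell 2.0 or later.

```powershell
# Added example, not from the original document: the replication checks that Replmon is
# used for above (last successful sync, failure counts, forcing the KCC), done with repadmin,
# which ships with the AD DS role on Windows Server 2008.  The DC names are constructed
# placeholders; ConvertFrom-Csv needs PowerShell 2.0 or later.
param(
    [string[]]$DomainControllers = @('DC1.bhel.example', 'DC2.bhel.example'),
    [int]$MaxAgeHours = 24,   # flag a partner whose last success is older than this
    [switch]$Repair           # force the KCC and a full sync when problems are found
)

function Get-ReplicationProblems {
    param([string]$Dc, [int]$MaxAgeHours)
    $cutoff = (Get-Date).AddHours(-$MaxAgeHours)
    # /showrepl /csv emits one row per naming context and source partner, with a header row
    # whose columns include 'Number of Failures', 'Last Success Time' and 'Last Failure Status'.
    $rows = repadmin /showrepl $Dc /csv | ConvertFrom-Csv
    foreach ($row in $rows) {
        $failures = [int]$row.'Number of Failures'
        $lastOk   = $row.'Last Success Time' -as [datetime]   # $null if never synced
        if ($failures -gt 0 -or -not $lastOk -or $lastOk -lt $cutoff) {
            New-Object PSObject -Property @{
                Destination = $row.'Destination DSA'
                Partition   = $row.'Naming Context'
                Source      = $row.'Source DSA'
                Failures    = $failures
                LastSuccess = $row.'Last Success Time'
                LastStatus  = $row.'Last Failure Status'
            }
        }
    }
}

$problems = @(foreach ($dc in $DomainControllers) {
    Get-ReplicationProblems -Dc $dc -MaxAgeHours $MaxAgeHours
})

if ($problems.Count -eq 0) {
    Write-Host "All partners synced within $MaxAgeHours hours and no failures recorded."
} else {
    $problems | Format-Table Destination, Partition, Source, Failures, LastSuccess, LastStatus -AutoSize
    if ($Repair) {
        foreach ($dc in $DomainControllers) {
            repadmin /kcc $dc             # rebuild the topology (Replmon's 'force KCC')
            repadmin /syncall $dc /A /e   # pull every partition from every partner, across sites
        }
    }
}
```

Run it again without -Repair afterwards; a failure that persists after the KCC and sync points at DNS,
time skew or an unreachable partner rather than at the topology.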

Active Directory and System State Backup Procedure.

Install the Windows Server Backup Command Line Tools from Server Manager in Server 2008

Select Command Line Tools

Click Install Button

Installation begins

Installation Succeeded

Opening Windows Server Backup Console

Click Backup Once Option in Right Pane

Click Next

Select Full Server

Specify Destination

Specify path on Network

Click Backup

Backup progress begins

Backup Completed.
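
The same backup driven from wbadmin, the command line tool installed in the first step above, as an added
example that is not part of the original document.  The share path is a constructed placeholder, the
-include note is an assumption about this server's volumes, and the system-state-only variant follows the
Windows Server 2008 rule that its target must be a local volume.

```powershell
# Added example, not from the original document: the backup the screenshots walk through,
# run with wbadmin (the Command Line Tools installed above) so it can be repeated or
# scheduled.  The share path is a constructed placeholder.
function Invoke-DcBackup {
    param([string]$Target, [switch]$SystemStateOnly)

    if ($SystemStateOnly) {
        # System state alone (ntds.dit, SYSVOL, registry, boot files) is smaller and faster.
        # On Windows Server 2008 its target must be a local volume that is not itself a
        # critical volume; a UNC path is rejected by wbadmin.
        & wbadmin start systemstatebackup "-backupTarget:$Target" -quiet
    } else {
        # -allCritical takes every volume holding system state, enough for a full DC
        # recovery; add -include:D: (etc.) to match the GUI's 'Full server' selection exactly.
        # -vssFull marks files as backed up so other backup software sees a full backup.
        & wbadmin start backup "-backupTarget:$Target" -allCritical -vssFull -quiet
    }
    $rc = $LASTEXITCODE
    if ($rc -ne 0) {
        Write-Error "wbadmin exited with code $rc; see the Microsoft-Windows-Backup Operational log."
        return $rc
    }
    # Confirm the job was catalogued before trusting it; the newest version is listed last.
    & wbadmin get versions "-backupTarget:$Target"
    return 0
}

# The backup image contains ntds.dit, i.e. every account's password hash: restrict the
# share and NTFS ACLs on the target to the backup account and Domain Admins.
Invoke-DcBackup -Target '\\backupsrv.bhel.example\ADBackups'   # full server to network share
# Invoke-DcBackup -Target 'E:' -SystemStateOnly                   # system state to a local disk
```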

Please find below the links for AD restoration and Full Computer Restore purposes:

http://technet.microsoft.com/en-us/library/cc730683.aspx

http://technet.microsoft.com/en-us/library/cc731835.aspx

http://technet.microsoft.com/en-us/library/cc771045.aspx

End of the Document

==============================================================================
