BHEL /Kolkata/ Windows Server 2008 Active Directory Implementation and Migration
Document Title: Microsoft Windows Server 2008 Active Directory Implementation and Migration Document.
(All revisions made to this document must be listed in chronological order, with the most recent revision at the top.)
Contents
About this Document...............................................................................................5
About the Project..................................................................................................5
Overview of Project................................................................................................ 5
1 Company Profile:....................................................................................6
1.1.1 Introduction to Active Directory...................................................................6
1.1.2 Why Have a Directory Service?.....................................................................6
1.1.3 The Windows Server 2003/2008 Directory Service..............................................6
1.1.4 Active Directory Services Features................................................................7
1.1.5 Active Directory Components......................................................................8
1.1.6 Logical Structures....................................................................................8
1.1.7 Physical Structures..................................................................................9
1.1.8 Catalog Services—The Global Catalog...........................................................10
1.1.9 Global Catalog Functions..........................................................................10
1.1.10 Replication.......................................................................................... 11
1.1.11 What Information Is Replicated..................................................................11
1.1.12 Trust Relationships.................................................................................11
1.1.13 Group Policies.......................................................................................12
1.1.14 DNS................................................................................................... 12
1.1.15 Operations Master Roles...........................................................................12
1.1.16 Forest-Wide Operations Master Roles...........................................................12
1.1.17 Schema Master Role................................................................................13
1.1.18 Domain Naming Master Role......................................................................13
1.1.19 Domain-Wide Operations Master Roles..........................................................13
1.1.20 RID Master Role.....................................................................................13
1.1.21 PDC Emulator Role.................................................................................14
1.1.22 Infrastructure Master Role........................................................................14
1.1.23 What Problems arises when Operation Masters Failure Occurs..............................14
1.2 What does an RODC do?....................................................................................16
1.3 Who will be interested in this feature?..................................................................16
1.4 Are there any special considerations?...................................................................17
1.5 What new functionality does this feature provide?....................................................17
1.5.2 TOOLS...............................................................................................123
1.5.3 NTDSUTIL Overview...............................................................................123
1.5.4 Reset password for DSRM (Directory Services Restore Mode) with NTDSUTIL............124
1.5.5 ADSIEDIT OVERVIEW..............................................................................124
1.5.6 DCDIAG OVERVIEW................................................................................126
1.5.7 NETDIAG OVERVIEW...............................................................................128
1.5.8 REPLMON OVERVIEW..............................................................................134
Windows Server 2003/2008 - Replmon Support Tool Utility...........................................135
This document will serve as the guideline for the project approach and for the implementation and migration of Active Directory 2008.
Installation of Windows Server 2008 with the latest service packs and hotfixes at BHEL Kolkata HQ.
Installation of Read-Only Domain Controllers for the Budge-Budge and Bakreswar remote locations.
Overview of Project
Project management and installation for the complete project are carried out by the Wipro MSBU Infrastructure Availability Services team, in the following phases:
Configuration gathering
Implementation phase
Documentation and training
Sign-off for the project
Team involved in executing the project: Kamal Singh & Gurpreet Singh
WIPRO – BHEL Confidential Page 5
Wipro Infotech - MSBU Division
1 Company Profile:
BHEL is today the largest engineering and manufacturing enterprise in India in the energy-related/infrastructure
sector. BHEL was established more than 40 years ago, ushering in the indigenous Heavy Electrical
Equipment industry in India - a dream that has been more than realized with a well-recognized track record
of performance. The company has been earning profits continuously since 1971-72 and paying dividends
since 1976-77.
BHEL manufactures over 180 products under 30 major product groups and caters to core sectors of the
Indian Economy viz., Power Generation & Transmission, Industry, Transportation, Telecommunication,
Renewable Energy, etc. The wide network of BHEL's 14 manufacturing divisions, four Power Sector regional
centers, over 100 project sites, eight service centers and 18 regional offices, enables the Company to
promptly serve its customers and provide them with suitable products, systems and services -- efficiently and
at competitive prices. The high level of quality & reliability of its products is due to the emphasis on design,
engineering and manufacturing to international standards by acquiring and adapting some of the best
technologies from leading companies in the world, together with technologies developed in its own R&D
Center.
1.1.1 Introduction to Active Directory
Active Directory directory service provides a single point of network resource management, allowing you to
add, remove, and relocate users and resources easily. This chapter introduces you to Active Directory
concepts and administration tasks and walks you through the steps involved in planning an Active Directory
infrastructure.
1.1.2 Why Have a Directory Service?
A directory service provides the means to organize and simplify access to resources of a networked computer
system. Users and administrators might not know the exact name of the objects they need. However, they
might know one or more characteristics of the objects in question. As illustrated in Figure 1-1, they can use a
directory service to query the directory for a list of objects that match known characteristics. For example,
“Find all color printers on the third floor” queries the directory for all color printer objects that are associated
with the third floor characteristic (or maybe a location characteristic that has been set to “third floor”). A
directory service makes it possible to find an object based on one or more of its characteristics.
Active Directory is the directory service included in the Windows Server 2003/2008 family. Active Directory
includes the directory, which stores information about network resources, as well as all the services that
make the information available and useful. Active Directory is also the directory service included in Windows
2000.
1.1.4 Active Directory Services Features
Active Directory in the Windows Server 2003/2008 family is a significant enhancement over the flat domain
model provided in Windows NT. Active Directory is integrated within the Windows Server 2003/2008 family
and offers the following features:
■ Centralized data store: All data in Active Directory resides in a single, distributed data repository, allowing users easy access to the information from any location. A single distributed data store requires less administration and duplication and improves the availability and organization of data.
■ Scalability: Active Directory enables you to scale the directory to meet business and network requirements through the configuration of domains and trees and the placement of domain controllers. Active Directory allows millions of objects per domain and uses indexing technology and advanced replication techniques to speed performance.
■ Extensibility: The structure of the Active Directory database (the schema) can be expanded to allow customized types of information.
■ Manageability: In contrast to the flat domain model used in Windows NT, Active Directory is based on hierarchical organizational structures. These organizational structures make it easier for you to control administrative privileges and other security settings, and make it easier for your users to locate network resources such as files and printers.
■ Integration with the Domain Name System (DNS): Active Directory uses DNS, an Internet standard service that translates easily readable host names to numeric Internet Protocol (IP) addresses. Although separate and implemented differently for different purposes, Active Directory and DNS have the same hierarchical structure. Active Directory clients use DNS to locate domain controllers. When using the Windows Server 2003/2008 DNS service, primary DNS zones can be stored in Active Directory, enabling replication to other Active Directory domain controllers.
■ Client configuration management: Active Directory provides new technologies for managing client configuration issues, such as user mobility and hard disk failures, with a minimum of administration and user downtime.
■ Policy-based administration: In Active Directory, policies are used to define the permitted actions and settings for users and computers across a given site, domain, or organizational unit. Policy-based management simplifies tasks such as operating system updates, application installation, user profiles, and desktop-system lock down.
■ Flexible, secure authentication and authorization: Active Directory authentication and authorization services provide protection for data while minimizing barriers to doing business over the Internet. Active Directory supports multiple authentication protocols, such as the Kerberos version 5 protocol, Secure Sockets Layer (SSL) version 3, and Transport Layer Security (TLS) using X.509 version 3 certificates. In addition, Active Directory provides security groups that span domains.
■ Security integration: Active Directory is integrated with Windows Server 2003/2008 security. Access control can be defined for each object in the directory and on each property of each object. Security policies can be applied locally, or to a specified site, domain, or organizational unit.
■ Directory-enabled applications and infrastructure: Features within Active Directory make it easier for you to configure and manage applications and other directory-enabled network components. In addition, Active Directory provides a powerful development environment through Active Directory Service Interfaces (ADSI).
■ Interoperability with other directory services: Active Directory is based on standard directory access protocols, including Lightweight Directory Access Protocol (LDAP) version 3 and the Name Service Provider Interface (NSPI), and can interoperate with other directory services employing these protocols. Because LDAP is an industry-standard directory service protocol, programs can be developed using LDAP to share Active Directory information with other directory services that also support LDAP. The NSPI protocol, which is used by Microsoft Exchange Server 4 and 5.x clients, is supported by Active Directory to provide compatibility with the Exchange directory.
■ Signed and encrypted LDAP traffic: By default, Active Directory tools in Windows Server 2003/2008 sign and encrypt all LDAP traffic. Signing LDAP traffic guarantees that the packaged data comes from a known source and that it has not been tampered with.
1.1.6 Logical Structures
Domains: The core unit of logical structure in Active Directory is the domain, which can store millions of
objects. Objects stored in a domain are those considered vital to the network. These vital objects are items
the members of the networked community need in order to do their jobs: printers, documents, e-mail
addresses, databases, users, distributed components, and other resources. All network objects exist within a
domain, and each domain stores information only about the objects it contains. Active Directory is made up
of one or more domains. A domain can span more than one physical location.
OU: An OU is a container used to organize objects within a domain into a logical administrative group. OUs
provide a means for handling administrative tasks, such as the administration of users and resources, as they
are the smallest scope to which you can delegate administrative authority. An OU can contain objects such as
user accounts, groups, computers, printers, applications, file shares, and other OUs from the same domain.
The OU hierarchy within a domain is independent of the OU hierarchy structure of other domains—each
domain can implement its own OU hierarchy. By adding OUs to other OUs, or nesting, you can provide
administrative control in a hierarchical fashion.
Trees: A tree is a grouping or hierarchical arrangement of one or more Windows Server 2003/2008 domains
that you create by adding one or more child domains to an existing parent domain. Domains in a tree share a
contiguous namespace and a hierarchical naming structure. Namespaces are covered in detail in the next
lesson.
Forests: A forest is a grouping or hierarchical arrangement of one or more separate, completely independent
domain trees. As such, forests have the following characteristics:
1.1.7 Physical Structures
Sites: A site is a combination of one or more IP subnets connected by a highly reliable and fast link to localize
as much network traffic as possible. Typically, a site has the same boundaries as a local area network (LAN).
When you group subnets on your network, you should combine only subnets that have fast, cheap and
reliable network connections with one another. "Fast" network connections are at least 512 kilobits per
second (Kbps). An available bandwidth (the average amount of bandwidth that is available for use after
normal network traffic is handled) of 128 Kbps and higher is sufficient for a site.
Domain Controllers: A domain controller is a computer running Windows Server 2003/2008 that stores a
replica of the domain directory (local domain database). Because a domain can contain one or more domain
controllers, each domain controller in a domain has a complete replica of the domain's portion of the
directory. A domain controller can service only one domain. A domain controller also authenticates user
logon attempts and maintains the security policy for a domain.
1.1.8 Catalog Services—The Global Catalog
The global catalog is the central repository of information about objects in a tree or forest. By default, a
global catalog is created automatically on the initial domain controller in the first domain in the forest. A
domain controller that holds a copy of the global catalog is called a global catalog server. You can designate
any domain controller in the forest as a global catalog server. Active Directory uses multimaster replication to
replicate the global catalog information between global catalog servers in other domains. It stores a full
replica of all object attributes in the directory for its host domain and a partial replica of all object attributes
contained in the directory for every domain in the forest. The partial replica stores attributes most frequently
used in search operations (such as a user’s first and last names, logon name, and so on). Attributes are
marked or unmarked for replication in the global catalog when they are defined in the Active Directory
schema. Object attributes replicated to the global catalog inherit the same permissions as in source domains,
ensuring that data in the global catalog is secure.
1.1.9 Global Catalog Functions
■ It enables a user to log on to a network by providing universal group membership information to a domain
controller when a logon process is initiated.
■ It enables finding directory information regardless of which domain in the forest actually contains the data.
1.1.10 Replication
Users and services should be able to access directory information at any time from any computer in the
domain tree or forest. Replication ensures that changes to a domain controller are reflected in all domain
controllers within a domain. Directory information is replicated to domain controllers both within and among
sites.
1.1.14 DNS
DNS is a service used in Transmission Control Protocol/Internet Protocol (TCP/IP) networks, such as the
Internet, to locate computers and services through user-friendly names. DNS provides a method of naming
computers and network services using a hierarchy of domains. When a user enters a user-friendly DNS name
in an application, DNS services can resolve the name to other information associated with the name, such as
an IP address. For example, it's easy for most users who want to locate a computer on a network to
remember and learn a friendly name such as example.microsoft.com. However, computers communicate
over a network by using numeric addresses. DNS provides a way to map the user-friendly name for a
computer or service to its numeric address. If you have used a Web browser, you have used DNS.
1.1.15 Operations Master Roles
In any Active Directory forest, five operations master roles must be assigned to one or more domain
controllers. Some roles must appear in every forest. Other roles must appear in every domain in the forest.
You must be aware of operations master roles assigned to a domain controller if problems develop on the
domain controller or if you plan to take it out of service.
1.1.16 Forest-Wide Operations Master Roles
Schema master
Domain naming master
These roles must be unique in the forest. This means that throughout the entire forest there can be only one
schema master and one domain naming master.
1.1.20 RID Master Role
Whenever a domain controller creates a user, group, or computer object, it assigns the object a unique
security ID. The security ID consists of a domain security ID (that is the same for all security IDs created in the
domain) and a relative ID that is unique for each security ID created in the domain.
To move an object between domains (using Movetree.exe: Active Directory Object Manager), you must
initiate the move on the domain controller acting as the RID master of the domain that currently contains the
object.
1.1.21 PDC Emulator Role
BDCs. At any time, there can be only one domain controller acting as the PDC emulator in each domain in the
forest.
Even after all systems are upgraded to Windows Server 2003/2008, and the Windows Server 2003/2008
domain is operating at the Windows Server 2003/2008 functional level, the PDC emulator receives
preferential replication of password changes performed by other domain controllers in the domain. If a
password was recently changed, that change takes time to replicate to every domain controller in the
domain. If a logon authentication fails at another domain controller due to a bad password, that domain
controller forwards the authentication request to the PDC emulator before rejecting the logon attempt.
There is no compromise to security during the time between the member rename and the group update.
Only an administrator looking at that particular group membership would notice the temporary
inconsistency.
1.1.23 What Problems Arise When an Operations Master Failure Occurs
RID Master Failure: Temporary loss of the RID operations master is not visible to network users. It is not
visible to network administrators either, unless they are creating objects and the domain in which they are
creating the objects runs out of relative identifiers. If the RID master will be unavailable for an unacceptable
length of time, you can seize the role to the domain controller you've chosen to act as the standby RID
master. However, seizing this role is a step that you should take only when the failure of the RID master is
permanent.
PDC Emulator Failure: The loss of the PDC emulator affects network users. Therefore, when the PDC
emulator is not available, you might need to immediately seize the role. If the current PDC emulator will be
unavailable for an unacceptable length of time and its domain has clients without Windows Server
2003/2008 client software, or if it contains Windows NT backup domain controllers, seize the PDC emulator
role to the domain controller you've chosen to act as the standby PDC emulator. When the original PDC
emulator is returned to service, you can return the role to the original domain controller.
Infrastructure Master Failure: Temporary loss of the infrastructure master is not visible to network users. It
is not visible to network administrators either, unless they have recently moved or renamed a large number
of accounts. If the infrastructure master will be unavailable for an unacceptable length of time, you can seize
the role to a domain controller that is not a global catalog but is well connected to a global catalog (from any
domain), ideally in the same site as a global catalog server. When the original infrastructure master is
returned to service, you can transfer the role back to the original domain controller.
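The distinction drawn above between transferring a role (current holder still online) and seizing it (holder permanently lost) is easy to get wrong under pressure. The following PowerShell is an added example, not part of the Wipro/BHEL document: it lists the five role holders, checks whether each still answers LDAP, and refuses to seize a role whose holder is reachable or to transfer one whose holder is not. It assumes the ActiveDirectory module (RSAT) and uses BHELPSERRDC01 only as the example target name.

```powershell
# Added example: FSMO role inventory plus guarded transfer/seize.
# Assumes the ActiveDirectory PowerShell module and Domain/Enterprise Admin rights.
Import-Module ActiveDirectory

function Get-FsmoRoleHolder {
    # One object per operations master role with the DC that currently holds it.
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [PSCustomObject]@{ Role = 'SchemaMaster';         Scope = 'Forest'; Holder = $forest.SchemaMaster }
    [PSCustomObject]@{ Role = 'DomainNamingMaster';   Scope = 'Forest'; Holder = $forest.DomainNamingMaster }
    [PSCustomObject]@{ Role = 'RIDMaster';            Scope = 'Domain'; Holder = $domain.RIDMaster }
    [PSCustomObject]@{ Role = 'PDCEmulator';          Scope = 'Domain'; Holder = $domain.PDCEmulator }
    [PSCustomObject]@{ Role = 'InfrastructureMaster'; Scope = 'Domain'; Holder = $domain.InfrastructureMaster }
}

function Test-FsmoHolderReachable {
    param([Parameter(Mandatory)][string]$Holder)
    # A DC that answers RootDSE over LDAP is alive; an ICMP ping alone proves nothing about AD DS.
    try { [void](Get-ADRootDSE -Server $Holder -ErrorAction Stop); return $true }
    catch { return $false }
}

function Move-FsmoRole {
    param(
        [Parameter(Mandatory)][string]$Role,
        [Parameter(Mandatory)][string]$TargetDC,
        [switch]$Seize
    )
    # Transfer is the graceful path and requires the current holder online.
    # Seize (-Force) is only for the permanent-loss case; the old holder must
    # never be returned to the network still believing it owns the role.
    $holder = (Get-FsmoRoleHolder | Where-Object { $_.Role -eq $Role }).Holder
    $alive  = Test-FsmoHolderReachable -Holder $holder
    if ($Seize) {
        if ($alive) { throw "$Role holder $holder is still online; transfer instead of seizing." }
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Force -Confirm:$false
    } else {
        if (-not $alive) { throw "$Role holder $holder is unreachable; transfer is impossible. Seize only if the loss is permanent." }
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Role -Confirm:$false
    }
}

# Report: which role holders are unreachable right now.
Get-FsmoRoleHolder | ForEach-Object {
    $_ | Add-Member -NotePropertyName Reachable -NotePropertyValue (Test-FsmoHolderReachable -Holder $_.Holder) -PassThru
} | Format-Table Role, Scope, Holder, Reachable -AutoSize

# Graceful transfer of the PDC emulator to the new 2008 DC named in this document:
# Move-FsmoRole -Role PDCEmulator -TargetDC 'BHELPSERRDC01'
```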
1.2 What does an RODC do?
A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008
operating system. With an RODC, organizations can easily deploy a domain controller in locations where
physical security cannot be guaranteed. An RODC hosts read-only partitions of the
Active Directory® Domain Services (AD DS) database.
Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a wide
area network (WAN), there was no real alternative. In many cases, this was not an efficient solution. Branch
offices often cannot provide the adequate physical security that is required for a writable domain controller.
Furthermore, branch offices often have poor network bandwidth when they are connected to a hub site. This
can increase the amount of time that is required to log on. It can also hamper access to network resources.
Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As a
result, users in this situation can receive the following benefits:
Improved security
Faster logon times
More efficient access to resources on the network
1.3 Who will be interested in this feature?
Inadequate physical security is the most common reason to consider deploying an RODC. An RODC provides a
way to deploy a domain controller more securely in locations that require fast and reliable authentication
services but cannot ensure physical security for a writable domain controller.
However, your organization may also choose to deploy an RODC for special administrative requirements. For
example, a line-of-business (LOB) application may run successfully only if it is installed on a domain
controller. Or, the domain controller might be the only server in the branch office, and it may have to host
server applications.
In such cases, the LOB application owner must often log on to the domain controller interactively or use
Terminal Services to configure and manage the application. This situation creates a security risk that may be
unacceptable on a writable domain controller.
An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can grant
a non-administrative domain user the right to log on to an RODC while minimizing the security risk to the
Active Directory forest.
You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a
primary threat, for example, in an extranet or application-facing role.
RODC is designed primarily to be deployed in remote or branch office environments. Branch offices typically
have the following characteristics:
You should review this section, and the additional supporting documentation about RODC, if you are in any of
the following groups:
1.4 Are there any special considerations?
To deploy an RODC, at least one writable domain controller in the domain must be running Windows
Server 2008. In addition, the functional level for the domain and forest must be Windows Server 2003 or
higher.
1.5 What new functionality does this feature provide?
RODC addresses some of the problems that are commonly found in branch offices. These locations might not
have a domain controller. Or, they might have a writable domain controller but not the physical security,
network bandwidth, or local expertise to support it. The following RODC functionality mitigates these
problems:
Local applications that request Read access to the directory can obtain access. Lightweight Directory
Access Protocol (LDAP) applications that request Write access receive an LDAP referral response. This
response directs them to a writable domain controller, normally in a hub site.
For these types of applications, you can dynamically configure a set of attributes in the schema for domain
objects that will not replicate to an RODC. This set of attributes is called the RODC filtered attribute set.
Attributes that are defined in the RODC filtered attribute set are not allowed to replicate to any RODCs in the
forest.
A malicious user who compromises an RODC can attempt to configure it in such a way that it tries to replicate
attributes that are defined in the RODC filtered attribute set. If the RODC tries to replicate those attributes
from a domain controller that is running Windows Server 2008, the replication request is denied. However, if
the RODC tries to replicate those attributes from a domain controller that is running Windows Server 2003,
the replication request can succeed.
Therefore, as a security precaution, ensure that forest functional level is Windows Server 2008 if you plan to
configure the RODC filtered attribute set. When the forest functional level is Windows Server 2008, an RODC
that is compromised cannot be exploited in this manner because domain controllers that are running
Windows Server 2003 are not allowed in the forest.
You cannot add system-critical attributes to the RODC filtered attribute set. An attribute is system-critical if it
is required for AD DS, the Local Security Authority (LSA), the Security Accounts Manager (SAM), and Microsoft-specific
Security Service Provider Interfaces (SSPIs), such as Kerberos, to function properly. A system-critical attribute
has a schemaFlagsEx attribute value with bit 0x1 set (schemaFlagsEx & 0x1 = TRUE).
The RODC filtered attribute set is configured on the server that holds the schema operations master role. If
you try to add a system-critical attribute to the RODC filtered set while the schema master is running
Windows Server 2008, the server returns an "unwillingToPerform" LDAP error. If you try to add a system-
critical attribute to the RODC filtered attribute set on a Windows Server 2003 schema master, the operation
appears to succeed but the attribute is not actually added. Therefore, it is recommended that the schema
master be a Windows Server 2008 domain controller when you add attributes to RODC filtered attribute set.
This ensures that system-critical attributes are not included in the RODC filtered attribute set.
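The two preconditions above (forest functional level Windows Server 2008, and schemaFlagsEx bit 0x1 clear) can be enforced in a script rather than trusted to memory. The following PowerShell is an added example, not part of the original document: it reads the attribute's schema object from the schema master, refuses system-critical attributes, and otherwise sets the searchFlags bit 0x200 (fRODCFilteredAttribute) that marks an attribute as filtered. It assumes the ActiveDirectory module and Schema Admins rights; the attribute name bhelLobSecret is a placeholder.

```powershell
# Added example: guarded addition of an attribute to the RODC filtered attribute set.
# Assumes the ActiveDirectory module and Schema Admins membership.
Import-Module ActiveDirectory

$RODC_FILTERED = 0x200   # searchFlags bit: do not replicate this attribute to RODCs
$ATTR_CRITICAL = 0x1     # schemaFlagsEx bit: system-critical attribute (may not be filtered)

function Get-SchemaAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # Always read and write schema through the schema master, which is where the set is configured.
    $schemaMaster = (Get-ADForest).SchemaMaster
    $schemaNC     = (Get-ADRootDSE -Server $schemaMaster).schemaNamingContext
    Get-ADObject -Server $schemaMaster -SearchBase $schemaNC `
        -LDAPFilter "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))" `
        -Properties searchFlags, schemaFlagsEx
}

function Test-RodcFilteredCandidate {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    # Report object; Eligible is $true only when every guard passes.
    $forestMode = (Get-ADForest).ForestMode
    $attr = Get-SchemaAttribute -LdapDisplayName $LdapDisplayName
    if (-not $attr) { throw "Attribute '$LdapDisplayName' not found in the schema." }
    $critical = ($attr.schemaFlagsEx -band $ATTR_CRITICAL) -ne 0
    $already  = ($attr.searchFlags   -band $RODC_FILTERED) -ne 0
    # Windows2008Forest or higher means no Windows Server 2003 DC can exist in the forest,
    # which closes the replication path a compromised RODC could otherwise use.
    $modeOk = [int]$forestMode -ge [int][Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008Forest
    [PSCustomObject]@{
        Attribute       = $LdapDisplayName
        ForestMode      = $forestMode
        ForestModeOk    = $modeOk
        SystemCritical  = $critical
        AlreadyFiltered = $already
        Eligible        = ($modeOk -and -not $critical -and -not $already)
    }
}

function Add-RodcFilteredAttribute {
    param([Parameter(Mandatory)][string]$LdapDisplayName)
    $check = Test-RodcFilteredCandidate -LdapDisplayName $LdapDisplayName
    if (-not $check.Eligible) {
        throw "Refusing to filter '$LdapDisplayName':`n$($check | Format-List | Out-String)"
    }
    $attr     = Get-SchemaAttribute -LdapDisplayName $LdapDisplayName
    $newFlags = $attr.searchFlags -bor $RODC_FILTERED
    # A Windows Server 2008 schema master would itself reject a critical attribute with
    # unwillingToPerform; a 2003 schema master would silently ignore it, hence the local check.
    Set-ADObject -Server (Get-ADForest).SchemaMaster -Identity $attr.DistinguishedName `
        -Replace @{ searchFlags = $newFlags }
}

# Usage with a placeholder LOB attribute name (not from the document):
# Test-RodcFilteredCandidate -LdapDisplayName 'bhelLobSecret' | Format-List
# Add-RodcFilteredAttribute  -LdapDisplayName 'bhelLobSecret'
```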
RODC unidirectional replication applies to both AD DS and Distributed File System (DFS) Replication of
SYSVOL. The RODC performs normal inbound replication for AD DS and SYSVOL changes.
The RODC is advertised as the Key Distribution Center (KDC) for the branch office. The RODC uses a different
krbtgt account and password than the KDC on a writable domain controller uses when it signs or encrypts
ticket-granting ticket (TGT) requests.
After an account is successfully authenticated, the RODC attempts to contact a writable domain controller at
the hub site and requests a copy of the appropriate credentials. The writable domain controller recognizes
that the request is coming from an RODC and consults the Password Replication Policy in effect for that
RODC.
The Password Replication Policy determines if a user's credentials or a computer's credentials can be
replicated from the writable domain controller to the RODC. If the Password Replication Policy allows it, the
writable domain controller replicates the credentials to the RODC, and the RODC caches them.
After the credentials are cached on the RODC, the RODC can directly service that user's logon requests until
the credentials change. (When a TGT is signed with the krbtgt account of the RODC, the RODC recognizes that
it has a cached copy of the credentials. If another domain controller signs the TGT, the RODC forwards
requests to a writable domain controller.)
By limiting credential caching only to users who have authenticated to the RODC, the potential exposure of
credentials by a compromise of the RODC is also limited. Typically, only a small subset of domain users has
credentials cached on any given RODC. Therefore, in the event that the RODC is stolen, only those credentials
that are cached can potentially be cracked.
Leaving credential caching disabled might further limit exposure, but it results in all authentication requests
being forwarded to a writable domain controller. An administrator can modify the default Password
Replication Policy to allow users' credentials to be cached at the RODC.
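Because the credentials cached on an RODC are exactly what is exposed if the box is stolen, the Password Replication Policy and the actual cached set deserve a periodic audit. The following PowerShell is an added example, not part of the original document: it summarises the Allowed and Denied lists, lists the accounts whose secrets are currently stored on the RODC, flags any that belong to a privileged group, and shows the policy change that lets only a branch-users group cache while keeping privileged groups denied. It assumes the ActiveDirectory module; the RODC and group names are placeholders.

```powershell
# Added example: audit and configure the Password Replication Policy of an RODC.
# Assumes the ActiveDirectory module and rights to read/modify the RODC's PRP.
Import-Module ActiveDirectory

# Groups whose members should never have secrets cached on a branch RODC.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators', 'Account Operators'

function Get-RodcPolicySummary {
    param([Parameter(Mandatory)][string]$Rodc)
    [PSCustomObject]@{
        RODC    = $Rodc
        Allowed = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Allowed).Name
        Denied  = (Get-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -Denied).Name
    }
}

function Get-RodcCachedPrivilegedAccounts {
    param([Parameter(Mandatory)][string]$Rodc)
    # RevealedAccounts are the secrets actually stored on the RODC (msDS-RevealedUsers),
    # i.e. what an attacker holding the stolen RODC could attempt to crack.
    $cached = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Rodc -RevealedAccounts
    $privSids = foreach ($g in $PrivilegedGroups) {
        # Enterprise/Schema Admins exist only in the forest root; ignore lookup failures elsewhere.
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
            ForEach-Object { $_.SID.Value }
    }
    $privSids = $privSids | Select-Object -Unique
    foreach ($acct in $cached) {
        if ($privSids -contains $acct.SID.Value) {
            [PSCustomObject]@{ RODC = $Rodc; Account = $acct.SamAccountName; Finding = 'Privileged account cached on RODC' }
        }
    }
}

function Grant-RodcBranchCaching {
    param(
        [Parameter(Mandatory)][string]$Rodc,
        [Parameter(Mandatory)][string]$BranchUsersGroup
    )
    # Allow only the branch group to cache; a Denied entry always wins over Allowed,
    # so re-asserting the privileged groups on the deny list is safe.
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -AllowedList $BranchUsersGroup
    Add-ADDomainControllerPasswordReplicationPolicy -Identity $Rodc -DeniedList  $PrivilegedGroups
}

# Usage with placeholder names (not from the document):
# Get-RodcPolicySummary -Rodc 'BAKRESWAR-RODC01' | Format-List
# Get-RodcCachedPrivilegedAccounts -Rodc 'BAKRESWAR-RODC01' | Format-Table -AutoSize
# Grant-RodcBranchCaching -Rodc 'BAKRESWAR-RODC01' -BranchUsersGroup 'Bakreswar Branch Users'
```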
However, the DNS server on an RODC is read-only and therefore does not support client updates directly.
Format the volume with the NTFS file system with the appropriate details. Click Next.
To configure this server as an additional root domain server, we first configure it as an additional domain controller for the domain bhelpser.co.in.
Welcome wizard: check the advanced mode installation check box, then click Next.
Click Next.
Select the first option for replicating the database over the network.
Supply the credentials. These credentials will be used in case of any failure to restore the Active Directory.
After the restart we gave the server more than 24 hours to complete the replication of all Active Directory components.
Once the replication is complete, the size of the AD database file ntds.dit indicates the completion of replication from the root domain controller.
After the replication, all the DNS records are also available on BHELPSERRDC01, including the name servers and forwarders.
(Screenshots: DNS records; Name Servers; Forwarder.)
Before transferring the roles, the functional levels of the existing RDC must be raised.
Open Active Directory Users and Computers. Right-click bhelpser.co.in and then select Raise Domain Functional Level. Click OK to proceed.
Open Active Directory Domains and Trusts. Right-click bhelpser.co.in and then select Raise Forest Functional Level. Click OK to proceed.
Upgrading the schema to Windows Server 2008 requires the Windows Server 2008 installation files.
After upgrading, our 2003 server is able to recognize the Windows Server 2008 server.
Querying the naming master roles on our existing Windows Server 2003 RDC.
To connect to the server, type 'connect to server bhelpserrdc01'; it will then connect to our Server 2008 machine.
Creation of separate OUs for Kolkata-Salt lake, Budge-budge and Bakreswar sites.
Account lockout duration is set to 15 minutes. An account will lock out after 3 invalid logon attempts.
Audit both Success and Failure events. Enable the policy 'Shutdown system immediately if unable
to log security audits'.
Set the maximum system log size to 10MB. Set the maximum application log size to 10MB.
Set the maximum security log size to 10MB. Enable auditing of all user rights in conjunction with Audit
Privilege Use auditing being enabled.
This feature is provided for system availability reasons, such as the user's machine being disconnected from the
network or domain controllers not being available.
Welcome wizard.
Click next.
Welcome wizard.
Welcome wizard.
Different Sites and settings will be created for the replication between Domain Controllers.
Provide the name for Bakreswar Site and select the Default Site Link.
Different Sites and settings are created for the replication between Domain Controllers.
Format the volume with NTFS file system with appropriate details.
Click next.
Configure this server as an additional Active Directory Domain Server for the domain bhelpser.co.in.
Welcome wizard.
Check the advanced mode installation check box then Click next.
Click next.
Select the first option for replicating the database over the network.
Supply the credentials. These credentials will be used to restore the Active Directory in case of any failure.
After the restart, the server will require more than 24 hours to complete the replication of all Active Directory
components.
Click next.
Configure this server as a Read-only Active Directory Domain Controller for the domain bhelpser.co.in.
Welcome wizard.
Check the advanced mode installation check box then Click next.
Click next.
Set the domain administrator user account for delegation of RODC Installation and Administration.
Select the first option for replicating the database over the network.
Supply the credentials. These credentials will be used to restore the Active Directory in case of any failure.
On the RODC, the options for creating any users and groups are grayed out.
Click next.
Configure this server as a Read-only Active Directory Domain Controller for the domain bhelpser.co.in.
Check the advanced mode installation check box then Click next.
Click on Next.
Set the domain administrator user account for delegation of RODC Installation and Administration.
Select the first option for replicating the database over the network.
Supply the credentials. These credentials will be used to restore the Active Directory in case of any failure.
DSRM Password: bhel@123#
1.5.2 TOOLS
There are various tools available for monitoring and troubleshooting Active Directory.
1. NTDSUTIL
2. DCDIAG
3. NLTEST
4. NETDIAG
5. DNSLINT
6. ADSIEDIT
7. ADPREP
8. REPADMIN
9. REPLMON
10. RSOP
NTDSUTIL.EXE is a command-line tool that is used to manage Active Directory. This utility is used to
perform the following tasks:
For how to transfer and seize Operations Master roles with this tool, see the URL below:
http://support.microsoft.com/kb/255504
Let us start gently and check for duplicate SIDs. This experiment is more for gaining experience of the
NTDSutil interface than the probability of finding any duplicate SIDs. This is what I typed at the command
prompt, my commands are in bold:
E:\ntdsutil>ntdsutil
ntdsutil: security account management
Security Account Maintenance: connect to server BigServer
Security Account Maintenance: check duplicate sid
...
Duplicate SID check completed successfully. Check dupsid.log for any duplicates
Security Account Maintenance:
1.5.4 Reset password for DSRM (Directory Services Restore Mode) with NTDSUTIL
Here is where I challenge you to perform a real task. Once upon a time, when your Windows Server
2003/2008 was first installed, setup asked the installer for a separate Directory Services Restore Mode
password. 90% of administrators ignored the box or forgot the password. 50% of administrators don't
realize that this Directory Services Restore Mode password is different from the normal Administrator
password. The two can get out of sync because they are stored in separate databases.
Now is your chance to reset the password that will be required if ever you need to restart the server in Active
Directory Restore Mode. In many ways this is such an insignificant job; in other ways it saves the frustration of
being thwarted by not having the administrative password for this context.
E:\ntdsutil>ntdsutil
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server BigServer
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.
E:\ntdsutil>
In your Windows Active Directory career you will find dozens of occasions where the only cure to your
problem is editing the Domain or Configuration partition with ADSI Edit. On this page, it is not my intention
to cure a specific Windows Server 2003/2008 problem, I merely chose the examples to give you a good
grounding in the utility.
Nobody wins their Active Directory spurs without knowing where to find ADSI Edit. No-one gets to be a top
Windows Server 2003/2008 techie before they have explored the Domain and Configuration partitions with
ADSI Edit. Without ADSI Edit experience, many TechNet articles will be beyond your skill level. While ADSI
Edit is not Microsoft's most difficult tool, you have to be careful as there is no error checking.
http://www.computerperformance.co.uk/ScriptsGuy/adsi.zip
This example has all the ingredients for learning about ADSI Edit namely, planning, attention to detail and a
real life scenario where there is no other way of configuring the settings. Our objective is to change the
display from: First Name, Last Name to: Last Name, First Name. From the outset, let us be clear which field
we are changing.
Our mission is to change the first field in Active Directory Users and Computers, the column called 'Name'
and not the 'Display Name' or 'Description' column. (Although you could change those too, but that would be
a separate project.) The above diagram shows the final result, let us see how we achieve this goal.
DCDiag switches
1. /v I have to admit that at first I had no idea that DCDiag had switches. Whilst I should have
known that Microsoft would provide switches, I had no idea that there were so many. I will
let you into another secret: I have never before known the /v (verbose) to be of any use. My
point is that many utilities have this switch and normally I avoid it, but in the case of DCDiag
the /v is a little gem, which I use at every opportunity.
2. /q From the sublime /v you could go to the ridiculous /q, which only reports errors.
3. /s As always, /s specifies the server, or in this case, the Domain Controller.
4. /fix Fixes Service Principal Name (SPN) problems.
5. /f:logfile.txt Slightly confusing given that there is also a /fix switch. It works like the
redirect pipe (> filename.txt). Personally, I copy and paste from the command prompt, but if
you are more organized, then use /f:filename to output to a file.
6. /test: Confession time. I gave up with the /test, I just could not get it to filter the DNS tests
as advertised. I consoled myself that you can always get the information by running the full
test and just reading the parts that are of interest. However, I got the /test switch working
perfectly with NetDiag,
***Searching...
ldap_search_s(ld, "DC=cp,DC=com", 2, "(cn=a*)", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 24 entries:
>> Dn: CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com
2> objectClass: top; container;
1> cn: a86fe12a-0f62-4e2a-b271-d27f601f8182;
1> distinguishedName: CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com;
1> name: a86fe12a-0f62-4e2a-b271-d27f601f8182;
1> canonicalName: cp.com/System/DomainUpdates/Operations/a86fe12a-0f62-4e2a-b271-d27f601f8182;
>> Dn: CN=ab402345-d3c3-455d-9ff7-40268a1099b6,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com
2> objectClass: top; container;
1> cn: ab402345-d3c3-455d-9ff7-40268a1099b6;
1> distinguishedName: CN=ab402345-d3c3-455d-9ff7-40268a1099b6,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com;
1> name: ab402345-d3c3-455d-9ff7-40268a1099b6;
1> canonicalName: cp.com/System/DomainUpdates/Operations/ab402345-d3c3-455d-9ff7-40268a1099b6;
>> Dn: CN=ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9,CN=Packages,CN=Class Store,CN=Machine,CN={4627307D-103B-4A81-99D0-
B5B06B8AD999},CN=Policies,CN=System,DC=cp,DC=com
2> objectClass: top; packageRegistration;
1> cn: ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9;
1> distinguishedName: CN=ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9,CN=Packages,CN=Class Store,CN=Machine,CN={4627307D-103B-4A81-99D0-
B5B06B8AD999},CN=Policies,CN=System,DC=cp,DC=com;
1> name: ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9;
1> canonicalName: cp.com/System/Policies/{4627307D-103B-4A81-99D0-B5B06B8AD999}/Machine/Class Store/Packages/ab9b6f9e-7ef4-4e9a-902d-
ae9a3881bce9;
>> Dn: CN=abab2104-5729-4bed-ac94-a65c89516e84,CN=AppCategories,CN=Default Domain Policy,CN=System,DC=cp,DC=com
3> objectClass: top; leaf; categoryRegistration;
1> cn: abab2104-5729-4bed-ac94-a65c89516e84;
1> distinguishedName: CN=abab2104-5729-4bed-ac94-a65c89516e84,CN=AppCategories,CN=Default Domain Policy,CN=System,DC=cp,DC=com;
1> name: abab2104-5729-4bed-ac94-a65c89516e84;
1> canonicalName: cp.com/System/Default Domain Policy/AppCategories/abab2104-5729-4bed-ac94-a65c89516e84;
>> Dn: CN=Account Operators,CN=Builtin,DC=cp,DC=com
2> objectClass: top; group;
1> cn: Account Operators;
1> description: Members can administer domain user and group accounts;
1> distinguishedName: CN=Account Operators,CN=Builtin,DC=cp,DC=com;
1> name: Account Operators;
1> canonicalName: cp.com/Builtin/Account Operators;
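The ldp.exe listing above is plain text, which makes it awkward to review in bulk (for example, when checking which objects under Builtin are groups, or whether an attribute's printed value count matches what was actually returned). The following Python parser is an added example and not part of the original document; it assumes only the line shapes visible in the listing ('>> Dn:' headers and 'N> attribute: value1; value2;' lines) and re-joins the DN that the listing wraps across two lines. The sample input is constructed from three of the entries shown above.

```python
import re

# Constructed sample in the shape of the ldp.exe search output shown on this
# page (three of the page's entries; the second DN is wrapped across two lines
# exactly as it appears on the page, so the parser must re-join it).
LDP_SAMPLE = """\
***Searching...
ldap_search_s(ld, "DC=cp,DC=com", 2, "(cn=a*)", attrList, 0, &msg)
Result <0>: (null)
Matched DNs:
Getting 3 entries:
>> Dn: CN=a86fe12a-0f62-4e2a-b271-d27f601f8182,CN=Operations,CN=DomainUpdates,CN=System,DC=cp,DC=com
2> objectClass: top; container;
1> cn: a86fe12a-0f62-4e2a-b271-d27f601f8182;
>> Dn: CN=ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9,CN=Packages,CN=Class Store,CN=Machine,CN={4627307D-103B-4A81-99D0-
B5B06B8AD999},CN=Policies,CN=System,DC=cp,DC=com
2> objectClass: top; packageRegistration;
1> cn: ab9b6f9e-7ef4-4e9a-902d-ae9a3881bce9;
>> Dn: CN=Account Operators,CN=Builtin,DC=cp,DC=com
2> objectClass: top; group;
1> cn: Account Operators;
1> description: Members can administer domain user and group accounts;
1> distinguishedName: CN=Account Operators,CN=Builtin,DC=cp,DC=com;
"""

ENTRY_RE = re.compile(r"^>> Dn: (.*)$")
ATTR_RE = re.compile(r"^(\d+)> ([^:]+): (.*)$")


def _logical_lines(text):
    """Re-join values that were wrapped onto a following line.

    Anything after the first '>> Dn:' that is neither an entry header nor an
    'N> attr:' line is treated as the continuation of the previous line.
    Header lines before the first entry ('***Searching...' etc.) are skipped.
    """
    lines = []
    started = False
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        if ENTRY_RE.match(line):
            started = True
            lines.append(line)
        elif started and ATTR_RE.match(line):
            lines.append(line)
        elif started:
            lines[-1] += line
    return lines


def parse_ldp_search(text):
    """Parse ldp.exe search output into a list of entries.

    Each entry is {'dn': str, 'attrs': {name: [values]}, 'declared': {name: n}},
    where 'declared' keeps the value count ldp printed before the attribute.
    Values are split on ';', the separator ldp uses; a value that itself
    contains ';' would be over-split, which count_mismatches() reveals.
    """
    entries = []
    for line in _logical_lines(text):
        m = ENTRY_RE.match(line)
        if m:
            entries.append({"dn": m.group(1), "attrs": {}, "declared": {}})
            continue
        m = ATTR_RE.match(line)  # every remaining logical line is an attribute
        count, name, raw_values = int(m.group(1)), m.group(2), m.group(3)
        values = [v.strip() for v in raw_values.split(";") if v.strip()]
        entries[-1]["attrs"][name] = values
        entries[-1]["declared"][name] = count
    return entries


def count_mismatches(entries):
    """Return (dn, attr, declared, parsed) where the value count disagrees."""
    out = []
    for e in entries:
        for name, values in e["attrs"].items():
            if e["declared"][name] != len(values):
                out.append((e["dn"], name, e["declared"][name], len(values)))
    return out


def entries_of_class(entries, object_class):
    """Entries whose objectClass includes the given class, e.g. 'group'."""
    return [e for e in entries if object_class in e["attrs"].get("objectClass", [])]


if __name__ == "__main__":
    parsed = parse_ldp_search(LDP_SAMPLE)
    for group in entries_of_class(parsed, "group"):
        print(group["dn"], group["attrs"].get("description"))
    print("count mismatches:", count_mismatches(parsed))
```

Paste a saved ldp.exe search result into parse_ldp_search() to get the same structure for a real query; entries_of_class() then lets you pull out, for instance, every group returned so that highly privileged built-in groups such as Account Operators can be reviewed alongside their descriptions.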
Examples of NetDiag
1. Installing Exchange and you wish to check that you can connect to other servers.
2. Checking VPN network tunnels on the WAN.
3. DNS problems. Computers cannot 'see' their domain controller on the LAN.
4. A quick check on hotfixes.
5. Check the Network Card Bindings from the command prompt.
6. You are having problems with IPSEC.
7. Winsock corruption, wrong version incompatibilities.
8. NetDiag checks that Domain Controllers are all able to 'speak' LDAP.
NetDiag switches
1. /v If you need the full report on your network availability, then append this verbose switch
to the command. Unlike the /v of other utilities, NetDiag /v really does produce chapter and
verse on your network cards and their binding.
2. /Debug This debug switch was disappointing in that it did not produce any more details
than those supplied by the /v. Perhaps I would have received extra information if my
Windows Server 2003/2008 really had a network connectivity problem.
3. /q When you just need to know if there are any errors, this is the switch for
troubleshooting. The /q is the antithesis of the /v and /debug.
4. /test: Unlike DCDiag, NetDiag's test switch worked perfectly.
Owner of the binding path : File and Printer Sharing for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: File and Printer Sharing for Microsoft Networks
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndis5
Upper Component: Internet Protocol (TCP/IP)
Lower Component: VIA Rhine II Fast Ethernet Adapter
Owner of the binding path : File and Printer Sharing for Microsoft Networks
Binding Enabled: Yes
Interfaces of the binding path:
-Interface Name: netbios
Upper Component: File and Printer Sharing for Microsoft Networks
Lower Component: WINS Client(TCP/IP) Protocol
-Interface Name: tdi
Upper Component: WINS Client(TCP/IP) Protocol
Lower Component: Internet Protocol (TCP/IP)
-Interface Name: ndiswanip
Upper Component: Internet Protocol (TCP/IP)
Lower Component: WAN Miniport (IP)
Note: run "netsh ipsec dynamic show /?" for more detailed information
Installing Replmon is straightforward. Load the Windows 2003/2008 CD into the caddy and navigate to the \
support\tools and double click suptools.msi. However, a word of warning, because there are so many .dlls
and associated Replmon files it is best to keep the files in their original locations. Of all of the support tools,
Replmon is the fussiest about being run from its default location. A bonus of keeping all the support files in
their default folder is that you can type the name of the executable in the Run dialog box and it will execute
because the operating system has learnt the 'Path'. Thus, in this instance type: replmon in the Run Dialog
box.
You cannot help noticing the similarities between the interfaces. Note in passing that, as beginners, we
just focus on one site; however, in a big organization there are likely to be several sites, each with their own
ring of linked servers.
Here in Replication Monitor, explore the 4 or 5 Configuration containers; keep looking for more detail by
right clicking on any object that you see. Below is an example of right clicking the Domain Controller object.
Replmon is one of the most exciting tools in the Windows Server 2003/2008 toolkit. I have a tutorial to get
you started with Replmon. What I like about Replmon is the way that it combines business with pleasure and
practical with theory. Before I explored Replmon I could not picture how Directory Replication works, with
Replmon I can see precisely what data is replicated to which partition. The theory of Domain, Forest and
Schema partitions come to life when you can actually see the topology and the links.
Replmon displays information about Active Directory replication. In Windows Server 2003/2008, Microsoft
have improved upon Windows 2000 in two ways: reduced latency, and replicating only the attributes that
have changed rather than the whole object. Both Windows 2000 and 2003/2008 use the same components,
namely the multi-master model, change notification and pull replication.
1. Replmon will give you clues why replication is not happening. Sift through Active Directory
replication messages and find the last successful synchronization.
2. See what happens when you try and force replication. Does Replmon magically synchronize, or
do you get a new meaningful error message?
3. If you do get replication errors, say when you run DCDiag, then force the KCC (Knowledge
Consistency Checker) to recreate the topology.
4. Should you have the luxury of a large forest, Replmon will give you an understanding of how the
domain controllers are joined by three separate rings. In multiple domain configurations you
could experiment creating shortcut links.
5. Investigate if there are any complications with Trusts. Examine the trust relationships, within or
between forests.
6. Discover more about the metadata, in particular the attributes of objects. Again I confess a bias,
as I need LDAP attributes for my VBScripts; Replmon displays the objects and their correct LDAP
syntax.
7. Group Policies can be troublesome because there are two separate replication paths, Active
Directory and FRS. Replmon also matches those strange hex numbers files which you find under
sysvol, with the corresponding names of the policies as seen in the GPMC (or Active Directory
Users and Computers)
Still no sign of the replication links. Let us try another right click, and
select 'Show Intra-Site Connections'. At this point I pay attention to
detail. I remember that Intra means within, whereas Inter is like Inter-City and means between. What you
should now see is topology links between all the Domain Controllers. Incidentally, the word 'Site' reminds us
that to begin with, we are investigating just the Default-First-Site; in a production network there may be
multiple sites.
If you have 5 or more servers in the ring, you may consider right clicking and adding extra links to speed up
replication; this is particularly true for Windows 2000 networks where latency is much longer than Windows
Server 2003/2008.
Installation Begin
Installation Succeeded
Click Next
Specify Destination
Click Backup
Progress begin
Backup Completed.
Please find below links to the restoration procedures for Active Directory and a full computer restore:
http://technet.microsoft.com/en-us/library/cc730683.aspx
http://technet.microsoft.com/en-us/library/cc731835.aspx
http://technet.microsoft.com/en-us/library/cc771045.aspx