Vous êtes sur la page 1sur 7

What is Active Directory Domain Services 2008?

Active Directory Domain Services (AD DS), formerly known as Active Directory Directory Services, is the
central location for configuration information, authentication requests, and information about
all of the objects that are stored within your forest. Using Active Directory, you can efficiently
manage users, computers, groups, printers, applications, and other directory-enabled objects
from one secure, centralized location.

What is the SYSVOL folder?

The Sysvol folder on a Windows domain controller is used to replicate file-based data among domain
controllers. Because junctions are used within the Sysvol folder structure, Windows NT file
system (NTFS) version 5.0 is required on domain controllers throughout a Windows
distributed file system (DFS) forest.

This is a quote from microsoft themselves, basically the domain controller info stored in files like your
group policy stuff is replicated through this folder structure

What’s New in Windows Server 2008 Active Directory Domain Services?

Active Directory Domain Services in Windows Server 2008 provides a number of enhancements over
previous versions, including these:

Auditing—AD DS auditing has been enhanced significantly in Windows Server 2008. The enhancements
provide more granular auditing capabilities through four new auditing categories: Directory
Services Access, Directory Services Changes, Directory Services Replication, and Detailed
Directory Services Replication. Additionally, auditing now provides the capability to log old
and new values of an attribute when a successful change is made to that attribute.

Fine-Grained Password Policies—AD DS in Windows Server 2008 now provides the capability to create
different password and account lockout policies for different sets of users in a domain. User
and group password and account lockout policies are defined and applied via a Password
Setting Object (PSO). A PSO has attributes for all the settings that can be defined in the
Default Domain Policy, except Kerberos settings. PSOs can be applied to both users and
groups.

Read-Only Domain Controllers—AD DS in Windows Server 2008 introduces a new type of domain
controller called a read-only domain controller (RODC). RODCs contain a read-only copy of
the AD DS database. RODCs are covered in more detail in Chapter 6, “Manage Sites and
Replication.”

Restartable Active Directory Domain Services—AD DS in Windows Server 2008 can now be stopped
and restarted through MMC snap-ins and the command line. The restartable AD DS service
reduces the time required to perform certain maintenance and restore operations. Additionally,
other services running on the server remain available to satisfy client requests while AD DS is
stopped.

AD DS Database Mounting Tool—AD DS in Windows Server 2008 comes with a AD DS database


mounting tool, which provides a means to compare data as it exists in snapshots or backups
taken at different times. The AD DS database mounting eliminates the need to restore multiple
backups to compare the AD data that they contain and provides the capability to examine any
change made to data stored in AD DS.
What is the Global Catalog?

A global catalog server is a domain controller. It is a master searchable database that contains information
about every object in every domain in a forest. The global catalog contains a complete replica
of all objects in Active Directory for its host domain, and contains a partial replica of all
objects in Active Directory for every other domain in the forest.

It has two important functions:

Provides group membership information during logon and authentication

Helps users locate resources in Active Directory

What are RODCs? And what are the major benefits of using RODCs?

A read-only domain controller (RODC) is a new type of domain controller in the Windows Server® 2008
operating system. With an RODC, organizations can easily deploy a domain controller in
locations where physical security cannot be guaranteed. An RODC hosts read-only partitions
of the Active Directory® Domain Services (AD DS) database.

Before the release of Windows Server 2008, if users had to authenticate with a domain controller over a
wide area network (WAN), there was no real alternative. In many cases, this was not an
efficient solution. Branch offices often cannot provide the adequate physical security that is
required for a writable domain controller. Furthermore, branch offices often have poor network
bandwidth when they are connected to a hub site. This can increase the amount of time that is
required to log on. It can also hamper access to network resources.

Beginning with Windows Server 2008, an organization can deploy an RODC to address these problems. As
a result, users in this situation can receive the following benefits:

* Improved security

* Faster logon times

* More efficient access to resources on the network

What does an RODC do?

Inadequate physical security is the most common reason to consider deploying an RODC. An RODC
provides a way to deploy a domain controller more securely in locations that require fast and
reliable authentication services but cannot ensure physical security for a writable domain
controller.

However, your organization may also choose to deploy an RODC for special administrative requirements.
For example, a line-of-business (LOB) application may run successfully only if it is installed
on a domain controller. Or, the domain controller might be the only server in the branch office,
and it may have to host server applications.

In such cases, the LOB application owner must often log on to the domain controller interactively or use
Terminal Services to configure and manage the application. This situation creates a security
risk that may be unacceptable on a writable domain controller.
An RODC provides a more secure mechanism for deploying a domain controller in this scenario. You can
grant a nonadministrative domain user the right to log on to an RODC while minimizing the
security risk to the Active Directory forest.

You might also deploy an RODC in other scenarios where local storage of all domain user passwords is a
primary threat, for example, in an extranet or application-facing role.

What is REPADMIN?

Repadmin.exe: Replication Diagnostics Tool

This command-line tool assists administrators in diagnosing replication problems between Windows
domain controllers.

Administrators can use Repadmin to view the replication topology (sometimes referred to as RepsFrom and
RepsTo) as seen from the perspective of each domain controller. In addition, Repadmin can be
used to manually create the replication topology (although in normal practice this should not
be necessary), to force replication events between domain controllers, and to view both the
replication metadata and up-to-dateness vectors.

Repadmin.exe can also be used for monitoring the relative health of an Active Directory forest. The
operations replsummary, showrepl, showrepl /csv, and showvector /latency can be used to
check for replication problems.

What is NETDOM?

NETDOM is a command-line tool that allows management of Windows domains and trust relationships. It
is used for batch management of trusts, joining computers to domains, verifying trusts, and
secure channels

What is the difference between transferring a fsmo role and seizing one which one should you not
seize why?

Seizing an FSMO can be a destructive process and should only be attempted if the existing server with the
FSMO is no longer available.

If the domain controller that is the Schema Master FSMO role holder is temporarily unavailable, DO NOT
seize the Schema Master role.

If you are going to seize the Schema Master, you must permanently disconnect the current Schema Master
from the network.

If you seize the Schema Master role, the boot drive on the original Schema Master must be completely
reformatted and the operating system must be cleanly installed, if you intend to return this computer to the
network.

NOTE: The Boot Partition contains the system files (\System32). The System Partition is the partition that
contains the startup files, NTDetect.com, NTLDR, Boot.ini, and possibly Ntbootdd.sys.
The Active Directory Installation Wizard (Dcpromo.exe) assigns all 5 FSMO roles to the first domain
controller in the forest root domain. The first domain controller in each new child or tree domain is
assigned the three domain-wide roles. Domain controllers continue to own FSMO roles until they are
reassigned by using one of the following methods:

• An administrator reassigns the role by using a GUI administrative tool.


• An administrator reassigns the role by using the ntdsutil /roles command.
• An administrator gracefully demotes a role-holding domain controller by using the Active
Directory Installation Wizard. This wizard reassigns any locally-held roles to an existing domain
controller in the forest. Demotions that are performed by using the dcpromo /forceremoval
command leave FSMO roles in an invalid state until they are reassigned by an administrator.

We recommend that you transfer FSMO roles in the following scenarios:

• The current role holder is operational and can be accessed on the network by the new FSMO
owner.
• You are gracefully demoting a domain controller that currently owns FSMO roles that you want to
assign to a specific domain controller in your Active Directory forest.
• The domain controller that currently owns FSMO roles is being taken offline for scheduled
maintenance and you need specific FSMO roles to be assigned to a "live" domain controller. This
may be required to perform operations that connect to the FSMO owner. This would be especially
true for the PDC Emulator role but less true for the RID master role, the Domain naming master
role and the Schema master roles.

We recommend that you seize FSMO roles in the following scenarios:

• The current role holder is experiencing an operational error that prevents an FSMO-dependent
operation from completing successfully and that role cannot be transferred.
• A domain controller that owns an FSMO role is force-demoted by using the dcpromo
/forceremoval command.
• The operating system on the computer that originally owned a specific role no longer exists or has
been reinstalled.

As replication occurs, non-FSMO domain controllers in the domain or forest gain full knowledge of
changes that are made by FSMO-holding domain controllers. If you must transfer a role, the best candidate
domain controller is one that is in the appropriate domain that last inbound-replicated, or recently inbound-
replicated a writable copy of the "FSMO partition" from the existing role holder. For example, the Schema
master role-holder has a distinguished name path of CN=schema,CN=configuration,dc=<forest root
domain>, and this mean that roles reside in and are replicated as part of the CN=schema partition. If the
domain controller that holds the Schema master role experiences a hardware or software failure, a good
candidate role-holder would be a domain controller in the root domain and in the same Active Directory
site as the current owner. Domain controllers in the same Active Directory site perform inbound replication
every 5 minutes or 15 seconds.

The partition for each FSMO role is in the following list:


Collapse this tableExpand this table FSMO role Partition Schema
CN=Schema,CN=configuration,DC=<forest root domain> Domain Naming Master
CN=configuration,DC=<forest root domain> PDC DC=<domain> RID DC=<domain> Infrastructure
DC=<domain>

A domain controller whose FSMO roles have been seized should not be permitted to communicate with
existing domain controllers in the forest. In this scenario, you should either format the hard disk and
reinstall the operating system on such domain controllers or forcibly demote such domain controllers on a
private network and then remove their metadata on a surviving domain controller in the forest by using the
ntdsutil /metadata cleanup command. The risk of introducing a former FSMO role holder whose role has
been seized into the forest is that the original role holder may continue to operate as before until it inbound-
replicates knowledge of the role seizure. Known risks of two domain controllers owning the same FSMO
roles include creating security principals that have overlapping RID pools, and other problems.
Back to the top

Transfer FSMO roles


To transfer the FSMO roles by using the Ntdsutil utility, follow these steps:

1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or


domain controller that is located in the forest where FSMO roles are being transferred. We
recommend that you log on to the domain controller that you are assigning FSMO roles to. The
logged-on user should be a member of the Enterprise Administrators group to transfer Schema
master or Domain naming master roles, or a member of the Domain Administrators group of the
domain where the PDC emulator, RID master and the Infrastructure master roles are being
transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.

Note To see a list of available commands at any one of the prompts in the Ntdsutil utility, type ?,
and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the
domain controller you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type transfer role, where role is the role that you want to transfer. For a list of roles that you can
transfer, type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at
the start of this article. For example, to transfer the RID master role, type transfer rid master. The
one exception is for the PDC emulator role, whose syntax is transfer pdc, not transfer pdc
emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil
prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Back to the top

Seize FSMO roles


To seize the FSMO roles by using the Ntdsutil utility, follow these steps:

1. Log on to a Windows 2000 Server-based or Windows Server 2003-based member computer or


domain controller that is located in the forest where FSMO roles are being seized. We recommend
that you log on to the domain controller that you are assigning FSMO roles to. The logged-on user
should be a member of the Enterprise Administrators group to transfer schema or domain naming
master roles, or a member of the Domain Administrators group of the domain where the PDC
emulator, RID master and the Infrastructure master roles are being transferred.
2. Click Start, click Run, type ntdsutil in the Open box, and then click OK.
3. Type roles, and then press ENTER.
4. Type connections, and then press ENTER.
5. Type connect to server servername, and then press ENTER, where servername is the name of the
domain controller that you want to assign the FSMO role to.
6. At the server connections prompt, type q, and then press ENTER.
7. Type seize role, where role is the role that you want to seize. For a list of roles that you can seize,
type ? at the fsmo maintenance prompt, and then press ENTER, or see the list of roles at the start
of this article. For example, to seize the RID master role, type seize rid master. The one exception
is for the PDC emulator role, whose syntax is seize pdc, not seize pdc emulator.
8. At the fsmo maintenance prompt, type q, and then press ENTER to gain access to the ntdsutil
prompt. Type q, and then press ENTER to quit the Ntdsutil utility.

Notes
o Under typical conditions, all five roles must be assigned to "live" domain controllers in
the forest. If a domain controller that owns a FSMO role is taken out of service before its
roles are transferred, you must seize all roles to an appropriate and healthy domain
controller. We recommend that you only seize all roles when the other domain controller
is not returning to the domain. If it is possible, fix the broken domain controller that is
assigned the FSMO roles. You should determine which roles are to be on which
remaining domain controllers so that all five roles are assigned to a single domain
controller. For more information about FSMO role placement, click the following article
number to view the article in the Microsoft Knowledge Base: 223346
(http://support.microsoft.com/kb/223346/ ) FSMO placement and optimization on
Windows 2000 domain controllers
o If the domain controller that formerly held any FSMO role is not present in the domain
and if it has had its roles seized by using the steps in this article, remove it from the
Active Directory by following the procedure that is outlined in the following Microsoft
Knowledge Base article: 216498 (http://support.microsoft.com/kb/216498/ ) How to
remove data in active directory after an unsuccessful domain controller demotion
o Removing domain controller metadata with the Windows 2000 version or the Windows
Server 2003 build 3790 version of the ntdsutil /metadata cleanup command does not
relocate FSMO roles that are assigned to live domain controllers. The Windows Server
2003 Service Pack 1 (SP1) version of the Ntdsutil utility automates this task and removes
additional elements of domain controller metadata.
o Some customers prefer not to restore system state backups of FSMO role-holders in case
the role has been reassigned since the backup was made.
o Do not put the Infrastructure master role on the same domain controller as the global
catalog server. If the Infrastructure master runs on a global catalog server it stops
updating object information because it does not contain any references to objects that it
does not hold. This is because a global catalog server holds a partial replica of every
object in the forest.

To test whether a domain controller is also a global catalog server:

1. Click Start, point to Programs, point to Administrative Tools, and then click Active Directory
Sites and Services.
2. Double-click Sites in the left pane, and then locate the appropriate site or click Default-first-site-
name if no other sites are available.
3. Open the Servers folder, and then click the domain controller.
4. In the domain controller's folder, double-click NTDS Settings.
5. On the Action menu, click Properties.
6. On the General tab, view the Global Catalog check box to see if it is selected.

Vous aimerez peut-être aussi