y IPv4 means Internet Protocol version 4, whereas IPv6 means Internet Protocol

version 6.
IPv4 is 32 bits IP address that we use commonly, it can be 192.168.8.1, 10.3.4.5 or other 32
bits IP addresses. IPv4 can support up to 2
32
addresses, however the 32 bits IPv4 addresses
are finishing to be used in near future, so IPv6 is developed as a replacement.
IPv6 is 128 bits, can support up to 2
128
addresses to fulfill future needs with better security
and network related features. Here are some examples of IPv6 address:
1050:0:0:0:5:600:300c:326b
ff06::c3
0:0:0:0:0:0:192.1.56.10
<ins style="border-style: none; margin: 0px; padding: 0px; visibility: visible; width: 468px;
position: relative; height: 60px"></ins>
The most important difference is that it has a larger address space. IPv6 uses 128 bits,
instead of the 32 bits used in an IPv4 address.

There are also some changes in the header format, and some additional options, like built-in
security options. These can be added to IPv4 through additional protocols, so this is really no
big deal.
IPv4 is like 10.36.05.2 while IPv6 is one huge garble.
IPv4 is a 32 bits IP address that we use commonly, it can be 192.168.8.1, 10.3.4.5 or other
32 bits IP addresses. IPv4 can support up to 232 addresses, however the 32 bits IPv4
addresses are finishing to be used in near future, so IPv6 is developed as a replacement.

*******************************************************************
*******************************************************************

y Whut ls Actlve Dlrectory?
An uctlve dlrectory ls u dlrectory structure used on Mlcrosoft Wlndows bused computers und servers to store lnformutlon
und dutu ubout networks und domulns. It ls prlmurlly used for onllne lnformutlon und wus orlglnully creuted ln 1996. It wus
flrst used wlth Wlndows 2000.
An uctlve dlrectory (sometlmes referred to us un AD) does u vurlety of functlons lncludlng the ublllty to rovlde lnformutlon
on ob|ects, helps orgunlze these ob|ects for eusy retrlevul und uccess, ullows uccess by end users und udmlnlstrutors und
ullows the udmlnlstrutor to set securlty up for the dlrectory.
Actlve Dlrectory ls u hlerurchlcul collectlon of network resources thut cun contuln users, computers, prlnters, und other
Actlve Dlrectorles. Actlve Dlrectory Servlces (ADS) ullow udmlnlstrutors to hundle und mulntuln ull network resources from
u slngle locutlon . Actlve Dlrectory stores lnformutlon und settlngs ln u centrul dutubuse
y Whut ls LDAP?
The Llghtwelght Dlrectory Access Protocol, or LDAP , ls un uppllcutlon protocol for querylng und modlfylng dlrectory
servlces runnlng over TCP/IP. Although not yet wldely lmplemented, LDAP should eventuully muke lt posslble for ulmost
uny uppllcutlon runnlng on vlrtuully uny computer plutform to obtuln dlrectory lnformutlon, such us emull uddresses und
publlc keys. Becuuse LDAP ls un open protocol, uppllcutlons need not worry ubout the type of server hostlng the dlrectory.
y Cun you connect Actlve Dlrectory to other 3rd-purty Dlrectory Servlces? Nume u few optlons.
-Yes you cun connect other vendors Dlrectory Servlces wlth Mlcrosofts verslon.
-Yes, you cun use dlrXML or LDAP to connect to other dlrectorles (le. E-dlrectory from Novell or NDS (Novel dlrectory
System).
-Yes you cun Connect Actlve Dlrectory to other 3rd -purty Dlrectory Servlces such us dlctonurles used by SAP, Domlno etc
wlth the help of MIIS ( Mlcrosoft Identlty Integrutlon Server )
y Where ls the AD dutubuse held? Whut other folders ure reluted to AD?
AD Dutubuse ls suved ln %systemroot%/ntds. You cun see other flles ulso ln thls folder. These ure the muln flles controlllng
the AD structure
ntds.dlt
edb.log
res1.log
res2.log
edb.chk
When u chunge ls mude to the Wln2K dutubuse, trlggerlng u wrlte operutlon, Wln2K records the trunsuctlon ln the log flle
(edb.log). Once wrltten to the log flle, the chunge ls then wrltten to the AD dutubuse. System performunce determlnes how
fust the system wrltes the dutu to the AD dutubuse from the log flle. Any tlme the system ls shut down, ull trunsuctlons ure
suved to the dutubuse.
Durlng the lnstullutlon of AD, Wlndows creutes two flles: res1.log und res2.log. The lnltlul slze of euch ls 10MB. These flles
ure used to ensure thut chunges cun be wrltten to dlsk should the system run out of free dlsk spuce. The checkpolnt flle
(edb.chk) records trunsuctlons commltted to the AD dutubuse (ntds.dlt). Durlng shutdown, u shutdown stutement ls wrltten
to the edb.chk flle. Then, durlng u reboot, AD determlnes thut ull trunsuctlons ln the edb.log flle huve been commltted to the
AD dutubuse. If, for some reuson, the edb.chk flle doesnt exlst on reboot or the shutdown stutement lsnt present, AD wlll
use the edb.log flle to updute the AD dutubuse.
The lust flle ln our llst of flles to know ls the AD dutubuse ltself, ntds.dlt. By defuult, the flle ls locuted ln\NTDS, ulong wlth
the other flles weve dlscussed
y Whut ls the SYSVOL folder?
- All uctlve dlrectory dutu buse securlty reluted lnformutlon store ln SYSVOL folder und lts only creuted on NTFS purtltlon.
- The Sysvol folder on u Wlndows domuln controller ls used to repllcute flle-bused dutu umong domuln controllers. Becuuse
|unctlons ure used wlthln the Sysvol folder structure, Wlndows NT flle system (NTFS) verslon 5.0 ls requlred on domuln
controllers throughout u Wlndows dlstrlbuted flle system (DFS) forest.
Thls ls u quote from mlcrosoft themselves, buslcully the domuln controller lnfo stored ln flles llke your group pollcy stuff ls
repllcuted through thls folder structure
y Nume the AD NCs und repllcutlon lssues for euch NC
*Schemu NC, *Conflgurutlon NC, Domuln NC
Schemu NC Thls NC ls repllcuted to every other domuln controller ln the forest. It contulns lnformutlon ubout the Actlve
Dlrectory schemu, whlch ln turn deflnes the dlfferent ob|ect clusses und uttrlbutes wlthln Actlve Dlrectory.
Conflgurutlon NC Also repllcuted to every other DC ln the forest, thls NC contulns forest-wlde conflgurutlon lnformutlon
pertulnlng to the physlcul luyout of Actlve Dlrectory, us well us lnformutlon ubout dlspluy speclflers und forest-wlde Actlve
Dlrectory quotus.
Domuln NC Thls NC ls repllcuted to every other DC wlthln u slngle Actlve Dlrectory domuln. Thls ls the NC thut contulns
the most commonly-uccessed Actlve Dlrectory dutu: the uctuul users, groups, computers, und other ob|ects thut reslde
wlthln u purtlculur Actlve Dlrectory domuln.
y Whut ure uppllcutlon purtltlons? When do I use them
Appllcutlon dlrectory purtltlons: These ure speclflc to Wlndows Server 2003 domulns.
An uppllcutlon dlrectory purtltlon ls u dlrectory purtltlon thut ls repllcuted only to speclflc domuln controllers. A domuln
controller thut purtlclputes ln the repllcutlon of u purtlculur uppllcutlon dlrectory purtltlon hosts u repllcu of thut purtltlon.
Only Domuln controllers runnlng Wlndows Server 2003 cun host u repllcu of un uppllcutlon dlrectory purtltlon.
y +ow do you creute u new uppllcutlon purtltlon
http://wlkl.unswers.com/Q/+ow_do_you_creute_u_new_uppllcutlon_purtltlon
y +ow do you vlew repllcutlon propertles for AD purtltlons und DCs?
By uslng repllcutlon monltor
go to sturt > run > type replmon
y Whut ls the Globul Cutulog?
The globul cutulog contulns u complete repllcu of ull ob|ects ln Actlve Dlrectory for lts +ost domuln, und contulns u purtlul
repllcu of ull ob|ects ln Actlve Dlrectory for every other domuln ln the forest.
The globul cutulog ls u dlstrlbuted dutu reposltory thut contulns u seurchuble, purtlul representutlon of every ob|ect ln every
domuln ln u multldomuln Actlve Dlrectory forest. The globul cutulog ls stored on domuln controllers thut huve been
deslgnuted us globul cutulog servers und ls dlstrlbuted through multlmuster repllcutlon. Seurches thut ure dlrected to the
globul cutulog ure fuster becuuse they do not lnvolve referruls to dlfferent domuln controllers.
In uddltlon to conflgurutlon und schemu dlrectory purtltlon repllcus, every domuln controller ln u Wlndows 2000 Server or
Wlndows Server 2003 forest stores u full, wrltuble repllcu of u slngle domuln dlrectory purtltlon. Therefore, u domuln
controller cun locute only the ob|ects ln lts domuln. Locutlng un ob|ect ln u dlfferent domuln would requlre the user or
uppllcutlon to provlde the domuln of the requested ob|ect.
The globul cutulog provldes the ublllty to locute ob|ects from uny domuln wlthout huvlng to know the domuln nume. A globul
cutulog server ls u domuln controller thut, ln uddltlon to lts full, wrltuble domuln dlrectory purtltlon repllcu, ulso stores u
purtlul, reud-only repllcu of ull other domuln dlrectory purtltlons ln the forest. The uddltlonul domuln dlrectory purtltlons ure
purtlul becuuse only u llmlted set of uttrlbutes ls lncluded for euch ob|ect. By lncludlng only the uttrlbutes thut ure most used
for seurchlng, every ob|ect ln every domuln ln even the lurgest forest cun be represented ln the dutubuse of u slngle globul
cutulog server.
y +ow do you vlew ull the GCs ln the forest?
C:\>repudmln/showreps
domuln_controller
OR
You cun use Replmon.exe for the sume purpose.
OR
AD Sltes und Servlces und nslookup gc._msdcs.%USERDNSDOMAIN%
y Why not muke ull DCs ln u lurge forest us GCs?
The reuson thut ull DCs ure not GCs to sturt ls thut ln lurge (or even Glunt) forests the DCs would ull huve to hold u
reference to every ob|ect ln the entlre forest whlch could be qulte lurge und qulte u repllcutlon burden.
For u few hundred, or u few thousund users even, thls not llkely to mutter unless you huve reully poor WAN llnes.
y Trylng to look ut the Schemu, how cun I do thut?
udsledlt.exe
optlon to vlew the schemu
reglster schmmgmt.dll uslng thls commund
c:\wlndows\system32>regsvr32 schmmgmt.dll
Open mmc > udd snupln > udd Actlve dlrectory schemu
nume lt us schemu.msc
Open udmlnlstrutlve tool > schemu.msc
y Whut ure the Support Tools? Why do I need them?
Support Tools ure the tools thut ure used for performlng the compllcuted tusks euslly. These cun ulso be the thlrd purty tools.
Some of the Support tools lnclude DebugVlewer, DependencyVlewer, ReglstryMonltor, etc. -edlt by Cusqueheud I belelve
thls questlon ls refferlng to the Wlndows Server 2003 Support Tools, whlch ure lncluded wlth Mlcrosoft Wlndows Server
2003 Servlce Puck 2. They ure ulso uvulluble for downloud here:
http://www.mlcrosoft.com/downlouds/detulls.uspx?fumllyld=96A35011-FD83-419D-939B-A772EA2DF90&dlspluylung=en
You need them becuuse you cunnot properly munuge un Actlve Dlrectory network wlthout them.
+ere they ure, lt would do you well to fumlllurlze yourself wlth ull of them.
Acldlug.exe
Adsledlt.msc
Bltsudmln.exe
Dcdlug.exe
Dfsutll.exe
Dnsllnt.exe
Dsucls.exe
Iudstools.dll
Ktpuss.exe
Ldp.exe
Netdlug.exe
Netdom.exe
Ntfrsutl.exe
Portqry.exe
Repudmln.exe
Replmon.exe
Setspn.exe
> Whut ls REPLMON? Whut ls ADSIEDIT? Whut ls NETDOM? Whut ls REPADMIN?
ADSIEdlt ls u Mlcrosoft Munugement Console (MMC) snup-ln thut ucts us u low-level edltor for Actlve Dlrectory. It ls u
Gruphlcul User Interfuce (GUI) tool. Network udmlnlstrutors cun use lt for common udmlnlstrutlve tusks such us uddlng,
deletlng, und movlng ob|ects wlth u dlrectory servlce. The uttrlbutes for euch ob|ect cun be edlted or deleted by uslng thls
tool. ADSIEdlt uses the ADSI uppllcutlon progrummlng lnterfuces (APIs) to uccess Actlve Dlrectory. The followlng ure the
requlred flles for uslng thls tool:
ADSIEDIT.DLL
ADSIEDIT.MSC
Regurdlng system requlrements, u connectlon to un Actlve Dlrectory envlronment und Mlcrosoft Munugement Console
(MMC) ls necessury

A: Replmon ls the flrst tool you should use when troubleshootlng Actlve Dlrectory repllcutlon lssues. As lt ls u gruphlcul
tool, repllcutlon lssues ure eusy to see und somewhut eusler to dlugnose thun uslng lts commund llne counterpurts. The
purpose of thls document ls to gulde you ln how to use lt, llst some common repllcutlon errors und show some exumples of
when repllcutlon lssues cun stop other network lnstullutlon uctlons.
for more go to http://www.techtutorluls.net/urtlcles/replmon_howto_u.html
NETDOM ls u commund-llne tool thut ullows munugement of Wlndows domulns und trust relutlonshlps. It ls used for butch
munugement of trusts, |olnlng computers to domulns, verlfylng trusts, und secure chunnels
A:
Enubles udmlnlstrutors to munuge Actlve Dlrectory domulns und trust relutlonshlps from the commund prompt.
Netdom ls u commund-llne tool thut ls bullt lnto Wlndows Server 2008. It ls uvulluble lf you huve the Actlve Dlrectory
Domuln Servlces (AD DS) server role lnstulled. To use netdom, you must run the netdom commund from un elevuted
commund prompt. To open un elevuted commund prompt, cllck Sturt, rlght-cllck Commund Prompt, und then cllck Run us
udmlnlstrutor.
REPADMIN.EXE ls u commund llne tool used to monltor und troubleshoot repllcutlon on u computer runnlng Wlndows.
Thls ls u commund llne tool thut ullows you to vlew the repllcutlon topology us seen from the perspectlve of euch domuln
controller.
REPADMIN ls u bullt-ln Wlndows dlugnostlc commund-llne utlllty thut works ut the Actlve Dlrectory level. Although speclflc
to Wlndows, lt ls ulso useful for dlugnoslng some Exchunge repllcutlon problems, slnce Exchunge Server ls Actlve Dlrectory
bused.
REPADMIN doesnt uctuully flx repllcutlon problems for you. But, you cun use lt to help determlne the source of u
mulfunctlon.
y Whut ure sltes? Whut ure they used for?
Actlve dlrectory sltes, whlch conslst of well-connected networks deflned by IP subnets thut help deflne the physlcul structure
of your AD, glve you much better control over repllcutlon trufflc und uuthentlcutlon trufflc thun the control you get wlth
Wlndows NT 4.0 domulns.
Uslng Actlve Dlrectory, the network und lts ob|ects ure orgunlzed by constructs such us domulns, trees, forests, trust
relutlonshlps, orgunlzutlonul unlts (OUs), und sltes.
y Whuts the dlfference between u slte llnks schedule und lntervul?
Schedule enubles you to llst weekduys or hours when the slte llnk ls uvulluble for repllcutlon to huppen ln the glve lntervul.
Intervul ls the re occurrence of the lnter slte repllcutlon ln glven mlnutes. It runges from 15 10,080 mlns. The defuult
lntervul ls 180 mlns.
y Whut ls the KCC?
The KCC ls u bullt-ln process thut runs on ull domuln controllers und generutes repllcutlon topology for the Actlve Dlrectory
forest. The KCC creutes sepurute repllcutlon topologles dependlng on whether repllcutlon ls occurrlng wlthln u slte
(lntruslte) or between sltes (lnterslte). The KCC ulso dynumlcully ud|usts the topology to uccommodute new domuln
controllers, domuln controllers moved to und from sltes, chunglng costs und schedules, und domuln controllers thut ure
temporurlly unuvulluble.
y Whut ls the ISTG? Who hus thut role by defuult?
Interslte Topology Generutor (ISTG), whlch ls responslble for the connectlons umong the sltes. By defuult Wlndows 2003
Forest level functlonullty hus thls role. By Defuult the flrst Server hus thls role. If thut server cun no longer preform thls role
then the next server wlth the hlghest GUID then tukes over the role of ISTG.
y
Whut ure the requlrements for lnstulllng AD on u new server?
An NTFS purtltlon wlth enough free spuce (250MB mlnlmum)
An Admlnlstrutors usernume und pussword
The correct operutlng system verslon
A NIC
Properly conflgured TCP/IP (IP uddress, subnet musk und optlonul defuult gutewuy)
A network connectlon (to u hub or to unother computer vlu u crossover cuble)
An operutlonul DNS server (whlch cun be lnstulled on the DC ltself)
A Domuln nume thut you wunt to use
The Wlndows 2000 or Wlndows Server 2003 CD medlu (or ut leust the l386 folder)
From the Petrl IT Knowledge buse. For more lnfo, follow thls llnk:
http://www.petrl.co.ll/uctlve_dlrectory_lnstullutlon_requlrements.htm
y Whut cun you do to promote u server to DC lf youre ln u remote locutlon wlth slow WAN llnk?
Flrst uvulluble ln Wlndows 2003, you wlll creute u copy of the system stute from un exlstlng DC und copy lt to the new
remote server. Run Dcpromo /udv. You wlll be prompted for the locutlon of the system stute flles
y +ow cun you forclbly remove AD from u server, und whut do you do luter? Cun I get user pusswords from the AD
dutubuse?
Demote the server uslng dcpromo /forceremovul, then remove the metudutu from Actlve dlrectory uslng ndtsutll. There ls no
wuy to get user pusswords from AD thut I um uwure of, but you should stlll be uble to chunge them.
Another wuy out too
Resturt the DC ls DSRM mode
u. Locute the followlng reglstry subkey:
+KEY_LOCAL_MAC+INE\SYSTEM\CurrentControlSet\Control\ProductOptlons
b. In the rlght-pune, double-cllck ProductType.
c. Type ServerNT ln the Vulue dutu box, und then cllck OK.
Resturt the server ln normul mode
lts u member server now but AD entrles ure stlll there. Promote teh server to u fuke domuln suy ABC.com und then remove
grucefully uslng DCpromo. Else ufter resturt you cun ulso use ntdsutll to do metudutu us told ln teh eurller post
y Whut tool would I use to try to grub securlty reluted puckets from the wlre?
you must use snlffer-detectlng tools to help stop the snoops. A good pucket snlffer would be ethereul
www.ethereul.com
y Nume some OU deslgn conslderutlons ?
OU deslgn requlres bulunclng requlrements for delegutlng udmlnlstrutlve rlghts lndependent of Group Pollcy needs und
the need to scope the uppllcutlon of Group Pollcy. The followlng OU deslgn recommendutlons uddress delegutlon und scope
lssues:
Applylng Group Pollcy An OU ls the lowest-level Actlve Dlrectory contulner to whlch you cun usslgn Group Pollcy settlngs.
Delegutlng udmlnlstrutlve uuthorlty
usuully dont go more thun 3 OU levels
y Whut ls tombstone llfetlme uttrlbute?
The number of duys before u deleted ob|ect ls removed from the dlrectory servlces. Thls usslsts ln removlng ob|ects from
repllcuted servers und preventlng restores from relntroduclng u deleted ob|ect. Thls vulue ls ln the Dlrectory Servlce ob|ect
ln the conflgurutlon NIC by defuult 2000 (60 duys) 2003 (180 duys)
y
Whut do you do to lnstull u new Wlndows 2003 DC ln u Wlndows 2000 AD?
If you plun to lnstull wlndows 2003 server domuln controllers lnto un exlstlng wlndows 2000 domuln or upgrude u wlndows
2000 domuln controllers to wlndows server 2003, you flrst need to run the Adprep.exe utlllty on the wlndows 2000 domuln
controllers currently holdlng the schemu muster und lnfrustructure muster roles. The udprep / forestprer commund must flrst
be lssued on the wlndows 2000 server holdlng schemu muster role ln the forest root domun to prepure the exlstlng schemu
to support wlndows 2003 uctlve dlrectory. The udprep /domulnprep commund must be lssued on the sever holdlng the
lnfrustructure muster role ln the domuln where 2000 server wlll be deployed.
y Whut do you do to lnstull u new Wlndows 2003 R2 DC ln u Wlndows 2003 AD?
A. If youre lnstulllng Wlndows 2003 R2 on un exlstlng Wlndows 2003 server wlth SP1 lnstulled, you requlre only the
second R2 CD-ROM. Insert the second CD und the r2uuto.exe wlll dlspluy the Wlndows 2003 R2 Contlnue Setup screen.
If youre lnstulllng R2 on u domuln controller (DC), you must flrst upgrude the schemu to the R2 verslon (thls ls u mlnor
chunge und mostly reluted to the new Dfs repllcutlon englne). To updute the schemu, run the Adprep utlllty, whlch youll
flnd ln the Cmpnents\r2\udprep folder on the second CD-ROM. Before runnlng thls commund, ensure ull DCs ure runnlng
Wlndows 2003 or Wlndows 2000 wlth SP2 (or luter)
y +ow would you flnd ull users thut huve not logged on slnce lust month?
http://wlkl.unswers.com/Q/+ow_would_you_flnd_ull_users_thut_huve_not_logged_on_slnce_lust_month
y Whut ure the DScommunds?
New DS (Dlrectory Servlce) Fumlly of bullt-ln commund llne utllltles for Wlndows Server 2003 Actlve Dlrectory
New DS bullt-ln tools for Wlndows Server 2003
The DS (Dlrectory Servlce) group of communds ure spllt lnto two fumllles. In one brunch ure DSudd, DSmod, DSrm und
DSMove und ln the other brunch ure DSQuery und DSGet.
When lt comes to chooslng u scrlptlng tool for Actlve Dlrectory ob|ects, you reully ure spollt for cholce. The the DS fumlly of
bullt-ln commund llne executubles offer ulternutlve strutegles to CSVDE, LDIFDE und VBScrlpt.
Let me lntroduce you to the members of the DS fumlly:
DSudd udd Actlve Dlrectory users und groups
DSmod modlfy Actlve Dlrectory ob|ects
DSrm to delete Actlve Dlrectory ob|ects
DSmove to relocute ob|ects
DSQuery to flnd ob|ects thut mutch your query uttrlbutes
DSget llst the propertles of un ob|ect
y Whut ure the FSMO roles? Who hus them by defuult? Whut huppens when euch one fulls?
FSMO stunds for the Flexlble slngle Muster Operutlon
It hus 5 Roles: -
y Schemu Muster:
The schemu muster domuln controller controls ull updutes und modlflcutlons to the schemu. Once the Schemu updute ls
complete, lt ls repllcuted from the schemu muster to ull other DCs ln the dlrectory. To updute the schemu of u forest, you
must huve uccess to the schemu muster. There cun be only one schemu muster ln the whole forest.
y Domuln numlng muster:
The domuln numlng muster domuln controller controls the uddltlon or removul of domulns ln the forest. Thls DC ls the only
one thut cun udd or remove u domuln from the dlrectory. It cun ulso udd or remove cross references to domulns ln externul
dlrectorles. There cun be only one domuln numlng muster ln the whole forest.
y Infrustructure Muster:
When un ob|ect ln one domuln ls referenced by unother ob|ect ln unother domuln, lt represents the reference by the GUID,
the SID (for references to securlty prlnclpuls), und the DN of the ob|ect belng referenced. The lnfrustructure FSMO role
holder ls the DC responslble for updutlng un ob|ects SID und dlstlngulshed nume ln u cross-domuln ob|ect reference. At
uny one tlme, there cun be only one domuln controller uctlng us the lnfrustructure muster ln euch domuln.
Note: The Infrustructure Muster (IM) role should be held by u domuln controller thut ls not u Globul Cutulog server (GC). If
the Infrustructure Muster runs on u Globul Cutulog server lt wlll stop updutlng ob|ect lnformutlon becuuse lt does not contuln
uny references to ob|ects thut lt does not hold. Thls ls becuuse u Globul Cutulog server holds u purtlul repllcu of every ob|ect
ln the forest. As u result, cross-domuln ob|ect references ln thut domuln wlll not be upduted und u wurnlng to thut effect wlll
be logged on thut DCs event log. If ull the domuln controllers ln u domuln ulso host the globul cutulog, ull the domuln
controllers huve the current dutu, und lt ls not lmportunt whlch domuln controller holds the lnfrustructure muster role.
y Relutlve ID (RID) Muster:
The RID muster ls responslble for processlng RID pool requests from ull domuln controllers ln u purtlculur domuln. When u
DC creutes u securlty prlnclpul ob|ect such us u user or group, lt uttuches u unlque Securlty ID (SID) to the ob|ect. Thls SID
conslsts of u domuln SID (the sume for ull SIDs creuted ln u domuln), und u relutlve ID (RID) thut ls unlque for euch securlty
prlnclpul SID creuted ln u domuln. Euch DC ln u domuln ls ullocuted u pool of RIDs thut lt ls ullowed to usslgn to the
securlty prlnclpuls lt creutes. When u DCs ullocuted RID pool fulls below u threshold, thut DC lssues u request for
uddltlonul RIDs to the domulns RID muster. The domuln RID muster responds to the request by retrlevlng RIDs from the
domulns unullocuted RID pool und usslgns them to the pool of the requestlng DC. At uny one tlme, there cun be only one
domuln controller uctlng us the RID muster ln the domuln.
y PDC Emulutor:
The PDC emulutor ls necessury to synchronlze tlme ln un enterprlse. Wlndows 2000/2003 lncludes the W32Tlme (Wlndows
Tlme) tlme servlce thut ls requlred by the Kerberos uuthentlcutlon protocol. All Wlndows 2000/2003-bused computers wlthln
un enterprlse use u common tlme. The purpose of the tlme servlce ls to ensure thut the Wlndows Tlme servlce uses u
hlerurchlcul relutlonshlp thut controls uuthorlty und does not permlt loops to ensure upproprlute common tlme usuge.
The PDC emulutor of u domuln ls uuthorltutlve for the domuln. The PDC emulutor ut the root of the forest becomes
uuthorltutlve for the enterprlse, und should be conflgured to guther the tlme from un externul source. All PDC FSMO role
holders follow the hlerurchy of domulns ln the selectlon of thelr ln-bound tlme purtner.
:: In u Wlndows 2000/2003 domuln, the PDC emulutor role holder retulns the followlng functlons:
:: Pussword chunges performed by other DCs ln the domuln ure repllcuted preferentlully to the PDC emulutor.
Authentlcutlon fullures thut occur ut u glven DC ln u domuln becuuse of un lncorrect pussword ure forwurded to the PDC
emulutor before u bud pussword fullure messuge ls reported to the user.
Account lockout ls processed on the PDC emulutor.
Edltlng or creutlon of Group Pollcy Ob|ects (GPO) ls ulwuys done from the GPO copy found ln the PDC Emulutors
SYSVOL shure, unless conflgured not to do so by the udmlnlstrutor.
The PDC emulutor performs ull of the functlonullty thut u Mlcrosoft Wlndows NT 4.0 Server-bused PDC or eurller PDC
performs for Wlndows NT 4.0-bused or eurller cllents.
Thls purt of the PDC emulutor role becomes unnecessury when ull workstutlons, member servers, und domuln controllers
thut ure runnlng Wlndows NT 4.0 or eurller ure ull upgruded to Wlndows 2000/2003. The PDC emulutor stlll performs the
other functlons us descrlbed ln u Wlndows 2000/2003 envlronment.
y Whut FSMO plucement conslderutlons do you know of?
Wlndows 2000/2003 Actlve Dlrectory domulns utlllze u Slngle Operutlon Muster method culled FSMO (Flexlble Slngle
Muster Operutlon), us descrlbed ln Understundlng FSMO Roles ln Actlve Dlrectory.
In most cuses un udmlnlstrutor cun keep the FSMO role holders (ull 5 of them) ln the sume spot (or uctuully, on the sume
DC) us hus been conflgured by the Actlve Dlrectory lnstullutlon process. +owever, there ure scenurlos where un
udmlnlstrutor would wunt to move one or more of the FSMO roles from the defuult holder DC to u dlfferent DC.
Wlndows Server 2003 Actlve Dlrectory ls u blt dlfferent thun the Wlndows 2000 verslon when deullng wlth FSMO
plucement. In thls urtlcle I wlll only deul wlth Wlndows Server 2003 Actlve Dlrectory, but you should beur ln mlnd thut most
conslderutlons ure ulso true when plunnlng Wlndows 2000 AD FSMO roles
y Whuts the dlfference between trunsferrlng u FSMO role und selzlng one? Whlch one should you NOT selze? Why?
Certuln domuln und enterprlse-wlde operutlons thut ure not good for multl-muster updutes ure performed by u slngle domuln
controller ln un Actlve Dlrectory domuln or forest. The domuln controllers thut ure usslgned to perform these unlque
operutlons ure culled operutlons musters or FSMO role holders.
The followlng llst descrlbes the 5 unlque FSMO roles ln un Actlve Dlrectory forest und the dependent operutlons thut they
perform:
y Schemu muster The Schemu muster role ls forest-wlde und there ls one for euch forest. Thls role ls requlred to extend
the schemu of un Actlve Dlrectory forest or to run the udprep /domulnprep commund.
y Domuln numlng muster The Domuln numlng muster role ls forest-wlde und there ls one for euch forest. Thls role ls
requlred to udd or remove domulns or uppllcutlon purtltlons to or from u forest.
y RID muster The RID muster role ls domuln-wlde und there ls one for euch domuln. Thls role ls requlred to ullocute the
RID pool so thut new or exlstlng domuln controllers cun creute user uccounts, computer uccounts or securlty groups.
y PDC emulutor The PDC emulutor role ls domuln-wlde und there ls one for euch domuln. Thls role ls requlred for the
domuln controller thut sends dutubuse updutes to Wlndows NT buckup domuln controllers. The domuln controller thut
owns thls role ls ulso turgeted by certuln udmlnlstrutlon tools und updutes to user uccount und computer uccount
pusswords.
y Infrustructure muster The Infrustructure muster role ls domuln-wlde und there ls one for euch domuln. Thls role ls
requlred for domuln controllers to run the udprep /forestprep commund successfully und to updute SID uttrlbutes und
dlstlngulshed nume uttrlbutes for ob|ects thut ure referenced ucross domulns.
The Actlve Dlrectory Instullutlon Wlzurd (Dcpromo.exe) usslgns ull 5 FSMO roles to the flrst domuln controller ln the forest
root domuln. The flrst domuln controller ln euch new chlld or tree domuln ls usslgned the three domuln-wlde roles. Domuln
controllers contlnue to own FSMO roles untll they ure reusslgned by uslng one of the followlng methods:
y An udmlnlstrutor reusslgns the role by uslng u GUI udmlnlstrutlve tool.
y An udmlnlstrutor reusslgns the role by uslng the ntdsutll /roles commund.
y An udmlnlstrutor grucefully demotes u role-holdlng domuln controller by uslng the Actlve Dlrectory Instullutlon Wlzurd.
Thls wlzurd reusslgns uny locully-held roles to un exlstlng domuln controller ln the forest. Demotlons thut ure performed
by uslng the dcpromo /forceremovul commund leuve FSMO roles ln un lnvulld stute untll they ure reusslgned by un
udmlnlstrutor.
We recommend thut you trunsfer FSMO roles ln the followlng scenurlos:
y The current role holder ls operutlonul und cun be uccessed on the network by the new FSMO owner.
y You ure grucefully demotlng u domuln controller thut currently owns FSMO roles thut you wunt to usslgn to u speclflc
domuln controller ln your Actlve Dlrectory forest.
y The domuln controller thut currently owns FSMO roles ls belng tuken offllne for scheduled mulntenunce und you need
speclflc FSMO roles to be usslgned to u llve domuln controller. Thls muy be requlred to perform operutlons thut
connect to the FSMO owner. Thls would be especlully true for the PDC Emulutor role but less true for the RID muster
role, the Domuln numlng muster role und the Schemu muster roles.
We recommend thut you selze FSMO roles ln the followlng scenurlos:
y The current role holder ls experlenclng un operutlonul error thut prevents un FSMO-dependent operutlon from
completlng successfully und thut role cunnot be trunsferred.
y A domuln controller thut owns un FSMO role ls force-demoted by uslng the dcpromo /forceremovul commund.
y The operutlng system on the computer thut orlglnully owned u speclflc role no longer exlsts or hus been relnstulled.
As repllcutlon occurs, non-FSMO domuln controllers ln the domuln or forest guln full knowledge of chunges thut ure mude
by FSMO-holdlng domuln controllers. If you must trunsfer u role, the best cundldute domuln controller ls one thut ls ln the
upproprlute domuln thut lust lnbound-repllcuted, or recently lnbound-repllcuted u wrltuble copy of the FSMO purtltlon from
the exlstlng role holder. For exumple, the Schemu muster role-holder hus u dlstlngulshed nume puth of
CN=schemu,CN=conflgurutlon,dc=<forest root domuln>, und thls meun thut roles reslde ln und ure repllcuted us purt of the
CN=schemu purtltlon. If the domuln controller thut holds the Schemu muster role experlences u hurdwure or softwure
fullure, u good cundldute role-holder would be u domuln controller ln the root domuln und ln the sume Actlve Dlrectory slte
us the current owner. Domuln controllers ln the sume Actlve Dlrectory slte perform lnbound repllcutlon every 5 mlnutes or
15 seconds.
A domuln controller whose FSMO roles huve been selzed should not be permltted to communlcute wlth exlstlng domuln
controllers ln the forest. In thls scenurlo, you should elther formut the hurd dlsk und relnstull the operutlng system on such
domuln controllers or forclbly demote such domuln controllers on u prlvute network und then remove thelr metudutu on u
survlvlng domuln controller ln the forest by uslng the ntdsutll /metudutu cleunup commund. The rlsk of lntroduclng u former
FSMO role holder whose role hus been selzed lnto the forest ls thut the orlglnul role holder muy contlnue to operute us
before untll lt lnbound-repllcutes knowledge of the role selzure. Known rlsks of two domuln controllers ownlng the sume
FSMO roles lnclude creutlng securlty prlnclpuls thut huve overlupplng RID pools, und other problems.
Transfer FSMO roles
To trunsfer the FSMO roles by uslng the Ntdsutll utlllty, follow these steps:
1. Log on to u Wlndows 2000 Server-bused or Wlndows Server 2003-bused member computer or domuln controller thut ls
locuted ln the forest where FSMO roles ure belng trunsferred. We recommend thut you log on to the domuln controller
thut you ure usslgnlng FSMO roles to. The logged-on user should be u member of the Enterprlse Admlnlstrutors group
to trunsfer Schemu muster or Domuln numlng muster roles, or u member of the Domuln Admlnlstrutors group of the
domuln where the PDC emulutor, RID muster und the Infrustructure muster roles ure belng trunsferred.
2. Cllck Sturt, cllck Run, type ntdsutll ln the Open box, und then cllck OK.
3. Type roles, und then press ENTER.Note To see u llst of uvulluble communds ut uny one of the prompts ln the Ntdsutll
utlllty, type ?, und then press ENTER.
4. Type connectlons, und then press ENTER.
5. Type connect to server servernume, und then press ENTER, where servernume ls the nume of the domuln controller you
wunt to usslgn the FSMO role to.
6. At the server connectlons prompt, type q, und then press ENTER.
7. Type trunsfer role, where role ls the role thut you wunt to trunsfer. For u llst of roles thut you cun trunsfer, type ? ut the
fsmo mulntenunce prompt, und then press ENTER, or see the llst of roles ut the sturt of thls urtlcle. For exumple, to
trunsfer the RID muster role, type trunsfer rld muster. The one exceptlon ls for the PDC emulutor role, whose syntux ls
trunsfer pdc, not trunsfer pdc emulutor.
8. At the fsmo mulntenunce prompt, type q, und then press ENTER to guln uccess to the ntdsutll prompt. Type q, und then
press ENTER to qult the Ntdsutll utlllty.
Seize FSMO roles
To selze the FSMO roles by uslng the Ntdsutll utlllty, follow these steps:
1. Log on to u Wlndows 2000 Server-bused or Wlndows Server 2003-bused member computer or domuln controller thut ls
locuted ln the forest where FSMO roles ure belng selzed. We recommend thut you log on to the domuln controller thut
you ure usslgnlng FSMO roles to. The logged-on user should be u member of the Enterprlse Admlnlstrutors group to
trunsfer schemu or domuln numlng muster roles, or u member of the Domuln Admlnlstrutors group of the domuln where
the PDC emulutor, RID muster und the Infrustructure muster roles ure belng trunsferred.
2. Cllck Sturt, cllck Run, type ntdsutll ln the Open box, und then cllck OK.
3. Type roles, und then press ENTER.
4. Type connectlons, und then press ENTER.
5. Type connect to server servernume, und then press ENTER, where servernume ls the nume of the domuln controller thut
you wunt to usslgn the FSMO role to.
6. At the server connectlons prompt, type q, und then press ENTER.
7. Type selze role, where role ls the role thut you wunt to selze. For u llst of roles thut you cun selze, type ? ut the fsmo
mulntenunce prompt, und then press ENTER, or see the llst of roles ut the sturt of thls urtlcle. For exumple, to selze the
RID muster role, type selze rld muster. The one exceptlon ls for the PDC emulutor role, whose syntux ls selze pdc, not
selze pdc emulutor.
8. At the fsmo mulntenunce prompt, type q, und then press ENTER to guln uccess to the ntdsutll prompt. Type q, und then
press ENTER to qult the Ntdsutll utlllty.Notes
o Under typlcul condltlons, ull flve roles must be usslgned to llve domuln controllers ln the forest. If u domuln
controller thut owns u FSMO role ls tuken out of servlce before lts roles ure trunsferred, you must selze ull
roles to un upproprlute und heulthy domuln controller. We recommend thut you only selze ull roles when the
other domuln controller ls not returnlng to the domuln. If lt ls posslble, flx the broken domuln controller thut ls
usslgned the FSMO roles. You should determlne whlch roles ure to be on whlch remulnlng domuln controllers
so thut ull flve roles ure usslgned to u slngle domuln controller. For more lnformutlon ubout FSMO role
plucement, cllck the followlng urtlcle number to vlew the urtlcle ln the Mlcrosoft Knowledge Buse: 223346
(http://support.mlcrosoft.com/kb/223346/ ) FSMO plucement und optlmlzutlon on Wlndows 2000 domuln
controllers
o If the domuln controller thut formerly held uny FSMO role ls not present ln the domuln und lf lt hus hud lts
roles selzed by uslng the steps ln thls urtlcle, remove lt from the Actlve Dlrectory by followlng the procedure
thut ls outllned ln the followlng Mlcrosoft Knowledge Buse urtlcle: 216498
(http://support.mlcrosoft.com/kb/216498/ ) +ow to remove dutu ln uctlve dlrectory ufter un unsuccessful
domuln controller demotlon
o Removlng domuln controller metudutu wlth the Wlndows 2000 verslon or the Wlndows Server 2003 bulld
3790 verslon of the ntdsutll /metudutu cleunup commund does not relocute FSMO roles thut ure usslgned to
llve domuln controllers. The Wlndows Server 2003 Servlce Puck 1 (SP1) verslon of the Ntdsutll utlllty
uutomutes thls tusk und removes uddltlonul elements of domuln controller metudutu.
o Some customers prefer not to restore system stute buckups of FSMO role-holders ln cuse the role hus been
reusslgned slnce the buckup wus mude.
o Do not put the Infrustructure muster role on the sume domuln controller us the globul cutulog server. If the
Infrustructure muster runs on u globul cutulog server lt stops updutlng ob|ect lnformutlon becuuse lt does not
contuln uny references to ob|ects thut lt does not hold. Thls ls becuuse u globul cutulog server holds u purtlul
repllcu of every ob|ect ln the forest.
To test whether u domuln controller ls ulso u globul cutulog server:
1. Cllck Sturt, polnt to Progrums, polnt to Admlnlstrutlve Tools, und then cllck Actlve Dlrectory Sltes und Servlces.
2. Double-cllck Sltes ln the left pune, und then locute the upproprlute slte or cllck Defuult-flrst-slte-nume lf no other sltes
ure uvulluble.
3. Open the Servers folder, und then cllck the domuln controller.
4. In the domuln controllers folder, double-cllck NTDS Settlngs.
5. On the Actlon menu, cllck Propertles.
6. On the Generul tub, vlew the Globul Cutulog check box to see lf lt ls selected.
For more lnformutlon ubout FSMO roles, cllck the followlng urtlcle numbers to vlew the urtlcles ln the Mlcrosoft Knowledge
Buse:
y +ow do you conflgure u stund-by operutlon muster for uny of the roles?
1. Open Actlve Dlrectory Sltes und Servlces.
2. Expund the slte nume ln whlch the stundby operutlons muster ls locuted to dlspluy the Servers folder.
3. Expund the Servers folder to see u llst of the servers ln thut slte.
4. Expund the nume of the server thut you wunt to be the stundby operutlons muster to dlspluy lts NTDS Settlngs.
5. Rlght-cllck NTDS Settlngs, cllck New, und then cllck Connectlon.
6. In the Flnd Domuln Controllers dlulog box, select the nume of the current role holder, und then cllck OK.
7. In the New Ob|ect-Connectlon dlulog box, enter un upproprlute nume for the Connectlon ob|ect or uccept the defuult
nume, und cllck OK.
y +ow do you buckup AD?
Bucklng up Actlve Dlrectory ls essentlul to mulntuln un Actlve Dlrectory dutubuse. You cun buck up Actlve Dlrectory by
uslng the Gruphlcul User Interfuce (GUI) und commund-llne tools thut the Wlndows Server 2003 fumlly provldes.
You frequently buckup the system stute dutu on domuln controllers so thut you cun restore the most current dutu. By
estubllshlng u regulur buckup schedule, you huve u better chunce of recoverlng dutu when necessury.
To ensure u good buckup lncludes ut leust the system stute dutu und contents of the system dlsk, you must be uwure of the
tombstone llfetlme. By defuult, the tombstone ls 60 duys. Any buckup older thun 60 duys ls not u good buckup. Plun to
buckup ut leust two domuln controllers ln euch domuln, one of ut leust one buckup to enuble un uuthorltutlve restore of the
dutu when necessury.
System Stute Dutu
Severul feutures ln the wlndows server 2003 fumlly muke lt eusy to buckup Actlve Dlrectory. You cun buckup Actlve
Dlrectory whlle the server ls onllne und other network functlon cun contlnue to functlon.
System stute dutu on u domuln controller lncludes the followlng components:
Actlve Dlrectory system stute dutu does not contuln Actlve Dlrectory unless the server, on whlch you ure bucklng up the
system stute dutu, ls u domuln controller. Actlve Dlrectory ls present only on domuln controllers.
The SYSVOL shured folder: Thls shured folder contulns Group pollcy templutes und logon scrlpts. The SYSVOL shured
folder ls present only on domuln controllers.
The Reglstry: Thls dutubuse reposltory contulns lnformutlon ubout the computers conflgurutlon.
System sturtup flles: Wlndows Server 2003 requlres these flles durlng lts lnltlul sturtup phuse. They lnclude the boot und
system flles thut ure under wlndows flle protectlon und used by wlndows to loud, conflgure, und run the operutlng system.
The COM+ Cluss Reglstrutlon dutubuse: The Cluss reglstrutlon ls u dutubuse of lnformutlon ubout Component Servlces
uppllcutlons.
The Certlflcute Servlces dutubuse: Thls dutubuse contulns certlflcutes thut u server runnlng Wlndows server 2003 uses to
uuthentlcute users. The Certlflcute Servlces dutubuse ls present only lf the server ls operutlng us u certlflcute server.
System stute dutu contulns most elements of u systems conflgurutlon, but lt muy not lnclude ull of the lnformutlon thut you
requlre recoverlng dutu from u system fullure. Therefore, be sure to buckup ull boot und system volumes, lncludlng the
System Stute, when you buck up your server.
Restorlng Actlve Dlrectory
In Wlndows Server 2003 fumlly, you cun restore the Actlve Dlrectory dutubuse lf lt becomes corrupted or ls destroyed
becuuse of hurdwure or softwure fullures. You must restore the Actlve Dlrectory dutubuse when ob|ects ln Actlve Dlrectory
ure chunged or deleted.
Actlve Dlrectory restore cun be performed ln severul wuys. Repllcutlon synchronlzes the lutest chunges from every other
repllcutlon purtner. Once the repllcutlon ls flnlshed euch purtner hus un upduted verslon of Actlve Dlrectory. There ls
unother wuy to get these lutest updutes by Buckup utlllty to restore repllcuted dutu from u buckup copy. For thls restore you
dont need to conflgure uguln your domuln controller or no need to lnstull the operutlng system from scrutch.
Actlve Dlrectory Restore Methods
You cun use one of the three methods to restore Actlve Dlrectory from buckup medlu: prlmury restore, normul (non
uuthorltutlve) restore, und uuthorltutlve restore.
Prlmury restore: Thls method rebullds the flrst domuln controller ln u domuln when there ls no other wuy to rebulld the
domuln. Perform u prlmury restore only when ull the domuln controllers ln the domuln ure lost, und you wunt to rebulld the
domuln from the buckup.
Members of Admlnlstrutors group cun perform the prlmury restore on locul computer, or user should huve been deleguted
wlth thls responslblllty to perform restore. On u domuln controller only Domuln Admlns cun perform thls restore.
Normul restore: Thls method relnstutes the Actlve Dlrectory dutu to the stute before the buckup, und then updutes the dutu
through the normul repllcutlon process. Perform u normul restore for u slngle domuln controller to u prevlously known good
stute.
Authorltutlve restore: You perform thls method ln tundem wlth u normul restore. An uuthorltutlve restore murks speclflc dutu
us current und prevents the repllcutlon from overwrltlng thut dutu. The uuthorltutlve dutu ls then repllcuted through the
domuln.
Perform un uuthorltutlve restore lndlvlduul ob|ect ln u domuln thut hus multlple domuln controllers. When you perform un
uuthorltutlve restore, you lose ull chunges to the restore ob|ect thut occurred ufter the buckup. Ntdsutll ls u commund llne
utlllty to perform un uuthorltutlve restore ulong wlth wlndows server 2003 system utllltles. The Ntdsutll commund-llne tool ls
un executuble flle thut you use to murk Actlve Dlrectory ob|ects us uuthorltutlve so thut they recelve u hlgher verslon
recently chunged dutu on other domuln controllers does not overwrlte system stute dutu durlng repllcutlon.
y +ow do you restore AD?

Restorlng Actlve Dlrectory :
In Wlndows Server 2003 fumlly, you cun restore the Actlve Dlrectory dutubuse lf lt becomes corrupted or ls destroyed
becuuse of hurdwure or softwure fullures. You must restore the Actlve Dlrectory dutubuse when ob|ects ln Actlve Dlrectory
ure chunged or deleted.
Actlve Dlrectory restore cun be performed ln severul wuys. Repllcutlon synchronlzes the lutest chunges from every other
repllcutlon purtner. Once the repllcutlon ls flnlshed euch purtner hus un upduted verslon of Actlve Dlrectory. There ls
unother wuy to get these lutest updutes by Buckup utlllty to restore repllcuted dutu from u buckup copy. For thls restore you
dont need to conflgure uguln your domuln controller or no need to lnstull the operutlng system from scrutch.
Actlve Dlrectory Restore Methods
You cun use one of the three methods to restore Actlve Dlrectory from buckup medlu: prlmury restore, normul (non
uuthorltutlve) restore, und uuthorltutlve restore.
Prlmury restore: Thls method rebullds the flrst domuln controller ln u domuln when there ls no other wuy to rebulld the
domuln. Perform u prlmury restore only when ull the domuln controllers ln the domuln ure lost, und you wunt to rebulld the
domuln from the buckup.
Members of Admlnlstrutors group cun perform the prlmury restore on locul computer, or user should huve been deleguted
wlth thls responslblllty to perform restore. On u domuln controller only Domuln Admlns cun perform thls restore.
Normul restore: Thls method relnstutes the Actlve Dlrectory dutu to the stute before the buckup, und then updutes the dutu
through the normul repllcutlon process. Perform u normul restore for u slngle domuln controller to u prevlously known good
stute.
Authorltutlve restore: You perform thls method ln tundem wlth u normul restore. An uuthorltutlve restore murks speclflc dutu
us current und prevents the repllcutlon from overwrltlng thut dutu. The uuthorltutlve dutu ls then repllcuted through the
domuln.
Perform un uuthorltutlve restore lndlvlduul ob|ect ln u domuln thut hus multlple domuln controllers. When you perform un
uuthorltutlve restore, you lose ull chunges to the restore ob|ect thut occurred ufter the buckup. Ntdsutll ls u commund llne
utlllty to perform un uuthorltutlve restore ulong wlth wlndows server 2003 system utllltles. The Ntdsutll commund-llne tool ls
un executuble flle thut you use to murk Actlve Dlrectory ob|ects us uuthorltutlve so thut they recelve u hlgher verslon
recently chunged dutu on other domuln controllers does not overwrlte system stute dutu durlng repllcutlon.
METHOD
A.
You cunt restore Actlve Dlrectory (AD) to u domuln controller (DC) whlle the Dlrectory Servlce (DS) ls runnlng. To restore
AD, perform the followlng steps.
Reboot the computer.
At the boot menu, select Wlndows 2000 Server. Dont press Enter. Insteud, press F8 for udvunced optlons. Youll see the
followlng text. OS Louder V5.0
Wlndows NT Advunced Optlons Menu
Pleuse select un optlon:
Sufe Mode
Sufe Mode wlth Networklng
Sufe Mode wlth Commund Prompt
Enuble Boot Logglng
Enuble VGA Mode
Lust Known Good Conflgurutlon
Dlrectory Servlces Restore Mode (Wlndows NT domuln controllers only)
Debugglng Mode
Use | und | to move the hlghllght to your cholce.
Press Enter to choose.
Scroll down, und select Dlrectory Servlces Restore Mode (Wlndows NT domuln controllers only).
Press Enter.
When you return to the Wlndows 2000 Server boot menu, press Enter. At the bottom of the screen, youll see ln red text
Dlrectory Servlces Restore Mode (Wlndows NT domuln controllers only).
The computer wlll boot lnto u speclul sufe mode und wont sturt the DS. Be uwure thut durlng thls tlme the muchlne wont
uct us u DC und wont perform functlons such us uuthentlcutlon.
Sturt NT Buckup.
Select the Restore tub.
Select the buckup medlu, und select System Stute.
Cllck Sturt Restore.
Cllck OK ln the conflrmutlon dlulog box.
After you restore the buckup, reboot the computer und sturt ln normul mode to use the restored lnformutlon. The computer
mlght hung ufter the restore completes; Sometlmes lt tukes u 30-mlnute wult on some muchlnes.
y +ow do you chunge the DS Restore udmln pussword?
When you promote u Wlndows 2000 Server-bused computer to u domuln controller, you ure prompted to type u Dlrectory
Servlce Restore Mode Admlnlstrutor pussword. Thls pussword ls ulso used by Recovery Console, und ls sepurute from the
Admlnlstrutor pussword thut ls stored ln Actlve Dlrectory ufter u completed promotlon.
The Admlnlstrutor pussword thut you use when you sturt Recovery Console or when you press F8 to sturt Dlrectory Servlce
Restore Mode ls stored ln the reglstry-bused Securlty Accounts Munuger (SAM) on the locul computer. The SAM ls locuted
ln the\System32\Conflg folder. The SAM-bused uccount und pussword ure computer speclflc und they ure not repllcuted to
other domuln controllers ln the domuln.
For euse of udmlnlstrutlon of domuln controllers or for uddltlonul securlty meusures, you cun chunge the Admlnlstrutor
pussword for the locul SAM. To chunge the locul Admlnlstrutor pussword thut you use when you sturt Recovery Console or
when you sturt Dlrectory Servlce Restore Mode, use the followlng method.
1. Log on to the computer us the udmlnlstrutor or u user who ls u member of the Admlnlstrutors group. 2. Shut down the
domuln controller on whlch you wunt to chunge the pussword. 3. Resturt the computer. When the selectlon menu screen ls
dlspluyed durlng restur, press F8 to vlew udvunced sturtup optlons. 4. Cllck the Dlrectory Servlce Restore Mode optlon. 5.
After you log on, use one of the followlng methods to chunge the locul Admlnlstrutor pussword: At u commund prompt,
type the followlng commund:
net user udmlnlstrutor
Use the Locul User und Groups snup-ln (Lusrmgr.msc) to chunge the Admlnlstrutor pussword. 6. Shut down und resturt
the computer. You cun now use the Admlnlstrutor uccount to log on to Recovery Console or Dlrectory Servlces Restore
Mode uslng the new pussword.
y Why cunt you restore u DC thut wus bucked up 4 months ugo?
Becuuse of the tombstone llfe whlch ls set to only 60 duys
y Whut ure GPOs?
Group Pollcy glves you udmlnlstrutlve control over users und computers ln your network. By uslng Group Pollcy, you cun
deflne the stute of u users work envlronment once, und then rely on Wlndows Server 2003 to contlnuully force the Group
Pollcy settlngs thut you upply ucross un entlre orgunlzutlon or to speclflc groups of users und computers.
Group Pollcy Advuntuges
You cun usslgn group pollcy ln domulns, sltes und orgunlzutlonul unlts.
All users und computers get reflected by group pollcy settlngs ln domuln, slte und orgunlzutlonul unlt.
No one ln network hus rlghts to chunge the settlngs of Group pollcy; by defuult only udmlnlstrutor hus full prlvllege to
chunge, so lt ls very secure.
Pollcy settlngs cun be removed und cun further rewrlte the chunges.
Where GPOs store Group Pollcy Informutlon
Group Pollcy ob|ects store thelr Group Pollcy lnformutlon ln two locutlons:
Group Pollcy Contulner: The GPC ls un Actlve Dlrectory ob|ect thut contulns GPO stutus, verslon lnformutlon, WMI fllter
lnformutlon, und u llst of components thut huve settlngs ln the GPO. Computers cun uccess the GPC to locute Group Pollcy
templutes, und domuln controller does not huve the most recent verslon of the GPO, repllcutlon occurs to obtuln the lutest
verslon of the GPO.
Group Pollcy Templute: The GPT ls u folder hlerurchy ln the shured SYSVOL folder on u domuln controller. When you
creute GPO, Wlndows Server 2003 creutes the correspondlng GPT whlch contulns ull Group Pollcy settlngs und
lnformutlon, lncludlng udmlnlstrutlve templutes, securlty, softwure lnstullutlon, scrlpts, und folder redlrectlon settlngs.
Computers connect to the SYSVOL folder to obtuln the settlngs.
The nume of the GPT folder ls the Globully Unlque Identlfler (GUID) of the GPO thut you creuted. It ls ldentlcul to the GUID
thut Actlve Dlrectory uses to ldentlfy the GPO ln the GPC. The puth to the GPT on u domuln controller ls
systemroot\SYSVOL\sysvol.
Munuglng GPOs
To uvold confllcts ln repllcutlon, conslder the selectlon of domuln controller, especlully becuuse the GPO dutu resldes ln
SYSVOL folder und the Actlve Dlrectory. Actlve Dlrectory uses two lndependent repllcutlon technlques to repllcute GPO
dutu umong ull domuln controllers ln the domuln. If two udmlnlstrutors chunges cun overwrlte those mude by other
udmlnlstrutor, depends on the repllcutlon lutency. By defuult the Group Pollcy Munugement console uses the PDC Emulutor
so thut ull udmlnlstrutors cun work on the sume domuln controller.
WMI Fllter
WMI fllters ls use to get the current scope of GPOs bused on uttrlbutes of the user or computer. In thls wuy, you cun
lncreuse the GPOs fllterlng cupubllltles beyond the securlty group fllterlng mechunlsms thut were prevlously uvulluble.
Llnklng cun be done wlth WMI fllter to u GPO. When you upply u GPO to the destlnutlon computer, Actlve Dlrectory
evuluutes the fllter on the destlnutlon computer. A WMI fllter hus few querles thut uctlve Dlrectory evuluutes ln pluce of
WMI reposltory of the destlnutlon computer. If the set of querles ls fulse, Actlve Dlrectory does not upply the GPO. If set of
querles ure true, Actlve Dlrectory upplles the GPO. You wrlte the query by uslng the WMI Query Lunguuge (WQL); thls
lunguuge ls slmllur to querylng SQL for WMI reposltory.
Plunnlng u Group Pollcy Strutegy for the Enterprlse
When you plun un Actlve Dlrectory structure, creute u plun for GPO lnherltunce, udmlnlstrutlon, und deployment thut
provldes the most efflclent Group Pollcy munugement for your orgunlzutlon.
Also conslder how you wlll lmplement Group Pollcy for the orgunlzutlon. Be sure to conslder the delegutlon of uuthorlty,
sepurutlon of udmlnlstrutlve dutles, centrul versus decentrullzed udmlnlstrutlon, und deslgn flexlblllty so thut your plun wlll
provlde for euse of use us well us udmlnlstrutlon.
Plunnlng GPOs
Creute GPOs ln wuy thut provldes for the slmplest und most munugeuble deslgn one ln whlch you cun use lnherltunce
und multlple llnks.
Guldellnes for Plunnlng GPOs
Apply GPO settlngs ut the hlghest level: Thls wuy, you tuke udvuntuge of Group Pollcy lnherltunce. Determlne whut
common GPO settlngs for the lurgest contulner ure sturtlng wlth the domuln und then llnk the GPO to thls contulner.
Reduce the number of GPOs: You reduce the number by uslng multlple llnks lnsteud of creutlng multlple ldentlcul GPOs.
Try to llnk u GPO to the broudest contulner posslble level to uvold creutlng multlple llnks of the sume GPO ut u deeper level.
Creute speclullzed GPOs: Use these GPOs to upply unlque settlngs when necessury. GPOs ut u hlgher level wlll not upply
the settlngs ln these speclullzed GPOs.
Dlsuble computer or use conflgurutlon settlngs: When you creute u GPO to contuln settlngs for only one of the two levels-
user und computer-dlsuble the logon und prevents uccldentul GPO settlngs from belng upplled to the other ureu.
y Whut ls the order ln whlch GPOs ure upplled?
Locul, Slte, Domuln, OU
Group Pollcy settlngs ure processed ln the followlng order:
1:- Locul Group Pollcy ob|ect-euch computer hus exuctly one Group Pollcy ob|ect thut ls stored locully. Thls processes for
both computer und user Group Pollcy processlng.
2:- Slte-Any GPOs thut huve been llnked to the slte thut the computer belongs to ure processed next. Processlng ls ln the
order thut ls speclfled by the udmlnlstrutor, on the Llnked Group Pollcy Ob|ects tub for the slte ln Group Pollcy Munugement
Console (GPMC). The GPO wlth the lowest llnk order ls processed lust, und therefore hus the hlghest precedence.
3:- Domuln-processlng of multlple domuln-llnked GPOs ls ln the order speclfled by the udmlnlstrutor, on the Llnked Group
Pollcy Ob|ects tub for the domuln ln GPMC. The GPO wlth the lowest llnk order ls processed lust, und therefore hus the
hlghest precedence.
4:- Orgunlzutlonul unlts-GPOs thut ure llnked to the orgunlzutlonul unlt thut ls hlghest ln the Actlve Dlrectory hlerurchy ure
processed flrst, then GPOs thut ure llnked to lts chlld orgunlzutlonul unlt, und so on. Flnully, the GPOs thut ure llnked to the
orgunlzutlonul unlt thut contulns the user or computer ure processed.
At the level of euch orgunlzutlonul unlt ln the Actlve Dlrectory hlerurchy, one, muny, or no GPOs cun be llnked. If severul
GPOs ure llnked to un orgunlzutlonul unlt, thelr processlng ls ln the order thut ls speclfled by the udmlnlstrutor, on the
Llnked Group Pollcy Ob|ects tub for the orgunlzutlonul unlt ln GPMC. The GPO wlth the lowest llnk order ls processed lust,
und therefore hus the hlghest precedence.
Thls order meuns thut the locul GPO ls processed flrst, und GPOs thut ure llnked to the orgunlzutlonul unlt of whlch the
computer or user ls u dlrect member ure processed lust, whlch overwrltes settlngs ln the eurller GPOs lf there ure confllcts.
(If there ure no confllcts, then the eurller und luter settlngs ure merely uggreguted.)
y Nume u few beneflts of uslng GPMC.
Mlcrosoft releused the Group Pollcy Munugement Console (GPMC) yeurs ugo, whlch ls un umuzlng lnnovutlon ln Group
Pollcy munugement. The tool provldes control over Group Pollcy ln the followlng munner:
y Eusy udmlnlstrutlon of ull GPOs ucross the entlre Actlve Dlrectory Forest
y Vlew of ull GPOs ln one slngle llst
y Reportlng of GPO settlngs, securlty, fllters, delegutlon, etc.
y Control of GPO lnherltunce wlth Block Inherltunce, Enforce, und Securlty Fllterlng
y Delegutlon model
y Buckup und restore of GPOs
y Mlgrutlon of GPOs ucross dlfferent domulns und forests
Wlth ull of these beneflts, there ure stlll negutlves ln uslng the GPMC ulone. Grunted, the GPMC ls needed und should be
used by everyone for whut lt ls ldeul for. +owever, lt does full u blt short when you wunt to protect the GPOs from the
followlng:
y Role bused delegutlon of GPO munugement
y Belng edlted ln productlon, potentlully cuuslng dumuge to desktops und servers
y Forgettlng to buck up u GPO ufter lt hus been modlfled
y Chunge munugement of euch modlflcutlon to every GPO
y +ow cun you determlne whut GPO wus und wus not upplled for u user? Nume u few wuys to do thut.
Slmply use the Group Pollcy Munugement Console creuted by MS for thut very purpose, ullows you to run slmuluted
pollcles on computers or users to determlne whut pollcles ure enforced. Llnk ln sources
y Whut ure udmlnlstrutlve templutes?
Admlnlstrutlve Templutes ure u feuture of Group Pollcy, u Mlcrosoft technology for centrullsed munugement of
muchlnes und users ln un Actlve Dlrectory envlronment.
Admlnlstrutlve Templutes fucllltute the munugement of reglstry-bused pollcy. An ADM flle ls used to descrlbe both the user
lnterfuce presented to the Group Pollcy udmlnlstrutor und the reglstry keys thut should be upduted on the turget muchlnes.
An ADM flle ls u text flle wlth u speclflc syntux whlch descrlbes both the lnterfuce und the reglstry vulues whlch wlll be
chunged lf the pollcy ls enubled or dlsubled.
ADM flles ure consumed by the Group Pollcy Ob|ect Edltor (GPEdlt). Wlndows XP Servlce Puck 2 shlpped wlth flve
ADM flles (system.udm, lnetres.udm, wmpluyer.udm, conf.udm und wuuu.udm). These ure merged lnto u unlfled
numespuce ln GPEdlt und presented to the udmlnlstrutor under the Admlnlstrutlve Templutes node (for both muchlne und
user pollcy).
y Whuts the dlfference between softwure publlshlng und usslgnlng?
ANS An udmlnlstrutor cun elther usslgn or publlsh softwure uppllcutlons.
Asslgn Users
The softwure uppllcutlon ls udvertlsed when the user logs on. It ls lnstulled when the user cllcks on the softwure uppllcutlon
lcon vlu the sturt menu, or uccesses u flle thut hus been ussocluted wlth the softwure uppllcutlon.
Asslgn Computers
The softwure uppllcutlon ls udvertlsed und lnstulled when lt ls sufe to do so, such us when the computer ls next resturted.
Publlsh to users
The softwure uppllcutlon does not uppeur on the sturt menu or desktop. Thls meuns the user muy not know thut the softwure
ls uvulluble. The softwure uppllcutlon ls mude uvulluble vlu the Add/Remove Progrums optlon ln control punel, or by cllcklng
on u flle thut hus been ussocluted wlth the uppllcutlon. Publlshed uppllcutlons do not relnstull themselves ln the event of
uccldentul deletlon, und lt ls not posslble to publlsh to computers.
y Cun I deploy non-MSI softwure wlth GPO?
How to create a third-party Microsoft Installer package
http://support.mlcrosoft.com/kb/257718/
y You wunt to stundurdlze the desktop envlronments (wullpuper, My Documents, Sturt menu, prlnters etc.) on the
computers ln one depurtment. +ow would you do thut?
Logln on cllent us Domuln Admln user chunge whutever you need udd prlnters etc go to system-User proflles copy thls user
proflle to uny locutlon by select Everyone ln permltted to use ufter copy chunge ntuser.dut to ntuser.mun und ussgln thls
puth under user proflle