AD supports DNS, LDAP v2/v3, LDIF, DHCP, HTTP, SNTP and Kerberos 5.
All domains in a tree share a common schema and a common Global Catalog.
All trees in a forest share a common schema, common Global Catalog and common configuration, but have separate (noncontiguous) DNS naming structures.
DCs replicate certain security-sensitive changes immediately (urgent replication), e.g. an account lockout; an ordinary change such as disabling an account waits for the normal replication cycle.
Multimaster replication means DCs are peers; there is no single master (only the operations master roles listed below are single-master).
Within a site the KCC generates a bidirectional ring topology, so replication still succeeds if one path is down.
• Distinguished Name – DN: the object's full path in the directory, e.g. CN=...,OU=...,DC=...
• Relative DN – RDN: the leftmost component of the DN, unique within its parent container
• GUID – unique 128-bit ID assigned to an object when it is created; it never changes, even when the object is moved or renamed
• User Principal Name – UPN: logon name in the form user@dns-domain
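The naming terms above are easiest to see with a small parser. The block below is an added example (not code from the original notes): it splits a DN into RDNs while honouring RFC 2253 backslash escapes, extracts the RDN and parent container, and derives the DNS domain and a UPN from the DC= components. The sample DN and account name are constructed.

```python
# Added example: DN / RDN / UPN handling for AD-style distinguished names.
# The DN used at the bottom is constructed sample data.

def split_dn(dn):
    """Split a DN into its raw RDN strings.  A comma preceded by a backslash
    is part of the value (RFC 2253 escaping), so 'CN=Smith\\, John' stays whole."""
    if not dn:
        raise ValueError("empty DN")
    rdns, buf, escaped = [], [], False
    for ch in dn:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)          # keep the escape so the RDN can be re-joined
            escaped = True
        elif ch == ",":
            rdns.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    rdns.append("".join(buf).strip())
    return rdns

def unescape(value):
    """Remove backslash escapes from an attribute value."""
    out, i = [], 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            out.append(value[i + 1])
            i += 2
        else:
            out.append(value[i])
            i += 1
    return "".join(out)

def parse_rdn(rdn):
    """Return (ATTRIBUTE, value) for one RDN such as 'OU=Sales'."""
    attr, sep, value = rdn.partition("=")
    if not sep or not attr.strip():
        raise ValueError("malformed RDN: %r" % rdn)
    return attr.strip().upper(), unescape(value.strip())

def rdn_of(dn):
    """The relative DN is the leftmost component: the object's own name."""
    return split_dn(dn)[0]

def parent_dn(dn):
    """Everything after the RDN is the DN of the containing object."""
    return ",".join(split_dn(dn)[1:])

def dns_domain(dn):
    """AD maps the DC= components, left to right, onto DNS labels."""
    return ".".join(v for a, v in (parse_rdn(r) for r in split_dn(dn)) if a == "DC")

def upn(sam_account, dn):
    """Build the user@dns-domain logon name for an object in this domain."""
    return "%s@%s" % (sam_account, dns_domain(dn))

# Constructed sample: a user whose CN contains an escaped comma.
SAMPLE_DN = "CN=Smith\\, John,OU=Sales,DC=corp,DC=example,DC=com"

if __name__ == "__main__":
    print(rdn_of(SAMPLE_DN), "|", parent_dn(SAMPLE_DN))
    print(upn("jsmith", SAMPLE_DN))
```

Note that the GUID is the only identifier that survives a move: both the DN (parent changes) and, across domains, the SID change, which is why scripts should key on objectGUID rather than on the DN.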
Default in Win2000: domains in a tree/forest are joined by implicit two-way transitive (Kerberos) trusts.
Default in WinNT4: explicit one-way nontransitive trusts.
Explicit trusts are still required to reach:
• WinNT4 domains
• Win2000 domains in a separate forest
• MIT Kerberos 5 realms
Keep your organization in a single domain if possible and use OUs for delegation. Under certain conditions you need to create new domains:
• Massive number of objects
• Different password/account policies (these are set per domain)
• Decentralized network administration
• Replication control
• Different Internet names
• International requirements
• Internal political requirements
The AD namespace is based on DNS. MS recommends registering any domain name you use, even if it is only for internal use.
No more than 5 domain levels.
The internal namespace (used by AD) and the external (Internet) namespace can be the same or different:
• same – complex for the proxy/firewall to hide internal resources (needs split DNS)
• different – complex to keep multiple names registered with Internet DNS
Sites are part of the AD physical structure (groups of well-connected subnets):
• logon and authentication should happen within the client's own site
• inter-site replication traffic should be less than intra-site traffic (it is compressed and scheduled)
dcpromo promotes/demotes a DC.
native mode
• one-way switch, can't go back to mixed mode
• the former PDC is no longer the single domain master; all DCs replicate as peers (the PDC emulator role still exists)
• can't add NT4 DCs (BDCs)
• no support for pre-Win2000 (NT4-style) replication
• enables universal security groups, group nesting and sIDHistory
mixed mode (the default): NT4 BDCs can coexist; the PDC emulator acts as their PDC.
\support\tools\setup.exe (on the Win2000 CD) installs the Support Tools, including:
• acldiag.exe – diagnose ACLs on AD objects
• ADSI Edit – low-level LDAP editor for any AD object or attribute
• dfsutil.exe – manage Dfs
• Dnscmd.exe – command-line DNS server administration
• Dsacls.exe – view/modify ACLs on AD objects
• Dsastat.exe – compare naming contexts across DCs
• Ldp.exe – LDAP client for browsing and searching the directory
• movetree.exe – move objects between domains in a forest
• netdom.exe – manage domain membership and trusts
Admin Tools > AD Sites and Services > Sites > New Site
If a newly installed DC's address matches a site subnet, it is added to that site automatically. Otherwise it is added to the site of the source DC it was promoted from.
Admin Tools > AD Sites and Services > Sites > Subnets > New Subnet – subnets are used to find DCs in the same site and the best route between DCs
Admin Tools > AD Sites and Services > Inter-Site Transports > IP or SMTP > New Site Link
• must be created manually
• needed for replication between sites
• default cost is 100 (lower cost is preferred)
• replication interval must be at least 15 min and can't exceed 10080 min (1 week); the default is 180 min
• replication also depends on the link's schedule
• IP replication – RPC over IP, honours the schedule by default, doesn't need a CA
• SMTP replication – asynchronous, ignores the schedule, needs a CA (Certificate Services) to sign the mail; it can replicate only the schema, configuration and Global Catalog partitions, not a domain partition between DCs of the same domain
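The site-link rules above (minimum/maximum interval, default cost 100, lower cost preferred, bridged links transitive by default) are worked through in the following added example, which is not code from the original notes. It validates site-link parameters and finds the least-cost replication route between two sites; the site names, costs and intervals are constructed.

```python
# Added example: site-link validation and least-cost route between sites.
# Site names, costs and intervals below are constructed sample data.
import heapq

MIN_INTERVAL_MIN = 15        # AD refuses a shorter replication interval
MAX_INTERVAL_MIN = 10080     # one week
DEFAULT_COST = 100           # cost a new site link gets
DEFAULT_INTERVAL_MIN = 180   # interval a new site link gets

def interval_is_valid(minutes):
    return MIN_INTERVAL_MIN <= minutes <= MAX_INTERVAL_MIN

def site_link(name, sites, cost=DEFAULT_COST, interval=DEFAULT_INTERVAL_MIN):
    """Build one site-link record, rejecting values the snap-in would refuse."""
    if len(set(sites)) < 2:
        raise ValueError("a site link must join at least two sites")
    if cost < 1:
        raise ValueError("cost must be a positive integer")
    if not interval_is_valid(interval):
        raise ValueError("interval must be %d..%d minutes"
                         % (MIN_INTERVAL_MIN, MAX_INTERVAL_MIN))
    return {"name": name, "sites": frozenset(sites), "cost": cost, "interval": interval}

def cheapest_route(links, src, dst):
    """Dijkstra over the site-link graph.  Every site in a link can reach every
    other site in that link at the link's cost, and links are treated as
    bridged (transitive), the Win2000 default.  Returns (total_cost, [link
    names]) or (None, []) if dst cannot be reached."""
    adjacency = {}
    for link in links:
        for a in link["sites"]:
            for b in link["sites"]:
                if a != b:
                    adjacency.setdefault(a, []).append((link["cost"], b, link["name"]))
    best = {src: 0}
    heap = [(0, src, [])]
    while heap:
        cost, site, path = heapq.heappop(heap)
        if site == dst:
            return cost, path
        if cost > best.get(site, cost):
            continue               # stale heap entry
        for step, nxt, name in adjacency.get(site, []):
            total = cost + step
            if total < best.get(nxt, float("inf")):
                best[nxt] = total
                heapq.heappush(heap, (total, nxt, path + [name]))
    return None, []

def route_latency(links, route):
    """Worst-case convergence time along a route: the sum of the intervals of
    the links it crosses, since each hop may wait a full interval."""
    by_name = {l["name"]: l for l in links}
    return sum(by_name[n]["interval"] for n in route)

# Constructed topology: the direct WAN link is expensive, so the cheapest
# route to Branch2 goes through Branch1; Lab is not connected at all.
LINKS = [
    site_link("HQ-Branch1", ["HQ", "Branch1"]),
    site_link("Branch1-Branch2", ["Branch1", "Branch2"], interval=60),
    site_link("HQ-Branch2-WAN", ["HQ", "Branch2"], cost=500, interval=240),
    site_link("Lab-Lab2", ["Lab", "Lab2"], interval=MAX_INTERVAL_MIN),
]

if __name__ == "__main__":
    cost, route = cheapest_route(LINKS, "HQ", "Branch2")
    print(cost, route, route_latency(LINKS, route), "min worst case")
```

The latency helper is the caveat a practitioner wants: the cheapest route is not necessarily the fastest to converge, because every hop on it can wait for its own replication interval, so a 15-minute-interval direct link may still beat a lower-cost two-hop route for urgent changes.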
Admin Tools > AD Sites and Services > server_name > NTDS Settings
• Connection objects are created by the KCC automatically.
• AD creates one Global Catalog server per forest by default (the first DC); additional GCs are enabled here.
Admin Tools > AD Sites and Services > server_name > Server
In a single domain with a single DC, that DC holds every operations master role. Replication is multimaster, but five operations master (FSMO) roles are single-master; there is no automatic standby, so a role must be transferred or seized when its holder is lost.
• Forest-wide operations master roles (assumed by the first DC in the forest)
o Schema Master – to check/transfer use the AD Schema MMC
o Domain Naming Master – to check/transfer use the AD Domains and Trusts MMC
• Domain-wide operations master roles (assumed by the first DC in each domain)
o Infrastructure Master (should not sit on a GC unless every DC is a GC)
o PDC Emulator
o Relative ID (RID) Master
o To check/transfer the Infrastructure, PDC and RID roles, use dsa.msc > Operations Master.
Roles can be transferred (holder online) or seized (holder unavailable) with ntdsutil.exe. Never bring a DC back online after its Schema, Domain Naming or RID role has been seized; reinstall it instead.
To check that a DC is installed correctly:
o database %systemroot%\ntds\ntds.dit
o %systemroot%\sysvol (shared as SYSVOL and NETLOGON)
o nslookup, then ls -t SRV AD_domain_name, which should list records like:
o _ldap._tcp.AD_domain_name IN SRV 0 100 389 dc_name
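An added example (not code from the original notes) that turns the SRV check above into something scriptable: it parses SRV records in the zone-file form shown, verifies that a given DC has registered its LDAP (389) and Kerberos (88) records, and picks a DC the way an RFC 2782 client does (lowest priority first, then weight-proportional random choice). The zone lines and host names are constructed.

```python
# Added example: parse SRV records and select a DC per RFC 2782.
# The zone data below is constructed; hosts and domain are not real.
import random

def parse_srv(line):
    """Parse '_ldap._tcp.corp.example.com. IN SRV 0 100 389 dc1.corp.example.com.'
    into a dict.  The class field (IN) is optional; trailing dots are dropped."""
    fields = line.split()
    if "SRV" not in fields:
        raise ValueError("not an SRV record: %r" % line)
    i = fields.index("SRV")
    if len(fields) != i + 5:
        raise ValueError("SRV needs priority weight port target: %r" % line)
    owner = fields[0].rstrip(".").lower()
    service, proto, domain = owner.split(".", 2)
    priority, weight, port = (int(x) for x in fields[i + 1:i + 4])
    return {"service": service, "proto": proto, "domain": domain,
            "priority": priority, "weight": weight, "port": port,
            "target": fields[i + 4].rstrip(".").lower()}

def records_for(records, service, domain):
    return [r for r in records if r["service"] == service and r["domain"] == domain]

def choose_target(records, rng=random):
    """RFC 2782 selection: only the lowest priority is eligible; among those,
    choose in proportion to weight.  A weight of 0 is only ever chosen when
    every candidate has weight 0."""
    if not records:
        return None
    lowest = min(r["priority"] for r in records)
    pool = [r for r in records if r["priority"] == lowest]
    total = sum(r["weight"] for r in pool)
    if total == 0:
        return rng.choice(pool)
    pick = rng.randint(1, total)
    for r in pool:
        pick -= r["weight"]
        if pick <= 0:
            return r

def sample_targets(records, draws=200, seed=1):
    """Set of targets chosen over many draws with a fixed seed (for testing)."""
    rng = random.Random(seed)
    return {choose_target(records, rng)["target"] for _ in range(draws)}

def dc_is_registered(records, dc_fqdn, domain):
    """A healthy DC registers both the LDAP and the Kerberos SRV record for
    its domain via dynamic update; report which of the two are present."""
    have = {(r["service"], r["port"]) for r in records
            if r["domain"] == domain and r["target"] == dc_fqdn.lower()}
    return {"_ldap": ("_ldap", 389) in have, "_kerberos": ("_kerberos", 88) in have}

# Constructed zone extract: dc2 has weight 0 (never chosen while dc1 is up),
# dc3 has a worse priority (only used if every priority-0 DC is gone), and
# dc2 is missing its Kerberos record.
ZONE = """
_ldap._tcp.corp.example.com.      IN SRV 0  100 389 dc1.corp.example.com.
_ldap._tcp.corp.example.com.      IN SRV 0  0   389 dc2.corp.example.com.
_ldap._tcp.corp.example.com.      IN SRV 10 100 389 dc3.corp.example.com.
_kerberos._tcp.corp.example.com.  IN SRV 0  100 88  dc1.corp.example.com.
"""
RECORDS = [parse_srv(l) for l in ZONE.strip().splitlines()]

if __name__ == "__main__":
    ldap = records_for(RECORDS, "_ldap", "corp.example.com")
    print(choose_target(ldap)["target"])
    print(dc_is_registered(RECORDS, "dc2.corp.example.com", "corp.example.com"))
```

A missing `_kerberos` record for a DC that does have `_ldap` usually means the netlogon service failed to register part of its record set; `netdiag` or restarting Net Logon re-registers them.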
When you restore System State to an alternate location, the AD database, Certificate Services database and COM+ Class Registration database are not restored; the registry, SYSVOL and boot files are.
Authoritative restore (to bring back objects whose deletion has already replicated):
o perform a non-authoritative restore of System State
o restart into Directory Services Restore Mode (F8 at boot)
o run ntdsutil
o authoritative restore
o restore database or restore subtree <DN of the OU/object>
o reboot; the restored objects carry higher version numbers and win replication against the deletions
BOOT.INI switches
o /basevideo – standard VGA driver
o /fastdetect=comx,y,z – skip serial-mouse detection on the listed COM ports (no list = all ports)
o /maxmem:n – limit usable RAM to n MB
o /noguiboot – no graphical boot screen
o /sos – list each driver as it loads
o /bootlog – write ntbtlog.txt
o /safeboot:minimal – safe mode
o /safeboot:minimal(alternateshell) – safe mode with command prompt
o /safeboot:network – safe mode with networking
Win2000 Control Sets
o Current
o Default
o Failed
o LastKnownGood
Memory dumps are saved as %systemroot%\memory.dmp by default; a small memory dump is 64 KB. Use dumpchk.exe to validate a dump file.
multi(0)disk(0)rdisk(0)partition(1) is the lowest-numbered ARC path: first controller, first disk, first partition (partitions are numbered from 1, everything else from 0).
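To make the boot-configuration notes above concrete, here is an added example (not code from the original notes) that parses a BOOT.INI file, decodes each entry's ARC path with the numbering rule just stated, and lists which menu entries boot into a /safeboot variant. The BOOT.INI text is constructed.

```python
# Added example: BOOT.INI and ARC path parsing.  The BOOT.INI content at the
# bottom is constructed sample data.
import re

ARC_RE = re.compile(
    r"^(multi|scsi)\((\d+)\)disk\((\d+)\)rdisk\((\d+)\)partition\((\d+)\)(\\.*)?$",
    re.IGNORECASE)

def parse_arc(path):
    """Decode an ARC path: multi(0)disk(0)rdisk(0)partition(1) is controller 0,
    disk 0 on it, partition 1.  Partitions count from 1, the rest from 0."""
    m = ARC_RE.match(path.strip())
    if not m:
        raise ValueError("not an ARC path: %r" % path)
    adapter, ctrl, disk, rdisk, part, tail = m.groups()
    if int(part) < 1:
        raise ValueError("partition numbers start at 1: %r" % path)
    return {"adapter": adapter.lower(), "controller": int(ctrl), "disk": int(disk),
            "rdisk": int(rdisk), "partition": int(part), "dir": tail or "\\"}

def arc_is_valid(path):
    try:
        parse_arc(path)
        return True
    except ValueError:
        return False

def parse_bootini(text):
    """Parse BOOT.INI into {'timeout', 'default', 'entries'}.  Each entry keeps
    the raw ARC path, its decoded form, the menu label, the switches, and
    whether 'default=' points at it (first match wins if a path repeats)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, [])
            continue
        key, sep, value = line.partition("=")
        if not sep or current is None:
            raise ValueError("line outside a section or without '=': %r" % raw)
        sections[current].append((key.strip(), value.strip()))
    loader = dict(sections.get("boot loader", []))
    default = loader.get("default", "")
    entries, default_taken = [], False
    for arc, rhs in sections.get("operating systems", []):
        m = re.match(r'"([^"]*)"\s*(.*)$', rhs)       # "Label" /switch /switch
        label, rest = (m.group(1), m.group(2)) if m else (rhs, "")
        is_default = (not default_taken) and arc.lower() == default.lower()
        default_taken = default_taken or is_default
        entries.append({"arc": arc, "path": parse_arc(arc), "label": label,
                        "switches": rest.split(), "default": is_default})
    return {"timeout": int(loader.get("timeout", "30")),
            "default": default, "entries": entries}

def safe_mode_labels(boot):
    """Menu labels of entries that boot into one of the /safeboot variants."""
    return [e["label"] for e in boot["entries"]
            if any(s.lower().startswith("/safeboot") for s in e["switches"])]

# Constructed BOOT.INI: a normal entry, a safe-mode entry on the same
# partition, and an entry on the second disk's second partition.
BOOT_INI = r"""
[boot loader]
timeout=30
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Windows 2000 Server (safe mode)" /safeboot:minimal /sos /bootlog
multi(0)disk(0)rdisk(1)partition(2)\WINNT="Windows 2000 Server (second disk)" /fastdetect /maxmem:256
"""

if __name__ == "__main__":
    boot = parse_bootini(BOOT_INI)
    for e in boot["entries"]:
        print(e["label"], e["path"], e["switches"], "default" if e["default"] else "")
    print(safe_mode_labels(boot))
```

The parser rejects partition(0), the mistake that most often produces a "boot device inaccessible" error after hand-editing BOOT.INI, and it keeps duplicate ARC paths as separate entries, because a safe-mode line normally points at the same partition as the default line.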
The WinNT 4 DNS server cannot be used with AD, but BIND 8.1.2 or later can (it supports SRV records and dynamic update).
The "Only Secure Updates" option is only available for an AD-integrated zone.
The root (.) zone cannot be configured for dynamic update.
The SOA record names the primary (authoritative) DNS server and the responsible person, and carries the serial number and the refresh, retry, expire and minimum TTL values.
Zone transfer refers to DNS data replication outside AD (standard primary/secondary zones):
o AXFR – full zone transfer
o IXFR – incremental zone transfer
Zone replication refers to DNS data replication inside AD (AD-integrated zones replicate with the directory).
GPO
o software settings
o windows settings
o scripts
o security
o RIS
o folder redirection
o administrative templates
o registry-based group policy
o windows components
o system logon/logoff
o network – offline, network and dial-up
Read and Write permission on a GPO is required to open it in the Group Policy snap-in and see the settings it contains; a security principal needs Read and Apply Group Policy for the GPO to apply to it.
GPOs are processed in this order, later ones overriding earlier ones:
o Local
o Site
o Domain
o OU (parent OU before child OU)
Default inheritance can be changed by:
o Block Inheritance – on a domain or OU; discards GPOs linked above it
o No Override – on a link; the GPO applies regardless of Block Inheritance and wins over lower-level GPOs
o Loopback processing – applies the computer's user settings instead of, or merged with, the user's own
Setting permissions for security groups (removing Apply Group Policy) lets admins filter which users or computers a GPO applies to.
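The processing order, Block Inheritance, No Override and security-group filtering described above interact in ways that are easy to get wrong, so the following added example (not code from the original notes) resolves the effective settings for a user from a Local > Site > Domain > OU chain. Scope names, GPO names, groups and settings are constructed; loopback processing is not modelled, and the local GPO is assumed to be processed regardless of Block Inheritance, since it is not a link to a container.

```python
# Added example: GPO precedence with Block Inheritance, No Override and
# security filtering.  All GPOs, scopes and settings below are constructed.

class GPO:
    def __init__(self, name, settings, no_override=False,
                 apply_groups=("Authenticated Users",)):
        self.name = name
        self.settings = dict(settings)
        self.no_override = no_override                 # "No Override" set on the link
        self.apply_groups = frozenset(apply_groups)    # groups holding Apply Group Policy

    def applies_to(self, groups):
        return bool(self.apply_groups & frozenset(groups))

class Scope:
    """One container in the processing chain: local machine, site, domain or
    OU, listed outermost first."""
    def __init__(self, name, gpos=(), block_inheritance=False):
        self.name = name
        self.gpos = list(gpos)
        self.block_inheritance = block_inheritance

def apply_order(chain, groups):
    """Return the GPOs in the order they are applied (last one wins)."""
    normal, forced = [], []       # (gpo, depth) pairs
    for depth, scope in enumerate(chain):
        if scope.block_inheritance:
            # Block Inheritance drops GPOs linked to parent containers unless
            # they are No Override.  The local GPO (depth 0) is not a link and
            # is kept (assumption stated in the lead-in).
            normal = [(g, d) for g, d in normal if d == 0]
        for gpo in scope.gpos:
            if not gpo.applies_to(groups):
                continue          # security filtering: no Apply Group Policy
            (forced if gpo.no_override else normal).append((gpo, depth))
    # No Override GPOs are applied last so they win; the outermost of them is
    # applied very last so a site-level No Override beats an OU-level one.
    return [g for g, _ in normal] + [g for g, _ in reversed(forced)]

def effective_settings(chain, groups):
    """Resolve the winning value for every setting and which GPO supplied it."""
    result, winner = {}, {}
    for gpo in apply_order(chain, groups):
        for key, value in gpo.settings.items():
            result[key] = value
            winner[key] = gpo.name
    return result, winner

def with_block(chain, scope_name, value):
    """Copy of the chain with Block Inheritance toggled on one scope."""
    return [Scope(s.name, s.gpos, value if s.name == scope_name else s.block_inheritance)
            for s in chain]

# Constructed chain: the site forces a proxy with No Override, the domain
# sets several defaults, and the Sales OU blocks inheritance and carries a
# GPO filtered to the Sales Admins group only.
CHAIN = [
    Scope("Local", [GPO("Local GPO", {"screensaver_timeout": 900})]),
    Scope("Site:HQ", [GPO("Site Security", {"ie_proxy": "proxy.corp.example.com:8080"},
                          no_override=True)]),
    Scope("Domain:corp", [GPO("Domain Default", {"ie_proxy": "<direct>",
                                                 "screensaver_timeout": 600,
                                                 "wallpaper": "corp.bmp"})]),
    Scope("OU:Sales", [GPO("Sales Desktop", {"wallpaper": "sales.bmp"}),
                       GPO("Sales Admins Only", {"wallpaper": "admin.bmp"},
                           apply_groups=("Sales Admins",))],
          block_inheritance=True),
]

if __name__ == "__main__":
    settings, winner = effective_settings(CHAIN, ["Authenticated Users", "Sales"])
    for key in sorted(settings):
        print(key, "=", settings[key], "from", winner[key])
```

Running it shows the two points worth remembering: Block Inheritance on the Sales OU throws away the domain defaults (the screensaver timeout falls back to the local GPO), but it cannot throw away the site's No Override proxy setting, which still wins over everything beneath it.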
o poledit.exe – System Policy Editor used by NT4 and 9x. Settings are imported/exported as .ADM templates. Windows 2000 ships with system.adm, inetres.adm and conf.adm.
o Group Policy snap-in – used by Win2000. Security settings are imported/exported as .INF security templates.
The default script processing timeout is 10 minutes.
Software installation uses .MSI packages and has four phases: Preparation, Deployment, Maintenance and Removal.
When upgrading software, AD either uninstalls the old package and installs the new one, or upgrades over the top of it.
When an upgrade is published, it is optional or mandatory for users, but always mandatory for computers.
Software can be force-removed at the next user logon or machine startup.
Select "Uninstall this application when it falls out of the scope of management" to force an uninstall when the GPO no longer applies.
o Published software appears in Add/Remove Programs. Software can only be published to users.
o Software assigned to users is advertised as icons and installs when the user first starts the application. Software assigned to computers installs automatically at startup.
Invocation (document activation) – when a user opens a file of an unknown type, Windows queries AD to see whether software registering that extension is published to the user and whether auto-install is permitted.
ZAP files cannot take advantage of MSI features (no elevated install, no repair, no rollback) and can only be published.
msiexec /a package.msi – administrative installation, used to create a network installation point.
.MSP – patches, applied with msiexec /p
GPO can redirect
• Application Data
• Desktop
• My Documents
• My Pictures
• Start Menu
RIS needs:
• DHCP
• DNS
• AD
• 2 GB disk space and 2 partitions: one for the OS and a separate NTFS partition for the images
RIS must be added from Windows Components first. Run risetup to create the OS images. The RIS server must be authorized in AD before it will respond to client requests. Associate an answer file (Ristndrd.sif) with each image.
RIPrep
• Install everything on a single partition; remember to copy the settings from the Administrator profile to the Default User profile.
• \\RISServername\reminst\admin\i386\riprep.exe
A RIPrep image can be deployed only to computers with the same HAL as the source computer. A CD-based image can be deployed to any computer with a HAL Win2000 supports.
No BINL message: check that the RIS server is online and authorized.
BINL message but the client cannot connect to RIS: restart the NetPC Boot Service Manager (BINLSVC).
\\RISServername\reminst\admin\i386\rbfg.exe creates the remote boot disk.
Move objects between domains
• movetree moves objects between domains in the same forest.
• When an object is moved, its GUID stays the same but its SID changes.
• The objects' GPO links are created automatically and continue to work.
• A user who is a member of global groups can't be moved, unless Domain Users is the only global group (global groups cannot contain members from another domain).
• User objects that contain any other objects can't be moved.
Shared folders are published via Admin Tools > AD Users & Computers > domain node; right-click the container and add the shared folder, the same way printers are published.
Security groups – have a SID and can be listed in ACLs to grant permissions.
Distribution groups – e-mail distribution only; cannot be used to assign permissions.
Standard permissions on AD objects:
• Read
• Write
• Full Control
• Create All Child Objects
• Delete All Child Objects
Cannot create objects (users, groups, computers) – RID Master unavailable (the DC's RID pool ran out)
Cannot add/remove a domain – Domain Naming Master unavailable
Cannot modify the schema – Schema Master unavailable
Down-level clients (without AD client software) cannot log on – PDC emulator unavailable
Cannot access resources in a different domain – a trust may have failed
Bridgehead servers handle intersite replication on behalf of their site. When a firewall/proxy separates sites, designate a DC the firewall allows through as the preferred bridgehead server so it can replicate AD to the DCs on the other side.
Intrasite replication ignores cost and schedule (change notification, uncompressed); intersite replication follows the site-link cost and schedule (compressed).
Urgent replication triggers:
• Native mode
o newly locked-out account
o changing an LSA secret
o RID manager state changes
• Mixed mode
o newly locked-out account
o changing an LSA secret
o RID manager state changes
o inter-domain trust password changes
o changes to account lockout policy
o changes to domain password policy
o changes the password on a machine account
Replication Monitor – replmon.exe
You need the Manage Auditing and Security Log user right to set audit policy and review the Security log.
secedit.exe – command-line counterpart of the Security Configuration and Analysis snap-in (analyze/configure a machine against an .INF template)
Policy refreshes every 90 minutes (plus a random offset of up to 30 minutes) on member machines and every 5 minutes on DCs.
secedit /refreshpolicy {machine_policy | user_policy} [/enforce] forces an immediate refresh; /enforce reapplies settings even if the GPO has not changed.