
Active Directory Interview Questions and Answers Part 2


What is SYSVOL, and why is it important?
SYSVOL is a shared folder that exists on every domain controller. It is the repository for the Active Directory files that must be identical on all domain controllers, and it stores the important file-based elements of Active Directory Group Policy. The File Replication Service (FRS) replicates the SYSVOL folder among domain controllers. Logon scripts and policies are delivered to each domain user via SYSVOL.
The first domain installed in a forest is called the forest root domain
Difference between IM and GC
The Global Catalog server maintains a partial, read-only copy of every domain in the forest.
The Global Catalog holds a partial copy of every object in the forest.
If the IM and the GC are on the same server, the IM will not function, because it will never find data that is out of date.
The IM gets its updates from a GC server in the forest.
The GC holds the membership of universal groups, while the IM holds group information at the domain level.
A GC server holds a partial replica of every object in the forest; the IM holds the cross-domain references to objects in the forest.
Why can't the IM and GC be placed on the same domain controller?
The GC has full details about all objects in its own domain and partial details about objects in the other domains of the forest, so no changes would ever be detected by the IM role.
Because the GC holds a partial copy of every object in the forest, an IM on the same domain controller would never do anything for its domain.
What is the Global Catalog?
A global catalog is a data store containing partial representations of the objects found in a multi-domain Active Directory Domain Services forest.
The Active Directory GC is the central store of information about objects in an Active Directory forest. A global catalog is created automatically on the first domain controller in the first domain of the forest.
The domain controller hosting the GC is known as a GC server. A GC server stores a full copy of all objects in the directory for its own domain and a partial copy of all objects for every other domain in the forest.
The GC makes searching for Active Directory objects across the forest more efficient.
The function of a GC can be compared with a telephone directory: the GC stores information, like a telephone directory, that users can query to find specific information.
What is a bridgehead server?
A bridgehead server is a domain controller in each site that is used as the contact point for receiving and replicating data between sites.
When a bridgehead server receives replication updates from another site, it replicates the data to the other domain controllers within its own site.
A Preferred Bridgehead Server is a Domain Controller in a site,
A bridgehead server is a domain controller used for intersite replication. It is the point of contact for a domain controller in another site and passes replication traffic to a domain controller in that site. Replication data is compressed and sent over IP or SMTP.
KCC Information
The replication topology in Active Directory is generated automatically by a service known as the Knowledge Consistency Checker (KCC). The KCC helps keep the database identical across all domain controllers and ensures that replication can always take place between Active Directory domain controllers.
When two sites are connected by a site link, the KCC automatically selects one bridgehead server in each site for each domain that has domain controllers in that site. Data that needs to be replicated is first sent to the bridgehead server of a site and then replicated from the bridgehead server to the other domain controllers inside that site.
Why is DNS required for AD?
DNS is the primary name resolution service for Windows Server 2003 and later. Active Directory depends on DNS for domain controller location, and DNS influences Active Directory domain naming.
DNS provides Active Directory with both a name resolution service for domain controller
DNS support for Active Directory components is as follows:
·         Domain controller locator (Locator)
·         Active Directory domain names in DNS
·         Active Directory DNS objects
A user got deleted in AD. What do you do?
You can use three methods to restore deleted user accounts, computer accounts, and security groups. These objects are known collectively as security principals. In all three methods, you authoritatively restore the deleted objects,
What happens if the RID master fails?
You won't be able to create new objects once all the DCs have run out of their RID pools. Refer to TechNet for transferring the RID role to another DC that is in good working condition.
I have only one domain controller with all the FSMO roles on it. While adding an additional domain controller, if my first DC (the RID master) goes down, what will happen?
Ans: I think it's more important to know that you can seize the role to the second domain controller.
What is online and offline defragmentation?
PerfectDisk's online defragmentation defragments the drive while the computer is on and running. The defragmentation pass runs in the background without disrupting your work. Since online defragmentation runs while the system is on, it does not defragment system files and directories.
Active Directory automatically performs online defragmentation of the database at certain intervals (by default, every 12 hours) as part of the garbage collection process. Online defragmentation does not reduce the size of the database file (Ntds.dit); instead it optimizes data storage in the database and reclaims space in the directory for new objects.
What is offline defragmentation?
Offline defragmentation is a little more involved:
1. You need a backup of your AD.
2. After that you need to reboot and press F8.
3. Choose Directory Services Restore Mode.
4. ntdsutil -> files -> info
5. compact to drive:\directory
6. Copy the compacted ntds.dit file to the old folder and overwrite the original.
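The procedure above as a script, added here as an example and not part of the original post. Instead of rebooting into Directory Services Restore Mode it stops the restartable AD DS service (Windows Server 2008 and later), and it assumes a fresh System State backup already exists, that it runs elevated on the DC, and that the C:\ntds_compact path (a placeholder) has room for a second copy of the database.

```powershell
# Added example: offline defragmentation of ntds.dit using the restartable
# AD DS service rather than a DSRM reboot. Run elevated on the DC, after a
# System State backup (step 1 of the procedure) has been taken.
$compactDir = 'C:\ntds_compact'   # placeholder target directory

# Locate the live database and its log directory from the NTDS service parameters.
$ntdsParams = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$dbPath  = $ntdsParams.'DSA Database file'
$logPath = $ntdsParams.'Database log files path'

New-Item -ItemType Directory -Path $compactDir -Force | Out-Null

# Steps 2/3 equivalent: take AD DS offline. -Force also stops dependent
# services (KDC, DNS, ...), so do this in a maintenance window.
Stop-Service NTDS -Force

# Step 4: show current database and log file locations and sizes.
ntdsutil "activate instance ntds" files info quit quit

# Step 5: write a compacted copy of ntds.dit into the target directory.
ntdsutil "activate instance ntds" files "compact to $compactDir" quit quit
$compacted = Join-Path $compactDir 'ntds.dit'
if (-not (Test-Path $compacted)) {
    Start-Service NTDS
    throw "Compaction produced no file; original database left untouched."
}

# Step 6: keep the old file, copy the compacted one into place, and remove the
# now-stale transaction logs (required after an offline compaction).
Copy-Item $dbPath "$dbPath.old" -Force
Copy-Item $compacted $dbPath -Force
Remove-Item (Join-Path $logPath '*.log') -Force

# Verify the new file before bringing the directory back online; roll back
# to the saved copy if the integrity check does not report success.
$integrity = ntdsutil "activate instance ntds" files integrity quit quit 2>&1 | Out-String
if ($integrity -notmatch 'Integrity check successful') {
    Copy-Item "$dbPath.old" $dbPath -Force
    Start-Service NTDS
    throw "Integrity check failed; previous database restored."
}

Start-Service NTDS
```

Keep the .old copy until the DC has replicated cleanly with its partners, then delete it.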
When do you require an Infrastructure Master?
At any time, there can be only one domain controller acting as the infrastructure master in each domain. The infrastructure master is responsible for updating references from objects in its domain to objects in other domains. The infrastructure master compares its data with that of a global catalog. Global catalogs receive regular updates for objects in all domains through replication, so the global catalog data will always be up to date. If the infrastructure master finds data that is out of date, it requests the updated data from a global catalog. The infrastructure master then replicates that updated data to the other domain controllers in the domain.
Unless there is only one domain controller in the domain, the infrastructure master role should not be assigned to the domain controller that is hosting the global catalog. If the infrastructure master and global catalog are on the same domain controller, the infrastructure master will not function. The infrastructure master will never find data that is out of date, so it will never replicate any changes to the other domain controllers in the domain.

In the case where all of the domain controllers in a domain are also hosting the global catalog, all of the domain controllers will have the current data and it does not matter which domain controller holds the infrastructure master role.
The infrastructure master is also responsible for updating the group-to-user references whenever the members of groups are renamed or changed. When you rename or move a member of a group (and that member resides in a different domain from the group), the group may temporarily appear not to contain that member. The infrastructure master of the group's domain is responsible for updating the group so it knows the new name or location of the member. This prevents the loss of group memberships associated with a user account when the user account is renamed or moved. The infrastructure master distributes the update via multimaster replication.
What is an Active Directory-integrated zone?
Active Directory-integrated zone: This is an authoritative primary zone that stores its data in Active Directory. Active Directory-integrated zones can be regarded as enhanced standard primary zones.
Explain three main features of Active Directory.
Active Directory enables single sign-on to access resources on the network such as desktops, shared files, printers, etc. It provides advanced security for the entire network and its resources. It is more scalable and flexible for administration.
How do you add an additional Domain Controller in a remote site with a slow WAN link?
It is possible to take a backup copy of an existing Domain Controller and restore it on a Windows Server machine in the remote location with the slow WAN link.
How do we install Active Directory on a Windows 7 computer?
Active Directory is designed for the Server operating systems and cannot be installed on Windows 7.
What are the prerequisites to install Active Directory on a server?
A Windows Server operating system; free hard disk space on an NTFS partition; administrator privilege on the computer; a network connection with IP address, subnet mask, gateway and DNS address; a DNS server, which can be installed along with the first Domain Controller; and the Windows Server installation CD or i386 folder.
What is a FSMO role? (Or: what are Single Master Operations / Flexible Single Master Operations / Operations Master Roles / SMO / OMR?)
Flexible Single-Master Operation (FSMO) roles each manage one aspect of the domain or forest that is not suited to multi-master replication, and each is handled by a single domain controller in the domain or forest to prevent conflicts. There are 5 FSMO roles: the Schema Master and Domain Naming Master roles are each handled by a single domain controller in the forest, and the PDC Emulator, RID Master and Infrastructure Master roles are each handled by a single domain controller in each domain.
Active Directory has these five special roles (FSMO roles), which are vital for the smooth running of AD as a multi-master system.
Explain Infrastructure Master Role. What will be the impact if DC with Infrastructure Master Role goes down?
The Infrastructure Master role is a domain-specific role whose purpose is to ensure that cross-domain object references are handled correctly. For example, if you add a user from one domain to a security group in a different domain, the Infrastructure Master makes sure this is done properly. The Infrastructure Master has nothing to do in a single-domain environment, so if the Domain Controller holding the role goes down in a single-domain environment there is no impact at all. In a complex environment with multiple domains, however, it may impact creation and modification of groups and group authentication.
The infrastructure FSMO keeps its domain's references to objects in other domains up-to-date by comparing its data with information in the Global Catalog (GC). As a result, the infrastructure FSMO doesn't usually work if it's a GC because the FSMO's information would always be the same as the GC's information. If the infrastructure FSMO's data becomes out-of-date, the FSMO will request updated information from the GC, then replicate the update to all domain controllers (DCs) in its domain. Where possible in the same site, the infrastructure FSMO needs to have a good connection to the GC. The infrastructure FSMO can reside on a GC server only when every DC in a domain is a GC (because every DC would have up-to-date information) or when only one domain exists in the forest.
The primary purpose of the infrastructure FSMO is to update group memberships for users who reside in domains other than the group's domain.
What are the two forest specific FSMO roles?
Schema Master role and Domain Naming Master role.
Which FSMO role directly impacts the consistency of Group Policy?
PDC Emulator
I want to promote a new additional Domain Controller in an existing domain. Which groups should I be a member of?
You should be a member of the Enterprise Admins group or the Domain Admins group. You should also be a member of the local Administrators group of the member server you are going to promote to an additional Domain Controller.
Tell me the easiest way to check all 5 FSMO roles.
Use the command netdom query /domain:<YourDomain> fsmo. It lists the domain controller holding each FSMO role.
Can I configure two RID masters in a domain?
No, there should be only one Domain Controller handling RID master role in a Domain.
Can I configure two Infrastructure Master roles in a forest? If yes, please explain.
There should be only one Domain Controller handling Infrastructure master role in a domain. Hence if you have two domains in a forest, you can configure two Infrastructure masters, one in each domain.
What will be the impact on the network if the Domain Controller with the PDC Emulator crashes?
If the PDC Emulator crashes there is an immediate impact on the environment. User authentication will fail because password changes won't take effect, and there will be frequent account lockout issues. Network time synchronization will be impacted. It also impacts DFS consistency and Group Policy replication.
What are the physical components of Active Directory?
Domain controllers and sites. Domain controllers are physical computers running a Windows Server operating system and the Active Directory database. Sites are network segments based on geographical location, each containing multiple domain controllers.
What are the logical components of Active Directory?
Domains, Organizational Units, trees and forests are the logical components of Active Directory.
What are the Active Directory Partitions? (Or what are Active Directory Naming Contexts? Or what is AD NC?)
Active Directory database is divided into different partitions such as Schema partition, Domain partition, and Configuration partition. Apart from these partitions, we can create Application partition based on the requirement.
What is group nesting?
Adding one group as a member of another group is called 'group nesting'. This helps with easy administration and reduces replication traffic.
Explain Group Types and Group Scopes.
There are two group types: Security Groups and Distribution Groups. Security groups are used to apply permissions to resources, whereas distribution groups are used to create Exchange Server email communication groups. Group scopes are categorized based on usage. There are three group scopes: Domain Local Group, Global Group and Universal Group.
What is the feature of Domain Local Group?
A domain local group is a security or distribution group that can contain universal groups, global groups, other domain local groups from its own domain, and accounts from any domain in the forest.
How will you take Active Directory backup?
Active Directory is backed up along with System State data. System state data includes Local registry, COM+, Boot files, NTDS.DIT and SYSVOL folder. System state can be backed up either using Microsoft's default NTBACKUP tool or third party tools such as Symantec NetBackup, IBM Tivoli Storage Manager Etc.
What are the Active Directory Restore types?
There are two types of Active Directory restores, Authoritative restore and Non-Authoritative restore.
How is Authoritative Restore different from Non-Authoritative Restore?
Non-authoritative means a normal restore of a single Domain Controller, for the case where that particular domain controller's OS or hardware crashed. After the non-authoritative restore completes, the DC compares its database with its peer domain controllers in the network and accepts all directory changes made since the backup. This is done through multi-master replication.
In an authoritative restore, on the other hand, the restored database of a Domain Controller is forcefully replicated to all other domain controllers. An authoritative restore is performed to recover an Active Directory resource or object (e.g. an Organizational Unit) that was accidentally deleted and needs to be restored.
Explain how to restore Active Directory using the command line.
We can use the NTDSUTIL command line to perform an authoritative restore of Active Directory. First, start a domain controller in Directory Services Restore Mode. Then restore the System State data of the Domain Controller using the NTBACKUP tool; this is the non-authoritative restore. Once the non-authoritative restore is completed, we have to perform the authoritative restore immediately, before restarting the Domain Controller.
Open a command prompt, type NTDSUTIL and press Enter, then type authoritative restore and press Enter, then type restore database and press Enter, click OK and then click Yes. This restores all the data in authoritative restore mode. If you want to restore only a specific object or subtree, type the command below instead of 'restore database':
restore subtree ou=OU_Name,dc=Domain_Name,dc=xxx
Tell me few switches of NTDSUTIL command.
Authoritative restore, Configurable settings, Partition management, Set DSRM Password etc.
What is a tombstone? What is the tombstone lifetime period?
A tombstone is what remains of a deleted object in the Active Directory database: even after objects are deleted, they are kept hidden in the database for a specific period. This period is known as the tombstone lifetime. The tombstone lifetime is 180 days on Windows Server 2003 SP1 and later versions of Windows Server.
What do you understand by Garbage Collection? Explain.
Garbage collection is a process of Active Directory. This process starts by removing the remains of previously deleted objects from the database. These objects are known as tombstones. Then, the garbage collection process deletes unnecessary log files. And the process starts a defragmentation thread to claim additional free space. The garbage collection process is running on all the domain controllers in an interval of 12 hours.
Where can I locate Lost and Found Container?
Lost and Found container can be viewed by enabling advanced features from View menu of Active Directory User and Computers MMC.
Is the Lost and Found container included in Windows Server 2008 AD?
Yes, it is included.
Have you ever installed Active Directory in a production environment?
[Never say no] We had set up an additional domain for a new subsidiary of the firm, and I was a member of the team who handled installation and configuration of domain controllers for the sub domain.[or] I was supporting an existing Active Directory network environment of the company, but I have installed and configured Active Directory in test environment several occasions.
Do we use clustering in Active Directory? Why?
Nobody installs Active Directory in a cluster. There is no need to cluster a domain controller, because Active Directory provides full redundancy with two or more domain controllers.
What is Active Directory Recycle Bin?
Active Directory Recycle bin is a feature of Windows Server 2008 AD. It helps to restore accidentally deleted Active Directory objects without using a backed up AD database, rebooting domain controller or restarting any services.
What is RODC? Why do we configure RODC?
Read only domain controller (RODC) is a feature of Windows Server 2008 Operating System. RODC is a read only copy of Active Directory database and it can be deployed in a remote branch office where physical security cannot be guaranteed. RODC provides more improved security and faster logon time for the branch office.
How do you check the current forest and domain functional levels? Give both GUI and command-line methods.
To find the forest and domain functional levels in the GUI, open ADUC, right-click the domain name and choose Properties. Both the domain and forest functional levels are listed there. From the command line, you can use the DSQUERY command.
Explain the Knowledge Consistency Checker (KCC).
KCC stands for Knowledge Consistency Checker. It is a process running on all domain controllers that generates and maintains the replication topology for replication within sites and between sites.
What are the tools used to check and troubleshoot replication of Active Directory?
We can use command line tools such as repadmin and dcdiag. GUI tool REPLMON can also be used for replication monitoring and troubleshooting.
What is the SYSVOL folder used for?
SYSVOL is a folder that exists on each domain controller and contains Active Directory related files and folders. SYSVOL mainly stores the important elements of Group Policy Objects and scripts, and it is replicated among domain controllers using the File Replication Service (FRS).
What is the use of Kerberos in Active Directory? Which port is used for Kerberos communication?
Kerberos is a network authentication protocol. Active Directory uses Kerberos for user and resource authentication and trust relationship functionality. Kerberos uses port number 88.
Which version of Kerberos is used for Windows 2000/2003 and 2008 Active Directory?
All versions of Windows Server Active Directory use Kerberos 5.
Please name few port numbers related to Active Directory.
Kerberos 88, LDAP 389, DNS 53, SMB 445.
Explain Active Directory tree and forest.
A tree in Active Directory is a collection of one or more domains that are interconnected and share global resources with each other. If a tree has more than one domain, it has a contiguous namespace. When we add a new domain to an existing tree, it is called a child domain.
A forest is a collection of one or more trees that trust each other and share a common schema. They also share a common configuration and global catalog. When a forest contains more than one tree, the trees do not form a contiguous namespace.
Have you heard of ADAC?
ADAC, the Active Directory Administrative Center, is a GUI tool that came with Windows Server 2008 R2 and provides an enhanced data management experience for the admin. ADAC lets administrators perform common Active Directory object management tasks across multiple domains from the same ADAC instance.
What is the use of ADSIEDIT?  How do we install it in Windows Server 2003 AD?
ADSIEDIT- Active Directory Service Interfaces Editor is a GUI tool which is used to perform advanced AD object and attribute management. This Active Directory tool helps us to view objects and attributes that are not visible through normal Active Directory Management Consoles. ADSIEDIT can be downloaded and installed along with Windows Server 2003 Support Tools.
What is ADMT? What is it used for?
ADMT, the Active Directory Migration Tool, is used for migrating Active Directory objects from one domain to another. ADMT is an effective tool that simplifies the process of migrating users, computers, and groups to new domains.
What do you mean by Lingering Objects in AD? How to remove Lingering Objects?
When a domain controller is disconnected for a period that is longer than the tombstone lifetime, one or more objects that are deleted from Active Directory on all other domain controllers may remain on the disconnected domain controller. Such objects are called lingering objects. Lingering objects can be removed from Windows Server 2003 or 2008 using REPADMIN utility.
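A replication health check that ties together the tools named above (repadmin and the ActiveDirectory module) and the lingering-object condition just described. It is an added example, not from the original post; it assumes RSAT (the ActiveDirectory module) and repadmin.exe on the host and rights to query every DC in the forest.

```powershell
# Added example: summarise replication state from repadmin's CSV output and
# the ActiveDirectory module, and flag partners whose last successful
# replication is older than the forest's tombstone lifetime (the window in
# which lingering objects can appear).
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    # tombstoneLifetime lives on the Directory Service object in the configuration NC.
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }   # unset attribute = legacy 60-day default
}

function Get-ReplicationProblems {
    param([int]$MaxHoursSinceSuccess = 24)

    $tsl  = Get-TombstoneLifetimeDays
    $now  = Get-Date
    # One CSV row per (destination DC, naming context, source DC) replication link.
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv

    foreach ($r in $rows) {
        $failures = if ($r.'Number of Failures') { [int]$r.'Number of Failures' } else { 0 }
        $lastOk   = if ($r.'Last Success Time')  { [datetime]$r.'Last Success Time' } else { $null }
        $stale    = (-not $lastOk) -or ($lastOk -lt $now.AddHours(-$MaxHoursSinceSuccess))
        $lingeringRisk = $lastOk -and ($lastOk -lt $now.AddDays(-$tsl))

        if ($failures -gt 0 -or $stale) {
            [pscustomobject]@{
                Destination   = $r.'Destination DSA'
                Source        = $r.'Source DSA'
                NamingContext = $r.'Naming Context'
                Failures      = $failures
                LastSuccess   = $lastOk
                LastError     = $r.'Last Failure Status'
                LingeringRisk = [bool]$lingeringRisk
            }
        }
    }
}

function Get-DcReplicationFailures {
    # The failures each DC has recorded about its own partners, via the AD module.
    Get-ADDomainController -Filter * | ForEach-Object {
        Get-ADReplicationFailure -Target $_.HostName -ErrorAction SilentlyContinue
    } | Select-Object Server, Partner, FailureType, FailureCount, FirstFailureTime, LastError
}

Get-ReplicationProblems   | Format-Table -AutoSize
Get-DcReplicationFailures | Format-Table -AutoSize
```

A row with LingeringRisk set is the case the answer above describes: that partner has been out of contact longer than the tombstone lifetime, so deleted objects may survive on it and should be checked before replication is forced.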
Explain the Global Catalog. What kind of AD infrastructure makes most use of the Global Catalog?
The Global Catalog is a container that holds a searchable partial replica of all objects from all domains of the forest, and a full replica of all objects from the domain where it is located. The global catalog is stored on domain controllers that have been designated as global catalog servers and is distributed through multi-master replication. Global catalogs are mostly used in multi-domain, multi-site and complex forest environments, whereas the Global Catalog has no special function in a single-domain forest.
Global Catalog and Infrastructure Master roles cannot be configured on the same Domain Controller. Why?
In a forest that contains only a single Active Directory domain there is no harm in placing both the GC and the Infrastructure Master on the same DC, because the Infrastructure Master has no work to do in a single-domain environment. But in a forest with multiple domains and a complex structure, the Infrastructure Master should be located on a DC that is not a Global Catalog server. Because the global catalog server holds a partial replica of every object in the forest, an Infrastructure Master placed on a global catalog server will never update anything, because it holds no references to objects that it does not already have.
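The FSMO listing, functional-level check and Infrastructure Master placement rule from the answers above, as an added example that is not part of the original post. It assumes the ActiveDirectory RSAT module and read access to the forest; netdom query fsmo gives the same role listing from a plain command prompt.

```powershell
# Added example: inventory forest/domain functional levels and the five FSMO
# role holders, then test the placement rule: the Infrastructure Master must
# not be a Global Catalog unless every DC in the domain is a GC or the forest
# has a single domain.
Import-Module ActiveDirectory

function Get-FsmoInventory {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        ForestMode           = $forest.ForestMode
        DomainMode           = $domain.DomainMode
        SchemaMaster         = $forest.SchemaMaster          # forest-wide role
        DomainNamingMaster   = $forest.DomainNamingMaster    # forest-wide role
        PDCEmulator          = $domain.PDCEmulator           # per-domain role
        RIDMaster            = $domain.RIDMaster             # per-domain role
        InfrastructureMaster = $domain.InfrastructureMaster  # per-domain role
    }
}

function Test-InfrastructureMasterPlacement {
    param([string]$DomainName = (Get-ADDomain).DNSRoot)

    $domain = Get-ADDomain -Identity $DomainName
    $forest = Get-ADForest
    $dcs    = Get-ADDomainController -Filter * -Server $DomainName
    $imDc   = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }

    $allGc        = ($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
    $singleDomain = $forest.Domains.Count -eq 1
    $imIsGc       = [bool]$imDc.IsGlobalCatalog

    # Placement is acceptable when the IM is not a GC, or when the GC
    # placement cannot matter (all DCs are GCs, or only one domain exists).
    [pscustomobject]@{
        Domain               = $DomainName
        InfrastructureMaster = $domain.InfrastructureMaster
        ImIsGlobalCatalog    = $imIsGc
        AllDcsAreGc          = $allGc
        SingleDomainForest   = $singleDomain
        PlacementOk          = (-not $imIsGc) -or $allGc -or $singleDomain
    }
}

Get-FsmoInventory | Format-List
# Check every domain in the forest, not just the one the session is joined to.
(Get-ADForest).Domains | ForEach-Object { Test-InfrastructureMasterPlacement -DomainName $_ } | Format-Table -AutoSize
```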
How many objects can be created in Active Directory? (Both 2003 and 2008)
As per Microsoft, a single AD domain controller can create around 2.15 billion objects during its lifetime.
Can you explain the process between a user providing his Domain credential to his workstation and the desktop being loaded? Or how the AD authentication works?
When a user enters a username and password, the computer sends the user name to the KDC. The KDC contains a master database of unique long term keys for every principal in its realm. The KDC looks up the user's master key (KA), which is based on the user's password. The KDC then creates two items: a session key (SA) to share with the user and a Ticket-Granting Ticket (TGT). The TGT includes a second copy of the SA, the user name, and an expiration time. The KDC encrypts this ticket by using its own master key (KKDC), which only the KDC knows. The client computer receives the information from the KDC and runs the user's password through a one-way hashing function, which converts the password into the user's KA. The client computer now has a session key and a TGT so that it can securely communicate with the KDC. The client is now authenticated to the domain and is ready to access other resources in the domain by using the Kerberos protocol.
In a large forest environment, why don't we configure all Domain Controllers as GCs?
Global Catalog servers generate a lot of replication traffic. Therefore, making all the domain controllers in the forest Global Catalog servers would cause network bandwidth problems. GCs should be placed based on network bandwidth and user or application requirements.
What is the NETDOM command line tool used for?
Netdom is used to manage Active Directory domains and trust relationships from the command prompt. Some of the Netdom functions include: joining a computer to a domain, establishing one-way or two-way trust relationships between domains, managing trust relationships between domains, and managing the primary and alternate names for a computer.
What is role seizure? When do we perform role seizure?
Role seizure is the action of assigning an operations master role to a new domain controller without the cooperation of the existing role holder (generally because it is offline due to a hardware failure). During role seizure, the new domain controller assumes the operations master role without communicating with the existing role holder. Role seizure can be done using the repadmin.exe and Ntdsutil.exe commands.
Is it possible to find idle users who have not logged in for the last few months?
Yes, this is possible using a PowerShell command, with the help of LastLogonTimeStamp. Commands and pipes such as Get-ADUser, Where-Object, LastLogonDate etc. can be used to get inactive users.
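The inactive-user query described above, as an added example that is not from the original post. It assumes the ActiveDirectory RSAT module; the -SearchBase parameter and the output file name are placeholders.

```powershell
# Added example: list enabled user accounts that have not logged on for N days.
# LastLogonDate is the AD module's DateTime view of the replicated
# lastLogonTimestamp attribute, so one query against any DC is enough.
Import-Module ActiveDirectory

function Get-InactiveUsers {
    param(
        [int]$Days = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName   # placeholder: narrow to an OU if wanted
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
               -Properties LastLogonDate, whenCreated |
        Where-Object {
            # Accounts that never logged on count as inactive once they are older
            # than the cutoff; brand-new accounts are not flagged.
            ($null -eq $_.LastLogonDate -and $_.whenCreated -lt $cutoff) -or
            ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff)
        } |
        Select-Object SamAccountName, LastLogonDate, whenCreated, DistinguishedName |
        Sort-Object LastLogonDate
}

# Export for review before anyone disables accounts based on the list.
Get-InactiveUsers -Days 90 | Export-Csv -Path .\inactive-users.csv -NoTypeInformation
```

lastLogonTimestamp is only replicated when the stored value is older than the msDS-LogonTimeSyncInterval (14 days by default, less a random offset), so LastLogonDate can lag the true last logon by up to two weeks; for an exact timestamp you have to read the non-replicated lastLogon attribute from every DC. The built-in Search-ADAccount -AccountInactive -TimeSpan is the quicker alternative when you do not need the whenCreated handling.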
Tell me the order of GPO as it applied.
GPO applies in this order – Local Policy, Site, Domain, and Organizational Units.
What is the command used for Domain Controller decommissioning?
Dcpromo
Have you ever planned and implemented Active Directory infrastructure anywhere? Tell me few considerations we have to take during the AD planning.
Yes. Keeping your Active Directory as simple as possible will help improve overall efficiency, and it will make the troubleshooting process easier whenever problems arise. Use the appropriate site topology. Use dedicated domain controllers. Have at least two DNS servers. Place at least one global catalog server in each site.
Name a few differences between Windows Server 2003 AD and Windows Server 2008 AD.
There are many changes in Active Directory from the 2003 version to the 2008 version: Active Directory is now a service that can be restarted; RODC is a new type of DC introduced in Windows Server 2008; Group Policy preferences were introduced; a number of new AD templates were introduced in 2008; DFS Replication (DFS-R) is used for SYSVOL replication instead of the FRS used in 2003. Windows Server 2008 AD also includes new features such as the Active Directory Recycle Bin, Active Directory Administrative Center, Active Directory Web Services, offline domain join, etc.
IM vs GC
You should not place the infrastructure master role on a domain controller that is configured as a global catalog server unless all domain controllers are configured as global catalog servers. Otherwise, the infrastructure master would be unable to update its references to objects in other domains properly. New to Windows Server 2008, when you create an additional domain controller in a child domain, dcpromo checks whether the infrastructure master is on a global catalog server. If so, it prompts you to transfer this role to the new domain controller.
Active Directory
Domains can hold millions of objects, as opposed to the Windows NT domain structure, which was limited to approximately 40,000 objects.
Tree Information
All domains in a tree are linked with two-way, transitive trust relationships; in other words, accounts in any one domain can access resources in another domain and vice versa.
A forest can contain multiple trees, and trees can contain multiple levels of child domains.
Forest Information
Two-way transitive trust relationships exist between domains in the trees of a single forest. When you create a new Active Directory structure, the first domain created is the forest root domain.
Site Information
A site can contain objects from more than one tree or domain within a single forest. The use of sites enables you to control the replication of data within the Active Directory database as well as to apply policies to all users and computers in a site.
Global Catalog
The global catalog is a subset of domain information created for the purpose of enabling domain controllers in other domains in the same forest to locate resources in any domain. Users searching for objects such as files, folders, or printers in another domain are directed to a global catalog for searching the entire directory database.
Operations Masters
The operations master (FSMO) roles are created automatically when the forest is built and are all held by the first DC of the forest. The two forest-wide roles can later be transferred to any DC in the forest; the three domain-wide roles can only be transferred to another DC of the same domain.
Schema master: the schema is the configuration database that describes every object class and attribute available in the Active Directory forest, and so determines how AD objects and their attributes are defined. The schema master is the single DC in the whole forest that accepts updates and modifications to the schema. Once a change is committed there, it replicates from the schema master to every other domain controller in the forest; all other DCs hold a read-only replica of the schema.
Schema master failure: there is no effect on users and the domain keeps working as before. Administrators notice the failure only when they try to modify the schema or install an application that extends the schema; such operations return an error until the role is available again. If the role has to be seized, the former role holder must never be brought back online: designate another DC as schema master and decommission the old one.
The domain naming master:
By default the first domain controller created in the forest holds the domain naming master role. It manages the addition and removal of domains in the forest: it keeps track of every domain in the forest so that duplicate domain names cannot be created, and it is the only DC that can add a domain to, or remove a domain from, the directory. There is exactly one domain naming master in the whole forest.
Domain naming master failure: no impact on normal domain operations; users keep working as always. New domains cannot be added and existing domains cannot be removed until the role is available again.
PDC emulator:
· Receives every password change made on any DC in the domain immediately (urgent replication), so it always knows the most recent password.
· Manages account lockout: failed authentications on any DC are forwarded to the PDC emulator, which keeps the authoritative bad-password count and applies the lockout.
· Is the DC that the Group Policy editing tools connect to by default, so that administrators in different locations do not edit the same GPO on different DCs at the same time.
· Acts as the authoritative time source for the domain: the other DCs synchronise from it and member computers synchronise from their DC. Kerberos depends on this.
· Acts as the primary domain controller for any remaining Windows NT 4 backup domain controllers and down-level clients, and is responsible for their authentication.
If the PDC emulator is down:
· A user whose password was just changed on another DC may get logon failures on DCs that have not yet received the change, because the "second opinion" check against the PDC emulator is unavailable.
· Account lockout counting is no longer centralised.
· Time can drift, and Kerberos rejects tickets from clients whose clocks differ by more than the allowed skew (five minutes by default), which shows up as logon failures.
· Group Policy editing tools warn that the PDC emulator is unavailable.
· NT 4 clients and BDCs, if any remain, cannot authenticate or replicate.
Infrastructure master: this DC is responsible for updating references from objects in its domain to objects in other domains, using the global catalog as the source of truth, and for replicating the updated references to the other domain controllers in its domain.
When an object in one domain is referenced from another domain (for example a user from domain A who is a member of a group in domain B), the referencing domain stores a placeholder called a phantom object that holds the GUID, SID and distinguished name of the referenced object. If the referenced object is renamed or moved in its own domain, the phantom goes stale: the group may temporarily appear not to contain that member, although the membership itself, which is keyed on the GUID, is never lost. The infrastructure master of the group's domain periodically compares its phantoms against a global catalog, detects the new name or location, updates the phantom and distributes the update to the other DCs of its domain through normal multimaster replication.
The role only matters when the forest has more than one domain; in a single-domain forest there are no cross-domain references to maintain. Do not place the role on a DC that is also a global catalog server unless every DC in the domain holds the GC role (see above).
Note that the infrastructure master plays no part in creating objects or in keeping names unique. If two administrators create a user named Mary on two different DCs at the same time, replication conflict resolution handles it without any operations master: one object keeps its name and the other is renamed with a "CNF:<GUID>" suffix. Creating an account in a domain from a DC of another domain does not involve the infrastructure master either.
If the infrastructure master is down:
No impact in a single-domain environment.
In a multi-domain forest, renames and moves of objects that are referenced from this domain are not reflected in its references, so group memberships and other cross-domain links display stale names until the role is back. Administrators notice this; users generally do not, because access is evaluated on SIDs rather than on the displayed names, and moving or renaming accounts still works.
RID Master
· The RID master allocates pools of relative identifiers (RIDs) to every DC in its domain; a DC that has used most of its pool requests a new one from the RID master.
· Every security principal (user, computer, group) is identified by a SID, which is the domain SID followed by a RID that must be unique within the domain. Because any writable DC can create principals, the non-overlapping RID pools are what keep SIDs from colliding.
· The RID master is also involved when an object is moved from this domain into another domain: it removes the object from its domain and hands it over so that the destination domain can assign it a new SID.
If the RID master is down:
· Little immediate impact while every DC still has RIDs left in its current pool.
· Once a DC exhausts its pool and cannot obtain a new one, that DC can no longer create users, groups or computers.
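The role descriptions above, turned into the check a practitioner runs during an outage. This is an added example, not code from the original page; it assumes the ActiveDirectory module and uses the standard rIDAllocationPool, rIDNextRID and rIDAvailablePool attributes to show how far each DC is from the "RIDs exhausted" condition.

```powershell
# Added example: list the five role holders, confirm they answer, and read the RID pool state.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    $forest = Get-ADForest
    [pscustomobject]@{ Scope = 'forest'; Role = 'SchemaMaster';       Holder = $forest.SchemaMaster }
    [pscustomobject]@{ Scope = 'forest'; Role = 'DomainNamingMaster'; Holder = $forest.DomainNamingMaster }
    foreach ($d in $forest.Domains) {
        $domain = Get-ADDomain -Identity $d
        foreach ($role in 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster') {
            [pscustomobject]@{ Scope = $d; Role = $role; Holder = $domain.$role }
        }
    }
}

function Test-FsmoReachable {
    # An unreachable PDC emulator or RID master needs attention now; the schema and domain
    # naming masters can stay down until a schema or domain change is actually needed.
    Get-FsmoRoleHolders | ForEach-Object {
        $_ | Add-Member -PassThru -MemberType NoteProperty -Name Reachable `
             -Value (Test-Connection -ComputerName $_.Holder -Count 1 -Quiet)
    }
}

function Get-RidPoolStatus {
    # rIDAllocationPool is a 64-bit value: low 32 bits = first RID of the pool, high 32 bits = last RID.
    # rIDNextRID is not replicated, so each DC's RID Set must be read from that DC itself.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $ridSet = Get-ADObject -Identity ('CN=RID Set,' + $dc.ComputerObjectDN) `
                    -Properties rIDAllocationPool, rIDNextRID -Server $dc.HostName -ErrorAction SilentlyContinue
        if (-not $ridSet) { continue }                       # RODCs do not create principals and have no RID Set
        $pool  = [int64]$ridSet.rIDAllocationPool
        $start = $pool -band 0xFFFFFFFF
        $end   = [int64](($pool - $start) / 4294967296)
        [pscustomobject]@{
            DC = $dc.HostName; PoolStart = $start; PoolEnd = $end
            NextRid = [int64]$ridSet.rIDNextRID; Remaining = $end - [int64]$ridSet.rIDNextRID
        }
    }
    # Domain-wide: low 32 bits of rIDAvailablePool = next RID the RID master will hand out,
    # high 32 bits = ceiling (1,073,741,823 unless the 31st bit has been unlocked).
    $mgr   = Get-ADObject -Identity ('CN=RID Manager$,CN=System,' + (Get-ADDomain).DistinguishedName) -Properties rIDAvailablePool
    $avail = [int64]$mgr.rIDAvailablePool
    $next  = $avail -band 0xFFFFFFFF
    $max   = [int64](($avail - $next) / 4294967296)
    [pscustomobject]@{ DC = 'RID Manager$ (domain)'; PoolStart = $next; PoolEnd = $max; NextRid = $next; Remaining = $max - $next }
}

Test-FsmoReachable | Format-Table -AutoSize
Get-RidPoolStatus  | Format-Table -AutoSize
```

A DC whose Remaining column is close to zero while the RID master is unreachable is the one that will fail to create accounts first; dcdiag /test:RidManager /v reports the same values.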
Requirements for installing Active Directory
Operating system: the server must be running the Standard, Enterprise or Datacenter edition of Windows Server 2008. A server running the Web edition cannot act as a domain controller.
Active Directory-Integrated Zones
Storing a DNS zone in Active Directory helps to ensure that zone data stays up to date on all domain controllers hosting DNS in the domain (or in the forest, depending on the replication scope you choose). It promotes fault tolerance: every DNS server holding the zone has a writable copy, so data is always available and can still be updated if one of the servers fails.
With Active Directory-integrated zones the zone data travels inside AD replication to the other domain controllers in the replication scope, and you cannot restrict that replication the way you restrict a classic zone transfer. Conventional zone transfers to secondary servers that are not domain controllers are a separate mechanism that is still governed by the zone's zone transfer settings, so restrict or disable them explicitly.
How to make domain controller.
Ans: by running the dcpromo command on a server that meets the requirements above. (On Windows Server 2012 and later dcpromo is retired; use the Install-ADDSDomainController cmdlet or the Server Manager wizard instead.)
What is ADDS and its use
Active Directory Domain Services (AD DS) stores directory data and manages communication between users and domains, including user logon processes, authentication, and directory searches. An Active Directory domain controller is a server that is running AD DS. It provides secure, structured, hierarchical data storage for objects in a network such as users, computers, printers, and services.
What is use of domain controller?
Ans: - The primary function of domain controllers is to validate users to the network. However, domain controllers also provide the catalog of Active Directory objects to users on the network.
           
What is the Ntdsutil tool in Windows Server 2008?
ANS: Ntdsutil is a command-line tool for managing AD DS: transferring and seizing single master operations (FSMO) roles, performing metadata cleanup for domain controllers that were removed without demotion, resetting the DSRM administrator password, and performing authoritative restores and snapshots of the database.
What is Offline Maintenance?
Ans: System maintenance activities that are performed while users are not using the services provided by a server, for example database defragmentation or a system state restore with AD DS stopped.
Which precaution needs to be taken when restoring system state data?
Ans: AD DS must be stopped (or the DC booted into Directory Services Restore Mode), because the restore needs exclusive access to the system files and to the NTDS.DIT database. The backup must also be younger than the tombstone lifetime; restoring an older one reintroduces objects the other DCs have already purged.
How do you perform a restore in an AD environment?
Ans: Boot the domain controller into Directory Services Restore Mode (DSRM) and restore the system state from backup. That is a non-authoritative restore; if deleted objects must come back and win over the deletion on the other DCs, follow it with an authoritative restore of those objects in ntdsutil before rebooting.
What is the use of Active Directory Service?
Ans: Active Directory Domain Services stores all the information required to manage AD objects, such as users, groups and computers, and makes it available for authentication and directory queries.
What is the use of a Domain Controller?
Ans: A domain controller is a server that hosts AD DS. It authenticates users and computers and provides centralised access control for resources such as printers, files and mail within the domain.
What type of Active Directory objects can be contained in a group?
Ans: A group can contain users, computers, contacts, and other nested groups.
What types of Active Directory objects can be contained in an Organizational Unit?
Ans: Organizational Units can hold users, groups, computers, contacts, and other OUs. The Organizational Unit provides you with a container directly below the domain level that enables you to refine the logical hierarchy of how your users and other resources are arranged in Active Directory.
What is the purpose of SYSVOL?
The SYSVOL folder stores the server's copy of the domain's public files: the Group Policy templates (the file-system half of each GPO) and logon, logoff, startup and shutdown scripts. Its contents are replicated to all domain controllers in the domain by the File Replication Service or, once the domain has been migrated, by DFS Replication. The SYSVOL folder must be located on an NTFS volume. Because every domain computer executes what it finds there, write access to SYSVOL is equivalent to code execution across the domain and must stay limited to domain administrators.
Name 3 benefits of using AD-integrated zones.
AD-integrated zones allow secure dynamic updates: only the computer that registered a record (or an account explicitly granted rights on it) can change it, which prevents other hosts from overwriting or spoofing records, and avoids duplicate or unwanted entries because every update is validated against Active Directory. The zone data is stored in Active Directory and replicated to the other DNS servers through AD replication, with domain-wide or forest-wide scope through the DomainDnsZones and ForestDnsZones application partitions, so no separate zone transfer configuration is needed. Every DNS server holding the zone is a writable primary, which gives multi-master fault tolerance. Reverse lookup zones can be AD-integrated too; PTR records make it easier to attribute IP addresses seen in logs to host names during an investigation.
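The weak and corrected settings behind both zone-related answers above (the zone transfer caveat and the secure dynamic update benefit), as an added example rather than code from the original page. It uses the DnsServer module of Windows Server 2012 and later (or RSAT); the dnscmd.exe equivalents for Windows Server 2008 are in the comments. The zone name, server name and secondary address are placeholders.

```powershell
# Added example: audit a zone's posture, then apply the hardened settings.
Import-Module DnsServer

$zone      = 'corp.example.com'   # assumed zone
$dns       = 'DC01'               # assumed DNS server
$secondary = '10.0.0.53'          # assumed non-AD secondary that legitimately needs zone transfers

function Test-DnsZonePosture {
    param([string]$Name, [string]$Server)
    $z = Get-DnsServerZone -Name $Name -ComputerName $Server
    [pscustomobject]@{
        Zone             = $z.ZoneName
        AdIntegrated     = $z.IsDsIntegrated
        ReplicationScope = $z.ReplicationScope
        DynamicUpdate    = $z.DynamicUpdate
        Finding          = $(
            if (-not $z.IsDsIntegrated)                       { 'file-backed zone: no secure updates, no AD replication' }
            elseif ($z.DynamicUpdate -ne 'Secure')            { 'nonsecure dynamic updates: any host can overwrite records' }
            elseif ($z.SecureSecondaries -eq 'TransferAnyServer') { 'zone transfer open to any requester' }
            else                                              { 'ok' }
        )
    }
}

Test-DnsZonePosture -Name $zone -Server $dns

# Weak: a file-backed zone, or NonsecureAndSecure updates. Corrected:
# 1) store the zone in AD, replicated to every DNS server in the domain (DomainDnsZones partition)
ConvertTo-DnsServerPrimaryZone -Name $zone -ReplicationScope Domain -ComputerName $dns -Force      # dnscmd /ZoneResetType corp.example.com /DsPrimary
# 2) only authenticated computers may update their own records
Set-DnsServerPrimaryZone -Name $zone -DynamicUpdate Secure -ComputerName $dns                      # dnscmd /Config corp.example.com /AllowUpdate 2
# 3) AD replication cannot be limited, but classic zone transfers can and should be
Set-DnsServerPrimaryZone -Name $zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $secondary -ComputerName $dns                                                  # dnscmd /ZoneResetSecondaries corp.example.com /SecureList 10.0.0.53
# 4) an AD-integrated reverse zone so PTR records get the same protection
Add-DnsServerPrimaryZone -NetworkId '10.0.0.0/24' -ReplicationScope Domain -DynamicUpdate Secure -ComputerName $dns
# 5) let dynamically registered records age out instead of lingering after a host is gone
Set-DnsServerZoneAging -Name $zone -Aging $true -ComputerName $dns
```

If no secondary outside Active Directory needs the zone, use -SecureSecondaries NoTransfer in step 3; AD replication still delivers the zone to every DNS-hosting DC in scope.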
How do you back up and restore AD?
On Windows Server 2003, use the NTBackup utility and select System State, which includes Active Directory; restore with NTBackup in the same way. On Windows Server 2008 NTBackup no longer exists: install the Windows Server Backup feature and use wbadmin start systemstatebackup and wbadmin start systemstaterecovery (or the console), the latter from Directory Services Restore Mode.
How do you change the DS Restore admin password?
Using NTDSUTIL tool.
How can you forcibly remove AD from a server?
Using the command dcpromo /forceremoval
ACTIVE DIRECTORY COMPONENTS
Logical structure: Domains, Trees, Forest, Organizational units
Physical structure: Sites, Domain controllers
What is the use of LDAP (X.500 standard)?
LDAP (Lightweight Directory Access Protocol) is the directory access protocol derived from the X.500 standard. It is used to exchange directory information between clients and servers and between servers; Active Directory serves it on port 389 (636 for LDAP over SSL).
What is the role responsible for time synchronization?
The PDC emulator is responsible for time synchronization. It matters because Kerberos authentication depends on time stamps: by default a clock skew of more than five minutes between client and DC makes ticket requests fail.
What is the tombstone period?
Tombstones are objects marked for deletion. Deleting an object in AD does not remove it immediately: most of its attributes are stripped, isDeleted is set, the object is moved to the Deleted Objects container, and that tombstone replicates to all DCs so each of them learns about the deletion. The tombstone lifetime is 60 days by default in forests created on Windows 2000 or Windows Server 2003 RTM and 180 days in forests created on Windows Server 2003 SP1 or later; it is configurable through the tombstoneLifetime attribute of the Directory Service object in the configuration partition. When it expires, garbage collection removes the object permanently from every DC. A backup older than the tombstone lifetime must never be restored.
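Reading the effective tombstone lifetime and what is currently tombstoned, as an added example that is not code from the original page. It assumes the ActiveDirectory module; the forest name in the commented Enable-ADOptionalFeature call is a placeholder.

```powershell
# Added example: tombstone lifetime, current tombstones, and the Recycle Bin path to restore them.
Import-Module ActiveDirectory

function Get-TombstoneLifetime {
    $cfg = (Get-ADRootDSE).configurationNamingContext
    $ds  = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$cfg" -Properties tombstoneLifetime
    # If the attribute is absent the forest uses the built-in default of 60 days
    # (forests created on Windows 2000 / 2003 RTM); forests created on 2003 SP1 or later set it to 180.
    if ($ds.tombstoneLifetime) { [int]$ds.tombstoneLifetime } else { 60 }
}

function Get-TombstonedUsers {
    $ttl = Get-TombstoneLifetime
    # Tombstones sit in CN=Deleted Objects and are hidden unless -IncludeDeletedObjects is given.
    Get-ADObject -Filter 'isDeleted -eq $true -and objectClass -eq "user"' -IncludeDeletedObjects `
        -Properties whenChanged, lastKnownParent, objectSid |
        Select-Object Name, objectGUID, objectSid, lastKnownParent,
            @{ n = 'Deleted';     e = { $_.whenChanged } },
            @{ n = 'PurgedAfter'; e = { $_.whenChanged.AddDays($ttl) } }   # garbage collection date
}

Get-TombstoneLifetime
Get-TombstonedUsers | Format-Table -AutoSize

# With the AD Recycle Bin (forest functional level 2008 R2 or later) a deleted object keeps all its
# attributes and can be put back with the same objectSid, which a re-created account never has.
# Enabling the feature is irreversible:
# Enable-ADOptionalFeature -Identity 'Recycle Bin Feature' -Scope ForestOrConfigurationSet -Target 'example.com'
# Restore-ADObject -Identity <objectGUID from the list above>
```

Without the Recycle Bin, a tombstone has lost its group memberships and most attributes, and only an authoritative restore from backup brings the object back intact.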
What are the different types of partitions present in AD?
Active Directory is divided into the following partitions (naming contexts):
Schema partition: replicated to every DC in the forest
Configuration partition: replicated to every DC in the forest
Domain partition: replicated only to the DCs of that domain
Application partitions (introduced with Windows Server 2003): replicated only to the DCs you choose, for example DomainDnsZones and ForestDnsZones for AD-integrated DNS
Who replicates password changes?
Password changes replicate through normal multimaster replication like any other attribute, but the DC that accepted the change also sends it immediately to the PDC emulator (urgent replication). The PDC emulator therefore always knows the latest password and can act as the second opinion when another DC rejects a logon.
What is the hierarchy of Group Policy?
Local policy
Site Policy
Domain Policy
OU Policy
Sub OU Policy (if any)
Policies are applied in this order, and on a conflicting setting the last one applied wins, so an OU setting overrides a domain setting unless the domain link is marked Enforced.
How do you force the KCC to generate connection objects immediately without delay?
Type the command repadmin /kcc. This forces the KCC on the targeted DC to recalculate the replication topology and generate connection objects immediately instead of waiting for its next scheduled run (every 15 minutes by default).
Active Directory Recycle Bin: Recovering Deleted Objects
AD DS contains five operations master roles. Two roles are performed for the entire forest:
■ Domain naming
■ Schema
Three roles are performed in each domain:
■ Relative identifier (RID)
■ Infrastructure
■ PDC Emulator
RODC
By default an RODC does not cache any user or computer passwords. Which accounts may be cached is controlled by each RODC's Password Replication Policy (PRP): the Allowed list names the accounts and groups whose secrets the RODC may cache, and the Denied list, which by default contains the privileged groups through the Denied RODC Password Replication Group, always wins over the Allowed list.
When a user authenticates at an RODC that does not have the credential cached, the RODC forwards the request to a writable domain controller over the WAN; if the PRP allows it, the RODC then requests and caches the credential for later logons. If the RODC is stolen, only the cached secrets are exposed, and deleting the RODC's computer account lets you reset exactly those accounts.
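The PRP review a practitioner performs before and after deploying an RODC, as an added example that is not code from the original page. It assumes the ActiveDirectory module; the RODC name and the branch group are placeholders.

```powershell
# Added example: check an RODC's Password Replication Policy and what it has already cached.
Import-Module ActiveDirectory

$rodc  = 'RODC01'          # assumed RODC
$allow = 'Branch-Users'    # assumed group of accounts that really log on at the branch

# Groups whose secrets must never sit on a stealable DC. The first seven are in the default
# Denied list; the last is the domain's built-in deny group.
$mustDeny = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Account Operators',
            'Server Operators', 'Backup Operators', 'Cert Publishers', 'Denied RODC Password Replication Group'

function Test-RodcPrp {
    param([string]$Identity)
    $denied  = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Identity -Denied  | Select-Object -ExpandProperty Name
    $allowed = Get-ADDomainControllerPasswordReplicationPolicy -Identity $Identity -Allowed | Select-Object -ExpandProperty Name
    $missing = $mustDeny | Where-Object { $denied -notcontains $_ }

    # Accounts whose secrets are already on the RODC; a privileged one here is a finding.
    $revealed = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $Identity -RevealedAccounts
    $privRevealed = foreach ($acct in $revealed) {
        $groups = (Get-ADPrincipalGroupMembership -Identity $acct.DistinguishedName).Name   # direct memberships only
        if ($groups | Where-Object { $mustDeny -contains $_ }) { $acct.SamAccountName }
    }

    [pscustomobject]@{
        RODC               = $Identity
        Allowed            = $allowed -join ', '
        MissingFromDenied  = $missing -join ', '
        RevealedCount      = @($revealed).Count
        PrivilegedRevealed = $privRevealed -join ', '
    }
}

Test-RodcPrp -Identity $rodc

# Let branch accounts be cached (a Denied entry still wins over an Allowed one):
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList $allow
# Pre-populate the cache so the first branch logon does not depend on the WAN link:
# Sync-ADObject -Object 'CN=Jane Doe,OU=Branch,DC=corp,DC=example,DC=com' -Source DC01 -Destination $rodc -PasswordOnly
```

A non-empty MissingFromDenied or PrivilegedRevealed column means a compromise of the branch box would yield domain-level credentials, which is precisely what the RODC was meant to prevent.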

Sites
1) Site links are the logical links between two or more Active Directory sites. They define the available communication path between sites together with its cost, schedule and replication interval, and site links can be grouped together in a site link bridge.
2) Sites are primarily used to optimise replication and to let clients authenticate against a nearby domain controller.
3) The purpose of Active Directory sites is to control replication traffic across slow links.
KCC (Knowledge Consistency Checker)
The KCC runs on every domain controller and regularly (every 15 minutes by default) recalculates the replication topology. Domain controllers in different sites are connected through site links, and site links can be grouped together with the help of a site link bridge.
Bridgehead server: the domain controller in a site that sends and receives replication data on behalf of the whole site is called the bridgehead server. The KCC (through the Inter-Site Topology Generator, the ISTG, which is one DC per site) designates a bridgehead per site and per directory partition, and that server replicates the data to all other domain controllers in its site. If the bridgehead server goes down, the KCC designates another domain controller in the site as the bridgehead. You can nominate preferred bridgehead servers manually, but then the KCC will only fail over among the preferred ones.
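The repadmin calls used to drive and inspect the topology described above, plus a check for partners that have silently stopped replicating, as an added example that is not code from the original page. DC names are placeholders; the PowerShell cmdlets need the ActiveDirectory module from Windows Server 2012 or later (or RSAT), while repadmin is available on Windows Server 2008.

```powershell
# Added example: force the KCC, see the bridgeheads it picked, and find stale replication partners.
repadmin /kcc DC02                   # make DC02's KCC rebuild its connection objects now
repadmin /bridgeheads /verbose       # which DCs currently act as bridgeheads for each site
repadmin /showrepl DC02 /errorsonly  # inbound partners of DC02 that are failing
repadmin /replsummary                # forest-wide: largest delta and failure count per DC

Import-Module ActiveDirectory

function Find-StaleReplicationPartners {
    param([int]$MaxHours = 24)
    # Every inbound connection of every DC with the time of its last successful replication.
    foreach ($dc in Get-ADDomainController -Filter *) {
        Get-ADReplicationPartnerMetadata -Target $dc.HostName -ErrorAction SilentlyContinue |
            Where-Object {
                $_.LastReplicationSuccess -lt (Get-Date).AddHours(-$MaxHours) -or
                $_.ConsecutiveReplicationFailures -gt 0
            } |
            Select-Object Server, Partner, Partition, LastReplicationSuccess,
                          ConsecutiveReplicationFailures, LastReplicationResult
    }
}

Find-StaleReplicationPartners -MaxHours 24 | Format-Table -AutoSize

# Connection objects the KCC generated (AutoGenerated = True) versus ones an admin created by hand;
# a hand-made connection is not rebuilt by the KCC when its partner disappears.
Get-ADReplicationConnection -Filter * |
    Select-Object Name, ReplicateFromDirectoryServer, ReplicateToDirectoryServer, AutoGenerated
```

A partner whose LastReplicationSuccess is approaching the tombstone lifetime is an emergency: once it passes that age the DC is quarantined by replication and must be rebuilt.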
Additional Domain Controllers in a Domain
You can create additional domain controllers to distribute authentication, create a level of fault tolerance in the event any one DC fails, or provide authentication in remote sites
Forest-Wide Operations Master Roles
The schema master and the domain naming master must be unique in the forest. Each role is performed by only one domain controller in the entire forest.
Schema Master Role
The domain controller holding the schema master role is responsible for making any changes to the forest's schema. All other DCs hold read-only replicas of the schema. If you want to modify the schema or install an application that modifies the schema, it is recommended you do so on the domain controller holding the schema master role. Otherwise, changes you request must be sent to the schema master to be written into the schema.
Domain Naming Master Role
The domain naming role is used when adding or removing domains in the forest. When you add or remove a domain, the domain naming master must be accessible, or the operation will fail.
Domain-Wide Operations Master Roles
Each domain maintains three single master operations: RID, Infrastructure, and PDC Emulator.
Each role is performed by only one domain controller in the domain.
RID Master Role
The RID master plays an integral part in the generation of security identifiers (SIDs) for security principals such as users, groups, and computers. The SID of a security principal must be unique. Because any domain controller can create accounts and, therefore, SIDs, a mechanism is necessary to ensure that the SIDs generated by a DC are unique. Active Directory domain controllers generate a SID by appending a unique RID to the domain SID. The RID master for the domain allocates pools of unique RIDs to each domain controller in the domain, so each domain controller can be confident that the SIDs it generates are unique.
Infrastructure Master Role
You can think of the infrastructure master as a tracking device for group members from other domains. When those members are renamed or moved in the other domain, the infrastructure master identifies the change and makes appropriate changes to group memberships so that the memberships are kept up to date.
PDC Emulator Role
When a user's password is reset or changed, the domain controller that makes the change replicates the change immediately to the PDC emulator. When the user later presents a password that a different domain controller rejects, that domain controller forwards the authentication request to the PDC emulator, which verifies whether the new password is correct and, if so, instructs the domain controller to accept the logon. In effect, any time a user enters a password that the local DC considers wrong, the authentication is forwarded to the PDC emulator for a second opinion before the failure is recorded.
Transferring Operations Master Roles
When you establish your forest, all five roles are performed by the first domain controller you install. When you add a domain to the forest, all three domain roles are performed by the first domain controller in that domain. As you add domain controllers, you can distribute the roles to reduce single-point-of-failure instances and improve performance.
If you plan to take a domain controller offline that is currently holding an operations master role, transfer that role to another domain controller prior to taking it offline.
When you transfer an operations master role, both the current master and the new master are online.
Infrastructure master failure
A failure of the infrastructure master will be noticeable to administrators but not to users. Because the master is responsible for updating the names of group members from other domains, it can appear as if group membership is incorrect although, as mentioned earlier in this lesson, membership is not actually affected. You can seize the infrastructure master role to another domain controller and then transfer it back to the previous role holder when that system comes online.
PDC emulator failure The PDC emulator is the operations master that will have the most immediate impact on normal operations and on users if it becomes unavailable. Fortunately, the PDC Emulator role can be seized to another domain controller and then transferred back to the original role holder when the system comes back online.
Schema master failure
The schema master role is necessary only when schema modifications are being made, either directly by an administrator or by installing an Active Directory integrated application that changes the schema. At other times, the role is not necessary. It can remain offline indefinitely until schema changes are necessary. Seizing this role to another domain controller is a significant action. After the schema master role has been seized, the domain controller that had been performing the role cannot be brought back online.
Domain naming master failure
The domain naming master role is necessary only when you add a domain to the forest or remove a domain from a forest. Until such changes are required to your domain infrastructure, the domain naming master role can remain offline for an indefinite period of time. Seizing this role to another domain controller is a significant action. After the domain naming master role has been seized, the domain controller that had been performing the role cannot be brought back online.
NOTE Do not return a seized schema, domain naming, or RID master to service
After seizing the schema, domain naming, or RID roles, you must completely decommission the original domain controller: you must not bring it back online without first decommissioning it. That means you must keep the original role holder physically disconnected from the network, remove AD DS from it by using the Dcpromo /forceremoval command, and clean the metadata for that domain controller.
After the domain controller has been completely removed from Active Directory, if you want the server to rejoin the domain, you can connect it to the network and join the domain. If you want it to be a domain controller, you can promote it. If you want it to resume performing the operations master role, you can transfer the role back to the DC.
NOTE better to rebuild
Because of the critical nature of domain controllers, it is recommended that you completely reinstall the former domain controller in this scenario.
You should create additional sites when:
A part of the network is separated by a slow link.
A part of the network has enough users to warrant hosting domain controllers or other services in that location.
Directory query traffic warrants a local domain controller.
You want to control service localization.
You want to control replication between domain controllers.
Sites and replication are managed using the Active Directory Sites and Services snap-in, where you define sites, the subnets that map clients to them, site links, and the Inter-Site Transports: IP and SMTP. SMTP can carry only the schema, configuration and application partitions, never the domain partition, so IP is the transport used in practice.
SRV records in Windows Server 2008 include LDAP (port 389), Kerberos (port 88), Kerberos Password protocol (KPASSWD, port 464), and GC services (port 3268).
What is Site Coverage?
So you might have sites without a DC. In this case, a nearby domain controller will register its SRV records in the site in a process called site coverage.
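Verifying the SRV records and ports listed above and seeing site coverage from the client's point of view, as an added example that is not code from the original page. Domain, forest and site names are placeholders; Resolve-DnsName and Test-NetConnection need Windows 8 / Windows Server 2012 or later (use nslookup -type=SRV on older systems), while nltest is available on Windows Server 2008.

```powershell
# Added example: resolve the locator SRV records and check the advertised ports answer.
$domain = 'corp.example.com'   # assumed domain
$forest = 'example.com'        # assumed forest root
$site   = 'Branch'             # assumed site, possibly without a DC of its own

$checks = @(
    @{ Record = "_ldap._tcp.dc._msdcs.$domain";                Port = 389  }
    @{ Record = "_kerberos._tcp.dc._msdcs.$domain";            Port = 88   }
    @{ Record = "_kpasswd._tcp.$domain";                       Port = 464  }
    @{ Record = "_gc._tcp.$forest";                            Port = 3268 }
    @{ Record = "_ldap._tcp.${site}._sites.dc._msdcs.$domain"; Port = 389  }   # site-specific; a covering DC registers here if the site has no DC
)

function Test-DcSrvRecords {
    foreach ($c in $checks) {
        $srv = Resolve-DnsName -Name $c.Record -Type SRV -ErrorAction SilentlyContinue | Where-Object Type -eq 'SRV'
        if (-not $srv) {
            [pscustomobject]@{ Record = $c.Record; Target = '(no SRV record)'; Port = $c.Port; Open = $false }
            continue
        }
        foreach ($r in $srv) {
            # The SRV record names the host; the port it advertises must actually accept TCP connections.
            $open = (Test-NetConnection -ComputerName $r.NameTarget -Port $c.Port -WarningAction SilentlyContinue).TcpTestSucceeded
            [pscustomobject]@{ Record = $c.Record; Target = $r.NameTarget; Port = $c.Port; Open = $open }
        }
    }
}

Test-DcSrvRecords | Format-Table -AutoSize

# Site coverage as the DC locator sees it: which DC answers for a site that has no DC of its own.
nltest /dsgetdc:$domain /site:$site
nltest /dsgetsite     # the site this client believes it is in, derived from its subnet-to-site mapping
```

A missing site-specific record while nltest still returns a DC means the client is falling back to the generic _ldap._tcp.dc._msdcs record and may authenticate across the WAN.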
As soon as you have more than one domain controller in your domain, you must consider replication of the directory database between domain controllers. This section covers which directory partitions are replicated to each domain controller in a forest and how to manage the replication of the GC and of application partitions.
Reviewing Active Directory Partitions
Domain: the domain naming context (NC) contains all the objects stored in a domain, including users, groups, computers, and Group Policy containers (GPCs).
Configuration: the configuration partition contains objects that represent the logical structure of the forest, including domains, as well as the physical topology, including sites, subnets, and services.
Schema: the schema defines the object classes and their attributes for the entire directory.
Understanding the Global Catalog
Imagine a forest with two domains, each with two domain controllers. All four domain controllers maintain a replica of the schema and configuration partitions for the forest, but a domain controller in Domain B holds no replica of Domain A's domain partition, so it cannot by itself answer a query about a user, computer or group in Domain A.
That is where the global catalog comes in. The global catalog (GC) is a partial, read-only replica of every domain partition in the forest, hosted on the domain controllers designated as GC servers and served on port 3268 (3269 for LDAP over SSL). When a user in Domain B looks for an object in Domain A, the GC provides the results of the query. To keep it efficient, the GC does not contain every attribute of every object in the forest; it holds the partial attribute set, a subset of attributes that are useful for searching across domains and that can be extended in the schema.
The Knowledge Consistency Checker
The replication paths built between domain controllers by connection objects create the replication topology for the forest. You do not have to create the replication topology manually: by default, Active Directory creates a topology that ensures effective replication. The topology is two-way so that if any one domain controller fails, replication continues uninterrupted.
On each domain controller, a component of Active Directory called the knowledge consistency checker (KCC) generates and optimizes the replication topology automatically between domain controllers within a site. If a domain controller is added to or removed from the site, or if a domain controller is not responsive, the KCC rearranges the topology dynamically, adding and deleting connection objects to rebuild an effective replication topology.
If a domain controller named DC01 is the RID master and DC02 is the system that will take over the RID master role if DC01 is taken offline, a connection object should be created on DC02 so that it replicates directly from DC01; that way DC02 holds the freshest copy of the RID allocation state when it has to seize the role.
Why Should You Do Authoritative Restores?
You may be wondering why an authoritative restore is necessary. If an account is deleted, isn't it easy to just create a new one with the same name?
Although it is easy to create a new account with the same name, the operating system doesn't identify accounts by their names. Instead, every account is identified by a security identifier (commonly called a SID). SIDs are unique within a forest, meaning you would never have the same SID for any two accounts, so the re-created account has none of the group memberships or permissions that were granted to the original SID.
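The authoritative restore sequence on a Windows Server 2008 domain controller, as an added example that is not code from the original page. The backup version, the user's distinguished name and the DC name are placeholders; the steps run in order from an elevated prompt, with the reboots shown.

```powershell
# Added example: bring back a deleted user with its original SID via authoritative restore.
wbadmin get versions                       # pick a system state backup younger than the tombstone lifetime
bcdedit /set safeboot dsrepair             # next boot goes to Directory Services Restore Mode
Restart-Computer -Force

# --- in DSRM, logged on as .\Administrator with the DSRM password set at promotion ---
# Non-authoritative restore first: this brings the database back to its state at backup time.
wbadmin start systemstaterecovery -version:04/12/2024-09:00 -quiet

# Do NOT reboot yet. Mark only the deleted object as authoritative: ntdsutil raises its version
# numbers (100000 per day of backup age) so the restored object wins over the deletion when the
# other DCs replicate, and it returns with its original objectSid, which a new "Mary" would never have.
ntdsutil "activate instance ntds" "authoritative restore" "restore object CN=Mary,OU=Sales,DC=corp,DC=example,DC=com" quit quit
# For a whole container use:  "restore subtree OU=Sales,DC=corp,DC=example,DC=com"
# (quote the DN inside the command if it contains spaces)

bcdedit /deletevalue safeboot              # normal boot next time
Restart-Computer -Force

# After the reboot: confirm the object and its SID are back, then push it to the other DCs.
Get-ADUser -Identity Mary -Properties objectSid, whenCreated | Select-Object Name, objectSid, whenCreated
repadmin /syncall DC01 /AdeP
```

ntdsutil also writes a text file listing back-links (group memberships in other domains) that the restore could not repair; an LDIF is generated alongside it to re-create them.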
Integrating Domain Name System with AD DS
For example, when you boot a computer that is part of a domain, a standard process takes place. It begins with a query to a DNS server for service location (SRV) records, which identify the closest domain controller (DC). Only after DNS has done its work can the authentication process between the computer and the DC begin. Without name resolution of the SRV records by DNS, AD DS cannot authenticate a member computer.
DNS is integrated with AD DS.
DNS uses port 53, over UDP for ordinary queries and over TCP for responses that do not fit in one UDP packet and for zone transfers. All clients and servers use this port to locate and identify information about the computer names they need to interact with.
In Windows Server 2008, DNS has been updated to integrate with IPv6. In earlier versions, DNS data was located within the forest root domain partition, but when you created a child domain the data would not be stored automatically within the child domain partition. This caused a serious problem with DNS data. All our customers would use a two-DC forest root to keep it as secure as possible and to control access to forest root administration tightly.
DNS contains a host of record types that can be used to provide name resolution for specific service types or specific computer types. In addition, these records are stored within DNS zones, containers that provide name resolution for a specific namespace.
You already know that DNS relies on a hierarchy of servers because a DNS server cannot hold all possible name records within itself. Because of this, the DNS service relies on name referrals to perform name resolution.
Integration with AD DS
You can rely on a third-party DNS server to provide name resolution support for AD DS, as long as it supports SRV records and, preferably, dynamic updates.
When you use the Windows DNS server with AD DS, all DNS content is configured by default; this is why DNS installation is integrated with the domain controller promotion wizard.
When the AD DS process creates a child domain in an existing forest, it automatically creates a delegation in the parent domain's zone and then stores the DNS data for the child domain in the child domain's partition.
When you remove the DC role from the last DC in a domain, the DNS data created for that domain is removed as well.
You should configure the zones for aging and scavenging so that outdated dynamically registered records are deleted automatically; otherwise records of decommissioned hosts linger and keep pointing clients at addresses that may now belong to someone else.
DNS and RODCs
A new feature in Windows Server 2008 is the read-only domain controller (RODC). When placing an RODC at a remote site, you should also configure DNS appropriately.
As a reminder, an RODC is placed in a branch office that needs a local domain controller but lacks the physical security for a writable domain controller. Inadequate physical security means someone could walk out with the domain controller, and with physical possession of a writable DC an attacker can copy the NTDS.DIT database and extract every password hash in the domain, including those of Enterprise Admins and Domain Admins; the whole forest is then compromised.
With an RODC, only the credentials that its Password Replication Policy allows for the branch are cached locally, and RODCs are configured by default so that administrative account credentials are never stored there.
Now consider DNS. If you place a domain controller at a remote site, you should also place a DNS server there. When a user logs on, SRV and host records must be queried to locate a domain controller; if the DNS server is not local, those queries traverse the WAN link. If you place a DNS server locally, it makes sense to put it on the domain controller and make it Active Directory-integrated, and clients at the remote site should be configured to use the local DNS server.
Why does an RODC need DNS? You can install the DNS Server service on an RODC. An RODC can replicate all the application directory partitions that DNS uses, including ForestDnsZones and DomainDnsZones, and clients can query it for name resolution like any other DNS server. The copy is read-only, however: the RODC does not accept dynamic updates itself; it refers the client to a writable DNS server for the update and then asks that server to replicate the new record back to it.
Trees
All domains in a tree are linked with two-way, transitive trust relationships. In other words, accounts in any one domain can access resources in another domain and vice versa.
Forests
A forest can contain multiple trees, and trees can contain multiple levels of child domains.
Two-way transitive trust relationships exist between domains in the trees of a single forest
When you create a new Active Directory structure, the first domain created is the forest root domain.
Organizational Units
An OU is a container that lets you delegate administrative tasks, such as creating and working with user accounts, groups, and printers, to specific administrators for just that part of the directory. Further, you can control users and computers within an OU by means of Group Policy; the OU is the smallest unit to which you can link a GPO.
Sites
A site can contain objects from more than one tree or domain within a single forest,
The use of sites enables you to control the replication of data within the Active Directory database as well as to apply policies to all users and computers or delegate administrative control to these objects within a single physical location.
In addition, sites enable users to be authenticated by domain controllers in the same physical location rather than a distant location as often as possible. You should configure a single site for all work locations connected within a high-speed, always available local area network (LAN) link and designate additional sites for locations separated from each other by a slower wide area network (WAN) link.
Domain Controllers
Any server that has Active Directory installed is a domain controller. These servers authenticate all users logging on to their domain, and they serve as centers where you can administer Active Directory in Windows Server 2008. A domain controller stores a complete copy of all objects contained within the domain, plus the schema and configuration information relevant to the forest where the domain is located. Unlike Windows NT, Active Directory has no primary or backup domain controllers. As in Windows 2000 and Windows Server 2003, all writable domain controllers hold a master, editable copy of the Active Directory database; the read-only domain controller introduced in Windows Server 2008 is the one exception and forwards writes to a writable DC.
Global Catalog
The global catalog is a subset of domain information created for the purpose of enabling domain controllers in other domains of the same forest to locate resources in any domain. Users searching for objects such as users, published shared folders, or printers in another domain are directed to a global catalog server, which can search the entire forest. A global catalog server provides information on universal group membership, which can include users or groups from any domain in the forest; this is why a logon in a multi-domain forest normally needs to reach a global catalog. The global catalog server also enables users to log on to a domain other than their home domain by using their user principal name (UPN), which is a username constructed in the format of an email address (for example, user@products.examcram.com).
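The sections above (sites, domain controllers, global catalog and, in the earlier part of this post, the rule about not placing the Infrastructure Master on a global catalog) describe facts you can read straight out of the directory. The following PowerShell is an added example, not code from the original post: it inventories every domain controller in the forest with its site, GC/RODC status and FSMO roles, and then flags any domain whose Infrastructure Master sits on a GC while some other DC in that domain is not a GC (the only case in which the IM stops working). It assumes the RSAT ActiveDirectory module and an account allowed to read every domain; the function names are my own.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-ForestDcInventory {
    # One row per domain controller in the forest: site, GC, RODC and FSMO roles.
    $forest = Get-ADForest
    foreach ($domainName in $forest.Domains) {
        foreach ($dc in (Get-ADDomainController -Filter * -Server $domainName)) {
            [pscustomobject]@{
                Domain = $domainName
                DC     = $dc.HostName
                Site   = $dc.Site
                IsGC   = $dc.IsGlobalCatalog
                IsRODC = $dc.IsReadOnly
                Roles  = ($dc.OperationMasterRoles -join ', ')
            }
        }
    }
}

function Test-InfrastructureMasterPlacement {
    # The Infrastructure Master only matters in a multi-domain forest. If it is on a GC
    # it never sees stale cross-domain references, so it only works there when every DC
    # in the domain is also a GC (then there is nothing left for it to fix).
    $forest      = Get-ADForest
    $multiDomain = $forest.Domains.Count -gt 1
    foreach ($domainName in $forest.Domains) {
        $domain = Get-ADDomain -Server $domainName
        $dcs    = @(Get-ADDomainController -Filter * -Server $domainName)
        $im     = $dcs | Where-Object { $_.HostName -eq $domain.InfrastructureMaster }
        $allGc  = @($dcs | Where-Object { -not $_.IsGlobalCatalog }).Count -eq 0
        $imIsGc = [bool]$im.IsGlobalCatalog
        [pscustomobject]@{
            Domain         = $domainName
            InfraMaster    = $domain.InfrastructureMaster
            ImIsGC         = $imIsGc
            AllDcsAreGC    = $allGc
            NeedsAttention = ($multiDomain -and $imIsGc -and -not $allGc)
        }
    }
}

Get-ForestDcInventory            | Format-Table -AutoSize
Test-InfrastructureMasterPlacement | Format-Table -AutoSize
```

Run it from any domain-joined admin workstation; a row with NeedsAttention set to True is a domain where phantom cross-domain group memberships will stop being updated until the role is moved to a non-GC DC or all DCs in that domain are made GCs.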
To transfer the FSMO roles by using Ntdsutil, follow these steps. To seize a role instead, replace transfer with seize in the commands below; Ntdsutil first attempts a safe transfer and only seizes if that fails. Seize only when the current role holder is permanently offline, and never bring a former holder of a seized role back onto the network without first removing its metadata, otherwise two DCs will believe they own the role.
ntdsutil (enter)
ntdsutil: roles (enter)
fsmo maintenance: connections (enter)
server connections: connect to server <DC-Name> (enter)
server connections: quit (enter)
fsmo maintenance: transfer schema master (enter)
2003 server: fsmo maintenance: transfer domain naming master (enter)
2008 server and later: fsmo maintenance: transfer naming master (enter)
fsmo maintenance: transfer rid master (enter)
fsmo maintenance: transfer pdc (enter)
fsmo maintenance: transfer infrastructure master (enter)
fsmo maintenance: quit (enter)
ntdsutil: quit (enter)
You need Schema Admins membership for the schema master, Enterprise Admins for the domain naming master, and Domain Admins for the three domain-level roles; an insufficient-rights LDAP error at the transfer step usually means the account is missing one of these.
Transferring the RID Master, PDC Emulator, and Infrastructure Masters via GUI
1. Open the Active Directory Users and Computers snap-in from the Administrative Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Users and Computers and press Connect to Domain Controller.
3. Select the domain controller that will be the new role holder, the target, and press OK.
4. Right-click the Active Directory Users and Computers icon again and press Operation Masters.
5. Select the appropriate tab for the role you wish to transfer and press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Domain Naming Master via GUI
1. Open the Active Directory Domains and Trusts snap-in from the Administrative Tools folder.
2. If you are NOT logged onto the target domain controller, in the snap-in, right-click the icon next to Active Directory Domains and Trusts and press Connect to Domain Controller.
3. Select the domain controller that will be the new role holder and press OK.
4. Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
5. Press the Change button.
6. Press OK to confirm the change.
7. Press OK all the way out.
Transferring the Schema Master via GUI
1. Register the Schmmgmt.dll library: press Start > Run, type regsvr32 schmmgmt.dll and press OK. You should receive a success confirmation (run it from an elevated prompt if it fails).
2. From the Run command, open an MMC console by typing mmc.
3. On the Console (File) menu, press Add/Remove Snap-in.
4. Press Add, select Active Directory Schema, press Add and then Close. Press OK.
5. If you are NOT logged onto the target domain controller, right-click the Active Directory Schema icon in the Console Root and press Change Domain Controller.
6. Press Specify …, type the name of the new role holder, and press OK.
7. Right-click the Active Directory Schema icon again and press Operation Masters.
8. Press the Change button.
9. Press OK all the way out.
You must be a member of the Schema Admins group for the Change button to be enabled.
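The Ntdsutil sequence and the three GUI procedures above all do the same thing: move operations master roles and confirm the new holder. The following PowerShell is an added example, not code from the original post, that does the same with the ActiveDirectory module, records who held each role before and after, and only seizes when explicitly asked. The target DC name, the function names and the role list are assumptions; the module, the Move-ADDirectoryServerOperationMasterRole cmdlet and its -Force (seize) behaviour are real.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain.
    param([string]$Domain = (Get-ADDomain).DNSRoot)
    $f = Get-ADForest
    $d = Get-ADDomain -Server $Domain
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    param(
        [Parameter(Mandatory)][string]$TargetDc,   # e.g. 'DC02' or 'dc02.corp.example' (assumed name)
        [string[]]$Roles = @('SchemaMaster','DomainNamingMaster','PDCEmulator','RIDMaster','InfrastructureMaster'),
        [switch]$Seize                              # only when the current holder is gone for good
    )
    $before = Get-FsmoRoleHolders

    # Without -Force the cmdlet transfers (the old holder must be reachable).
    # With -Force it tries a transfer first and seizes if that fails, like ntdsutil's seize.
    $params = @{ Identity = $TargetDc; OperationMasterRole = $Roles; Confirm = $false }
    if ($Seize) { $params['Force'] = $true }
    Move-ADDirectoryServerOperationMasterRole @params

    # Verify against the directory rather than trusting the cmdlet's silence.
    $after = Get-FsmoRoleHolders
    foreach ($role in $Roles) {
        $holder = $after.$role
        if ($holder -like "$TargetDc*") {
            Write-Output ("{0,-20} {1} -> {2}" -f $role, $before.$role, $holder)
        } else {
            Write-Warning "$role is still held by $holder"
        }
    }
}

# Usage (assumed DC name): transfer everything, or seize after the old holder is confirmed dead.
# Move-FsmoRoles -TargetDc 'DC02'
# Move-FsmoRoles -TargetDc 'DC02' -Roles 'PDCEmulator','RIDMaster' -Seize
```

The same rights rules apply as for Ntdsutil: Schema Admins for the schema master, Enterprise Admins for the domain naming master, Domain Admins for the rest. After a seize, clean up the dead DC's metadata (Ntdsutil metadata cleanup or deleting its computer object from Sites and Services) before anything with its name is ever rebuilt.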
Performing an Authoritative Restore
1. Reboot the DC and press F8 to access Advanced Boot Options.
2. Select Directory Services Restore Mode. When prompted, log on with the user name .\administrator and the DSRM password.
3. Restore AD non-authoritatively from a backup. You can use the command-line backup tool, wbadmin (wbadmin start systemstaterecovery), or any other method your organization has available. Do not reboot after the restore is complete.
4. Launch a command prompt, type ntdsutil, and then press Enter.
5. Type activate instance ntds and press Enter.
6. Type authoritative restore and press Enter.
7. Type the restore command and press Enter. For example, to restore a single user object, use the following format:
restore object "cn=Sally,ou=sales,dc=pearson,dc=pub"
To restore an OU together with everything in it, use restore subtree with the OU's distinguished name instead. Ntdsutil raises the version numbers of the restored attributes so that this copy wins over the copies on the other DCs when replication resumes.
8. Type quit and press Enter twice to exit ntdsutil.
9. Restart the DC normally.
Only the objects you marked are restored authoritatively; the rest of the database that was restored in step 3 is brought back up to date by normal replication from the other DCs. Because the DSRM password is what grants this level of control over the DC, keep it unique per DC and rotated like any other privileged credential.
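The procedure above is typed interactively in DSRM, so a typo in a DN is easy to make and hard to spot. The following PowerShell is an added example, not code from the original post: one function writes out the exact Ntdsutil command sequence for one or more distinguished names so it can be pasted at the Ntdsutil prompt in step 4, and the other, run after the normal restart in step 9, checks that the object exists and that its attribute version numbers carry the large increment an authoritative restore applies. The DNs, the DC name and the function names are assumptions; Get-ADReplicationAttributeMetadata is a real cmdlet from the ActiveDirectory module, and the 100,000-per-day increment is Ntdsutil's documented default.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function New-AuthoritativeRestoreScript {
    # Emits the ntdsutil commands for steps 5-8 of the procedure, one per line.
    # -Subtree restores an OU and everything beneath it instead of a single object.
    param(
        [Parameter(Mandatory)][string[]]$DistinguishedName,
        [switch]$Subtree
    )
    $verb  = if ($Subtree) { 'restore subtree' } else { 'restore object' }
    $lines = @('activate instance ntds', 'authoritative restore')
    foreach ($dn in $DistinguishedName) {
        $lines += ('{0} "{1}"' -f $verb, $dn)   # DNs are quoted because they may contain spaces
    }
    $lines += 'quit', 'quit'
    return $lines
}

function Test-AuthoritativeRestore {
    # Run after the DC is back in normal mode. An authoritative restore raises each
    # restored attribute's version by 100,000 per day since the backup, so versions
    # in the hundreds of thousands on an object that normally sits in the tens are the
    # fingerprint that the restore (and not a plain non-authoritative one) took effect.
    param(
        [Parameter(Mandatory)][string]$DistinguishedName,
        [string]$Server = (Get-ADDomain).PDCEmulator,
        [int]$Threshold = 100000
    )
    $obj  = Get-ADObject -Identity $DistinguishedName -Server $Server -ErrorAction Stop
    $meta = @(Get-ADReplicationAttributeMetadata -Object $obj.DistinguishedName -Server $Server)
    $bumped = @($meta | Where-Object { $_.Version -ge $Threshold })
    [pscustomobject]@{
        Object             = $obj.DistinguishedName
        CheckedOn          = $Server
        AttributesSeen     = $meta.Count
        AttributesBumped   = $bumped.Count
        BumpedAttributes   = ($bumped.AttributeName -join ', ')
        LooksAuthoritative = ($bumped.Count -gt 0)
    }
}

# Usage (assumed DNs, taken from the example in the procedure above):
# New-AuthoritativeRestoreScript -DistinguishedName 'cn=Sally,ou=sales,dc=pearson,dc=pub'
# New-AuthoritativeRestoreScript -DistinguishedName 'ou=sales,dc=pearson,dc=pub' -Subtree
# Test-AuthoritativeRestore -DistinguishedName 'cn=Sally,ou=sales,dc=pearson,dc=pub'
```

Check the result on a DC other than the one you restored as well: if the versions are bumped there too, the authoritative copy has replicated; if only the restored DC shows them, replication has not yet caught up or is broken.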